SlideShare a Scribd company logo
1 of 52
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Public Key InfrastructurePublic Key Infrastructure
(X509 PKI)(X509 PKI)
Trusted E-Services Laboratory - HP Labs - BristolTrusted E-Services Laboratory - HP Labs - Bristol
Marco Casassa MontMarco Casassa Mont
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
OutlineOutline
• Basic Problem of Confidence and TrustBasic Problem of Confidence and Trust
• Background: Cryptography, Digital Signature,Background: Cryptography, Digital Signature,
Digital CertificatesDigital Certificates
• (X509) Public Key Infrastructure (PKI)(X509) Public Key Infrastructure (PKI)
• (X509) PKI: Trust and Legal Issues(X509) PKI: Trust and Legal Issues
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Confidence and TrustConfidence and Trust
Issues in the DigitalIssues in the Digital
WorldWorld
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Basic ProblemBasic Problem
IntranetIntranet
ExtranetExtranet
InternetInternet
AliceAliceBobBob
Bob and Alice want to exchange data in a digital world.Bob and Alice want to exchange data in a digital world.
There are Confidence and Trust Issues …There are Confidence and Trust Issues …
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
ConfidenceConfidence and Trust Issuesand Trust Issues
• In the Identity of an Individual or ApplicationIn the Identity of an Individual or Application
AUTHENTICATIONAUTHENTICATION
• That the information will be kept PrivateThat the information will be kept Private
CONFIDENTIALITYCONFIDENTIALITY
• That information cannot be ManipulatedThat information cannot be Manipulated
INTEGRITYINTEGRITY
• That information cannot be DisownedThat information cannot be Disowned
NON-REPUDIATIONNON-REPUDIATION
IntranetIntranet
ExtranetExtranet
InternetInternet
AliceAliceBobBob
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Starting Point:Starting Point:
CryptographyCryptography
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Starting Point: CryptographyStarting Point: Cryptography
CryptographyCryptography
It is the science of making the cost of acquiring or alteringIt is the science of making the cost of acquiring or altering
data greater than the potential value gaineddata greater than the potential value gained
CryptosystemCryptosystem
It is a system that provides techniques for mangling aIt is a system that provides techniques for mangling a
message into an apparently intelligible form and thanmessage into an apparently intelligible form and than
recovering it from the mangled formrecovering it from the mangled form
PlaintextPlaintext EncryptionEncryption DecryptionDecryption PlaintextPlaintextCiphertextCiphertext
KeyKey KeyKey
Hello WorldHello World &$*£(“!273&$*£(“!273 Hello WorldHello World
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Cryptographic AlgorithmsCryptographic Algorithms
All cryptosystems are based only onAll cryptosystems are based only on three Cryptographicthree Cryptographic
AlgorithmsAlgorithms::
• MESSAGE DIGESTMESSAGE DIGEST (MD2-4-5, SHA, SHA-1, …)(MD2-4-5, SHA, SHA-1, …)
• SECRET KEYSECRET KEY (Blowfish, DES, IDEA, RC2-4-5, Triple-DES, …)(Blowfish, DES, IDEA, RC2-4-5, Triple-DES, …)
• PUBLIC KEYPUBLIC KEY (DSA, RSA, …)(DSA, RSA, …)
Maps variable length plaintext into fixed length ciphertextMaps variable length plaintext into fixed length ciphertext
No key usage, computationally infeasible to recover the plaintextNo key usage, computationally infeasible to recover the plaintext
Encrypt and decrypt messages by using the same Secret KeyEncrypt and decrypt messages by using the same Secret Key
Encrypt and decrypt messages by using two different Keys: Public Key,Encrypt and decrypt messages by using two different Keys: Public Key,
Private Key (coupled together)Private Key (coupled together)
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
• Efficient and fast AlgorithmEfficient and fast Algorithm
• Simple modelSimple model
 Provides Integrity, ConfidentialityProvides Integrity, Confidentiality
ConsCons
• The same secret key must be shared by all the entities involved in the data exchangeThe same secret key must be shared by all the entities involved in the data exchange
• High riskHigh risk
• It doesn’t scaleIt doesn’t scale (proliferation of secrets)(proliferation of secrets)
 No Authentication, Non-RepudiationNo Authentication, Non-Repudiation
PlaintextPlaintext EncryptionEncryption DecryptionDecryption PlaintextPlaintextCiphertextCiphertext
Private KeyPrivate Key Private KeyPrivate Key
ProsPros
Cryptographic Algorithms basedCryptographic Algorithms based
on Private Keyon Private Key
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
PlaintextPlaintext EncryptionEncryption DecryptionDecryption PlaintextPlaintextCiphertextCiphertext
Alice’s Public KeyAlice’s Public Key Alice’s Private KeyAlice’s Private Key
IntranetIntranet
ExtranetExtranet
InternetInternet
AliceAliceBobBob
• Private key is only known by the owner: less riskPrivate key is only known by the owner: less risk
• The algorithm ensuresThe algorithm ensures IntegrityIntegrity andand ConfidentialityConfidentiality by encrypting withby encrypting with
the Receiver’s Public keythe Receiver’s Public key
ProsPros
Cryptographic Algorithms basedCryptographic Algorithms based
on Public Keyon Public Key
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
PlaintextPlaintext EncryptionEncryption DecryptionDecryption PlaintextPlaintextCiphertextCiphertext
Bob’s Private KeyBob’s Private Key Bob’s Public KeyBob’s Public Key
IntranetIntranet
ExtranetExtranet
InternetInternet
AliceAliceBobBob
• The algorithm ensuresThe algorithm ensures Non-RepudiationNon-Repudiation by encrypting withby encrypting with
the Sender’s Private keythe Sender’s Private key
ProsPros
Cryptographic Algorithms basedCryptographic Algorithms based
on Public Keyon Public Key
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Cryptographic Algorithms basedCryptographic Algorithms based
on Public Keyon Public Key
ConsCons
• Algorithms are 100 – 1000 times slower than secret key onesAlgorithms are 100 – 1000 times slower than secret key ones
They are initially used in an initial phase of communication and thenThey are initially used in an initial phase of communication and then
secrets keys are generated to deal with encryptionssecrets keys are generated to deal with encryptions
• How are Public keys made available to the other people?How are Public keys made available to the other people?
• There is still a problem ofThere is still a problem of AuthenticationAuthentication!!!!!!
Who ensures that the owner of a key pair is really the person whoseWho ensures that the owner of a key pair is really the person whose
real life name is “Alice”?real life name is “Alice”?
IntranetIntranet
ExtranetExtranet
InternetInternet
AliceAliceBobBob
Moving towards PKI …Moving towards PKI …
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Digital SignatureDigital Signature
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Digital SignatureDigital Signature
A Digital Signature is a data item that vouches the originA Digital Signature is a data item that vouches the origin
and the integrity of a Messageand the integrity of a Message
• The originator of a message uses a signing key (Private Key) to sign theThe originator of a message uses a signing key (Private Key) to sign the
message and send the message and its digital signature to a recipientmessage and send the message and its digital signature to a recipient
• The recipient uses a verification key (Public Key) to verify the origin ofThe recipient uses a verification key (Public Key) to verify the origin of
the message and that it has not been tampered with while in transitthe message and that it has not been tampered with while in transit
IntranetIntranet
ExtranetExtranet
InternetInternet
AliceAliceBobBob
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Digital SignatureDigital Signature
Hash FunctionHash Function
MessageMessage
SignatureSignature
Private KeyPrivate Key EncryptionEncryption
DigestDigest
MessageMessage
DecryptionDecryption
Public KeyPublic Key
ExpectedExpected
DigestDigest
ActualActual
DigestDigest
Hash FunctionHash Function
SignerSigner ReceiverReceiverChannelChannel
DigestDigest
AlgorithmAlgorithm
DigestDigest
AlgorithmAlgorithm
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Digital SignatureDigital Signature
There is still a problem linked to theThere is still a problem linked to the
““Real Identity”Real Identity” of the Signer.of the Signer.
Why should I trust what the Sender claims to be?Why should I trust what the Sender claims to be?
Moving towards PKI …Moving towards PKI …
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Digital CertificateDigital Certificate
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Digital CertificateDigital Certificate
A Digital Certificate is a binding between an entity’sA Digital Certificate is a binding between an entity’s
Public Key and one or more Attributes relating its Identity.Public Key and one or more Attributes relating its Identity.
• The entity can be a Person, an Hardware Component, a Service, etc.The entity can be a Person, an Hardware Component, a Service, etc.
• A Digital Certificate is issued (and signed) by someoneA Digital Certificate is issued (and signed) by someone
• A self-signed certificate usually is not very trustworthyA self-signed certificate usually is not very trustworthy
-- Usually the issuer is a Trusted Third PartyUsually the issuer is a Trusted Third Party
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
CERTIFICATE
Digital CertificateDigital Certificate
IssuerIssuer
SubjectSubject
IssuerIssuer
DigitalDigital
SignatureSignature
Subject Public KeySubject Public Key
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Digital CertificateDigital Certificate
• How are Digital Certificates Issued?How are Digital Certificates Issued?
• Who is issuing them?Who is issuing them?
• Why should I Trust the Certificate Issuer?Why should I Trust the Certificate Issuer?
• How can I check if a Certificate is valid?How can I check if a Certificate is valid?
• How can I revoke a Certificate?How can I revoke a Certificate?
• Who is revoking Certificates?Who is revoking Certificates?
ProblemsProblems
Moving towards PKI …Moving towards PKI …
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Public Key InfrastructurePublic Key Infrastructure
(PKI)(PKI)
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Public Key InfrastructurePublic Key Infrastructure
(PKI)(PKI)
A Public Key Infrastructure is an InfrastructureA Public Key Infrastructure is an Infrastructure
to support and manage Public Key-basedto support and manage Public Key-based
Digital CertificatesDigital Certificates
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Public Key InfrastructurePublic Key Infrastructure
(PKI)(PKI)
““A PKI is a set of agreed-upon standards, CertificationA PKI is a set of agreed-upon standards, Certification
Authorities (CA), structure between multiple CAs,Authorities (CA), structure between multiple CAs,
methods to discover and validate Certification Paths,methods to discover and validate Certification Paths,
Operational Protocols, Management Protocols,Operational Protocols, Management Protocols,
Interoperable Tools and supporting Legislation”Interoperable Tools and supporting Legislation”
““Digital Certificates” book – Jalal Feghhi, Jalil Feghhi, Peter WilliamsDigital Certificates” book – Jalal Feghhi, Jalil Feghhi, Peter Williams
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Public Key InfrastructurePublic Key Infrastructure
(PKI)(PKI)
Focus on:Focus on:
• X509 PKIX509 PKI
• X509 Digital CertificatesX509 Digital Certificates
 Standards defined by IETF, PKIX WG:Standards defined by IETF, PKIX WG:
http://www.ietf.org/http://www.ietf.org/
…… even if X509 is not the only approach (e.g. SPKI)even if X509 is not the only approach (e.g. SPKI)
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
X509 PKI – Technical ViewX509 PKI – Technical View
Basic Components:Basic Components:
• Certificate Authority (CA)Certificate Authority (CA)
• Registration Authority (RA)Registration Authority (RA)
• Certificate Distribution SystemCertificate Distribution System
• PKI enabled applicationsPKI enabled applications
““Consumer” SideConsumer” Side
““Provider” SideProvider” Side
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
X509 PKI – Simple ModelX509 PKI – Simple Model
CACA
RARA
CertificationCertification
EntityEntity
DirectoryDirectory
ApplicationApplication
ServiceService
RemoteRemote
PersonPerson
LocalLocal
PersonPerson
Certs,Certs,
CRLsCRLs
Cert. RequestCert. Request
SignedSigned
CertificateCertificate
InternetInternet
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
X509 PKIX509 PKI
Certificate Authority (CA)Certificate Authority (CA)
Basic Tasks:Basic Tasks:
• Key GenerationKey Generation
• Digital Certificate GenerationDigital Certificate Generation
• Certificate Issuance and DistributionCertificate Issuance and Distribution
• RevocationRevocation
• Key Backup and Recovery SystemKey Backup and Recovery System
• Cross-CertificationCross-Certification
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
X509 PKIX509 PKI
Registration Authority (RA)Registration Authority (RA)
Basic Tasks:Basic Tasks:
• Registration of Certificate InformationRegistration of Certificate Information
• Face-to-Face RegistrationFace-to-Face Registration
• Remote RegistrationRemote Registration
• Automatic RegistrationAutomatic Registration
• RevocationRevocation
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
X509 PKIX509 PKI
Certificate Distribution SystemCertificate Distribution System
Provide Repository for:Provide Repository for:
• Digital CertificatesDigital Certificates
• Certificate Revocation Lists (CRLs)Certificate Revocation Lists (CRLs)
Typically:Typically:
• Special Purposes DatabasesSpecial Purposes Databases
• LDAP directoriesLDAP directories
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Certificate Revocation List
Revoked CertificatesRevoked Certificates
remain in CRLremain in CRL
until they expireuntil they expire
Certificate Revocation ListCertificate Revocation List
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Certificate Revocation List (CRL)Certificate Revocation List (CRL)
• CRLs are published by CAs at well definedCRLs are published by CAs at well defined
interval of timeinterval of time
• It is a responsibility of “Users” of certificates toIt is a responsibility of “Users” of certificates to
““download” a CRL and verify if a certificate hasdownload” a CRL and verify if a certificate has
been revokedbeen revoked
• User application must deal with the revocationUser application must deal with the revocation
processesprocesses
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Online Certificate Status ProtocolOnline Certificate Status Protocol
(OCSP)(OCSP)
• An alternative to CRLsAn alternative to CRLs
• IETF/PKIX standard for a real-time check if aIETF/PKIX standard for a real-time check if a
certificate has been revoked/suspendedcertificate has been revoked/suspended
• Requires a high availability OCSP ServerRequires a high availability OCSP Server
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
CRL vs OCSP ServerCRL vs OCSP Server
UserUser CACA
CRLCRL
DirectoryDirectory
Download CRLDownload CRL
CRLCRL
UserUser CACA
CRLCRL
DirectoryDirectory
DownloadDownload
CRLCRL
Certificate IDsCertificate IDs
to be checkedto be checked
Answer aboutAnswer about
Certificate StatesCertificate States
OCSPOCSP
ServerServer
OCSPOCSP
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
X509 PKIX509 PKI
PKI-enabled ApplicationsPKI-enabled Applications
Functionality Required:Functionality Required:
• Cryptographic functionalityCryptographic functionality
• Secure storage of Personal InformationSecure storage of Personal Information
• Digital Certificate HandlingDigital Certificate Handling
• Directory AccessDirectory Access
• Communication FacilitiesCommunication Facilities
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
X509 PKIX509 PKI
Trust and Legal IssuesTrust and Legal Issues
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
X509 PKIX509 PKI
Trust and Legal IssuesTrust and Legal Issues
• Why should I Trust a CA?Why should I Trust a CA?
• How can I determine the liability of a CA?How can I determine the liability of a CA?
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
X509 PKIX509 PKI
Approaches to Trust andApproaches to Trust and
Legal AspectsLegal Aspects
• Why should I Trust a CA?Why should I Trust a CA?
• How can I determine the liability of a CA?How can I determine the liability of a CA?
Certificate Hierarchies, Cross-CertificationCertificate Hierarchies, Cross-Certification
Certificate Policies (CP) and Certificate PolicyCertificate Policies (CP) and Certificate Policy
Statement (CPS)Statement (CPS)
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
X509 PKIX509 PKI
Approach to TrustApproach to Trust
Certificate HierarchiesCertificate Hierarchies
andand
Cross-CertificationCross-Certification
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Try to reflectTry to reflect
Real world Trust ModelsReal world Trust Models
CA CA
CA
RA RA
CA
RA
LRALRA
CA
CA
RA
CA
CA
RA RA
Directory
Services
InternetInternet
InternetInternet
CA Technology EvolutionCA Technology Evolution
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Each entity has its own certificate (and may
have more than one). The root CA’s certificate
is self signed and each sub-CA is signed by its
parent CA.
Each CA may also issue CRLs. In particular
the lowest level CAs issue CRLs frequently.
End entities need to “find” a certificate path to
a CA that they trust.
Simple Certificate HierarchySimple Certificate Hierarchy
Root CARoot CA
Sub-CAsSub-CAs
End EntitiesEnd Entities
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)

Alice Bob
Simple Certificate PathSimple Certificate Path
Alice trusts the root CAAlice trusts the root CA
Bob sends a message to AliceBob sends a message to Alice
Alice needs Bob’s certificate, the certificate ofAlice needs Bob’s certificate, the certificate of
the CA that signed Bob’s certificate, and so onthe CA that signed Bob’s certificate, and so on
up to the root CA’s self signed certificate.up to the root CA’s self signed certificate.
Alice also needs each CRL for each CA.Alice also needs each CRL for each CA.
Only then can Alice verify that Bob’s certificateOnly then can Alice verify that Bob’s certificate
is valid and trusted and so verify the Bob’sis valid and trusted and so verify the Bob’s
signature.signature.
TrustedTrusted
RootRoot
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
11
22 33
1.1. Multiple RootsMultiple Roots
2.2. Simple cross-certificateSimple cross-certificate
3.3. Complex cross-certificateComplex cross-certificate
Cross-Certification andCross-Certification and
Multiple HierarchiesMultiple Hierarchies
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Things are getting more and moreThings are getting more and more
complex if Hierarchies andcomplex if Hierarchies and
Cross-Certifications are usedCross-Certifications are used
X509 PKIX509 PKI
Approach to Trust : ProblemsApproach to Trust : Problems
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Trusted
Root
3
TrustedTrusted
RootRoot

Cross-Certification andCross-Certification and
Path DiscoveryPath Discovery
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
X509 PKIX509 PKI
Approach to Legal AspectsApproach to Legal Aspects
Certificate PolicyCertificate Policy
AndAnd
Certificate Practice StatementCertificate Practice Statement
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Certificate Policy (CP)Certificate Policy (CP)
• A document that sets out the rights, duties andA document that sets out the rights, duties and
obligations of each party in a Public Keyobligations of each party in a Public Key
InfrastructureInfrastructure
• The Certificate Policy (CP) is a document whichThe Certificate Policy (CP) is a document which
usually has legal effectusually has legal effect
• A CP is usually publicly exposed by CAs, forA CP is usually publicly exposed by CAs, for
example on a Web Site (VeriSign, etc.)example on a Web Site (VeriSign, etc.)
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Certificate Policy (CP)Certificate Policy (CP)
POLICY OUTLINEPOLICY OUTLINE
COMMUNITY &COMMUNITY &
APPLICABILITYAPPLICABILITY
RIGHTS, LIABILITIESRIGHTS, LIABILITIES
& OBLIGATIONS& OBLIGATIONS
OPERATIONALOPERATIONAL
REQUIREMENTSREQUIREMENTS
CERTIFICATE &CERTIFICATE &
CRL PROFILESCRL PROFILES
IDENTIFICATION &IDENTIFICATION &
AUTHENTICATIONAUTHENTICATION
CPCP
TECHNICALTECHNICAL
SECURITY CONTROLSECURITY CONTROL
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
• Liability IssuesLiability Issues
• Repository Access ControlsRepository Access Controls
• Confidentiality RequirementsConfidentiality Requirements
• Registration ProceduresRegistration Procedures
- Uniqueness of Names
- Authentication of Users/Organisations
• Suspension and Revocation (Online/CRL)Suspension and Revocation (Online/CRL)
• Physical Security ControlsPhysical Security Controls
• Certificate AcceptanceCertificate Acceptance
Policy Issues (CP)Policy Issues (CP)
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Certificate Policy StatementCertificate Policy Statement
(CPS)(CPS)
• A document that sets out what happens in practiceA document that sets out what happens in practice
to support the policy statements made in the CPto support the policy statements made in the CP
in a PKIin a PKI
• The Certificate Practice Statement (CPS) is aThe Certificate Practice Statement (CPS) is a
document which may have legal effect in limiteddocument which may have legal effect in limited
circumstancescircumstances
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
PHYSICAL,PHYSICAL,
PROCEDURAL &PROCEDURAL &
PERSONNELPERSONNEL
CERTIFICATE &CERTIFICATE &
CRL PROFILESCRL PROFILES
INTRODUCTIONINTRODUCTION
GENERALGENERAL
PROVISIONSPROVISIONS
IDENTIFICATION &IDENTIFICATION &
AUTHENTICATIONAUTHENTICATION
OPERATIONALOPERATIONAL
REQUIREMENTSREQUIREMENTS
SPECIFICATIONSPECIFICATION
ADMINISTRATIONADMINISTRATION
TECHNICALTECHNICAL
SECURITYSECURITY
CONTROLSCONTROLS
CPSCPS
Certificate Policy StatementCertificate Policy Statement
(CPS)(CPS)
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
IETF (PKIX) StandardsIETF (PKIX) Standards
• X.509 Certificate and CRL Profiles
• PKI Management Protocols
• Certificate Request Formats
• CP/CPS Framework
• LDAP, OCSP, etc.
http://www.ietf.org/http://www.ietf.org/
HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Identity is Not Enough:Identity is Not Enough:
Attribute CertificatesAttribute Certificates
IETF (PKIX WG) is also defining standards for AttributeIETF (PKIX WG) is also defining standards for Attribute
Certificates (ACs):Certificates (ACs):
• Visa Card (Attribute) vs. Passport (Identity)Visa Card (Attribute) vs. Passport (Identity)
• Attribute Certificates specify Attributes associatedAttribute Certificates specify Attributes associated
to an Identityto an Identity
• Attribute Certificates don’t contain a Public keyAttribute Certificates don’t contain a Public key
but a link to an Identity Certificatebut a link to an Identity Certificate

More Related Content

What's hot

Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructureAditya Nama
 
Digital signature
Digital  signatureDigital  signature
Digital signatureAJAL A J
 
Digital certificates & its importance
Digital certificates & its importanceDigital certificates & its importance
Digital certificates & its importancesvm
 
Presentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificatesPresentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificatesVivaka Nand
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key InfrastructureTheo Gravity
 
Digital certificates
Digital certificates Digital certificates
Digital certificates Sheetal Verma
 
Digital certificates
Digital certificatesDigital certificates
Digital certificatesSimmi Kamra
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeDigiCert, Inc.
 
What is digital signature or DSC
What is digital signature or DSCWhat is digital signature or DSC
What is digital signature or DSCAdv Prashant Mali
 
Seminar ppt on digital signature
Seminar ppt on digital signatureSeminar ppt on digital signature
Seminar ppt on digital signaturejolly9293
 
Digital signature & eSign overview
Digital signature & eSign overviewDigital signature & eSign overview
Digital signature & eSign overviewRishi Pathak
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network securityrhassan84
 

What's hot (20)

Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructure
 
Digital signature
Digital  signatureDigital  signature
Digital signature
 
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)Public key Infrastructure (PKI)
Public key Infrastructure (PKI)
 
Digital certificates & its importance
Digital certificates & its importanceDigital certificates & its importance
Digital certificates & its importance
 
Presentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificatesPresentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificates
 
Final ppt ecommerce
Final ppt ecommerceFinal ppt ecommerce
Final ppt ecommerce
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
 
Digital certificates
Digital certificates Digital certificates
Digital certificates
 
Pki for dummies
Pki for dummiesPki for dummies
Pki for dummies
 
Digital certificates
Digital certificatesDigital certificates
Digital certificates
 
Digital Signature ppt
Digital Signature pptDigital Signature ppt
Digital Signature ppt
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
 
What is digital signature or DSC
What is digital signature or DSCWhat is digital signature or DSC
What is digital signature or DSC
 
Digital Certificate
Digital CertificateDigital Certificate
Digital Certificate
 
Seminar ppt on digital signature
Seminar ppt on digital signatureSeminar ppt on digital signature
Seminar ppt on digital signature
 
Digital signature & eSign overview
Digital signature & eSign overviewDigital signature & eSign overview
Digital signature & eSign overview
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
 
Digital signature
Digital signatureDigital signature
Digital signature
 

Similar to Marco Casassa Mont: Pki overview

Castle Presentation 08-12-04
Castle Presentation 08-12-04Castle Presentation 08-12-04
Castle Presentation 08-12-04Howard Hellman
 
Module 21 (cryptography)
Module 21 (cryptography)Module 21 (cryptography)
Module 21 (cryptography)Wail Hassan
 
PresentationonCRYPTOGRAPHYppt.ppt
PresentationonCRYPTOGRAPHYppt.pptPresentationonCRYPTOGRAPHYppt.ppt
PresentationonCRYPTOGRAPHYppt.pptPrabhatMishraAbvp
 
PresentationonCRYPTOGRAPHYppt.ppt
PresentationonCRYPTOGRAPHYppt.pptPresentationonCRYPTOGRAPHYppt.ppt
PresentationonCRYPTOGRAPHYppt.pptvinitajain703
 
Presentationon ON THE TOPIC CRYPTOGRAPHY
Presentationon ON THE TOPIC CRYPTOGRAPHYPresentationon ON THE TOPIC CRYPTOGRAPHY
Presentationon ON THE TOPIC CRYPTOGRAPHYBARATH800940
 
Security everywhere digital signature and digital fingerprint v1 (personal)
Security everywhere digital signature and digital fingerprint v1 (personal)Security everywhere digital signature and digital fingerprint v1 (personal)
Security everywhere digital signature and digital fingerprint v1 (personal)Paul Yang
 
Symmetric key encryption
Symmetric key encryptionSymmetric key encryption
Symmetric key encryptionmdhar123
 
CRYPTOGRAPHY-PAYAL CHOPRA.ppt
CRYPTOGRAPHY-PAYAL CHOPRA.pptCRYPTOGRAPHY-PAYAL CHOPRA.ppt
CRYPTOGRAPHY-PAYAL CHOPRA.pptPayalChopra9
 
Encryption symmetric key
Encryption symmetric keyEncryption symmetric key
Encryption symmetric keymdhar123
 
cryptography ppt free download
cryptography ppt free downloadcryptography ppt free download
cryptography ppt free downloadTwinkal Harsora
 
PresentationonCRYPTOGRAPHYppt.ppt - Read-Only - Compatibility Mode.ppt
PresentationonCRYPTOGRAPHYppt.ppt  -  Read-Only  -  Compatibility Mode.pptPresentationonCRYPTOGRAPHYppt.ppt  -  Read-Only  -  Compatibility Mode.ppt
PresentationonCRYPTOGRAPHYppt.ppt - Read-Only - Compatibility Mode.pptso6281019
 
Computer Security (Cryptography) Ch01
Computer Security (Cryptography) Ch01Computer Security (Cryptography) Ch01
Computer Security (Cryptography) Ch01Saif Kassim
 
Public Digital Identity as a Service
Public Digital Identity as a ServicePublic Digital Identity as a Service
Public Digital Identity as a ServicePT Datacomm Diangraha
 

Similar to Marco Casassa Mont: Pki overview (20)

Castle Presentation 08-12-04
Castle Presentation 08-12-04Castle Presentation 08-12-04
Castle Presentation 08-12-04
 
Module 21 (cryptography)
Module 21 (cryptography)Module 21 (cryptography)
Module 21 (cryptography)
 
PresentationonCRYPTOGRAPHYppt.ppt
PresentationonCRYPTOGRAPHYppt.pptPresentationonCRYPTOGRAPHYppt.ppt
PresentationonCRYPTOGRAPHYppt.ppt
 
PresentationonCRYPTOGRAPHYppt.ppt
PresentationonCRYPTOGRAPHYppt.pptPresentationonCRYPTOGRAPHYppt.ppt
PresentationonCRYPTOGRAPHYppt.ppt
 
Presentationon ON THE TOPIC CRYPTOGRAPHY
Presentationon ON THE TOPIC CRYPTOGRAPHYPresentationon ON THE TOPIC CRYPTOGRAPHY
Presentationon ON THE TOPIC CRYPTOGRAPHY
 
Cryptography ppt
Cryptography pptCryptography ppt
Cryptography ppt
 
Security everywhere digital signature and digital fingerprint v1 (personal)
Security everywhere digital signature and digital fingerprint v1 (personal)Security everywhere digital signature and digital fingerprint v1 (personal)
Security everywhere digital signature and digital fingerprint v1 (personal)
 
Symmetric key encryption
Symmetric key encryptionSymmetric key encryption
Symmetric key encryption
 
Cryptointro
CryptointroCryptointro
Cryptointro
 
CRYPTOGRAPHY-PAYAL CHOPRA.ppt
CRYPTOGRAPHY-PAYAL CHOPRA.pptCRYPTOGRAPHY-PAYAL CHOPRA.ppt
CRYPTOGRAPHY-PAYAL CHOPRA.ppt
 
Whatisdigitalsignature
WhatisdigitalsignatureWhatisdigitalsignature
Whatisdigitalsignature
 
Whatisdigitalsignature
WhatisdigitalsignatureWhatisdigitalsignature
Whatisdigitalsignature
 
Encryption symmetric key
Encryption symmetric keyEncryption symmetric key
Encryption symmetric key
 
Fundamentals of cryptography
Fundamentals of cryptographyFundamentals of cryptography
Fundamentals of cryptography
 
cryptography ppt free download
cryptography ppt free downloadcryptography ppt free download
cryptography ppt free download
 
Data encryption
Data encryptionData encryption
Data encryption
 
PresentationonCRYPTOGRAPHYppt.ppt - Read-Only - Compatibility Mode.ppt
PresentationonCRYPTOGRAPHYppt.ppt  -  Read-Only  -  Compatibility Mode.pptPresentationonCRYPTOGRAPHYppt.ppt  -  Read-Only  -  Compatibility Mode.ppt
PresentationonCRYPTOGRAPHYppt.ppt - Read-Only - Compatibility Mode.ppt
 
cryptography
cryptographycryptography
cryptography
 
Computer Security (Cryptography) Ch01
Computer Security (Cryptography) Ch01Computer Security (Cryptography) Ch01
Computer Security (Cryptography) Ch01
 
Public Digital Identity as a Service
Public Digital Identity as a ServicePublic Digital Identity as a Service
Public Digital Identity as a Service
 

More from Information Security Awareness Group

Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Information Security Awareness Group
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
 Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...Information Security Awareness Group
 
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...Information Security Awareness Group
 
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...Information Security Awareness Group
 
Big data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceBig data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceInformation Security Awareness Group
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 Authorization Policy in a PKI Environment  Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment  Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...Information Security Awareness Group
 
Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...Information Security Awareness Group
 
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...Information Security Awareness Group
 
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Information Security Awareness Group
 

More from Information Security Awareness Group (20)

Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
 Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
 
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
 
IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,
 
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
 
Big data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceBig data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security Alliance
 
Big data analysis concepts and references
Big data analysis concepts and referencesBig data analysis concepts and references
Big data analysis concepts and references
 
PKI by Tim Polk
PKI by Tim PolkPKI by Tim Polk
PKI by Tim Polk
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 Authorization Policy in a PKI Environment  Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment  Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
 
PKI by Gene Itkis
PKI by Gene ItkisPKI by Gene Itkis
PKI by Gene Itkis
 
Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...
 
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
 
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
 
THE OPEN SCIENCE GRID Ruth Pordes
THE OPEN SCIENCE GRID Ruth PordesTHE OPEN SCIENCE GRID Ruth Pordes
THE OPEN SCIENCE GRID Ruth Pordes
 
Open Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob CowlesOpen Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob Cowles
 
Security Open Science Grid Doug Olson
Security Open Science Grid Doug OlsonSecurity Open Science Grid Doug Olson
Security Open Science Grid Doug Olson
 
Open Science Group Security Kevin Hill
Open Science Group Security Kevin HillOpen Science Group Security Kevin Hill
Open Science Group Security Kevin Hill
 
Xrootd proxies Andrew Hanushevsky
Xrootd proxies Andrew HanushevskyXrootd proxies Andrew Hanushevsky
Xrootd proxies Andrew Hanushevsky
 
Privilege Project Vikram Andem
Privilege Project Vikram AndemPrivilege Project Vikram Andem
Privilege Project Vikram Andem
 

Recently uploaded

Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 

Recently uploaded (20)

Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 

Marco Casassa Mont: Pki overview

  • 1. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Public Key InfrastructurePublic Key Infrastructure (X509 PKI)(X509 PKI) Trusted E-Services Laboratory - HP Labs - BristolTrusted E-Services Laboratory - HP Labs - Bristol Marco Casassa MontMarco Casassa Mont
  • 2. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) OutlineOutline • Basic Problem of Confidence and TrustBasic Problem of Confidence and Trust • Background: Cryptography, Digital Signature,Background: Cryptography, Digital Signature, Digital CertificatesDigital Certificates • (X509) Public Key Infrastructure (PKI)(X509) Public Key Infrastructure (PKI) • (X509) PKI: Trust and Legal Issues(X509) PKI: Trust and Legal Issues
  • 3. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Confidence and TrustConfidence and Trust Issues in the DigitalIssues in the Digital WorldWorld
  • 4. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Basic ProblemBasic Problem IntranetIntranet ExtranetExtranet InternetInternet AliceAliceBobBob Bob and Alice want to exchange data in a digital world.Bob and Alice want to exchange data in a digital world. There are Confidence and Trust Issues …There are Confidence and Trust Issues …
  • 5. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) ConfidenceConfidence and Trust Issuesand Trust Issues • In the Identity of an Individual or ApplicationIn the Identity of an Individual or Application AUTHENTICATIONAUTHENTICATION • That the information will be kept PrivateThat the information will be kept Private CONFIDENTIALITYCONFIDENTIALITY • That information cannot be ManipulatedThat information cannot be Manipulated INTEGRITYINTEGRITY • That information cannot be DisownedThat information cannot be Disowned NON-REPUDIATIONNON-REPUDIATION IntranetIntranet ExtranetExtranet InternetInternet AliceAliceBobBob
  • 6. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Starting Point:Starting Point: CryptographyCryptography
  • 7. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Starting Point: CryptographyStarting Point: Cryptography CryptographyCryptography It is the science of making the cost of acquiring or alteringIt is the science of making the cost of acquiring or altering data greater than the potential value gaineddata greater than the potential value gained CryptosystemCryptosystem It is a system that provides techniques for mangling aIt is a system that provides techniques for mangling a message into an apparently intelligible form and thanmessage into an apparently intelligible form and than recovering it from the mangled formrecovering it from the mangled form PlaintextPlaintext EncryptionEncryption DecryptionDecryption PlaintextPlaintextCiphertextCiphertext KeyKey KeyKey Hello WorldHello World &$*£(“!273&$*£(“!273 Hello WorldHello World
  • 8. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Cryptographic AlgorithmsCryptographic Algorithms All cryptosystems are based only onAll cryptosystems are based only on three Cryptographicthree Cryptographic AlgorithmsAlgorithms:: • MESSAGE DIGESTMESSAGE DIGEST (MD2-4-5, SHA, SHA-1, …)(MD2-4-5, SHA, SHA-1, …) • SECRET KEYSECRET KEY (Blowfish, DES, IDEA, RC2-4-5, Triple-DES, …)(Blowfish, DES, IDEA, RC2-4-5, Triple-DES, …) • PUBLIC KEYPUBLIC KEY (DSA, RSA, …)(DSA, RSA, …) Maps variable length plaintext into fixed length ciphertextMaps variable length plaintext into fixed length ciphertext No key usage, computationally infeasible to recover the plaintextNo key usage, computationally infeasible to recover the plaintext Encrypt and decrypt messages by using the same Secret KeyEncrypt and decrypt messages by using the same Secret Key Encrypt and decrypt messages by using two different Keys: Public Key,Encrypt and decrypt messages by using two different Keys: Public Key, Private Key (coupled together)Private Key (coupled together)
  • 9. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) • Efficient and fast AlgorithmEfficient and fast Algorithm • Simple modelSimple model  Provides Integrity, ConfidentialityProvides Integrity, Confidentiality ConsCons • The same secret key must be shared by all the entities involved in the data exchangeThe same secret key must be shared by all the entities involved in the data exchange • High riskHigh risk • It doesn’t scaleIt doesn’t scale (proliferation of secrets)(proliferation of secrets)  No Authentication, Non-RepudiationNo Authentication, Non-Repudiation PlaintextPlaintext EncryptionEncryption DecryptionDecryption PlaintextPlaintextCiphertextCiphertext Private KeyPrivate Key Private KeyPrivate Key ProsPros Cryptographic Algorithms basedCryptographic Algorithms based on Private Keyon Private Key
  • 10. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) PlaintextPlaintext EncryptionEncryption DecryptionDecryption PlaintextPlaintextCiphertextCiphertext Alice’s Public KeyAlice’s Public Key Alice’s Private KeyAlice’s Private Key IntranetIntranet ExtranetExtranet InternetInternet AliceAliceBobBob • Private key is only known by the owner: less riskPrivate key is only known by the owner: less risk • The algorithm ensuresThe algorithm ensures IntegrityIntegrity andand ConfidentialityConfidentiality by encrypting withby encrypting with the Receiver’s Public keythe Receiver’s Public key ProsPros Cryptographic Algorithms basedCryptographic Algorithms based on Public Keyon Public Key
  • 11. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) PlaintextPlaintext EncryptionEncryption DecryptionDecryption PlaintextPlaintextCiphertextCiphertext Bob’s Private KeyBob’s Private Key Bob’s Public KeyBob’s Public Key IntranetIntranet ExtranetExtranet InternetInternet AliceAliceBobBob • The algorithm ensuresThe algorithm ensures Non-RepudiationNon-Repudiation by encrypting withby encrypting with the Sender’s Private keythe Sender’s Private key ProsPros Cryptographic Algorithms basedCryptographic Algorithms based on Public Keyon Public Key
  • 12. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Cryptographic Algorithms basedCryptographic Algorithms based on Public Keyon Public Key ConsCons • Algorithms are 100 – 1000 times slower than secret key onesAlgorithms are 100 – 1000 times slower than secret key ones They are initially used in an initial phase of communication and thenThey are initially used in an initial phase of communication and then secrets keys are generated to deal with encryptionssecrets keys are generated to deal with encryptions • How are Public keys made available to the other people?How are Public keys made available to the other people? • There is still a problem ofThere is still a problem of AuthenticationAuthentication!!!!!! Who ensures that the owner of a key pair is really the person whoseWho ensures that the owner of a key pair is really the person whose real life name is “Alice”?real life name is “Alice”? IntranetIntranet ExtranetExtranet InternetInternet AliceAliceBobBob Moving towards PKI …Moving towards PKI …
  • 13. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Digital SignatureDigital Signature
  • 14. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Digital SignatureDigital Signature A Digital Signature is a data item that vouches the originA Digital Signature is a data item that vouches the origin and the integrity of a Messageand the integrity of a Message • The originator of a message uses a signing key (Private Key) to sign theThe originator of a message uses a signing key (Private Key) to sign the message and send the message and its digital signature to a recipientmessage and send the message and its digital signature to a recipient • The recipient uses a verification key (Public Key) to verify the origin ofThe recipient uses a verification key (Public Key) to verify the origin of the message and that it has not been tampered with while in transitthe message and that it has not been tampered with while in transit IntranetIntranet ExtranetExtranet InternetInternet AliceAliceBobBob
  • 15. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Digital SignatureDigital Signature Hash FunctionHash Function MessageMessage SignatureSignature Private KeyPrivate Key EncryptionEncryption DigestDigest MessageMessage DecryptionDecryption Public KeyPublic Key ExpectedExpected DigestDigest ActualActual DigestDigest Hash FunctionHash Function SignerSigner ReceiverReceiverChannelChannel DigestDigest AlgorithmAlgorithm DigestDigest AlgorithmAlgorithm
  • 16. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Digital SignatureDigital Signature There is still a problem linked to theThere is still a problem linked to the ““Real Identity”Real Identity” of the Signer.of the Signer. Why should I trust what the Sender claims to be?Why should I trust what the Sender claims to be? Moving towards PKI …Moving towards PKI …
  • 17. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Digital CertificateDigital Certificate
  • 18. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Digital CertificateDigital Certificate A Digital Certificate is a binding between an entity’sA Digital Certificate is a binding between an entity’s Public Key and one or more Attributes relating its Identity.Public Key and one or more Attributes relating its Identity. • The entity can be a Person, an Hardware Component, a Service, etc.The entity can be a Person, an Hardware Component, a Service, etc. • A Digital Certificate is issued (and signed) by someoneA Digital Certificate is issued (and signed) by someone • A self-signed certificate usually is not very trustworthyA self-signed certificate usually is not very trustworthy -- Usually the issuer is a Trusted Third PartyUsually the issuer is a Trusted Third Party
  • 19. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) CERTIFICATE Digital CertificateDigital Certificate IssuerIssuer SubjectSubject IssuerIssuer DigitalDigital SignatureSignature Subject Public KeySubject Public Key
  • 20. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Digital CertificateDigital Certificate • How are Digital Certificates Issued?How are Digital Certificates Issued? • Who is issuing them?Who is issuing them? • Why should I Trust the Certificate Issuer?Why should I Trust the Certificate Issuer? • How can I check if a Certificate is valid?How can I check if a Certificate is valid? • How can I revoke a Certificate?How can I revoke a Certificate? • Who is revoking Certificates?Who is revoking Certificates? ProblemsProblems Moving towards PKI …Moving towards PKI …
  • 21. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Public Key InfrastructurePublic Key Infrastructure (PKI)(PKI)
  • 22. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Public Key InfrastructurePublic Key Infrastructure (PKI)(PKI) A Public Key Infrastructure is an InfrastructureA Public Key Infrastructure is an Infrastructure to support and manage Public Key-basedto support and manage Public Key-based Digital CertificatesDigital Certificates
  • 23. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Public Key InfrastructurePublic Key Infrastructure (PKI)(PKI) ““A PKI is a set of agreed-upon standards, CertificationA PKI is a set of agreed-upon standards, Certification Authorities (CA), structure between multiple CAs,Authorities (CA), structure between multiple CAs, methods to discover and validate Certification Paths,methods to discover and validate Certification Paths, Operational Protocols, Management Protocols,Operational Protocols, Management Protocols, Interoperable Tools and supporting Legislation”Interoperable Tools and supporting Legislation” ““Digital Certificates” book – Jalal Feghhi, Jalil Feghhi, Peter WilliamsDigital Certificates” book – Jalal Feghhi, Jalil Feghhi, Peter Williams
  • 24. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Public Key InfrastructurePublic Key Infrastructure (PKI)(PKI) Focus on:Focus on: • X509 PKIX509 PKI • X509 Digital CertificatesX509 Digital Certificates  Standards defined by IETF, PKIX WG:Standards defined by IETF, PKIX WG: http://www.ietf.org/http://www.ietf.org/ …… even if X509 is not the only approach (e.g. SPKI)even if X509 is not the only approach (e.g. SPKI)
  • 25. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) X509 PKI – Technical ViewX509 PKI – Technical View Basic Components:Basic Components: • Certificate Authority (CA)Certificate Authority (CA) • Registration Authority (RA)Registration Authority (RA) • Certificate Distribution SystemCertificate Distribution System • PKI enabled applicationsPKI enabled applications ““Consumer” SideConsumer” Side ““Provider” SideProvider” Side
  • 26. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) X509 PKI – Simple ModelX509 PKI – Simple Model CACA RARA CertificationCertification EntityEntity DirectoryDirectory ApplicationApplication ServiceService RemoteRemote PersonPerson LocalLocal PersonPerson Certs,Certs, CRLsCRLs Cert. RequestCert. Request SignedSigned CertificateCertificate InternetInternet
  • 27. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) X509 PKIX509 PKI Certificate Authority (CA)Certificate Authority (CA) Basic Tasks:Basic Tasks: • Key GenerationKey Generation • Digital Certificate GenerationDigital Certificate Generation • Certificate Issuance and DistributionCertificate Issuance and Distribution • RevocationRevocation • Key Backup and Recovery SystemKey Backup and Recovery System • Cross-CertificationCross-Certification
  • 28. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) X509 PKIX509 PKI Registration Authority (RA)Registration Authority (RA) Basic Tasks:Basic Tasks: • Registration of Certificate InformationRegistration of Certificate Information • Face-to-Face RegistrationFace-to-Face Registration • Remote RegistrationRemote Registration • Automatic RegistrationAutomatic Registration • RevocationRevocation
  • 29. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) X509 PKIX509 PKI Certificate Distribution SystemCertificate Distribution System Provide Repository for:Provide Repository for: • Digital CertificatesDigital Certificates • Certificate Revocation Lists (CRLs)Certificate Revocation Lists (CRLs) Typically:Typically: • Special Purposes DatabasesSpecial Purposes Databases • LDAP directoriesLDAP directories
  • 30. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Certificate Revocation List Revoked CertificatesRevoked Certificates remain in CRLremain in CRL until they expireuntil they expire Certificate Revocation ListCertificate Revocation List
  • 31. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Certificate Revocation List (CRL)Certificate Revocation List (CRL) • CRLs are published by CAs at well definedCRLs are published by CAs at well defined interval of timeinterval of time • It is a responsibility of “Users” of certificates toIt is a responsibility of “Users” of certificates to ““download” a CRL and verify if a certificate hasdownload” a CRL and verify if a certificate has been revokedbeen revoked • User application must deal with the revocationUser application must deal with the revocation processesprocesses
  • 32. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Online Certificate Status ProtocolOnline Certificate Status Protocol (OCSP)(OCSP) • An alternative to CRLsAn alternative to CRLs • IETF/PKIX standard for a real-time check if aIETF/PKIX standard for a real-time check if a certificate has been revoked/suspendedcertificate has been revoked/suspended • Requires a high availability OCSP ServerRequires a high availability OCSP Server
  • 33. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) CRL vs OCSP ServerCRL vs OCSP Server UserUser CACA CRLCRL DirectoryDirectory Download CRLDownload CRL CRLCRL UserUser CACA CRLCRL DirectoryDirectory DownloadDownload CRLCRL Certificate IDsCertificate IDs to be checkedto be checked Answer aboutAnswer about Certificate StatesCertificate States OCSPOCSP ServerServer OCSPOCSP
  • 34. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) X509 PKIX509 PKI PKI-enabled ApplicationsPKI-enabled Applications Functionality Required:Functionality Required: • Cryptographic functionalityCryptographic functionality • Secure storage of Personal InformationSecure storage of Personal Information • Digital Certificate HandlingDigital Certificate Handling • Directory AccessDirectory Access • Communication FacilitiesCommunication Facilities
  • 35. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) X509 PKIX509 PKI Trust and Legal IssuesTrust and Legal Issues
  • 36. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) X509 PKIX509 PKI Trust and Legal IssuesTrust and Legal Issues • Why should I Trust a CA?Why should I Trust a CA? • How can I determine the liability of a CA?How can I determine the liability of a CA?
  • 37. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) X509 PKIX509 PKI Approaches to Trust andApproaches to Trust and Legal AspectsLegal Aspects • Why should I Trust a CA?Why should I Trust a CA? • How can I determine the liability of a CA?How can I determine the liability of a CA? Certificate Hierarchies, Cross-CertificationCertificate Hierarchies, Cross-Certification Certificate Policies (CP) and Certificate PolicyCertificate Policies (CP) and Certificate Policy Statement (CPS)Statement (CPS)
  • 38. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) X509 PKIX509 PKI Approach to TrustApproach to Trust Certificate HierarchiesCertificate Hierarchies andand Cross-CertificationCross-Certification
  • 39. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Try to reflectTry to reflect Real world Trust ModelsReal world Trust Models CA CA CA RA RA CA RA LRALRA CA CA RA CA CA RA RA Directory Services InternetInternet InternetInternet CA Technology EvolutionCA Technology Evolution
  • 40. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Each entity has its own certificate (and may have more than one). The root CA’s certificate is self signed and each sub-CA is signed by its parent CA. Each CA may also issue CRLs. In particular the lowest level CAs issue CRLs frequently. End entities need to “find” a certificate path to a CA that they trust. Simple Certificate HierarchySimple Certificate Hierarchy Root CARoot CA Sub-CAsSub-CAs End EntitiesEnd Entities
  • 41. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)  Alice Bob Simple Certificate PathSimple Certificate Path Alice trusts the root CAAlice trusts the root CA Bob sends a message to AliceBob sends a message to Alice Alice needs Bob’s certificate, the certificate ofAlice needs Bob’s certificate, the certificate of the CA that signed Bob’s certificate, and so onthe CA that signed Bob’s certificate, and so on up to the root CA’s self signed certificate.up to the root CA’s self signed certificate. Alice also needs each CRL for each CA.Alice also needs each CRL for each CA. Only then can Alice verify that Bob’s certificateOnly then can Alice verify that Bob’s certificate is valid and trusted and so verify the Bob’sis valid and trusted and so verify the Bob’s signature.signature. TrustedTrusted RootRoot
  • 42. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) 11 22 33 1.1. Multiple RootsMultiple Roots 2.2. Simple cross-certificateSimple cross-certificate 3.3. Complex cross-certificateComplex cross-certificate Cross-Certification andCross-Certification and Multiple HierarchiesMultiple Hierarchies
  • 43. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Things are getting more and moreThings are getting more and more complex if Hierarchies andcomplex if Hierarchies and Cross-Certifications are usedCross-Certifications are used X509 PKIX509 PKI Approach to Trust : ProblemsApproach to Trust : Problems
  • 44. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Trusted Root 3 TrustedTrusted RootRoot  Cross-Certification andCross-Certification and Path DiscoveryPath Discovery
  • 45. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) X509 PKIX509 PKI Approach to Legal AspectsApproach to Legal Aspects Certificate PolicyCertificate Policy AndAnd Certificate Practice StatementCertificate Practice Statement
  • 46. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Certificate Policy (CP)Certificate Policy (CP) • A document that sets out the rights, duties andA document that sets out the rights, duties and obligations of each party in a Public Keyobligations of each party in a Public Key InfrastructureInfrastructure • The Certificate Policy (CP) is a document whichThe Certificate Policy (CP) is a document which usually has legal effectusually has legal effect • A CP is usually publicly exposed by CAs, forA CP is usually publicly exposed by CAs, for example on a Web Site (VeriSign, etc.)example on a Web Site (VeriSign, etc.)
  • 47. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Certificate Policy (CP)Certificate Policy (CP) POLICY OUTLINEPOLICY OUTLINE COMMUNITY &COMMUNITY & APPLICABILITYAPPLICABILITY RIGHTS, LIABILITIESRIGHTS, LIABILITIES & OBLIGATIONS& OBLIGATIONS OPERATIONALOPERATIONAL REQUIREMENTSREQUIREMENTS CERTIFICATE &CERTIFICATE & CRL PROFILESCRL PROFILES IDENTIFICATION &IDENTIFICATION & AUTHENTICATIONAUTHENTICATION CPCP TECHNICALTECHNICAL SECURITY CONTROLSECURITY CONTROL
  • 48. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) • Liability IssuesLiability Issues • Repository Access ControlsRepository Access Controls • Confidentiality RequirementsConfidentiality Requirements • Registration ProceduresRegistration Procedures - Uniqueness of Names - Authentication of Users/Organisations • Suspension and Revocation (Online/CRL)Suspension and Revocation (Online/CRL) • Physical Security ControlsPhysical Security Controls • Certificate AcceptanceCertificate Acceptance Policy Issues (CP)Policy Issues (CP)
  • 49. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Certificate Policy StatementCertificate Policy Statement (CPS)(CPS) • A document that sets out what happens in practiceA document that sets out what happens in practice to support the policy statements made in the CPto support the policy statements made in the CP in a PKIin a PKI • The Certificate Practice Statement (CPS) is aThe Certificate Practice Statement (CPS) is a document which may have legal effect in limiteddocument which may have legal effect in limited circumstancescircumstances
  • 50. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) PHYSICAL,PHYSICAL, PROCEDURAL &PROCEDURAL & PERSONNELPERSONNEL CERTIFICATE &CERTIFICATE & CRL PROFILESCRL PROFILES INTRODUCTIONINTRODUCTION GENERALGENERAL PROVISIONSPROVISIONS IDENTIFICATION &IDENTIFICATION & AUTHENTICATIONAUTHENTICATION OPERATIONALOPERATIONAL REQUIREMENTSREQUIREMENTS SPECIFICATIONSPECIFICATION ADMINISTRATIONADMINISTRATION TECHNICALTECHNICAL SECURITYSECURITY CONTROLSCONTROLS CPSCPS Certificate Policy StatementCertificate Policy Statement (CPS)(CPS)
  • 51. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) IETF (PKIX) StandardsIETF (PKIX) Standards • X.509 Certificate and CRL Profiles • PKI Management Protocols • Certificate Request Formats • CP/CPS Framework • LDAP, OCSP, etc. http://www.ietf.org/http://www.ietf.org/
  • 52. HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Identity is Not Enough:Identity is Not Enough: Attribute CertificatesAttribute Certificates IETF (PKIX WG) is also defining standards for AttributeIETF (PKIX WG) is also defining standards for Attribute Certificates (ACs):Certificates (ACs): • Visa Card (Attribute) vs. Passport (Identity)Visa Card (Attribute) vs. Passport (Identity) • Attribute Certificates specify Attributes associatedAttribute Certificates specify Attributes associated to an Identityto an Identity • Attribute Certificates don’t contain a Public keyAttribute Certificates don’t contain a Public key but a link to an Identity Certificatebut a link to an Identity Certificate