1. The document discusses two main methods for key distribution: symmetric key distribution using symmetric encryption like Kerberos, and key distribution using asymmetric encryption like X.509 certificates.
2. It provides an overview of how symmetric key distribution works in Kerberos, including the use of a key distribution center and ticket granting tickets.
3. It also summarizes X.509 certificates, how they are issued by a certificate authority with a user's public key and signature, and how they can be used to verify a user's identity.
SSL is an acronym for Secure Sockets Layer. It is a protocol used for authenticating and encrypting web traffic. For web traffic to be authenticated means that your browser is able to verify the identity of the remote server.
This presentation is created for Applied Data Communication lecture of Computer Systems Engineering master programme at Tallinn University of Technology
SSL is an acronym for Secure Sockets Layer. It is a protocol used for authenticating and encrypting web traffic. For web traffic to be authenticated means that your browser is able to verify the identity of the remote server.
This presentation is created for Applied Data Communication lecture of Computer Systems Engineering master programme at Tallinn University of Technology
Diffie–Hellman key exchange is a method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman.
Pretty Good Privacy (PGP) is strong encryption software that enables you to protect your email and files by scrambling them so others cannot read them. It also allows you to digitally "sign" your messages in a way that allows others to verify that a message was actually sent by you. PGP is available in freeware and commercial versions all over the world.
PGP was first released in 1991 as a DOS program that earned a reputation for being difficult. In June 1997, PGP Inc. released PGP 5.x for Win95/NT. PGP 5.x included plugins for several popular email programs.
Defines a framework for authentication service using the X.500 directory.It is the Repository of public-key certificates,Based on use of public-key cryptography and digital signatures.
A brief discussion of network security and an introduction to cryptography. We end the presentation with a discussion of the RSA algorithm, and show how it works with a basic example.
E-Mail Security: Pretty Good Privacy, S/MIME IP Security: IP Security overview, IP Security architecture, Authentication Header, Encapsulating security payload, Combining security associations, Internet Key Exchange Case Studies on Cryptography and security: Secure Multiparty Calculation, Virtual Elections, Single sign On, Secure Inter-branch Payment Transactions, Cross site Scripting Vulnerability.
While computer systems today have some of the best security systems ever, they are more vulnerable than ever before.
This vulnerability stems from the world-wide access to computer systems via the Internet.
Computer and network security comes in many forms, including encryption algorithms, access to facilities, digital signatures, and using fingerprints and face scans as passwords.
This presentation will explain all about why and how email security should be implemented.
> Intro to Email Secuirty
> CIA for Email Security
> Steps to secure mail
> PGP ( All 5 Services)
> S/MIME (With its functions)
It is a presentation on Email Security made to present in one of our PPT lectures during my second year of B.Tech.
A short introduction to cryptography. What is public and private key cryptography? What is a Caesar Cipher and how do we decrypt it? How does RSA work?
Diffie–Hellman key exchange is a method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman.
Pretty Good Privacy (PGP) is strong encryption software that enables you to protect your email and files by scrambling them so others cannot read them. It also allows you to digitally "sign" your messages in a way that allows others to verify that a message was actually sent by you. PGP is available in freeware and commercial versions all over the world.
PGP was first released in 1991 as a DOS program that earned a reputation for being difficult. In June 1997, PGP Inc. released PGP 5.x for Win95/NT. PGP 5.x included plugins for several popular email programs.
Defines a framework for authentication service using the X.500 directory.It is the Repository of public-key certificates,Based on use of public-key cryptography and digital signatures.
A brief discussion of network security and an introduction to cryptography. We end the presentation with a discussion of the RSA algorithm, and show how it works with a basic example.
E-Mail Security: Pretty Good Privacy, S/MIME IP Security: IP Security overview, IP Security architecture, Authentication Header, Encapsulating security payload, Combining security associations, Internet Key Exchange Case Studies on Cryptography and security: Secure Multiparty Calculation, Virtual Elections, Single sign On, Secure Inter-branch Payment Transactions, Cross site Scripting Vulnerability.
While computer systems today have some of the best security systems ever, they are more vulnerable than ever before.
This vulnerability stems from the world-wide access to computer systems via the Internet.
Computer and network security comes in many forms, including encryption algorithms, access to facilities, digital signatures, and using fingerprints and face scans as passwords.
This presentation will explain all about why and how email security should be implemented.
> Intro to Email Secuirty
> CIA for Email Security
> Steps to secure mail
> PGP ( All 5 Services)
> S/MIME (With its functions)
It is a presentation on Email Security made to present in one of our PPT lectures during my second year of B.Tech.
A short introduction to cryptography. What is public and private key cryptography? What is a Caesar Cipher and how do we decrypt it? How does RSA work?
When collection of thing belongs to certain definition, it is known as Set. When these set shows a degree of membership, it is known as Fuzzy Set. Fuzzy Set theory was given by the Professor Lofti Zadeh , University of California 1965. Copy the link given below and paste it in new browser window to get more information on Fuzzy Set:- http://www.transtutors.com/homework-help/statistics/fuzzy-set.aspx
Easy for the signer to sign a message
There is no point in having a digital signature scheme that involves the signer needing to use slow and complex operations to compute a digital signature.
Easy for anyone to verify a message
Similarly we would like the verification of a digital signature to be as efficient as possible.
Hard for anyone to forge a digital signature
It should be practically impossible for anyone who is not the legitimate signer to compute a digital signature on a message that appears to be valid. By “appears to be valid” we mean that anyone who attempts to verify the digital signature is led to believe that they have just successfully verified a valid digital signature on a message.
Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow
nodes communicating over a non-secure network to prove their identity to one another in a secure
manner. Its designers aimed it primarily at a client–server model and it provides mutual
authentication—both the user and the server verify each other's identity. Kerberos protocol messages
are protected against eavesdropping and replay attacks.
SECURITY PRACTICE & SYSTEM SECURITY
Authentication applications – Kerberos – X.509 Authentication services – Internet Firewalls for Trusted System: Roles of Firewalls – Firewall related terminology- Types of Firewalls – Firewall designs – SET for E-Commerce Transactions. Intruder – Intrusion detection system – Virus and related threats – Countermeasures – Firewalls design principles – Trusted systems – Practical implementation of
cryptography and security.
#SystemArchitecture Series: #Kerberos Architecture Component and communication flow #architecture
#Kerberos is a ticketing-based #authentication #system, based on the use of #symmetric keys. #Kerberos uses tickets to provide #authentication to resources instead of #passwords. This eliminates the threat of #password stealing via #networksniffing. One of the biggest benefits of #Kerberos is its ability to provide single sign-on (#SSO). Once you log into your #Kerberos environment, you will be automatically logged into other applications in the environment.
To help provide a secure environment, #Kerberos makes use of Mutual #Authentication. In Mutual #Authentication, both the #server and the #client must be authenticated. The client knows that the server can be trusted, and the server knows that the client can be trusted. This #authentication helps prevent man-in-the-middle attacks and #spoofing. #Kerberos is also time sensitive. The tickets in a #Kerberosenvironment must be renewed periodically or they will expire.
Kerberos is a Network Protocol that uses Secret - key cryptography to authenticate client - server applications. It provides the difference between the Firewall and kerberos. And also this slides are gives the information about how does the Kerberos works in ticket granting service and in Application server. Kerberos are work Within networks and small sets of networks.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
2. Overview
• Symmetric Key Distribution using Symmetric Encryption
Kerberos
• Key Distribution using Asymmetric Encryption
X.509 Certificates
2
Raja Khurram Shahzad
3. Symmetric Key Distribution
• Two parties must share same key
Protected from the access of others
Frequent key exchange to limit amount of data
compromised
• Key can be exchanged
1. Physical delivery to B
2. A third party physically deliver it to A and B
3. Re-usage of old key to exchange new key
4. A & B both communicate securely with C, C delivers the key
For option 1 & 2 require manual delivery
For option 3 link encryption or end-to-end encryption, What if old key
is compromised
3
Raja Khurram Shahzad
4. Symmetric Key Distribution
For option 4 two kinds of keys are used
– Session Key: One time key
– Permanent Key: for distributing session key.
– Necessary element, Key Distribution Center (KDC):
determines which systems are allowed to communicate with each
other.
– Operation of KDC
• A wish to communicate B, transmits request to KDC.
Communication is encrypted using a master key
• KDC approves connection and creates one time session key.
Session key is encrypted with permanent keys of A & B and
delivered to A & B.
• A & B set up logical connection and uses session key.
Most widely application to use this approach is KERBEROS
4
Raja Khurram Shahzad
5. Security Concerns
• Key concerns are confidentiality and timeliness
• To provide confidentiality must encrypt identification and session
key info which requires the use of previously shared private or
public keys
• Need timeliness to prevent replay attacks
• Provided by using sequence numbers or timestamps or
challenge/response
5
ET2437 - Network Security
Raja Khurram Shahzad
6. KERBEROS
In Greek mythology, a many headed dog,
the guardian of the entrance of Hades
6
ET2437 - Network Security
Raja Khurram Shahzad
7. KERBEROS
• Users wish to access services on servers.
• Three threats exist:
User pretend to be another user.
User alter the network address of a workstation.
User eavesdrop on exchanges and use a replay attack.
7
ET2437 - Network Security
Raja Khurram Shahzad
8. KERBEROS
• Assumes a distributed client/server architecture
• Provides a centralized authentication server to authenticate
users to servers and servers to users.
• Relies on conventional encryption, making no use of public-
key encryption
• Two versions: version 4 and 5
• Version 4 makes use of DES
8
ET2437 - Network Security
Raja Khurram Shahzad
9. Requirements for Kerberos
• Secure:
Eavesdropper should not be able to obtain the necessary
information to impersonate a user
• Reliable:
Kerberos should employ a distributed server architecture, systems
backing up each other
• Transparent:
User should not be aware that authentication is taking place
• Scalable:
The system should be capable of supporting large number of clients
and servers
9
ET2437 - Network Security
Raja Khurram Shahzad
10. Overview of Kerberos
• AS = Authentication Server
• SS = Service Server
• TGS = Ticket-Granting Server
• TGT = Ticket Granting Ticket
• User Client-based Logon
A user enters a username and password on the client machine.
The client performs a one-way function (hash usually) on the entered
password, and this becomes the secret key of the client/user.
10
Raja Khurram Shahzad
11. Overview of Kerberos
• Client Authentication
The client sends a clear text message of the user ID to the AS
requesting services on behalf of the user. (Note: Neither the secret
key nor the password is sent to the AS.)
– The AS generates the secret key by hashing the password of the
user found at the database.
The AS checks client rights in its database. If valid, the AS sends
back the following two messages to the client:
– Message A: Client/TGS Session Key encrypted using the secret key
of the client/user.
– Message B: Ticket-to Get-Ticket (which includes the client ID, client
network address, ticket validity period, and the client/TGS session
key) encrypted using the secret key of the TGS.
11
Raja Khurram Shahzad
12. Overview of Kerberos
Client receives messages A and B, and decrypt message A to obtain
the Client/TGS Session Key.
– The session key is used for further communications with the TGS.
(Note: The client cannot decrypt Message B, as it is encrypted using
TGS's secret key.)
12
Raja Khurram Shahzad
13. Overview of Kerberos
• Client Service Authorization
When requesting services, the client sends the following two
messages to the TGS:
– Message C: Composed of the TGT from message B and the ID of the
requested service.
– Message D: Authenticator (which is composed of the client ID and the
timestamp), encrypted using the Client/TGS Session Key.
TGS retrieves message B out of message C. It decrypts message B
using the TGS secret key to have "client/TGS session key". Using this
key, the TGS decrypts message D (Authenticator) and sends the
following two messages to the client:
– Message E: Client-to-server ticket (which includes the client ID, client
network address, validity period and Client/Server Session Key)
encrypted using the service's secret key.
– Message F: Client/server session key encrypted with the Client/TGS
Session Key.
13
Raja Khurram Shahzad
14. Overview of Kerberos
• Client Service Authorization
For requesting services, the client sends the following two messages
to the TGS:
– Message C: Composed of the TGT from message B and the ID of the
requested service.
– Message D: Authenticator (which is composed of the client ID and
the timestamp), encrypted using the Client/TGS Session Key.
TGS retrieves message B out of message C.
– It decrypts message B using the TGS secret key. This gives it the
"client/TGS session key". Using this key, the TGS decrypts message
D (Authenticator) and sends the following two messages to the client:
• Message E: Client-to-server ticket (which includes the client ID, client
network address, validity period and Client/Server Session Key)
encrypted using the service's secret key.
• Message F: Client/server session key encrypted with the Client/TGS
Session Key.
14
Raja Khurram Shahzad
15. Overview of Kerberos
• Client Service Request
Client receives messages E and F from TGS.
The client connects to the SS and sends the following two messages:
– Message E from the previous step (the client-to-server ticket,
encrypted using service's secret key).
– Message G: a new Authenticator, which includes the client ID,
timestamp and is encrypted using client/server session key.
The SS decrypts the ticket using its own secret key to retrieve
the Client/Server Session Key. Using the sessions key, SS
decrypts the Authenticator and sends the following message to the
client to confirm its true identity and willingness to serve the client:
– Message H: the timestamp found in client's Authenticator plus 1,
encrypted using the Client/Server Session Key.
ƒ The client decrypts the confirmation using the Client/Server
Session Key and checks whether the timestamp is correctly updated.
If so, then the client can trust the server and can start issuing service
requests to the server.
15
The server provides the requested services to the client.
Raja Khurram Shahzad
17. Kerberos Version 4
• Terms:
C = Client
AS = authentication server
V = server
IDc = identifier of user on C
IDv = identifier of V
Pc = password of user on C
ADc = network address of C
Kv = secret encryption key shared by AS and V
TS = timestamp
|| = concatenation
17
ET2437 - Network Security
Raja Khurram Shahzad
18. A Simple Authentication Dialogue
(1) C AS: IDc || Pc || IDv
(2) AS C: Ticket
(3) C V: IDc || Ticket
• Ticket = EKv[IDc || Pc || IDv]
18
ET2437 - Network Security
Raja Khurram Shahzad
19. Remaining problems
2. Number of times that a user has to enter a password
4. Plain-text transmission of password
19
ET2437 - Network Security
Raja Khurram Shahzad
20. More secure Authentication Dialogue
Once per user logon session:
• C AS: IDC || IDtgs
• AS C: EKc [ Tickettgs ]
Once per type of service:
(3) C TGS: IDC || IDV ||Tickettgs
(4) TGS C: TicketV
Once per service session:
(5) C V: IDC || TicketV
20
ET2437 - Network Security
Raja Khurram Shahzad
21. Remaining problems
3. The lifetime associated with the ticket-granting ticket
5. Servers are not able to authenticate themselves
21
ET2437 - Network Security
Raja Khurram Shahzad
22. Version 4 Authentication Dialogue
Authentication Service Exhange: To obtain Ticket-Granting
Ticket
• C AS: IDc || IDtgs ||TS1
• AS C: EKc [Kc,tgs|| IDtgs || TS2 || Lifetime2 || Tickettgs]
Ticket-Granting Service Echange: To obtain Service-Granting
Ticket
(3) C TGS: IDv ||Tickettgs ||Authenticatorc
(4) TGS C: EKc [Kc,¨v|| IDv || TS4 || Ticketv]
Client/Server Authentication Exhange: To Obtain Service
(5) C V: Ticketv || Authenticatorc
(6) V C: EKc,v[TS5 +1]
22
ET2437 - Network Security
Raja Khurram Shahzad
23. Version 4 Authentication Dialogue
• Problems:
Lifetime associated with the ticket-granting ticket
If to short repeatedly asked for password
If to long greater opportunity to replay
• The threat is that an opponent will steal the ticket and use it before
it expires
23
ET2437 - Network Security
Raja Khurram Shahzad
25. Request for Service in Another Realm
25
ET2437 - Network Security
Raja Khurram Shahzad
26. Difference Between Version 4 and 5
• Encryption system dependence (V.4 DES)
• IP - Internet protocol dependence
• Message byte ordering
• Ticket lifetime
• Authentication forwarding
• Inter realm authentication
26
ET2437 - Network Security
Raja Khurram Shahzad
27. Kerberos - in practice
• Currently have two Kerberos versions:
4 : restricted to a single realm
5 : allows inter-realm authentication, in beta test
• Kerberos v5 is an Internet standard
• Specified in RFC1510, and used by many utilities
• To use Kerberos:
need to have a Key Distribution Center (KDC) on your network
need to have Kerberised applications running on all participating
systems
major problem - US export restrictions
Kerberos cannot be directly distributed outside the US in source format
(& binary versions must obscure crypto routine entry points and have
no encryption)
else crypto libraries must be re-implemented locally
27
ET2437 - Network Security
Raja Khurram Shahzad
28. Key Distribution using Asymmetric Encryption
• Problem : The distribution of Public Keys
What if a fake user imparsionate to be a legitimate user and distribute his
keys
• Solution : Public-Key Certificates
Consists of a public key + User ID of the key owner with whole block
signed by a trusted third party
Third party is a Certificate Authority (CA), trusted by user community
User deliver public key to CA in a secure manner and obtain a certificate
User publish the certificate
Anyone needing this user’s public key can obtain the certificate and verify
it by attached trusted signature
X.509 Certificates
28
Raja Khurram Shahzad
29. Key Distribution using Asymmetric Encryption
29
Public-Key Certificate Use
Raja Khurram Shahzad
30. X.509 Certificates
• Standard for a Public Key Infrastructure (PKI)
Set of hardware, software, people, policies and procedures needed to
create, manage, store, distribute and revoke digital certificates based
on asymmetric cryptography
• Distributed set of servers that maintains a database about users.
• Assumes a strict hierarchical system of certificate authorities (CAs)
for issuing the certificates
• Each certificate contains the public key of a user and is signed with
the private key of a CA.
• Is used in S/MIME, IP Security, SSL/TLS and SET.
30
• RSA is recommended to use.
Raja Khurram Shahzad
31. X.509 Certificates
• A certification authority issues a certificate binding a public key to
a particular distinguished user
A certificate authority or certification authority (CA) is an entity which
issues digital certificates for use by other parties. It is an example of
a trusted third party. There are many commercial CAs that charge for
their services. Institutions and governments may have their own
CAs, and there are free CAs.
• An organization's trusted root certificates can be distributed to all
employees so that they can use the company PKI system
• X.509 also includes standards for certificate revocation list (CRL)
implementations
31
Raja Khurram Shahzad
35. Obtaining a User’s Certificate
• Characteristics of certificates generated by CA:
Any user with access to the public key of the CA can recover the
user public key that was certified.
No part other than the CA can modify the certificate without this
being detected.
35
ET2437 - Network Security
Raja Khurram Shahzad
36. Revocation of Certificates
• Reasons for revocation:
The users secret key is assumed to be compromised.
The user is no longer certified by this CA.
The CA’s certificate is assumed to be compromised.
36
ET2437 - Network Security
Raja Khurram Shahzad
37. 37
ET2437 - Network Security
Raja Khurram Shahzad