An Introduction to
Distributed Security Concepts and
Public Key Infrastructure (PKI)
Mary Thompson, Oleg Kolesnikov
Berkeley National Laboratory,
1 Cyclotron Rd,
Berkeley, CA 94720
M.Thompson, O.Kolesnikov, Berkeley National Laboratory
Local Computing
 User sits down in front of the computer
 Responds to the login prompt with a user id and password.
 Machine has a list of all the users and their encrypted
passwords
 Password never goes across the network
 Passwords are encrypted with a one-way function
 The Unix crypt algorithm has been around since the mid-70's.
It uses a salt to keep identical passwords from having the
same encryption, uses only 8 characters (case sensitive), and
applies 25 iterations of DES.
 Typically broken by guessing passwords and verifying the guesses
against the stored hash, or by snooping the password.
Remote Access Computing
 User logs in to one or more remote machine(s)
 Each machine has its own copy of userid and
password for each user
 Changing a password on one machine does not affect the
other machines
 Each time a user connects to a different machine, she
must login again
 In the standard Unix login or rsh commands, the user's
password is sent in clear text over the network, or else
hosts trust users on the basis of their IP addresses
 ssh
 encrypts the password before sending it
 or uses the user's key pair to establish her identity
Single Domain Remote Access Computing
 User gets access to many machines in a single
administrative domain.
 He has a single userid and password for all the machines
 Can login just once to a central trusted server
 Examples
 Kerberos freeware from MIT Project Athena
 NIS - Sun software with remote access commands
Kerberos
 User/password-based authentication based on the late-70's
Needham-Schroeder algorithms.
 The Kerberos Authentication Server, aka KDC (Key Distribution
Center), shares a long-term secret (password) with each
authorized user.
 The user logs in and establishes a short-term session key with
the AS, which can be used to establish his identity with other
entities, e.g. file system, other hosts or services, each of
which trusts the authentication server.
 The authorization mechanism needs to be integrated with
each function, e.g. file access, login, telnet, ftp, ...
 The central server is a single point of vulnerability to attack
and failure.
 Has been in use for 20 years; we are now at version 5.
NIS
 Central server has all the user ids and passwords, so they don't
need to be stored locally.
 Facilitates the same user id and password on all machines
on a network
 Then rlogin and rsh allow the user to have access to all the
hosts in the hosts.equiv and .rhosts files
 No real security: depends on IP addresses
 Integrated with NFS to allow access to NFS files from any
host to which they are exported.
Cross Domain Authentication
 Holy Grail is to allow a user to log in once and get access
to a ticket that will identify him to all machines on which he
is allowed to run.
 Kerberos supports cross realm authentication, but it is
politically difficult to achieve. Used for multiple AFS/DFS
cells within a single institution. CMU, DOE weapons labs
 X.509 Identity certificates. An IETF standard. Contains a
multi-part unique name and a public key. The legitimate
owner of the certificate has the matching private key.
Motivation for Universal Identity certificate
 Distributed computing environments, collaborative
research environments
 Resources, stakeholders and users are all distributed
 Spanning organizational as well as geographical
boundaries, e.g., DOE Collaboratories
 Requires a flexible but secure way to identify users
 Requires a flexible and secure way to identify
stakeholders
Security Levels
 Confidentiality
 Protection from disclosure to unauthorized persons
 Integrity
 Maintaining data consistency
 Authentication
 Assurance of identity of person or originator of data
 Non-repudiation
 Originator of communications can't deny it later - requires
long-term keys
 Authorization
 Identity combined with an access policy grants the rights to
perform some action
Security Building Blocks
 Encryption provides
 confidentiality, can provide authentication and integrity
protection
 Checksums/hash algorithms provide
 integrity protection, can provide authentication
 Digital signatures provide
 authentication, integrity protection, and non-repudiation
Keys
 Symmetric Keys
 Both parties share the same secret key
 Problem is securely distributing the key
 DES - 56-bit key considered unsafe for financial purposes
since 1998
 3DES uses three DES keys
 Public/Private keys
 One key is the mathematical inverse of the other
 Private keys are known only to the owner
 Public keys are stored in public servers, usually in an X.509
certificate.
 RSA (patent expires Sept 2000), Diffie-Hellman, DSA
Hash Algorithms
 Reduce variable-length input to fixed-length (128- or
160-bit) output
 Requirements
 Can't deduce the input from the output
 Can't find an input that produces a given output
 Can't find two inputs which produce the same output
 Used to
 Produce fixed-length fingerprint of arbitrary-length data
 Produce data checksums to enable detection of
modifications
 Distill passwords down to fixed-length encryption keys
 Also called message digests or fingerprints
Message Authentication Code MAC
 Hash algorithm + key to make the hash value dependent on the
key
 Most common form is HMAC (hash MAC)
 hash( key, hash( key, data ))
 Key affects both start and end of the hashing process
 Naming: hash + key = HMAC-hash
 MD5 → HMAC-MD5
 SHA-1 → HMAC-SHA (recommended)
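The construction on this slide, as an added example that is not part of the original deck: HMAC built from a plain hash per RFC 2104 (the slide's hash(key, hash(key, data)) shorthand is the inner and outer keyed passes), cross-checked against Python's hmac module and verified on the receiving side with a constant-time comparison. The key and message are constructed sample values.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC from a plain hash, as in RFC 2104:
        H((K xor opad) || H((K xor ipad) || data))
    The key enters the inner pass (start) and the outer pass (end), which is
    what the slide's hash(key, hash(key, data)) shorthand describes.
    """
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:                        # long keys are hashed first...
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")             # ...short ones are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + data).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def mac_name(hash_name: str) -> str:
    """Naming rule from the slide: hash + key = HMAC-<hash>."""
    return "HMAC-" + {"md5": "MD5", "sha1": "SHA-1"}.get(hash_name, hash_name.upper())


def matches_stdlib(key: bytes, data: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-rolled construction against Python's hmac module."""
    return hmac_manual(key, data, hash_name) == hmac.new(key, data, hash_name).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the tag and compare in constant time (no timing leak)."""
    return hmac.compare_digest(hmac_manual(key, data, hash_name), tag)


if __name__ == "__main__":
    key = b"constructed-shared-secret"               # sample key, constructed for the demo
    msg = b"transfer 100 credits to account 42"      # sample message, constructed
    for h in ("md5", "sha1"):
        print(mac_name(h), hmac_manual(key, msg, h).hex(), "stdlib match:", matches_stdlib(key, msg, h))
    tag = hmac_manual(key, msg)
    print("valid:", verify_mac(key, msg, tag))                # True
    print("tampered:", verify_mac(key, msg + b"0", tag))      # False
    print("wrong key:", verify_mac(b"other-key", msg, tag))   # False
```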
Digital Signatures
 Combines a hash with a digital signature algorithm
 To sign
 hash the data
 encrypt the hash with the sender's private key
 send the data, the signer's name and the signature
 To verify
 hash the data
 find the sender’s public key
 decrypt the signature with the sender's public key
 the result of which should match the hash
Elements of PKI
 Certificate Authorities (CA)
 OpenSSL, Netscape, Verisign, Entrust, RSA Keon
 Public/Private Key Pairs - Key management
 X.509 Identity Certificates - Certificate management
 LDAP servers
X.509 Identity Certificates
 Distinguished Name of user
 C=US, O=Lawrence Berkeley National Laboratory, OU=DSD,
CN=Mary R. Thompson
 DN of Issuer
 C=US, O=Lawrence Berkeley National Laboratory, CN=LBNL-CA
 Validity dates:
 Not before <date>, Not after <date>
 User's public key
 V3 extensions
 Signed by CA
 Defined in ASN.1 notation - language independent
Certificate Authority
 A trusted third party - must be a secure server
 Signs and publishes X.509 Identity certificates
 Revokes certificates and publishes a Certificate Revocation
List (CRL)
 Many vendors
 OpenSSL - open source, very simple
 Netscape - free for limited number of certificates
 Entrust - Can be run by enterprise or by Entrust
 Verisign - Run by Verisign under contract to enterprise
 RSA Security - Keon servers
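An added example, not from the original deck, that carries the sign and verify steps of the Digital Signatures slide through a toy CA as described on this slide: hash-then-RSA signatures (textbook RSA with no padding, so a teaching toy rather than a deployable scheme), issuing a certificate with the X.509 fields listed earlier (subject DN, issuer DN, validity dates, public key), and a relying party that checks the CA's signature, the validity window and a CRL. Canonical JSON stands in for ASN.1 DER, the DNs and serial number are constructed, and all function names are this example's own.

```python
import hashlib
import json
import secrets
import time


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; a composite passes with probability below 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Toy RSA key pair -> ((n, e), (n, d)). Real CAs use 2048-bit or larger moduli."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))   # pow(e, -1, m) needs Python 3.8+


def sign(private, data: bytes) -> int:
    """Slide 'To sign': hash the data, then apply the private key to the hash."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    assert h < n, "hash must be smaller than the modulus"
    return pow(h, d, n)


def verify(public, data: bytes, signature: int) -> bool:
    """Slide 'To verify': apply the public key to the signature, compare with the hash."""
    n, e = public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def tbs_bytes(cert: dict) -> bytes:
    """The to-be-signed part. X.509 encodes it in ASN.1 DER; canonical JSON stands in here."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()


def issue_certificate(ca_private, issuer_dn, subject_dn, subject_public, serial, days=365):
    """CA step: bind subject DN, validity window and public key under the CA's signature."""
    now = int(time.time())
    cert = {"serial": serial, "subject": subject_dn, "issuer": issuer_dn,
            "not_before": now, "not_after": now + days * 86400,
            "public_key": list(subject_public)}
    cert["signature"] = sign(ca_private, tbs_bytes(cert))
    return cert


def validate_certificate(cert, ca_public, crl, now=None) -> str:
    """Relying-party checks: issuer signature, validity dates, then the CRL (a set of serials)."""
    now = int(time.time()) if now is None else now
    if not verify(ca_public, tbs_bytes(cert), cert["signature"]):
        return "bad signature"           # any edited field breaks the CA's signature
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "outside validity period"
    if cert["serial"] in crl:
        return "revoked"
    return "ok"


if __name__ == "__main__":
    ca_pub, ca_priv = generate_keypair()         # the trusted third party's key pair
    user_pub, _ = generate_keypair()
    cert = issue_certificate(ca_priv, "C=US, O=Example Lab, CN=Example-CA",
                             "C=US, O=Example Lab, OU=DSD, CN=Example User", user_pub, 1001)
    print(validate_certificate(cert, ca_pub, set()))                                # ok
    print(validate_certificate(dict(cert, subject="CN=Impostor"), ca_pub, set()))   # bad signature
    print(validate_certificate(cert, ca_pub, {cert["serial"]}))                     # revoked
```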
LDAP server
 Lightweight Directory Access Protocol (IETF standard)
 Evolved from DAP and X.500 Identities
 Used by CAs to store users' identity certificates
 Open source implementations
 Standard protocol for lookup, entry, etc.
 Access control is based on a user name and password.
SSL / TLS
 SSLv3.1 = TLS v1.0; NB: WTLS -- TLS for Wireless Links
 Works over TCP; Application Independent.
SSL/TLS allows client/server apps to
communicate via a protected channel.
 Common example -- HTTP over SSL/TLS, e.g.
https://www.entrust.com
SSL Handshake
 When you type https://www.entrust.com, browser initiates a
new SSL/TLS connection.
 For the new connection SSL Handshake must be performed
which will:
 Negotiate the cipher suite
 Authenticate the server to the client [optional]
 Use public-key algorithms to establish a shared session
key
 Authenticate the client to the server [optional]
SSL Handshake details
 Client hello:
 Client’s challenge, client’s nonce
 Available cipher suites (e.g. DSA/RSA; Triple-DES/IDEA;
SHA-1/MD5 et al.)
 Server hello:
 Server’s certificate, server’s nonce
 Session ID
 Selected cipher suite
 Server adapts to client capabilities
 Optional certificate exchange to authenticate server/client
 Usually only server authentication is used
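The negotiation and key-establishment steps described on these two handshake slides, as an added example that is not from the original deck: the server selects from the suites the client offered by its own preference order and policy (the slide's "server adapts to client capabilities"), and both sides derive the session key from the public-key-protected premaster secret plus both nonces. The suite labels follow the slide's key-exchange/cipher/hash shorthand and are not real TLS identifiers, and the HMAC derivation is a simplified stand-in for the TLS PRF.

```python
import hmac
import secrets

# Suite labels in the slide's shorthand; illustrative, not IANA TLS cipher suite names.
SERVER_PREFERENCE = ["RSA/3DES/SHA-1", "RSA/IDEA/SHA-1", "RSA/3DES/MD5", "RSA/RC4/MD5"]
SERVER_MINIMUM = {"RSA/3DES/SHA-1", "RSA/IDEA/SHA-1"}   # policy: refuse MD5-only suites


def client_hello(suites, nonce=None):
    """ClientHello carries a fresh nonce and the suites the client can use."""
    return {"nonce": nonce or secrets.token_bytes(32), "suites": list(suites)}


def server_hello(hello, preference=SERVER_PREFERENCE, allowed=SERVER_MINIMUM, nonce=None):
    """ServerHello picks the first suite in *server* preference order that the
    client offered and that policy allows; the client's ordering is not trusted."""
    offered = set(hello["suites"])
    for suite in preference:
        if suite in offered and suite in allowed:
            return {"nonce": nonce or secrets.token_bytes(32),
                    "session_id": secrets.token_hex(16), "suite": suite}
    return None   # handshake failure: no acceptable common suite


def derive_session_key(premaster, client_nonce, server_nonce, suite):
    """Both ends compute the same key from the premaster secret (sent under the
    server's public key) and both nonces, so replaying an old ClientHello gives
    a different key as soon as the server nonce changes."""
    hash_name = "sha1" if suite.endswith("SHA-1") else "md5"
    return hmac.new(premaster, b"session key" + client_nonce + server_nonce, hash_name).digest()


if __name__ == "__main__":
    # Constructed run: the client lists its weakest suite first, the server still picks 3DES/SHA-1.
    hello = client_hello(["RSA/RC4/MD5", "RSA/3DES/SHA-1"])
    reply = server_hello(hello)
    print("selected:", reply["suite"])                                   # RSA/3DES/SHA-1
    print("MD5-only client:", server_hello(client_hello(["RSA/RC4/MD5"])))   # None
    premaster = secrets.token_bytes(48)      # in SSL this travels encrypted with the server's key
    key_client = derive_session_key(premaster, hello["nonce"], reply["nonce"], reply["suite"])
    key_server = derive_session_key(premaster, hello["nonce"], reply["nonce"], reply["suite"])
    print("both sides agree:", key_client == key_server)                 # True
```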
SSL Handshake completed
 After the Handshake is completed, SSL session begins
 Application Data can be transmitted using the established
SSL connection / session
 Example of Application Data:
HEAD /index.html HTTP/1.1
HTTP/1.1 200 OK
Date: Wed, 11 Jul 2001 08:15:47 GMT
[…]
Content-Type: text/html
Status
 Single-purpose CAs, e.g. Globus (SSLeay) Collaboratory,
DOE-Grid (Netscape)
 Enterprises slow to run CAs
 Many different vendors - Verisign, Entrust, Netscape, RSA
Security Keon
 Incompatible Key and Certificate management between
vendors
 Certificates are not integrated with existing applications that
need authorization
 Large amount of corporate overhead in running a CA
 Uncertain legal implications of issuing certificates
 Lab is currently looking at the RSA Keon server as it has
integration with ssh and NIS authorization
Public Key Cryptography Standards - PKCS
 PKCS 7
 Cryptographic Message Syntax Standard
 PKCS 10
 Certification Request Syntax Standard - used by Netscape
browser, IE, and SSL libraries
 PKCS 11
 Cryptographic Token Interface Standard - An API for
signing and verifying data by a device that holds the key
 PKCS 12
 Personal Information Exchange Syntax Standard - file
format for storing certificate and private key - used to move
private information between browsers
References
 Peter Gutmann's tutorial
 http://www.cs.auckland.ac.nz/~pgut001/tutorial/
about 500 slides covering cryptography, secure connection
protocols, PKI, politics and more.
 RSA Laboratories PKCS specifications
 http://www.rsasecurity.com/rsalabs/pkcs/
 SSL/TLS
 TLS v1.0 RFC - http://www.ietf.org/rfc/rfc2246.txt
 SSL v3 - http://www.netscape.com/eng/ssl3/draft302.txt
 OpenSSL - http://www.openssl.org/
