Public-Key Infrastructure (PKI) - SMU

Public-Key Infrastructure (PKI) - SMU

Public-Key Infrastructure (PKI) SMU CSE 5349/7349 What is PKI? Pervasive security infrastructure whose services are implemented and delivered using public-key concepts and techniques -(C. Adams, S. Lloyd) Secure sign-on End-user transparency Comprehensive security SMU

CSE 5349/7349 Business Drivers Cost savings Inter-operability Uniformity Potential for validation/testing Choice of provider Consider the analogy with BUS architecture vs. point-to-point links SMU

CSE 5349/7349 Components and Services Certification authority Certificate repository Certificate revocation Key backup and recovery Automatic key update

Key history Cross-certification Support for non-repudiation Time stamping SMU CSE 5349/7349 Certificates Certificate vs. signature Types of certificates X.509 (v1, v2, v3) Simple Public Key Infrastructure (SPKI) certificates PGP certificates Attribute certificates SMU

CSE 5349/7349 Certificate Format Version number Serial number Signature algorithm identifier

Issuer name Period of validity Subject name Subjects public-key info. Issuer unique ID Subject unique ID Extensions Signature SMU CSE 5349/7349 Key/Certificate Life Cycle Initialization

Registration Key-pair generation (where?) Certificate creation and dissemination Key backup Issued Certificate retrieval Certificate validation Cancellation Expiration Revocation History and archive SMU CSE 5349/7349 Certificate Path Processing

Eventual objective is to determine whether the key in a given certificate can be trusted Path construction aggregation of certificates to form a complete path Path validation validating each certificate in the path Target certificate is trusted only if every certificate in the path are trustworthy SMU CSE 5349/7349 X.509 Hierarchy Forward certificates Certificate of X generated by other CAs Reverse certificates Certificates of other CAs generated by X

Example from the book (showed in last class) SMU CSE 5349/7349 Authentication Procedures One-way Two-way Three-way SMU CSE 5349/7349 Problems with PKI Hierarchical model of trust

Chain of partial trust ending in one fully trusted entity Identifier associated with the key pair Unique distinguished name within the namespace Private-key insecurity Has to protect the private key Technical and Implementation difficulties Assumption of global namespace Difficulty in detecting key compromise Inefficient revocation SMU CSE 5349/7349 PKI Problems (contd) Limited assurance provided in reality

CAs generally protected in case of failure What certificate assure (usually) A particular message was generated by an entity that had available to it a particular private key; and CA that provided the certificate has, at some time in the past, had grounds for believing that that private key was associated with a particular entity. CA that provided the certificate has, at some time in the past, had grounds for believing that the entity had some kind of right to use that identifier, or had used that identifier in the past; and CA that provided the certificate has, at some time in the past, had grounds for believing that the entity had access to the appropriate private key. SMU CSE 5349/7349

Problems (contd) What it does not ensure Private key was originally available to other entities as well as the entity to which it purports to be 'bound'; Private key is now available to other entities as well as the entity to which it purports to be 'bound'; Private key invocation that gave rise to a particular message was performed by the entity; and Private key invocation that gave rise to a particular message was performed with the entity's free and informed consent. Privacy invasiveness Just to talk to your buddy securely, you may need to tell your life story to a third party! Idiosyncrasy:

In order to have trust in the party you are transacting with, you are expected to have trust in organizations you have no relationship with at all SMU CSE 5349/7349 What is Really Needed! Minimal Use of Identifiers Minimal Registration Requirements

Mechanisms for Persistent Anonymity Value Authentication without Identity Attribute Authentication without Identity Recourse in case of violation SMU CSE 5349/7349 Alternatives to PKI Web of trust like in PGP Simple Distributed PKI (SDPKI) Login ID, password

Biometrics Other form of cetificates SMU CSE 5349/7349

Recently Viewed Presentations

  • Algebra for All

    Algebra for All

    The mathematics curriculum in Grades PreK-8 should be streamlined and should emphasize a well-defined set of the most critical topics in the early grades. ... The "New" Common Core Standards. Reinforce current best practices.
  • Cristoforo Colombo: "Buscar el Levante por el Poniente"

    Cristoforo Colombo: "Buscar el Levante por el Poniente"

    Forse per questa sua competenza viene ingaggiato dal re del Portogallo per verificare l'esatta posizione della Terra di Vera Cruz (Brasile); 1501-1504, l'esplorazione delle coste del Brasile rivela che si tratta di una nuova terra di grandi dimensioni. 1507 il...
  • Economic Systems and the Role of Government

    Economic Systems and the Role of Government

    Economic Systems and the Role of Government ... all to ensure everyone's basic needs are met Mixed Economies No economy is purely ONE economic system The USA is a mixed economy, leaning toward a market economy In a pure market...
  • Welcome to the 2014-2015 School Year!

    Welcome to the 2014-2015 School Year!

    * Getting books with audio CD at the public library or download books on your Kindle can help students . raise their AR reading level. Absences. ... * Raz-Kids-possibly * Achieve 3000 * DreamBox * Outlook-Email * Kid Blog. Common...
  • CHAPTER T W O 2 International Economics Twelfth

    CHAPTER T W O 2 International Economics Twelfth

    1.3 Trade Based on Absolute Advantage: Adam Smith A nation has absolute advantage over another nation if it can produce a commodity more efficiently.. When one nation has . absolute advantage . in production of a commodity, but an absolute...
  • Seminar on Design Patterns and Architectural Solutions Discover,

    Seminar on Design Patterns and Architectural Solutions Discover,

    Pattern Types See resources: „A pattern system" and the GOF book or „Head first design patterns" Behavioral: mostly geared towards runtime flexibility and complex interactions (e.g. proxy) Creational: control over the lifecycle of objects - indirectly determining behavior of applications...
  • Brave Irene - Jefferson County Public Schools

    Brave Irene - Jefferson County Public Schools

    A fragment is a group of words that does not tell a complete thought. Spelling Day 2 VCCV Pattern Vowels have the short sound when they are followed by two consonants. happen lettuce basket Look at happen. The a is...
  • The History of Life on Earth

    The History of Life on Earth

    Cenozoic Era - 65 mya to today. Tertiary period - 65to 1.8 mya. Oligocene Epoch - 33.7 to 23.8 mya. Start of Pleistocene ice age. Appearance of grasses, elephants, camels, early horses. Miocene Epoch - 23.8 to 5.3 mya. The...