Use of Public-Key Infrastructure (PKI)

Erik Andersen
Association for the Directory Information and Related Search Industry (EIDQ - http://www.eidq.org)
Andersen's L-Service consultancy
Rapporteur for Directory services, Directory systems, and public-key/attribute certificates
era@x500.eu

Geneva, 6-7 December 2010
Addressing security challenges on a global scale

Where it all starts

What to cover
- Introduction to basic PKI principles
- Use of PKI within Identity Management
- Use of PKI for IP Security (IPSec)
- Use of PKI for RFID identification
- Use of PKI within cloud computing

Public-key Certificates
[Diagram: Public-key certificate containing Name of user and Public key, signed by Certification Authority (CA)]
- The public-key certificate is the basic concept for public-key infrastructure (PKI).
- A public-key certificate provides the binding between a name and a public key for a user for a given period and is issued and confirmed by a Certification Authority (CA).

Can I trust a certificate?
- A certificate may have expired
- The corresponding private key may be compromised
- The CA policy for issuing certificates may not be satisfactory
- A certificate may be a forgery, as the CA's private key may be compromised
- Etc.

Public-Key Infrastructure (PKI)
- Security is about Trust!
- PKI is an infrastructure for checking the validity or quality of a presented public-key certificate
- A PKI consists of a number of interworking components
- Somewhere there must be a trust anchor

Relationship with IdM (Identity proofing)
[Diagram: Public-key certificate containing Name of user, Public key, and Pointer to policy]
- Name to be verified by the Certification Authority or Registration Authority
  - Uniqueness
  - Proof of identity
  - Legal right to name
- Level of verification depending on use of certificate
- Part of Identity Management (IdM)
- Guidelines provided by
  - ITU-T SG 17 IdM group
  - CA Browser Forum
  - ETSI ESI activity
- Rules may be expressed in a Certificate Policy document

IP Security (IPsec)
- Specified in RFC 4301
- Provides end-to-end protection for all applications using this end-to-end connection
- Uses shared cryptographic keys for authentication, integrity, and confidentiality of data
- Uses Internet Key Exchange (IKE) for establishing shared keys (security association) - RFC 5996
- Diffie-Hellman key exchange is used by IKE for that purpose (RFC 3526)

Problem using Internet Key Exchange without PKI
[Diagram: Bob and Alice, Diffie-Hellman key exchange. Bob, "Man-in-the-middle", Alice, with a Diffie-Hellman key exchange on each side.]

Using Internet Key Exchange with PKI
[Diagram: Bob and Alice, Diffie-Hellman key exchange using digital signature and optionally certificate information]
- A man-in-the-middle will be detected!
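The two key-exchange slides above, as an added example that is not part of the original presentation: each side signs its Diffie-Hellman public value and the peer checks the signature against a certified key, so a substituted value is rejected. The toy group, the textbook-RSA keys, the names and the CERTIFIED table are constructed for illustration; real IKE uses the RFC 3526 groups, signs more of the exchange, and validates certificates up to a trust anchor.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example only (far too small for real use).
P, G, E = 2**127 - 1, 3, 65537          # DH prime, DH generator, RSA public exponent

def make_key(p, q):                     # textbook-RSA key pair: (public, private)
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(name, dh_public, n):         # binds the claimed identity to the DH value
    h = hashlib.sha256(f"{name}|{dh_public}".encode()).digest()
    return int.from_bytes(h, "big") % n

def sign(private, name, dh_public):
    n, d = private
    return pow(digest(name, dh_public, n), d, n)

def verify(public, name, dh_public, signature):
    n, e = public
    return pow(signature, e, n) == digest(name, dh_public, n)

ALICE_PUB, ALICE_PRIV = make_key(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_key(2**107 - 1, 2**521 - 1)
_, OTHER_PRIV = make_key(2**607 - 1, 2**1279 - 1)  # key with no certificate for "alice"
CERTIFIED = {"alice": ALICE_PUB, "bob": BOB_PUB}   # stand-in for validated certificates

def dh_message(name, private_key):
    """Return (secret exponent, signed message carrying the DH public value)."""
    x = secrets.randbelow(P - 3) + 2
    y = pow(G, x, P)
    return x, {"from": name, "dh": y, "sig": sign(private_key, name, y)}

def accept(msg, my_secret):
    """Check the signature against the sender's certified key, then derive the key."""
    public = CERTIFIED.get(msg["from"])
    if public is None or not verify(public, msg["from"], msg["dh"], msg["sig"]):
        return None                      # authentication failed: abort the exchange
    return pow(msg["dh"], my_secret, P)

def honest_exchange():
    a, msg_a = dh_message("alice", ALICE_PRIV)
    b, msg_b = dh_message("bob", BOB_PRIV)
    return accept(msg_b, a), accept(msg_a, b)   # both sides derive the same key

def substituted_exchange():
    b, _ = dh_message("bob", BOB_PRIV)
    _, forged = dh_message("alice", OTHER_PRIV)  # claims "alice", signed with another key
    return accept(forged, b)                     # None: the substitution is detected
```

Without the signature check in accept(), the receiver would derive a key from whatever value arrived, which is the situation on the "without PKI" slide.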

Radio-Frequency Identification
[Diagram: Directory infrastructure, RFID tag, RFID reader, Client system]
- The RFID tag contains information, including a unique identity
- The unique identity is used to access information associated with the tag

Protecting RFID information
[Diagram: RFID tag containing Unique identity, Information, and Signature over essential information]
- Signature produced by private key of vendor (tag creator)
- Pharmaceutical drugs from Counterfeit Drugs Inc.
- RFID tag says: Pharmaceutical drugs from Roche Ltd.
- Signature not produced using Roche's private key
- Signature checked using Roche's public key
- Signature check fails

Radio-Frequency Identification (RFID)
[Diagram: RFID tag (Identifier, Signed Info), RFID reader, Client system, Directory infrastructure. Search using identifier as search criterion; Certificate information; Other Information.]

Authentication and authority for Cloud Computing
[Diagram: Public-key certificate (Name of user, Public key, Privileges); Attribute certificate (Privileges)]
- Generally of importance
  - Check of identity
  - Check of privileges
- Even of greater importance for Cloud Computing
- A public-key certificate may contain privilege information
- Alternatively, an attribute certificate may be used

Identity and privilege issues for hybrid clouds
[Diagram: Hybrid Cloud, Private Cloud, Public Cloud, Cloud]
- Clouds with multiple service providers/hybrid clouds:
  - Different privileges
  - Different identities
  - Danger of complex key management

Authentication and authority for Cloud Computing
- ITU-T Study Group 17, Question 11 has the issue on its to-do list
- It has a relationship with
  Identity Management
- One solution may be use of attribute certificates
- Attribute certificate:
  - Used for assigning privileges to user
  - Points to user, e.g., by pointer to user's public-key certificate

END