Add to collection(s) Add to saved
  1. Business
  2. Management

Dual-sided certificates

advertisement 
NETWORK
SECURITY
06
APPLYING CRYPTOGRAPHY
Contents
6.1
6.2
6.3
6.4
Digital Certificates
Pubic Key Infrastructure
Key Management
Cryptographic Transport Protocols
06 APPLYING CRYPTOGRAPHY
2
6.1 Digital Certificates
• Alice receives a package containing an
encrypted document from Bob. It is secure
as it was encrypted.
• Yet how can she know that it came from
Bob? Because Alice’s asymmetric public
key is widely available, anyone could use
it to encrypt the document.
• The answer is to use a digital signature.
06 APPLYING CRYPTOGRAPHY
3
6.1 Digital Certificates
06 APPLYING CRYTOGRAPHY
4
6.1 Digital Certificates
06 APPLYING CRYTOGRAPHY
5
6.1 Digital Certificates
6.1.1
Defining Digital Certificates
– Digital certificates can be used to associate
or “bind” a user’s identity to a public key.
– A digital certificate is the user’s public key
that has itself been “digitally signed” by a
reputable source entrusted to sign it.
06 APPLYING CRYPTOGRAPHY
6
6.1 Digital Certificates
– Digital certificates prevent a man-in-themiddle attack that impersonates the owner of
the public key.
– Digital certificates can also be used to identify
objects other than users, such as servers and
applications.
06 APPLYING CRYPTOGRAPHY
7
6.1 Digital Certificates
– A digital certificate typically contains the
following information:
•
•
•
•
•
•
Owner’s name or alias
Owner’s public key
Name of the issuer
Digital signature of the issuer
Serial number of the digital certificate
Expiration date of the public key
06 APPLYING CRYPTOGRAPHY
8
6.1 Digital Certificates
6.1.2
Authorizing, Storing and
Revoking
• Several entities and technologies are used
for authorizing, storing, and revoking
digital certificates.
• These include the Certificate Authority
(CA) and Registration Authority (RA), a
Certificate Repository (CR), and a
Certificate Revocation List (CRL).
06 APPLYING CRYPTOGRAPHY
9
6.1 Digital Certificates
Authority (CA) & Registration (RA)
• Instead of a user verifying his own identity,
a third-party person or agency is used.
• An entity that issues digital certificates for
others is known as a Certificate Authority
(CA).
06 APPLYING CRYPTOGRAPHY
10
6.1 Digital Certificates
• A user provides information to a CA that
verifies her identity.
• Also, the user generates public and private
keys and sends the public key to the CA
(or in some instances the CA may create
the keys).
• The CA inserts this public key into the
certificate.
06 APPLYING CRYPTOGRAPHY
11
6.1 Digital Certificates
• A CA can be external to the organization,
or it can be a CA internal to the
organization.
• Some organizations set up a subordinate
entity, called a Registration Authority
(RA), to handle some CA tasks such as
processing certificate requests and
authenticating users.
06 APPLYING CRYPTOGRAPHY
12
6.1 Digital Certificates
Certificate Revocation List (CRL)
• Digital certificates normally have an
expiration date.
• Expired digital certificates should then be
revoked.
• Revoked digital certificates are listed in a
Certificate Revocation List (CRL), which
can be accessed to check the certificate
status of other users.
06 APPLYING CRYPTOGRAPHY
13
6.1 Digital Certificates
Certificate Repository (CR)
• It is important that the CA publishes the
certificates and CRLs to a directory.
• This directory can be managed locally or
in a publicly accessible directory, which is
called a Certificate Repository (CR).
06 APPLYING CRYPTOGRAPHY
14
6.1 Digital Certificates
6.1.3
Types of Digital Certificates
• There are different types of digital
certificates.
• In addition, some digital certificates are
single-side while others can be dual-sided.
• Also, standards exist for digital certificates.
06 APPLYING CRYPTOGRAPHY
15
6.1 Digital Certificates
• In addition to being used to verify the
sender’s identity, digital certificates can
also be used to:
– Encrypt channels to provide secure
communication between clients and servers
– Encrypt messages for secure Internet e-mail
communication
– Verify the identity of clients and servers on the
Web
06 APPLYING CRYPTOGRAPHY
16
6.1 Digital Certificates
– Verify the source and integrity of signed
executable code
• There are three basic categories of digital
certificates:
– personal digital certificates,
– Server digital certificates, and
– software publisher digital certificates.
06 APPLYING CRYPTOGRAPHY
17
6.1 Digital Certificates
Personal Digital Certificates
• Personal digital certificates are issued by a
CA or RA directly to individuals.
• Personal digital certificates are typically
used to secure e-mail transmissions.
• Digital certificates can also be used to
authenticate the authors of documents.
06 APPLYING CRYPTOGRAPHY
18
6.1 Digital Certificates
Server Digital Certificates
• Server digital certificates are often issued
from a Web server to a client.
• Typically perform two functions.
– First, they can ensure the authenticity of the
Web server.
– Second, server certificates can ensure the
authenticity of the cryptographic connection to
the Web server.
06 APPLYING CRYPTOGRAPHY
19
6.1 Digital Certificates
06 APPLYING CRYPTOGRAPHY
20
6.1 Digital Certificates
• Most server digital certificates combine
both server authentication and secure
communication between clients and
servers on the Web.
06 APPLYING CRYPTOGRAPHY
21
6.1 Digital Certificates
• Software Publisher Digital Certificates
• Software publisher digital certificates are
provided by software publishers.
• The purpose of these certificates is to
verify that their programs are secure and
have not been tampered with.
06 APPLYING CRYPTOGRAPHY
22
6.1 Digital Certificates
Single Side and Dual Side
• Digital certificates can be either singlesided or dual-sided.
• When Bob sends one digital certificate to
Alice along with his message, that is
known as a single-sided certificate.
06 APPLYING CRYPTOGRAPHY
23
6.1 Digital Certificates
• Dual-sided certificates are certificates in
which the functionality is split between two
certificates.
– The signing certificate is used to sign a
message to prove that that sender is
authentic.
– The encryption certificate is used for the
actual encryption of the message.
06 APPLYING CRYPTOGRAPHY
24
6.1 Digital Certificates
• Dual-sided certificates have two
advantages.
– First, dual-sided certificates reduce the need
for storing multiple copies of the signing
certificate.
– Second, dual-sided certificates facilitate
certificate handling in organizations.
06 APPLYING CRYPTOGRAPHY
25
6.1 Digital Certificates
X.509 Digital Certificates
• The most widely accepted format for
digital certificates is defined by the
International Telecommunication Union
(ITU) X.509 international standard.
• X.509 V1 first appeared in 1988. X.509 V2
supported new issuer and subject identifier
fields that were absent from Version 1.
06 APPLYING CRYPTOGRAPHY
26
6.1 Digital Certificates
• The current version, X.509 V3, was
defined in 1996, and introduced the
extension field.
06 APPLYING CRYPTOGRAPHY
27
6.1 Digital Certificates
06 APPLYING CRYPTOGRAPHY
28
6.2 Public Key Infrastructure
• One of the important management tools
for the use of digital certificates and
asymmetric cryptography is public key
infrastructure.
• Public key infrastructure involves publickey cryptography standards, trust models,
and key management.
06 APPLYING CRYPTOGRAPHY
29
6.2 Public Key Infrastructure
6.2.1
What is Public Key
Infrastructure
• In an organization where multiple users
have multiple digital certificates, it quickly
can become overwhelming to manage all
of these entities.
• In short, there needs to be a consistent
means to manage digital certificates.
• Public key infrastructure (PKI) is just
that.
06 APPLYING CRYPTOGRAPHY
30
6.2 Public Key Infrastructure
• It is a framework for all of the entities
involved in digital certificates—including
hardware, software, people, policies and
procedures—to create, store, distribute,
and revoke digital certificates.
• In short, PKI is digital certificate
management.
06 APPLYING CRYPTOGRAPHY
31
6.2 Public Key Infrastructure
• PKI is often erroneously applied to a
broader range of cryptography topics
beyond managing digital certificates.
• It is sometimes defined as that which
supports “other public key-enabled
security services” or “certifying users of a
security application.”
06 APPLYING CRYPTOGRAPHY
32
6.2 Public Key Infrastructure
6.2.2
Public-Key Cryptographic
Standards (PKCS)
• Public-key cryptography standards
(PKCS) is a numbered set of PKI
standards that have been defined by the
RSA Corporation.
• These standards are based on the RSA
public-key algorithm.
06 APPLYING CRYPTOGRAPHY
33
6.2 Public Key Infrastructure
06 APPLYING CRYPTOGRAPHY
34
6.2 Public Key Infrastructure
06 APPLYING CRYPTOGRAPHY
35
6.2 Public Key Infrastructure
06 APPLYING CRYPTOGRAPHY
36
6.2 Public Key Infrastructure
• Applications and products that are
developed by vendors may choose to
support the PKCS standards.
• For example, Microsoft Windows Vista
provides native support for exporting
digital certificates based on PKCS #7 and
#12.
06 APPLYING CRYPTOGRAPHY
37
6.2 Public Key Infrastructure
6.2.3
Trust Model
• Trust may be defined as confidence in or
reliance on another person or entity.
• A trust model refers to the type of trusting
relationship that can exist between
individuals or entities.
06 APPLYING CRYPTOGRAPHY
38
6.2 Public Key Infrastructure
• In one type of trust model, direct trust, a
relationship exists between two individuals
because one person knows the other
person.
• Direct trust is not feasible when dealing
with multiple users who each have digital
certificates.
06 APPLYING CRYPTOGRAPHY
39
6.2 Public Key Infrastructure
• A third party trust refers to a situation in
which two individuals trust each other
because each trusts a third party.
• This is the role that a CA plays: for
example, it verifies Mary, Amanda, and
Javier to Alice.
06 APPLYING CRYPTOGRAPHY
40
6.2 Public Key Infrastructure
• There are essentially three PKI trust
models that use a CA. These are
– the hierarchical trust model,
– the distributed trust model, and
– the bridge trust model.
06 APPLYING CRYPTOGRAPHY
41
6.2 Public Key Infrastructure
Hierarchical Trust Model
• The hierarchical trust model assigns a
single hierarchy with one master CA called
the root.
• This root signs all digital certificate
authorities with a single key.
• A hierarchical trust model can be used in
an organization where one CA or RA is
responsible.
06 APPLYING CRYPTOGRAPHY
42
6.2 Public Key Infrastructure
06 APPLYING CRYPTOGRAPHY
43
6.2 Public Key Infrastructure
Distributed Trust Model
• Instead of having a single CA as in the
hierarchical trust model, the distributed
trust model has multiple CAs that sign
digital certificates.
• The distributed trust model is the basis for
digital certificates issued by Internet users.
06 APPLYING CRYPTOGRAPHY
44
6.2 Public Key Infrastructure
06 APPLYING CRYPTOGRAPHY
45
6.2 Public Key Infrastructure
Bridge Trust Model
•The bridge trust model is similar to the
distributed trust model in that there is no
single CA that signs digital certificates.
•However, with the bridge trust model there
is one CA that acts as a “facilitator” to
interconnect all other CAs.
06 APPLYING CRYPTOGRAPHY
46
6.2 Public Key Infrastructure
06 APPLYING CRYPTOGRAPHY
47
Related documents
www.certificates.ie
www.certificates.ie
Photo Gallery for QFD 2011 - Weill Cornell Medical College in Qatar
Photo Gallery for QFD 2011 - Weill Cornell Medical College in Qatar
Graeme Tinney Director, Griffiths & Armour Professional Risks
Graeme Tinney Director, Griffiths & Armour Professional Risks
Digital Certificates
Digital Certificates
HardCrypto
HardCrypto
Chapter 10
Chapter 10
Cryptography Applied to Linear Functions
Cryptography Applied to Linear Functions
Cryptography and Secret Codes
Cryptography and Secret Codes
Download
advertisement