Certificate Authority
advertisement
Security and Certification; Authentication and Authorization Assaf Gottlieb EGEE Training Team EGEE is funded by the European Union under contract IST-2003-508833 Induction: Security and Certification –December 22-23, 2004 Acknowledgements • Some of these slides have been taken from a longer presentation by Mike Jones of the University of Manchester. • Prepared by John Kewley, CCLRC Daresbury Laboratory Induction: Security and Certification –December 22-23, 2004 Goals of this module Describe … • Security basics • Use of Certificates • Importance of Certificate Authorities Induction: Security and Certification –December 22-23, 2004 Overview • • • • Introduction to Security Public/private keys in action Certificates Certificate Authorities Induction: Security and Certification –December 22-23, 2004 Introduction to Security What aspects of security should we be concerned about? • Authentication (Identification) • Confidentiality (Privacy) • Integrity (non-Tampering) • Authorization Also • Accounting • Delegation • Non-Repudiation Induction: Security and Certification –December 22-23, 2004 Tools of the trade • Encryption • Secret “symmetric” key – both parties need to share the key • DES, RC4 • Comparatively efficient • Public/private key – “asymmetric” - 2 keys mathematically related • RSA, DSA • Slower • Oneway hash / message digest • MD5, SHA-1 • fast Induction: Security and Certification –December 22-23, 2004 Gbbyf bs gur genqr • Rapelcgvba • Frpergt “flzzrgevp” xrl – obgu cnegvrf arrq gb funer gur xrl • QRF, EP4 • Pbzcnengviryl rssvpvrag • Choyvp/cevingr xrl – “nflzzrgevp” - 2 xrlf zngurzngvpnyyl eryngrq • EFN, QFN • Fybjre • Barjnl unfu / zrffntr qvtrfg • ZQ5, FUN-1 • Snfg Induction: Security and Certification –December 22-23, 2004 Tools of the trade • Encryption • Secret “symmetric” key – both parties need to share the key • DES, RC4 • Comparatively efficient • Public/private key – “asymmetric” - 2 keys mathematically related • RSA, DSA • Slower • Oneway hash / message digest • MD5, SHA-1 • fast Induction: Security and Certification –December 22-23, 2004 Encrypting for Confidentiality (1) Sending a message using symmetric keys 1. Encrypt message using shared key 2. Send encrypted message 3. Receiver decrypts message using shared key Only someone with shared key can decrypt message But how do the keys get shared? Sender space key 1 Receiver space key hR3a rearj openssl Hello World Public space 2 hR3a rearj hR3a rearj openssl 3 Hello World Induction: Security and Certification –December 22-23, 2004 Encrypting for Confidentiality(2) Sending a message using asymmetric keys 1. Encrypt message using Receiver’s public key 2. Send encrypted message 3. Receiver decrypts message using own private key Only someone with Receiver’s private key can decrypt message Sender space Public space Receiver’s Public Key openssl 1 Hello World hR3a rearj Receiver’s Public Key 2 hR3a rearj Receiver space Private Key Public Key hR3a rearj 3 openssl Hello World Induction: Security and Certification –December 22-23, 2004 Signing for Authentication 1. 2. 3. 4. Encrypt message with Sender’s private key Send encrypted message Message is readable by ANYONE with Sender’s public key Receiver decrypts message with Sender’s public key Receiver can be confident that only someone with Sender’s private key could have sent the message Public space Sender space Private Key Sender’s Public Key Receiver space Sender’s Public Key Public Key openssl 3 1 openssl Hello World n52krj rer Hello World 2 n52krj rer n52krj rer openssl 4 Hello World Induction: Security and Certification –December 22-23, 2004 Certificates • A statement from someone else (the Certificate Authority), that your public key (and hence your private key) is associated with your identity • A certificate can be checked if you have the public key of the party who signed it Induction: Security and Certification –December 22-23, 2004 Certificate Authority • A Certificate Authority (CA) issues you your certificates. • By signing them it is able to vouch for you to third parties • In return for this service, you must provide appropriate documentary evidence of identity when you apply for a certificate through a Registration Authority (RA) Induction: Security and Certification –December 22-23, 2004 Certificate contents • The certificate that you present to others contains: • • • • • Your distinguished name (DN) Your public key The identity of the CA who issued the certificate Its expiry date Digital signature of the CA which issued it Induction: Security and Certification –December 22-23, 2004 The Full Monty • Server authenticates Client • Client authenticates Server • (Symmetric) Session key exchanged confidentially using public key mechanism • Secure session can now commence using more efficient, agreed “session key” • Secure messages will also contain a message digest to ensure integrity Induction: Security and Certification –December 22-23, 2004 The Israeli Certificate Authority • Each university has one authorized RA. • The CA is located at the Computer Science department at Tel Aviv University • Supply appropriate documentary evidence of your identity to the RA • Once documentary and RA assurance is supplied to the CA, a certificate is supplied to you • A public/private key is generated for you as part of the certificate. Your private key will be put on a floppy disk Induction: Security and Certification –December 22-23, 2004 Summary We have looked at • Security basics • Use of Certificates • Importance of Certification Authorities Induction: Security and Certification –December 22-23, 2004
