Public Key Infrastructure (PKI)
Providing secure communications and authentication over an open network.

Topics
• Understanding the technology
  – Cryptography, Digital Signatures, Third Party Trust, and Public Key Certificates.
• Public Key Infrastructure
  – Definitions, Components, Infrastructure, Processes, and Issues.
• Western’s PKI

Cryptography Methods
• 2 types of cryptography being used.
  – Symmetric Key (shared secret) Cryptography
  – Public Key Cryptography
• Each has a role in a Public Key Infrastructure.

Symmetric Key Cryptography
• 1 key known by both parties (shared).
• A message encrypted by the key can only be decrypted using the same key.
[Diagram: Hello → Ijfd82*7df → Hello]
• Issue: Hard to share the key securely.

Public Key Cryptography
• 2 keys generated: 1 private, 1 public.
• A message encrypted by 1 key can only be decrypted by the other.
[Diagram: key pair (Private, Public); Hello → 9klfms83f → Hello; Bye → Jf#f9j3f92 → Bye]
• Public keys are stored in a public repository and are freely available.
• Private keys are stored on the local system, protected by a password. Never transmitted over the network.

Public Key Cryptography
• 2-way encrypted communication is possible using 2 sets of public keys.
[Diagram: Party A sends "Hello" using Party B’s public key (9klfms83f) and Party B reads it using Party B’s private key; Party B sends "Bye" using Party A’s public key (Jf#f9j3f92) and Party A reads it using Party A’s private key.]
• Issue: Large resources required.

Their roles in PKI
• Public keys are used to securely transmit a symmetric session key.
  – Step 1: Party A creates a symmetric key and transmits it to Party B using Party B’s public key.
  – Step 2: Secure communications are set up using the symmetric key.
• The symmetric key is used to set up secure encrypted communications.
[Diagram: Party A, Hello; Party B’s Public; Ijfd82*7df; Party B’s Private; Party B, Hello]

Digital Signature
• Private keys can be used to sign a document.
• The public key is used to decrypt the signature, which verifies that the message came from the person who owns the private key.
[Diagram: Party A signs "Hello Bob signed Jonny" with Party A’s private key, giving "Hello Bob signed dfjlf9#fsi"; Party B uses Party A’s public key to recover "Hello Bob signed Jonny".]
• Issue: How does Party B verify Party A’s public key?

Trusted Third Party
• A trusted third party is someone both communicating parties trust.
• This party authenticates Party A using older style methods (ID card) and verifies they own the private key.
• This party then uses its own private key to digitally sign Party A’s public key.
• Since Party B trusts the public key of the third party, when it decrypts the signature on Party A’s public key it can then trust A’s public key.
• Signed public keys can be used for authentication.

Public Key Certificate (PKC)
• A public key certificate is a document that:
  – Contains the public key of its owner.
  – Contains a set of attributes that identifies its owner.
  – Is digitally signed by a trusted third party called a Certificate Authority (CA).
  – Has a life span (expiry date).
• Certificates are stored in public repositories.
• Used to authenticate, set up secure communications, and trust a digital signature.

Public Key Infrastructure (PKI)
• Defined by the IETF PKIX Working Group as: “The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke public key certificates based on public key cryptography.”

PKI Component Definitions
• Certificate Authority (CA): An authority trusted to create and assign public key certificates. Required to validate user information and verify they own the private key. Required to maintain CRLs.
• Registration Authority (RA): An optional authority that can act on behalf of a CA to validate user information and verify they own the private key.
• Repository: A database or directory used to store and distribute Public Key Certificates and CRLs.
• Certificate Revocation Lists (CRL): A list of certificates that have been revoked, either because their owners broke one of the rules in the certificate policy or because the private key was compromised.
• Certificate Policy (CP): A set of rules which indicates how a certificate is to be used by a community of users or set of applications.
• Certificate Practice Statement (CPS): A set of guidelines a CA follows when issuing certificates.

The Infrastructure
[Diagram: the Certificate Authority and the Registration Authority (registration process, certificate requests) are governed by the Certificate Practice Statement. The repository for PKCs and CRLs provides certificate and revocation list storage and retrieval. The application or server and the user (authentication and secure communication, certificate use) are governed by the Certificate Policy.]
• During setup of a connection between a server and a user:
  – Certificates are withdrawn from the repository for both parties.
  – Digital signatures are decrypted using the CA’s public key.
  – The certificate revocation list for the signing CA is referenced to verify that the certificate has not been revoked.
  – If all passes, then authentication of the server and user has been accomplished (i.e. each trusts that the private key is owned by the person identified in the certificate).
• Secure communications are then set up by the user generating a symmetric session key and transmitting it to the server, using the server’s public key to encrypt it. Once the server has decrypted the session key using its private key, a secure socket is set up using the session key.
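The CA signing step and the connection-setup checks described above (CA signature, life span, CRL lookup, then session key transport), as an added example that is not part of the original slides. It uses textbook RSA over fixed Mersenne primes so it runs on the Python standard library alone; the host name, serial numbers and key sizes are constructed for illustration and are not secure.

```python
# Added example, not from the original slides. Textbook RSA without padding
# over fixed Mersenne primes: illustrative only, trivially breakable.
import hashlib
from datetime import date

E = 65537  # public exponent shared by both demo key pairs

def keypair(p, q):
    """Return ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(cert):
    """Hash the fields the CA vouches for: serial, owner, expiry, public key."""
    tbs = f"{cert['serial']}|{cert['subject']}|{cert['expires']}|{cert['pub']}"
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big")

def ca_sign(cert, ca_priv):
    """CA signs the certificate digest with its private key."""
    n, d = ca_priv
    return dict(cert, sig=pow(digest(cert), d, n))

def verify(cert, ca_pub, crl, today):
    """Relying-party checks: CA signature, life span, then the CA's CRL."""
    n, e = ca_pub
    if pow(cert["sig"], e, n) != digest(cert):
        return "bad signature"
    if today > cert["expires"]:
        return "expired"
    if cert["serial"] in crl:
        return "revoked"
    return "ok"

def wrap_session_key(key, pub):
    """User encrypts the symmetric session key with the server's public key."""
    n, e = pub
    return pow(int.from_bytes(key, "big"), e, n)

def unwrap_session_key(blob, priv, length=16):
    """Server recovers the session key with its private key."""
    n, d = priv
    return pow(blob, d, n).to_bytes(length, "big")

# Constructed sample data (hypothetical names and serial numbers).
CA_PUB, CA_PRIV = keypair(2**127 - 1, 2**521 - 1)
SRV_PUB, SRV_PRIV = keypair(2**89 - 1, 2**107 - 1)
CERT = ca_sign({"serial": 1001, "subject": "www.example.test",
                "expires": date(2030, 1, 1), "pub": SRV_PUB}, CA_PRIV)
CRL = {2002}  # serial numbers the CA has revoked
```

Changing any signed field, adding serial 1001 to the CRL, or checking after the expiry date each makes `verify` return a different failure reason, which is the order of checks a relying party would log.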

The Repository (LDAP)
• A repository:
  – Requires an efficient directory capable of authentication, replication and redundancy.
  – Should be capable of storing more data than just certificates and must be capable of complicated searches.
• LDAP provides all the requirements, plus:
  – Can use public keys during its authentication.
  – Is being integrated into many other technologies.
  – Has a good set of standard APIs.

Issues with PKI
• Certificate revocation is still in its infancy.
• Trust
  – Do we trust the commercial CAs out there? Why do we trust them to authenticate information they are not the authority of?
  – How do we trust repositories?
• Non-PKI security holes
  – How secure are clients, CAs, and repository systems from hackers and virus attacks? Are they physically secure?
  – How well guarded are private keys?
• Is the data in the certificate being checked thoroughly?
• The idea of non-repudiation.
• Roaming access (smart cards).

Western’s PKI
• Western currently has an agreement with Thawte Certification (owned by VeriSign) to provide signed certificates and be our Certificate Authority (CA).
• A representative of ITS acts as a Registration Authority (RA) on behalf of Thawte Certification.
• Currently only Secure Socket Layer (SSL) certificates are in use to provide encrypted web communications (authentication of web server only).
• Thawte offers other types of certificates, but they have not been investigated for use at Western yet and may be cost prohibitive to use.

Western’s PKI
[Diagram: CA: Thawte Certification; RA: ITS Representative; Web Server; UWO web user.]
• Repository for PKCs and CRLs: SSL certificates are stored in the web server and distributed by the web server.
1. Web server admin generates and sends a certificate request to Thawte.
2. Thawte asks ITS if the request is good.
3. ITS verifies the request and says yes.
4. Thawte signs the certificate and returns it to the web server admin, who loads it into the web server configuration.
5. User generates a session key and transmits it to the web server using the public key. A secure socket is then set up (SSL).