0% found this document useful (0 votes)
62 views50 pages

Lec 06 - Components of PKI

Information Secuirty Notes

Uploaded by

vabepi7064
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
62 views50 pages

Lec 06 - Components of PKI

Information Secuirty Notes

Uploaded by

vabepi7064
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 50

Network Security

Punjab University Gujranwala Campus.

Lecture 06 – Public Key Infrastructure


Lecture Objectives
• Problems in the Public Key Cryptography
– Distribution of Public Keys
• Public Key Infrastructure (PKI)
• Components of PKI
• Digital Certificate
– Comparison with a Passport
– X.509 Format
• Difference between CA and RA
• Digital Certificate Creation Steps
• CA Hierarchies
• Self Signed Certificates and Cross-Certifications

2
PKI

3
Public Key Cryptography
• Key Distribution is easier with Public Key
Cryptography
• Each Node is responsible for knowing its own
private key and all the public keys can be
accessible in one place.
• But there are problems with Public Keys as well

4
Problems with the Public Key

• Example: If all the Public Keys are published in


some Newspaper or in some directory service,
how you can be sure that the information is
correct?
• An Intruder (bad guy),might have overwritten
the information in the directory service or taken
his own ad in the newspaper.
• If the bad guy can trick you into mistaking his
public key for Alice’s, he can impersonate Alice
to you.

5
Public Key Distribution Problem
• A bad guy creates a key pair (private/public) and
quickly tells the world that the public key he
published belongs to Alice

• People send confidential stuff to Alice

• Alice does not have the private key to read them…

• Intruder (bad guy) reads Alice’s messages

6
How to verify a Public Key?
Two approaches:
• Before you use Alice’s public key, call her or
meet her and check that you have the right one

• Get someone you already trust to certify that the


key really belongs to Alice
– By checking for a trusted digital signature
on the key

7
PKI Provides the Answer
• Everyone trusts the root Certificate Authority
(Verisign, Thawte, BT etc.)

• CA digitally signs keys of anyone having


checked their credentials by traditional
methods

• CA may even nominate others to be CAs, and


you would trust them automatically too

8
Solution of Public key Problem
• A typical solution for this is to have a trusted node
known as a Certificate Authority (CA) that
generates Certificates
• Certificates are signed message specifying a name
(Alice) and the corresponding Public Key
• All nodes need to pre-configured with CA’s public
key so that they can verify its signatures on
certificates.

9
Public Key Infrastructure
• A Public Key Infrastructure (PKI) consists of the
components necessary to securely distribute public
keys.
• Public Key Infrastructure is a combination of
software, encryption technologies, and services
application that allows users to encrypt and send
information securely over a public network.
• PKI mainly includes message digests, digital
signatures, and encryption services

10
PKI Features

• User authentication stronger than traditional


“passwords on servers” mechanisms

• Digital signing of email and other documents


proving the originator’s identity and faster, more
efficient, paper free business processes

• Encryption to protect critical email and other


data in user-focused manner

11
Components of PKI

12
Components of PKI

Digital Certificate
Certification Authorities (CAs)
Registration Authorities (RAs)
Certificate Holders
Repository/Directory
Validation Server

13
Digital Certificate

14
Digital Certificates
• Digital certificate is a digital document providing
linkage between the public key and the
identification data of its owner by the digital
signature of a trusted third party

• Certificate represents a credential which allows to


prove the identity of its owner similarly to the
passport or the driving license

15
Digital Certificates

Certificate
Attributes
Public Key of
Certificate holder
Encrypted hash
of certificate

Certificate
Authority

16
Similarities Between A Passport And A
Digital Signature
Passport Entry Corresponding digital
certificate entry
Full name Subject name

Passport number Serial number

Valid from Same

Valid to Same

Issued by Issuer name

Photograph and signature Public key

17
Certification Authority (CA)

18
Certification Authority
A CA can certify the binding between a public key and
the owner.

The function of a Certification Authority (CA) is the


production of certificates and revocation lists
(Revocation system).

The CA must accept requests for certificates, as well


as processing and making results available to the
user over the Directory Service.

19
Registration Authority (RA)

20
Registration Authority

The RA commonly provides the following services

Accepting and verifying registration information


about new users

Generating Keys on the behalf of end users

Accepting and authorizing request for key backup


and recovery

Accepting and authorizing the request for


certification revocation

21
Difference Between CA and RA

22
Difference between CA and RA
• RA is an intermediate entity between CA and end
user

• RA assists the CA in its day-to-day operation

• RA cannot issue digital certificate

• CA is responsible for certificate management

23
Difference between CA and RA

End User

Registration Authority Certificate Authority


End User (RA)

End User Highly protected


communication
link

24
Directory

25
Directory
Directories are databases that stores the copies
of certificates issued by CA to facilitate a
single-point access for certificate management
and distribution (similar to telephone directories)

26
Directory

• It contains information about server, printers,


network resources and user personal information

• It is X.500/LDAP-compliant, this means directory


contain certificates in the X.509 format, and that
they provide specific search facilities as specified in
the LDAP standards published by the IETF.

• Directories may be made publicly available or they


may be private to a specific organization .

– LDAP: Lightweight Directory Access Protocol

27
PKI: Used To Support
Identification and Authentication
Non-Repudiation
Integrity
Confidentiality

28
Digital Certificate
Creation Steps

29
Digital Certificate Creation Steps

Key Generation

Registration

Verification

Certificate Creation

30
Step 1: Key Generation

31
KEY Generation
• There are two different approaches for key
generation
– User creates a private and public key pair
using some software. Then user keeps the
private key and sends public key along with
other information to RA
– RA generates a key pair on the behalf of user
( i.e user does not aware of the technicalities
or it there is a requirement of centrally
generated or distributed keys )

32
USER GENERATING ITS OWN KEY PAIR

Key Generation
Subject

Keep this secret This would be


Sent to the RA
private public

33
RA GENERATING A KEY PAIR ON BEHALF
OF THE USER

For user X

Key Generation

Registration Authority

private public

Private Key Public


for user X Key for
user X
34
Step 2: Registration

35
Registration
• User sends public key, associated registration
information, evidence ( i.e copy of passport or tax
statement ) about himself to RA.

• Certificate Signing Request (CSR) is a standard


format for certificate request

36
Step 3: Verification

37
Verification

After the registration process is completed, the RA is


responsible to verify the user’s credentials. This
verification is in two respects, as follows.

RA needs to verify the user’s credentials

RA checks to ensure that user possess the private


key corresponding to public key. This check is called
Proof Of Possession , this can be done in three ways

38
Proof Of Possession

• RA asks the user to digitally sign the CSR using


his private key

• RA create a random challenge number, encrypt


it with user’s public key and send the
encrypted challenge number to the user. RA
then asks the user to decrypt it with its private
key

• RA generate a dummy certificate, encrypt it


with user’s public key and send it to the user. It
then asks the user to decrypt it with its private
key
39
Step 4: Generation of Digital
Certificate

40
Certificate Creation

RA passes on all the details of the user to the CA

CA does its own verification (if required)

CA creates a digital certificate

CA sends the certificate to the users

CA retains a copy of the certificate

41
Digital Certificate
Certificate Serial Number Hash Function
(SHA, MD5)
Issuer Name
Validity
Subject Name
Issuer Unique Identifier Message Digest
Subject Unique Identifier
CA’s Digital Signature
private
Digital Signature
Algo

Digital Signature CA’s Private


This digital signature of CA is stored as Key
the last field of Digital Certificate

42
A message digest of all but the last
Digital Certificate field is created
Certificate Serial Number
Hash Function
Issuer Name
(SHA, MD5)
Validity
Subject Name
Issuer Unique Identifier Message Digest
Issuer Unique Identifier MD1

CA’s Digital Signature

Is MD1
Digital Signature = MD2
public

De-Signing Algo Yes No


(Decryption)

CA’s Public Certificate Certificate


Key Message Digest is Valid is Invalid
MD2 Accept it Reject43it
Authentication with Certificates
1. Melinda gets Bill’s certificate
2. She verifies its digital signature
She can trust that the public key really belongs to
Bill
But is it Bill standing if front of her, or is that Scott?
3. Melinda challenges Bill to encrypt for her a phrase etc.
she just made up (“I really need more shoes”)
4. Bill has, of course, the private key that matches the
certificate, so he responds
(“*&$^%£$&£fhsdf*&EHFDhd62^&£”)
5. Melinda decrypts this with the public key she has in
the certificate (which she trusts) and if it matches the
phrase she challenged Bill with then it must really be
Bill himself!

45
INTERNET EXPLORER

IT-6302-3 Network Security, PUCIT, University of the Punjab, Pakistan 47


X.509
• The basic fields of an X.509 certificate.

55
Certificate Hierarchies
• To verify the Digital Certificates, the receiver must
have to know the Issuer CA’s Public Key.
• If the CA of Alice and Bob are same, then this is
not a problem
• But this cannot always be guaranteed
• Alice and Bob may not have obtained their
certificates from the same CA
• How can Alice obtain the public Key of the CA of
Bob?
• To resolve such problems, a Certification
Authority Hierarchy is created.
• This is also called “Chain of Trust”

57
Self Signed Certificate & Cross Certification
• Self signed certificate means that a certification
authority (e.g. root CA) signs its own certificate
• Cross Certification
– Generally every country appoints its own root
certificate.
– In real life, CA s are implemented in
decentralized manner.
– Cross Certification allows CA s and end users
from different PKI domains to interact

58
Certificate Revocation
• If your credit card is lost, or if it gets stolen, you
would normally report the loss to the concerned
bank. The bank would cancel your credit card
• Similarly, the digital certificates can also be
revoked

59
Certificate Revocation
• Most common reasons can be:
– The holder of the digital certificate reports that
the private key corresponding to the public key
specified in the digital signatures is
compromised.
– CA realized that it has made some mistake in
issuing it
– The certificate holder leaves a job and the
certificate was issued specifically while the
person was employed in that job

60

You might also like