Cryptography U IV

The document covers Digital Certificates and Public Key Infrastructure (PKI), detailing the roles of Certification Authorities (CA) and Registration Authorities (RA) in issuing digital certificates. It outlines the steps for creating a digital certificate, including key generation, registration, verification, and certificate creation, along with the standards PKIX and PKCS. Additionally, it discusses XML encryption and digital signatures, emphasizing their importance in securing web services.

Uploaded by

ekta soni

Unit-IV

Digital Certificates and Public Key Infrastructure (PKI)

Syllabus

Introduction,
Digital Certificates,
Private Key Management,
The PKIX Model,
Public Key Cryptography Standards (PKCS),
XML, PKI and Security,
Creating Digital Certificate

Introduction

Public Key Infrastructure (PKI) technology.
Digital certificates are termed passports on the Web.
Certification Authorities (CA), Registration Authorities (RA).
PKIX and PKCS are the two popular standards for digital certificates and PKI.

Digital Certificates

A digital certificate is simply a small computer file.

Certification Authority (CA)

A Certification Authority (CA) is a trusted agency that can issue digital certificates.

Two of the world's most famous CAs are VeriSign and Entrust.

Safescrypt Limited, a subsidiary of Satyam Infoway Limited, became the first Indian CA in February 2002.

Technical Details of Digital Certificate

A standard called X.509 defines the structure of a digital certificate.

Digital Certificate Creation

Certificate Creation Steps

Step 1: Key generation

The action begins with the subject (i.e. the user/organization) who wants to obtain a certificate.

a) The subject can create a private key and public key pair using some software. This software is usually a part of the Web browser or Web server.

b) Alternatively, the RA can generate a key pair on the subject's (user's) behalf.

Step 2: Registration

This step is required only if the user generates the key pair in the first step.

If the RA generates the key pair on the user's behalf, this step will also be a part of the first step itself.

The format for certificate requests has been standardized and is called the Certificate Signing Request (CSR).

This is one of the Public Key Cryptography Standards (PKCS), PKCS#10.

Step 3: Verification

The RA has to verify the user's credentials. This verification is in two respects:

a) Firstly, the RA needs to verify the user's credentials, checking that the evidence provided is correct and acceptable. (Organization and Individual)

b) Proof Of Possession (POP) of the private key

1. The RA can demand a Certificate Signing Request (CSR)
2. The RA can create a random number challenge
3. The RA can generate a dummy certificate for the user

Step 4: Certificate creation

The RA passes details to the CA.

The CA does its own verification and creates a digital certificate.

Certificate directory.

Lightweight Directory Access Protocol (LDAP).

Private Key Management


The PKIX Model

✖ The X.509 standard defines the digital certificate structure, format and fields.

✖ The Internet Engineering Task Force (IETF) formed the Public Key Infrastructure X.509 (PKIX).

PKIX Services
• Registration – It is the process where an end-entity (subject)
makes itself known to a CA. Usually, this is via an RA.
• Initialization – This deals with the basic problems, such as
how the end-entity can be sure that it is talking to the right CA.
We have seen how this can be tackled.
• Certification – In this step, the CA creates a digital certificate
for the end-entity and returns it to the end-entity, maintains a
copy for its own records and also copies it in public directories,
if required.
• Key pair recovery – Keys used for encryption may be required
to be recovered at a later date for decrypting some old
documents. Key archival and recovery services can be provided
by a CA or by an independent key recovery system.
• Key generation – PKIX specifies that the end-entity should be able
to generate private and public key pairs or the CA/RA should be able
to do this for the end-entity (and then distribute these keys securely
to the end-entity).
• Key update – This allows a smooth transition from one expiring
key pair to a fresh one, by the automatic renewal of digital
certificates. However, there is a provision for manual digital
certificate renewal request and response.
• Cross-certification – Helps in establishing trust models, so that
end-entities that are certified by different CAs can cross-verify each
other.
• Revocation – PKIX provides support for the checking of the
certificate status in two modes: online (using OCSP) or offline (using
CRL).

PKIX Architectural Model

PKIX has developed comprehensive documents that describe five areas of its architectural model.

• X.509 V3 certificate and V2 certificate revocation list profiles.
• Operational protocols
• Management protocols
• Policy outlines
• Timestamp and Data certification services

Public Key Cryptography Standards (PKCS)

PKCS#5 - Password Based Encryption (PBE) Standard

✖ Password-Based Encryption (PBE) is a solution for keeping the symmetric session keys safe.
✖ This technique ensures that the symmetric keys are protected from unauthorized access.
✖ We first encrypt the plain text message with the symmetric key and then encrypt the symmetric key with a Key Encryption Key (KEK).

✖ Since passwords are often simple English words, this attack may succeed and the attacker could gain access to the KEK.
✖ To prevent such an attack, apart from the password, two additional pieces of information are used in the key generation mechanism.
✖ They are: salt and iteration count.

✖ Salt is simply a bit string, which is combined with the password to produce the KEK.
✖ Iteration count specifies the number of operations that must be performed on the combination of the password and the salt to generate the KEK.
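
How the salt and the iteration count enter the KEK derivation, written out as PBKDF2 from PKCS#5 v2. This is an added example, not part of the original slides; HMAC-SHA-256 as the pseudorandom function, the function names, the password and the iteration counts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256          # assumed PRF hash; the slides do not name one
HLEN = HASH().digest_size      # 32 bytes per PBKDF2 output block


def derive_kek(password: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2 (PKCS#5 v2): KEK = T_1 || T_2 || ..., truncated to `length`."""
    if iterations < 1 or not salt:
        raise ValueError("need a non-empty salt and iterations >= 1")
    kek = b""
    block_index = 1
    while len(kek) < length:
        # U_1 = PRF(password, salt || INT(block_index)): the salt enters here.
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), HASH).digest()
        t = int.from_bytes(u, "big")
        # U_j = PRF(password, U_{j-1}); T = U_1 xor U_2 xor ... xor U_c.
        # The iteration count c is the number of PRF calls that must be
        # repeated for every single password guess.
        for _ in range(iterations - 1):
            u = hmac.new(password, u, HASH).digest()
            t ^= int.from_bytes(u, "big")
        kek += t.to_bytes(HLEN, "big")
        block_index += 1
    return kek[:length]


def precomputed_table(wordlist, salt: bytes, iterations: int) -> dict:
    """KEK -> password table; it is valid only for the one salt it was built with."""
    return {derive_kek(word, salt, iterations): word for word in wordlist}


if __name__ == "__main__":
    password = b"sunshine"                       # constructed weak password
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    kek_a = derive_kek(password, salt_a, 10_000)
    kek_b = derive_kek(password, salt_b, 10_000)
    print("same password, different salts, same KEK?", kek_a == kek_b)
    table = precomputed_table([b"password", b"sunshine"], salt_a, 10_000)
    print("table built for salt_a finds kek_a:", table.get(kek_a))
    print("same table looked up with kek_b:   ", table.get(kek_b))
```

The hand-written loop produces the same bytes as `hashlib.pbkdf2_hmac("sha256", ...)`, which is what production code should call.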

XML, PKI and Security

✖ XML forms the backbone of the upcoming technologies, such as Web services.
✖ Every aspect of Internet programming is concerned with XML.
XML Encryption
We can encrypt one or all of the following portions of an XML document:

✖ The entire XML document
✖ An element and all its sub-elements
✖ The content portion of an XML document
✖ A reference to a resource outside of an XML document
The steps involved in XML encryption

1. Select the XML to be encrypted (one of the items listed earlier, i.e. all or part of an XML document).
2. Convert the data to be encrypted into a canonical form (optional).
3. Encrypt the result using public key encryption.
4. Send the encrypted XML document to the intended recipient.

XML Digital Signature

The steps in performing XML digital signatures are as follows.

✖ 1. Create a SignedInfo element with SignatureMethod, CanonicalizationMethod and References.
✖ 2. Canonicalize the XML document.
✖ 3. Calculate the SignatureValue, depending on the algorithms specified in the SignedInfo element.
✖ 4. Create the digital signature (i.e. Signature element), which also includes the SignedInfo, KeyInfo and SignatureValue elements.

<Signature></Signature> - This block identifies the start and end of the XML digital signature.

<SignedInfo></SignedInfo> - This block specifies the algorithms used: first for calculating the message digest (which is SHA-1, in this case) and then for preparing the XML digital signature (which is RSA, in this case).

<SignatureValue></SignatureValue> - This block contains the actual XML digital signature.
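
Why the document is canonicalized before the digest is taken, and how the digest ends up inside SignedInfo (steps 1 and 2 above). This is an added example, not part of the original slides: the sample documents and function names are constructed, the Algorithm attributes are illustrative labels rather than registered URIs, XML namespaces are omitted, SHA-256 stands in for the SHA-1 of the slide's example, and the RSA computation of SignatureValue (step 3) is left out.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the same order serialized two ways (attribute order,
# quoting, whitespace inside tags, empty-element form), plus an altered copy.
DOC_A = '<order id="7" currency="INR"><item>pen</item><note/></order>'
DOC_B = "<order   currency='INR'  id='7' ><item>pen</item><note></note></order>"
DOC_TAMPERED = DOC_A.replace("pen", "car")


def raw_digest(xml_text: str) -> str:
    """Digest of the bytes exactly as received, with no canonicalization."""
    return base64.b64encode(hashlib.sha256(xml_text.encode()).digest()).decode()


def canonical_digest(xml_text: str) -> str:
    """Canonicalize first (C14N 2.0), then hash the canonical bytes."""
    canonical = ET.canonicalize(xml_text)
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()


def build_signed_info(xml_text: str) -> str:
    """SignedInfo with the two methods and one Reference holding the digest."""
    info = ET.Element("SignedInfo")
    ET.SubElement(info, "CanonicalizationMethod", Algorithm="c14n-2.0")
    ET.SubElement(info, "SignatureMethod", Algorithm="rsa-sha256")
    ref = ET.SubElement(info, "Reference", URI="")
    ET.SubElement(ref, "DigestMethod", Algorithm="sha256")
    ET.SubElement(ref, "DigestValue").text = canonical_digest(xml_text)
    # SignedInfo is canonicalized too: these are the bytes that get signed.
    return ET.canonicalize(ET.tostring(info, encoding="unicode"))


def reference_matches(signed_info: str, received_xml: str) -> bool:
    """Verifier side: recompute the digest and compare it with DigestValue."""
    stored = ET.fromstring(signed_info).findtext("Reference/DigestValue")
    return stored == canonical_digest(received_xml)


if __name__ == "__main__":
    print("raw digests equal:      ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical digests equal:", canonical_digest(DOC_A) == canonical_digest(DOC_B))
    signed_info = build_signed_info(DOC_A)
    print("re-serialized copy verifies:", reference_matches(signed_info, DOC_B))
    print("tampered copy verifies:     ", reference_matches(signed_info, DOC_TAMPERED))
```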

XML digital signatures can be classified into three types: enveloped, enveloping and detached.

The difference between these types of XML digital signatures is easy to understand.
✖ In the enveloped XML digital signatures, the signature is inside the original document (which is being digitally signed).
✖ In the enveloping XML digital signatures, the original document is inside the signature.
✖ A detached digital signature has no enveloping concept at all; it is separate from the original document.
