Transcription
An Introduction to Public Key Infrastructure (PKI)
Judith A. Furlong
Product Architect
Annual Computer Security Applications Conference
December 9, 1999
Conventional vs. Public Key Cryptography
Conventional (Symmetric)
- One key
- Used for both encryption and decryption
- Must be protected, kept private
Public Key (Asymmetric)
- Two keys
- Mathematically related
- One key used for encryption, may be made public
- One key used for decryption, must be protected, kept private
Public Key Cryptography: Encryption
[Diagram: plaintext "SECRET" -> Encrypt (public key, known to anyone) -> ciphertext "@# %" -> Decrypt (private key, known only to decryptor) -> plaintext "SECRET"]
Public Key Cryptography: Digital Signature
[Diagram: data -> Sign (private key, known only to signer) -> data and digital signature -> Verify (public key, known to anyone) -> verified signature]
Digital Certificate
- A digitally signed binding between your identity and your public key
- Used as an electronic passport to prove your identity and authenticate you in the electronic world
[Diagram: a digital certificate contains identity data and a public key, and is created and signed by a Certification Authority (CA)]
Physical World Analogies
- ATM card - a certificate to conduct electronic banking
- Driver’s license - a certificate to operate a vehicle
- Employee badge - a certificate to gain facility access
Certification Authority (CA)
- A trusted entity which issues, manages and distributes digital certificates
- CAs are responsible for authenticating the identity of an entity prior to binding a public key to that identity
Physical World | Issued by | Electronic World
ATM card | Banks | A certificate for Internet banking
Driver’s license | States | A certificate for online registration
Employee badge | Employer | A certificate to gain facility and computer resource access
What is a Public Key Infrastructure (PKI)?
- A PKI is the set of components, people, policies and procedures which provide the foundation for the management of keys and certificates used by public key-based security services
- A PKI assures the trustworthiness of public key-based security mechanisms
  - Confidentiality of the private key
  - Integrity of the public key
- PKI functions can include
  - Key Generation and Distribution
  - Certificate Issuance and Distribution
  - Certificate Validation
  - Key Expiry and Revocation
  - Key Update
  - Key Escrow and Recovery
What Does PKI Enable?
- Digital Signature
  - Strong authentication
  - Authenticity and integrity of data
  - Nonrepudiation of transactions
- Encryption
  - Confidentiality of data in transit or storage
- Ability to process more sensitive data in shared networks
- Automation of sensitive functions previously kept off-line
- Enhanced security services
- Improved security interoperability
Components of a PKI
- Certification Authorities (CA): issue and manage certificates
- Registration Authorities (RAs): perform certificate holder authentication on behalf of the CA
- Repository: stores and distributes certificates and CRLs
- Validation Authority (VA): provides certificate status
- Certificate Holders: certificate subjects
- Relying Parties: verify signatures and certificate paths
[Diagram: CA, RA, Repository and VA connected over the Internet to Certificate Holders and Relying Parties]
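The roles above in running form, as an added example that is not part of the original slides: a CA signs a binding between an identity and a public key, and a relying party accepts that binding only when the certificate path ends at a CA it trusts. It uses only the Go standard library; the names "Example CA" and "alice" and the function names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue binds name to pub in a certificate signed by signerKey; a nil parent means self-signed.
func issue(name string, usage x509.KeyUsage, pub *ecdsa.PublicKey, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// relyingPartyAccepts validates the certificate path up to the single CA the relying party trusts.
func relyingPartyAccepts(cert, trustedCA *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
// demo uses constructed identities and returns (CA-issued accepted, self-signed accepted).
// Errors are ignored here for brevity; the inputs are fixed and valid.
func demo() (bool, bool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	holderKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca, _ := issue("Example CA", x509.KeyUsageCertSign, &caKey.PublicKey, nil, caKey)
	issued, _ := issue("alice", x509.KeyUsageDigitalSignature, &holderKey.PublicKey, ca, caKey)
	// Same identity and same key, but the binding is asserted by the holder alone.
	selfSigned, _ := issue("alice", x509.KeyUsageDigitalSignature, &holderKey.PublicKey, nil, holderKey)
	return relyingPartyAccepts(issued, ca), relyingPartyAccepts(selfSigned, ca)
}
func main() { fmt.Println(demo()) }
```

The self-signed certificate carries the same name and public key as the CA-issued one; only the CA's signature makes the binding acceptable to the relying party.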
Where is PKI Used Today?
[Diagram: the Internet surrounded by PKI uses: Secure Payments, VPN, Access Control, Secure Web Access (SSL), Electronic Form Signing, Authentication, Secure Mail]
Secure Mail
[Diagram: enterprise network (CA, RAs, enterprise LDAP and web servers, corporate purchasing and payroll servers, restricted access web server) and enterprise unit networks with email and LDAP servers, connected over the Internet to business partners, customers and a remote user; a signed and encrypted message passes between email clients]
Electronic Form Signing
[Diagram: the same enterprise network (CA, RAs, LDAP, email and web servers, corporate servers) connected over the Internet to business partners, customers and a remote user; users work with electronic forms and file encryption]
Virtual Private Networks
[Diagram: the same enterprise network (CA, RAs, LDAP, email and web servers, corporate servers) and enterprise unit networks connected over the Internet to business partners, customers and a remote user]
Secure Web Access
[Diagram: the same enterprise network (CA, RAs, LDAP, email and web servers, corporate servers, restricted access web server) connected over the Internet to business partners, customers and a remote user using web browsers]
A Complete PKI
Relationships
- Employee to Employer
- Supplier to Manufacturer
- Wholesaler to Retailer
- Merchant to Consumer
Technologies
- Certification Authority
- Digital Certificates
- Cryptography
- Public Key-Based Applications
- Directories
- Databases
Policies
- Security Management Policies
- Training and Education
- Operational Practices & Procedures
- Legal
Roles
- Supervisor
- Human Resource
- Purchaser
- Buyer
- Customer
A complete PKI is much more than technology. It is a careful blending of business processes, technology, policies and procedures.
Contact Information
Judith A. Furlong
judith.furlong@cybertrust.gte.com
Phone: 781-455-4968
Fax: 781-455-3506
www.cybertrust.com