DIGITAL - PowerPoint PPT Presentation

About This Presentation
Title:

DIGITAL

Description:

internet names: email addresses, host names, URLs. issuer can state policy and usage. good enough for casual email but not for signing checks ...

Slides: 18
Provided by: ravis4

Transcript and Presenter's Notes

1
DIGITAL CERTIFICATES
Prof. Ravi Sandhu
2
PUBLIC-KEY CERTIFICATES
  • reliable distribution of public-keys
      • public-key encryption: sender needs public key of receiver
      • public-key digital signatures: receiver needs public key of sender
      • public-key key agreement: both need each other's public keys

3
X.509v1 CERTIFICATE
  • VERSION
  • SERIAL NUMBER
  • SIGNATURE ALGORITHM
  • ISSUER
  • VALIDITY
  • SUBJECT
  • SUBJECT PUBLIC KEY INFO
  • SIGNATURE
4
X.509v1 CERTIFICATE
  • VERSION: 1
  • SERIAL NUMBER: 1234567891011121314
  • SIGNATURE ALGORITHM: RSA/MD5, 512
  • ISSUER: C=US, S=VA, O=GMU, OU=ISSE
  • VALIDITY: 9/9/99 - 1/1/1
  • SUBJECT: C=US, S=VA, O=GMU, OU=ISSE, CN=Ravi Sandhu
  • SUBJECT PUBLIC KEY INFO: RSA, 1024, xxxxxxxxxxxxxxxxxxxxxxxxx
  • SIGNATURE
5
CERTIFICATE TRUST
  • how to acquire public key of the issuer to verify
    signature
  • whether or not to trust certificates signed by
    the issuer for this subject

6
PEM CERTIFICATION GRAPH
Figure: certification graph drawn top to bottom (node labels only; the edges are not recoverable from the transcript):
  • Internet Policy Registration Authority (IPRA)
  • Policy Certification Authorities (PCAs): PERSONA, RESIDENTIAL, MID-LEVEL ASSURANCE, HIGH ASSURANCE
  • Certification Authorities (CAs): Anonymous, MITRE, GMU, Virginia, Abrams, LEO, Fairfax, ISSE
  • Subjects: Sandhu (listed twice)
7
SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY
Figure: CA hierarchy with node labels, in the order drawn: Root; Brand (three nodes); Geo-Political; Bank; Acquirer; Customer; Merchant.
8
CRL FORMAT
  • SIGNATURE ALGORITHM
  • ISSUER
  • LAST UPDATE
  • NEXT UPDATE
  • REVOKED CERTIFICATES (one entry per certificate: SERIAL NUMBER, REVOCATION DATE)
  • SIGNATURE
9
X.509 CERTIFICATES
  • X.509v1
      • very basic
  • X.509v2
      • adds unique identifiers to prevent reuse of X.500 names
  • X.509v3
      • adds many extensions
      • can be further extended

10
X.509v3 CERTIFICATE INNOVATIONS
  • distinguish various certificates
      • signature, encryption, key-agreement
  • identification info in addition to X.500 name
      • internet names: email addresses, host names, URLs
  • issuer can state policy and usage
      • good enough for casual email but not for signing checks
  • limits on use of signature keys for further certification
  • extensible
      • proprietary extensions can be defined and registered
  • attribute certificates
      • ongoing work

11
X.509v2 CRL INNOVATIONS
  • CRL distribution points
  • indirect CRLs
  • delta CRLs
  • revocation reason
  • push CRLs

12
GENERAL HIERARCHICAL STRUCTURE
Figure: tree diagram with CA nodes Z, X, Y, Q, R, S, T, A, C, E, G, I, K, M, O and leaf nodes a through p.
13
GENERAL HIERARCHICAL STRUCTURE WITH ADDED LINKS
Figure: the same tree (CA nodes Z, X, Y, Q, R, S, T, A, C, E, G, I, K, M, O; leaf nodes a through p) with additional cross-links that the transcript does not preserve.
14
TOP-DOWN HIERARCHICAL STRUCTURE
Figure: top-down tree with CA nodes Z, X, Y, Q, R, S, T, A, C, E, G, I, K, M, O and leaf nodes a through p.
15
FOREST OF HIERARCHIES
16
MULTIPLE ROOT CAs PLUS INTERMEDIATE CAs MODEL
Figure: diagram with root and intermediate CA nodes X, S, T, Q, R, A, C, E, G, I, K, M, O and leaf nodes a through p.
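The relying-party checks that slides 5, 8 and 12 to 16 describe, worked through as an added example that is not part of the original slides and not Prof. Sandhu's code. It builds a small hierarchy with Go's standard crypto/x509 (root Z, intermediate X, leaf a, and an unrelated root Y standing in for a second tree of a forest), shows that a path to a can be built only through the root the relying party actually trusts and only when X is available, then has X issue a CRL in the slide 8 layout and checks it in the order a relying party should: issuer signature first, NEXT UPDATE, then the serial number. The CA names, serial numbers and validity periods are constructed for the demo; the KeyUsage and BasicConstraints fields in the template are the X.509v3 extensions of slide 10, so the certificates produced are v3, not the v1 layout of slide 3; ParseRevocationList needs Go 1.19 or newer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check panics on setup failures, which in this self-contained demo can only be programming errors.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a key pair and a certificate for cn. With parent == nil it is
// self-signed (a root CA); otherwise parentKey signs it. Small serials are for readability only.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	usage := x509.KeyUsageDigitalSignature // v3 key-usage extension (slide 10): what the key may do
	if isCA {
		usage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	tmpl := &x509.Certificate{ // the slide 3 fields; ISSUER and SIGNATURE come from the signer
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{"Constructed demo PKI"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), // VALIDITY
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: usage, // v3 basic-constraints extension
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// chainLen is the length of the first chain from leaf to a root the relying party
// trusts, built through the given intermediates; 0 means no path exists (slide 5).
func chainLen(leaf *x509.Certificate, roots, intermediates *x509.CertPool) int {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	if err != nil {
		return 0
	}
	return len(chains[0])
}

// RunDemo issues leaf a from intermediate X under root Z, plus an unrelated root Y
// (a second tree of a forest), and reports what a relying party sees: chain lengths
// (0 = untrusted) and the outcome of checking X's CRL.
func RunDemo() (viaZ, viaY, withoutX int, aRevoked, wrongIssuer, stale bool) {
	z, zKey := issue("Z root", 1, true, nil, nil)
	y, _ := issue("Y root", 2, true, nil, nil)
	x, xKey := issue("X intermediate", 3, true, z, zKey)
	a, _ := issue("a", 4, false, x, xKey)
	viaZ = chainLen(a, pool(z), pool(x))
	viaY = chainLen(a, pool(y), pool(x))    // Y vouches for nothing in Z's tree
	withoutX = chainLen(a, pool(z), pool()) // the path cannot be built without X

	// X revokes a. The CRL carries ISSUER, this/NEXT UPDATE, (SERIAL, DATE) entries and X's signature (slide 8).
	now := time.Now()
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: a.SerialNumber, RevocationTime: now}},
	}, x, xKey)
	check(err)

	// Relying-party side: verify the issuer's signature first, refuse a stale list, then look the serial up.
	crl, err := x509.ParseRevocationList(crlDER) // needs Go 1.19+
	check(err)
	check(crl.CheckSignatureFrom(x))
	stale = time.Now().After(crl.NextUpdate)
	for _, rc := range crl.RevokedCertificates {
		aRevoked = aRevoked || rc.SerialNumber.Cmp(a.SerialNumber) == 0
	}
	wrongIssuer = crl.CheckSignatureFrom(z) != nil // signed by X, so it must not verify under Z
	return
}

func main() {
	fmt.Println(RunDemo())
}
```

Running it prints `3 0 0 true true false`: a three-certificate chain a, X, Z when Z is the trusted root; no chain when only Y is trusted or when X is missing from the intermediates; a listed as revoked; the CRL rejected when checked against Z's key instead of X's; and the CRL not yet past its NEXT UPDATE.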
17
THE CERTIFICATE TRIANGLE
Figure: the certificate triangle. Its three vertices are user, attribute and public-key; each edge is one certificate type: an X.509 identity certificate binds user to public-key, an X.509 attribute certificate binds user to attribute, and an SPKI certificate binds public-key to attribute.