Online Public Key Infrastructure - PowerPoint PPT Presentation

1 / 30
About This Presentation
Title:

Online Public Key Infrastructure

Description:

Domain Name System. Lightweight Directory Access Protocol. Modified OCSP ... Domain Name System. DNS is demonstrably reliable and efficient. High availability ... – PowerPoint PPT presentation

Number of Views:31
Avg rating:3.0/5.0
Slides: 31
Provided by: kevin448
Category:

less

Transcript and Presenter's Notes

Title: Online Public Key Infrastructure


1
Online Public Key Infrastructure
  • Queensland University of Technology,
  • Australia

Taho University, Japan
University of Malaga, Spain
Supported by the Telecommunications Advancement
Organisation, Japan
2
Motivation
  • Offline PKI model not really offline
  • requires relying parties to be online and trust
    some entity (eg OCSP)
  • why not merely request the current public key.
  • Offline model reduces risk to CA but increases
    client vulnerability

3
Overview
  • Origins of PKI
  • Methods of Public Key Distribution
  • Offline PKI
  • Requirements of Online PKI
  • Online PKI Efforts
  • Summary

4
Origins of PKI
  • 1976 Diffie and Hellman
  • 1978 Kohnfelder
  • 1988 ISO/CCITT X.500 Series

5
Offline and Online Models
  • Offline
  • Certificates
  • Certificate Revocation
  • Possession of signature verification key
  • Online
  • Network access
  • Trust (Server Authentication / Message
    Authentication)

6
Methods of Public Key Distribution
  • Point-to-Point Delivery
  • Trusted Public File
  • Online Trusted Server
  • Offline Server and Certificates
  • Implicitly Guaranteed Authenticity

7
Offline PKI
  • Currently have offline PKI
  • Supplemented by online checks
  • Identified Problems
  • Certificate Processing
  • Certificate Revocation

8
Certificate Processing
  • Path Processing
  • Policy Mapping
  • Proposed Solutions
  • Synthetic Certificates Russell et. al.
  • Simple Certificate Validation Protocol IETF
  • Delegated Path Validation (DPV) and Delegated
    Path Discovery (DPD) - IETF

9
Certificate Revocation
  • Certificate may be revoked before expiration
  • Certificate Revocation Lists(CRLs)
  • Scalability Problem

10
CRL Scalability?
  • http//crl.verisign.com/
  • May 2002

11
Requirements of Online PKI
  • Availability
  • Distributed architecture
  • Trust
  • Authenticated server
  • Integrity
  • Key material is tamper proof

12
Online PKI Efforts
  • CerteM
  • Domain Name System
  • Lightweight Directory Access Protocol
  • Modified OCSP

13
CerteM
  • Developed at University of Malaga, Spain by Lopez
    et. al
  • Fundamental goal was to avoid the use of
    inefficient CRLs
  • Hierarchical structure based on email addresses
    and Key Service Units (KSUs)

14
CerteM
15
CerteM
edu.au
KSU
qut.edu.au
uq.edu.au
KSU
KSU
Bob
Alice
16
CerteM
edu.au
KSU
qut.edu.au
uq.edu.au
KSU
KSU
Bob
Alice
17
CerteM
edu.au
KSU
qut.edu.au
uq.edu.au
KSU
KSU
Bob
Alice
18
Domain Name System
  • DNS is demonstrably reliable and efficient
  • High availability
  • Questionable integrity
  • Appealing to place application key material in
    the DNS
  • Trust DNS to accurately map names and IPs
  • A single request resolves the IP address of the
    host and provides the current public key

19
Domain Name System
  • DNS has security problems
  • Leading to DNS Security Extensions (DNSSEC)
  • DNSSEC (RFC2065, then 2535)
  • Adds data integrity and authentication services
  • Defined the KEY Resource Record
  • Debate over definition of key

20
Domain Name System
  • Additional extension
  • CERT RR (RFC2538)
  • Drafts for APPKEY RR
  • Mixed opinion in DNS community about using DNS
    for application key distribution

21
Lightweight Directory Access Protocol
  • Designed to be a lightweight X.500 directory
    access protocol, over TCP/IP
  • Well defined interface
  • Widely deployed
  • Replication technology in place

22
Lightweight Directory Access Protocol
  • Security Status
  • Early versions susceptible to masquerading and
    modification attacks
  • SASL Simple Authentication and Security Layer
    (Proposed Standard RFC 2222, 2444)
  • Access control to LDAP records vendor dependent
    at present
  • V3 supports TLS

23
OCSP (review)
Cert Records
CA
CRL
OCSP Responder
?
24
OCSP (review)
Cert Records
CA
CRL
OCSP Responder
?
25
OCSP (review)
Cert Records
CA
CRL
Time stamped status. (Good, Revoked, Unknown)
OCSP Responder
?
26
Modified OCSP
Cert Records
CA
Given a name and requirement
OCSP Responder
?
27
Modified OCSP
Cert Records
CA
Return the appropriate public key
Given a name and requirement
OCSP Responder
?
28
Summary
  • Origins of PKI
  • Offline PKI
  • Online PKI Efforts
  • Current directory service technologies
  • Considered OCSP

29
Summary
  • Outstanding Issues
  • Ensuring availability
  • Decentralised / distributed architecture
  • Maintaining integrity of key material
  • Cryptographic techniques

30
Questions?
Jason Smith smith_at_isrc.qut.edu.au
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Online Public Key Infrastructure" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!