PKI

1
PKI

• Chapter 14

2
Public Key Infrastructure (PKI)

• PKI is the combination of software, encryption
  technologies, and services which protects
  business communications and transactions on the
  Internet.
• PKIs integrate digital certificates, public-key
  cryptography, and certificate authorities into a
  total, enterprise-wide network security
  architecture
• A way to verify an individuals identity and to
  ensure that a persons public key is bound to
  their identity
• Uses asymmetrical algorithms
• http//csrc.nist.gov/pki/

3
Cryptography

• Study of complex mathematical formulas and
  algorithms used for encryption and decryption
• Random number generators create numbers that work
  as seed values
• The algorithm uses the seed value as a starting
  place to create the key
• If algorithm used the same seed values over and
  over, similar keys would be generated
• The more random, the more resilient to brute
  force attacks

4
Symmetric versus Asymmetric Algorithms
Type of Algorithm Advantages Disadvantages
Symmetric Single key Requires sender and receiver to agree on a key before transmission of data Security lies only with the key High cost
Asymmetric Encryption and decryption keys are different Decryption key cannot be calculated from encryption key Security of keys can be compromised when malicious users post phony keys
5
Without a PKI, individuals could spoof identities
6
Certificaticate Authority

• CA is trusted authority for certifying
  individuals and creating an electronic document,
  the digital certificate http//www.pki-page.org/C
  A
• Consists of software, hardware, procedures,
  policies
• Every CA outlines how identities are verified,
  keys are secured, what data is placed within a
  digital certificate, and how revocations will be
  handled.

7
Digital Certificates

• Binds an individuals identity to a public key
  and
• Contains all the info needed to prove the public
  key belongs to a legitimate owner and has not
  been compromised
• Consist of
• Owners public key
• Information unique to owner
• Digital signatures or an endorser

8
(No Transcript)
9
Registration Authority

• RA accepts a request for a digital certificate
  and performs the necessary steps of registering
  and authenticating the person. Different type of
  certs available, the higher the class the more id
  required
• Class 1 can digitally sign email and encrypt
  message content
• Class 2 software signing
• Class 3 set up its own certificate authority

10
Steps for obtaining a digital certificate
11
Digital Signatures

• Created by using hash functions (message digest)
• Electronic identification of a person or thing
  created by using a public key algorithm
• Verify (to a recipient) the integrity of data and
  identity of the sender
• Provide same features as encryption

12
(No Transcript)
13
Hash Functions

• Message Digest is a generic version of one of
  three algorithms, all designed to create a
  message digest or hash from plain text.
• MD2 produces hash of 128 bits, optimized for
  8-bit machine
• MD4 optimized for 32-bit machines, fast but not
  secure
• MD5 created to fix security problems of MD4 and
  is slower
• SHA algorithm modeled on MD4. Accepts an input
  of up to 264 bits or less and compresses down to
  a hash of 160 bits.

14
Certificate Repository

• Once the certificate is registered, identity
  proven, and a key pair generated, they are placed
  in a public repository.
• All of the certificates can be in one, large
  distributed database (LDAP)
• Each signing certificate can maintain its own
  repository and have a means of querying the other
  repositories for information for its users
• Business communities and governments are starting
  the process of creating their CAs. They are
  linking them by signing or cross-certifying and
  publishing all of their information in
  business-class repositories.

15
Trust and Certificate Verification

• CAs digital certificate and public keys are
  downloaded onto local PCs.
• Most browsers have a list of trusted CAs by
  default.

First, Maynard checks the CA against his list
16
Trust and Certificate Verification

• If CA and integrity of certificate is trusted,
  still need to check
• Start and stop dates of certificates (life
  cycles)
• Revocation list (CRL)
• Lost laptop or smart card
• Improper software implementation
• Social engineering attack
• Employee leaves company

17
Centralized or Decentralized Infrastructure

• Decentralized approach
• Local computers generate and store cryptographic
  keys local to the system
• Centralized server approach
• Use if the process is resource intensive or has
  large key sizes
• Easier to backup
• Needs to be fault tolerance with redundancy
• Needs to use a secure way to transmit keys to
  local systems
• The it person needs to be trusted

18
Private Key Protection

• The key size should provide the necessary level
  of protection for the environment
• The lifetime should correspond with how often it
  is used and the sensitivity of the data
• Key should be changed and not used past its
  lifetime
• Key should be properly destroy at end of lifetime
• Key should never be exposed in clear test
• No copies of the private key should be made
• Key should not be shared
• Key should be stored securely
• Authentication should be required before it can
  be used
• Key should be transported securely
• Software implementation used for storage needs to
  provide the necessay level of protection

19
Key Escrow

• Process of giving keys to a third party so that
  they can decrypt and read sensitive information
  when this need arises.
• Used by government so they can collect evidence
  during investigations
• Clipper Chip - NSA developed, hardware oriented,
  cryptographic device that implements a symmetric
  encryption/decryption algorithm and a law
  enforcement satisfying key escrow system.

20
PKI Standards

• Business process
• Applications
• Standards/protocols that use PKI
• PKI implementation level

Online banking and shopping
Email, VPNs
S/MIME, SSL, TLS, WTLS, IPsec, PPTP
ISAKMP, CMP, SKMS, X.509, PKIX, PKCS
21
PKI Standards

• PKI Implementation relies on
• PKIX -Public Key Intrastructure
• PKCS - Public Key Cryptography
• X.509
• ISAKMP and XKMS is a key management protocol
• CMP manages certificates
• S/MIME manages email
• SSL, TLS and WTLS for secure packet transmissions
• IPSEC and PPTP for VPN

Online banking and shopping
Email, VPNs
S/MIME, SSL, TLS, WTLS, IPsec, PPTP
ISAKMP, CMP, XKMS, X.509, PKIX, PKCS
22
PKI Standards

• PKIX/PKCS based on the X.509 standard defines
  four components
• The user
• Certificate Authority (CA)
• Registration authority (RA)
• Certificate revocation lists
• X.509 info about data formats and procedures
  used for CA signed PKC

Online banking and shopping
Email, VPNs
S/MIME, SSL, TLS, WTLS, IPsec, PPTP
ISAKMP, CMP, XKMS, X.509, PKIX, PKCS
23
X.509 Certificates

• Late 1980, the X.500 OSI directory standard was
  defined by ISO and the ITU. X.509 addresses the
  structure of certificates used for
  authentication.
• X.509 defines a hierarchical certification
  structure that relies on a root certificate
  authority that is self-certifying.
• Rather than define its own certificate type (like
  PGP), S/MIME relies on X.509
• To obtain a X.509, you must ask a CA to issue you
  one.

24
(No Transcript)
25
Trust Models

• A trust domain is a construct of systems,
  personnel, applications, protocols, technologies,
  and policies that work together to provide
  protection.
• Need to determine criteria of trust
• Drivers license
• Digital signature of trusted entity
• CA

26
Trust Model

• Techniques that establish how users validate
  certificates
• Direct trust not scalable
• Hierarchical trust based on number of root CA
• Web of trust

27
Web of Trust

• Combines concepts of direct trust and
  hierarchical trust
• Adds the idea that trust is relative to each
  requester
• Central theme the more information available,
  the better the decision
• By mixing and matching the basic building blocks,
  network designers can put together PKI for a
  department, a company, many companies or many
  individuals. The design phase is where PKI gets
  tricky.

28
Setting up an Enterprise PKI

• Extremely complex task with enormous demands on
  financial, human, hardware, and software
  resources
• Areas to explore
• Basic support
• Training
• Documentation issues

29
Areas to Explore in Detail When Setting up an
Enterprise PKI

• Support for standards, protocols, and third-party
  applications
• Issues related to cross-certification,
  interoperability, and trust models
• Multiple key pairs and key pair uses
• How to PKI-enable applications and client-side
  software availability

continued
30
Areas to Explore in Detail When Setting up an
Enterprise PKI

• Impact on end user for key backup, key or
  certificate update, and nonrepudiation services
• Performance, scalability, and flexibility issues
  regarding distribution, retrieval, and revocation
  systems
• Physical access control to facilities

31
Common Encryption Algorithms

• Most encryption algorithms in use today are based
  on a structure developed by Horst Feistel of IBM
  in 1973.
• Lucifer (1974) to protect non-classified data.
  It utilizes a 128-bit key and 16 rounds in the
  encryption process. Lucifer suffers from a weak
  key structure and is vulnerable to attacks, yet
  it still can be used in tandem with other
  algorithms effectively.
• Diffie-Hellman (1976) utilizes a public key
  system, which is the oldest public key system in
  use. It is commonly used in IPSec.

32
Common Encryption Algorithms

• RSA (1977) - Named for its developers, Rivest,
  Shamir, and Adleman, the RSA algorithm is based
  on the Diffie-Helman cipher and uses a variable
  key length and block size. Flexible algorithm,
  but with greater key lengths and block sizes, it
  can be slow to compute in some environments.
• DES (1977) The Data Encryption Standard algorithm
  is a modified version of the Lucifer algorithm
  and uses a 56-bit key. In 1998, the Electronic
  Frontier Foundation cracked the DES algorithm in
  less than 3 days. This led to the development of
  Triple DES.

33
Common Encryption Algorithms

• Triple DES (1998) - uses the same algorithm as
  DES, but uses three keys and three executions of
  the algorithm to encrypt and decrypt data,
  resulting in a 168-bit key. It is three times
  slower than DES but much more secure.. Triple DES
  is very easy to implement in encryption systems
  that are currently using DES as its encryption
  algorithm, but it is not foolproof.
• IDEA (1992) - IDEA is a block cipher operating on
  64-bit blocks and using a 128-bit key. IDEA is
  commonly used in PGP and is a substitute for DES
  and Triple DES. There are no known attacks at
  this time for this algorithm.

34
Common Encryption Algorithms

• Blowfish (1993) is a 64-bit block cipher that
  uses variable length keys. Blowfish is
  characterized by its ease of implementation, high
  execution speeds and low memory usage. At this
  time, there are no known attacks for this
  algorithm.
• RC5 (1995) RC5 (1995). The RC5 algorithm was
  created to be suitable for either hardware or
  software functions. Like Blowfish, it is very
  fast, easy to implement, and has low memory
  usage. RC5 uses a variable key length and a
  variable number of rounds that makes it very
  flexible and adaptable. At this time, there are
  no known attacks for this algorithm.