PhD Thesis Presentation

1
PhD Thesis Presentation

• DSV

Department of Computer and Systems Sciences
Stockholm University/Royal Institute of
Technology
2
Introduction

• Researcher
• Nada Kapidzic Cicovic
• Research Topic
• Extended Certificate Management System Design
  and Protocols.
• Fulfillment
• Submitted to KTH in partial fulfillment of the
  requirement for the degree of Doctor of
  Technology
• Report Series No. 97-010
• ISSN 1101-8526
• ISRN SU-KTH/DSV/R97/10SE 1997

3
Topics of Discussion

• Research Overview
• Research Methodology
• Conclusion

4
Research Overview

• PhD Expectation
• Research topic Overview
• Research topic Relevance

5
Research Overview

• PhD Expectation

Researcher Contribution
Knowledge After Research
Knowledge Before Research
6
Research Overview

• The Core of research
• Authentication
• Integrity
• Confidentiality
• Access Control
• Non-Repudiation

7
Research Overview

• Negative Heuristic
• Any researcher who subscribe to IT security
  research domain must agree on the security
  services discussed above
• Positive Heuristic
• She worked to improve the PKI. This is part of
  the Protective belt which protects the core(as
  referred by Lakatos )

8
Research Overview

• Research topic Overview

9
Research Overview

10
Research Overview

• Thesis Relevance
• The Thesis presents possible solution for a
  global certification infrastructure that spans
  over
• Individual users
• Small organizations to
• Arbitrary complex organizations
• (I.e different security domains)

11
Research Methodology

• Historical background
• Analysis of Current knowledge
• Contribution
• Publications Overview

12
Research Methodology

• History Consideration
• Chapter One highlights the historical background
  of the PKI
• 1976 Public key cryptography appeared providing
  solution to the key management problem.
• Existing status of knowledge is discussed in
  Chapter Two
• Nine public key infrastructures are described
• Future Work is discussed in Chapter six
• She suggests 10 improvements to ECMS

13
Research Methodology

• Chapter One
• Provides summary of Public Key Cryptography
• Contribution, Outline of the Thesis, Publications
  Overview
• Chapter Two
• Overview of existing Standard
• Chapter Three
• CMS Certification Management system Strict
  Hierarchy Solution
• Chapter Four
• ECMS Extended Certificate Management System
• Chapter Five
• ECMS Client Structure
• Chapter Six
• Summary, Conclusion and Future research

14
Research Methodology

• Chapter One
• Provides summary of Public Key Cryptography
• Historical background In 1976 Public key
  cryptography appeared providing solution for the
  key management problem
• Contribution
• Overview of the work done in the period from 1993
  to 1997 She developed CMS then ECMS
• Outline of the Thesis
• Summary of every chapter and the appendix
• Publications Overview
• Six papers were published during 1993 to 1997.
  The work done by the author on CMS and ECMS is
  not yet presented.

15
Existing Standards

• Chapter Two
• Overview of existing Standard
• The X.509 Standard
• Describes the general mode of the CA
  infrastructure
• Makes use of X.500 distributed directory
  recommendation to store the certificates
• The CA must make sure the distinguished names are
  unique
• The CA vouches the binding between the user
  identity and the public key.
• Each user trusts the CA by trusting its public
  key.

16
Existing Standards

• PEM-Privacy Enhanced Mail
• Is a secure e-mail system consisting of a global
  certification infrastructure and security
  extensions of any SMTP mailer.
• Includes a specification of supporting public key
  certification infrastructure based on X.509
  certificates
• SET Secure Electronic Transaction
• Is a technical specification for securing payment
  card transaction over open network such as the
  Internet.
• PKIX Internet Public Key Infrastructure
• Is developed by IETF to facilitate the use of
  X.509 certificates in application which make use
  of Internet
• PGP Pretty Good Privacy
• E-mail security program it is free and is based
  on public key cryptography (RSA algorithm)
• Does not require pre-set PKI
• It is based on users ultimate trust on
  themselves

17
Research Methodology

• ICE-TEL General Trust Model
• The aim was to establish a Large scale PKI in a
  number of European countries to support secure
• e-mail and secure WWW .
• Policy Maker
• Supports implementation of decentralized trust
  management
• The signing is based on the actions that are
  trusted to sign for.
• The holder of the private can sign only when
  filters accept the action description

18
Research Methodology

• SDSI A Simple Distributed Security
  Infrastructure
• Is a simple PKI with group definitions
• The identity of members that hold the keys are
  not important as opposed to X.509
• Provides easy auditable access control list
• SPKI Simple Public Key Infrastructure
• Is base on the Authorization certificate rather
  than identity like X.509 and PGP
• It can support identity certificate as well

19
Research Methodology

• Chapter Three
• CMS Certification Management system

User A
User B
20
Research Methodology

• Chapter Three
• CMS Certification Management system
• Strict Hierarchy Solution Each co-operating CA
  is certified by only one parent CA
• Represents authors initial work in the area PKI
• Is based on X.509 Certificates and PEM
• Can operate as autonomous hierarchy or as an
• Integral part of the global certification system
• It defines storage and distribution of
  Certificates
• The functions involves CMS establishment,
  Certificate retrieval, Certificate update and
  Certificate revocation
• CMS described here assumes non global hierarchies
  

21
Research Methodology

• CMS Draw backs
• Does not provide easy retrieval of expired and
  outdated certificates
• Is base on X.509 Version 1 Certificates does not
  provide any authorization information
• All entities are required to uphold specific
  naming Pattern
• A huge infrastructure need to be in place before
  users start using the service
• Certificates are stored locally by every CA

22
Research Methodology

• Chapter Four
• ECMS Extended Certificate Management System
• Supported and CRL Extension
• Use of X.509 Certificate V3 Extension
• Key and Policy Information Extension
• Subject and Issuer Attribute Extensions
• Certification Path Constraints Extensions
• CRL distribution Point Extension
• Certification and Cross Certification Policies
• System Entities and their roles
• Function of the ECMS User registration, CAs
  registration, Registration of Plateau of trust,
  key generation and certification, Certificate
  revocation, Key update, Certificate validity
  update,CRL Publication, Certificate verification

23
Research Methodology

• Chapter Five
• ECMS Client Structure
• The main functional module
• Communication module
• Database management module
• Graphical user interface
• ECMS application programming interface

24
Research Methodology

• ECMS Client Functions
• User authentication
• Key generation and certification
• Certificate and CRL retrieval
• Certificate verification and
• Certificate revocation
• ECMS Client Application Programming Interface
• GetECMSStatus
• RetrieveAndVerifyCertificate
• GetPublicKey and
• VerifyCertificate

25
Research Methodology

• Chapter Six
• Summary
• The thesis presents one possible solution for
  global certification Infrastructure called the
  ECMS.
• Conclusion
• ECMS is scalable to large number of users
• It is based on X.509 Version 3 Providing identity
  certificate.
• Efficient certificate verification procedure
• It implements its own mechanism for certificate
  and CRL distribution mechanism.

26
Research Methodology

• Future Research
• Embedded security domains
• ECMS can be extended to provide real TTPs I.e.
  Trusted third parties
• Separate key for encryption and separate for
  digital signature

27
Research Methodology

• THANS FOR LISTENING