controller of certifying authorities pki technology - role of cca assistant controller (technology)...
TRANSCRIPT
Controller ofCertifying Authorities
PKI Technology -Role of CCA
Assistant Controller (Technology)Controller of Certifying Authorities
Ministry of Communications & Information Technology
Controller of Certifying Authorities
Role of CCA for secure e-Commerce and e-Governance
Authentication of entities in cyberspacePrevention of deliberate or accidental Disclosure and/or Amendment/Deletion of dataPunishment for cyber crimes Licencing of CAs and establishment of PKI
Controller of Certifying Authorities
Security Issues :-
Confidentiality Integrity Authenticity Non-Repudiability
Controller of Certifying Authorities
Threats to Authenticity
Masquerading
Counter MeasuresStrong
Digital Signature - Cryptographically generated credentials.
Controller of Certifying Authorities
Encryption:Transformation of data to Prevent information being read by unauthorised parties.Sender and Receiver have to know the rules which have been used to encrypt the data.Based on Algorithms which are mathematical functions for combining the data with a string of digits called the Key. The result is the encrypted text.Eg: Adding a fixed number of characters, say 5, to each character in the message that is being encrypted.
The word SECURITY then becomes the encrypted text XJHZWNYD
Controller of Certifying Authorities
Document Document
to be sentto be sent
Document Document
to be sentto be sentEncodedEncoded
DocumentDocumentEncodedEncoded
DocumentDocumentEncodedEncoded
DocumentDocumentEncodedEncoded
DocumentDocumentReceivedReceived
DocumentDocument
ReceivedReceived
DocumentDocument
Symmetric
key
Symmetric
Key
Encryption TechnologiesSymmetric Key Cryptography
•Identical keys are used for encryption and decryption.
• Requires both parties to a digital conversation to know the key
Controller of Certifying Authorities
‘n’ Partners means handling n secret keysAuthenticity cannot be proved.
Encryption TechnologiesSymmetric Key Cryptography (contd.)
Controller of Certifying Authorities
Public key cryptographyEach party is assigned a pair of keys –
private – known only by the ownerpublic - known by everyone
Information encrypted with the private key can only be decrypted by the corresponding public key & vice versaFulfils requirements of confidentiality, integrity, authenticity and non-repudiabilityNo need to communicate private keys
Controller of Certifying Authorities
Digital Signatures
Pair of keys for every entity
One Public key – known to everyone
One Private key – known only to the possessor
Controller of Certifying Authorities
Digital Signatures
To digitally sign an electronic document the signer uses his/her Private key.
To verify a digital signature the verifier uses the signer’s Public key.
Controller of Certifying Authorities
Digital Signature
•The message is encrypted with the sender’s private key
• Recipient decrypts using the sender’s public key
Private
SKA
DocumentDocumentDocumentDocument
Digital Digital SignatureSignatureDigital Digital
SignatureSignature
DocumentDocumentDocumentDocument
Public
CONFIRMEDCONFIRMEDDigital Digital
SignatureSignature
CONFIRMEDCONFIRMEDDigital Digital
SignatureSignature
DocumentDocumentDocumentDocument DocumentDocumentDocumentDocument
Digital Digital SignatureSignatureDigital Digital
SignatureSignature
PKA
Controller of Certifying Authorities
Message Integrity
one-way hash functions use no keyoriginal data cannot be generated from hash outputNo two messages will generate the same hash.
SIGN the HASH NOT the entire Message
Controller of Certifying Authorities
Maintaining Message Integrity
message Hash
Hashgeneration
function
CheckHash
message messageHash
HashHashHash
generationfunction
NoRejectMessage
YesAcceptMessage
SENDER RECEIVER
Controller of Certifying Authorities
Public Key Cryptography
Encryption Technologies
Sender A(PKA,SKA)
Receiver B(PKB,SKB)
DocumentDocumentDocumentDocument DocumentDocumentDocumentDocumentEncryptedEncrypted
DocumentDocument
EncryptedEncrypted
DocumentDocument
EncryptedEncrypted
DocumentDocument
EncryptedEncrypted
DocumentDocument
PKB
SKB
Confidentiality
Controller of Certifying Authorities
Signed Messages
Message+
Signature
Message+
Signature
HashHash
VERIFYSignatureWith Sender’s Public Key
VERIFYSignatureWith Sender’s Public Key
SIGN hashWith Sender’s Private key
SIGN hashWith Sender’s Private key
Message+
signature
Message+
signature
COMPARECOMPARE
HashHashMessageMessage
Sender Receiver
HashHash
Using Hash function on the message
Signed Message
DECRYPTDECRYPTMessage + signaturewith Receiver’s Private Key
DECRYPTDECRYPTMessage + signaturewith Receiver’s Private Key
ENCRYPTENCRYPTMessage +signaturewith Receiver’sPublic Key
ENCRYPTENCRYPTMessage +signaturewith Receiver’sPublic Key
Encrypted MessageSent thru’ Internet
Using Hash Function
Confidential
Controller of Certifying Authorities
Authenticity and Confidentiality
A signs message with his own private keyA then encodes the resulting message with B’s Public keyB decodes the message with his own Private keyB applies A’s Public key on the digital signature
Controller of Certifying Authorities
Authenticity and Confidentiality
When A uses his own private key, it demonstrates that
he wants to sign the documenthe wants to reveal his identityhe shows his will to conclude that agreement
The encoded message travels on the Net, but nobody can read it : confidentiality
Controller of Certifying Authorities
Authenticity and Integrity
B needs to know that A and only A sent the message
B uses A’s public key on the signatureOnly A’s public key can decode the messageA cannot repudiate his signature
Digital signature cannot be reproduced from the messageNo one can alter a ciphered message without changing the result of the decoding operation
Controller of Certifying Authorities
Issues in Public key Cryptosystems
How will recipient get senders public key?How will recipient authenticate sender's public key ?How will the sender be prevented from repudiating his/her public key?
Controller of Certifying Authorities
Certifying Authority
An organization which issues public key certificates. • Must be widely known and trusted• Must have well defined methods of assuring the
identity of the parties to whom it issues certificates.• Must confirm the attribution of a public key to an
identified physical person by means of a public key certificate.
• Always maintains online access to the public key certificates issued.
Controller of Certifying Authorities
Public-Key Certification
UserName
User’sPublic
Key
CA’sName
Validationperiod
Signatureof CA
User 1 certificate
User 2 certificate.
Signed by using
CA’sprivate
key
UserName &
other credentials
User’s Public
key
User Certificate Certificate Database
PublishCertificateRequest
Controller of Certifying Authorities
Contents of a Public Key Certificate
Issued by a CA as a data message and always available online
S.No of the CertificateApplicant’s name, Place and Date of Birth, Company NameApplicant’s legal domicile and virtual domicileValidity period of the certificate and the signatureCA’s name, legal domicile and virtual domicileUser’s public keyInformation indicating how the recipient of a digitally signed document can verify the sender’s public keyCA’s digital signature
Controller of Certifying Authorities
Certificate Revocation List
• A list of all known Certificates that have been
revoked and declared invalid
Controller of Certifying Authorities
Technical Infrastructure Controller of Certifying Authorities
as the “Root” Authority certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates
Controller of Certifying Authorities
Technical Infrastructure..contd
The CCA operates the following :-Root Certifying Authority (RCAI) under section 18(b) of the IT Act, and National Repository of Digital Signature Certificates (NRDC)Web site cca.gov.in
Controller of Certifying Authorities
End entities, subscribers and relying parties
The End entities of RCAI are the Licensed CAs in India. Subscribers and relying parties using the certificates issued by a CA need to be assured that the CA is licensed by the CCA. They should be able to verify the licence under which a PKC has been issued by a CA.
Controller of Certifying Authorities
Strong Room for RCAI
Reinforced walls for room housing RCAI24-hour surveillance through CCTVAccess controls through proximity cards and biometric readersPhysical security including locksSecurity personnel
Controller of Certifying Authorities
National Repository : NRDC
National Repository of Digital CertificatesCertificate Revocation List
Controller of Certifying Authorities
Internet
Directory Client
CA
CA
CA
LAN
Cert/CRL
Cert/CRL
Cert/CRL
RCAI
CCA
NRDC
RelyingParty
SubscriberSubscriber Subscriber
CA Public Keys Certified by RCAI CA’s Revoked Keys
CCA : National Repository of Certificates of Public
Keys of CAs and Certificates issued by CAs
Controller ofCertifying Authorities
Thank you