crypto and pki
DESCRIPTION
TRANSCRIPT
![Page 1: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/1.jpg)
Introducing cryptography and PKI
David Galichet
mercredi 23 novembre 2011
![Page 2: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/2.jpg)
Cryptography challenges
mercredi 23 novembre 2011
![Page 3: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/3.jpg)
Authentication
• Application authentication
• Single Sign On
• One Time Password
• Remember me
• ...
mercredi 23 novembre 2011
![Page 4: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/4.jpg)
Integrity
• Data are not corrupted
• Data are not intentionally altered
mercredi 23 novembre 2011
![Page 5: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/5.jpg)
Privacy
• Protect data transfer
• Protect stored data
mercredi 23 novembre 2011
![Page 6: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/6.jpg)
Identity
• Authentication (user and server side)
• Signature (document, application packages ...)
• Non repudiation
• Trusted Timestamps
• Anonymity (electronic vote, alternative currency ...)
• ...
mercredi 23 novembre 2011
![Page 7: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/7.jpg)
Cryptography basis
• Hash functions
• Symmetric ciphering
• Asymmetric ciphering
mercredi 23 novembre 2011
![Page 8: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/8.jpg)
Hash algorithms
• Generate a constant size fingerprint whatever data in entry
• It’s hard to find the message from the given hash (First Preimage Resistance)
• It’s hard to modify a message without hash being changed (Second Preimage Resistance)
• It’s hard to find two different messages with the same hash (Resistance to Collisions)
• Very fast calculationmercredi 23 novembre 2011
![Page 9: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/9.jpg)
Hash algorithms
• Generate a constant size fingerprint whatever data in entry
• It’s hard to find the message from the given hash (First Preimage Resistance)
• It’s hard to modify a message without hash being changed (Second Preimage Resistance)
• It’s hard to find two different messages with the same hash (Resistance to Collisions)
• Very fast calculation
infeasible
infeasible
infeasible
Cryptographic
mercredi 23 novembre 2011
![Page 10: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/10.jpg)
Hash functionsIntegrity checking :
File hash()415a15b606eff4d4ba97ef64ecd2e598
mercredi 23 novembre 2011
![Page 11: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/11.jpg)
Hash functionsIntegrity checking :
File hash()415a15b606eff4d4ba97ef64ecd2e598
Fingerprint or checksum
mercredi 23 novembre 2011
![Page 12: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/12.jpg)
Hash functionsIntegrity checking :
File hash()415a15b606eff4d4ba97ef64ecd2e598
Fingerprint or checksum
Fast algorithm !
Very low probability of collision !Hard to change file without changing hash !
mercredi 23 novembre 2011
![Page 13: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/13.jpg)
Hash functions
Password encryption :
passwordhash()
415a15b606eff4d4ba97ef64ecd2e598
mercredi 23 novembre 2011
![Page 14: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/14.jpg)
Hash functions
Password encryption :
passwordhash()
415a15b606eff4d4ba97ef64ecd2e598
Hard to calculate password from the hash !
mercredi 23 novembre 2011
![Page 15: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/15.jpg)
Hash functions
Remember me tokens :
username + expiration date + hash(password)
hash()
415a15b606eff4d4ba97ef64ecd2e598
Remember me token = hash(...) + username + expiration date
mercredi 23 novembre 2011
![Page 16: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/16.jpg)
Password hashing leaks
• Brute force
• Dictionary
• Rainbow table
mercredi 23 novembre 2011
![Page 17: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/17.jpg)
Password hashing leaks
• Brute force
• Dictionary
• Rainbow table
mercredi 23 novembre 2011
![Page 18: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/18.jpg)
Salted hash functions
Salted hash password :
salt + passwordhash()
hash(salt+password)
mercredi 23 novembre 2011
![Page 19: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/19.jpg)
Salted hash functions
Salted hash password :
salt + passwordhash()
hash(salt+password)
secret and / or user dependent
mercredi 23 novembre 2011
![Page 20: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/20.jpg)
Salted hash functions
Salted hash password :
salt + passwordhash()
hash(salt+password)
secret and / or user dependent
Prevents from dictionary and rainbow table attacks !
mercredi 23 novembre 2011
![Page 21: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/21.jpg)
Hash function algorithms
• Message Digest 5
• 128 bits fingerprint size
• Secured Hash Algorithm
• many version (SHA1, SHA256 ...)
• 160 to 512 bits fingerprint size
mercredi 23 novembre 2011
![Page 22: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/22.jpg)
Hash function algorithms
• Message Digest 5
• 128 bits fingerprint size
• Secured Hash Algorithm
• many version (SHA1, SHA256 ...)
• 160 to 512 bits fingerprint size
@deprecated
mercredi 23 novembre 2011
![Page 23: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/23.jpg)
Symmetric algorithms
• Shared secret key algorithm
• Same key used to cipher and decipher
• Fast algorithm
mercredi 23 novembre 2011
![Page 24: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/24.jpg)
Popular symmetric algorithms
• Advanced Encryption Standard
• Blowfish
• Digital Encryption Standard and 3DES
mercredi 23 novembre 2011
![Page 25: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/25.jpg)
Popular symmetric algorithms
• Advanced Encryption Standard
• Blowfish
• Digital Encryption Standard and 3DES@deprecated
mercredi 23 novembre 2011
![Page 26: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/26.jpg)
Private message exchange
mercredi 23 novembre 2011
![Page 27: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/27.jpg)
Private message exchange
Shared secret key
mercredi 23 novembre 2011
![Page 28: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/28.jpg)
Private message exchange
Shared secret key
Cipheringwith Ks
mercredi 23 novembre 2011
![Page 29: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/29.jpg)
Private message exchange
Shared secret key
Cipheringwith Ks
Decipheringwith Ks
mercredi 23 novembre 2011
![Page 30: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/30.jpg)
Secret key exchange problem
mercredi 23 novembre 2011
![Page 31: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/31.jpg)
Secret key exchange problem
High number of secret keys to manage !
mercredi 23 novembre 2011
![Page 32: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/32.jpg)
Secret key exchange problem
High number of secret keys to manage !
How to share the secret key ?mercredi 23 novembre 2011
![Page 33: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/33.jpg)
Asymmetric algorithm
• Key pair based algorithm
• Shared public key
• Protected private key
• Key size :1024 to 4096 bits
• Slow algorithm
• Max encryption size = key size
mercredi 23 novembre 2011
![Page 34: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/34.jpg)
Popular asymmetric algorithm
• Rivest, Shamir and Adelman (signing and encryption)
• Digital Signature Algorithm (signature only)
• Elliptic Curves Cryptography
mercredi 23 novembre 2011
![Page 35: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/35.jpg)
Asymmetric ciphering analogy
mercredi 23 novembre 2011
![Page 36: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/36.jpg)
Asymmetric ciphering analogy
Public key
Private key
mercredi 23 novembre 2011
![Page 37: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/37.jpg)
Asymmetric ciphering analogy
Public key
Private key
mercredi 23 novembre 2011
![Page 38: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/38.jpg)
Asymmetric ciphering analogy
Public key
Private key
mercredi 23 novembre 2011
![Page 39: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/39.jpg)
Asymmetric ciphering analogy
Public key
Private key
mercredi 23 novembre 2011
![Page 40: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/40.jpg)
Asymmetric ciphering
mercredi 23 novembre 2011
![Page 41: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/41.jpg)
Asymmetric ciphering
Cipheringwith Bob Public Key
mercredi 23 novembre 2011
![Page 42: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/42.jpg)
Asymmetric ciphering
Decipheringwith Bob Private KeyCiphering
with Bob Public Key
mercredi 23 novembre 2011
![Page 43: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/43.jpg)
Digital signature
mercredi 23 novembre 2011
![Page 44: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/44.jpg)
Digital signature
Alice sign withher private keyOnly hash of the
message is signed
dsa(hash(ˮHello.ˮ),PrK.alice
mercredi 23 novembre 2011
![Page 45: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/45.jpg)
Digital signature
mercredi 23 novembre 2011
![Page 46: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/46.jpg)
Digital signature
Bob checks signaturewith Alice public key
Unchanged hash means unaltered message
compare hash("hello.")with :
dsa("er2f@!e..", PuK.alice)
mercredi 23 novembre 2011
![Page 47: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/47.jpg)
Diffie-Hellmankey exchange
algorithm
mercredi 23 novembre 2011
![Page 48: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/48.jpg)
Diffie-Hellmankey exchange
algorithm
mercredi 23 novembre 2011
![Page 49: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/49.jpg)
Diffie-Hellmankey exchange
algorithm
mercredi 23 novembre 2011
![Page 50: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/50.jpg)
Diffie-Hellmankey exchange
algorithm
mercredi 23 novembre 2011
![Page 51: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/51.jpg)
Diffie-Hellmankey exchange
algorithm
mercredi 23 novembre 2011
![Page 52: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/52.jpg)
Diffie-Hellmankey exchange
algorithm
mercredi 23 novembre 2011
![Page 53: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/53.jpg)
Diffie-Hellmankey exchange
algorithm
mercredi 23 novembre 2011
![Page 54: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/54.jpg)
Diffie-Hellmankey exchange
algorithm
mercredi 23 novembre 2011
![Page 55: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/55.jpg)
Public key sharing
mercredi 23 novembre 2011
![Page 56: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/56.jpg)
Public key management
mercredi 23 novembre 2011
![Page 57: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/57.jpg)
Public Key Infrastructure !
• Public key certificate
• Certificate management
mercredi 23 novembre 2011
![Page 58: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/58.jpg)
Public key certificates• Binds public key with Identity
• Can be used to :
• authenticate a user
• cipher data (email, communications ...)
• prove identity (SSL)
• signing a document
• signing a certificate (CA certificate)
• ...
mercredi 23 novembre 2011
![Page 59: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/59.jpg)
Public key certificate anatomy
(TLS certificate)
mercredi 23 novembre 2011
![Page 60: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/60.jpg)
Public key certificate anatomy -Issuer
mercredi 23 novembre 2011
![Page 61: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/61.jpg)
Public key certificate anatomy -Issuer
Issuer Distinguished Name
mercredi 23 novembre 2011
![Page 62: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/62.jpg)
Public key certificate anatomy -Issuer
Issuer ≠ Subject :• Not a CA certificate• Not a self signed certificate
Issuer Distinguished Name
mercredi 23 novembre 2011
![Page 63: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/63.jpg)
Public key certificate anatomy -Subject
mercredi 23 novembre 2011
![Page 64: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/64.jpg)
Public key certificate anatomy -Subject
Certificate validity
mercredi 23 novembre 2011
![Page 65: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/65.jpg)
Public key certificate anatomy -Subject
Subject Distinguished Name Certificate validity
mercredi 23 novembre 2011
![Page 66: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/66.jpg)
Public key certificate anatomy -Subject
Subject Distinguished Name Certificate validity
Certified URL
mercredi 23 novembre 2011
![Page 67: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/67.jpg)
Public key certificate anatomy -Subject
Subject Distinguished Name
Public key
Certificate validity
Certified URL
mercredi 23 novembre 2011
![Page 68: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/68.jpg)
Public key certificate anatomy -Extensions
mercredi 23 novembre 2011
![Page 69: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/69.jpg)
Public key certificate anatomy -Extensions
Not a CA certificate
mercredi 23 novembre 2011
![Page 70: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/70.jpg)
Public key certificate anatomy -Extensions
Not a CA certificate
Revocation List
mercredi 23 novembre 2011
![Page 71: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/71.jpg)
Public key certificate anatomy -Extensions
Not a CA certificate
Revocation List
Certificate usage (TLS)
mercredi 23 novembre 2011
![Page 72: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/72.jpg)
Public key certificate anatomy -Extensions
Not a CA certificate
Revocation List
Certificate usage (TLS)
Issuer CA certificate location
mercredi 23 novembre 2011
![Page 73: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/73.jpg)
Public key certificate anatomy -Certificate signature
mercredi 23 novembre 2011
![Page 74: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/74.jpg)
Public key certificate anatomy -Certificate signature
The certificate SHA1 fingerprint is signed with Issuer private key
mercredi 23 novembre 2011
![Page 75: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/75.jpg)
Certificate fingerprint signature
• Self signed or signed by CA
• Prevents certificate corruption
• CA signing proves identity if the CA is trusted
mercredi 23 novembre 2011
![Page 76: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/76.jpg)
Certification chain of trust(certification path)
mercredi 23 novembre 2011
![Page 77: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/77.jpg)
Certificate management
mercredi 23 novembre 2011
![Page 78: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/78.jpg)
Certificate management
mercredi 23 novembre 2011
![Page 79: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/79.jpg)
Certificate management
mercredi 23 novembre 2011
![Page 80: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/80.jpg)
Certificate management
mercredi 23 novembre 2011
![Page 81: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/81.jpg)
Certificate management
mercredi 23 novembre 2011
![Page 82: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/82.jpg)
Certificate managementCR is signed withCA private key
mercredi 23 novembre 2011
![Page 83: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/83.jpg)
Certificate managementCR is signed withCA private key
mercredi 23 novembre 2011
![Page 84: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/84.jpg)
Certificate managementCR is signed withCA private key
mercredi 23 novembre 2011
![Page 85: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/85.jpg)
Certificate managementCR is signed withCA private key
mercredi 23 novembre 2011
![Page 86: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/86.jpg)
Certificate managementManage CRL or OCSPCR is signed with
CA private key
mercredi 23 novembre 2011
![Page 87: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/87.jpg)
Certificate managementManage CRL or OCSPCR is signed with
CA private key
mercredi 23 novembre 2011
![Page 88: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/88.jpg)
Certificate managementManage CRL or OCSP
Check Bob certificatewith CA certificate
CR is signed withCA private key
mercredi 23 novembre 2011
![Page 89: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/89.jpg)
Certificate managementManage CRL or OCSP
Check Bob certificatewith CA certificate
CR is signed withCA private key
mercredi 23 novembre 2011
![Page 90: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/90.jpg)
Certificate managementManage CRL or OCSP
Check Bob certificatewith CA certificate
Check Bob certificate validity
CR is signed withCA private key
mercredi 23 novembre 2011
![Page 91: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/91.jpg)
Private key storage• Password protected PKCS12 file
• Cryptographic token :
• password protected
• key pair generation (not possible to take the private key out)
• process asymmetric algorithms (RSA, DSA, Diffie-Hellman ...)
mercredi 23 novembre 2011
![Page 92: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/92.jpg)
Private key storage• Password protected PKCS12 file
• Cryptographic token :
• password protected
• key pair generation (not possible to take the private key out)
• process asymmetric algorithms (RSA, DSA, Diffie-Hellman ...)Two Factors Authentication :
protect with something you know and something you have
mercredi 23 novembre 2011
![Page 93: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/93.jpg)
Certificate revocation
• Two protocols :
• Certificate Revocation List
• Online Certificate Status Protocol
• CRL provides a full certificates revocation list
• OCSP is request/response protocol
mercredi 23 novembre 2011
![Page 94: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/94.jpg)
One Time Password
• Token and password (PIN) based authentication system
• Token uses a clock and a secret algorithm to generate a OTP
• OTP server use the same algorithm to validate the OTP
mercredi 23 novembre 2011
![Page 95: Crypto and PKI](https://reader034.vdocuments.mx/reader034/viewer/2022050815/546b8fa3b4af9f702c8b4d07/html5/thumbnails/95.jpg)
Conclusion
• What’s going on if you loose your ciphering private key (or PKCS12 password) ?
• Are the Registration Authority validation process safe ?
mercredi 23 novembre 2011