demystifying pki: introduction to the cryptography behind public key infrastructure
TRANSCRIPT
![Page 1: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/1.jpg)
Demystifying PKI:
Introduction to
The Cryptography BehindPublic Key Infrastructure
![Page 2: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/2.jpg)
Security Services
• Data Integrity– Verification that the data has not been modified
• Authentication– e.g., your personal signature
• Non-Repudiation– e.g., Sender/Receiver in a financial transaction
• Confidentiality– i.e., scrambled text
![Page 3: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/3.jpg)
Data Integrity
• The Assurance That the Data Has Arrived Intact, With No Tampering or Corruption of the Bits.
• Data Integrity Is Achieved Electronically Through the Use of Cryptographic Checksums (One-way Hashes) Over the Data.
![Page 4: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/4.jpg)
Data Integrity Hash Functions
• Hash Functions are Complex Mathematical Functions Which Generate a Unique “Fingerprint” of the Data. Each String of Data is Mathematically Reduced to a Fixed-Size Output Block, Regardless of the Amount of Input Data
• The Same Output is Always Produced From The Same Input
“$” “1” “0” “9”
36 49 48 57User Data
3725
HashFunction
The Result Produced By a Hashing Function is Called a Message Digest
Two Examples:Secure Hash Algorithm (SHA)Message Digest #5 [RSA] (MD-5)
![Page 5: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/5.jpg)
Authentication
• The Binding of the Sender’s (or Issuer’s) Credentials to the Data. This Process Can Be Likened to Your Personal Signature– It Is Unique to You and Can Be Recognized (Verified)
Later by All Parties Involved
![Page 6: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/6.jpg)
Non-Repudiation
• The Fact That a Third Party Can Verify Your Authentication (e.g., Your Signature) on a Transaction Means That You Cannot Deny Participation in the Transaction
![Page 7: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/7.jpg)
Confidentiality/Privacy
• Encryption (scrambling) of the data to prevent unauthorized disclosure.
![Page 8: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/8.jpg)
Mechanics of Security
• Cryptographic algorithms (mathematical processes) used to implement security
• Symmetric vs. Asymmetric• Key Generation• Digital Signatures• Encryption• Public Key Infrastructure
![Page 9: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/9.jpg)
Symmetric Cryptography
![Page 10: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/10.jpg)
Encryption Algorithms
• Encryption Has Historically Been Used in Military Applications to Secure Tactical or Intelligence Related Information During Wartime.
For This Reason, Encryption Is Classified As a Munition or Instrument of War by Most Countries. The Improper Use of Encryption Is Often Considered a Terrorist Act.
Many Countries Place Restrictions on the Import and Export of Encryption, as Well as the Use of Encryption Within the Country.
![Page 11: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/11.jpg)
“The problem of good cipher design is essentially one of
finding difficult problems..... we may construct our
cipher in such a way that breaking it is equivalent to...
the solution of some problem known to be laborious.”
- Claude Shannon (1949)
Encryption Algorithms
![Page 12: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/12.jpg)
Conventional Algorithms
Encryption Decryption
Key=010011..1 Key=010011..1
• Also Called Secret-Key Algorithms– Symmetric - Use The Same Key For Encryption and Decryption– Security Depends on Keeping the Session Key Secret
![Page 13: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/13.jpg)
Symmetric Encryption/Decryption
• Secret Key used to encrypt data• Sender and receiver must have same key• Key distribution and compromise recovery are difficult
KeyGeneration
DESThis is plain text. It can be a document, image, or any other data file
12A7BC544109FD00A6293FECC7293B9BCAA12020384AC6F4D93B8
DESThis is plain text. It can be a document, image, or any other data file
SecretKey
SecretKey
SENDER RECEIVER
Same Key
![Page 14: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/14.jpg)
Conventional Algorithms
• Stream Ciphers
– Perform a Mathematical Transformation Using One Bit From the Key String and One Bit From the Data Stream.
The Classic Stream Cipher Is Called a Vernam Cipher
It is Based on the Exclusive OR Function
![Page 15: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/15.jpg)
Repeating Key
Stream
+
Stream Ciphers Vernam Cipher
= 101001011101001011 101001011 101001011 ...
= 101101011101101011101101011 ...
MessageDebit $500
.XOR.
CryptoTextE%f2$Uz7@W
![Page 16: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/16.jpg)
Block Ciphers• Perform a Mathematical Transformation On Data In Fixed-Size Blocks, One
At a Time.• The Cipher Mode Determines How The Algorithm Is Applied To Data Streams,
Block-By-Block• Block Ciphers are Fairly Similar From a Functional Point-of-View• We’ll Now Look at an Example of One Well-Known Block Cipher in Detail...
![Page 17: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/17.jpg)
DES Algorithm
Message EncryptedMessage
DES Key
Encrypt
![Page 18: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/18.jpg)
Anatomy of DES
Original Message Stream is Broken Into 64-Bit Blocks (8 Ascii Characters)
64-Bit Block of Original Text
Each Block is Separately Fed Into The DES Algorithm
(Hence the Term Block Cipher)
![Page 19: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/19.jpg)
56-Bit Key
The Reduced 56-Bit Key Becomes The Working DES Session Key
The Keysize is Reduced to 56 Bits During The Initial Permutation
Bits 8,16,24,32,40,48,56,64
The Original DES Key is 64 Bits
Anatomy of DES64-Bit Block of Original Text
Initial Permutation
![Page 20: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/20.jpg)
64-Bit Block of Original Text 56-Bit Key
Anatomy of DES
Original Right Half is
Copied to New Left Half
The 32-Bit Right Half of The Input Block is Copied Into the Left Half of The Output Block
32-Bit Right Half
48-Bit ExpandedRight Half
Expansion
Blocking
The 32-Bit Right Half of The Input Block is Then Expanded to 48-Bits
Old Right Half
Old Right Half
![Page 21: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/21.jpg)
64-Bit Block of Original Text 56-Bit Key
32-Bit Right Half
48-Bit ExpandedRight Half
48-Bit SubKey
Expansion
Blocking
Permutation
Original Right Half is
Copied to New Left Half
Anatomy of DES
Old Right Half
The 56-Bit Session Key is Further Reduced to a 48-Bit SubKey
![Page 22: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/22.jpg)
Anatomy of DES
S5 S6 S7 S8S1 S2 S3 S4
Inside Each Register, 2-bits are Used as Control Bits, and 4-bits as Data
A Substitution Table is Used Inside Each Register to Calculate Its Output
The Input is Shifted Into the S-Registers in 6-bit groups.
The S-Registers Perform Substitution and Compaction, Converting the 48-Bit Block to 32-Bits
![Page 23: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/23.jpg)
Anatomy of DES
S-Register 1 2 3 4
Control Left (CL)
Control Right (CR)
For Each of the Four Choices of the Two “Control Bits” , the S-register Performs a Different Substitution on the Half-byte Values of the Four “Input Bits”
CL CR 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 1 0 15 7 4 14 2 13 1 10 6 12 11 4 5 3 8
1 0 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
1 1 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
Example: S(1, 0, 1, 1, 1, 0) {
7
11 00 11 11 11 00
= (1, 0, 1, 1){
11
1111 00 11
![Page 24: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/24.jpg)
New Right Half
64-Bit Block of Original Text 56-Bit Key
32-Bit Right Half
48-Bit ExpandedRight Half
48-Bit SubKey
S5 S6 S7 S8S1 S2 S3 S4
Permutation
Expansion
Blocking
Permutation
Original Right Half is
Copied to New Left Half
Substitution and Compaction
Anatomy of DESOld Left Half
Old Right Half New Right Half
![Page 25: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/25.jpg)
64-Bit Block of Original Text 56-Bit Key
32-Bit Right Half
48-Bit ExpandedRight Half
48-Bit SubKey
New 64-Bit Block (To Next Round)
S5 S6 S7 S8S1 S2 S3 S4
Permutation
Expansion
Blocking
Permutation
Original Right Half is
Copied to New Left Half
New Right Half
Substitution and Compaction
Anatomy of DESNew 64-Bit Block
![Page 26: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/26.jpg)
Triple Des Algorithm (TDES)
DESDecrypt
EncryptedData
%4Jb3xy
• Implements 3 Successive Iterations of DES
DESEncrypt
DESEncrypt
CryptoTextE%f2$Uz7@W
MessageDebit $500
Key #1
Key #2
EncryptedData
vG$uvbpA
Key #1 or #3
• Uses Two or Three 56-Bit Keys (112-bit or 168-bit)
![Page 27: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/27.jpg)
Encryption Algorithms
• Strengthening Encryption Algorithms– Strength of an Algorithm Measures How Long It Would Take an
Adversary to Deduce the Key
The More Difficult the Mathematics, the Stronger the Algorithm
The Longer the Key, the Stronger the Algorithm
The More Often the Key Is Changed, the Stronger the Security
The Stronger the Algorithm, the Slower it Usually is Due to the Mathematical Overhead Required
![Page 28: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/28.jpg)
Asymmetric Cryptography
Most commonly known as Public Key Cryptography
![Page 29: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/29.jpg)
1. Key Generation
• Key pair is use in public key cryptography– Key generation provides the basis for trust– Private key protected and never shared– Public key bound in certificate and shared
Key PairGeneration
PrivateKey
PublicKey
CertificationAuthorityUser Name
OrganizationLocation Digital
Certificate
End UserToken
X.509Directory
![Page 30: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/30.jpg)
A Digital Signature Is a Special Block That is Appended
to an Electronic Message.
Signature Block
Stock PurchaseOrder
2. Digital Signature
Allows for Verification of the AUTHENTICATION of
the Sender and of the INTEGRITY of the content of an Electronic Message.
Only Public-key Techniques Can Provide This.
![Page 31: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/31.jpg)
2. Digital Signature
How Alice Creates A How Alice Creates A Digital SignatureDigital Signature
AA AliceAlice
Alice’s Private KeyAlice’s Private Key
SSecureecureHHashashAAlgorithmlgorithm
Dear Sir,Dear Sir,
Please Send Please Send
Me The Me The
Widget. Widget.
Please Please
Charge VISA Charge VISA
Card 4123...Card 4123...
![Page 32: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/32.jpg)
2. Digital Signature
How Alice Creates A How Alice Creates A Digital SignatureDigital Signature
AA AliceAlice
Alice’s Private KeyAlice’s Private Key
Message Digest (160 bits)
Dear Sir,Dear Sir,
Please Send Please Send
Me The Me The
Widget. Widget.
Please Please
Charge VISA Charge VISA
Card 4123...Card 4123...
SSecureecureHHashashAAlgorithmlgorithmSignatureSignature
Encrypt
Digital Signature
![Page 33: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/33.jpg)
VERIFIED
2. Digital Signature
• Sender uses private key to sign• Receiver uses sender’s public key to verify• Result is Pass or Fail
Sign
Sender’sPrivate
Key
SENDER
DigitallySigned
RECEIVER
Verify
Sender’sPublicKey
Sender’sCertificateSender’s
Token
VERIFIED
This is plain
text. It can
be a document,
image, or any
other data file
This is plain
text. It can
be a document,
image, or any
other data file
![Page 34: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/34.jpg)
Algorithms for Digital Signature
• Digital Signature Algorithm (DSA)– Federal Standard (FIPS 186)
• Secure Hash Algorithm (SHA-1)• Rivest Shamir Adleman (RSA)
• Message Digest #5 (MD5)• Elliptic Curve Digital Signature Algorithm (ECDSA)
r=(gk mod p) mod qs=(k-1(H(m)+xr)) mod q
c=me mod nm=cd mod n
![Page 35: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/35.jpg)
Digitized vs. Digital SignatureDigitized vs. Digital Signature
A A DigitizedDigitized signature is a scanned image that can be pasted signature is a scanned image that can be pasted on any documenton any document
A A DigitalDigital Signature is a numeric value that is created by Signature is a numeric value that is created by performing a cryptographic transformation of the data using performing a cryptographic transformation of the data using the “signer’s” private key the “signer’s” private key
1A56B29FF6310CD3926109F200D5EF719A274C66821B09AC3857FD62301AA2700AB3758B6FE93DD
Digitized Signature Digital Signature
![Page 36: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/36.jpg)
Digital Certificates
• Analogous to a Driver’s License or Employee Badge– Issued By Some Authority That Members Have in
Common– Issued Under Some Set of Rules (Policies)– Document Issued Contains Public Information
• Not Sensitive• Not Compromising
– Provides Trust to Peers, Identification to Others
![Page 37: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/37.jpg)
1. Message Encryption
• Use token to generate a random message key• Encrypt message with symmetric algorithm (DES)
Sender’s Token
DES
This is plain text. It can be a document, image, or any other data file
12A7BC544109FD00A6293FECC7293B9BCAA12020384AC6F4D93B8
MessageKey
SENDER
Use RNG toGENERATE
![Page 38: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/38.jpg)
2. Key Transport (Wrap)
• Encrypt message key with sender’s private key and recipient’s public key and a public key algorithm (RSA)
RSA
Sender’sPrivate
Key
SENDER
Sender’s Token
MessageKey
Recipient’sPublicKey
Recipient’sCertificate
(From previous step)
WrappedMessage Key
![Page 39: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/39.jpg)
3. Compose Message
• Send wrapped message key, encrypted message, and (optionally) sender’s certificate to recipient
WrappedMessage Key
12A7BC544109FD00A6293FECC7293B9BCAA12020384AC6F4D93B8
EncryptedMessage
SENDER
Sender’sCertificate
S/MIME, MSPS/MIME, MSP
![Page 40: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/40.jpg)
4. Key Transport (Unwrap)
• Use the sender’s public key and the recipient’s private key to unwrap the message key with public key algorithm (RSA)
RSA
MessageKey
WrappedMessage Key
Recipient’sPrivate
Key
Recipient’s Token
Sender’sPublicKey
Sender’sCertificate
RECIPIENT
![Page 41: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/41.jpg)
• Diffie-Hellman Works Because of a One-Way Function – The Function Is “Easy” to Compute but the Inverse Is “Hard” to Compute.
• Specifically D-H Uses Discrete Exponents and Discrete Logs.
Bob Alicegb
gagb mod p ga mod p
logg (x)
(easy)(easy) (hard)(hard)
Alternative Key Exchange MethodThe Diffie-Hellman Public Key System
![Page 42: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/42.jpg)
Bob Alice
80
110
Secret = 8 Secret = 11
Igor knows 1010, 80 & 110Division Required!
Public = 8 x 10 10 = 80 Public = 11 x 10 10 = 110
Diffie-Hellman• Return to the 3rd Grade...
– Multiplication Is “Easy” and Division Is “Hard”• Diffie-Hellman Is Based on “X” and “/”• Bob and Alice Share a Generator (a) Value “10”
= 11 x 80 = 880= 8 x 110 = 880 MessageKey
![Page 43: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/43.jpg)
5. Message Decryption
• Use unwrapped (RSA) or computed shared (D-H) message key to decrypt the data using a symmetric algorithm (e.g., DES)
12A7BC544109FD00A6293FECC7293B9BCAA12020384AC6F4D93B8
DESThis is plain text. It can be a document, image, or any other data file
MessageKey
RECIPIENT
![Page 44: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/44.jpg)
This is a critical noteon our 1999revenue ...
$):”<(%$%&(@?<:”^%:)(*&%@#%(*^$+#@
KRFKEY
RECOVERYAGENT
KEYRECOVERY
AGENT
Basic Key Recovery
Encrypted DataEncrypted Data
KRF Key Recovery FieldKey Recovery FieldMessage KeyMessage Key
Private KeyPrivate Key
Public KeyPublic Key
![Page 45: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/45.jpg)
Using Security Services
![Page 46: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/46.jpg)
Using Security Services
• Client Authentication on a Web Server– Netscape, Microsoft– Compared to Access Control List on Server
• Server Authentication on a Web Client– Netscape, Microsoft– Stops Man-in-the-middle Attack
• Message Authentication– S/MIME E-mail Message– Netscape, MS Outlook Express 98
• Audit– Authentication of User Provides Non-repudiation of Client Access – May Provide Legal Proof for Later Arbitration
Digital Signatures
![Page 47: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/47.jpg)
Using Security Services
• Confidentiality– Link Encryption
• IPSec (Layers 2/3)– Secure tunnel between VPN boxes
• SSL (Layers 4/5)– Secure “tunnel” to web server– Netscape, Microsoft
• FTP (Layers 6/7)– Secure file transfer
![Page 48: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/48.jpg)
PKIPublic Key
Infrastructure
![Page 49: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/49.jpg)
Digital Certificates
X.509User Info +
Public Key
Certification Authority
• Certification Authority acts as a trusted third party:– Binds user information to public key.– Issues an unforgeable certificate.
• Digital certificate can be published in a public directory/repository.• Digital certificate can be used to provide the required security services: integrity,
confidentiality, authentication, authorization, and non-repudiation.• ITU Recommendation X.509 is the accepted standard for digital certificates in
Government and industry.
Digital Certificate
![Page 50: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/50.jpg)
X.509 Certificates (cont.)
• X.509 Version 3 certificates:– Defined extensions that can be added to the base
certificate:• public key information• policy information• additional subject attribute information• constraint information• CRL information
– Widely accepted in Gov’t and industry.– Commercial and Gov’t implementations.
![Page 51: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/51.jpg)
Public Key Infrastructure
Public KeyCertificates
CertificationAuthorities
PKIServices
Public Key Infrastructure
InformationDist. & Mgmt
RegistrationManagement
Public KeyManagement
CertificateManagement
X.509
TokenManagement
![Page 52: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/52.jpg)
Risk Reduction and PKI
BusinessRequirements
Legal Requirements
Technology Requirements
X.509
![Page 53: Demystifying PKI: Introduction to The Cryptography Behind Public Key Infrastructure](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56649eda5503460f94be8c6f/html5/thumbnails/53.jpg)
Cryptographic Security Solutions:
Provide Security Assurances: Privacy/Confidentiality Data Integrity Source and Destination (Client/Server/User) Authentication Access Control Non-Repudiation
Support The Emerging PKI Marketplace
PKI Security Solutions: Enable Enterprise E-Commerce
Issue, Manage, Revoke Certificates Apply Enterprise Certificate Policies and Procedures
Summary