public key infrastructures - technische universität darmstadt · download certificate 71...
TRANSCRIPT
![Page 1: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/1.jpg)
1
Public Key InfrastructuresPublic Key Infrastructures
Chapter 6Private Keys
Cryptography and ComputeralgebraVangelis KaratsiolisAlexander Wiesmaier
2
How to store private keys?
3
Personal Security Environment (PSE)
Private keys are stored in PSEs
4
Realisation of PSEs : Tokens
Secure storing of private keys
in Software in Hardware
PKCS#12Application specific
(e.g. Netscape)Java KeyStore SmartcardUSB-Token
HardwareSecurityModule(HSM)
![Page 2: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/2.jpg)
5
Token properties
Compatibility
Portability
Availability
Access protection
6
PKCS#12
Software based PSE
Format for secure transport and storing
Most typical format for software PSEs
Available at:http://www.rsa.com/rsalabs/node.asp?id=2138
7
PKCS#12: Modes
Public Key Privacy Mode:Encryption with a symmetric key. This symmetric key is encrypted with the public key of the receiver.
Password Privacy Mode:Encryption with one symmetric key, which is derived from a password.
Public Key Integrity Mode:Signed with a private key. The receiver can verify the message.
Password Integrity Mode:A MAC is calculated which can be verified by the receiver.
8
PKCS#12: StructureAuthenticatedSafe
ContentInfo
Plain data
Encrypted data
Enveloped data
![Page 3: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/3.jpg)
9
Example
Personal nformation Exchange
Password: 123456
10
11
Java Keystores
Implementation of the KeyStore Class
Two types:JKS
Proprietary algorithmsWeak encryption
JCEKSStandard algorithmsStrong encryptionPart of the JCE (Java Cryptography Extensions)Since Java 1.4
Easy Administration with keytool 12
KeyStore example
keytool -genkey -alias test -keyalg RSA-keysize 1024 -keypass 123456-storepass 123456 -keystore test.ks
Run: ../Certificates/keytool.bat
![Page 4: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/4.jpg)
13
Application specific
Examples:
MozillaWindows
14
Private key import in Firefox
15
Private key access in Firefox
16
Private key import in Windows
![Page 5: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/5.jpg)
17
Private key access in Windows
18
Application specific
Netscape FamilyMozilla, Firefox, Thunderbird, SeaMonkeyThrough Software Security ModuleThe standard implementation is proprietaryThe format for the import is PKCS#12
Windows Internet Explorer, Outlook/ExpressThe standard implementation is proprietaryThrough Cryptographic Service ProviderThe format for the import is PKCS#12
19
Hardware Security Module
Secure storage and use of keys
(Pseudo)random number generation
Key pair generation
Calculation of digital signatures
Key archiving
Acceleration for cryptographic schemes
20
Hardware Security Module
Protect the keys against
Mechanical attacks
Temperature attacks
Manipulation of the voltage
Chemical attacks
The keys are destroyed in case of danger
![Page 6: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/6.jpg)
21
Hardware Security Module
But…
Keys can be accidentally destroyed
e.g. due to mechanical influence during transport
22
Network Attached HSM
Speed
Availability
Robustness
23
Smartcards
Secure key storing and use
Key pair generation (not all)
Calculation of digital signatures
Decryption
24
Access over PKCS#11
Interface to the card
Support functions like:Change PIN, Sign, Decrypt, Write certificate
But:Some functions are not supported (e.g. change PUK)Possibly many libraries are needed for supporting different cards and readers.
Available at:http://www.rsa.com/rsalabs/node.asp?id=2133
![Page 7: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/7.jpg)
25
PKCS#15
Specifies the structure of the card in the card
Every directory in the card is an application
Pointers to cryptographic objekts (ODF)
PrivateKey
PublicKey
Certificate
There is a a newer specification based on it: ISO 7816-15
Available at:
http://www.rsa.com/rsalabs/node.asp?id=2141 26
Structure PKCS#15
DescriptorDF(PKCS#15)
FurtherDFs/EFs
UserdataEF (DIR)
TokenInfo
MasterFile
ADFCDFPrKDFODF
Pointer to PrivateKey Data, Certificate Data, Authentication Data (PIN) and Token Information (Serial number)
27
E4 NetKey (TeleSec)
E4 evaluated (according to ITSEC)
Global files (serial number, etc.)
SigG application
Pre-keyd with one key-pair according to SigG(Signature Act)
NetKey application
3 key pairs (pre-keyed)
Null-PIN scheme (patented)
28
Java Cards
No filesystem but applets
JCRE (Java Card Runtime Environment)
manages:
the resources of the card
the communication with the outside world
the execution of the applets
controls:
the compliance with the security limitations
![Page 8: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/8.jpg)
29
Java Cards
Like normal Java code but not:
Long, double, float
Characters and strings
Multidimensional arrays
Threads
Object serialisation und cloning
Dynamic loading of classes (like drivers)
Security Manager
Garbage Collector not always present
30
Examples
Of secure signature-creation devices
Secure signature-creation devices
31
Use
Destruction
Transport
Storing
Backup
Recovery
Generation
Life cycle of private keys
start state
state
end state
32
Use
Destruction
Transport
Storing
Backup
Recovery
GenerationGeneration
Life cycle of private keys
appropriate parameters
secure random number generator
shielding against eavesdropping
•…
![Page 9: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/9.jpg)
33
Use
Destruction
Transport
StoringStoring
Backup
Recovery
Generation
Life cycle of private keys
persistent storing
deletion from the generator
appropriate access protection
…
34
Use
Destruction
TransportTransport
Storing
Backup
Recovery
Generation
Life cycle of private keys
correct receiver
guaranteed delivery
appropriate transport security mechanisms…
35
UseUse
Destruction
Transport
Storing
Backup
Recovery
Generation
Life cycle of private keys
easy for the authorised users
impossible for the unauthorisedusers
protection of the private key
…36
Use
DestructionDestruction
Transport
Storing
Backup
Recovery
Generation
Life cycle of private keys
unrecoverable
easy for authorised users
impossible for unauthorisedusers
•…
![Page 10: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/10.jpg)
37
Use
Destruction
Transport
Storing
BackupBackup
Recovery
Generation
Life cycle of private keys
persistent storing
only for certain keys
appropriate access protection
…
38
Use
Destruction
Transport
Storing
Backup
RecoveryRecovery
Generation
Life cycle of private keys
correct reestablishment
easy for authorised users
impossible for unauthorisedusers
…
39
User generates key
Example 1:
User generates key (PGP)
40
Generation
![Page 11: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/11.jpg)
41
Generation
42
Generation
43
Generation
44
Generation
![Page 12: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/12.jpg)
45
Generation
46
Generation
47
Generation
48
Storing
![Page 13: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/13.jpg)
49
Transport
50
Transport
51
Transport
File contents
../Certificates/Test User.cxt
52
Use
![Page 14: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/14.jpg)
53
Use
54
Destruction
55
Destruction
56
Destruction
![Page 15: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/15.jpg)
57
Backup
58
Backup
59
Backup
60
Backup
![Page 16: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/16.jpg)
61
Recovery
62
Recovery
63
Recovery
64
Trust center generates key
Example 2:
Trust center generates key (X.509)
TUDCard
![Page 17: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/17.jpg)
65
Generation
The manufacturer creates the keys
input
output 66
Storing
Contains the private key
A file exists that holds the private key.
Security condition:
PSO (Perform Security Operation) after PIN has been correctly given.
67
TransportBy snail mail
68
Use
First Use detection
Null-PIN technique
![Page 18: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/18.jpg)
69
Use
PIN-Entry
necessary
for PSO
70
Use
Set PINSee PUKDownload certificate
71
Destruction
Physical destruction of the card.
high temperature, etc…
72
Backup
input
output
Every key is stored in a PKCS#12 file
![Page 19: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/19.jpg)
73
User generates key
Example 3:
User generates key (X.509)
The user generates its own private key
74
Generate
keytool -genkey -keyalg RSA -keystore keystore.ks -alias myalias
75
Store
keytool -genkey -keyalg RSA -keystore keystore.ks -alias myalias
76
Transport
The key is already at the client side.
![Page 20: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/20.jpg)
77
UseIn order to use the private key, the public key is certified by a CA.
Thawte example
78
79 80
![Page 21: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/21.jpg)
81 82
83 84
Hi! Please use your browser to go to the following URL: https://www.thawte.com/cgi/enroll/personal/step8.exeOnce you have connected successfully to the above address, you must copy and paste the "probe" and "ping" values below into the appropriate text boxes:Probe: value Ping: valueYou should save this message until you have completed the enrollment process, just in case. But you MUST go to the above URL within 24 hours, or we will delete your request information and you'll have to start over! If you have problems completing the above please contact our support team by going to the following URL: https://www.thawte.com/cgi/support/contents.exeRegards, The thawte team thawte Certification
![Page 22: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/22.jpg)
85 86
87 88
![Page 23: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/23.jpg)
89 90
91
email address
92
![Page 24: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/24.jpg)
93 94
95
keytool -certreq -keystore keystore.ks -file csr.txt -alias myalias
96
-----BEGIN NEW CERTIFICATE REQUEST-----MIIBrDCCARUCAQwbDELMAkGA1UEBhMCREUxDjAMBgNVBTBUhlc3NlMRIwEAYDVQQHEwlEYXJtN57qbnyAfAAAAAAAc3RhZHQxDDKBgNVATA1RVRDEMMAoGA1UECxMDQ0RDMRwGwYDVQQDExRWY5nZWxpcyBLYXJhN57qbnyAfAAAAAAAdHNpb2xpcznzANBqhkiG9w0BAQEFAAOBjQAwgYkCgYEAroJITHFBR5orQ9dB4qkP/gMhS1hCNiowdM2CrJINiowdM2CCCCE+Qrzut77pzzjlEBLQeeMC0Q88LF8tTJfFoUKdGni/PAAiOPHxvNXFFH0YZs4/P7gXMAX+9eEgGNiowdM2CrJINiowdM2CCCCEjL2ig7PyQlkGGwIbvxYQmEX2TKk9tKWqCvFjl6BKTjIIjErmgolyi79dk3Cdwx26Z8CAwEAAaAANiowdM2CrJINiowdM2CCCCEEEMA0GCSqGSIb3DEBBAUAAGBAIvbaheW+lVaDdRN57qbnyAf3qqxD2GcjmBcCcO8v3TN9zc4mSENiowdM2CrJINiowdM2CCCCpXXTFQg4UqO0urJINiowdM2CtrPzlEtORJNtoxxiRLHp9+LLNXnER43nYvcLZ/QIChlfIX6KiPrJINiowdM2CrJINiowdM2CCCCElr81bvYRq6G/bGxrz4K55c17UIqPtlGN7yQEDxYZ5e+-----END NEW CERTIFICATE REQUEST-----
![Page 25: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/25.jpg)
97 98
99 100
The user receives a URL that contains thecertificate inside a PKCS#7 structure
![Page 26: Public Key Infrastructures - Technische Universität Darmstadt · Download certificate 71 Destruction Physical destruction of the card. high temperature, etc… 72 Backup input output](https://reader030.vdocuments.mx/reader030/viewer/2022040701/5d616ddc88c993b8618bd6c9/html5/thumbnails/26.jpg)
101
keytool -import -file test.crt -alias myalias -trustcacerts -keystore keystore.ks
102
Destruction
103
Backup
A simple copy of the file to:a CDa USB stickan external hard disc… or similar
The password may be changed.
104
Recovery
Recovery from the copy location.
Password is needed.