Scribd Logo
Fazer o upload

Bem-vindo(a) ao Scribd!

  • Introduction to PKI, Certificates & Public Key Cryptography

    Enviado por

    Sorin Moldo
    54 visualizações12 páginas

    Título original

    Pki Introduction Lemonnier

    Direitos autorais

    © Attribution Non-Commercial (BY-NC)

    Formatos disponíveis

    PPT, PDF, TXT ou leia online no Scribd

    Você considera este documento útil?

    Este conteúdo é inapropriado?

    Denunciar este documento

    Direitos autorais:

    Attribution Non-Commercial (BY-NC)
    Baixe no formato PPT, PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    54 visualizações12 páginas

    Introduction to PKI, Certificates & Public Key Cryptography

    Enviado por

    Sorin Moldo

    Direitos autorais:

    Attribution Non-Commercial (BY-NC)
    Baixe no formato PPT, PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    de 12

    Introduction to PKI, Certificates & Public Key Cryptography

    Erwan Lemonnier

    Introduction to PKI, Certificates & Public Key Cryptography erwan@defcom.com

    Role of Computer Security


    CIA
    Confidentiality: protection against data disclosure
    Integrity: Availability: protection against data modification protection against data disponibility

    Identification & Authentication (I&A)


    Provide a way of identifying entities, and controlling this identity

    Non-repudiability
    Bind an entity to its actions

    Introduction to PKI, Certificates & Public Key Cryptography erwan@defcom.com

    How to implement CIA, I&A, N-R ? With Cryptography !


    Main cryptographic tools:

    Hash Functions Secret Key Cryptography Public Key Cryptography

    And their combinations:

    Certificates
    PKI

    Introduction to PKI, Certificates & Public Key Cryptography erwan@defcom.com

    Main cryptographic tools


    Hash Functions:
    Bind one entity with a unique ID => Signature Hash + Encryption => trusted signature

    Symmetric Key Cryptography


    2 users share a secret key S and an algorithm.
    S(S(M)) = M

    Problem: how to exchange secret keys ? =>Secret Key Server (ex: kerberos)

    Introduction to PKI, Certificates & Public Key Cryptography erwan@defcom.com

    Main cryptographic tools


    Public Key Cryptography:
    Each user has a public key P and a private key S, and an algorithm A. P(S(M)) = S(P(M)) = M No shared secret !
    Encryption with Public Key Crypto Authentication with Public Key Crypto

    Introduction to PKI, Certificates & Public Key Cryptography erwan@defcom.com

    Main cryptographic tools, PKI


    How to distribute public keys ? Public Key Server (PKS), key exchange protocols

    Public Key Infrastructure (PKI):


    PKI = N x (Entities with private keys) + public key exchange system

    REM: Public Key algorithms are slow Need to use both Public & Secret Key Cryptography Public Key Protocols work in 3 phases 1. Authentication via Public Key Cryptography (challenge) 2. Exchange of a session Secret Key, encrypted with Public Key Crypto 3. Session encrypted with Symmetric Cryptography

    Introduction to PKI, Certificates & Public Key Cryptography erwan@defcom.com

    Certificate
    A certificate binds an entity with its public key. Its just a digitally signed piece of data. digital ID card Certificate = an entitys description (name, etc.) + entitys public key + expiration date, serial number, etc. + CAs name + a signature issued by a CA The certificate is issued and signed by a trusted Certificate Authority (CA)

    Digital signature: CA signature = certificate hash, encrypted with CAs private key

    Introduction to PKI, Certificates & Public Key Cryptography erwan@defcom.com

    Certificate
    The certificates CA is the only entity able to create/modify the certificate the CA has to be trusted

    Certificates enable:
    Clients to authenticate servers Servers to authenticate clients Public key exchange without Public Key Server No disclosure of private/secret keys. Certificates are usually stored encrypted.

    Special features: chains of CAs, to distribute the task of issuing Certificates Certificate Revocation List, to disable certificates

    Introduction to PKI, Certificates & Public Key Cryptography erwan@defcom.com

    Usual cryptographic algorithms & infrastructures


    Hash: Symmetric Key: MD4, MD5, SHA-1 DES, 3DES, AES (Rijnael), IDEA, RC4 RSA, Diffie-Hellman X509 IPSec, SSL, (kerberos)

    Public/Private Key: Certificat: PKI:

    Introduction to PKI, Certificates & Public Key Cryptography erwan@defcom.com

    example: IPSec
    IPSec works at IP level. Provide authentication and encryption. Used to build VPNs.
    Configuration: 2 transfert modes: tunnel or transport 2 transfert protocols: AH (Authentication Header) ESP (Encapsulating Security Payload)

    => authenticated traffic => encrypted traffic

    Key exchange protocols: Internet Key Exchange (IKE), Internet Security Association and Key Management Protocol (ISAKMP), etc.

    Introduction to PKI, Certificates & Public Key Cryptography erwan@defcom.com

    Weaknesses of PKI and Certificates


    PKI: unsecured server: unsecured client: weak algorithm: Certificate: unsecured computer: certificate password: untrustable CA: users:

    hackable Public Key/Certificate servers private keys/passwords can be stolen/spied short keys, implementation or design breach

    certificates can be stolen, password spied certificates are stored encrypted, with weak password easy to be issued a certificate from a CA they seldom check if CA can be trusted before accepting certificates (netscape GUI)

    Attack example: hack clients computer, steal certificate & password man in the middle

    Introduction to PKI, Certificates & Public Key Cryptography erwan@defcom.com

    Links
    Book: Applied cryptography, Bruce Schneier
    URLs: theory.lcs.mit.edu/~rivest/crypto-security.html www.counterpane.com/pki-risks.html www.csc.gatech.edu/~copeland/8813/slides/ www.iplanet.com/developer/docs/articles/security/pki.html web.mit.edu/6.857/OldStuff/Fall96/www/main.html

    Você também pode gostar