Public Key Infrastructure: A Quick Look Inside PKI. Technology Investigation Center, [email protected], 3/27/2002
Mar 31, 2015
Public Key Infrastructure
A Quick Look Inside PKI
Technology Investigation Center
[email protected]@mail.state.ar.us
3/27/2002
Inside PKI
- Vocabulary
- How PKI Works
- When it Doesn’t
Vocabulary
Asymmetric Cryptography
Use of algorithms that use different keys for encryption than decryption and the decryption key cannot be derived from the encryption key.
Authentication
Verifying the identity of a person or a computer system.
Certificate Authority (CA)
The authority in a network (PKI) that issues and manages security credentials and public keys for message encryption.
Certificate Practice Statement (CPS)
Provides a detailed explanation of how the certificate authority manages the certificates it issues and associated services such as key management. The CPS acts as a contract between the CA and users, describing the obligations and legal limitations and setting the foundation for future audits.
Ciphertext
Encrypted text. Plaintext or cleartext is what you have before encryption and ciphertext is the encrypted result.
Digital Certificate
A digital document which is generally stored and administered in a central directory. It contains the certificate holder's name, a serial number, expiration dates, public key, and the digital signature of the certificate issuing authority.
Digital Signature
An electronic signature that authenticates the identity of the sender, ensures the original content of the message is unchanged, is easily transportable, cannot be easily repudiated, cannot be imitated, and can be automatically time-stamped.
Directory
A specialized, highly available database organized to be primarily used for lookup.
Directory Service
A collection of software, hardware, processes, policies and administrative procedures involved in organizing the information in a directory and making it available to users.
Hashing
A mathematical summary that can be used to provide message integrity, popular because it is simple and small.
Integrity
The state of being unaltered.
Nonrepudiation
The basis of insisting that the document signed by a particular private key represents acknowledgement by the private key owner.
Private Key
The private part of a two-part, public key asymmetric cryptography system. The private key is provided by a certificate authority, kept secret and never transmitted over a network.
Public Key
The public part of a two-part, public key asymmetric cryptography system. The public key is provided by a certificate authority and can be retrieved over a network.
Public Key Infrastructure (PKI)
A system that enables users of a public network to exchange data securely and privately through the use of a public and private cryptographic key pair that is obtained and shared through a trusted authority.
Registration Authority
The authority in a Public Key Infrastructure that verifies user requests for a digital certificate and tells the certificate authority it is alright to issue a certificate.
Rivest-Shamir-Adleman (RSA)
An algorithm for the key pairs used for authentication, encryption and decryption.
How PKI Works
- Get a Certificate
- Send a Signed Message
- Receive a Signed Message
- Send an Encrypted Message
- Receive an Encrypted Message
- Different Answers!
Get a Certificate
- Supply information to a Certificate Authority
- Certificate Authority generates the keys
- Certificate Authority creates the certificate
- Registration Authority may authorize the certificate
- The private key is delivered to the user
- The certificate is stored in a directory
Digital Certificate
- Version of certificate format
- Certificate serial number
- Signature algorithm identifier
- Certificate authority (CA) X.500 name
- Validity period (start, expiration)
- Subject X.500 name
- Subject public key info (algorithm, public key)
- Issuer unique identifier (optional)
- Subject unique identifier (optional)
- Extensions
- Certificate Authority's digital signature
Private Key
- One of two numeric keys derived from an algorithm
- Can be stored on a computer
- Can be memorized (not practical)
- Can be held in a token
- Can be combined with a biometric or token
- Must be kept secure
- Is not stored in the certificate
Get a Certificate
RA approves the Certificate
Information is given to CA
The CA creates keys and certificate
The Certificate, which contains the Public Key, is filed in a Directory
Private Key goes to the User
Send a Signed Message
- Compose the message
- Sign with your own (sender’s) private key
  - Create a message hash
  - Encrypt hash with private key
- Send the message and the digital signature
Receive a Signed Message
- Receive the message and the signature
- Get the sender’s public key
- Use the key to decrypt the signature (hash)
- Generate a new hash of the message
- Compare the two hashes to assure the integrity of the message and the authentication of the sender
Signed Message
Compose the Message
Sign the Message with Private Key
Send the Message and Digital Signature
Receive the Message and Digital Signature
Get the Sender’s Public Key
Compare the hashes
SENDER
RECIPIENT
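Added example (not part of the original slides): the sign and verify steps above in Python, using textbook RSA on a SHA-256 hash. It assumes demo keys built from well-known Mersenne primes and uses no padding, so it illustrates the flow only; the names make_keypair, sign, verify and demo are hypothetical.

```python
import hashlib

def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, e), (n, d)

def message_hash(message: bytes) -> int:
    """SHA-256 of the message as an integer (always smaller than n here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Sender: hash the message, then transform the hash with the private key."""
    n, d = private_key
    return pow(message_hash(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: recover the signed hash with the public key, rehash, compare."""
    n, e = public_key
    if not 0 <= signature < n:          # reject values outside the key's range
        return False
    return pow(signature, e, n) == message_hash(message)

# Constructed demo keys from known Mersenne primes (assumption for illustration;
# real keys use randomly generated primes and a padded scheme such as RSA-PSS).
SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
_, OTHER_PRIV = make_keypair(2**127 - 1, 2**521 - 1)

def demo() -> dict:
    msg = b"Approve purchase order 1001"            # constructed sample message
    sig = sign(msg, SENDER_PRIV)
    return {
        "valid": verify(msg, sig, SENDER_PUB),
        # Integrity: any change to the message changes the hash.
        "tampered": verify(b"Approve purchase order 9001", sig, SENDER_PUB),
        # Authentication: a signature made with another private key fails.
        "wrong_key": verify(msg, sign(msg, OTHER_PRIV), SENDER_PUB),
    }

if __name__ == "__main__":
    print(demo())
```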
Send an Encrypted Message
- Compose the message
- Get the receiver’s public key
- Encrypt the message
- Send the message
- But can be more complex, especially for long messages
Receive an Encrypted Message
- Receive the message
- Decrypt with your own (receiver’s) private key
- But can be more complex, especially for long messages
Encrypted Message
Compose the Message
Get the Recipient’s Public Key
Encrypt the Message with Public Key
Send the Encrypted Message
Get the Encrypted Message
Decrypt with Private Key
Different Answers Depending On:
- Where the public key is stored and how it is managed
- If a user has multiple public keys
- If multiple encryption algorithms are used
- If both message encryption and digital signature are required
When PKI Doesn’t Work
- When it isn’t trusted
- When the private key isn’t secure
- When the CA isn’t trusted by all parties
- When the authentication required by the CA isn’t adequate for all parties
- When there’s more than one John Smith
- When the sender and receiver can’t interoperate
Longer Looks at PKI
- This Group
- Handout
- Office of Information Technology
- Other States
- Vendors