Ok Mary Pki
Central server has all the user ids and passwords, don’t
need to store passwords locally.
Facilitates the same user id and passwords on all machines
on a network
Then rlogin and rsh allow the user to have access to all the
hosts in the hosts.equiv and .rhosts files
No real security, depends on IP addresses
Confidentiality
Protection from disclosure to unauthorized persons
Integrity
Maintaining data consistency
Authentication
Assurance of identity of person or originator of data
Non-repudiation
Originator of communications can't deny it later - requires long-
term of keys
Authorization
Identity combined with an access policy grants the rights to
perform some action
M.Thompson, O.Kolesnikov, Berkeley National Laboratory
Security Building Blocks
Encryption provides
confidentiality, can provide authentication and integrity
protection
Checksums/hash algorithms provide
integrity protection, can provide authentication
Digital signatures provide
authentication, integrity protection, and non-repudiation
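
Added example (not from the original slides): a bare hash next to a keyed hash, showing when a checksum gives only integrity and when it also gives authentication. SHA-256, HMAC and the sample messages are assumptions chosen for illustration; the slides name no specific construction at this point.

```python
import hashlib
import hmac
import secrets


def plain_digest(message: bytes) -> str:
    """Unkeyed hash: anyone who sees the message can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC: producing a valid tag requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_digest(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the mismatch position through timing
    return hmac.compare_digest(keyed_tag(key, message), tag)


def demo() -> dict:
    key = secrets.token_bytes(32)        # known to sender and receiver only
    original = b"pay 100 to alice"       # constructed sample message
    modified = b"pay 900 to mallory"     # constructed altered message

    # Case 1: message changes in transit, the check value arrives unchanged.
    # Case 2: whoever changed the message also replaces the check value
    #         with one they can compute without knowing the key.
    recomputed_digest = plain_digest(modified)
    wrong_key_tag = keyed_tag(secrets.token_bytes(32), modified)
    return {
        "digest_detects_change": not verify_digest(modified, plain_digest(original)),
        "digest_detects_replaced_check": not verify_digest(modified, recomputed_digest),
        "hmac_detects_change": not verify_tag(key, modified, keyed_tag(key, original)),
        "hmac_detects_replaced_check": not verify_tag(key, modified, wrong_key_tag),
        "hmac_accepts_genuine": verify_tag(key, original, keyed_tag(key, original)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only `digest_detects_replaced_check` comes back False: an unkeyed hash protects integrity only when the digest itself is delivered over a channel the modifier cannot touch.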
Symmetric Keys
Both parties share the same secret key
Problem is securely distributing the key
DES - 56 bit key considered unsafe for financial purposes
since 1998
3DES uses three DES keys
Public/Private keys
One key is the mathematical inverse of the other
Private keys are known only to the owner
Public keys are stored in public servers, usually in an X.509
certificate.
RSA (patent expires Sept 2000), Diffie-Hellman, DSA
Client hello:
Client’s challenge, client’s nonce
Available cipher suites (e.g. DSA/RSA; Triple-DES/IDEA;
SHA-1/MD5 et al.)
Server hello:
Server’s certificate, server’s nonce
Session ID
Selected cipher suite
Server adapts to client capabilities
Optional certificate exchange to authenticate server/client
Usually only server authentication is used
SSL Handshake completed
PKCS 7
Cryptographic Message Syntax Standard
PKCS 10
Certification Request Syntax Standard - used by Netscape
browser, IE, and SSL libraries
PKCS 11
Cryptographic Token Interface Standard - An API for
signing and verifying data by a device that holds the key
PKCS 12
Personal Information Exchange Syntax Standard - file
format for storing certificate and private key - used to move
private information between browsers
http://www.cs.auckland.ac.nz/~pgut001/tutorial/
about 500 slides covering cryptography, secure connection
protocols, PKI, politics and more.
RSA Laboratories PKCS specifications
http://www.rsasecurity.com/rsalabs/pkcs/
SSL/TLS
TLS v 1.0 RFC - http://www.ietf.org/rfc/rfc2246.tx.
SSL-v3
http://www.netscape.com/eng/ssl3/draft302.txt
OpenSSL http://www.openssl.org/