Deploying a

Certification Authority
for Networks Security
Prof. Dr. VICTOR-VALERIU PATRICIU
Cdor.Prof. Dr. AUREL SERB

Computer Engineering Department

Military Technical Academy
Bucharest, Romania
 Information Security
Requirements
Confidentiality
• protection from disclosure to unauthorized persons
Integrity
• Maintaining data consistency
Authentication
• Assurance of identity of person or data originator
Non-repudiation
• Communication originator can’t deny it later
Public-Key Encryption
Confidentiality
Digital Signatures
-creation-
Public Key Distribution
Public Key Distribution
 Digital Certificate
• Is a person really who claim?
• The public key really belongs to this person?
Certificate Structure
 What is PKI
-Public Key Infrastructure-
PKI refers to the services providing:
• generation, production, distribution,
control,revocation,archive of certificates
• management of keys,
• support to applications providing confidentiality
and authentication of network transactions.
 PKI for Military Use
• provide secure interoperability throughout the military
organizations and with its partners- government, industry
and academia;
• standards based;
• uses commercial PKI products to minimize the
investment;
• support digital signature and key exchange;
• support key recovery;
• support Federal Information Processing Standards- FIPS
compliance requirements.
General PKI Structure
 CA’s are Trusted to Do
• A central administration - issues certificates:
-company to its employees
-university to its students
-public CA (like VeriSign) to clients
• The CA must keep confidential his Private Key used to sign
certificates
• The CA does not assign different certificates the same serial
number
• The CA makes sure all the information in a certificate is
correct
• Up to date Certificate Revocation List (CRL)
 Our PKI Research/ Study
-directions-
• Understanding PKI technology and establish
– applications demanding PKI
– PKI architecture
• Analysis of the possibilities/facilities of a
vendor CA software-RSA Keon
• Developing our own CA software, using Eric
Young Open SSL library
• Defining an adequate certificate policy and
practice statement
 PKI Main Applications

• Paperless Office -Document & E-mail Signing

and Protecting

• Secure Web - User Authentication and Secure

Communications

• Security in Organization’s Intranet/Extranet-

VPN

• Certificate Authority -for the Romanian

(Military) Internet Users
 Deploying a PKI
-Main steps-
• Analysis of Operational Requirements
• Establish PKI Applications
• Defining security policies
• Defining a deployment road map
• Establish the infrastructure (PKI & CA Design)
• Personnel Selection
• Hardware and Software Acquisition
• PKI Training
• Management & Administration
 Defense PKI (DPKI)
   Generation, production, distribution, control,
revocation, archive of public key certificates;
     Management of keys;
 Support to applications providing
confidentiality and authentication of network
transactions;
      Data integrity;
      Non-repudiation.
 Certificate Clases
For DPKI, it can adopt a certificate policy, which uses 3 classes of
certificates:
Low Class Certificates (for unclassified/sensitive information on
classified network)- May be used for:
  Digital signatures for classified information on encrypted
network;
  Key exchange for the protection (confidentiality) of communities
of persons on encrypted networks;
  Non-repudiation for medium value financial or for electronic
commerce applications.
 Certificate Clases
      Medium Class Certificates (for unclassified/sensitive information on
classified network)-. May be used for:
  Digital signatures for unclassified mission critical and national security
information on un encrypted network
  Key exchange for the confidentiality of high valued compartmented
information on encrypted networks or classified data over unencrypted
networks
  Protection information crossing classification boundaring
  Non-repudiation for large financial or for electronic commerce applications.
     
.
 Certificate Clases
            High Class Certificates (for classified information on open
network)- May be used for:
  Digital signatures for authentication of subscriber identity for
accessing classified information over unprotected networks
  Key exchange for confidentiality of classified information over
unencrypted networks
  Digital signatures for authentication of key material in support of
providing confidentiality for classified information over
unprotected networks.
.
 CONCLUSIONS
• PKI -simplifies the management of security
• RAF structures and organizations can spend less time
worrying about security, and more energy on their main
activities (confidential documents no longer need to wait
for days to be physically shipped; instead, they can be
securely sent through e-mail)
• Web servers can allow secure access for only designated
users
• Military organization networks can securely extend over
the Internet, eliminating expensive leased data lines
• PKI’s possibilities are limitless
 CONCLUSIONS
• For Romanian Armed Forces, the Public Key
Infrastructure (PKI) capability may adopt the following
components:
-Root Certificate Authority
       -Certificate Authorities
       -Local Registration Authorities,
       -Certificate Directory,
and principles:
      -use commercial and/or proprietary products,
-use smart cards for protection of private keys and
certificates, processing digital signature, access control.
 CONCLUSION ?
Steve Bellovin
AT&T Security Guru

“-What are the strongest defenses?

-There aren’t any”