Professional Documents
Culture Documents
Public Key Infrastructure
Public Key Infrastructure
Public Key Infrastructure
(X509 PKI)
Marco Casassa Mont
Intranet
Extranet
Internet
Bob Alice
Intranet
Extranet
Internet
Bob Alice
Intranet
Extranet
Internet Moving towards PKI …
Bob Alice
• The recipient uses a verification key (Public Key) to verify the origin of
the message and that it has not been tampered with while in transit
Intranet
Extranet
Internet
Bob Alice
Digest Digest
Hash Function Hash Function
Algorithm Algorithm
Digest
Public Key
Issuer
Subject
Subject Public Key
Issuer
Digital
Signature
Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK
Digital Certificate
Problems
• How are Digital Certificates Issued?
• Who is issuing them?
• Why should I Trust the Certificate Issuer?
• How can I check if a Certificate is valid?
• How can I revoke a Certificate?
• Who is revoking Certificates?
Moving towards PKI …
“Consumer” Side
• PKI enabled applications
Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK
X509 PKI – Simple Model
Certification
CA Entity
Cert. Request
Application Signed
Certificate
RA
Service Internet
Certs, Directory
CRLs
Remote Local
Person Person
Revoked Certificates
remain in CRL
until they expire
Directory CRL
Certificate IDs
to be checked Download
CRL
User OCSP CRL
CA
Answer about Server
Certificate States
Directory
OCSP
Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK
X509 PKI
PKI-enabled Applications
Functionality Required:
• Cryptographic functionality
• Secure storage of Personal Information
• Digital Certificate Handling
• Directory Access
• Communication Facilities
Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK
X509 PKI
Trust and Legal Issues
Certificate Hierarchies
and
Cross-Certification
RA CA CA CA
RA RA Internet RA
RA RA Internet
Try to reflect
Real world Trust Models
LRA LRA
1. Multiple Roots
2. Simple cross-certificate
3. Complex cross-certificate
Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK
X509 PKI
Approach to Trust : Problems
Certificate Policy
And
Certificate Practice Statement
RIGHTS, LIABILITIES
& OBLIGATIONS
CERTIFICATE &
CRL PROFILES CP
IDENTIFICATION &
AUTHENTICATION
TECHNICAL OPERATIONAL
SECURITY CONTROL REQUIREMENTS
IDENTIFICATION &
SPECIFICATION
AUTHENTICATION
ADMINISTRATION
CPS
CERTIFICATE & OPERATIONAL
CRL PROFILES REQUIREMENTS
TECHNICAL PHYSICAL,
SECURITY PROCEDURA
CONTROLS L&
PERSONNEL
Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK
IETF (PKIX) Standards
• X.509 Certificate and CRL Profiles
• PKI Management Protocols
• Certificate Request Formats
• CP/CPS Framework
• LDAP, OCSP, etc.
http://www.ietf.org/