introduction to pki
DESCRIPTION
Introduction to PKI. Mark Franklin September 10, 2003 Dartmouth College PKI Lab. Introduction to PKI Technology. Dartmouth College PKI Lab. P ublic K ey I nfrastructure Comprehensive security technology and policies using cryptography and standards to enable users to: - PowerPoint PPT PresentationTRANSCRIPT
Introduction to PKI
Mark Franklin
September 10, 2003
Dartmouth College PKI Lab
Introduction to PKI Technology
Dartmouth College PKI Lab
What is PKI?• Public Key Infrastructure
• Comprehensive security technology and policies using cryptography and standards to enable users to:– Identify (authenticate) themselves to network services.
– Digitally sign email and other electronic docs and services.
– Encrypt email and other documents to prevent unauthorized access.
Why PKI?
• Uniform way to address securing many applications
• Enables digital signing and encryption
• No passwords on the wire
• No need for shared secrets
• Strong underlying security technology
• Widely included in technology products
Dartmouth PKI Lab• R&D to make PKI a practical component of a
campus network• Multi-campus collaboration sponsored by the
Mellon Foundation• Dual objectives:
– Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
– Improve the current state of the art.• Identify security issues in current products.• Develop solutions to the problems.
Underlying Key Technology• A pair of asymmetric keys is used, one to encrypt,
the other to decrypt.• Each key can only decrypt data encrypted with the
other.• Invented in 1976 by Whit Diffie and Martin Hellman
• Commercialized by RSA Security
Plain Text Encrypted Text
Encrypt
Decrypt
(anyone with public key)
(possessor of private key only)
Public and Private Keys
• The "public" key is published far and wide.
• The "private" key is kept a secret by its owner.
• No need to exchange a secret "key" by some other channel.
Applications of PKI• Authentication and Authorization of Web users and
servers– This is the basis for the SSL protocol used to secure web
connections using https.– Server authentication is common, user authentication
getting started.• Secure e-mail (signed and encrypted)• Electronic signatures• Data encryption
– Business documents, databases, executable code• Network data protection (VPN, wireless)• Secure instant messaging
What is a certificate?• Signed data structure (x.509 standard) binds some
information to a public key.• Trusted entity asserts validity of information in
certificate, enforces policies for issuing certificates.• Certificate information is usually a personal identity
or a server name.• Think of a certificate with its keys as an electronic:
– ID card,
– encoder/decoder ring, and
– official signet ring for sealing wax or notary-style stamp.
Encryption• Asymmetric encryption prevents need for shared secrets.• Anyone encrypts with public key of recipient.• Only the recipient can decrypt with their private key.• Private key is secret, so “bad guys” can’t read encrypted
data.
Plain Text Encrypted Text
Encrypt
Decrypt
(anyone with public key)
(possessor of private key only)
Digital Signatures• Compute message digest, encrypt with your private key.• Reader decrypts with your public key.• Re-compute the digest and verify match with original –
guarantees no one has modified signed data.• Only signer has private key, so no one else can spoof their
digital signature.
Plain Text Encrypted Text
Compute digest, sign & date,encrypt
Verify signature, check digest
(possessor of private key only)
(anyone with public key)
What is a certificate authority?
• An organization that creates, publishes, and revokes certificates.
• Verifies the information in the certificate.• Protects general security and policies of the
system and its records.• Allows you to check certificates so you can
decide whether to use them in business transactions.
• collegeca.dartmouth.edu
The PKI Lab at Dartmouth
Production PKI Applications at Dartmouth
• Dartmouth certificate authority
• Authentication for:– Library Electronic Journals (including OVID)– Banner SIS– Dartflex totals
• S/MIME email
Development PKI Applications at Dartmouth
• Authentication for:– Blackboard– TuckStreams– VPN concentrator– Hardware tokens
• Digital signatures on documents and forms
For more information
• Dartmouth PKI LabUser information, getting a certificate:
http://www.dartmouth.edu/~pki
PKI Lab information:
http://www.dartmouth.edu/~pkilab