(n)code solutions cabasics of pki 1 introduction to pki (n)code solutions a division of gnfc

(n)Code Solutions CA Basics of PKI 1

Introduction to PKI

(n)Code Solutions

A division of GNFC


Introduction to PKI

At the end of this presentation, you will know:

How to achieve secure communications in a public network, including:

Cryptography - Public / Private KeysDigital CertificatesCertification AuthorityPublic Key Infrastructure (PKI)


How do I achieve secure communications in a public network?

We use the Internet to . . .– Send email– Make purchases– Distribute software– Inventory control & order entry

But we have some concerns - How do we . . . – Know a person is who they claim to be?– Know I’m connected to an authentic merchant?– Protect the privacy of my communications?– Know if information has been tampered with?– Prove later that someone sent me the message?


Four Security Needs for Network Communications

?ClaimsNot

SentNot

Received

Privacy / Confidentiality Integrity

Authentication Non-repudiation

Interception Modification

Fabrication

Is my communication private? Has my communication been altered?

Who am I dealing with? Who sent/received it and when?


How do we solve the 4 Security Needs?

Cryptography

• Secret Key

• Public Key

Specialized uses of cryptography:

• Digital Signature

• Digital Certificates

Secret Public

DigitalCertificate


Secret Key Cryptography

Cryptography involves: – encryption– decryption

Secret Key cryptography:• Data is encrypted &

decrypted using the same Secret Key

• Also known as“Symmetric Key”

DES is an example of a secret key algorithm

Secret

Secret KeyalgorithmOriginal

Document

Original

Document

Encrypted

Document

Encrypted

Document

Secret

Secret Keyalgorithm


Secret Key Cryptography

It’s fast, but . . .

• How do I get my secret key to my recipient?

• Do I have a different secret key for everyone with whom I communicate?

INTERNET

– If one key is compromised, all copies of that key must be replaced

– Does not scale well


• Two keys = key pair• Mathematically related,

but not identical, public & private key pairs•Public Keys are widely

distributed•Private Keys are held

securely by owners• Data encrypted with one key

can be decrypted only with the other key of the pair

• a.k.a. “Asymmetric Key” RSA is an example of a public

key algorithm

Public Keyalgorithm

Original

Document

Original

Document

Encrypted

Document

Encrypted

Document

Private

Public Keyalgorithm

Public Key Cryptography

Public


Public Key Cryptography

It’s slower, but . . .

• I don’t have to distribute a secret key because I have my Private Key

• Everyone with whom I communicate can know my Public Key

INTERNET– There’s only one copy of the Private Key

– Scales well


Digital Signature

Everyone has a Signature Key Pair

1) A provides copy of Public Key to B

2) A signs information using Private Key

3) B verifies signature using A’s Public Key

Public Key

Signed Data

Public KeyPublic Key

A B

• Private Key signs data

• Public Key verifies signature on data

• Public Key may be sent with the signed data

(eithermethod)

Public Network or Directory


A Closer Look atDigital Signature

Digital Signature:• Electronic (digital) stamp

appended to data before sending• The result of encrypting the Hash

of the data to be sent on the network• Any change (to data or signature) will

cause the signature verification to fail

Hash - or Digest:• Speeds up the signing (encrypting) process• One-way conversion of the data to a fixed length field that

uniquely represents the original data

So, using a diagram . . .

Data with

electronic stamp


ElectronicData

DigitalSignatur

e

ElectronicData

HashFunction

SigningFunctionHash Result

Private of A

Signed Data

Digital Signing of the Data

Only Private Key holder can sign


Anyone can verify

ElectronicData Hash

Function Hash Result

Valid compareYes / No ?

Signed Data

VerifyFunction

Hash ResultDigitalSignatur

e

Publicof A

Digital Signature Verification

So the receiver can

compare hashes to verify the signature


Security Solutions

Some security mechanisms:• Secret Key encryption• Public Key encryption• Digital signature

— Hashing

How can these security mechanisms solvethe four communications security needs?

• Confidentiality• Integrity• Authentication• Non-repudiation


My Signature & Date

Confidentiality Integrity

AuthenticationNon-Repudiation

Digital

Signature

Encryption:• Secret key• Public key

Digital Signature???

Solving the 4 Security Needs


Authentication

Identification: How you tell someone who you are

Authentication:How you prove to someone you are who you say you are


How Do I Solve Authentication?

Physical Solutions:• Something you know

– Password, combination to safe

• Something you have– Key, token, badge

• Something you are– Signature, iris pattern, fingerprint

Electronic Solution:

So, why does B trust A’s Public Key?

Digital Certificates


Digital Certificates

. . . Because a trusted third party has authenticated that the Public Key belongs to A:

Certification Authority (CA)

• When A provides proof of identity,

the Certification Authority

creates a signed message

containing A’s name and

public key:

Digital Certificate

Signed Message

containingA’s Name

&Public Key


Why trust a Digital Certificate?

• A Digital Certificate becomes a

passport that proves your

identity and authenticates you

– A passport is issued by a trusted Government - when another Government sees it, they trust it

• A Digital Certificate issued by a

trusted CA, again licensed by the

government and can also be

trusted


Certification Authority

Certification Authority assumes the responsibility of authenticating Certificate identity information

– Like a Government for passports

CA authentication techniques:• Check against existing records

– Employee databases

• Examine typical identification– Passport, license

• Background check– Government databases

CA authenticates, issues & manages Certificates


Certification Hierarchy

Issuer=CCASubject=India PKI

Issuer=MTNLSubject=MTNL

Issuer=(n)CodeSubject=GNFC

Issuer=(n)CodeSubject=Powergrid Employee

Issuer=TCSSubject=TCS India

Issuer=TCSSubject=TATA

Employee

Issuer=MTNLSubject=Subscriber

X.509 standard is the general model for certification hierarchy

If you trust the CA that signed the certificate, you can trust the certificate

Root

SubCA SubCA

SubCA EE EE

EE


Certification Hierarchy

Issuer=CCASubject=India PKI

Issuer=MTNLSubject=MTNL

Issuer=(n)CodeSubject=GNFC

Issuer=(n)CodeSubject=Powergrid Employee

Issuer=TCSSubject=TCS India

Issuer=TCSSubject=TATA

Employee

Issuer=MTNLSubject=Subscriber

Root

SubCA SubCA

SubCA EE EE

EECCA(n)CodeTCS

CCA(n)Code

CCAMTNL

Each End Entity has a browser that stores all appropriate certificates


Information Checkpoint

My Signature & Date

Confidentiality Integrity

AuthenticationNon-Repudiation

Digital

Signature

Encryption:• Secret key• Public key

How do we solve the 4 security needs?

Digital Signature Digital Certificates


So . . . What is PKI?

Public Key Infrastructure (PKI) . . .

. . . is the hardware, software, people,

policies, & procedures needed to create,

manage, store, distribute, & revoke

certificates

– Required to support the use of Public Key

cryptography methods for network security


CertificateHolder

Registration Authority

Relying PartyApplication

Web Server

Internet

PKI Components

A Public Key Infrastructure consists of:

• Certification Authorities (CAs) (Issuers)

• Registration Authorities (RAs)(Authorize the binding between Public Key & Certificate Holder)

• Certificate Holders (Subjects)

• Relying Parties (Validate signatures & certificate paths)

• Repositories (Store & distribute certificates & status: expired, revoked, etc.)

RepositoryCertification Authority


PKI Components = Functions

The five components of a PKI are functional roles:• Certification Authority

• Certificate Holder

• Registration Authority

• Relying Party

• Repository

A single entity, such as (n)Code, could perform one or more of these roles:

For example:

When an (n)Code employee applies for a certificate, the CA approves, issues, and uses the certificate, and also copies it to an internal directory




• Receives & processes certificate requests

• Consults with a Registration Authority to determine whether to accept or decline a certificate request

• Issues or denies the certificate to the requestor

• Renews certificates

• Manages Certificate Revocation Lists

• Provides on-line status to certificates

• Provides backup service, telephone support, and archival storage for certificates

• Provides trustworthy security infrastructure, policies for secure operations, and audit information for the CA


Certificate Holder

RegistrationAuthority

Relying Party Application

Web Server

Internet

1. User accessesEnrollment page via Browser

2. Enrollment Requeststored for approval

3. Enrollment requestapproved or rejected

4. Certificate Issuedand available for retrieval

5. User downloads Certificate

6. Certificate sent to a Repository

1

3

42


Repository5

How does (n)Code Solutions issue a Certificate?

6


Status & Future Directions of PKI

Certificate-enabled third-party products: Microsoft, Netscape, Oracle, Gemplus, Datakey

CA Products offered by Entrust, Computer Associates, Baltimore Technologies

CA Hosting Services offered by a number of companies,

notably Entrust and Verisign

New technology - earliest systems released in 1996


Status & Future Directions of PKI

Digital certificates have become the standard for achieving secure communications in a public network

TOMORROWNetwork-based usage:

firewalls, telecommunications device controllers

TODAYPC-based usage:

email, SSL, access control applications (home banking)


Ways to Use Digital Certificates

Where can you go?


Where can you use PKI ?

• Web’s HTTP and other protocols (SSL)

• VPN (PPTP, IPSec, L2TP…)

• Email (S/MIME, PGP, Exchange KMS)

• File Signing (MS Office, Acrobat files, etc.)

• Web Services / Form Signing

• Smartcards (Certificates, private key store )

• Executables (.NET Assemblies, Drivers, Authenticode)

• Copyright protection (Code Signing)


Personal Authentication

Server/Client Authentication

email

Secure Electronic Transaction

Which Certificate performs each task?

Task X.509 Certificate Type

SET

S/MIME

SSL

Browser• Netscape• Microsoft

IPSec Virtual Private Networks


EnterpriseAccess

e-Commerce

Netscape

Microsoft

Microsoft

Netscape

Web Services,Form Signing

Personal Authentication

Web Server

Authentication

Application

Access Control

Secure Purchasing,

Payments, Authorization

A Closer Look at Applications

SSL

Access Control

SET


Using Digital Certificates for Web-server & Personal Authentication

Secure Socket Layer (SSL) . . . . . . is a protocol used to create a secure

communication session between a client application (browser) and a server application (web server) over

a TCP/IP network

Secret Session Key . . . . . . is a Secret Key used by A and B only for the

duration of this communication session


• A Connects to B

{Exchanged Data}

• A uses B’s public key to encrypt Secret Session Key

• B sends copy of its certificate to A, indicating that SSL 2.0 is enabled

• B uses its private key to decrypt Secret Session Key

A and B use Secret Session Key to encrypt all data exchanged

SSL 2.0 Protocol

SSL 2.0 provides Web-server authentication

Secure Web Server (B) Browser (A)

• A verifies signature on B’s certificate• A generates Secret Session Key


• A Connects to B

• A verifies signature on B’s certificate• A generates Secret Session Key • A uses B’s public key to encrypt Secret Session Key• Browser asks A to select a certificate to access B

• B sends copy of its certificate to A, indicating that SSL 3.0 is enabled with client authentication

• B verifies signature on A’s certificate• B uses its private key to decrypt Secret Session Key

A and B use Secret Session Key to encrypt all data exchanged

SSL 3.0 Protocol

SSL 3.0 adds personal client authentication

Browser (A) Secure Web Server (B)

{Exchanged Data}

• A sends encrypted Secret Session Key & A’s certificate to B


ACCESS

Using Digital Certificates for Access Control

• Access control to data, networks, services– Personal records (medical, employment)– Trusted method for transmitting

‘privileges’ over networks

• After verifying the signature,information inside the certificate can be checked to provide access control:

• Allow Organization = PowerGrid• Allow Organization Unit = Human Resources• Deny User State = Tamil Nadu

• An application enforcing these rules will allow access to an individual from Powergrid’s Human Resources Department as long as that person is not based in Tamil Nadu.


SecretSession

Key

Privateof A

SecretKey

Algorithm

SessionKey

Encrypted+

MessageEncrypted

Hashresul

t

DigitalSignature

Signed Data

SessionKey

Encrypted+

MessageEncrypted

Publicof B

Confidentiality is achieved by encrypting the data with Receiver’s Public Key

Message

______

______

_______

_______

CA has issued and Authenticated a Digital Certificate to Users A & B

Public KeyEncryptFunction

HashFunction

SigningFunction

Typical Send Scenario


Privateof B

Hashresul

t

SecretSession

Key

Message Encrypted

Publicof A

Hashresul

t• Verification will fail if any changes to the data or signature are detected - Integrity

• Verification with public key shows who signed the data (sender can’t deny) - Non-repudiation

Message

______

______

_______

_______

DigitalSignature

Signed Data

SessionKey

Encrypted+

MessageEncrypted

SecretKey

Algorithm

Public KeyEncryptFunction

HashFunction

VerifyFunction

Typical Receive Scenario


Applications for PKI

• GNFC has the following applications already developed on a pilot basis and can be deployed with customization as required by the client

– e-Filing / Form Signing– e-Billing– e-Tendering / e-Procurement– SignIT


e-Filing / Form Signing

• Web based application for submission of digitally signed forms

• Can be used to manage online client interaction for– Online application– Grievance handling– Information sharing– Online payment

• Can seamlessly integrate with any existing application if required

• Can be used very effectively in G2B and G2C interactions or any type of consumer interactions


e-Billing

• PKI enabled web based application

• Online bill presentation and payment application

• A customer can use this application to digitally sign bills and present to their customers online or send digitally signed bills to such customers

• The customer can verify the digital signature for authenticity and integrity of the bill

• The customer can also choose to pay online


e-Tendering / e-Procurement

• PKI enabled web based application for end-to-end procurement management.

• Can manage the entire procurement cycle from raising an internal indent to placing the order

• Any company can realize a substantial saving in processing time and operational costs like printing, logistics and paper flow management

• Can bring transparency to the procurement process

• A multitude of MIS reports can be generated from this applications


SignIT

• PKI enabled web based application that helps in delivering digitally signed documents or forms to clients online as well as by email.

• Many customer services can be automated with this application

• A customer need not install any application or hardware as this is a web based application


Thank You.

(n)code solutions cabasics of pki 1 introduction to pki (n)code solutions a division of gnfc

Documents

copy of public key

different secret key

private key scales

public key internet

signature key pair

asymmetric key rsa

symmetric key des

pki ncode solutions