(n)code solutions cabasics of pki 1 introduction to pki (n)code solutions a division of gnfc
TRANSCRIPT
(n)Code Solutions CA Basics of PKI 2
Introduction to PKI
At the end of this presentation, you will know:
How to achieve secure communications in a public network, including:
Cryptography - Public / Private KeysDigital CertificatesCertification AuthorityPublic Key Infrastructure (PKI)
(n)Code Solutions CA Basics of PKI 3
How do I achieve secure communications in a public network?
We use the Internet to . . .– Send email– Make purchases– Distribute software– Inventory control & order entry
But we have some concerns - How do we . . . – Know a person is who they claim to be?– Know I’m connected to an authentic merchant?– Protect the privacy of my communications?– Know if information has been tampered with?– Prove later that someone sent me the message?
(n)Code Solutions CA Basics of PKI 4
Four Security Needs for Network Communications
?ClaimsNot
SentNot
Received
Privacy / Confidentiality Integrity
Authentication Non-repudiation
Interception Modification
Fabrication
Is my communication private? Has my communication been altered?
Who am I dealing with? Who sent/received it and when?
(n)Code Solutions CA Basics of PKI 5
How do we solve the 4 Security Needs?
Cryptography
• Secret Key
• Public Key
Specialized uses of cryptography:
• Digital Signature
• Digital Certificates
Secret Public
DigitalCertificate
(n)Code Solutions CA Basics of PKI 6
Secret Key Cryptography
Cryptography involves: – encryption– decryption
Secret Key cryptography:• Data is encrypted &
decrypted using the same Secret Key
• Also known as“Symmetric Key”
DES is an example of a secret key algorithm
Secret
Secret KeyalgorithmOriginal
Document
Original
Document
Encrypted
Document
Encrypted
Document
Secret
Secret Keyalgorithm
(n)Code Solutions CA Basics of PKI 7
Secret Key Cryptography
It’s fast, but . . .
• How do I get my secret key to my recipient?
• Do I have a different secret key for everyone with whom I communicate?
INTERNET
– If one key is compromised, all copies of that key must be replaced
– Does not scale well
(n)Code Solutions CA Basics of PKI 8
• Two keys = key pair• Mathematically related,
but not identical, public & private key pairs•Public Keys are widely
distributed•Private Keys are held
securely by owners• Data encrypted with one key
can be decrypted only with the other key of the pair
• a.k.a. “Asymmetric Key” RSA is an example of a public
key algorithm
Public Keyalgorithm
Original
Document
Original
Document
Encrypted
Document
Encrypted
Document
Private
Public Keyalgorithm
Public Key Cryptography
Public
(n)Code Solutions CA Basics of PKI 9
Public Key Cryptography
It’s slower, but . . .
• I don’t have to distribute a secret key because I have my Private Key
• Everyone with whom I communicate can know my Public Key
INTERNET– There’s only one copy of the Private Key
– Scales well
(n)Code Solutions CA Basics of PKI 10
Digital Signature
Everyone has a Signature Key Pair
1) A provides copy of Public Key to B
2) A signs information using Private Key
3) B verifies signature using A’s Public Key
Public Key
Signed Data
Public KeyPublic Key
A B
• Private Key signs data
• Public Key verifies signature on data
• Public Key may be sent with the signed data
(eithermethod)
Public Network or Directory
(n)Code Solutions CA Basics of PKI 11
A Closer Look atDigital Signature
Digital Signature:• Electronic (digital) stamp
appended to data before sending• The result of encrypting the Hash
of the data to be sent on the network• Any change (to data or signature) will
cause the signature verification to fail
Hash - or Digest:• Speeds up the signing (encrypting) process• One-way conversion of the data to a fixed length field that
uniquely represents the original data
So, using a diagram . . .
Data with
electronic stamp
(n)Code Solutions CA Basics of PKI 12
ElectronicData
DigitalSignatur
e
ElectronicData
HashFunction
SigningFunctionHash Result
Private of A
Signed Data
Digital Signing of the Data
Only Private Key holder can sign
(n)Code Solutions CA Basics of PKI 13
Anyone can verify
ElectronicData Hash
Function Hash Result
Valid compareYes / No ?
Signed Data
VerifyFunction
Hash ResultDigitalSignatur
e
Publicof A
Digital Signature Verification
So the receiver can
compare hashes to verify the signature
(n)Code Solutions CA Basics of PKI 14
Security Solutions
Some security mechanisms:• Secret Key encryption• Public Key encryption• Digital signature
— Hashing
How can these security mechanisms solvethe four communications security needs?
• Confidentiality• Integrity• Authentication• Non-repudiation
(n)Code Solutions CA Basics of PKI 15
My Signature & Date
Confidentiality Integrity
AuthenticationNon-Repudiation
Digital
Signature
Encryption:• Secret key• Public key
Digital Signature???
Solving the 4 Security Needs
(n)Code Solutions CA Basics of PKI 16
Authentication
Identification: How you tell someone who you are
Authentication:How you prove to someone you are who you say you are
(n)Code Solutions CA Basics of PKI 17
How Do I Solve Authentication?
Physical Solutions:• Something you know
– Password, combination to safe
• Something you have– Key, token, badge
• Something you are– Signature, iris pattern, fingerprint
Electronic Solution:
So, why does B trust A’s Public Key?
Digital Certificates
(n)Code Solutions CA Basics of PKI 18
Digital Certificates
. . . Because a trusted third party has authenticated that the Public Key belongs to A:
Certification Authority (CA)
• When A provides proof of identity,
the Certification Authority
creates a signed message
containing A’s name and
public key:
Digital Certificate
Signed Message
containingA’s Name
&Public Key
(n)Code Solutions CA Basics of PKI 19
Why trust a Digital Certificate?
• A Digital Certificate becomes a
passport that proves your
identity and authenticates you
– A passport is issued by a trusted Government - when another Government sees it, they trust it
• A Digital Certificate issued by a
trusted CA, again licensed by the
government and can also be
trusted
(n)Code Solutions CA Basics of PKI 20
Certification Authority
Certification Authority assumes the responsibility of authenticating Certificate identity information
– Like a Government for passports
CA authentication techniques:• Check against existing records
– Employee databases
• Examine typical identification– Passport, license
• Background check– Government databases
CA authenticates, issues & manages Certificates
(n)Code Solutions CA Basics of PKI 21
Certification Hierarchy
Issuer=CCASubject=India PKI
Issuer=MTNLSubject=MTNL
Issuer=(n)CodeSubject=GNFC
Issuer=(n)CodeSubject=Powergrid Employee
Issuer=TCSSubject=TCS India
Issuer=TCSSubject=TATA
Employee
Issuer=MTNLSubject=Subscriber
X.509 standard is the general model for certification hierarchy
If you trust the CA that signed the certificate, you can trust the certificate
Root
SubCA SubCA
SubCA EE EE
EE
(n)Code Solutions CA Basics of PKI 22
Certification Hierarchy
Issuer=CCASubject=India PKI
Issuer=MTNLSubject=MTNL
Issuer=(n)CodeSubject=GNFC
Issuer=(n)CodeSubject=Powergrid Employee
Issuer=TCSSubject=TCS India
Issuer=TCSSubject=TATA
Employee
Issuer=MTNLSubject=Subscriber
Root
SubCA SubCA
SubCA EE EE
EECCA(n)CodeTCS
CCA(n)Code
CCAMTNL
Each End Entity has a browser that stores all appropriate certificates
(n)Code Solutions CA Basics of PKI 23
Information Checkpoint
My Signature & Date
Confidentiality Integrity
AuthenticationNon-Repudiation
Digital
Signature
Encryption:• Secret key• Public key
How do we solve the 4 security needs?
Digital Signature Digital Certificates
(n)Code Solutions CA Basics of PKI 24
So . . . What is PKI?
Public Key Infrastructure (PKI) . . .
. . . is the hardware, software, people,
policies, & procedures needed to create,
manage, store, distribute, & revoke
certificates
– Required to support the use of Public Key
cryptography methods for network security
(n)Code Solutions CA Basics of PKI 25
CertificateHolder
Registration Authority
Relying PartyApplication
Web Server
Internet
PKI Components
A Public Key Infrastructure consists of:
• Certification Authorities (CAs) (Issuers)
• Registration Authorities (RAs)(Authorize the binding between Public Key & Certificate Holder)
• Certificate Holders (Subjects)
• Relying Parties (Validate signatures & certificate paths)
• Repositories (Store & distribute certificates & status: expired, revoked, etc.)
RepositoryCertification Authority
(n)Code Solutions CA Basics of PKI 26
PKI Components = Functions
The five components of a PKI are functional roles:• Certification Authority
• Certificate Holder
• Registration Authority
• Relying Party
• Repository
A single entity, such as (n)Code, could perform one or more of these roles:
For example:
When an (n)Code employee applies for a certificate, the CA approves, issues, and uses the certificate, and also copies it to an internal directory
(n)Code Solutions CA Basics of PKI 27
Certification Authority
Certification Authority
• Receives & processes certificate requests
• Consults with a Registration Authority to determine whether to accept or decline a certificate request
• Issues or denies the certificate to the requestor
• Renews certificates
• Manages Certificate Revocation Lists
• Provides on-line status to certificates
• Provides backup service, telephone support, and archival storage for certificates
• Provides trustworthy security infrastructure, policies for secure operations, and audit information for the CA
(n)Code Solutions CA Basics of PKI 28
Certificate Holder
RegistrationAuthority
Relying Party Application
Web Server
Internet
1. User accessesEnrollment page via Browser
2. Enrollment Requeststored for approval
3. Enrollment requestapproved or rejected
4. Certificate Issuedand available for retrieval
5. User downloads Certificate
6. Certificate sent to a Repository
1
3
42
Certification Authority
Repository5
How does (n)Code Solutions issue a Certificate?
6
(n)Code Solutions CA Basics of PKI 29
Status & Future Directions of PKI
Certificate-enabled third-party products: Microsoft, Netscape, Oracle, Gemplus, Datakey
CA Products offered by Entrust, Computer Associates, Baltimore Technologies
CA Hosting Services offered by a number of companies,
notably Entrust and Verisign
New technology - earliest systems released in 1996
(n)Code Solutions CA Basics of PKI 30
Status & Future Directions of PKI
Digital certificates have become the standard for achieving secure communications in a public network
TOMORROWNetwork-based usage:
firewalls, telecommunications device controllers
TODAYPC-based usage:
email, SSL, access control applications (home banking)
(n)Code Solutions CA Basics of PKI 32
Where can you use PKI ?
• Web’s HTTP and other protocols (SSL)
• VPN (PPTP, IPSec, L2TP…)
• Email (S/MIME, PGP, Exchange KMS)
• File Signing (MS Office, Acrobat files, etc.)
• Web Services / Form Signing
• Smartcards (Certificates, private key store )
• Executables (.NET Assemblies, Drivers, Authenticode)
• Copyright protection (Code Signing)
(n)Code Solutions CA Basics of PKI 33
Personal Authentication
Server/Client Authentication
Secure Electronic Transaction
Which Certificate performs each task?
Task X.509 Certificate Type
SET
S/MIME
SSL
Browser• Netscape• Microsoft
IPSec Virtual Private Networks
(n)Code Solutions CA Basics of PKI 34
EnterpriseAccess
e-Commerce
Netscape
Microsoft
Microsoft
Netscape
Web Services,Form Signing
Personal Authentication
Web Server
Authentication
Application
Access Control
Secure Purchasing,
Payments, Authorization
A Closer Look at Applications
SSL
Access Control
SET
(n)Code Solutions CA Basics of PKI 35
Using Digital Certificates for Web-server & Personal Authentication
Secure Socket Layer (SSL) . . . . . . is a protocol used to create a secure
communication session between a client application (browser) and a server application (web server) over
a TCP/IP network
Secret Session Key . . . . . . is a Secret Key used by A and B only for the
duration of this communication session
(n)Code Solutions CA Basics of PKI 36
• A Connects to B
{Exchanged Data}
• A uses B’s public key to encrypt Secret Session Key
• B sends copy of its certificate to A, indicating that SSL 2.0 is enabled
• B uses its private key to decrypt Secret Session Key
A and B use Secret Session Key to encrypt all data exchanged
SSL 2.0 Protocol
SSL 2.0 provides Web-server authentication
Secure Web Server (B) Browser (A)
• A verifies signature on B’s certificate• A generates Secret Session Key
(n)Code Solutions CA Basics of PKI 37
• A Connects to B
• A verifies signature on B’s certificate• A generates Secret Session Key • A uses B’s public key to encrypt Secret Session Key• Browser asks A to select a certificate to access B
• B sends copy of its certificate to A, indicating that SSL 3.0 is enabled with client authentication
• B verifies signature on A’s certificate• B uses its private key to decrypt Secret Session Key
A and B use Secret Session Key to encrypt all data exchanged
SSL 3.0 Protocol
SSL 3.0 adds personal client authentication
Browser (A) Secure Web Server (B)
{Exchanged Data}
• A sends encrypted Secret Session Key & A’s certificate to B
(n)Code Solutions CA Basics of PKI 38
ACCESS
Using Digital Certificates for Access Control
• Access control to data, networks, services– Personal records (medical, employment)– Trusted method for transmitting
‘privileges’ over networks
• After verifying the signature,information inside the certificate can be checked to provide access control:
• Allow Organization = PowerGrid• Allow Organization Unit = Human Resources• Deny User State = Tamil Nadu
• An application enforcing these rules will allow access to an individual from Powergrid’s Human Resources Department as long as that person is not based in Tamil Nadu.
(n)Code Solutions CA Basics of PKI 39
SecretSession
Key
Privateof A
SecretKey
Algorithm
SessionKey
Encrypted+
MessageEncrypted
Hashresul
t
DigitalSignature
Signed Data
SessionKey
Encrypted+
MessageEncrypted
Publicof B
Confidentiality is achieved by encrypting the data with Receiver’s Public Key
Message
______
______
_______
_______
CA has issued and Authenticated a Digital Certificate to Users A & B
Public KeyEncryptFunction
HashFunction
SigningFunction
Typical Send Scenario
(n)Code Solutions CA Basics of PKI 40
Privateof B
Hashresul
t
SecretSession
Key
Message Encrypted
Publicof A
Hashresul
t• Verification will fail if any changes to the data or signature are detected - Integrity
• Verification with public key shows who signed the data (sender can’t deny) - Non-repudiation
Message
______
______
_______
_______
DigitalSignature
Signed Data
SessionKey
Encrypted+
MessageEncrypted
SecretKey
Algorithm
Public KeyEncryptFunction
HashFunction
VerifyFunction
Typical Receive Scenario
(n)Code Solutions CA Basics of PKI 41
Applications for PKI
• GNFC has the following applications already developed on a pilot basis and can be deployed with customization as required by the client
– e-Filing / Form Signing– e-Billing– e-Tendering / e-Procurement– SignIT
(n)Code Solutions CA Basics of PKI 42
e-Filing / Form Signing
• Web based application for submission of digitally signed forms
• Can be used to manage online client interaction for– Online application– Grievance handling– Information sharing– Online payment
• Can seamlessly integrate with any existing application if required
• Can be used very effectively in G2B and G2C interactions or any type of consumer interactions
(n)Code Solutions CA Basics of PKI 43
e-Billing
• PKI enabled web based application
• Online bill presentation and payment application
• A customer can use this application to digitally sign bills and present to their customers online or send digitally signed bills to such customers
• The customer can verify the digital signature for authenticity and integrity of the bill
• The customer can also choose to pay online
(n)Code Solutions CA Basics of PKI 44
e-Tendering / e-Procurement
• PKI enabled web based application for end-to-end procurement management.
• Can manage the entire procurement cycle from raising an internal indent to placing the order
• Any company can realize a substantial saving in processing time and operational costs like printing, logistics and paper flow management
• Can bring transparency to the procurement process
• A multitude of MIS reports can be generated from this applications
(n)Code Solutions CA Basics of PKI 45
SignIT
• PKI enabled web based application that helps in delivering digitally signed documents or forms to clients online as well as by email.
• Many customer services can be automated with this application
• A customer need not install any application or hardware as this is a web based application