
Computer Security CS477, Lecture 11
Ching-Hua Chuan, October 8th, 2008

Administration
- Homework 2
- Test review

Today's Outline
- Authentication Applications (October 15th): X.509 Authentication Service (X.501, Chap. 4.2); Public key infrastructure
- Test 2: October 13th

X.509 Authentication Service
- X.509 is part of the X.500 series of recommendations that define a directory service.
- A directory: a server or distributed set of servers that maintains a database about users.
- Each certificate contains the public key of a user and is signed with the private key of a CA.
- X.509 is used in S/MIME, IP Security, SSL/TLS and SET.
- RSA is the recommended algorithm.

Certificates: The Typical Digital Signature Approach
- Certificate: CA<<A>> = CA{V, SN, AI, CA, TA, A, Ap}
- where Y<<X>> is the certificate of user X signed by CA Y, and Y{I} is the signing of I by Y: it consists of I with an encrypted hash code appended.

Obtaining a User's Certificate: characteristics of certificates generated by a CA
- Any user with access to the public key of the CA can recover the user public key that was certified.
- No party other than the CA can modify the certificate without this being detected.
- Because of these unforgeable characteristics, certificates can be put in a directory without special protection, or transmitted between users directly.

CA in a Large Community
- Subscribing to a common CA is infeasible: everyone needs to have the CA's public key, and that public key must be securely delivered to every user.
- Solution: multiple CAs. Each CA securely provides its public key to some fraction of users.

A Simple Scenario
[Figure: CAs X1 and X2, users A and B; A obtains B's certificate through the chain X1<<X2>> X2<<B>>.]
- Forward certificates: certificates of X generated by other CAs.
- Reverse certificates: certificates generated by X that are the certificates of other CAs.

X.509 Hierarchy
[Figure: hierarchy of CAs U, V, W, X, Y, Z with users A, B, C.]
- A acquires B's certificate: X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>
- B acquires A's certificate: Z<<Y>> Y<<V>> V<<W>> W<<X>> X<<A>>

Revocation of Certificates
- Reasons for revocation: the user's private key is compromised; the user is no longer certified by this CA; the CA's certificate is compromised.
- Certificate Revocation List (CRL): every CA has one. It keeps the revoked but not yet expired certificates issued by this CA.

Public Key Infrastructure (X.509, PKIX)

Authentication Procedures
- One-way (signed by A)
- Two-way
- Three-way

Summary: Authentication Applications (X.501, Chap. 4.2)
- Certificate content, chain of certificates, hierarchy, authentication procedures
- Public key infrastructure: architecture model, management functions
- PKIX architecture model (optional)


BARRY CS 477 - Homework #2