WUSTL CSE 571S - Public Key Infrastructures


Public Key Infrastructures (PKI)
Raj Jain
Washington University in Saint Louis
Saint Louis, MO
[email protected]
Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/
©2007 Raj Jain, CSE571S, Washington University in St. Louis

Overview
- PKI, X.509 and PKIX
- PKI Trust Models
- Object ID and X.509 Policies
- X.500
- X.509 Certificate Fields and Extensions
- Authorizations, Anonymous groups, Blind Signatures

What is PKI?
- Infrastructure to find public keys
- S/MIME, PGP, SSL use asymmetric cryptography and make use of PKI
- Certificate authorities
- Standards for certificates

X.509 and PKIX
- X.509 is the ISO standard for Certificate formats
- PKIX is the IETF group on PKI
- PKIX adopted X.509 and a subset of its options
- PKIX is a "Profile" of X.509
- TLS, IPSec, SSH, HTTPS, Smartcard, EAP, CableLabs, use X.509

Concepts
- Subject: Whose certificate is it?
- Target: Whose certificate do we want?
- Relying Party: Who wants to check the certificate
- Verifier: Relying Party
- Issuer: Who issued the certificate?
- Certification Authority: Issuer
- Trust Anchor: The CA that we trust
- Root CA: Issuer = Self
- Principal: Subject, Verifier, Issuer

PKI Trust Models
- How Many CAs?
  - Monopoly = One
  - Oligarchy = Many
  - Anarchy = Any
- How is the name space divided among CAs?
  - Top-Down
  - Bottom-Up

Monopoly Model: Single Root CA
- Registrars to check identity
- Delegated CAs
- Issues:
  - Single point of failure
  - Whole world cannot trust just one organization
  - You may not want internal principals to be certified by external CA
[Figure: diagram of CA nodes]

Oligarchy
- Multiple Root CA's
- Used in browsers
- Can select which root CA's to trust
- No Monopoly ⇒ Price efficient
[Figure: diagram of CA nodes]

Oligarchy Example
[Figure]

Anarchy Model
- User driven
- Used in PGP
- Trust Ring, Web of Trust
- Volunteer Databases
[Figure: users U1 to U6]

Name Constraints
- Which part of name space?
- 1. Top Down:
- 2. Bottom-Up:
  - Two-way certification: Parent → Child, Child → Parent
  - Cross links

Relative Names
H to J:
- Absolute: D/B/E/J or A/B/E/J
- Relative: ../../E/J
⇒ No changes required if the parents change name
[Figure: name tree with nodes A to O]

OID
- Object Identifier
- Identify objects by a universally unique sequence of numbers
- Similar to what is done in SNMP to name objects

Global Naming Hierarchy [SNMP]
[Figure: naming tree. Node labels: fddimib (73), fddi (15), dod (6), internet (1), directory (1), mgmt (2), experimental (3), private (4), mib (1), system (1), interfaces (2), transmission (10), ccitt (0), iso (1), joint-iso-ccitt (2), standard (0), iso9314 (9314), fddiMIB (1), org (3), fddi (8)]

X.509 Policies
- Policies in X.509 are identified by OID
- Company X
- X.1 = Security Level
- X.1.1 = Confidential
- X.1.2 = Secret
- X.1.3 = Public

X.509 Revocations
- Certificate Revocation Lists:
  - Too much work on the client
  - Too much traffic on the net
  ⇒ Not used
- On-Line Revocation Server (OLRS):
  - On-line Certificate Status Protocol (OCSP)
  - RFC 2560
  - Provides current information
  - Saves traffic on the net
  - Also allows chaining of OCSP responders

X.500
- Series of standards covering directory services
- Similar to white/yellow pages
- Directory Access Protocol (DAP) designed by ISO
- Lightweight Directory Access Protocol (LDAP) designed by IETF
- LDAPv3 is RFC4510
- Each entry has a "Distinguished Name" and a set of attributes
- Formed by combining Relative distinguished names
- X.500 Example: C= US, O=WUSTL, OU=CSE, CN=Raj Jain
- DNS Example: [email protected]

X.509 Certificate Fields
- Version: X.509 Version 1, 2, or 3
- Serial Number: Certificate Serial #
- Signature: Signing algorithm
- Issuer:
- Validity:
- Subject: Issued to
- Subject Public Key Info: Algorithm/parameters, and Public Key
- Issuer Unique Identifier: OID of the Issuer (not used)
- Subject Unique Identifier: OID of the subject (not used)
- Algorithm Identifier: Signature algorithm (again)
- Encrypted: Signature
- Extensions: Only in Version 3. Specified by OID

X.509 Extensions
- Authority Key Identifier: Serial # of CA's key
- Subject Key Identifier: Uniquely identifies the subject's key. Serial # or hash.
- Key Usage: Allowed usage - email, business, ...
- Private Key Usage Period: Timestamps for when key can be used (similar to validity)
- Certificate Policies
- Policy Mappings: from Issuer's domain to subject's domain
- Subject Alt Name: Alternative name. DNS.
- Subject Directory Attributes: Other attributes

X.509 Extensions (Cont)
- Basic Constraints: Whether CA and length of chain
- Name Constraints: Permitted and excluded subtrees
- Policy Constraints: OIDs
- Extended Key Usage: Additional key usages
- CRL Distribution Points:
- Inhibit Any Policy: "Any Policy" is not allowed
- Freshest CRL: How to obtain incremental CRLs
- Authority Info Access: How to find info on issuers
- Subject Info Access: How to find info on subject

Sample X.509 Certificate
[Figure: Internet Explorer]

X.509 Sample (Cont)
[Figure]

X.509 CRL Fields
- Signature: Signature Algorithm
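How a relying party uses the Validity field and the Basic Constraints and Name Constraints extensions listed above when walking a chain up to a trust anchor, as an added example that is not part of the lecture. The `Cert` model, the names and the dates are constructed assumptions; signature and revocation checks are left out.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class Cert:  # constructed model of the fields used here, not an X.509 parser
    subject: str
    issuer: str
    not_before: date
    not_after: date
    dns_names: List[str] = field(default_factory=list)  # Subject Alt Name (DNS)
    is_ca: bool = False                 # Basic Constraints: whether CA
    path_len: Optional[int] = None      # Basic Constraints: length of chain
    permitted: List[str] = field(default_factory=list)  # Name Constraints
    excluded: List[str] = field(default_factory=list)

def in_subtree(name: str, subtree: str) -> bool:
    return name == subtree or name.endswith("." + subtree)

def validate_path(chain, anchors, today):
    """chain[0] is the target; chain[-1] must be issued by a trust anchor.
    Returns (ok, reason). Signature and revocation checks are omitted."""
    if chain[-1].issuer not in anchors:
        return False, "chain does not end at a trust anchor"
    for i, cert in enumerate(chain):
        if not cert.not_before <= today <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            return False, f"{cert.subject}: issuer does not match next subject"
        if i == 0:
            continue  # the target itself does not have to be a CA
        if not cert.is_ca:
            return False, f"{cert.subject}: not a CA"
        if cert.path_len is not None and i - 1 > cert.path_len:
            return False, f"{cert.subject}: path length exceeded"
        for name in (n for below in chain[:i] for n in below.dns_names):
            if any(in_subtree(name, s) for s in cert.excluded):
                return False, f"{name}: excluded by {cert.subject}"
            if cert.permitted and not any(in_subtree(name, s) for s in cert.permitted):
                return False, f"{name}: not permitted by {cert.subject}"
    return True, "ok"

# Constructed sample data: hypothetical names, no real certificates.
D1, D2, TODAY = date(2007, 1, 1), date(2008, 1, 1), date(2007, 6, 1)
DEPT_CA = Cert("Dept CA", "Root CA", D1, D2, is_ca=True, path_len=0,
               permitted=["cse.example"])
WWW = Cert("www", "Dept CA", D1, D2, dns_names=["www.cse.example"])
ROGUE = Cert("rogue", "www", D1, D2, dns_names=["mail.cse.example"])
OUTSIDE = Cert("other", "Dept CA", D1, D2, dns_names=["www.other.example"])
ANCHORS = {"Root CA"}
```

`validate_path([WWW, DEPT_CA], ANCHORS, TODAY)` succeeds, while a chain that places `WWW` in an issuing position is rejected because its Basic Constraints do not mark it as a CA.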

