overall cryptography and pki introduction
TRANSCRIPT
Public Key Infrastructure in Brief
January 31, 2002
What is a PKI?
• A common misperception is that a PKI is a thing. In fact, it’s a capability—the capability to easily publish, manage, and use public keys.
• a PKI consists of a group of discrete components that work together to allow you to use public keys, and public-key cryptography, seamlessly and transparently
• A system that establishes and maintains trustworthy e-business environments through the generation and distribution of keys and certificates.
Value-Add of PKI
Feature Benefit
Authentication Allows your e-business to engage
trusted customers, partners and
employees
Authorization/ Allows business rules to dictate
Access Control who uses what resources, under
what conditions
Confidentiality Data is obscured and protected from
view or access by unauthorized
individuals
Value-Add of PKI
Feature Benefit
Integrity Prevents any transaction
from being tampered with
Non-repudiation Prevents any party from
denying an e-business
transaction after the fact
Audit controls Provides audit trails and
recourse for e-business
transactions
PKI: e-Business Enabler
• Makes trusted e-business possible• Enables new e-business processes• Provides integrated,comprehensive:
- Authorization- Confidentiality- Authentication- Integrity- Non-repudiation- Audit controls
...Transparently to users across applications and platforms
Digital Signature
Encryption
ALL OF THESE REQUIRE A PKI
AUTHENTICATION &NON-REPUDIATION
CONFIDENTIALITY &ACCESS CONTROL
INTEGRITY
Encryption Digital Signature Digital Signature
Public Private Keys
Certificates
PUBLIC KEY INFRASTRUCTUREPUBLIC KEY INFRASTRUCTURE
Created Market for PKIProducts and Services
*Source: NationsBank Montgomery/Gartner Group
0
200
400
600
800
1000
1200
1400
1998 1999 2000 2001 2002
Revenue
$100M$200M
$400M
$1,200M
$800M
PKI MarketSecure Transactions & Communications
InternalEnterprise
B2B
B2CG2C
Other98
99
00
01
Total Mkt
$800M
$400M
$200M
$110M
$1,200M02
Source: NationsBank Montgomery/Soundview/Entrust
$128 $6$50 $16
$16$154$200 $30
$40$350$350 $60
$60$540$500 $100
$79 $3$22 $6
Certification Authority
Certificate
Repository
Certificate
Revocation
Key Backup
& Recovery
Support for
non-repudiation
Automatic
Key Update
Key Histories
Timestamping
Cross-certification
Applicationsoftware
General PKI Requirements
PKIX-1: Chaired and edited by Entrust staff
PKIX-2: LDAP portion authored by Sharon Boeyen
PKIX-3: CMP portion authored by Carlisle Adams
PKIX-4: participation by Sharon Boeyen & others
PKIX-5: authored by Carlisle Adams, Robert Zuccherato
PKIX-6: authored by Carlisle Adams, Robert Zuccherato
PKIX Overview for IEEE: authored by Carlisle Adams and Steve Lloyd
PKIX Standards Participation
Internet Security ModelsStrongSecurity
MinimalSecurity
Level 1Unsecured session with user name and password
Level 2Secure Session with server Digital ID authentication only
Level 3Secure Session with user name and password
Level 6
Secure Session with Managed User and Server Digital ID
Support for non-repudiation of transactions
Level 5Secure Session with Managed User Digital ID authentication
Managed Digital IDs
Unmanaged Digital IDsLevel 4Secure Session with user Digital ID authentication
Managed Trust
Unmanaged Trust
Internet Security ModelsStrongSecurity
MinimalSecurity
Level 1Unsecured session with user name and password
Level 2
Level 3
Level 6
Level 5
Managed Digital IDs
Unmanaged Digital IDsLevel 4
Managed Trust
Unmanaged Trust
Entrust/Direct™
Entrust/Unity™, Entrust/TruePass™
Entrust/Web Connector
Entrust.net™
Acrobat Document
Cryptography in Brief
September 12, 2000
Cryptographic Algorithms
• Two types of cryptographic algorithms:
• Symmetric algorithms
• Public-key algorithms
• Two types of algorithms are highly complementary
Alice Bob
Symmetric Cryptography
• Also called secret-key cryptography• Single key used to encrypt and decrypt• Examples: CAST, DES, T-DES
Public-key Cryptography
• Keys come in pairs (public + private)
• Public key is available to anyone– like a phone number in the telephone book
• Private key is kept secret by the owner– like ATM PIN
• Examples: RSA, DSA, Diffie-Hellman
AliceBob
Directory of Public Keys
Bob’s Public Key Bob’s Private Key
CiphertextDECRYPTENCRYPT
Public-key Encryption
• Alice encrypting a file for Bob• Encryption provides:
– confidentiality– access control
How Public-key Encryption Works
Encryption Process Decryption Process
encrypt file usingsymmetric key
encrypt symmetric keyfor recipients using
their public keys
+
combine header withprotected data in one file
extract symmetrickey using
private key
decrypt file usingsymmetric key
recoveroriginal file
Alice Bob
Alice’s Private Key
Signed Plaintext
Alice’s Public Key
SIGN VERIFY
Public-key Digital Signature
• Alice signing a file– Bob verifying Alice’s signature
• Digital signature provides:– integrity– authenticity– non-repudiation
Signing Process Verification Process
calculate hash
sign hashwith private key
signed plaintext
calculate freshhash
verify original hashwith public key
=compare verified hash
with fresh hash
How Digital Signature Works
D ata
Digital Signature
(A ctua l)
P ub lic K ey o fA lice
f(d)
f(h)
D igestD igest
(E xpected)
Bob
D ata
C O M P A R EA ctua l = E xpected
If Y es , in teg rity o f the m essage is res to red and non-repud ia tion is es tab lished
E ncrypted D igest o rH ash o f M essage
P riva te K ey o fA lice
D igest
f(e)
f(h)
Hashing
Algorithm
D ata
Alice
ALICE’SPRIVATE KEY
BOB’SPUBLIC KEY
ENCRYPT
SIGN
ALICE’SPUBLIC KEY
BOB’SPRIVATE KEY
DECRYPT
VERIFY
e-mail floppyfile transfer
Putting it all Together ...
Signing & Sending
Receiving & Verification