Advantages of modular PKI Ing Ji Mrnutk jiri
- Slides: 23
Advantages of modular PKI Ing. Jiří Mrnuštík jiri. mrnustik@aec. cz Ing. Petr Vaněk petr. vanek@aec. cz
Unconventional view of PKI - I would like to hold this lecture a little less conservative - Implementation of PKI in practice is not limited only on technical an organizational establishing of a trusted third party for issuing of certificates -The aim to implement PKI in massive practice have not only a governments but private firms as well -PKI is in the place for a many years and analytics with the surprising recognized that such useful technology is still not massively used and implemented -Surprising, isn’t it?
Unconventional view of PKI My good friend and ex-boss Tor-Aksel Frolyland from Norman data Defense company wrote me several days ago: „Together we had been developing PKI for many years as well as application operating over it. We spent a lot of financial and human resources in our R&D team, but the sales of this software in civilian sector was not good enough. Only now, when I am working in the bank as ICT security chef officer I start to understand reasons. We spoke to our clients with the language of techies which they didn’t understand“.
Unconventional view of PKI -The key is to use the appropriate language -Implementation of PKI in the civilian sector is more complicated that in the military sector -In the army there is necessary to persuade responsible officers only and they can give the order to use technology to all units which need it -Nevertheless with this officer is necessary to communicate with the appropriate language as well. PKI technology is not so transparently useful like for example laser tracking system for intelligent bombs
Unconventional view of PKI -On the other side ONLY to give an orders to units is not so easy -In these days, in the time of armies and wars of third generation it is necessary more do than simple order -Soldier has to have high quality education -Soldier needs to speak fluently with more than one human language and he needs to know some programming languages -He needs to understand believe in technologies which he is using -And now we are again talking about appropriate common language
Unconventional view of PKI -The age of brutal and massive attacks is history -Most of recent conflicts are waged on the level of local LIC (low intensity conflicts) -And with utilities more sophisticated than is usual M 16. -Most of LIC takes a place in invisible sphere of battle for information - in Cyberspace is the battle field for conflicts of third generation
Unconventional view of PKI -It is unquestionable that information acquired by special force units is necessary to protect during its way to command analytical center. -In the same way it is necessary to protect information going vice versa from command center to special operational units. -Small operative, highly educated and well trained units with the continuous and PROTECTED data flow of information, this is the model for LIC of third generation. Therefore structured and modular PKI is necessary
Basic definitions of PKI What PKI is It is an complex system, which supports a ciphering with public keys and services connected with the electronic signatures. Basic purpose of Public Key Infrastructure is the public keys and certificates management. PKI enables usage of services connected with the ciphering and electronic signatures in the huge range of applications.
Basic definitions of PKI Well designed and realized PKI has to have a several basic features: - Export of user and management interfaces - Possibility to add centralized key and certificate management - Centralized security policy management - Modularity is basic and inevitable feature of PKI
Basic definitions of PKI Basic components of PKI is the combination of: - Knowledge - software - hardware - Practice standards, legislative rules, politics, and procedures
Structure of PKI system Security policy of PKI Practices and procedures, which defines how the keys and certificates will be generated, managed, distributed and used Security practice of PKI Crash recovery policy PKI Certification Authority and Time stamp Authority Document base for CA Support for Time Stamp (TS) Software (hardware) key generation and their secure storage and management Software (hardware) for certificate management outside of CA system
Processes in PKI system Key generation Key management Certificate generation Certificate management, and also outside of CA system Export interfaces for key and certificate usage Possibility of third party software operation over the PKI
Functions of PKI single modules What such modules are: Key and certificate management Electronic signature as inevitable module executable module operating over the PKI Certification Authority TSA
Cryptographic Message Standard, RFC 2630 Electronically signed data – what to do with it ? header data Certs, CRLs Signed. Data : : = SEQUENCE { version CMSVersion, digest. Algorithms Digest. Algorithm. Identifiers , encap. Content. Info Encapsulated. Content. Info , certificates [0] IMPLICIT Certificate. Set OPTIONAL, crls [1] IMPLICIT Certificate. Revocation. Lists OPTIONAL, signer. Infos Signer. Infos } signatures • • • compact format for signature (signatures) and data itself separated signature (extra signature), where the data are stored separately certificate and/or CRL wrapping either separately or with signatures
Signer Info & Trustful signature time Signer Identifier Signed Attributes Signature Unsigned Attributes Time Stamp & Signature Time. Stamp Signer. Info : : = SEQUENCE { version CMSVersion, sid Signer. Identifier, digest. Algorithm Digest. Algorithm. Identifier, signed. Attrs [0] IMPLICIT Signed. Attributes OPTIONAL, signature. Algorithm Signature. Algorithm. Identifier, signature Signature. Value, unsigned. Attrs [1] IMPLICIT Unsigned. Attributes OPTIONAL }
Data in electronic envelope Enveloped. Data : : = SEQUENCE { version CMSVersion, originator. Info [0] IMPLICIT Originator. Info OPTIONAL, recipient. Infos Recipient. Infos , encrypted. Content. Info Encrypted. Content. Info , unprotected. Attrs [1] IMPLICIT Unprotected. Attributes OPTIONAL } Recipient. Info : : = SEQUENCE { version Version, issuer. And. Serial. Number Issuer. And. Serial. Number , key. Encryption. Algorithm Key. Encryption. Algorithm. Identifier , encrypted. Key Encrypted. Key }
S/MIME Package Redundancy ? MIME encoding signature CMS MIME encoding Signed data Or ? signature CMS Signed data encryption CMS send Enveloped data
Key, certificate … – – – Key pair generation, algorithms, key length Request, selfsigned certificates Hw storages – tokens, smart cards Key backup - tokens Signing request, revocate certificate Certificate share, LDAP, web, . .
Certification Authority Root CA LDAP Locality A On-line CA with hw. Engine (Luna, . . ) LUNA Server HTTPS SQL CA core DB Name RA (RAO) WEB browser Locality B RA (RAO) WEB browser Locality C RA (RAO) WEB browser Locality D Server
Time Stamp Authority • RFC 3161, ETSI TS 101 861 http: //time. trustport. cz: 8000/
SDK- Software Development Kit Client – server technology Digital signature Cert. requests Data encryption Signing CRL, Cert Time Stamp TSA File, DB storages for CRL, Certs, Keys SSL, … Objects providers MS storages, … LDAP client/server support Objects exchanger, . . USB tokens Smart Cards
Real Application SDK colaboration OS integration Obtain key pair l. Result = pki_Init(&pki_ses, NULL); if(l. Result != RET_OK) { printf("Failed to initialize PKI session EC: %dn", l. Result); } else { l. Result = pki_Init. Bucket(pki_ses, &pki_col); if(l. Result != RET_OK) { printf("Failed to initialize PKI bucket EC: %dn", l. Result); } else { Managing PKI // verify digitally signed file l. Result = pki_CBDecrypt. Sgn(pki_ses, pki_col, g_psz. Signed. File, g_psz. Gathered. File, NUL 3 rd party sw RA & CA IS implementation
Thank you for your attention
- Pki advantages and disadvantages
- Mám jednu tetu v bechyni
- Páni kluci jiří žáček
- Jiří chvojka
- Jiří wolker prezentace
- Jiri wolker postovni schranka
- Jiri z podebrad
- Autor
- Jiří houdek muzeum
- žlutý tulipán báseň
- Rotunda svatého jiří
- Jiri z podebrad
- Jan jiří benda
- Team nursing
- Pki rfc
- Pki architecture diagram
- Pgp vs pki
- Pki itu
- Paulo magina
- Peta perjanjian kmb
- Pki sertifikat
- Pki-025
- Pki forum
- Pki définition