Advantages of modular PKI
Ing. Jiří Mrnuštík, jiri.mrnustik@aec.cz
Ing. Petr Vaněk, petr.vanek@aec.cz

Unconventional view of PKI
- I would like to make this lecture a little less conservative
- Implementing PKI in practice is not limited to the technical and organizational establishment of a trusted third party for issuing certificates
- Not only governments but private firms as well aim to deploy PKI on a massive scale
- PKI has been in place for many years, and analysts have recognized, with surprise, that such a useful technology is still not massively used and implemented
- Surprising, isn't it?

Unconventional view of PKI
My good friend and ex-boss Tor-Aksel Frolyland from the Norman Data Defense company wrote to me several days ago: „Together we had been developing PKI for many years, as well as applications operating over it. We spent a lot of financial and human resources in our R&D team, but the sales of this software in the civilian sector were not good enough. Only now, when I am working in the bank as ICT security chief officer, I start to understand the reasons. We spoke to our clients in the language of techies, which they didn't understand.“

Unconventional view of PKI
- The key is to use the appropriate language
- Implementing PKI in the civilian sector is more complicated than in the military sector
- In the army it is only necessary to persuade the responsible officers, and they can order all units that need the technology to use it
- Nevertheless, it is necessary to communicate with these officers in the appropriate language as well. PKI technology is not as transparently useful as, for example, a laser tracking system for intelligent bombs

Unconventional view of PKI
- On the other hand, ONLY giving orders to units is not so easy
- These days, in the time of armies and wars of the third generation, it is necessary to do more than give a simple order
- A soldier has to have a high-quality education
- A soldier needs to speak more than one human language fluently and needs to know some programming languages
- He needs to understand and believe in the technologies he is using
- And now we are again talking about an appropriate common language

Unconventional view of PKI
- The age of brutal and massive attacks is history
- Most recent conflicts are waged at the level of local LIC (low intensity conflicts)
- And with tools more sophisticated than the usual M16
- Most LIC take place in the invisible sphere of the battle for information: cyberspace is the battlefield for conflicts of the third generation

Unconventional view of PKI
- It is unquestionable that information acquired by special forces units must be protected on its way to the command analytical center
- In the same way, it is necessary to protect information going the other way, from the command center to special operational units
- Small, operative, highly educated and well-trained units with a continuous and PROTECTED flow of information: this is the model for LIC of the third generation. Therefore a structured and modular PKI is necessary

Basic definitions of PKI
What PKI is
It is a complex system which supports public-key encryption and services connected with electronic signatures. The basic purpose of a Public Key Infrastructure is the management of public keys and certificates. PKI enables the use of services connected with encryption and electronic signatures in a huge range of applications.

Basic definitions of PKI
A well designed and implemented PKI has to have several basic features:
- Export of user and management interfaces
- Possibility to add centralized key and certificate management
- Centralized security policy management
- Modularity is a basic and inevitable feature of PKI

Basic definitions of PKI
The basic components of PKI are a combination of:
- Knowledge
- Software
- Hardware
- Practice standards, legislative rules, policies, and procedures

Structure of PKI system
- Security policy of PKI
- Practices and procedures which define how the keys and certificates will be generated, managed, distributed and used
- Security practice of PKI
- Crash recovery policy
- PKI Certification Authority and Time Stamp Authority
- Document base for CA
- Support for Time Stamp (TS)
- Software (hardware) key generation and secure key storage and management
- Software (hardware) for certificate management outside of the CA system

Processes in PKI system
- Key generation
- Key management
- Certificate generation
- Certificate management, also outside of the CA system
- Export interfaces for key and certificate usage
- Possibility of third-party software operating over the PKI

Functions of single PKI modules
What such modules are:
- Key and certificate management
- Electronic signature as an inevitable module, an executable module operating over the PKI
- Certification Authority
- TSA

Cryptographic Message Standard, RFC 2630
Electronically signed data – what to do with it?
[Diagram labels: header; data; Certs, CRLs; signatures]

    SignedData ::= SEQUENCE {
        version CMSVersion,
        digestAlgorithms DigestAlgorithmIdentifiers,
        encapContentInfo EncapsulatedContentInfo,
        certificates [0] IMPLICIT CertificateSet OPTIONAL,
        crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
        signerInfos SignerInfos }

• compact format for the signature (signatures) and the data itself
• separated signature (extra signature), where the data are stored separately
• certificate and/or CRL wrapping, either separately or with signatures

Signer Info & Trustful signature time
[Diagram labels: Signer Identifier; Signed Attributes; Signature; Unsigned Attributes; Time Stamp & Signature; TimeStamp]

    SignerInfo ::= SEQUENCE {
        version CMSVersion,
        sid SignerIdentifier,
        digestAlgorithm DigestAlgorithmIdentifier,
        signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
        signatureAlgorithm SignatureAlgorithmIdentifier,
        signature SignatureValue,
        unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
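The SignedData and SignerInfo slides above can be checked structurally with a small DER walker. This is an added example, not part of the original slides or of the SDK they describe: it tells apart the three packaging forms listed on the SignedData slide and reports whether each signer carries signed and unsigned attributes. It assumes a bare SignedData (no outer ContentInfo wrapper), and the function names, form labels and sample data are constructed for illustration.

```python
# Added example (not from the slides): structural check of a DER CMS SignedData.
# Definite lengths and single-byte tags only; no signature verification is done.
def tlv(tag, body=b""):
    """Encode one DER TLV; used here only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def children(buf):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated header")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                  # long-form length
            k = n & 0x7F
            if k == 0 or i + k > len(buf):
                raise ValueError("indefinite or truncated length")
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("value runs past end of buffer")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def describe_signed_data(der):
    (tag, body), = children(der)                      # exactly one outer SEQUENCE
    fields = children(body)
    if tag != 0x30 or len(fields) < 4:
        raise ValueError("not a SignedData SEQUENCE")
    optional = {t for t, _ in fields[3:-1]}           # certificates [0] / crls [1]
    signers = [{t for t, _ in children(v)} for _, v in children(fields[-1][1])]
    has_content = len(children(fields[2][1])) > 1     # eContent present?
    form = "certs-crls-only" if not signers else ("attached" if has_content else "detached")
    return {"form": form, "certificates": 0xA0 in optional, "crls": 0xA1 in optional,
            "signers": len(signers), "signed_attrs": [0xA0 in s for s in signers],
            "unsigned_attrs": [0xA1 in s for s in signers]}

def sample(content=None, signers=1, certs=False, unsigned=False):
    """Constructed SignedData with placeholder identifiers and a dummy signature."""
    oid_data = tlv(0x06, bytes.fromhex("2a864886f70d010701"))      # id-data
    encap = tlv(0x30, oid_data + (tlv(0xA0, tlv(0x04, content)) if content is not None else b""))
    si = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30) + tlv(0x30) + tlv(0x30)
             + tlv(0x04, b"dummy") + (tlv(0xA1, tlv(0x30)) if unsigned else b""))
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31) + encap
               + (tlv(0xA0, tlv(0x30)) if certs else b"") + tlv(0x31, si * signers))
```

A verifier that receives the detached form has to be given the data separately, and an unsignedAttrs field is only where a time stamp may be carried, so its presence alone says nothing about whether the stamp is valid.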

Data in electronic envelope

    EnvelopedData ::= SEQUENCE {
        version CMSVersion,
        originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
        recipientInfos RecipientInfos,
        encryptedContentInfo EncryptedContentInfo,
        unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL }

    RecipientInfo ::= SEQUENCE {
        version Version,
        issuerAndSerialNumber IssuerAndSerialNumber,
        keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
        encryptedKey EncryptedKey }

S/MIME Package
Redundancy?
[Diagram labels: MIME encoding; signature; CMS; MIME encoding; Signed data]
Or?
[Diagram labels: signature; CMS; Signed data; encryption; CMS; send; Enveloped data]

Key, certificate …
- Key pair generation, algorithms, key length
- Request, self-signed certificates
- HW storage: tokens, smart cards
- Key backup: tokens
- Signing request, revoke certificate
- Certificate sharing: LDAP, web, ..

Certification Authority
[Diagram labels: Root CA; LDAP; Locality A; On-line CA with hw engine (Luna, ..); LUNA; Server; HTTPS; SQL; CA core; DB; Name; RA (RAO); WEB browser; Locality B; RA (RAO); WEB browser; Locality C; RA (RAO); WEB browser; Locality D; Server]

Time Stamp Authority
• RFC 3161, ETSI TS 101 861
http://time.trustport.cz:8000/

SDK - Software Development Kit
[Diagram labels: Client – server technology; Digital signature; Cert. requests; Data encryption; Signing CRL, Cert; Time Stamp TSA; File, DB storages for CRL, Certs, Keys; SSL, …; Objects providers; MS storages, …; LDAP client/server support; Objects exchanger, ..; USB tokens; Smart Cards]

Real Application
[Diagram labels: SDK collaboration; OS integration; Obtain key pair; Managing PKI; 3rd party sw; RA & CA; IS implementation]

    lResult = pki_Init(&pki_ses, NULL);
    if(lResult != RET_OK) {
        printf("Failed to initialize PKI session EC: %d\n", lResult);
    } else {
        lResult = pki_InitBucket(pki_ses, &pki_col);
        if(lResult != RET_OK) {
            printf("Failed to initialize PKI bucket EC: %d\n", lResult);
        } else {
            // verify digitally signed file
            lResult = pki_CBDecryptSgn(pki_ses, pki_col, g_pszSignedFile, g_pszGatheredFile, NUL

Thank you for your attention
