ITU Workshop on Caller ID Spoofing Geneva Switzerland

ITU Workshop on “Caller ID Spoofing” (Geneva, Switzerland, 2 June 2014) Introduction to public-key infrastructure (PKI) Erik Andersen, Q. 11 Rapporteur, ITU-T Study Group 17 era@x 500. eu Geneva, Switzerland, 2 June 2014

PKI and PMI Public-key certificates: The basis for public-key infrastructure (PKI) Attribute certificates: The basis for privilege management infrastructure (PMI) Rec. ITU-T X. 509 | ISO/IEC 9594 -8 base specification for both types of infrastructure Geneva, Switzerland, 2 June 2014 2

Facts about X. 509 PK I Part of the X. 500 Series of Recommendations Also issued as ISO/IEC 9594 -8 Issued in seven editions First edition in 1988 Eight edition on its way Number one in downloads Defines: Public key/private key principles Public-key certificates Public-key infrastructure (PKI) Attribute certificates Privilege management infrastructure (PMI) Geneva, Switzerland, 2 June 2014 3

Asymmetric cryptography is basic technology behind PKI and PMI A B Private key Public key Action using private key Resolving using public key Resolving using private key Action using public key Geneva, Switzerland, 2 June 2014 4

PKI entities End entity Certificate & CRL repository (e. g. , an LDAP or X. 500 directory) Registration Authority CA CRL Issuer CA Geneva, Switzerland, 2 June 2014 5

Certifying the identity using public-key certificates Certification Authority OK Geneva, Switzerland, 2 June 2014 6

Public-key certificate Version Serial number Algorithm Issuer Validity Subject Public key info Issuer unique id Subject unique id Extensions Version 2 (do not use!) Version 3 - Important Digital signature of issuer Geneva, Switzerland, 2 June 2014 7

Extensions The extension concept allows adding additional information to a publickey certificate. Organizations may define own extensions. If the information changes, the public-key certificate has to be renewed.

Certification authority (CA) NOT: Certificate authority Verify the identity of the subject Verify the position of the key-pair Verify the other information as required Issues and sign the public-key certificate Maintain revocation status Publishes revocation status Geneva, Switzerland, 2 June 2014 9

Checking the credentials Subject Relying party A passport is a type of certificate binding a picture to a subject ID Has to be issued by a trustworthy authority A passport may be false It is checked by the validator, also called the relying party Geneva, Switzerland, 2 June 2014 10

Trust Would you buy a certificate of this man? Certificates Geneva, Switzerland, 2 June 2014 Would you trust a certificate issued by this man? 11

Hierarchical Structure Trust anchor CA CA CA EE EE CA = Certification authority EE = End entity EE CA EE EE EE

Trust anchor Trusted by a relying party Trust anchor information: Configured into relying party Public-key certificate or similar information Geneva, Switzerland, 2 June 2014 13

Certificate Revocation List (CRLs) Version Algorithm Issuer Time for this update Time for next update Certificate Serial Number Revocation Date Extensions CRL Extensions Digital signature of issuer Revoked Certificate

Online Certificate Status Protocol (OCSP) OCSP responder OCSP client OCSP request OCSP response Geneva, Switzerland, 2 June 2014 15

Validation procedure Storing of Trust Anchor Information User system B (Relying Party) Check of revocation Signed data Trust Ancho r CA CA User system A (end entity)

Where to go The central source for information on the X. 500 Directory Standard including X. 509. www. x 500 standard. com Geneva, Switzerland, 2 June 2014 17