
Public Key Infrastructure

Content
• Prerequisites
• Public key infrastructure
• X.509 and OpenSSL
• Domain name system
• Lab materials
• Issuing and Revoking Certificates
• Hierarchy of Certificate Authority
• Threat to Public Key Infrastructure

Public Key Infrastructure

Symmetric Cryptography

Symmetric Cryptography: Enc_k( )

Asymmetric Cryptography

Symmetric Cryptography: Enc_pk_A( ), Enc_pk_B( )

Confidentiality and Authenticity


Computational Complexity

Key Exchange Protocols
• "I will use the key"
• "Ok"

Key Exchange Protocols: Enc_pk_A( )

Man in the Middle attack: Enc_pk_C( ), Enc_pk_A( )

Certificate
• "Give me your public key and certificate"
• "is the certificate and public key"

Transport Layer Security
• client hello, crypto info
• server hello, ciphersuite, certificate
• Enc_pk_A(pre_master_key)
• Client finished
• Server finished
• Exchange message

Public Key Infrastructure

X.509 and OpenSSL

X.509
• Standard format of public key certificates
• Used in TLS/SSL, electronic signature
• Self-signed or signed by certificate authority
• Certificate revocation list
• Path validation algorithm

OpenSSL: CSR, entities, private keys


Sample commands
• Generate a Private Key and a CSR
  openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
• Generate a Self-Signed Certificate
  openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
• Sign a certificate
  openssl x509 -req -days 360 -in <CSR-for-the-new-device> -CA <your-intermediate-CA-certificate> -CAkey <your-intermediate-CA-key> -out <your-new-certificate> -set_serial <a random number>
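The sample commands above chained into one flow, as an added example that is not part of the original slides: a CA issues a certificate from a CSR, and `openssl verify` shows that a certificate for the same name signed by a CA the client does not trust is rejected. The names "Demo Lab CA", "Untrusted CA", www.example.test and all file names are constructed for illustration.

```shell
#!/bin/sh
# Added example; every name and path below is constructed for illustration.
set -eu

# make_ca DIR NAME CN: self-signed CA certificate DIR/NAME.crt, key DIR/NAME.key
make_ca() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -x509 -days 365 -subj "/CN=$3" -out "$1/$2.crt" 2>/dev/null
}

# make_csr DIR CN: server key DIR/domain.key and request DIR/domain.csr
make_csr() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/domain.key" \
        -subj "/CN=$2" -out "$1/domain.csr" 2>/dev/null
}

# sign_csr DIR CA OUT: sign DIR/domain.csr with CA, writing DIR/OUT.crt
# The serial number is random, as in the "Sign a certificate" command.
sign_csr() {
    openssl x509 -req -days 360 -in "$1/domain.csr" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -set_serial "0x$(openssl rand -hex 16)" -out "$1/$3.crt" 2>/dev/null
}

# verify_cert DIR CA CERT: succeeds only if CERT chains to the trusted CA
verify_cert() {
    openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}

run_demo() {
    dir=$(mktemp -d)
    make_ca  "$dir" lab-ca   "Demo Lab CA"
    make_ca  "$dir" other-ca "Untrusted CA"
    make_csr "$dir" "www.example.test"
    sign_csr "$dir" lab-ca   good      # issued by the CA the client trusts
    sign_csr "$dir" other-ca forged    # same name, issued by an unknown CA
    verify_cert "$dir" lab-ca good   && echo "good.crt:   chains to lab-ca, accepted"
    verify_cert "$dir" lab-ca forged || echo "forged.crt: unknown issuer, rejected"
    rm -rf "$dir"
}

run_demo
```

A client that trusts only lab-ca.crt accepts good.crt and rejects forged.crt, even though both carry the same subject name and public key.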

Domain Name System

Domain names and IP addresses
• Client: "Where www.cs.jhu.edu exactly is?"
• root: "Go ask edu"
• edu: "Go ask jhu"
• jhu: "It is XX. . XX"

Connect to DNS through DHCP and ARP
• "Got a DHCP offer, the DNS server is …"

Lab Materials

Issuing and Revoking Certificates
• Draw topology and reserve resources
• Set up LAMP for web application
• Set up Certificate Authority
• Generate certificate and configure it
• Revoke the certificate

Hierarchy of Certificate Authority
• Basically the same as the previous one
• Replace a single CA with a chain of CAs

Threat to Public Key Infrastructure
• Set up DNS server on attacker's node
• Set up web server on server's node
• Install the tool sslsplit on attacker's node
• Connect to the web server from the client
• Check whether the attacker intercepted messages