Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure
Joshua Schiffman, Archana Viswanath
CSE 543 Computer Security: Risks of PKI - Josh Schiffman & Archana Viswanath


Computer Security

● Security is a business
  ○ Especially PKI
● PKI needs business to thrive
  ○ Buy certificates
  ○ PKI equipment
● Certificates are the commodity
  ○ How trustworthy are they?


Categories of Risk

● Security is a chain
  ○ Only as strong as the weakest link
● We identify three main categories for risk
  ○ Trust in the Certification Authority (CA)
  ○ Trust in the encryption keys
  ○ Trust in the users


Certification Authorities

● PKI requires distribution of public keys
  ○ Dangerous to send in the clear
● CAs provide certificates binding name to key
  ○ What makes a CA trusted?
  ○ What guarantee do we have the certificate is real?

[Diagram: Alice, CA, key KB; caption "Really? This is Bob's public key"]


Content Authorities

● Certificates contain more than just a key
  ○ Name / ID
  ○ DNS for SSL
● Who is authorized to provide this content?
  ○ CAs are not authorities
  ○ Contrary to many other systems
    ▶ Business name
    ▶ Licenses
● Does it always matter?
  ○ Offers no added encryption


Registration Authority

● Registration Authorities (RA)
  ○ Authority on the contents
  ○ Establish secure communication with the CA
● What guarantees are in the RA+CA model?
  ○ CAs can forge certificates
  ○ More vectors for attack
  ○ Authorities physically possessing the CA helps
    ▶ Breaks some business models


Identifying the Applicant

● Does the CA verify applications?
  ○ Identity checking
  ○ Are the credentials easy to obtain?
● Is there private key verification?
  ○ Possessing the public key for the certificate
    ▶ Does not prove possession of private key

[Diagram: Alice, CA, key KA; caption "Really? This is my public key"]
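
An added example, not from the original slides: a CA-side proof-of-possession check for the point above that holding a public key does not prove holding the private key. It uses textbook RSA with constructed toy keys for illustration only; ca_issue, the applicant callbacks and the subject names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Textbook RSA from two primes (toy, no padding). Returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)

def _digest(msg, n):
    # SHA-256 of the message, reduced into the RSA group.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

def ca_issue(name, pub, respond, check_possession=True):
    """Hypothetical CA step: bind `name` to `pub`.

    With check_possession, the applicant must sign a fresh challenge that
    verifies under the submitted public key, so only the private-key holder
    can obtain the binding. Returns the certificate body or None.
    """
    if check_possession:
        challenge = name.encode() + b"|" + secrets.token_bytes(16)
        if not verify(pub, challenge, respond(challenge)):
            return None
    return {"subject": name, "public_key": pub}

# Constructed toy keys built from Mersenne primes; far too weak for real use.
ALICE_PUB, ALICE_PRIV = keypair(2**61 - 1, 2**89 - 1)
MALLORY_PUB, MALLORY_PRIV = keypair(2**107 - 1, 2**127 - 1)

def alice(challenge):
    # Alice answers the CA's challenge with her own private key.
    return sign(ALICE_PRIV, challenge)

def mallory(challenge):
    # Mallory knows Alice's public key but can only sign with her own key.
    return sign(MALLORY_PRIV, challenge)
```

Without the check, the CA binds any name to any public key it is handed; with it, an applicant who submits someone else's public key cannot answer the challenge.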


Securing the CA

● CAs don't keep secrets
  ○ All verification is done with public keys
● Use "root certificates" to vouch for the certificate
  ○ Self-signed
  ○ Form a chain of trust
    ▶ Must end at some ultimately trusted party
● Attackers can inject their own root keys
  ○ Spoof public keys
● Physically protect the CA