Upload
makayla-mackay
View
215
Download
1
Tags:
Embed Size (px)
Citation preview
Use of Public-Key Infrastructure (PKI)
Erik Andersen
Association for the Directory Information and RelatedSearch Industry (EIDQ - http://www.eidq.org )
Andersen's L-Service consultancy
Rapporteur for Directory services, Directory systems, and public-key/attribute certificates
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 1
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 2
Where it all starts
What to cover
Introduction to basic PKI principles
Use of PKI within Identity Management
Use of PKI for IP Security (IPSec)
Use of PKI for RFID identification
Use of PKI within cloud computing
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 3
Public-key Certificates
A public-key certificate providesthe binding between a name and a public key for a user for a given period and is issued andconfirmed by a CertificationAuthority (CA).
Public-key certificate
Name of userPublic key
Signed by Certification Authority (CA)
The public-key certificate is thebasic concept for public-keyinfrastructure (PKI).
Can I trust a certificate?A certificate may have expiredThe corresponding private key may be compromisedThe CA policy for issuing certificates may not be satisfactoryA certificate my be a forgery as the CA's private key may be compromisedEtc.
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 5
Public-Key Infrastructure (PKI)
PKI is an infrastructure for checking the validity or quality of a presented public-key certificateA PKI consists of a number of interworking componentsSomewhere there must be a trust anchor
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 6
Security is about Trust!
Relationship with IdM (Identity proofing)
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 7
Name of userPublic key
Pointer to policy
Name to be verified by the Certification Authority or Registration Authority
UniquenessProof of identityLegal right to nameLevel of verification depending on use of certificatePart of Identity Management (IdM)Guidelines provided byITU-T SG 17 IdM groupCA Browser ForumETSI ESI activity
Rules may be expressed in a Certificate Policy document
Public-key certificate
IP Security (IPsec)
Specified in RFC 4301
Provides end-to-end protection for all applications using this end-to-end connection
Uses shared cryptographic keys for authentication, integrity, and confidentiality of data
Uses Internet Key Exchange (IKE) for establishing shared keys (security association) - RFC 5996
Diffie-Hellman key exchange is used by IKE for that purpose (RFC 3526)
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 8
Problem using Internet Key Exchange without PKI
Geneva, 6-7 December 2010 Addressing security challenges on a global scale
Diffie-Hellman key exchange
AliceBob
AliceBob ”Man-in-the-middle”
Diffie-Hellmankey exchange
Diffie-Hellmankey exchange
Using Internet Key Exchange with PKI
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 10
Diffie-Hellman key exchangeusing digital signature and optionally
certificate information
AliceBob
A man-in-the-middle will be detected!
Radio-Frequency Identification -
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 11
Directory infrastructure
RFIDtag
RFIDreader
Clientsystem
The RFID tag contains information, including a unique identityThe unique identity is used access information associated with the tag
Protecting RFID information
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 12
Pharmaceutical drugsfrom Counterfeit Drugs Inc.
RFID tag says:Pharmaceutical drugs from Roche Ltd.
RFID tagUnique identity
Information
Signature over essential information
Signature produced by private key of vendor (tag creator)Signature not produced using Roche’s private keySignature checked using Rotch’s public keySignature check fails
Radio-Frequency Identification (RFID)
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 13
Directory infrastructure
RFIDtag
RFIDreader
Clientsystem
IdentifierSigned Info
Search using identifier as search criterion
Certificate information
Other Information
Authentication and authority for Cloud Computing
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 14
Name of userPublic key
Privileges
Generally of importanceCheck of identityCheck of privileges
Even of greater importance for Cloud ComputingA Public-key certificate may contain privilege informationAlternatively, an attribute certificate may be used
Public-key certificate
Privileges
Attributecertificate
Identity and privilege issues for hybrid clouds
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 15
Private Private CloudCloud Public Public
CloudCloud
Hybrid CloudHybrid Cloud
CloudCloud
Clouds with multiple service providers/hybrid clouds: Different privilegesdifferent identitiesdanger of complex key management
Authentication and authority for Cloud Computing
ITU-T Study Group 17, Question 11 has the issue on its to-do listIt has relationship with Identity ManagementOne solution may be use of attribute certificatesAttribute certificate:Used for assigning privileges to user
Points to user , e.g., by pointer to user's public-key certificate
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 16
Geneva, 6-7 December 2010 Addressing security challenges on a global scale 17
END