Introduction To PKI, Certificates & Public Key Cryptography: Erwan Lemonnier
Introduction To PKI, Certificates & Public Key Cryptography: Erwan Lemonnier
Introduction To PKI, Certificates & Public Key Cryptography: Erwan Lemonnier
Erwan Lemonnier
Non-repudiability
Bind an entity to its actions
Certificates
PKI
Problem: how to exchange secret keys ? =>Secret Key Server (ex: kerberos)
REM: Public Key algorithms are slow Need to use both Public & Secret Key Cryptography Public Key Protocols work in 3 phases 1. Authentication via Public Key Cryptography (challenge) 2. Exchange of a session Secret Key, encrypted with Public Key Crypto 3. Session encrypted with Symmetric Cryptography
Certificate
A certificate binds an entity with its public key. Its just a digitally signed piece of data. digital ID card Certificate = an entitys description (name, etc.) + entitys public key + expiration date, serial number, etc. + CAs name + a signature issued by a CA The certificate is issued and signed by a trusted Certificate Authority (CA)
Digital signature: CA signature = certificate hash, encrypted with CAs private key
Certificate
The certificates CA is the only entity able to create/modify the certificate the CA has to be trusted
Certificates enable:
Clients to authenticate servers Servers to authenticate clients Public key exchange without Public Key Server No disclosure of private/secret keys. Certificates are usually stored encrypted.
Special features: chains of CAs, to distribute the task of issuing Certificates Certificate Revocation List, to disable certificates
example: IPSec
IPSec works at IP level. Provide authentication and encryption. Used to build VPNs.
Configuration: 2 transfert modes: tunnel or transport 2 transfert protocols: AH (Authentication Header) ESP (Encapsulating Security Payload)
Key exchange protocols: Internet Key Exchange (IKE), Internet Security Association and Key Management Protocol (ISAKMP), etc.
hackable Public Key/Certificate servers private keys/passwords can be stolen/spied short keys, implementation or design breach
certificates can be stolen, password spied certificates are stored encrypted, with weak password easy to be issued a certificate from a CA they seldom check if CA can be trusted before accepting certificates (netscape GUI)
Attack example: hack clients computer, steal certificate & password man in the middle
Links
Book: Applied cryptography, Bruce Schneier
URLs: theory.lcs.mit.edu/~rivest/crypto-security.html www.counterpane.com/pki-risks.html www.csc.gatech.edu/~copeland/8813/slides/ www.iplanet.com/developer/docs/articles/security/pki.html web.mit.edu/6.857/OldStuff/Fall96/www/main.html