
PKI FUNDAMENTALS, STATE OF THE ART, VULNERABILITIES by Bíólá Fáyemí - PowerPoint PPT Presentation

DELIVERED AT THE 11TH INTERNATIONAL CONFERENCE OF THE NIGERIA COMPUTER SOCIETY (NCS) HELD AT THE ROYAL PARK HOTEL, ILOKO-IJESA, THE STATE OF OSUN, NIGERIA (24-26 JULY, 2013)


  1. DELIVERED AT THE 11TH INTERNATIONAL CONFERENCE OF THE NIGERIA COMPUTER SOCIETY (NCS) HELD AT THE ROYAL PARK HOTEL, ILOKO-IJESA, THE STATE OF OSUN, NIGERIA (24-26 JULY, 2013) PKI FUNDAMENTALS, STATE OF THE ART, VULNERABILITIES by Bíólá Fáyemí CISSP, CCNP, CCDP, Founder/CEO, CircuitContext Technologies Inc., Oakville, ON, Canada

  2. PKI A Public Key Infrastructure is a framework for issuing and managing digital certificates. A Digital Certificate binds an identity to an electronic public key. A public key is paired with a corresponding private key to produce a unique key pair.

  3. A LITTLE ABOUT ME Abíólá Fáyemí CISSP, CCNP, CCDP. Internetworking and Security Consultant. 28 years industry experience working on Large Scale Network Design, Vulnerability Research and Internet Security at industry bellwethers: SITA, America Online, Cisco Systems, Nortel Networks, SOMA Networks, nCircle Network Security.

  4. INFORMATION SECURITY MANTRA Protecting information and information systems from:
  – (unauthorized) access, use, disclosure, perusal, inspection, recording
  – disruption, modification, software/database failure
  – Denial of Service, deterioration, failures or destruction.
  The words above all fall under one or more of the core principles of Information Security, namely: Confidentiality, Integrity, Availability.

  5. AND MORE … Authenticity (or Authentication): in information security, authentication requires that all parties involved in transactions, communications and information exchanges validate who they claim to be. Non-repudiation: the principle that any party to a transaction or information exchange cannot deny engagement with that transaction. In electronic commerce and other secured transaction channels, technologies such as digital signatures and public key encryption are deployed to establish authenticity and non-repudiation.

  6. CONFIDENTIALITY Confidentiality – To keep your information from prying eyes. Cryptography (Encryption) is used to convert intelligible plaintext to unintelligible ciphertext.

  7. INTEGRITY – BACK IN THE DAY

  8. INTEGRITY A LA PKI

  9. WHAT DOES PKI PROVIDE? The foundation for delivering essential elements of secure e-Government and e-Commerce:
  – Authentication
  – Access Control
  – Privacy
  – Integrity
  – Non-Repudiation

  10. THE ESSENCE OF PKI Cryptography provides the foundation of a PKI. Cryptographic keys are the foundation of cryptographic functions. PKI is built around the concept of each entity having a PAIR of mathematically related keys: Public Key – Known by Many; Private Key – Known by ONE. Digital signatures and public key encryption are the bedrock of Public Key Infrastructure.

  11. PKI: BRIEF TIMELINE
  – Public key crypto invented in 1976
  – First mention of a public key certificate in 1978
  – First certificate standard (X.509) issued in 1988
  – First IETF certificate standard issued in 1993
  – Later half of the 1990s was full of hope, and hype: emergence of the World Wide Web; .com boom; VeriSign founded (1995); SSL invented and deployed in browsers; expiration of the Diffie-Hellman and RSA patents

  12. BUILDING BLOCKS The basic building block of a PKI is a (digital) Certificate. The entity creating a certificate is called a Certification Authority (CA). The core components of a Certificate are: 1. Name(s) of the entity that the certificate refers to. 2. The public key of the entity. 3. A digital signature created by the CA. Certificates and CAs enable a chain of trust to be built.

  13. KEYS ARE THE KEY !!!

  14. SYMMETRIC KEYS

  15. ASYMMETRIC KEYS !!!

  16. OVERVIEW - COMPONENTS OF PKI TECHNOLOGY PKI technology consists of three basic parts: A Registration Authority (RA) - The RA is the authentication process in the network that verifies user requests for a digital certificate. The RA tells the Certificate Authority (CA) to issue the digital certificate. A Certificate Authority (CA) - The CA issues (and revokes) the digital certificate, which contains a public key and the identity of the owner. The CA's signature on the certificate attests that this public key actually belongs to the named owner. A Database - The repository, or database, stores the digital certificates.

  17. WHAT A CERTIFICATE LOOKS LIKE

  18. SECURITY NOTICE

  19. DIGITAL SIGNATURE DETAILS - GENERAL

  20. DIGITAL SIGNATURE DETAILS - ADVANCED

  21. VIEW CERTIFICATE GENERAL

  22. VIEW CERTIFICATE DETAILS

  23. VIEW CERTIFICATE PATH

  24. IMPLEMENTATION – DESIGN (ARCHITECTURE) A PKI framework may be designed as a hierarchical Certificate Authority (CA) trust model, which will map with, or closely approximate, the administrative structure of governance. This architecture calls for a Root CA and several (accredited) subordinate CAs.
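The following Go program is an added example, not code from the presentation or from CircuitContext Technologies; it ties together slide 12 (the three core components of a certificate and the chain of trust), slide 16 (the RA verifying a request before the CA issues), slide 23 (the certificate path) and slide 24 (Root CA plus subordinate CAs) using only the standard library's crypto/x509. The CA names "NCS Root CA" and "NCS Sub CA" and the hostname pki.example.org are constructed for the example. It builds a root, a subordinate CA and an end-entity certificate enrolled through a CSR, then verifies the path back to the root; a rogue CA that copies the subordinate's name but not its key shows that the path is accepted on signatures, not on names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on err; this example has no recovery path for internal failures.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey makes a P-256 key pair: the private half is known to ONE entity, the
// public half is what goes into that entity's certificate.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue assembles the three core components of a certificate (subject name,
// subject public key, issuer's signature). parent == nil means self-signed,
// i.e. a root CA that signs with its own key.
func issue(name string, pub any, isCA bool, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // example only; real CAs use random serials
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // end entity: put the name in a SAN and restrict the key to server authentication
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey))
	return must(x509.ParseCertificate(der))
}

// enrol is the RA -> CA flow: the applicant submits a CSR, the RA checks the
// CSR's own signature (proof the applicant holds the matching private key), and
// only then does the CA issue a certificate for the public key carried in it.
func enrol(name string, applicantKey *ecdsa.PrivateKey, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, applicantKey))))
	if err := csr.CheckSignature(); err != nil {
		return nil, err // RA rejects: the request was not signed by the key it carries
	}
	return issue(csr.Subject.CommonName, csr.PublicKey, false, ca, caKey), nil
}

// VerifyChain walks leaf -> intermediates -> trusted root (the certificate
// path). Only the root is trusted a priori; every other link is accepted
// solely because its issuer's signature over it verifies.
func VerifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// Hierarchy is the Root CA -> subordinate CA -> end entity model, plus a rogue
// CA that copies the subordinate's name but holds a different key.
type Hierarchy struct{ Root, Sub, Leaf, RogueSub, RogueLeaf *x509.Certificate }

const Host = "pki.example.org" // constructed hostname for the example, not from the slides

func BuildHierarchy() Hierarchy {
	rootKey, subKey, rogueKey := newKey(), newKey(), newKey()
	root := issue("NCS Root CA", &rootKey.PublicKey, true, nil, rootKey)
	sub := issue("NCS Sub CA", &subKey.PublicKey, true, root, rootKey)
	rogueSub := issue("NCS Sub CA", &rogueKey.PublicKey, true, nil, rogueKey)
	leaf := must(enrol(Host, newKey(), sub, subKey))
	rogueLeaf := must(enrol(Host, newKey(), rogueSub, rogueKey))
	return Hierarchy{root, sub, leaf, rogueSub, rogueLeaf}
}
```

VerifyChain(h.Leaf, []*x509.Certificate{h.Sub}, h.Root, Host) returns nil, while the same call on h.RogueLeaf fails with an unknown-authority error even when h.RogueSub is offered as an intermediate: the rogue CA's certificate carries the right name but no signature from the trusted root, so the path never closes. Passing a different hostname fails too, because the name check is done against the leaf's SAN, not its CommonName.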

  25. MODELS - HIERARCHICAL
