The PKIX Standards and PKI implementations The PKIX Standards and PKI Implementations Simos Xenitellis University of London S.Xenitellis@rhbnc.ac.uk 1 16th May, 2000, University of London
The PKIX Standards and PKI implementations Agenda We are going to discuss about • open-source software • public key cryptography • PKI functionality about • the PKIX Standards and finally about • PKI implementations 2 16th May, 2000, University of London
The PKIX Standards and PKI implementations Open-source is • a new trend • a new software development model • is based on the almost zero distribution costs • quick initial distribution • not expensive life-cycle In short • availability of source code • covered by suitable unencumbered licence 3 16th May, 2000, University of London
The PKIX Standards and PKI implementations Public Key Cryptography Algorithms • RSA • El Gamal • Elliptic curves can • encrypt/decrypt • sign/verify 4 16th May, 2000, University of London
The PKIX Standards and PKI implementations Example of Public Key Cryptography: RSA Setup • Find strong primes p and q. • Set n = p * q • Pick e co-prime with (p-1)(q-1) • and find d so that (d * e) mod ((p-1)(q-1)) = 1 the keys are • Public: n and e • Private: d 5 16th May, 2000, University of London
The PKIX Standards and PKI implementations Creation of a Certification Authority In the beginning, the CA • generates public/private key pair • generates certificate request • make a certificate out of the certificate request (sign) • gives that certificate, the root CA certificate to everyone • keeps private key very private 6 16th May, 2000, University of London
The PKIX Standards and PKI implementations Client sign-up Procedure • user creates own certificate request • sends over to RA to authorise • if RA says ok, sends over to CA • CA signs the request, thus creating a Certificate • CA sends Certificate back to RA • RA publishes it somehow • user gets Certificate 7 16th May, 2000, University of London
The PKIX Standards and PKI implementations Why PKIs? To improve Internet Security • S/MIME • TLS • IPSec To provide • confidentiality • data integrity • data-origin authentication • non-repudiation 8 16th May, 2000, University of London
The PKIX Standards and PKI implementations Historical Events • Everything started from X.500, circa 1984 • X.500 was about directory services • became standard at end of 80s • defined the X.509 certificate format • X.509 too generic and untested in real applications • someone had to stand-up and define area of applicability 9 16th May, 2000, University of London
The PKIX Standards and PKI implementations X.509 v2 ’93 X.500 revision in 1993 Two fields added in certificate • subjectUniqueIdentifier • issuerIniqueIdentifier Support directory access control PEM made use of v2 10 16th May, 2000, University of London
The PKIX Standards and PKI implementations X.509 v3 ’96 PEM implementation showed deficiences ISO/IEC/ITU and ANSI X9 standard Standard extensions • additional subject identification information • key attribute information • policy information • certification path constraints 11 16th May, 2000, University of London
The PKIX Standards and PKI implementations Enter IETF Still X.509 Certificates were lacking Formed PKIX Working Group (Oct95) Specified Internet PKI profile In detail • for X.509 v3 PKCs • for X.509 v2 CRLs Gone through 11 drafts Now it official, RFC2459 12 16th May, 2000, University of London
The PKIX Standards and PKI implementations PKIX Definitions Certificate • Attribute Certificate • Public Key Certificate Authority • Certification Authority • Attribute Authority • and maybe Registration Authority End Entity 13 16th May, 2000, University of London
The PKIX Standards and PKI implementations PKIX Definitions (cont’) Infrastructures • Public Key Infrastructure (PKI) • Privilege Management Infrastructure (PMI) Documents • Certificate Policy (CP) • Certification Practice Statement (CPS) 14 16th May, 2000, University of London
The PKIX Standards and PKI implementations More PKIX • Profiles for Certs/CRLs • Management protocols • Operational protocols • Certificate Policy and Certification Practice Statement • Time-stamping and data-certification services 15 16th May, 2000, University of London
The PKIX Standards and PKI implementations PKIX: Profiles • Basic Certificate Fields • Certificate extensions • CRL and CRL extensions • Certificate Path Validation • Algorithm support • plus ASN.1 structures and OIDs 16 16th May, 2000, University of London
The PKIX Standards and PKI implementations PKIX: Management protocols For on-line interactions of client with management entities Certificate Management Protocol (CMP) • CMP-TCP • CMP-HTTP 17 16th May, 2000, University of London
The PKIX Standards and PKI implementations PKIX: Operational protocols Delivery of Certs/CRLs/status to client systems Good to have variety here Currently • FTP • HTTP • OCSP • LDAPv2 • LDAPv3 18 16th May, 2000, University of London
The PKIX Standards and PKI implementations PKIX: CP and CPS Addresses • physical and personal security • subject identification requirements • revocation policy • etc. Has examples 19 16th May, 2000, University of London
The PKIX Standards and PKI implementations PKIX: Time stamps (1/2) • Still draft, on 6th revision • Talks about TSA, the Time Stamp Authority Simple (c) • Receives request • Appends current time • Signs • Sends back Offers non-repudiation 20 16th May, 2000, University of London
The PKIX Standards and PKI implementations PKIX: PKIX and DVCS Data Validation and Certification Service What does it do? • certify existence • certifcy correctness of • message • signature Offers non-repudiation 21 16th May, 2000, University of London
The PKIX Standards and PKI implementations PKIX: PKI Entities Operational transactions and management transactions End entity Management transactions PKI users Certificate/CRL Repository Publish Certificate PKI management entities RA CA Publish certificate Publish CRL Management transactions CA 22 16th May, 2000, University of London
The PKIX Standards and PKI implementations PKIX: AC Exchange Server Acquisition AC Issuer Client Acquisition AC "push" Client Server (part of app. protocol) Client Server Lookup Lookup Repository 23 16th May, 2000, University of London
The PKIX Standards and PKI implementations Implementations #1 pyCA and OpenCA • set of CGI scripts • OpenSSL for crypto needs • run ok on Unix/Unix-like • support Netscape • no strict compliance with PKIX • allow RAD testing/implementation 24 16th May, 2000, University of London
The PKIX Standards and PKI implementations Implementations #2 OSCAR • Open Secure Certificate ARchitecture • comes from DTSC, Australia • good support for X.509v3, crypto, PKCS, PKIX • very good Netscape support • source code available, but can’t redistribute/sell freely • should open license 25 16th May, 2000, University of London
The PKIX Standards and PKI implementations Implementaions #3 Mozilla Open Source PKI Projects Provides two libraries • NSS, Network Security Services • PSM, Personal Security Manager Comments • For integration with Netscape/iPlanet products • License is MPL or GPL, you choose • Crypto still in trouble • No strict PKIX compliance • Crypto must get fixed, then go fast 26 16th May, 2000, University of London
The PKIX Standards and PKI implementations Implementations #4 MISPC or Minimum Interoperability Specifications for PKI Components • Brought to you by NIST • CD-only distribution (still waiting for it) • Only for Windows • Has some PKIX support • No crypto for US, yet • Gloomy future 27 16th May, 2000, University of London
The PKIX Standards and PKI implementations Implementations #5 Reference Implementation from IBM PKIX compliance with • RFC 2459 Profiles • RFC 2510 Management • RFC 2511 CRMF • LDAPv2 draft Comments • no crypto for US • they verified the PKIX docs, found errata • uses CDSA • code needs clean-up, looks nice • is freeware, me says they changed their mind 28 16th May, 2000, University of London
The PKIX Standards and PKI implementations Fin We talked about • open-source software • public key cryptography • PKI functionality about • the PKIX Standards and finally about • PKI implementations 29 16th May, 2000, University of London
Recommend
More recommend