












































Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
An in-depth exploration of public key infrastructure (pki), including its basics, types, issues, and applications. The authors cover pretty good privacy (pgp) and x.509 certificates, trust management, and security concerns. Topics include pki architecture, key distribution, authentication, digital signatures, and real-world applications such as ssl and ipsec.
Typology: Study notes
1 / 52
This page cannot be seen from the preview
Don't miss anything!













































E. Oswald and N.P. Smart
Department of Computer Science, University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB United Kingdom.
October 21, 2010
E. Oswald and N.P. Smart
PKI Basics Types of PKIs PGP X. Issues related to Certificates Authorization vs. Authentication Long term signatures Key Escrow TTPs Digital Signatures vs. Electronic Signatures Real World Applications SSL IPSec
E. Oswald and N.P. Smart
E. Oswald and N.P. Smart
E. Oswald and N.P. Smart
Public Key Distribution I (^) How do you trust the source of the public key? I (^) Potential for masquerading
Certification Authorities (CAs) I (^) Keys are signed by the state, the cooperation or some body you trust
Distribution of Trust I (^) You trust in a key is replaced by trust in a body, the CA.
E. Oswald and N.P. Smart
If a user’s public key is compromised I (^) e.g. a third party has gained knowledge of the private key then the corresponding public key must be revoked.
The CA must somehow inform all users that the certificate(s) containing this public key is/are no longer valid.
E. Oswald and N.P. Smart
E. Oswald and N.P. Smart
I (^) PGP version number I (^) certificate holder’s public key I (^) certificate holder’s information I (^) identity information like name I (^) user ID, photograph, etc. I (^) digital signature of the certificate owner (signer) I (^) validity period I (^) preferred symmetric encryption algorithm The most remarkable feature of a PGP certificate is that it can contain signatures from more several signers.
E. Oswald and N.P. Smart
Authenticating email I (^) Helps to stop problems of email masquerading
Authenticating other transactions I (^) Remote Web updating
Secure email for roaming employees
Known to have been used by human rights activists to help get details of atrocities out to the world, I (^) Without the senders being found out.
E. Oswald and N.P. Smart
Uses RSA public key encryption for low volume data such as session keys.
Session keys are generated by a cryptographic pseudo random number generator, PRNG.
Data is compressed before transmission.
IDEA is the bulk encryption algorithm I (^) 64 bit block size I (^) 128 bit key size I (^) Used in 64 bit CFB mode.
E. Oswald and N.P. Smart
The initial entropy to seed the PRNG I (^) Obtained from inter-character timings from user at the keyboard.
Finds prime numbers using simple tests for primality I (^) Not guaranteed to use prime numbers, but highly likely.
For RSA I (^) Stores p and q to speed up the private key operations
All private data protected by IDEA under a pass phrase.
E. Oswald and N.P. Smart
Requires inserting information into a local file I (^) Individuals have control over their own local public key store I (^) Does not rule out a centralised public key store, but this is not needed.
Invalidating compromised keys This is a major problem of all systems, particularly PGP I (^) Have an ad-hoc method of tell your friends my key is broken
E. Oswald and N.P. Smart
If more than one CA exists, then a user may not have a trusted copy of the CAs public key needed to verify another users certificate.
This is solved by cross-certificates, i.e. one CA’s public key is signed by another CA.
The user first verifies the appropriate cross-certificate, and then verifies the user certificate itself.
With many CA’s one can get quite long certificate chains
E. Oswald and N.P. Smart
Verisign (say) ^ @@R CA 1 ^
@@R CA 3 ^
Bob
Alice
Alice trusts Verisign I (^) She obtains Bobs public key which is signed by the private key of CA I (^) She obtains CA2’s public key which is signed by the private key of Verisign.
Hence she trusts Bob’s public key.
E. Oswald and N.P. Smart