Public Key Infrastructure: A Comprehensive Guide by E. Oswald and N.P. Smart, Study notes of Advanced Computer Architecture

An in-depth exploration of public key infrastructure (pki), including its basics, types, issues, and applications. The authors cover pretty good privacy (pgp) and x.509 certificates, trust management, and security concerns. Topics include pki architecture, key distribution, authentication, digital signatures, and real-world applications such as ssl and ipsec.

Typology: Study notes

2010/2011

Uploaded on 09/07/2011

home-alone
home-alone 🇬🇧

4

(1)

18 documents

1 / 52

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
COMSM0213 : Public Key Infrastructure
E. Oswald and N.P. Smart
Department of Computer Science,
University Of Bristol,
Merchant Venturers Building,
Woodland Road,
Bristol, BS8 1UB
United Kingdom.
October 21, 2010
E. Oswald and N.P. Smart
COMSM0213 : Public Key Infrastructure Slide 1
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25
pf26
pf27
pf28
pf29
pf2a
pf2b
pf2c
pf2d
pf2e
pf2f
pf30
pf31
pf32
pf33
pf34

Partial preview of the text

Download Public Key Infrastructure: A Comprehensive Guide by E. Oswald and N.P. Smart and more Study notes Advanced Computer Architecture in PDF only on Docsity!

COMSM0213 : Public Key Infrastructure

E. Oswald and N.P. Smart

Department of Computer Science, University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB United Kingdom.

October 21, 2010

E. Oswald and N.P. Smart

Outline

PKI Basics Types of PKIs PGP X. Issues related to Certificates Authorization vs. Authentication Long term signatures Key Escrow TTPs Digital Signatures vs. Electronic Signatures Real World Applications SSL IPSec

E. Oswald and N.P. Smart

Distribution of Public Keys

E. Oswald and N.P. Smart

Distribution of Public Keys

E. Oswald and N.P. Smart

Key Authentication

Public Key Distribution I (^) How do you trust the source of the public key? I (^) Potential for masquerading

Certification Authorities (CAs) I (^) Keys are signed by the state, the cooperation or some body you trust

Distribution of Trust I (^) You trust in a key is replaced by trust in a body, the CA.

E. Oswald and N.P. Smart

Revocation

If a user’s public key is compromised I (^) e.g. a third party has gained knowledge of the private key then the corresponding public key must be revoked.

The CA must somehow inform all users that the certificate(s) containing this public key is/are no longer valid.

E. Oswald and N.P. Smart

Pretty Good Privacy (PGP)

E. Oswald and N.P. Smart

PGP certificates

I (^) PGP version number I (^) certificate holder’s public key I (^) certificate holder’s information I (^) identity information like name I (^) user ID, photograph, etc. I (^) digital signature of the certificate owner (signer) I (^) validity period I (^) preferred symmetric encryption algorithm The most remarkable feature of a PGP certificate is that it can contain signatures from more several signers.

E. Oswald and N.P. Smart

Uses of PGP

Authenticating email I (^) Helps to stop problems of email masquerading

Authenticating other transactions I (^) Remote Web updating

Secure email for roaming employees

Known to have been used by human rights activists to help get details of atrocities out to the world, I (^) Without the senders being found out.

E. Oswald and N.P. Smart

Basics Of PGP

Uses RSA public key encryption for low volume data such as session keys.

Session keys are generated by a cryptographic pseudo random number generator, PRNG.

Data is compressed before transmission.

IDEA is the bulk encryption algorithm I (^) 64 bit block size I (^) 128 bit key size I (^) Used in 64 bit CFB mode.

E. Oswald and N.P. Smart

PGP: Key Pair Generation

The initial entropy to seed the PRNG I (^) Obtained from inter-character timings from user at the keyboard.

Finds prime numbers using simple tests for primality I (^) Not guaranteed to use prime numbers, but highly likely.

For RSA I (^) Stores p and q to speed up the private key operations

All private data protected by IDEA under a pass phrase.

E. Oswald and N.P. Smart

Managing PGP Key Rings

Requires inserting information into a local file I (^) Individuals have control over their own local public key store I (^) Does not rule out a centralised public key store, but this is not needed.

Invalidating compromised keys This is a major problem of all systems, particularly PGP I (^) Have an ad-hoc method of tell your friends my key is broken

E. Oswald and N.P. Smart

Cross-Certification and Cert Chains

If more than one CA exists, then a user may not have a trusted copy of the CAs public key needed to verify another users certificate.

This is solved by cross-certificates, i.e. one CA’s public key is signed by another CA.

The user first verifies the appropriate cross-certificate, and then verifies the user certificate itself.

With many CA’s one can get quite long certificate chains

E. Oswald and N.P. Smart

Verisign (say) ^ @@R CA 1 ^

CA 2

@@R CA 3 ^

Bob

Alice

Alice trusts Verisign I (^) She obtains Bobs public key which is signed by the private key of CA I (^) She obtains CA2’s public key which is signed by the private key of Verisign.

Hence she trusts Bob’s public key.

E. Oswald and N.P. Smart