Overall Cryptography and PKI Introduction

Public Key Infrastructure in Brief

January 31, 2002

What is a PKI?

• A common misperception is that a PKI is a thing. In fact, it’s a capability—the capability to easily publish, manage, and use public keys.

• A PKI consists of a group of discrete components that work together to allow you to use public keys, and public-key cryptography, seamlessly and transparently.

• A system that establishes and maintains trustworthy e-business environments through the generation and distribution of keys and certificates.

Value-Add of PKI

Feature: Benefit

• Authentication: Allows your e-business to engage trusted customers, partners and employees

• Authorization/Access Control: Allows business rules to dictate who uses what resources, under what conditions

• Confidentiality: Data is obscured and protected from view or access by unauthorized individuals

• Integrity: Prevents any transaction from being tampered with

• Non-repudiation: Prevents any party from denying an e-business transaction after the fact

• Audit controls: Provides audit trails and recourse for e-business transactions

PKI: e-Business Enabler

• Makes trusted e-business possible

• Enables new e-business processes

• Provides integrated, comprehensive:

- Authorization

- Confidentiality

- Authentication

- Integrity

- Non-repudiation

- Audit controls

...Transparently to users across applications and platforms

[Diagram: ALL OF THESE REQUIRE A PKI. Security services and the mechanism shown for each: Authentication & Non-repudiation (Digital Signature); Confidentiality & Access Control (Encryption); Integrity (Digital Signature). Underlying layers: Public/Private Keys; Certificates; Public Key Infrastructure.]

Created Market for PKI Products and Services

[Chart: revenue by year, 1998 to 2002; bar labels $100M, $200M, $400M, $800M, $1,200M. Source: NationsBank Montgomery/Gartner Group]

PKI Market: Secure Transactions & Communications

[Chart: total market by year, 98 to 02, labelled $110M, $200M, $400M, $800M, $1,200M, broken down by segment: Internal Enterprise, B2B, B2C/G2C, Other. Source: NationsBank Montgomery/Soundview/Entrust]

General PKI Requirements

• Certification Authority

• Certificate Repository

• Certificate Revocation

• Key Backup & Recovery

• Support for non-repudiation

• Automatic Key Update

• Key Histories

• Timestamping

• Cross-certification

• Application software

PKIX Standards Participation

• PKIX-1: Chaired and edited by Entrust staff

• PKIX-2: LDAP portion authored by Sharon Boeyen

• PKIX-3: CMP portion authored by Carlisle Adams

• PKIX-4: participation by Sharon Boeyen & others

• PKIX-5: authored by Carlisle Adams, Robert Zuccherato

• PKIX-6: authored by Carlisle Adams, Robert Zuccherato

• PKIX Overview for IEEE: authored by Carlisle Adams and Steve Lloyd

Internet Security Models

Scale: Minimal Security to Strong Security

• Level 1: Unsecured session with user name and password

• Level 2: Secure Session with server Digital ID authentication only

• Level 3: Secure Session with user name and password

• Level 4: Secure Session with user Digital ID authentication

• Level 5: Secure Session with Managed User Digital ID authentication

• Level 6: Secure Session with Managed User and Server Digital ID; support for non-repudiation of transactions

Diagram labels: Unmanaged Digital IDs, Managed Digital IDs; Unmanaged Trust, Managed Trust

Internet Security Models

[Diagram: the same scale from Minimal Security to Strong Security, Level 1 (Unsecured session with user name and password) through Level 6, with the Unmanaged/Managed Digital IDs and Unmanaged/Managed Trust labels, annotated with Entrust products: Entrust/Direct™; Entrust/Unity™, Entrust/TruePass™; Entrust/Web Connector; Entrust.net™]

Cryptography in Brief

September 12, 2000

Cryptographic Algorithms

• Two types of cryptographic algorithms:

• Symmetric algorithms

• Public-key algorithms

• The two types of algorithms are highly complementary

Symmetric Cryptography

• Also called secret-key cryptography

• Single key used to encrypt and decrypt

• Examples: CAST, DES, T-DES

Public-key Cryptography

• Keys come in pairs (public + private)

• Public key is available to anyone

– like a phone number in the telephone book

• Private key is kept secret by the owner

– like ATM PIN

• Examples: RSA, DSA, Diffie-Hellman

Public-key Encryption

• Alice encrypting a file for Bob

• Encryption provides:

– confidentiality

– access control

[Diagram: Alice takes Bob's Public Key from the Directory of Public Keys and uses it to ENCRYPT; the Ciphertext goes to Bob, who uses Bob's Private Key to DECRYPT.]

How Public-key Encryption Works

Encryption Process

• encrypt file using symmetric key

• encrypt symmetric key for recipients using their public keys

• combine header with protected data in one file

Decryption Process

• extract symmetric key using private key

• decrypt file using symmetric key

• recover original file
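The encryption and decryption processes above, as an added Ruby example that is not part of the original slides. The envelope layout, the method names `seal` and `open_envelope`, and the choice of AES-256-GCM with RSA-OAEP are assumptions made for illustration; the keys and the file are constructed.

```ruby
require "openssl"

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Encryption process: encrypt the file once with a fresh symmetric key, encrypt
# that key for each recipient with their public key, and combine the header
# (wrapped keys) with the protected data. The hash layout is an assumption.
def seal(file, recipients)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(file) + cipher.final
  header = recipients.transform_values { |pub| pub.public_encrypt(key, OAEP) }
  { header: header, iv: iv, tag: cipher.auth_tag, data: data }
end

# Decryption process: extract the symmetric key with the private key, then
# decrypt the file. Returns nil for a non-recipient or a modified file.
def open_envelope(env, name, private_key)
  wrapped = env[:header][name]
  return nil unless wrapped
  decipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  decipher.key = private_key.private_decrypt(wrapped, OAEP)
  decipher.iv = env[:iv]
  decipher.auth_tag = env[:tag]
  decipher.auth_data = ""
  decipher.update(env[:data]) + decipher.final
rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

# Constructed demo: Alice encrypts one file for two recipients, Bob and Carol.
bob = OpenSSL::PKey::RSA.new(2048)
carol = OpenSSL::PKey::RSA.new(2048)
mallory = OpenSSL::PKey::RSA.new(2048)
env = seal("quarterly report (constructed sample)",
           "bob" => bob.public_key, "carol" => carol.public_key)
puts open_envelope(env, "bob", bob)             # a listed recipient recovers the file
puts open_envelope(env, "bob", mallory).inspect # another private key cannot unwrap the key
```

The file is encrypted only once regardless of the number of recipients; adding a recipient adds one wrapped key to the header.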

Public-key Digital Signature

• Alice signing a file

– Bob verifying Alice’s signature

• Digital signature provides:

– integrity

– authenticity

– non-repudiation

[Diagram: Alice uses Alice’s Private Key to SIGN; the Signed Plaintext goes to Bob, who uses Alice’s Public Key to VERIFY.]

How Digital Signature Works

Signing Process

• calculate hash

• sign hash with private key

• result: signed plaintext

Verification Process

• calculate fresh hash

• verify original hash with public key

• compare verified hash with fresh hash

[Diagram: digital signature data flow. Alice: Data → Hashing Algorithm f(h) → Digest → f(e) with Private Key of Alice → Encrypted Digest or Hash of Message (the Digital Signature). Bob: Data → f(h) → Digest; Digital Signature → f(d) with Public Key of Alice → Digest; the two digests, labelled Actual and Expected, are compared: Actual = Expected?]

If Yes, integrity of the message is restored and non-repudiation is established.
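The signing and verification processes above, as an added Ruby example that is not part of the original slides. The message layout, the method names `sign_file` and `verify_file`, the in-memory directory of public keys, and the use of RSA with SHA-256 are assumptions made for illustration; keys and messages are constructed.

```ruby
require "openssl"

# Signing process: hash the data and sign the hash with the signer's private
# key (OpenSSL's sign does both steps). The result is signed plaintext: the
# data stays readable and the signature travels with it.
def sign_file(data, signer, private_key)
  { data: data, signer: signer,
    signature: private_key.sign(OpenSSL::Digest.new("SHA256"), data) }
end

# Verification process: fetch the claimed signer's public key from the
# directory, hash the received data afresh, and check that fresh hash against
# the one bound into the signature. Returns a symbol naming the outcome.
def verify_file(msg, directory)
  public_key = directory[msg[:signer]]
  return :unknown_signer unless public_key
  ok = public_key.verify(OpenSSL::Digest.new("SHA256"), msg[:signature], msg[:data])
  ok ? :valid : :invalid
rescue OpenSSL::PKey::PKeyError
  :invalid
end

# Constructed demo: a directory of public keys that holds only Alice's key.
alice = OpenSSL::PKey::RSA.new(2048)
mallory = OpenSSL::PKey::RSA.new(2048)
directory = { "alice" => alice.public_key }

msg = sign_file("Pay Bob 100 (constructed sample)", "alice", alice)
puts verify_file(msg, directory)                            # untouched message
puts verify_file(msg.merge(data: "Pay Bob 900"), directory) # data changed in transit
puts verify_file(sign_file("Pay Mallory 100", "alice", mallory), directory) # signed with another key
```

Verification is only as trustworthy as the directory lookup: binding the name "alice" to the right public key is the job the slides assign to certificates and the PKI.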

Putting it all Together ...

• Signing & Sending: SIGN with Alice’s private key, ENCRYPT with Bob’s public key

• Transport: e-mail, floppy, file transfer

• Receiving & Verification: DECRYPT with Bob’s private key, VERIFY with Alice’s public key
