Upload
regina-austin
View
215
Download
0
Tags:
Embed Size (px)
Citation preview
Deploying a Certification Authority for
Networks Security
Prof. Dr. VICTOR-VALERIU PATRICIUCdor.Prof. Dr. AUREL SERB
Computer Engineering DepartmentMilitary Technical Academy
Bucharest, Romania
Information Security Requirements
Confidentiality• protection from disclosure to unauthorized persons
Integrity• Maintaining data consistency
Authentication• Assurance of identity of person or data originator
Non-repudiation• Communication originator can’t deny it later
Public-Key Encryption
Confidentiality
Digital Signatures-creation-
Public Key Distribution
Public Key Distribution
Digital Certificate • Is a person really who claim?
• The public key really belongs to this person?
Certificate Structure
What is PKI-Public Key
Infrastructure-PKI refers to the services providing: • generation, production, distribution,
control,revocation,archive of certificates• management of keys,• support to applications providing
confidentiality and authentication of network transactions.
PKI for Military Use• provide secure interoperability throughout
the military organizations and with its partners- government, industry and academia;
• standards based;• uses commercial PKI products to minimize
the investment;• support digital signature and key exchange;• support key recovery;• support Federal Information Processing
Standards- FIPS compliance requirements.
General PKI Structure
CA’s are Trusted to Do • A central administration - issues certificates:
-company to its employees-university to its students-public CA (like VeriSign) to clients
• The CA must keep confidential his Private Key used to sign certificates
• The CA does not assign different certificates the same serial number
• The CA makes sure all the information in a certificate is correct
• Up to date Certificate Revocation List (CRL)
Our PKI Research/ Study -directions-
• Understanding PKI technology and establish – applications demanding PKI– PKI architecture
• Analysis of the possibilities/facilities of a vendor CA software-RSA Keon
• Developing our own CA software, using Eric Young Open SSL library
• Defining an adequate certificate policy and practice statement
PKI Main Applications
• Paperless Office -Document & E-mail Signing and Protecting
• Secure Web - User Authentication and Secure Communications
• Security in Organization’s Intranet/Extranet-VPN
• Certificate Authority -for the Romanian (Military) Internet Users
Deploying a PKI -Main steps-
•Analysis of Operational Requirements•Establish PKI Applications•Defining security policies
•Defining a deployment road map•Establish the infrastructure (PKI & CA Design)
•Personnel Selection•Hardware and Software Acquisition
•PKI Training•Management & Administration
Defense PKI (DPKI) Generation, production, distribution,
control, revocation, archive of public key certificates;
Management of keys; Support to applications providing
confidentiality and authentication of network transactions;
Data integrity; Non-repudiation.
Certificate ClasesFor DPKI, it can adopt a certificate policy, which uses 3
classes of certificates:Low Class Certificates (for unclassified/sensitive
information on classified network)- May be used for: Digital signatures for classified information on
encrypted network; Key exchange for the protection (confidentiality) of
communities of persons on encrypted networks; Non-repudiation for medium value financial or for
electronic commerce applications.
Certificate Clases Medium Class Certificates (for unclassified/sensitive
information on classified network)-. May be used for: Digital signatures for unclassified mission critical and national
security information on un encrypted network Key exchange for the confidentiality of high valued
compartmented information on encrypted networks or classified data over unencrypted networks
Protection information crossing classification boundaring Non-repudiation for large financial or for electronic commerce
applications.
.
Certificate Clases High Class Certificates (for classified
information on open network)- May be used for: Digital signatures for authentication of subscriber
identity for accessing classified information over unprotected networks
Key exchange for confidentiality of classified information over unencrypted networks
Digital signatures for authentication of key material in support of providing confidentiality for classified information over unprotected networks.
.
CONCLUSIONS • PKI -simplifies the management of security • RAF structures and organizations can spend
less time worrying about security, and more energy on their main activities (confidential documents no longer need to wait for days to be physically shipped; instead, they can be securely sent through e-mail)
• Web servers can allow secure access for only designated users
• Military organization networks can securely extend over the Internet, eliminating expensive leased data lines
• PKI’s possibilities are limitless
CONCLUSIONS• For Romanian Armed Forces, the Public Key
Infrastructure (PKI) capability may adopt the following components: -Root Certificate Authority
-Certificate Authorities -Local Registration Authorities, -Certificate Directory, and principles: -use commercial and/or proprietary products,
-use smart cards for protection of private keys and certificates, processing digital signature, access control.
CONCLUSION ?
Steve BellovinAT&T Security Guru
“-What are the strongest defenses?
-There aren’t any”