《Sofia University PKI应用培训》由会员分享,可在线阅读,更多相关《Sofia University PKI应用培训(45页珍藏版)》请在金锄头文库上搜索。
1、Public Key Infrastructure and ApplicationsSvetlin NakovSofia University “St. Kliment Ohridski”E-mail: Nikolay NedyalkovLatona DevelopmentE-mail: AgendanPKI Overview nDigital SignaturesnWhat is it?nHow does it work? nDigital Certificates nPublic Key InfrastructurenPKI ComponentsnPolicies nInternet Se
2、curitynWeb Security with SSL nSmart Cards nEmail signing S/MIMEWhats the problem?nInformation over the Internet is Free, Available, Unencrypted, and Untrusted.nNot desirable for many Applicationsn Electronic Commercen Software Productsn Financial Servicesn Corporate Datan Healthcaren Subscriptionsn
3、Legal InformationMultiple Security IssuesPrivacyPrivacyIntegrityIntegrityAuthenticationAuthenticationNon-repudiationNon-repudiationInterceptionSpoofingModificationProof of parties involvedWhy do PKIs need Trust ? CAs could issue certificates without checking the owner identity. CAs could deliberatel
4、y issues false certificates. Private keys could be disclosed by accident, . or on purpose. nFalse certificates could be inserted into your browser. nPortals could contain false URLs. nKnowing a principals identity does not mean that the principal can be trusted.Security AlgorithmsnPublic Key Algorit
5、hmsnRSA, DSA, Diffie-Hellman, Elliptic CurvenSymmetric AlgorithmsnTriple-DES, DES, CAST, RC2, IDEAnHashing AlgorithmsnSHA-1, MD5, RIPEMDSymmetric Key EncryptionnIf any ones key is compromised, all keys need to be replacednNot practical or cost effective for Internet environmentsINTERNETPublic Key Cr
6、yptographyPublicEncryptionOriginal DocumentEncrypted DocumentPrivateDecryptionOriginal DocumentSenderReceiverPublic-Key Cryptography is an encryption scheme that uses mathematically related, but not identical keys. Each user has a key pair (public key/private key).Information encrypted with the publ
7、ic key can only be decrypted using the private key.What is a Digital Signature ? A Digital Signature is the result of encrypting the Hash of the data to be exchanged. A Hash (or Message Digest) is the process of mathematically reducing a data stream down to a fixed length field. The Hash uniquely re
8、presents the original data. The probability of producing the same Hash with two sets of different data is .001%. Signature Process is opposite to Encryption Process Private Key is used to Sign (encrypt) Data Public Key is used to verify (decrypt) Signature Digital Signature ProcessnStep 1. Hash (dig
9、est) the data using one of the supported Hashing algorithms, e.g., MD2, MD5, or SHA-1. nStep 2. Encrypt the hashed data using the senders private key.nStep 3. Append the signature (and a copy of the senders public key) to the end of the data that was signed.DataHashEncryptHashDigital SignatureDigita
10、l SignaturePrivateStep 1.Step 2.Step 3.PublicSignature Verification ProcessnStep 1. Hash the original data using the same hashing algorithm.nStep 2. Decrypt the digital signature using the senders public key. All digital signatures contain a copy of the signers public key.nStep 3. Compare the result
11、s of the hashing and the decryption. If the values match then the signature is verified. If the values do not match, then the data or signature was probably modified in transit.DataHashDecryptHashDigital SignaturePublic KeyStep 2.Step 3.HashStep 1.The Critical QuestionsnHow can the recipient know wi
12、th certainty the senders public key? (to validate a digital signature)nHow can the sender know with certainty the recipients public key? (to send an encrypted message)Digital Certificates Before B accepts a message with As Digital Signature, B wants to be sure that the public key belongs to A and no
13、t to someone masquerading as A on an open network One way to be sure, is to use a trusted third party to authenticate that the public key belongs to A. Such a party is known as a Certification Authority (CA) Once A has provided proof of identity, the Certification Authority creates a message contain
14、ing As name and public key. This message is known as a Digital Certificate. Digital Signature Before two parties exchange data using Public Key cryptography, each wants to be sure that the other party is authenticatedDigital CertificatesnA Digital Certificate is simply an X.509 defined data structur
15、e with a Digital Signature. The data represents who owns the certificate, who signed the certificate, and other relevant informationVersion # Serial # Signature Algorithm Issuer Name Validity Period Subject Name Subject Public Key Issuer Unique ID Subject Unique ID ExtensionsDigital SignatureX.509 C
16、ertificateCA AuthorizedWhen the signature is generated by a Certification Authority (CA), the signature can be viewed as trusted. Since the data is signed, it can not be altered without detection. Extensions can be used to tailor certificates to meet the needs of end applications.Certificate Life CycleKey pair generatedCertificate issuedKey pair in usePriv
