Information system security wk5-1-pki

IT346 Information
System Security
Week 5-1: PKI

Faculty of Information Technology

Page

Digital Certificate
Secret Key



Key
Distribution Center)

Public Key

Authority (CA)

Public Key
Key

CA
‣
‣

CA

Key
KDC (Key

Certificate

CA

Public

CA

(Digital Certificate)

Page

2

Digital Certificate
 Digital Certificate

Public Key
Digital Certificate

Digital Signature
Owner’s Info

CA

Owner’s public key

Issuer’s Info



Issuer’s signature

Certificate

Public Key
Digital Certificate
Digital
Page

3

Public Key
Infrastructure (PKI)

public key cryptosystem

public/private

key pair

certificate
Trusted
Third Party (TTP)
public/private key pair
identity
certificate
certificate
public
key
certificate

TTP
sign
certificate
Subjec Public Expiratio
…
TTP
private key
TTP Issuer
t ID


Key

n Date
(TTP ID)
Certificate Structure

Signature
Page

4

Public Key
 Certificate Authority (CA)
TTP
certificate



CA 1

certificate

CA
verify certificate
public key
CA
CA
(hierarchy)
Public Key Infrastructure (PKI)
‣

CA
‣

Root CA

certificate

public key

Root
Page

5

Public Key
Root
CertC
A1
CA PKC Sigr CA
1
A1
oot
1
CertAl
ice
Alic PKA Sig
lice
CA1
e

CA

CertC
CA PKC Sigr
CA A2
A2
oot
2
2
CertC
CA2
CA2 A2.2 PKC SigC
CA
.1 Cert
.2
A2
2.2 A2.2
ob
Bob

B

PKB SigC
ob

A2.2

 Alice  Bob: message || CertAlice || CertCA1
 Bob  Alice: message || CertBob || CertCA2.2 || CertCA2

tree
certificate
CA

certificate
CA
hash
certificate

copy

CA

certificate
Page

6

Certificate
Certificate



(Authentication)
(Encryption)
‣ Web Site Certificate:

secure connection
Certificate

Server
Page

Certificates
Windows

 Internet Explorer (IE)

Certificates
Applications
‣

Microsoft

Certificates
IE
Tools  Internet Options


Page



Certificates
Windows

Trusted Root CA
Certificate
Root CA
‣

Certificate
Web Site
Sign
Web Site

Root CA
Web Site

 CA
‣ Verisign
‣ GeoTrust
‣ Thawte Consulting

Page

9

Certificates
Windows
Certificate
IE



Certificate
IE
Certificate
Web Site Certificate

‣

Certificate

IE

Certificate
‣

Certificate

IE

CA
Page

10

Revocation List
(CRL)

Certificate

(Revoke) Certificate

‣ Certificate
‣
Certificate
‣

 CA

Private Key
Certificate
Private Key
Private Key
Certificate

Certificate Revocation
Page

X.509
 X.509

ITU-T (International
Telecommunication Union –
Telecommunication Standardization
Sector)
Public Key Infrastructure
(PKI)
‣

Certificate,
Revocation List,
Certificate


PKI
Certificate

Page

12

X.509 Certificate
X.509
Version 3

certificate
CA

Sign Certificate

CA
Certificate

Sign
Certificate
Certificate
Public Key
Key
Pubic Key

CA

Certificate

Hash
Private Key
CA
Certificate
CA
Hash


Page

13

X.509 PKI
Root
CA
Cert CA
CA1
1
CA2
.1

Cert
Alice

Cert

CA
2

CA2

CA2 CertC
A2.2
.2
Cert

 X.509

‣


Root CA

PKI

Bob

PKI
Root CA

Page

14

X.509 Certification
Signature Chain
Certificate



CA<<Subject>>

CA
Certificate
Subject
‣ Cathy<<Alice>>

Alice
‣ Dan<<Bob>> Dan
Bob


CA 2

Cathy

Certificate

Certificate

cross-certified
CA
Page

15

X.509 Certification
Signature Chain


Certification Signature
Chain
trust
cross-certified
CA
Alice
Cathy
Alice
certificate signature chain
Bob
Cathy<<Dan>> Dan<<Bob>>

‣

• Alice

Dan
Alice


Dan

Certificate

Cathy

Cathy
Bob

Bob
Certificate
Page

16

X.509 Certification
Signature Chain
‣

Bob
Dan
Bob
certificate signature chain
Alice
Dan<<Cathy>> Cathy<<Alice>>
• Bob

Certificate
Alice
Cathy
Certificate
Cathy
Dan
Bob
Dan
Alice


Page

17

(User
Authentication)

Page

18

(Authentication)



‣ Authentication

“authenticus (αὐθεντικός)”,

,

,

‣ Authentication

‣ Authentication

Security Goal(s)



?

(User
Page

Authentication
Process
 Authentication

 Authentication

(access control)
(user accountability)


Page

20

Authentication
Process
 Identification =
‣

‣ Identity

service

:

(identifier)
access control

security

 Verification =
‣

(authentication information)

Page

21

User VS Message
Authentication
 Message Authentication
‣

 User Authentication
‣

identity


Page

22

: User
Authentication
identity


Page

23

Password
Authentication


‣ User

password
(multiuser
systems),
network-based servers,
Web-based e-commerce sites)

‣

name/login

password
login

password

 User ID:
‣

Page

24

Password
Vulnerabilities
Offline
diction
ary
attack
Specific
account
attack


Popula
r
passwo
rd
attack
Passwo

rd
guessin
g
against
single
user

Workst
ation
hijacki
ng

Exploiti
ng
multipl
e
passwo
rd use

Exploiti
ng user
mistak
es

Electro
nic
monito
ring

Page

25

Password
Vulnerabilities
 Offline dictionary attack:
‣

‣

password file
password hashes

password
match
ID

hash

password

 Specific account attack:
‣
account
password
password

Page

26

Password
Vulnerabilities

 Password guessing against single user:
‣ Attacker
password policies
password.
 Workstation hijacking:
‣ Attacker

log-in

 Exploiting multiple password use:
‣ Attack

Page

27

Password
Vulnerabilities
 Exploiting user mistakes:

password,

‣

password

‣

‣ Attacker

passwords

user
password

social engineering

account manager

‣

Page

28

Password
Vulnerabilities
 Electronic monitoring
‣ Password

log on

remote system
(eavesdropping)

‣ Encryption

encrypted password
password
Attacker


Page

29

(Countermeasures)


authentication

password-based

password file
user ID.

password

‣

way hash function
password
 Against offline dictionary attack

one-

‣

password file
‣

detection)
‣

(intrusion

password
compromised passwords
Page

30

(Countermeasures)
 Against popular password attack
‣ Policies

password

‣ Scan

IP addresses
authentication requests
cookies
client
pattern
password

 Against password guessing against

single user
‣
‣ policies

,


password policies
password
password, set

,
Page

31

(Countermeasures)

 Against exploiting user mistakes
‣
,
intrusion detection
‣
passwords
authentication
 Against exploiting multiple password

use

‣ policies

password
network device

 Against electronic monitoring
‣
Replay Attack

Page

32

Information system security wk5-1-pki

Recommandé

Recommandé

Contenu connexe

En vedette

En vedette (9)

Similaire à Information system security wk5-1-pki

Similaire à Information system security wk5-1-pki (20)

Plus de Bee Lalita

Plus de Bee Lalita (11)

Dernier

Dernier (20)

Information system security wk5-1-pki