08_pki - Public Key Infrastructures, Peter Sjödin

1 Public Key Infrastructures
Peter Sjödin
Based on material by Vitaly Shmatikov, Univ. of Texas, and by the previous course teachers

2 Public Key Infrastructures
• Trust models and CA organization
• X.509 and PKIX standards
• Certificate Revocation

3 Certification Authorities
• One CA for everyone is impractical
• Multiple CAs
• Who is in charge of what?
• Where can we find the certificate of a given user?
• How are certificates transmitted over the network? What is the format?
• Deploy a Public Key Infrastructure!
[Figure: Bob’s public key $K_B^+$ and Bob’s identifying information are digitally signed (encrypt) with the CA private key $K_{CA}^-$, giving the certificate for Bob’s public key, signed by CA.]

4 Hierarchical Approach
• Use a trusted root authority
• For example, Verisign
• Everybody must know the public key for verifying root authority’s signatures
• Root authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual networks, and so on
• Instead of a single certificate, use a certificate chain
• $\mathrm{sig}_{\mathrm{Verisign}}(\text{“UT Austin”}, PK_{UT}),\ \mathrm{sig}_{UT}(\text{“Vitaly S.”}, PK_V)$
• What happens if root authority is ever compromised?
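
The chain on this slide, verified link by link from the trust anchor. This is an added example, not part of the original slides; it assumes textbook RSA without padding over SHA-256, and the toy keys, the helper names (keypair, digest, issue, verify_chain, swapped_leaf_key) and the dictionary certificate layout are all constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def keypair(p, q):
    """Toy RSA key from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(name, key, n):
    """Hash the signed fields (name, public key) into an integer below n."""
    h = hashlib.sha256(f"{name}|{key}".encode()).digest()
    return int.from_bytes(h, "big") % n

def issue(issuer, issuer_n, issuer_d, name, key):
    """sig_issuer(name, key): certificate binding `name` to public key `key`."""
    sig = pow(digest(name, key, issuer_n), issuer_d, issuer_n)
    return {"issuer": issuer, "name": name, "key": key, "sig": sig}

def verify_chain(chain, anchors):
    """Return the leaf public key if every link verifies, else None."""
    if not chain or chain[0]["issuer"] not in anchors:
        return None  # chain does not start at a trust anchor we know
    signer, signer_n = chain[0]["issuer"], anchors[chain[0]["issuer"]]
    for cert in chain:
        expected = digest(cert["name"], cert["key"], signer_n)
        if cert["issuer"] != signer or pow(cert["sig"], E, signer_n) != expected:
            return None  # wrong issuer or bad signature
        signer, signer_n = cert["name"], cert["key"]  # subject signs next link
    return signer_n

def M(k):
    return 2**k - 1  # Mersenne primes for the k used here (constructed toy keys)

ROOT_N, ROOT_D = keypair(M(89), M(107))   # "Verisign" root key
UT_N, UT_D = keypair(M(61), M(127))       # "UT Austin" intermediate key
V_N = M(31) * M(521)                      # "Vitaly S." public key
ANCHORS = {"Verisign": ROOT_N}            # the one key everybody must know
CHAIN = [issue("Verisign", ROOT_N, ROOT_D, "UT Austin", UT_N),
         issue("UT Austin", UT_N, UT_D, "Vitaly S.", V_N)]

def swapped_leaf_key(chain, other_key):
    """Copy of the chain whose last certificate carries a different key."""
    return chain[:-1] + [dict(chain[-1], key=other_key)]

if __name__ == "__main__":
    print(verify_chain(CHAIN, ANCHORS) == V_N)                     # True
    print(verify_chain(swapped_leaf_key(CHAIN, M(127)), ANCHORS))  # None
    print(verify_chain(CHAIN, {}))                                 # None
```

Because verify_chain trusts whatever the anchor's key has signed, any chain issued with ROOT_D is accepted for any name and key, which is the slide's closing question about root compromise.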

PKI Trust Models
• Monopoly (Single CA)
• Oligarchy (Multiple Root CAs)
• Registration Authorities (RAs)
• Delegated CAs
• Anarchy model

Monopoly models
• Monopoly CA
  • one global CA that is trusted by everyone
  • single “trust anchor”
• Monopoly CA + RAs
  • several registration authorities, check the identity of applicants, the RA could be local to a company
  • the CA signs the certificates
• Monopoly CA + delegated CA
  • certificates are issued by a sub-CA that has a signing certificate signed by the monopoly CA

Oligarchy (Web model)
• A set of trusted CAs are pre-installed and trusted.
• Large CA vendors pay to get pre-installed in browsers
• New CAs can be added by “clicking ok”
  • “Do you want to ...?”
• I currently trust 46 CAs in my browser
  • Well, do I really?
• What happens if a single one of these CAs becomes compromised?

8 Alternative: “Web of Trust”
• A.k.a. “Anarchy model”
• Used in PGP (Pretty Good Privacy)
• Instead of a single root certificate authority, each person has a set of keys they “trust”