08_pki - Public Key Infrastructures Peter Sjödin psj@kth.se...

Public Key Infrastructures
Peter Sjödin
psj@kth.se
Based on material by Vitaly Shmatikov, Univ. of Texas, and by the previous course teachers

Public Key Infrastructures
Trust models and CA organization
X.509 and PKIX standards
Certificate Revocation

Certification Authorities
One CA for everyone is impractical
Multiple CAs
Who is in charge of what?
Where can we find the certificate of a given user?
How are certificates transmitted over the network?
What is the format?
Deploy a Public Key Infrastructure!
[Figure: Bob’s public key K_B+ and Bob’s identifying information go through a digital signature (encrypt) with the CA private key K_CA-, yielding K_B+: certificate for Bob’s public key, signed by CA]

Hierarchical Approach
Use a trusted root authority
– For example, Verisign
– Everybody must know the public key for verifying root authority’s signatures
Root authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual networks, and so on
– Instead of a single certificate, use a certificate chain
  • sig_Verisign(“UT Austin”, PK_UT), sig_UT(“Vitaly S.”, PK_V)
– What happens if root authority is ever compromised?

PKI Trust Models
Monopoly (Single CA)
Oligarchy (Multiple Root CAs)
Registration Authorities (RAs)
Delegated CAs
Anarchy model

Monopoly models
Monopoly CA
– one global CA that is trusted by everyone
– single “trust anchor”
Monopoly CA + RAs
– several registration authorities,
  • check the identity of applicants,
  • the RA could be local to a company
– the CA signs the certificates
Monopoly CA + delegated CA
– certificates are issued by a sub-CA that has a signing certificate signed by the monopoly CA

Oligarchy (Web model)
A set of trusted CAs is pre-installed and trusted.
– Large CA vendors pay to get pre-installed in browsers
New CAs can be added by “clicking ok”
– “Do you want to ...?”
I currently trust 46 CAs in my browser
– Well, do I really?
– What happens if a single one of these CAs becomes compromised?

Alternative: “Web of Trust”
A.k.a. “Anarchy model”
– Used in PGP (Pretty Good Privacy)
Instead of a single root certificate authority, each person has a set of keys they “trust”
– If public-key certificate is signed by one of the “trusted” keys, the public key contained in it is considered valid