Post on 23-Feb-2016
description
Geneva, Switzerland, 2 June 2014
Introduction topublic-key infrastructure (PKI)
Erik Andersen,Q.11 Rapporteur,
ITU-T Study Group 17era@x500.eu
ITU Workshop on “Caller ID Spoofing”(Geneva, Switzerland, 2 June 2014)
Geneva, Switzerland, 2 June 2014 2
PKI and PMI
Public-key certificates: The basis for public-key infrastructure (PKI)
Attribute certificates: The basis for privilege management infrastructure (PMI)
Rec. ITU-T X.509 | ISO/IEC 9594-8 base specification for both types of infrastructure
3
Facts about X.509
Geneva, Switzerland, 2 June 2014
Part of the X.500 Series of RecommendationsAlso issued as ISO/IEC 9594-8Issued in seven editionsFirst edition in 1988Eight edition on its wayNumber one in downloadsDefines:
Public key/private key principlesPublic-key certificatesPublic-key infrastructure (PKI)Attribute certificatesPrivilege management infrastructure (PMI)
PKI
4
Asymmetric cryptography
Geneva, Switzerland, 2 June 2014
A B
Action usingprivate key
Resolving usingpublic key
Action usingpublic key
Resolving usingprivate key
Private key Public key
Asymmetric cryptography is basic technology behind PKI and PMI
5
PKI entities
Geneva, Switzerland, 2 June 2014
CRLIssuer
End entity
RegistrationAuthority
CA
Certificate&
CRLrepository(e.g., an LDAP or X.500
directory)
CA
6
Certifying the identity usingpublic-key certificates
Geneva, Switzerland, 2 June 2014
Certification Authority
OK
7
Public-key certificate
Geneva, Switzerland, 2 June 2014
Subject
Serial number
Public key info
Version
Algorithm
ValidityIssuer
Issuer unique idSubject unique id
Extensions
Digital signature of issuer
Version 2 (do not use!)
Version 3 - Important
Extensions
The extension concept allows adding additional information to a public-key certificate.Organizations may define own extensions.If the information changes, the public-key certificate has to be renewed.
Geneva, Switzerland, 2 June 2014 9
Certification authority (CA)
NOT: Certificate authorityVerify the identity of the subject Verify the position of the key-pairVerify the other information as requiredIssues and sign the public-key certificate Maintain revocation statusPublishes revocation status
10
Checking the credentials
Geneva, Switzerland, 2 June 2014
A passport is a type of certificate binding a picture to a subject IDHas to be issued by a trustworthy authorityA passport may be falseIt is checked by the validator, also called the relying party
SubjectRelying party
11
Trust
Geneva, Switzerland, 2 June 2014
Would you buy a certificate of this man?
Would you trust a certificate issued by this man?
Certificates
Hierarchical Structure
Trust anchor
CA CA
EE EE EE EE EE EE EE EE
CA CACACA
CA = Certification authorityEE = End entity
13
Trust anchor
Trusted by a relying partyTrust anchor information:
Configured into relying party
Public-key certificate
or similar information
Geneva, Switzerland, 2 June 2014
Certificate Revocation List (CRLs)
Certificate Serial NumberRevocation Date
VersionAlgorithm
Time for this updateIssuer
Extensions
Digital signature of issuer
Time for next update
CRL Extensions
Certificate Serial NumberRevocation Date
Extensions
Revoked Certificate
Revoked Certificate
15
Online Certificate Status Protocol (OCSP)
Geneva, Switzerland, 2 June 2014
OCSP requestOCSP
response
OCSP responder
OCSP client
Validation procedure
TrustAncho
r
User system A
(end entity)
CA
CA
User system B(Relying Party)
Storing ofTrust AnchorInformation
Check ofrevocation
Signeddata
17
Where to go
Geneva, Switzerland, 2 June 2014
The central source for information on theX.500 Directory Standard including X.509.
www.x500standard.com