La descarga está en progreso. Por favor, espere

La descarga está en progreso. Por favor, espere

Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services in Information Systems.

Publicada porSol Monico Modificado hace 9 años

Presentaciones similares

Presentación del tema: "Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services in Information Systems."— Transcripción de la presentación:

1 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services in Information Systems

2 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Digital Certificates

3 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez What is a Digital Certificate? Electronic counterparts to driver licenses,passports. Enable individuals and organizations to secure business and personal transactions across communication networks.

4 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez How do they secure the data? Authentication Integrity Encryption Token verification

5 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez What certificates are typically used for Secure channel TLS / SSL for web servers Sign emails Authentication Code signing Encrypt files (EFS in Windows/2000) IPsec (encrypt network layer)

6 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Certificates and PKI qA public key certificate consists of some payload and a digital signature over this data. qThe certificate payload consists of a public key and some additional data (e.g. subject and issuer information, validity period, privileges, attributes etc.). qThe digital signature binds these additional data to the public key. qIt is the responsibility of a PKI (Public Key Infrastructure) to generate, distribute, and manage certificates. Signature Public key Additional data: attributes, privileges, etc. Digitally signed hash value

7 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Certificates Certified Entity CA Verifier FJRRH

8 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Real World Analogies Is a certificate an “electronic identity”? Concerns –a certificate is a binding between an identity and a key, not a binding between an identity and a real person –one must submit its certificate to identify itself, but submission is not sufficient, the key must be used in a protocol –anyone can submit someone else’s certificate

9 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Real World Analogies Result: Certificates are not picture IDs So, what is the real world analogy for certificates? –Endorsed document/card that serves as a binding between the identity and signature

10 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Issues Related Certificates TRUST –verifiers must trust CAs –CAs need not trust the certified entities –certified entity need not trust its CA, unless it is not the verifier What is “trust” in certification systems? –Answer to the question: “How correct is the certificate information?” –related to certification policies

11 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Issues Related Certificates Certificate Revocation –certificates have lifetimes, but they may be revoked before the expiration time –Reasons: certificate holder key compromise/lost CA key compromise end of contract (e.g. certificates for employees) –Certificate Revocation Lists (CRLs) hold the list of certificates that are not expired but revoked each CA periodically issues such a list with digital signature on it

12 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Digital Certificate - Lifecycle Key Pair Generated Certificate Issued Certificate valid and in use Private Key compromised Certificate Expires Recertify Certificate Revoked Keypair Expired

13 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez X.509 ITU-T standard (recommendation) –ISO 9495-2 is the equivalent ISO standard part of X.500 family for “directory services” –distributed set of servers that store user information an utopia that has never been carried out –X.509 defines the authentication services and the pubic-key certificate structure (certificates are to be stored in the directory) –so that the directory would contain public keys of the users

14 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez X.509 Defines identity certificates –attribute (authorization) certificates are added in 4 th edition (2000) Defines certificate structure, not PKI Supports both hierarchical model and cross certificates End users cannot be CAs

15 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez X.509 Certificate Format

16 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez X.509v3 Extensions Not enough flexibility in X.509 v1 and v2 –mostly due to “directory” specific fields –real-world security needs are different email/URL names should be included in a certificate key identification was missing (so should be included) policy details should indicate under which conditions a certificate can be used (was not the case in v1 and v2) avoidance of blind trust was not possible in v1 and v2 Rather than explicitly naming new fields a general extension method is defined –extensions consist of extension identifier, value and criticality indicator

17 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Key and policy information –subject & issuer key identifiers –indicators of certificate policies supported by the cert –key usage (list of purposes like signature, encryption, etc) Alternative names, in alternative formats for certificate subject and issuer Certificate path constraints (for CA to CA certs) –to restrict certificate issuance based on path length (restricting number of subordinate CAs) policy identifiers names Verifier could exercise its own restrictions during verification as well –No blind trust to CAs X.509v3 Extensions

18 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Main parts of a digital certificate system Request and issue certificates (different categories) with verification of identity Storage of certificate (including the private key) Publishing of certificates (public part) to anyone (LDAP, HTTP) Pre-install root certificates in a trusted environment Support by platform, applications and services to use certificates Maintain database of issued certificates (no private keys!) Helpdesk (information, lost + compromised private keys) Publishing of CRLs (and enforce apps to do revocation checking)

19 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez X.509 Certificate Format

20 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Certification Authority

21 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Certification Authority(CA) Trusted entity which issue and manage certificates for a population of public-private key-pair holders. A digital certificate is issued by a CA and is signed with CA’s private key.

22 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez CA X Y CRL Verifica certificado ? ? 1235 Verifica CRL

23 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez CA Policies CA certification policies (Certificate Practice Statement) –how reliable is the CA? –certification policies describe the methodology of certificate issuance –ID-control practices loose control: only email address tight control: apply in person and submit picture IDs and/or hard documentation

24 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Arquitectura típica de una AC Certificate Distribution

25 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez VeriSign Certificates Several companies provide CA services: Nortel, GTE, U.S. Postal Service and VeriSign among others. Of those, the most widely used is the latter. Over 35K commercial WEB sites were using VeriSign digital certificates as early as 1998. Over a million consumer digital certificates had been issued to users of Netscape and Microsoft browsers. VeriSign Class1 certificate cost: U.S. $14.95 per year, or free 60-day trial edition

26 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez VeriSign Certificates There are three classes of VeriSign certificates: a)Class 1. VeriSign confirms the user’s e-mail address by sending a PIN and Digital ID pick-up to the e-mail address provided in the application. b)Class 2. VeriSign uses a consumer database in addition to performing the checkings of class 1. Confirmation is sent to the specific postal address alerting the customer that his/her certificate is ready for pick-up. c)Class 3. VeriSign requires a higher level of identity assurance. An individual must prove his/her identity by providing notarized credentials and/or applying in person.

27 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Public Key Infrastructure

28 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Organization-wide PKI Local PKI for organizations –may have global connections, but the registration facilities remain local –generally to solve local problems local secure access to resources

29 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez PKI Business Practice: Issue certificates and make money –several CAs Several CAs are also necessary due to political, geographical and trust reasons 3 interconnection models –hierarchical –cross certificates –hybrid

30 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Public Key Infrastructure (PKI) PKI is a complete system and well-defined mechanisms for certificates –certificate issuance –certificate revocation –certificate storage –certificate distribution

31 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez CAs End users Upper level CAs Root CA Hierarchical PKI Example

32 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez CAs End users Cross certificates Cross Certificate Based PKI Example

33 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Hybrid PKI example

34 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Certificate Paths

35 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Verifier must know public key of the first CA Other public keys are found out one by one All CAs on the path must be trusted by the verifier Certificate Paths

36 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Reverse certificates Certificate Paths with Reverse Certificates

37 Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Hosted vs. Standalone PKI Hosted PKI –PKI vendor acts as CA –PKI owner is the RA Standalone PKI –PKI owner is both RA and CA

Descargar ppt "Seguridad en sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services in Information Systems."

Presentaciones similares

PLT EXPERIENCES IN SPAIN

PLT EXPERIENCES IN SPAIN
Learning Achievement in Creativity and Design Subjects according to Professional Profiles (2006) European Transfer Credit System (ECTS) Methodology in.

Learning Achievement in Creativity and Design Subjects according to Professional Profiles (2006) European Transfer Credit System (ECTS) Methodology in.
MOY Meeting Joyce Tucker Meghan Heller November 3, 2011.

MOY Meeting Joyce Tucker Meghan Heller November 3, 2011.
How to Conjugate… SPANISH VERBS.

How to Conjugate… SPANISH VERBS.
MEXICAN CUSTOMS UPDATE

MEXICAN CUSTOMS UPDATE
To be, or not to be? Lets start out with one of the most important verbs in Spanish: ser, which means to be.

To be, or not to be? Lets start out with one of the most important verbs in Spanish: ser, which means to be.
Telling Time Grammar Essential #8.

Telling Time Grammar Essential #8.
© 2006 XBRL International, All Rights Reservedwww.xbrl.org/Legal Ignacio Hernández-Ros Technology development XBRL International Using XQuery to process.

© 2006 XBRL International, All Rights Reservedwww.xbrl.org/Legal Ignacio Hernández-Ros Technology development XBRL International Using XQuery to process.
Grupos de Trabajo 6 - Informe Working Group 6 – Report Transparency.

Grupos de Trabajo 6 - Informe Working Group 6 – Report Transparency.
Grupos de Trabajo # 7 - Informe Working Group # 7 – Report General Business and Operational Risks.

Grupos de Trabajo # 7 - Informe Working Group # 7 – Report General Business and Operational Risks.
Empresa y Sociedad Tema 1. Teoría de la Empresa y de la Sociedad Dr. Antonio Lloret 17 de Enero de 2011.

Empresa y Sociedad Tema 1. Teoría de la Empresa y de la Sociedad Dr. Antonio Lloret 17 de Enero de 2011.
Los Infinitivos ¿Qué es un infinitivo?.

Los Infinitivos ¿Qué es un infinitivo?.
You have already learned that ser and estar both mean to be but are used for different purposes. These charts summarize the key differences in usage between.

You have already learned that ser and estar both mean to be but are used for different purposes. These charts summarize the key differences in usage between.
Game Cluedo: How to Play 1.Your group should have the 21 cards containing 6 cards of suspects, 9 rooms and 6 weapons, a tally card for each member and.

Game Cluedo: How to Play 1.Your group should have the 21 cards containing 6 cards of suspects, 9 rooms and 6 weapons, a tally card for each member and.
Affirmative and Negative Words

Affirmative and Negative Words
Time Expression with Hacer

Time Expression with Hacer
Copyright © 2008 Vista Higher Learning. All rights reserved.5.3-1 You have already learned that ser and estar both mean to be but are used for different.

Copyright © 2008 Vista Higher Learning. All rights reserved You have already learned that ser and estar both mean to be but are used for different.
Expresiones Lección 1 Presentaciones con el verbo presentarle.

Expresiones Lección 1 Presentaciones con el verbo presentarle.
Español 1 El 15 de octubre de 2012 Entrada: Pronouns[en el libro importante] Answer the following questions in complete sentences in English: 1.What is.

Español 1 El 15 de octubre de 2012 Entrada: Pronouns[en el libro importante] Answer the following questions in complete sentences in English: 1.What is.
A Comer Vamos a Poner la Mesa.

A Comer Vamos a Poner la Mesa.

Presentaciones similares

Anuncios Google