21 Cards in this Set

  • Front
  • Back
Public Key Distribution

a. The distribution problem.
Fake book of public keys
b. Decentralized vice centralized distribution.
Every user personally goes up to every other user and identifies themselves (face-to-face, using at least one, maybe two, picture IDs) and gives them their public key.

1. A trustworthy person is designated as a “Special User” (SU)
2. The Special User collects everyone’s public keys (using face-to-face verification)
3. Everyone gets the Special User’s public key using face-to-face verification
c. Certificate Authority (CA).
The “Special User” in the centralized distribution. Distributes keys by digitally signed messages.
d. Registration Authority (RA) and Local Registration Authority (LRA)
Perform the face-to-face identification step.
a. Certificate contents.
The essential data in a certificate is:
–a user ID,
–the public key for that user and
–the CA’s digital signature of the above information
b. Certificate creation process.
Certificate verification process.
1. A trustworthy person is designated as a “Special User” (SU)
2. The Special User collects everyone’s public keys (using face-to-face verification)
3. Everyone gets the Special User’s public key using face-to-face verification
e. X.509 standard.
The current standard for digital certificates.
X.509 content
• Certificate serial number
• The certificate signature algorithm and parameters
• CA identifier
• Algorithm and parameters for the user public key
• Beginning date
• Expiration date
f. Multiple certificates
– An encryption certificate used in the data encryption process
– A signing certificate used in the digital signature process
g. Certificate chains
If the DoD CA creates a certificate for the ABC-Bank-CA-pub, we can now verify signatures from bank employees
h. Self-signed certificates
Often a “self-signed certificate” is used to distribute a CA-pub.
Private key
If someone steals your private key they
– can forge your digital signature (in a complete digital world, they become you)
– can decrypt messages that only you are supposed to be able to decrypt
Private key

a. Storage
– On their PC
– On removable media (CD, etc.)
– On a smart card
S/MIME
The Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol works seamlessly with
–DoD certificates (Common Access Cards (CACs))
–Certificates issued by commercial CAs, such as VeriSign
•Public keys for commercial CAs come preinstalled in e-mail programs
SSL
Another excellent example of a PKI-enabled application is the Secure Sockets Layer (SSL) protocol
•It is also called Transport Layer Security (TLS)
•If you buy things on the web you most likely have used SSL
Public Key Certificates
The essential data in a certificate is:
–a user ID,
–the public key for that user and
–the CA’s digital signature of the above information
Certificate Authority
Trusted organization (or server) that maintains and issues digital certificates
Registration Authority
Performs certificate registration duties. Confirms the identity of an individual, etc.
Acts as a broker between the user and CA.
Local Registration Authority
Person assigned duties.
SSL 2nd card
•It is also called Transport Layer Security (TLS)
•If you buy things on the web you most likely have used SSL
This is called “Server-Authentication” mode of SSL because it lets the user authenticate the server
•Clicking on the closed lock icon displays the Website’s certificate
•If a website looks like Amazon’s but the certificate is issued to hacker.com you may not want to enter any credit card information
The other mode of SSL is called “Client-Authentication” mode because it lets the Web server authenticate the user
•It requires the user to have a private key and a certificate
•It performs the server-authentication steps already presented and then performs additional steps that are necessary to authenticate the user
S/MIME 2nd card
The Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol works seamlessly with
–DoD certificates (Common Access Cards (CACs))
–Certificates issued by commercial CAs, such as VeriSign
•Public keys for commercial CAs come preinstalled in e-mail programs
If a user has keys issued by the DoD or a commercial CA, they can
–digitally sign messages,
–verify digitally signed messages,
–encrypt messages and
–decrypt messages