Date post: | 12-Jan-2016 |
Category: |
Documents |
Upload: | dominic-george |
View: | 261 times |
Download: | 3 times |
CryptographyEncryption/Decryption
Franci Tajnik CISAFranci Tajnik CISA
Franci Tajnik
CISA 2002 Franci Tajnik
cryptographic system
cryptographic algoritm ( math. function)cryptographic algoritm ( math. function) keys ( word, number, phrase )keys ( word, number, phrase ) protokolprotokol
convert plain text to cipher textconvert plain text to cipher text
CISA 2002 Franci Tajnik
Symmetric method DES
Cipher text
Plaintext
SymetricKeySender Receiver
Plaintext
Cipher text
CISA 2002 Franci Tajnik
Asymmetric Key Generation
SeedData
GenerationProgram
SecretKey
PublicKey
AsymmetricRelationship
CISA 2002 Franci Tajnik
Asymmetric method RSA
Cipher text
Plaintext
Sender Receiver
Plaintext
Cipher text
Public
Private
Secrecy
CISA 2002 Franci Tajnik
Asymmetric method RSA Authentication
Cipher text
Plaintext
Sender Receiver
Plaintext
Cipher text
Public
Private
Plaintext
Plaintext
Plaintext
CISA 2002 Franci Tajnik
PGP princip
Plaintext
Sender Receiver
Plaintext
Public
Private
One time Session key
Encry. Sessionkey
Cipher text
Cipher textEncry. Session
.key
Cipher text
Encry. Sessionkey
CISA 2002 Franci Tajnik
Digital signatures
Cipher text
Plaintext
Sender Receiver
Plaintext
Cipher text
Public
Private
CISA 2002 Franci Tajnik
Digital signature
Plaintext
Sender
Receiver
Public
Private
message digest160
hash
signature Plaintext
signature Plaintext
message digest160
hash
message digest160
CISA 2002 Franci Tajnik
Digital signature
Plaintext
SenderReceiver
Private S
message digest160
hash
signature Plaintext
signature Plaintext
message digest160
hash
message digest160
Public R
Private R
Public S
CISA 2002 Franci Tajnik
E-mail security
Plaintext
Sender
Receiver
Private S
message digest160
hash
signature Plaintext
signature Plaintext
message digest160
hash
message digest160
Public R
Private R
Public S
One time Session key
Dec.SESS.
KeY
ENC.SESS.
KEY
CISA 2002 Franci Tajnik
Certification Authority Registration Authority
Holder
Certificate information
Public Holder
CA
Digital signature
Private
Public Holder
Digital certificate
RA
CISA 2002 Franci Tajnik
Digital signature
Plaintext
SenderReceiver
Private S
message digest160
hash
signaturePlaintext
signature Plaintext
message digest160
hash
message digest160
Public R
Private R
Dig.cert.
Dig.cert.
Dig.cert.CA S
CISA 2002 Franci Tajnik
Certification Authority
software for issue the certificatessoftware for issue the certificates creates certificatescreates certificates digitaly signs certificatedigitaly signs certificate
Registration AuthorityRegistration Authority people, processes, toolspeople, processes, tools administration of usersadministration of users
CISA 2002 Franci Tajnik
Problems
Do you trust the certification company?Do you trust the certification company? What validation process does the company What validation process does the company
undertake to ensure that an entity is who undertake to ensure that an entity is who they claim to be before issuing a certificate?they claim to be before issuing a certificate?
Who certifies the Certification Authority?Who certifies the Certification Authority?
CISA 2002 Franci Tajnik
Certification Process
CertificationAuthority
User
VerifiesCredentials
CreatesCertificate
GeneratesKey Set
Presents PublicKey and
Credentials
ReceivesCertificate
PublicDistribution
CISA 2002 Franci Tajnik
Requirements for a CA
Outstanding integrity - recognised by othersOutstanding integrity - recognised by others
Financial backing to cover potential Financial backing to cover potential liabilitiesliabilities
CISA 2002 Franci Tajnik
Requirements of a CA
Physically secure environmentPhysically secure environment Tamper resistant modules for its Tamper resistant modules for its
cryptographic processingcryptographic processing Ability to generate key pairsAbility to generate key pairs Random number generatorRandom number generator Ability to check signaturesAbility to check signatures Ability to sign certificatesAbility to sign certificates
CISA 2002 Franci Tajnik
Requirements of a CA
Software to support all certificate formatsSoftware to support all certificate formats Clear security policyClear security policy Secure, auditable procedures for certificate Secure, auditable procedures for certificate
productionproduction Directory of certificates (including archived Directory of certificates (including archived
certificates)certificates)
CISA 2002 Franci Tajnik
PGP certificate format
PGP version numberPGP version number certificate holders public keycertificate holders public key certificate holders informationcertificate holders information digital signature of certificate ownerdigital signature of certificate owner
using holders private key (self signature)using holders private key (self signature) certificate validity periodcertificate validity period encryption algorrthmencryption algorrthm
CISA 2002 Franci Tajnik
X.509 certificate format X.509 version numberX.509 version number certificate holders public keycertificate holders public key serial number of certificateserial number of certificate certificate holders unique identifiercertificate holders unique identifier certificate validity periodcertificate validity period unique name of CAunique name of CA digital signature of CAdigital signature of CA signature algorithmsignature algorithm
CISA 2002 Franci Tajnik
Cross Verification
Where there is more than one Certification Where there is more than one Certification Authority there must be a way of relying on Authority there must be a way of relying on certificates provided by other Certification certificates provided by other Certification AuthoritiesAuthorities
CISA 2002 Franci Tajnik
Conclusions
The auditor has to accept the integrity of the The auditor has to accept the integrity of the underlying algorithmsunderlying algorithms
The role of the Certification Authority is The role of the Certification Authority is critical to the operational processcritical to the operational process
Certification Authorities will be the key to Certification Authorities will be the key to the entire Public Key Infrastructure (PKI) the entire Public Key Infrastructure (PKI) processprocess