PKI Services for CYPRUS STOCK EXCHANGE Introduction

erosjellySécurité

23 févr. 2014 (il y a 3 années et 8 mois)

56 vue(s)

PKI
Services

for CYPRUS STOCK EXCHANGE

Kostas
Nousias

2

AGENDA


ADACOM Profile



Introduction to PKI



Certificate and Key Storage



ADACOM Profile

4

Adacom


Founded
in 1999


80 employees (Commercial, Engineering, R&D,
Consultants
)


12
million
USD turnover


Subsidiaries in Israel, Germany, Greece Bulgaria.


Activities in 28 countries through own operations and
through partners.


ISO 27001:2005 & ISO 9001:2008


Active in IT Security and Enterprise
Software


Operating
the only two Symantec (ex. VeriSign) PKI
Data Centers (main & DR) covering Eastern
Europe (16
countries)


Symantec Affiliate & Platinum Security partner


CheckPoint

Platinum Partner

5

ADACOM IT Security Partnerships

6

ADACOM IT Security Portfolio


Application


Government


Financial


Network



E
-
Commerce


Regulatory
Compliance

Carriers

PKI & Authentication


CA & RA services


Client Certificates


SSL Certificates


Qualified
Certificates


Timestamping



E
-
Invoices

Information Security Solutions


Data Loss Prevention Solutions


Control Compliance Solutions


Vulnerability Solutions


Online Anti
-
Fraud Solutions


Network & Endpoint Security
Solutions


Intrusion Prevention Solutions


Card Management System


HSM & SSCD



Consulting
Services


Compliance


Vulnerability Assessment /
Penetration Testing


Managed Security Services


CP & CPS Consulting


Online Brand Management


gTLD


MDM Solutions


Asset Management


Device/Network
Information


Security & Compliance


OTA Configuration


In
-
premise / cloud



Security

as a Service

PKI

MSS

VIP

E
-
Invoices

TimeStamping

7

ADACOM IT Security References

Introduction to PKI


9

What is PKI?


A

community

of

interest

with

a

defined

set

of

policy

rules

(“Certificate

Policy”)

and

a

set

of

operating

procedures

(“Certificate

Practices

Statement”)

for

the

management

of

user

identities

and

public

keys
.



A

PKI

provides

digital

certificates

that

can

identify

an

individual,

organization

or

device

and

directory

services

that

can

store

the

certificates
.



A

combination

of

standards,

protocol

and

software

that

creates,

edits

and

revokes

digital

public

key

certificates
.



PKI

enable

trust

between

two

or

more

parties

without

prior

knowledge

of

each

other
.




A

PKI

binds

public

keys

to

entities

(Subscriber),

enables

other

entities

(“Rely

Party”)

to

verify

public

key

bindings,

and

provides

the

services

needed

for

ongoing

management

of

keys

in

a

distributed

system
.

FSI Event, May 24
th
, 2012, Athens

10

What PKI provides?

Authentication


to ensure parties are who
they say they are.
Verification that the
people with whom we
are corresponding
actually are who they
claim to be.

Confidentiality


to protect sensitive
information. Means that
the information
contained in the message
is kept private and only
the sender and the
intended recipient will be
able to read it.

Authorization


to ensure parties can
access specific
information.

Integrity


to guarantee the
transaction is not altered.
Verification that the
information contained in
the message is not
tampered with,
accidentally or
deliberately, during
transmission.

Non
-
repudiation


to prove the transaction
occurred. There can be
no denial on the part of
the sender of having sent
a message that is digitally
signed.

FSI Event, May 24
th
, 2012, Athens

11

How does PKI accomplish all of these things?

Data Encryption


Encryption refers to the conversion of a message into an unintelligible form of data, with the aim of ensuring
confidentiality.


Decryption is the reversal of encryption; it is the process of transforming encrypted data back into an intelligible
message.


In public key cryptography, encryption and decryption are performed with the use of a pair of public and private keys.

Digital Signature


Addresses the issues of authenticity, integrity and non
-
repudiation.

Like its hand
-
written counterpart, a digital
signature proves authorship of a particular message. Technically, a digital signature is derived from the content of the
sender's message in combination with his private key, and can be verified by the recipient using the sender's public
key to perform a verification operation.

Digital Certificates


A digital certificate is a digital document that proves the relationship between the identity of the holder of the digital
certificate and the public key contained in the digital certificate. It is issued by a trusted third party called a Certifica
te
Authority (CA.) Our digital certificate contains our public key and other attributes that can identify us.

FSI Event, May 24
th
, 2012, Athens

12

Hash Functions

FSI Event, May 24
th
, 2012, Athens

It was the best of times,

it was the worst of times

It was the best of thymes,

it was the worst of times

Small Difference

Large Difference

3au8 e43j jm8x g84w

Hash Function

b6hy 8dhy w72k 5pqd

Hash Function

13

Public Key


Signature & Verification

Sender

Receiver

Hashing + Encryption = Signature Creation

Hashing + Decryption = Signature Verification

Transmitted

Message

Signature

Message

Digest

Hash Function

If these are the same,

then the message

has not changed

Alice

Bob

Message

Digest

Hash Function

Encrypt

Signature

Expected

Digest

Decrypt

14

Where can I use it?


Applications/protocols enabled for digital signature/encryption and compatible with
X.509 v3 digital certificates:


Secure Mail (S/Mime), Web Access (SSL)


Virtual Private Networking, E
-
Forms, File/Media Encryption


Electronic
Commerce: On
-
line banking


On
-
line banking


On
-
line purchasing


On
-
line payments


E
-
Government
:


On
-
line benefits


On
-
line taxes


On
-
line licenses


On
-
line filings


Most paper
-
based applications can be securely transition to on
-
line using PKI


15

PKI


Basic Components


“Provider”
Side


Certificate Authority (CA)


Registration Authority (RA)


Certificate Distribution System

“Consumer”
Side


PKI enabled applications

FSI Event, May 24
th
, 2012, Athens

16

Certificate Authority
(CA)


Key Generation


Digital Certificate
Generation


Certificate Issuance
and Distribution


Revocation


Key Backup and
Recovery System


Cross
-
Certification

Registration Authority
(RA)


Registration of
Certificate
Information


Face
-
to
-
Face
Registration


Remote Registration


Automatic
Registration


Revocation
procedures


Certificate
Distribution System

Repository for


Digital Certificates


Certificate Revocation
Lists (CRLs)


Online Certificate
Status Protocol

PKI
-
enabled
Applications


Required functionality


Cryptographic
functionality


Secure storage of
Personal Information


Digital Certificate
Handling


Directory Access


Communication
Facilities

17

PKI Trust and Legal Issues


Why should I Trust a certificate?


Certificate Hierarchies,
Cross
-
Certification



How
can I determine the liability of a CA?


Certificate Policies (CP)


A document that sets out the rights, duties and obligations of each party in a Public Key Infrastructure


The Certificate Policy (CP) is a document which usually has legal effect


A CP is usually publicly exposed by CAs, for example on a Web Site (VeriSign, etc.)


Certificate Practice Statement (CPS)


A document that sets out what happens in practice to support the policy statements made in the CP in a PKI


The Certificate Practice Statement (CPS) is a document which may have legal effect


18

PKI Standards


X.509 Certificate and CRL Profiles


PKI Management Protocols


Certificate Request Formats


CP/CPS Framework


LDAP, OCSP, etc.


FSI Event, May 24
th
, 2012, Athens

19

Public or Private CA Hierarchy?




Public” vs. “Private” Certification Authority


Has
nothing

to do with public vs. private keys


Refers to where the
chain of trust

terminates for certificates you will be issuing



Hierarchy
Chain
= chain of certificate Authorities from a root CA down through X number of
intermediate CAs, to the CA that issued your certificate






If
you
trust a given root CA
, you should also
trust all subsidiary CAs
, and therefore all
certificates issued by any of the CAs, in the
hierarchy.


A compromise at one “link” of the chain compromises every thing below it in the
hierarchy.


All certificates in a given hierarchy must reference the same Certification
Policies.


FSI Event, May 24
th
, 2012, Athens

Root
:
Adacom

Class 2 Primary CA

MPKI
:
Adacom

Class 2 MPKI Individual CA

Client
: Alice B. Toklas

20

Public or Private CA Hierarchy?


Public Hierarchy


certificate parentage can be traced back to a public root
certificate, such as a VeriSign public root key embedded in most
browsers.


Private
Hierarchy


certificates parentage belongs to a private organization that
has complete control over the Certification Practices Statement for every certificate in
that hierarchy To use certificates in a private hierarchy, you must install the root
certificate of that hierarchy into the browsers of all
users.



Public Model


Open community


Secure Email


VeriSign root keys embedded in applications


Must meet minimal Root CA CPS/CP



Private
Model


Self
-
Signed
CA


Closed community


Network Access/VPN


Not
dependant

on Root CA CPS/CP


Company

Public Root

Company

Public CA A

Company

Public CA C

Company

Public CA B

VeriSign

Public Class 2

Company

Private Root

Company

Private CA A

Company

Private CA C

Company

Private CA B

21

X.509 Certificate


X.509 version 3 certificate standard



Certificate
is a digitally signed document issued by a Certification Authority



Through
the cryptographic algorithm, certificate can not be altered after it’s issued



Certificate
Filename
extensions


CER
-

CER

encoded certificate


DER
-

DER

encoded certificate


PEM
-

(
Privacy Enhanced Mail
)
Base64

encoded DER certificate


P7B /P7C
-

PKCS#7

SignedData

structure without data, just certificate(s) or CRL(s)


PFX /P12
-

PKCS#12
, contain certificate(s), public and private keys (password protected)


FSI Event, May 24
th
, 2012, Athens

22

X.509 Certificate Profile

The X.509 certificate format has the following fields:


Required
fields


Version


Serial Number


Algorithm ID


Certificate Signature


Certificate Signature Algorithm


Issuer


Validity


Not Before


Not After


Subject


Subject Public key info


Public Key Algorithm


Subject Public Key


Optional Fields


issuerUniqueIdentifier


subjectUniqueIdentifier


Extensions


Issuer and subject unique identifiers were introduced in
Version 2, Extensions in Version 3.


FSI Event, May 24
th
, 2012, Athens

23

X.509 Subject DN Fields


The Subject DN has the following
fields:


Common
Name


Given Name


Sure Name


Country


Pseudonym


Organization Name


Organizational Unit Name


State


Locality


Email


Title


Address


….


FSI Event, May 24
th
, 2012, Athens

24

X.509 Optional Fields

FSI Event, May 24
th
, 2012, Athens

Basic Constrains

NULL

Key Usage

digitalSignature

nonRepudiation

keyEncipherment

dataEncipherment


Certificate Policies

id
-
vtn
-
cp
-
class2 2.16.840.1.113733.1.7.23.2

qcp
-
public
-
with
-
sscd

-

0.4.0.1456.1.1

EDSP DL 2
-

2.16.840.1.113733.1.7.44.2

Authority Key Identifier

keyIdentifier

value (hash of authorities key)

Note:
Issuing CA must have SKI for this option

Subject Key Identifier

keyIdentifier


Subject Alt Name

directoryString


rfc822Name


ipAddress


domainName


registeredID


otherName


CRL Distribution Points

URL LDAP

Authority Info Access


OCSP

Extended Key Usage

clientAuth


emailProtection


encryptedFileSystem


fileRecovery


smartCardLogon


ipsecUser


QC Statement

id
-
etsi
-
qcs
-
QcCompliance

(0.4.0.1862.1.1)


id
-
etsi
-
qcs
-
QcLimitValue

(0.4.0.1862.1.2)


25

Digital Certificates in Use


Secure e
-
mail


Virtual
Private Network (VPN)


Wireless
(Wi
-
Fi)


Web
Servers (SSL/TLS)


Network
Authentication


Code
Signing


Server
to Server


Certificate and Key Storage


27

Key Storage Considerations


Many
different ways to store a certificate and private
key.



Application
will usually dictate the appropriate
method.



Concerns include:


Security


Portability


Functionality


Usability


Manageability


Expense


FSI Event, May 24
th
, 2012, Athens

28

Software
-
Based Certificates


Several different software
stores


Microsoft
CAPI


Netscape certificate database


Macintosh
keyring


Java
keystores


Vendor specific


VeriSign Personal Trust Agent


Pros


Browser based, so easy to use


Inexpensive


no new infrastructure


easy distribution


Cons


Locks user to desktop


Desktop management


Cannot control password use


29

PKI Smart Cards / USB Tokens

Generally provide greater security than software certificates


Can require PINs or passwords, even biometric authentication


Keys usually cannot be exported


Tokens can be locked in a safe when not in use


FIPS (Federal Information Protection Standard) 140 rated

Provide better portability than software certificates


Can be used on multiple machines while maintaining only one copy of the private key


Have the capacity to hold multiple keys and certificates

Challenges


Typically require installation of drivers


May require a separate reader


End user acceptance


Token lifecycle management: distribution, forgotten/lost/broken tokens


Cost

30

QA

FSI Event, May 24
th
, 2012, Athens