Key Management and Distribution
Distribution of the Public Keys
• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates
Public Announcement
• Broadcast your public key to the public
• via newsgroups, mailing lists, from personal website, etc.
• major weakness is anyone can create a key claiming to be
someone else and broadcast it
• so attacks are possible
Publicly available directory
• A greater degree of security can be achieved by
maintaining a publicly available dynamic directory of
public keys.
• Maintenance and distribution of the public directory
would have to be the responsibility of some trusted entity.
• The authority maintains a directory with a {name, public key}
entry for each participant.
• Each participant registers a public key with the directory authority.
• A participant may replace the existing key with a new one at any
time.
Public-key authority
• Improve security by tightening control over distribution of
keys from directory
• has properties of directory and requires users to know
public key for the directory
• users interact with directory to obtain any desired public
key securely
• does require real-time access to directory when keys
are needed
Public-key certificates
• certificates allow key exchange without real-time access to
public-key authority
• a certificate binds identity to public key
• usually with other info such as period of validity, rights of use, etc.
• with all contents signed by a trusted Public-Key or
Certificate Authority (CA)
• can be verified by anyone who knows the public-key
authority's public key
X.509 Authentication Service
• X.509 defines a framework for the provision of authentication services
by the X.500 directory to its users.
• The X.500 directory is a distributed set of servers that maintains a
database of information about users.
• The X.509 public key infrastructure (PKI) standard identifies the
format of public key certificates.
• X.509 is an important standard because the certificate structure and
authentication protocols defined in X.509 are used in a variety of
contexts. For example, the X.509 certificate format is used in S/MIME,
IP Security and SSL/TLS.
• Each certificate contains the public key of a user and is signed with
the private key of a CA.
X.509 Certificates
• issued by a Certification Authority (CA), containing:
• version (1, 2, or 3)
• serial number (unique within CA) identifying certificate
• signature algorithm identifier
• issuer X.500 name (CA)
• period of validity (from - to dates)
• subject X.500 name (name of owner)
• subject public-key info (algorithm, parameters, key)
• issuer unique identifier (v2+)
• subject unique identifier (v2+)
• extension fields (v3)
• signature (of hash of all fields in certificate)
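Added example (not part of the original slides): a stdlib-only Python model of the certificate idea above, in which a CA signs the fields that bind a subject name to a public key, and anyone holding the CA public key checks the signature and validity period offline. It is a toy, not X.509: the JSON field encoding, the names `issue` and `verify`, and the sample subjects and keys are assumptions, and textbook RSA over publicly known Mersenne primes stands in for a real CA signature and is not secure.

```python
import hashlib
import json

# Toy CA key pair: textbook RSA over two publicly known Mersenne primes.
# Insecure by construction (no padding, known factors); demo stand-in only.
_P, _Q = 2**521 - 1, 2**607 - 1
CA_E = 65537
CA_N = _P * _Q                               # CA public modulus
_CA_D = pow(CA_E, -1, (_P - 1) * (_Q - 1))   # CA private exponent

def _digest(fields):
    """Hash a canonical encoding of the to-be-signed fields."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(serial, subject, subject_key, not_before, not_after):
    """CA side: bind the subject name to subject_key and sign all fields."""
    fields = {
        "version": 3, "serial": serial, "issuer": "CN=Demo CA",
        "not_before": not_before, "not_after": not_after,
        "subject": subject, "subject_public_key": subject_key,
    }
    return {"fields": fields, "signature": pow(_digest(fields), _CA_D, CA_N)}

def verify(cert, now, ca_n=CA_N, ca_e=CA_E):
    """Relying-party side: needs only the CA public key, no online lookup."""
    fields = cert["fields"]
    if pow(cert["signature"], ca_e, ca_n) != _digest(fields):
        return "bad signature"
    if not fields["not_before"] <= now <= fields["not_after"]:
        return "outside validity period"
    return "ok"

# Constructed sample data; ISO dates compare correctly as strings.
alice = issue(1001, "CN=alice", "alice-key-bytes", "2024-01-01", "2024-12-31")
# Same certificate with the subject key replaced after signing.
swapped = {"fields": dict(alice["fields"], subject_public_key="other-key"),
           "signature": alice["signature"]}
# Same fields signed with a key pair that is not the CA's.
_R_N = (2**127 - 1) * (2**89 - 1)
_R_D = pow(CA_E, -1, (2**127 - 2) * (2**89 - 2))
rogue = {"fields": alice["fields"],
         "signature": pow(_digest(alice["fields"]), _R_D, _R_N)}

if __name__ == "__main__":
    for label, cert in (("genuine", alice), ("swapped", swapped), ("rogue", rogue)):
        print(label, "->", verify(cert, "2024-06-15"))
    print("expired ->", verify(alice, "2025-02-01"))
```

The swapped-key and rogue-signer cases are the public-announcement weakness from earlier in the deck; here both fail because the relying party trusts only the CA's public key.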
Public Key Infrastructure (PKI)
• Public-key infrastructure (PKI) is a set of hardware,
software, people, policies, and procedures needed to
create, manage, distribute, use, store, and revoke
digital certificates.
• The principal objective for developing a PKI is to enable
secure, convenient and efficient acquisition of public
keys.
PKIX Model
• End entity: A generic term used to denote
end users, devices (e.g., servers, routers), or
any other entity that can be identified in the
subject field of a public-key certificate.
• Certification authority (CA): The issuer of
certificates and (usually) certificate
revocation lists (CRLs).
• Registration authority (RA): The RA is
often associated with the end entity
registration process but can assist in a
number of other areas as well.
• CRL issuer: An optional component
that a CA can delegate to publish CRLs.
• Repository: A generic term used to
denote any method for storing
certificates and CRLs so that they can
be retrieved by end entities.