Individual Certificates and PKI
Individual Digital Certificates
and PKI
Chris Connolly
Peter van Dijk
Galexia Consulting
http://www.galexia.com.au
1. Introduction
Galexia Consulting
Federal Privacy Commissioner’s
Discussion Paper on Digital Certificates –
forthcoming
Importance of authentication technologies
– why PKI?
Scope of this presentation – focus on ‘trust’
issues
2. Why Public Key Technology?
Public Key Technology involves the use of
digital signatures. These signatures are
used for:
– Authentication - confirm who you are
– Integrity - what you sent
– Non-repudiation - you can’t deny it
Additionally
– Confidentiality - what you can see - enables
the encryption and decryption of information
sent between two parties
2. What is PKI?
Public Key Infrastructure (PKI) is the combination of
software, encryption technologies (PKT), and
services that enables organisations to protect the
security of their communications and business
transactions on the Internet
PKIs integrate digital certificates, public-key
cryptography, and certificate authorities into a
shared network security architecture, including:
– issuance of digital certificates to individual users
– end-user enrolment software
– integration with corporate certificate directories
– tools for managing, renewing, and revoking certificates
2. Components of a PKI
http://www.baltimore.com
2. Components of a PKI
A PKI comprises the following components:
Certificate Authorities (CAs): These are responsible for issuing
and revoking certificates.
Registration Authorities (RAs): These verify the binding between
public keys and the identities of their holders. They conduct the initial
verification of a potential subscriber’s identity and/or attributes.
Subscribers/Digital Certificate holders: People, machines or
software agents that have been issued with certificates and can use
them to sign digital documents.
Clients: These validate digital signatures and their certification paths
from a trusted CA's public key.
Relying parties: Rely on the contents of a digital certificate in
communicating with subscribers.
Repositories/Directories: These store and make available
certificates and certificate revocation lists.
Security policy: This sets out and defines the organization's top-level direction on information security, as well as the processes and
principles for the use of cryptography.
2. What is a Digital Certificate?
A digital form of identification
– Similar to a passport or driver’s licence
– Binds subject’s public key (a mathematical value)
to one or more attributes relating to their identity
A certificate is valid for a period of time (often
one, three or ten years)
Certificates can do different things. For
example:
– Encrypt a document
– Sign a document – for non-repudiation
– Secure a WWW server
– Provide authentication - Enable the holder to
access a corporate network
2. Example Certificate (1)
Certificate Summary
2. Example Certificate (2)
Certificate Attribute details: Key Usage
2. Example Certificate (3)
Certificate Attribute details: Subject
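The CA and client roles from the components slide, and the subject, validity-period and key-usage fields from the certificate slides, shown as an added example that is not part of the original presentation. It assumes the Python `cryptography` package; the names `Example CA` and `Alice Example`, the dates and all helper functions are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _utc(cert, field):
    # cryptography >= 42 has *_utc properties; older releases return naive UTC
    value = getattr(cert, field + "_utc", None)
    return value or getattr(cert, field).replace(tzinfo=timezone.utc)

def issue(ca_key, subject_cn, subject_pub, start, days, signing=True):
    """CA role: bind subject_pub to subject_cn for a set period and purpose."""
    usage = x509.KeyUsage(
        digital_signature=signing, content_commitment=signing, key_encipherment=False,
        data_encipherment=False, key_agreement=not signing, key_cert_sign=False,
        crl_sign=False, encipher_only=False, decipher_only=False)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name("Example CA"))
            .public_key(subject_pub).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + timedelta(days=days))
            .add_extension(usage, critical=True)
            .sign(ca_key, hashes.SHA256()))

def validate(cert, trusted_ca_pub, at):
    """Client role: check CA signature, validity period, then key usage."""
    try:
        trusted_ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                              ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "not signed by trusted CA"
    if not _utc(cert, "not_valid_before") <= at <= _utc(cert, "not_valid_after"):
        return "outside validity period"
    usage = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    return "ok" if usage.digital_signature else "key usage does not permit signing"

def demo():
    ca_key, other_key, sub_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    pub, start = sub_key.public_key(), datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed
    certs = {"good": issue(ca_key, "Alice Example", pub, start, 365),
             "other_ca": issue(other_key, "Alice Example", pub, start, 365),
             "expired": issue(ca_key, "Alice Example", pub, start, 30),
             "no_signing": issue(ca_key, "Alice Example", pub, start, 365, signing=False)}
    at = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"
    return {k: validate(c, ca_key.public_key(), at) for k, c in certs.items()}
```

A production client would also build the full certification path and consult the CA's certificate revocation list, which this sketch leaves out.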
3. PKI Models
There are a number of factors that
differentiate PKI applications:
– The level of identification (ranging from
anonymous to fully identified);
– The use of attributes;
– The potential for multi-purpose/multi-use
certificates; and
– The use of online services, tokens and mobile
devices.
3. Case Studies
Case study 1 – Australian State
government agency applications
Case study 2 – Multi agency application
Case study 3 – Health smart card
Case study 4 – Patent application
Case study 5 – Banking application
3. Case Studies - Commonwealth
Australian Federal Agency applications
– Centrelink
– Australian Electoral Commission
– Health Insurance Commission
– Customs
– Electronic Tenders
– Jobsearch
Case study 6 – The Australian Business
Number – Digital Signature Certificate
(ABN-DSC)
4. Overview of privacy implications
1. Collection, use, and disclosure of
personal information
– By Certification Authorities and Registration
Authorities:
– By Relying Parties:
2. Storage and destruction
3. Certificate Revocation Lists (CRLs)
4. Privacy (continued)
4. Logging of CRL lookups
5. Revocation of a certificate
6. Cooperation with law enforcement
agencies
7. Access and correction rights
8. Security
4. Privacy (continued)
9. Identification requirements
10. Unique identifiers
11. Potential for additional use of data
(“function creep”)
12. Risk management practices
13. Limits on user choice
5. Conclusion
Tools to build ‘trust’ in digital certificates
Future trends/issues in PKI
Ongoing discussion and consultation