authorHolger Dengler <dengler@linutronix.de>2013-04-02 18:33:21 +0200
committerHolger Dengler <dengler@linutronix.de>2015-02-20 16:32:50 +0100
commitfca02ba4f66802961312bf4c6cfbfbde89a6153b (patch)
tree25ad8be1c8b9665d4be6fdc97e818480764aa7d5 /security/crypto/pres_pki_en.tex
parentc027e8700874182c476f18e5b89514b5ad5aaf16 (diff)
Add presentation for cryptography basics and PKI
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security/crypto/pres_pki_en.tex')
-rw-r--r--security/crypto/pres_pki_en.tex218
1 files changed, 218 insertions, 0 deletions
diff --git a/security/crypto/pres_pki_en.tex b/security/crypto/pres_pki_en.tex
new file mode 100644
index 0000000..67af31a
--- /dev/null
+++ b/security/crypto/pres_pki_en.tex
@@ -0,0 +1,218 @@
+\def\lximg{/usr/share/lx/icons/fueller.png}
+
+\newcommand{\superscript}[1]{\ensuremath{^{\textrm{#1}}}}
+\newcommand{\subscript}[1]{\ensuremath{_{\textrm{#1}}}}
+
+\input{configpres}
+
+\subsection{Public Key Infrastructure}
+
+\title{Public Key Infrastructure}
+\maketitle
+
+\def\lximg{none}
+
+\begin{frame}
+\frametitle{Contents}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\subsubsection{Fundamentals}
+
+\begin{frame}[fragile]
+\frametitle{Overview}
+\begin{figure}[h]
+\centering
+\includegraphics[scale=0.6]{images/pki-overview.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Roles}
+\begin{itemize}
+\item Certificate Authority
+\begin{itemize}
+\item Issue CA-Certificate (CA Public Key)
+\item Sign Public Keys (with CA Private Key)
+\end{itemize}
+\item Validation Authority
+\begin{itemize}
+\item Provide signed Certificates
+\item Unique relation between Client and Certificate
+\end{itemize}
+\item Registration Authority
+\begin{itemize}
+\item Process Certificate Signing Requests
+\item Ensure Clients Identity
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Elements (1)}
+\begin{itemize}
+\item Key Pair
+\begin{itemize}
+\item Public and Private Key
+\end{itemize}
+\item Signature (of Payload)
+\begin{itemize}
+\item Payload-Hash, encrypted with the Private Key of the Signee
+\end{itemize}
+\item Certificate Sign Request
+\begin{itemize}
+\item Public Key of the Requester
+\item Meta-Information about the Requester
+\item Signature from the Requester (self-signed)
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Elements (2)}
+\begin{itemize}
+\item Certificate (of Owner)
+\begin{itemize}
+\item Public Key of the Owner
+\item Verified Meta-Information about the Owner
+\item Signature from the Owner (self-signed)
+\item Signatures of others (e.g. the CA)
+\end{itemize}
+\item Certificate Revocation List
+\begin{itemize}
+\item Revoked Certificates
+\end{itemize}
+\item Directory Server
+\begin{itemize}
+\item Certification Directory
+\item e.g. LDAP- or X.500-Server
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Workflows}
+
+\begin{frame}
+\frametitle{Create CA-Certificate}
+\begin{itemize}
+\item Create Key-Pair
+\item Self-Sign Public Key
+\item opt: generate Certificate Signing Request for Root CA
+\item Send CA-Certificate to Directory Server and/or Validation Authority
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Process Client Certificate}
+\begin{itemize}
+\item Requester
+\begin{itemize}
+\item Create Key-Pair
+\item Create Certificate Signing Request (Meta-Info)
+\item Send it to the RA
+\end{itemize}
+\item Registration Authority
+\begin{itemize}
+\item Validate Signature in CSR
+\item Validate Meta-Information of Requester
+\item Forward CSR to the CA
+\end{itemize}
+\item Certificate Authority
+\begin{itemize}
+\item Validate Signature in CSR
+\item Sign CSR
+\item Send Certificate to Requester and Directory Server
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Working with Client Certificate}
+\begin{itemize}
+\item Client
+\begin{itemize}
+\item Send signed Request to Server
+\end{itemize}
+\item Server
+\begin{itemize}
+\item Send Signature Validation Request to VA
+\end{itemize}
+\item Validation Authority
+\begin{itemize}
+\item Retrieve Clients Certificate in Directory Server
+\item Check Certificate Revocation List
+\item Validate Clients Certificate with CA-Certificate
+\item Validate Signature with Clients Certificate
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Trust}
+
+\begin{frame}
+\frametitle{Trust Models}
+\begin{itemize}
+\item Strict Hierarchy
+\begin{itemize}
+\item No Signing between Levels
+\item Simple and efficient
+\item Compromising Root affects whole Tree
+\end{itemize}
+\item Cross-Signing
+\begin{itemize}
+\item Certificates signed by multiple CAs
+\item More than one Root must be compromised to affect the Tree
+\end{itemize}
+\item Web of Trust
+\begin{itemize}
+\item High Security
+\item Individual Trust
+\item High Maintenance Effort
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Tools}
+
+\begin{frame}
+\frametitle{Tools}
+Commandline
+\begin{itemize}
+\item OpenSSL
+\item easy-rsa
+\end{itemize}
+GUI/Web
+\begin{itemize}
+\item OpenCA
+\item XCA (UI for Linux, Mac and Windows)
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Related Links}
+
+\begin{frame}
+Starting point on Wikipedia
+\begin{itemize}
+\item \url{https://en.wikipedia.org/wiki/Public\_key\_infrastructure}
+\end{itemize}
+Tools
+\begin{itemize}
+\item \url{http://www.openssl.org/}
+\item \url{http://openvpn.net/easyrsa.html}
+\item \url{http://www.openca.org/}
+\item \url{http://xca.sourceforge.net/}
+\end{itemize}
+\end{frame}
+
+\subsection{}
+\input{tailpres}
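Review bot: The Trust Models slide gets the security property of cross-signing backwards: with certificates signed by multiple CAs, a relying party that trusts any one of those roots accepts the certificate, so compromising a single root is enough to issue trusted forgeries, and cross-signing widens the trust exposure rather than requiring "More than one Root" to be compromised. Suggested replacement for that bullet: `\item Compromising any one signing Root is sufficient; the trust surface grows`. The same slide says a strict hierarchy has `No Signing between Levels`, which contradicts how a root signs its intermediates; something like `\item Each level is signed only by the level above` would match the rest of the deck. Two smaller wording points in the Elements slides: `Payload-Hash, encrypted with the Private Key of the Signee` describes signing as encryption, which only loosely fits RSA and not DSA/ECDSA, so `signed with the Private Key` is safer; and an X.509 certificate carries exactly one signature, the issuer's, so `Signature from the Owner (self-signed)` under Certificate holds only for self-signed roots and should be marked as such.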