\def\lximg{/usr/share/lx/icons/fueller.png}

\newcommand{\superscript}[1]{\ensuremath{^{\textrm{#1}}}}
\newcommand{\subscript}[1]{\ensuremath{_{\textrm{#1}}}}

\input{configpres}

\subsection{Public Key Infrastructure}

\title{Public Key Infrastructure}
\maketitle

\def\lximg{none}

\begin{frame}
\frametitle{Contents}
\tableofcontents
\end{frame}

% ----------------------------
\subsubsection{Fundamentals}

\begin{frame}[fragile]
\frametitle{Overview}
\begin{figure}[h]
\centering
\includegraphics[scale=0.6]{images/pki-overview.png}
\end{figure}
\end{frame}

% ----------------------------
\begin{frame}
\frametitle{Roles}
\begin{itemize}
\item Certificate Authority
\begin{itemize}
\item Issue CA-Certificate (CA Public Key)
\item Sign Certificates (with CA Private Key), binding a Public Key to a verified Identity
\end{itemize}
\item Validation Authority
\begin{itemize}
\item Provide Certificate Status for issued Certificates (revocation and chain validation on behalf of the CA)
\item Confirm the unique relation between Client and Certificate
\end{itemize}
\item Registration Authority
\begin{itemize}
\item Process Certificate Signing Requests
\item Verify the Client's Identity before a Certificate is issued
\end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
\frametitle{Elements (1)}
\begin{itemize}
\item Key Pair
\begin{itemize}
\item Public and Private Key
\end{itemize}
\item Signature (of Payload)
\begin{itemize}
\item Hash of the Payload, signed with the Private Key of the Signer (in textbook RSA: ``encrypted'' with the Private Key)
\item Verifiable by anyone holding the Signer's Public Key
\end{itemize}
\item Certificate Signing Request (CSR)
\begin{itemize}
\item Public Key of the Requester
\item Meta-Information about the Requester
\item Signature from the Requester (self-signed) -- proves possession of the matching Private Key
\end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
\frametitle{Elements (2)}
\begin{itemize}
\item Certificate (of Owner)
\begin{itemize}
\item Public Key of the Owner
\item Verified Meta-Information about the Owner (Identity, Validity Period)
\item Signature of the Issuer (the CA); only a Root CA Certificate is self-signed
\item Web of Trust only (e.g. OpenPGP): Signatures of other Key Holders
\end{itemize}
\item Certificate Revocation List
\begin{itemize}
\item Signed List of revoked, not yet expired Certificates, published by the CA
\item Must be current and checked before a Certificate is trusted
\end{itemize}
\item Directory Server
\begin{itemize}
\item Certification Directory
\item e.g. LDAP- or X.500-Server
\end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Workflows}

\begin{frame}
\frametitle{Create CA-Certificate}
\begin{itemize}
\item Create Key-Pair (protect the CA Private Key: offline storage, strictly restricted access)
\item Self-Sign Public Key (Root CA)
\item opt: generate Certificate Signing Request for the Root CA (Intermediate CA)
\item Send CA-Certificate to Directory Server and/or Validation Authority
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
\frametitle{Process Client Certificate}
\begin{itemize}
\item Requester
\begin{itemize}
\item Create Key-Pair
\item Create Certificate Signing Request (Meta-Info)
\item Send it to the RA
\end{itemize}
\item Registration Authority
\begin{itemize}
\item Validate Signature in CSR (proof of possession of the Private Key)
\item Verify the Identity and Meta-Information of the Requester
\item Forward CSR to the CA
\end{itemize}
\item Certificate Authority
\begin{itemize}
\item Validate Signature in CSR
\item Sign CSR (issue the Certificate with the CA Private Key)
\item Send Certificate to Requester and Directory Server
\end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
\frametitle{Working with Client Certificate}
\begin{itemize}
\item Client
\begin{itemize}
\item Send signed Request to Server
\end{itemize}
\item Server
\begin{itemize}
\item Send Signature Validation Request to VA
\end{itemize}
\item Validation Authority
\begin{itemize}
\item Retrieve the Client's Certificate from the Directory Server
\item Check the Certificate Revocation List (a stale CRL is not a valid check)
\item Validate the Client's Certificate with the CA-Certificate (chain and validity period)
\item Validate the Signature with the Client's Certificate
\end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Trust}

\begin{frame}
\frametitle{Trust Models}
\begin{itemize}
\item Strict Hierarchy
\begin{itemize}
\item Each CA signs only the Level directly below it; no Cross-Signing between Branches
\item Simple and efficient
\item Compromising the Root affects the whole Tree
\end{itemize}
\item Cross-Signing
\begin{itemize}
\item Certificates (or CAs) signed by multiple CAs, i.e. valid under more than one Root
\item Survives the loss or distrust of a single Root; but compromising any one of the Roots is enough to issue fraudulent Certificates
\end{itemize}
\item Web of Trust
\begin{itemize}
\item High Security (no single Root to compromise)
\item Individual Trust
\item High Maintenance Effort
\end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Tools}

\begin{frame}
\frametitle{Tools}
Commandline
\begin{itemize}
\item OpenSSL
\item easy-rsa
\end{itemize}
GUI/Web
\begin{itemize}
\item OpenCA
\item XCA (UI for Linux, Mac and Windows)
\end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Related Links}

\begin{frame}
Starting point on Wikipedia
\begin{itemize}
\item \url{https://en.wikipedia.org/wiki/Public_key_infrastructure}
\end{itemize}
Tools
\begin{itemize}
\item \url{http://www.openssl.org/}
\item \url{http://openvpn.net/easyrsa.html}
\item \url{http://www.openca.org/}
\item \url{http://xca.sourceforge.net/}
\end{itemize}
\end{frame}

\subsection{}
\input{tailpres}