Certificate transparency: New part of PKI infrastructure

A presentation by Dmitry Belyavsky, TCI
ENOG 7, Moscow, May 26-27, 2014


Page 1:

Certificate transparency: New part of PKI infrastructure

A presentation by Dmitry Belyavsky, TCI
ENOG 7, Moscow, May 26-27, 2014

Page 2:

About PKI

PKI (public-key infrastructure) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

Page 3:

Check the server certificate

The browser trusts many CAs. Is the server certificate signed correctly by any one of them?

YES: everything seems to be OK.
NO: we warn the user.

Note that any one of the many trusted CAs is enough: the browser does not know which CA the site owner actually uses.

Page 4:

DigiNotar case

In 2011 the compromised Dutch CA DigiNotar issued a fraudulent *.google.com certificate. The chart shows OCSP requests for that certificate, i.e. clients that were shown the fake certificate.

[Figure: OCSP requests for the fake *.google.com certificate]
Source: FOX-IT, Interim Report, http://cryptome.org/0005/diginotar-insec.pdf

Page 5:

PKI: extra trust

PKI + independent source => trusted certificate

DANE (RFC 6698)
• Limited browser support

Certificate pinning
• Mozilla Certificate Patrol, Chrome cache for Google certificates

Certificate transparency (RFC 6962)
• Inspired by Google (support in Chrome appeared)
• One of the authors: Ben Laurie (OpenSSL founder)
• CA support: Comodo

Page 6:

Certificate Transparency: how it works

• Log accepts cert => SCT (Signed Certificate Timestamp)
• Client: is the SCT present and signed correctly?
• Auditor: does the log server behave correctly?
• Monitor: any suspicious certs?
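The log and auditor steps above, as an added worked example (this is not the presenter's code and not the certificate-transparency.org implementation): an RFC 6962 Merkle tree with inclusion proofs (the log really included a given certificate under a signed tree head) and consistency proofs (the log only appended entries between two tree heads, so it cannot silently rewrite history). The leaf contents are constructed placeholders standing in for DER-encoded certificates. The hash function is a parameter, SHA-256 by default as in RFC 6962, so another hash could be substituted given an implementation. The client-side check, verifying the log's signature on the SCT, needs a signature library and is not shown here.

```python
"""RFC 6962 Merkle tree with inclusion and consistency proofs (added example)."""
import hashlib
from typing import Callable, List

HashFn = Callable[[bytes], bytes]


def sha256(data: bytes) -> bytes:
    """Default hash; any other HashFn with the same signature can be passed instead."""
    return hashlib.sha256(data).digest()


def leaf_hash(leaf: bytes, h: HashFn = sha256) -> bytes:
    # RFC 6962 2.1: leaves are prefixed with 0x00 ...
    return h(b"\x00" + leaf)


def node_hash(left: bytes, right: bytes, h: HashFn = sha256) -> bytes:
    # ... and interior nodes with 0x01, so a leaf can never pose as a node
    return h(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while 2 * k < n:
        k *= 2
    return k


def merkle_tree_hash(leaves: List[bytes], h: HashFn = sha256) -> bytes:
    """MTH(D[n]): the root the log signs as its tree head (RFC 6962 2.1)."""
    n = len(leaves)
    if n == 0:
        return h(b"")
    if n == 1:
        return leaf_hash(leaves[0], h)
    k = _split(n)
    return node_hash(merkle_tree_hash(leaves[:k], h), merkle_tree_hash(leaves[k:], h), h)


def inclusion_proof(m: int, leaves: List[bytes], h: HashFn = sha256) -> List[bytes]:
    """PATH(m, D[n]): sibling hashes from leaf m up to the root (RFC 6962 2.1.1)."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(m, leaves[:k], h) + [merkle_tree_hash(leaves[k:], h)]
    return inclusion_proof(m - k, leaves[k:], h) + [merkle_tree_hash(leaves[:k], h)]


def verify_inclusion(leaf: bytes, index: int, tree_size: int, proof: List[bytes],
                     root: bytes, h: HashFn = sha256) -> bool:
    """Auditor check: recompute the root from the leaf and its proof (RFC 9162 2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(leaf, h)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:          # sibling is on the left (right child or ragged edge)
            r = node_hash(p, r, h)
            while fn and not fn & 1:
                fn >>= 1
                sn >>= 1
        else:                           # left child: sibling is on the right
            r = node_hash(r, p, h)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def consistency_proof(m: int, leaves: List[bytes], h: HashFn = sha256) -> List[bytes]:
    """PROOF(m, D[n]): the tree of the first m leaves is a prefix of the full tree."""
    def sub(m: int, part: List[bytes], complete: bool) -> List[bytes]:
        n = len(part)
        if m == n:
            return [] if complete else [merkle_tree_hash(part, h)]
        k = _split(n)
        if m <= k:
            return sub(m, part[:k], complete) + [merkle_tree_hash(part[k:], h)]
        return sub(m - k, part[k:], False) + [merkle_tree_hash(part[:k], h)]
    return sub(m, leaves, True)


def verify_consistency(first: int, second: int, first_hash: bytes, second_hash: bytes,
                       proof: List[bytes], h: HashFn = sha256) -> bool:
    """Auditor check: the log only appended between two tree heads (RFC 9162 2.1.4.2)."""
    if first == 0 or first > second:
        return False
    if first == second:
        return not proof and first_hash == second_hash
    if not proof:
        return False
    path = ([first_hash] if (first & (first - 1)) == 0 else []) + list(proof)
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn >>= 1
        sn >>= 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr = node_hash(c, fr, h)
            sr = node_hash(c, sr, h)
            while fn and not fn & 1:
                fn >>= 1
                sn >>= 1
        else:
            sr = node_hash(sr, c, h)
        fn >>= 1
        sn >>= 1
    return fr == first_hash and sr == second_hash and sn == 0


def demo() -> dict:
    leaves = [b"cert-%d" % i for i in range(7)]        # constructed stand-ins for certificates
    root3 = merkle_tree_hash(leaves[:3])               # tree head when the log held 3 entries
    root7 = merkle_tree_hash(leaves)                   # tree head after 4 more were appended
    forked = leaves[:1] + [b"replaced"] + leaves[2:]   # a log that silently rewrote entry 1
    return {
        "inclusion_ok": verify_inclusion(leaves[5], 5, 7, inclusion_proof(5, leaves), root7),
        "inclusion_tampered": verify_inclusion(b"evil", 5, 7, inclusion_proof(5, leaves), root7),
        "consistency_ok": verify_consistency(3, 7, root3, root7, consistency_proof(3, leaves)),
        "consistency_forked": verify_consistency(
            3, 7, root3, merkle_tree_hash(forked), consistency_proof(3, forked)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two prefixes (0x00 for leaves, 0x01 for nodes) are what keep a second-preimage attack from passing an interior node off as a certificate entry; the consistency check is what turns "the log behaves correctly" into something an auditor can verify mechanically against two signed tree heads, and it fails for the forked log in the demo even though the forked tree is internally well-formed.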

Page 7:

Certificate Transparency: how it works

[Diagram] Source: http://www.certificate-transparency.org

Page 8:

Certificate Transparency: how it works

[Diagram] Source: http://www.certificate-transparency.org

Page 9:

Certificate Transparency: current state

• Google Chrome support (33+)
  http://www.certificate-transparency.org/certificate-transparency-in-chrome
• Google's EV certificate plan (CT required for EV certificates in Chrome)
  http://www.certificate-transparency.org/ev-ct-plan

Page 10:

Certificate Transparency: current state

• Open source code
• 2 pilot logs

Page 11:

Certificate Transparency: protect from what?

Does NOT protect against Heartbleed!

Protects against MITM attacks with a mis-issued certificate:
✓ warning from the browser
✓ site owner can watch the logs for certificates issued for their names

Page 12:

Certificate transparency and Russian GOST crypto

Russian GOST crypto does not protect against the MITM attack either. To use CT with GOST, swap the algorithms:

Hash algorithm: SHA-256 >>> GOST R 34.11-2012
Signing key: >>> GOST R 34.10-2012

Page 13:

Q&A

Questions?

Drop ‘em at:

[email protected]