Induction: Security and Certification –April 26-28, 2004 - 1
Security and Certification; Authentication and Authorisation
John Kewley
EGEE Training Team
EGEE is funded by the European Union under contract IST-2003-508833
Acknowledgements
• Some of these slides have been taken from a longer presentation by Mike Jones of the University of Manchester.
• Prepared by John Kewley, CCLRC Daresbury Laboratory
Goals of this module
Describe …
• Security basics
• Use of Certificates
• Importance of Certificate Authorities
Overview
• Introduction to Security
• Public/private keys in action
• Certificates
• Certificate Authorities
Introduction to Security
What aspects of security should we be concerned about?
• Authentication (Identification)
• Confidentiality (Privacy)
• Integrity (non-Tampering)
• Authorisation
Also
• Accounting
• Delegation
• Non-Repudiation
Tools of the trade
• Encryption
  • Secret “symmetric” key – both parties need to share the key
    • DES, RC4
    • Comparatively efficient
  • Public/private key – “asymmetric” – 2 keys mathematically related
    • RSA, DSA (RSA encrypts and signs; DSA signs only)
    • Slower
• Oneway hash / message digest
  • MD5, SHA-1
  • fast
Gbbyf bs gur genqr (the previous slide, encoded with ROT13)
• Rapelcgvba
  • Frpergt “flzzrgevp” xrl – obgu cnegvrf arrq gb funer gur xrl
    • QRF, EP4
    • Pbzcnengviryl rssvpvrag
  • Choyvp/cevingr xrl – “nflzzrgevp” – 2 xrlf zngurzngvpnyyl eryngrq
    • EFN, QFN
    • Fybjre
• Barjnl unfu / zrffntr qvtrfg
  • ZQ5, FUN-1
  • Snfg
Encrypting for Confidentiality (1)
Sending a message using symmetric keys
1. Encrypt message using shared key
2. Send encrypted message
3. Receiver decrypts message using shared key
Only someone with shared key can decrypt message
But how do the keys get shared?
[Figure: “Hello World” is encrypted with openssl in the sender’s space using the shared key, the ciphertext (“hR3a rearj”) crosses public space, and the receiver decrypts it with the same key.]
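The three steps above, run end to end in Python, as an added example that is not part of the slides or of any EGEE software. The slides name DES and RC4; neither is in the Python standard library and neither is considered secure today, so the example builds its keystream from SHA-256 in counter mode and XORs it with the message. The shared key and the message are constructed for the demonstration. Real systems use AES-GCM or ChaCha20-Poly1305 from a vetted library, and the `openssl enc` command does the same job from the shell, which is what the slide’s openssl boxes stand for.

```python
"""Symmetric encryption round trip, step by step, with a hash-based stream cipher.

Added example, not from the EGEE slides.  DES and RC4 (the slides' examples)
are not in the Python standard library and are broken by today's standards,
so the keystream here is SHA-256 in counter mode: block i = SHA-256(key ||
nonce || i), XORed with the message.  A teaching construction only; real
code uses AES-GCM or ChaCha20-Poly1305 from a vetted library.
"""
import hashlib
import os

NONCE_LEN = 16


def keystream(key, nonce, length):
    """Derive `length` bytes of keystream from the shared key and a nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext, nonce=None):
    """Return nonce || ciphertext.  A fresh nonce per message keeps the keystream
    from ever repeating, which no stream cipher survives (XOR of two ciphertexts
    under the same keystream leaks the XOR of the two messages)."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key, blob):
    """XOR is its own inverse: regenerate the same keystream and apply it again."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo():
    """Slide steps 1-3, plus an eavesdropper who sees the ciphertext but not the key."""
    shared_key = hashlib.sha256(b"constructed shared secret").digest()  # constructed key
    message = b"Hello World"
    sent = encrypt(shared_key, message)            # 1. encrypt, 2. send
    received = decrypt(shared_key, sent)           # 3. receiver decrypts with the same key
    eavesdropper = decrypt(b"wrong key", sent)     # no shared key: only noise comes out
    return {"ciphertext": sent[NONCE_LEN:].hex(), "received": received,
            "eavesdropper": eavesdropper}


if __name__ == "__main__":
    print(demo())
```

The block shows the property the slide states, that the same key is needed on both ends, but not how that key got to both ends; that is the question the slide leaves open and the later public-key slides answer.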
Encrypting for Confidentiality (2)
Sending a message using asymmetric keys
1. Encrypt message using Receiver’s public key
2. Send encrypted message
3. Receiver decrypts message using own private key
Only someone with Receiver’s private key can decrypt message
[Figure: the Receiver’s public key is available in public space; the sender encrypts “Hello World” with it using openssl, the ciphertext (“hR3a rearj”) crosses public space, and the Receiver decrypts it with the private key.]
Signing for Authentication
1. Encrypt message with Sender’s private key
2. Send encrypted message
3. Message is readable by ANYONE with Sender’s public key
4. Receiver decrypts message with Sender’s public key
Receiver can be confident that only someone with Sender’s private key could have sent the message
[Figure: the sender encrypts “Hello World” with the private key using openssl, the result (“n52krj rer”) crosses public space, and the Receiver, holding the Sender’s public key, decrypts it back to “Hello World”.]
Certificates
• A statement from someone else (the Certificate Authority), that your public key (and hence your private key) is associated with your identity
• A certificate can be checked if you have the public key of the party who signed it
Certificate Authority
• A Certificate Authority (CA) issues you your certificates.
• By signing them it is able to vouch for you to third parties
• In return for this service, you must provide appropriate documentary evidence of identity when you apply for a certificate through a Registration Authority (RA)
Certificate contents
• The certificate that you present to others contains:
  • Your distinguished name (DN)
  • Your public key
  • The identity of the CA who issued the certificate
  • Its expiry date
  • Digital signature of the CA which issued it
The Full Monty
• Server authenticates Client
• Client authenticates Server
• (Symmetric) Session key exchanged confidentially using public key mechanism
• Secure session can now commence using more efficient, agreed “session key”
• Secure messages will also contain a message digest to ensure integrity
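The public-key half of the deck (encrypting to a receiver’s public key, signing with a sender’s private key, the certificate contents, the CA check, and the session-key handshake of this slide) as one runnable walk-through. This is an added example, not code from the slides or from any EGEE software. It uses textbook RSA on fixed Mersenne primes so that it runs offline with only the Python standard library: no padding, no randomness in the keys, and a hand-rolled JSON “certificate” in place of X.509; the DNs, expiry times and key material are constructed. Two details sharpen what the signing slide simplifies: what is “encrypted” with the private key is a SHA-256 digest of the message, not the message itself, and the receiver compares the recovered digest with a fresh one, which is where the integrity check of this slide comes from. Only the client-authenticates-server direction is shown; the reverse direction is the same check with the roles swapped. The failure modes a practitioner cares about are exercised too: an expired certificate, a certificate whose DN was altered after signing, and a certificate from a CA the client does not trust are all rejected. With real keys the same operations are `openssl pkeyutl`, `openssl dgst -sign`/`-verify`, `openssl req -x509` and `openssl verify`.

```python
"""Public-key confidentiality, signing, a CA-signed certificate and the
session-key handshake of "The Full Monty" as one runnable walk-through.

Added example, not from the EGEE slides or from any EGEE software.  It
uses textbook RSA on fixed Mersenne primes so that it runs offline with
only the Python standard library: no padding, no randomness in the keys,
and a hand-rolled JSON "certificate" instead of X.509.  None of that is
fit for real use; it exists to make the slides' arrows concrete.
"""
import hashlib
import hmac
import json
import os

E = 65537


def make_keypair(p, q, e=E):
    """Textbook RSA: n = p*q is public, d is the private exponent."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # modular inverse, Python 3.8+
    return {"n": n, "e": e}, {"n": n, "d": d}   # (public, private)


def encrypt(pub, plaintext):
    """Slide 11: encrypt with the RECEIVER's public key.  A leading 0x01
    marker byte survives the int round trip; real RSA uses OAEP padding."""
    m = int.from_bytes(b"\x01" + plaintext, "big")
    assert m < pub["n"], "too long for one textbook-RSA block"
    return pow(m, pub["e"], pub["n"])


def decrypt(priv, c):
    """Only the holder of the matching PRIVATE key can invert encrypt()."""
    m = pow(c, priv["d"], priv["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]


def sign(priv, data):
    """Slide 13: 'encrypt' a SHA-256 digest with the SENDER's private key."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, priv["d"], priv["n"])


def verify(pub, data, sig):
    """Anyone holding the public key can check the signature against a fresh digest."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(sig, pub["e"], pub["n"]) == h


def issue_cert(ca_priv, ca_name, subject_dn, subject_pub, not_after):
    """Slide 16: DN, public key, issuer and expiry, all under the CA's signature."""
    body = {"subject": subject_dn, "pub": subject_pub,
            "issuer": ca_name, "not_after": not_after}
    tbs = json.dumps(body, sort_keys=True).encode()   # canonical to-be-signed bytes
    return {"body": body, "sig": sign(ca_priv, tbs)}


def check_cert(cert, ca_pub, ca_name, now):
    """Slide 14: checkable by anyone who holds the CA's public key.
    Returns None if acceptable, otherwise the reason for rejection."""
    body = cert["body"]
    if body["issuer"] != ca_name:
        return "issued by a CA we do not trust"
    tbs = json.dumps(body, sort_keys=True).encode()
    if not verify(ca_pub, tbs, cert["sig"]):
        return "CA signature does not verify (tampered or forged)"
    if now > body["not_after"]:
        return "certificate has expired"
    return None


# Constructed key material: distinct Mersenne primes per party so the two
# moduli share no factor.  Real keys use random primes of >= 1024 bits each.
CA_PUB, CA_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
SERVER_PUB, SERVER_PRIV = make_keypair(2**107 - 1, 2**607 - 1)
CA_NAME = "/C=UK/O=eScience/CN=Example CA"             # constructed DN
SERVER_DN = "/C=UK/O=eScience/CN=server.example.org"   # constructed DN
SERVER_CERT = issue_cert(CA_PRIV, CA_NAME, SERVER_DN, SERVER_PUB, not_after=1_090_000_000)


def full_monty(now=1_085_000_000, message=b"Hello World"):
    """Slide 17: the client verifies the server certificate, sends a fresh
    session key under the public key taken from that certificate, and both
    sides then protect messages with the cheap shared key (HMAC-SHA256 here)."""
    problem = check_cert(SERVER_CERT, CA_PUB, CA_NAME, now)
    if problem:
        return {"ok": False, "reason": problem}
    session_key = os.urandom(32)                                # client side
    wrapped = encrypt(SERVER_CERT["body"]["pub"], session_key)  # key comes from the cert
    server_key = decrypt(SERVER_PRIV, wrapped)                  # server side
    client_tag = hmac.new(session_key, message, hashlib.sha256).digest()
    server_tag = hmac.new(server_key, message, hashlib.sha256).digest()
    return {"ok": True, "keys_match": server_key == session_key,
            "integrity_ok": hmac.compare_digest(client_tag, server_tag)}


if __name__ == "__main__":
    print(full_monty())
    print(full_monty(now=1_100_000_000))   # past not_after: the handshake is refused
```

Note the order of checks in `check_cert`: the issuer name is compared before the signature is verified, because a signature only means something relative to a key you already trust; the CA’s public key must reach the client by some out-of-band route (a trusted-CA bundle), which is the one thing no certificate can bootstrap for you.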
Summary
We have looked at
• Security basics
• Use of Certificates
• Importance of Certificate Authorities