pki : the role of ttps for the development of secure transaction systems

PKI : The role of TTP’s for the PKI : The role of TTP’s for the Development of secure Development of secure Transaction Systems Transaction Systems Copyright, 1998 © John Iliadis, University of the Aegean EPIC

Upload: john-iliadis

Post on 28-Nov-2014




0 download


Workshop on Software Process Improvement and Formal Methods in Security and Safety, Athens, Greece, March 1998, EPIC Project (Exchanging process information experiences across SMEs by conferencing on the Internet"), 1997-1998, European Commission, ESPRIT Programme


Page 1: PKI : The role of TTPs for the Development of secure Transaction Systems

PKI : The role of TTP’s for the PKI : The role of TTP’s for the Development of secure Development of secure Transaction Systems Transaction Systems

Copyright, 1998 © John Iliadis, University of the Aegean


Page 2: PKI : The role of TTPs for the Development of secure Transaction Systems


• Electronic transactions : how safe are they? Common security threats

• Security schemes and solutions used before the development of PKI

• The role of PKI in securing transactions. Providing secure transactions in insecure networks

Page 3: PKI : The role of TTPs for the Development of secure Transaction Systems


• Identification of security threats in Identification of security threats in electronic transactionselectronic transactions

• Confrontation with security threats Confrontation with security threats through PKI provisionsthrough PKI provisions

• TTP : the cornerstone of a Public Key TTP : the cornerstone of a Public Key Infrastructure. A general overviewInfrastructure. A general overview

• TTP services and functionsTTP services and functions

Page 4: PKI : The role of TTPs for the Development of secure Transaction Systems

Security threats in electronic Security threats in electronic transactionstransactions• monitoring of communication linesmonitoring of communication lines

• Non-authorised modification of (in-transit) Non-authorised modification of (in-transit) informationinformation

• Masquerade - Web spoofingMasquerade - Web spoofing

• Password stealingPassword stealing

• Unauthorised accessUnauthorised access

• Key personnel and physical insecurityKey personnel and physical insecurity

Page 5: PKI : The role of TTPs for the Development of secure Transaction Systems

Insecure electronic Insecure electronic transactionstransactions

Entity1 Entity2

insecure transaction


Page 6: PKI : The role of TTPs for the Development of secure Transaction Systems

Confrontation with security Confrontation with security threats through PKI provisionsthreats through PKI provisions• monitoring of communication linesmonitoring of communication lines

Encryption with randomly generated shared session keyEncryption with randomly generated shared session key

• shared session key stealing/guessingshared session key stealing/guessing--cryptographically secure random key generatorscryptographically secure random key generators-encryption of shared session key with the public key of -encryption of shared session key with the public key of the receiving entitythe receiving entity

• Non-authorised modification of (in-transit) informationNon-authorised modification of (in-transit) informationsecure hashing algorithms for message authentication secure hashing algorithms for message authentication codescodes

Page 7: PKI : The role of TTPs for the Development of secure Transaction Systems

Confrontation with security Confrontation with security threats through PKI provisionsthreats through PKI provisions

• Masquerade - Web spoofingMasquerade - Web spoofingExchange of X509v3 certificates and verification Exchange of X509v3 certificates and verification against a Directoryagainst a Directory

• Password stealingPassword stealingPasswords are never transmitted in the networkPasswords are never transmitted in the network

• Unauthorised accessUnauthorised accessLocal ACL. Authentication by certificate verificationLocal ACL. Authentication by certificate verification

Page 8: PKI : The role of TTPs for the Development of secure Transaction Systems

TTP : Securing electronic TTP : Securing electronic transactionstransactions

Entity1 Entity2

insecure transaction

secure transaction


Issuing certificatesIssuing certificates


Page 9: PKI : The role of TTPs for the Development of secure Transaction Systems

TTP : the cornerstone of a Public Key TTP : the cornerstone of a Public Key Infrastructure. A general overviewInfrastructure. A general overview

TTP : “an impartial organisation delivering business confidence, through commercial and technical security features, to an electronic transaction”

Page 10: PKI : The role of TTPs for the Development of secure Transaction Systems

TTP : the cornerstone of a Public Key TTP : the cornerstone of a Public Key Infrastructure. Technical InfrastructureInfrastructure. Technical Infrastructure

• Directory Services acting as repositories of identification and authentication information of the entities participating in the security scheme.

• Certificate Servers providing the X.509v3 certificates and thusvalidating the signatures of the abovementioned entities

• Content Servers operating as platforms for the dissemination ofdata and the remote execution of application. If the network thatis used is the Internet, then the content servers are Web Servers.

• Network client which provides the capability of accessing theinformation stored in the content servers, executing remote applications and accept and store certificates for use by the entity.If the network used is the Internet, then the network client is a Webbrowser

Page 11: PKI : The role of TTPs for the Development of secure Transaction Systems

TTP : the cornerstone of a Public Key TTP : the cornerstone of a Public Key Infrastructure. Technical InfrastructureInfrastructure. Technical Infrastructure

Web Server



Backup of local


local repository

Web browser

Page 12: PKI : The role of TTPs for the Development of secure Transaction Systems

TTP services and functionsTTP services and functions• Electronic Registration

• Key Personalisation, Generation, and Repository

• Certificates: Structure, Generation, Distribution, Storage, and Retrieval

• Certificate Directory Management

• CRLs: Structure, Generation and Maintenance, Distribution, Storage, and Retrieval

• Auditing