Pkiuniversity.com. Alice Bob Honest Abe’s CA Simple PKI hierarchy.

Transcript
Page 1: Pkiuniversity.com. Alice Bob Honest Abe’s CA Simple PKI hierarchy.

pkiuniversity.com

Page 2:

Alice Bob

Honest Abe’s CA

Page 3:
Page 4:

Simple PKI hierarchy

Page 5:

Multi-level hierarchy

Page 6:

My personal certificate (installed on a Mac)

Page 7:

Dartmouth CA’s certificate (installed on a Mac)

Page 8:

Building a trust path

1. To verify certificate α starting with a set of trusted certificates we need to:
   a. Identify the issuer of α (i.e., β)
   b. Verify if β is trusted

2. If β is among the set of trusted certificates, the original cert is trusted

3. Else if β is a root certificate, the original cert is untrusted

4. Else if β is not trusted set α=β and repeat the process until a trusted or a root certificate is identified
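A Python model of the path-building steps above, added here as an example and not taken from the slides. Certificates are constructed stand-ins holding only subject and issuer names (signature checking is assumed to happen separately), and the issuer lookup allows several candidate certificates for one name, so the same loop also covers the cross-certification cases on the following slides; the `_seen` set is an added guard so a cross-certification loop cannot repeat forever.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: only the names the path-building
    steps look at (constructed; signature checks are assumed done elsewhere)."""
    subject: str
    issuer: str

def is_root(cert: Cert) -> bool:
    """A root certificate is self-signed: issuer name equals subject name."""
    return cert.subject == cert.issuer

def build_path(alpha: Cert, certs, trusted, _seen=frozenset()):
    """Apply the four steps from the slide to alpha; returns (path, status).
    path runs from alpha to the certificate that decided the outcome.  Several
    certificates may carry the issuer's name (cross certification), so every
    candidate beta is tried; _seen holds subject names already on the path."""
    # Step 1a: identify the issuer beta of alpha (all candidates).
    candidates = [c for c in certs
                  if c.subject == alpha.issuer and c.subject not in _seen]
    # Steps 1b and 2: beta is among the trusted certificates -> alpha trusted.
    for beta in candidates:
        if beta in trusted:
            return [alpha, beta], "trusted"
    for beta in candidates:
        if is_root(beta):
            continue   # Step 3: an untrusted root ends this branch
        # Step 4: set alpha = beta and repeat.
        path, status = build_path(beta, certs, trusted, _seen | {alpha.subject})
        if status == "trusted":
            return [alpha] + path, status
    return [alpha], "untrusted"

# Constructed example: the multi-level hierarchy from the slides plus a pair
# of cross-certificates between Dartmouth CA and a partner organisation's CA.
ALICE = Cert("alice", "Dartmouth CA")
DART_BY_ROOT = Cert("Dartmouth CA", "Root CA")
ROOT = Cert("Root CA", "Root CA")                     # self-signed root
DART_BY_PARTNER = Cert("Dartmouth CA", "Partner CA")  # cross-certificate
PARTNER_BY_DART = Cert("Partner CA", "Dartmouth CA")  # reverse cross-certificate
PARTNER_CA = Cert("Partner CA", "Partner Root")
PARTNER_ROOT = Cert("Partner Root", "Partner Root")   # self-signed root
CERTS = [ALICE, DART_BY_ROOT, ROOT, DART_BY_PARTNER, PARTNER_BY_DART, PARTNER_CA, PARTNER_ROOT]

if __name__ == "__main__":
    for anchors in ({ROOT}, {PARTNER_ROOT}, set()):
        path, status = build_path(ALICE, CERTS, anchors)
        print(status, " -> ".join(c.subject for c in path))
```

With `ROOT` as the only anchor the path is the plain hierarchy; with only `PARTNER_ROOT` it goes through the cross-certificate; with no anchors every branch ends at an untrusted root.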

Page 9:

Typical trust chain

Page 10:

Cross certification

Page 11:

Multiple cross certification

Page 12:

Cross certification fuzziness

Page 13:

Cross certification fuzziness

Page 14:

Bridge CA

Page 15:

Bridge CA advantages

Page 16:

Certification Process

Page 17:

How to obtain a certificate

1 Alice generates a key pair

2 Alice visits (online or in person) the RA, presenting documents attesting to her identity

3 RA verifies Alice’s documents and, if they’re ok, gives Alice a confirmation #. RA then notifies CA (via secure channel) of Alice’s application, RA’s authentication of her documents, and the confirmation #.

4 CA verifies all this, notes Alice’s application and confirmation #, and returns an authorization code to the RA, and the RA gives that to Alice.

5 Alice creates a certificate request, including a) the ID info she gave to the RA, b) the authorization code, c) the confirmation #, and d) her public key. Alice signs the request with her private key and sends it to the CA.

6 CA verifies Alice’s signature on the request, then recovers the public key. CA might also do offline checks on Alice’s ID info.

7 CA creates a certificate with Alice’s public key and ID Info and signs it with the CA’s private key.

8 Alice verifies the CA’s signature on the certificate, and verifies that the public key it contains really is hers (the CA didn’t modify her public key or ID Info).

9 The certificate is published.