A ClientServerModel for PKI Services - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

A ClientServerModel for PKI Services

Description:

PKIs setup by companies and organisations. Allow certificates to be issued and retrieved ... user friendly, not transparent setup. Security enabled software is ... – PowerPoint PPT presentation

Number of Views:61
Avg rating:3.0/5.0
Slides: 18
Provided by: john1477
Category:

less

Transcript and Presenter's Notes

Title: A ClientServerModel for PKI Services


1
A Client-Server-Model for PKI Services
2
Outline
  • Motivation of NSI
  • Problems of PKI use
  • NSI approach
  • Benefits of NSI

3
Public Key Infrastructures (PKI)
  • PKIs setup by companies and organisations
  • Allow certificates to be issued and retrieved
  • Disjoint PKIs
  • May be interconnected through cross-certificates
  • Cross-certificates allow inter-organisational
    communication
  • Authenticated, integrity protected, encrypted
  • Problem PKIs not fully deployed nor easy to use

4
Motivation Slow PKI Deployment
  • Complex
  • Non-user friendly, not transparent setup
  • Security enabled software is complex to write
  • Expensive
  • Development of applications using PKI security
    services
  • Administration cost of configuring and
    maintaining clients
  • Encryption and digital signatures are not in
    widespread use

5
Motivation II Complexities of PKI Trust Path
Construction
  • Initial disjoint PKIs
  • Communication between arbitrary users not
    possible
  • Only internal use of PKI structure
  • Cross-certificates
  • Allows communication between separate PKIs
  • However, makes path building more complicated
  • Using PKIs too complicated for user
  • Validation policies, policy mappings,
    configuration

6
Example Complexity of Trust Path Construction
Fraunhofer
TA
CA
CA
Verifier
CA
CA
CA
CA
CA
CA
IBM
Johns certificate
CA
CA
CA
CA
CA - Certification Authority
Possible certificate path
a
b
a cross-certifies b
TA - Trust Anchor
a
b
a issues certificate b
7
Problems for Security Applications
  • Support of many protocols is necessary
  • Certificate download (HTTP, FTP, LDAP, ...)
  • Certificate Status (OCSP, LDAP)
  • All applications must
  • Support all protocols
  • Know addresses of all needed repositories
  • Have full cryptographic functionality (many
    algorithms)
  • Be able to handle the complexities of PKI
  • Complexity ? Bugs ? Lower security

8
Problems for Users
  • Applications are expensive and large
  • Small devices cannot support storage and
    computational requirements
  • Must configure applications with addresses of
    repositories
  • For path construction and encryption key
    retrieval
  • Trust path construction is slow

9
NSI Solution
  • Develop a Client-Server based PKI
  • Complexity persists
  • Clients are shielded from complexity
  • Introduction of PKI server
  • Reduce complexity on client-side (Thin Client)
    by offering server based services such as
  • Signature validation
  • Trust path construction
  • Management of CRLs and Revocation Status
  • Central management of security policies
  • Simple access to any PKI topology
  • e.g. mesh PKIs

10
Advantages for Clients
  • Need not support multitude of PKI protocols
  • Need to support only one Client-Server-Protocol
  • Need not be configured with repository addresses
  • Addresses configured on server
  • Application only needs to know 1 or 2 PKI-Servers
  • Complex tasks delegated to the PKI Server
  • Signature and certificate validation
  • Encryption key retrieval
  • Thus, applications become smaller and simpler
  • Devices with limited resources can utilize PKI
    functionality
  • Examples Cellular phones, PDAs (Personal Digital
    Assistants)

11
PKI-Server Security Services Scenario
Trust path construction request
Signature validation request
Certificate retrieval request
Centrally managed policies
PKI Server
PKI Server
PKI Server
OCSP B
LDAP 3
OCSP A
LDAP 1
LDAP 2
12
Trust Model
  • Variable client trust in PKI Server
  • Certificate validation complete trust
  • Signature validation complete trust
  • Path construction no trust
  • Certificate retrieval no trust
  • PKI Servers deployed within organisations
  • Clients use organisation validation policy and
    trust server

13
Validity of PKI Server Responses
  • All responses are authenticated
  • Secure connection (e.g. SSL, IPsec) or
  • Digitally signed response
  • Integrity of all requests and responses
    verifiable
  • Hashes, signatures
  • Replay attacks detectable
  • nonces

14
Initial Deployment of PKI server
Organisation B
LDAP
CA
Firm A
Client
OCSP
CA
CA
PKI Server
Client
CA
LDAP
CA
CA
Government C
LDAP
CA
OCSP
CA
CA
15
Infrastructure Next Step
Organisation B
PKI Server
LDAP
CA
Firm A
Client
OCSP
CA
CA
PKI Server
Client
CA
LDAP
Government C
CA
CA
PKI Server
LDAP
CA
OCSP
CA
CA
16
PKI Architecture
17
Who will benefit from the PKI Server?
  • Companies
  • Central management of Security Policies
  • No longer need to reconfigure every client when
    PKI or policy changes
  • Developers for small devices
  • API on client side has low resource requirements
  • More devices able to use PKI services
  • Security application developers
  • Decreased development time and costs
  • Trust Center may provide PKI services
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "A ClientServerModel for PKI Services" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!