Академический Документы
Профессиональный Документы
Культура Документы
20102011
Curs:
SECURITATEINFORMATICA
Prof.Dr.VictorValeriuPATRICIU
B.ElectronicSignaturesandPKI
Digital Signatures
Digital Signatures
with Message Recovery
Signature
Algorithms
Public-Key Distribution
Public-Key Distribution
Digital Certificate
Is a person really who claim?
How do you know that the public key
you got from a person really bellongs to
this person?
Version number is 3
Serial number is a monotonically
increasing integer value (guaranties
the unicity of serial number for
issuing CA)
Issuer name is populated with X.500
di ti
distinguished
i h d name
Subject public key corresponds to a
standard algorithm
Signature field identifies a standard
signature algorithm.
CRL distribution points extension contains the location where CRL may be
found
End-Entity Certificates
End-Entity Certificates
User certificates
System certificates
Subject name
Validity period
Is critical extension.
Is critical extension
Non-critical extension.
For Web servers
servers-SL
SL and TLS
For routers- IPsec
CA Certificates
Self-Issued Certificates
Certificate Authority
CA
ccertificate
Nam
me, public-key
Certificate Directory
(X.500, DNS, etc.)
User
User
CA Hierarchy
Root CA
CA
CA
CA
CA
10
Certificate Revocation
11
Certificate Verification
with Directory
Certificate Paths
12
Certificate Paths
Two alternative
PKI topologies
13
Cross-Certification
XYZ Co.
MIT
Sales
Sloan
LCS
Research
London
Corporate
NYC
H.R.
Marketing
PKI Components
14
PKI Components
End-Entity (EE)
An End-Entity is defined as a user of PKI
certificate and/or end-user system that is the
subject of a certificate
In a PKI system, End-Entity is a generic term
for a subject that uses some services or
functions of the PKI system, which may be a
certificate owner (human being or organization
or some other entities), or a requestor (it might
be application program) for certificate or CRL.
15
16
Directories
17
X.500 Directories
LDAP
Lightweight Directory Access Protocol- v2
18
19
XML Signature
The explosive growth in the use of the Web for business-to-business
(B2B) e-commerce has intensified attention on the eXtensible Markup
L
Language
(XML) a common, open, Internet
I t
t standard
t d d that
th t facilitates
f ilit t
data exchange over the Internet.
Recognizing that existing Web technologies, such as HTML, are
inadequate for implementing the scale and diversity of transaction
protocols envisioned for the Web, the World Wide Web Consortium
(W3C) and the Internet Engineering Task Force (IETF) have
developed XML and XML-related technologies to meet this requirement.
Like anyy data being
g exchanged
g over a network,, XML communications
and transactions must be secured. In this respect, to maintain the
integrity of the transaction or communication, an XML document, just
like any other document or transaction, should be capable of
authentication and non-repudiation, and its content should remain intact
(integrity) and confidential.
XML Signature
XML is a very powerful, general-purpose meta-language used to enable
data interchange
g between diverse systems,
y
,p
platforms,, and international
languages. This robust, adaptable, easy-to-use data format can capture
both the structure and semantics of data making it possible to create a
wide variety of new Web applications.
Like HTML, XML uses tags (words bracketed by < and >) and
attributes (of the form name="value") to help place structured data into
ASCII files. XML is different from HTML in that it is a meta-language (a
language for describing other languages) and therefore, does not define
specific
ifi tags
t
and
d attributes,
tt ib t
b t rather
but
th provides
id rules
l to
t define
d fi those
th
t
tags
and attributes.
XML makes it easy for diverse Web applications to interact with each
other because it provides a standard way to parse and interpret data.
XML-encoded data becomes its own self-contained database ( intelligent
data data that knows about itself).
20
XML Signature
From a technical point of view, XML is a syntax for describing the
semantics (meaning) and structure of data. The following fragment of
XML illustrates these features:
<cheque>
<payer type="person">
<name>Wally Road</name>
<address>123 Billings Gate</address>
<email>wally@entrust.com</email>
</payer>
</cheque>
The
Th tags
t
enveloping
l i XML data
d t define
d fi the
th semantics
ti off the
th data.
d t In
I the
th
example, the string "Wally Road" is identified as the name of a person
who will be paying something. The tag preceding the data is called the
start tag; the tag following the data is called the end tag.
A start tag and its corresponding end tag define an XML element.
In the example, <name>Wally Road</name> is an element.
XML Signature
W3C and IETF are elaborate the standard format and functions for
XML signing;
g
is a XML data structure wich containes
The XML signature
the signature value and
the data necessary in the verification process;
21
22
23
HTML Signature
1. On client request (Get HTTP), a forms is preparing with
an applet and all are downloaded on client PC;
2. The applet is downloaded by JVM, after the code
signature verification;
3. The user fulfill the forms and request the signature; the
applet show a signature window;
4. By activation, the data are signed and are sended by
applet to the server; the format is S/MIME;
5. The HTTP server route the information on the security
server;
6. Using the public key of sender, the security server
verifies the signature by accessing the LDAP server;
7. The data are sended to the application server.
HTML Signature
24
Timestamping
Timestamping
25
Timestamping
26