PKI | Computing @ UW-Madison
PKI Contents
What is PKI
Public Key Certificates
Encryption and Signing
Web Browsers and SSL
PKI and OASIS Standards
Your Private Key
Certificate Authorities
Your Password
Authorization
Other Tools
PKI
Public Key Infrastructure
Public Key Cryptography Demystified
By Robert J. Brentrup
As the technology of computing has become more integrated into our daily
lives, information security is becoming an increasing challenge. More and
more confidential personal information, legal documents, commercial
transactions, and sensitive data are being transmitted over campus networks
and the Internet every day.
At the same time, the network environment is becoming more hostile and
vulnerable to attack. Public key technology has an important role to play in
helping us protect our information and to be able to rely on the network to
handle transactions of increasing value.
Public key systems enable separate parties to conduct a trusted exchange of
information even if they have never met or shared any secrets beforehand.
Such systems help to address the basic problems of digital security:
authentication (Are you who you say you are?); authorization (What are you
allowed to do or access?); protection (You might intercept my information,
but you can't decipher it.); information integrity (Can we agree that what I
sent is exactly what you received?); and private channels (Can we open a
communication link that others can't access and can we assure ourselves of
the integrity of that channel?).
What is PKI?
PKI is the acronym for Public Key Infrastructure. The technology is called
Public Key because unlike earlier forms of cryptography, it works with a
pair of keys. One of the two keys may be used to encrypt information, which
can only be decrypted with the other key. One key is made public and the
other is kept secret. The secret key is usually called the private key.
Since anyone may obtain the public key, users may initiate secure
communications without having to previously share a secret through some
other medium with their correspondent. The Infrastructure part of PKI is the
underlying systems needed to issue keys and certificates and to publish the
public information.
Public Key Certificates
A public key needs to be associated with the name of its owner. This is done
using a public key certificate, which is a data structure containing the
owner's name, their public key and e-mail address, validity dates for the
certificate, the location of revocation information, the location of the
issuer's policies, and possibly other information, such as their affiliation
with the certificate issuer (often an employer or institution).
The certificate data structure is signed with the private key of the issuer
so that a recipient can verify the identity of the signer and prove that
data in the certificate has not been altered. Public key certificates are
then published, often in an institutional LDAP directory, so that users of
the PKI can locate the certificate for an individual with whom they wish to
communicate securely.
Encryption and Signing
A secret key allows two transformations of data to occur. Plain text is
transformed to cipher text, which is unreadable until it is transformed back
to plain text using the secret key. A public-key system uses the encryption
and decryption functions in turn to implement two primitive operations, data
encryption and signatures.
To encrypt data you use the public key of the recipient to transform a plain
text message to cipher text. The cipher text of the message can be converted
back to plain text only by using the corresponding private key. Because this
private key is known only by the intended recipient, only that individual
can decrypt the message.
A signature is created by transforming plain text to cipher text using the
private key of the signer. A signature is verified by looking up the public
key of the signer and attempting to transform the cipher text of the
signature back to plain text. If the operation is successful, this verifies
that the data encryption was done with the corresponding private key. This
implies that the signature was produced by the owner of that private key.
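The two operations described above, as an added example that is not part of the original article: textbook RSA with a small constructed key pair and no padding, which is fine for following the arithmetic and unsuitable for protecting real data. The key values and function names are assumptions, and the sketch signs a SHA-256 digest of the message rather than the message itself, as practical signature schemes do.

```python
import hashlib

# Constructed toy key pair built from two known Mersenne primes.
# Textbook RSA without padding: for illustration only, never for real data.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                           # modulus, shared by both keys
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)


def transform(value, key):
    """The one RSA primitive: raise value to the key's exponent modulo N."""
    exponent, modulus = key
    return pow(value, exponent, modulus)


def encrypt(plaintext, recipient_public):
    """Anyone can encrypt with the recipient's public key."""
    m = int.from_bytes(plaintext, "big")
    if m >= recipient_public[1]:
        raise ValueError("message too long for this toy modulus")
    return transform(m, recipient_public)


def decrypt(ciphertext, recipient_private):
    """Only the holder of the matching private key can reverse it."""
    m = transform(ciphertext, recipient_private)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message, modulus):
    # A fixed-size hash stands in for the message; reduced to fit the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(message, signer_private):
    """Signing applies the private-key transformation to the digest."""
    return transform(digest(message, signer_private[1]), signer_private)


def verify(message, signature, signer_public):
    """Verification undoes it with the public key and compares digests."""
    return transform(signature, signer_public) == digest(message, signer_public[1])


if __name__ == "__main__":
    note = b"meet at noon"
    assert decrypt(encrypt(note, PUBLIC_KEY), PRIVATE_KEY) == note
    sig = sign(b"pay 10", PRIVATE_KEY)
    print("genuine message verifies:", verify(b"pay 10", sig, PUBLIC_KEY))
    print("altered message verifies:", verify(b"pay 1000", sig, PUBLIC_KEY))
```
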
The most common PKI-based applications include authentication to, and
authorization for, the use of Web resources, signed and secured e-mail
messages, and electronic document signatures. Each of these functions is
implemented in appropriate software applications.
Web Browsers and SSL
PKI is built into all Web browsers that use Secure Sockets Layer (SSL). SSL
is a protocol used to protect data transmitted between a client application
and a server. An SSL connection is secured by using the PKI certificate of
the Web server to share a symmetric key with the Web browser, which is used
to encrypt data exchanged between them.
When SSL is being used to communicate with a Web server, the "security"
functions of the Web browser allow the end user to check the validity of and
view the associated Web server's certificate.
This is currently the most common application of SSL. Because it works with
no further user interaction, most people are unaware of the other PKI
certificate and security features.
Some Web browsers also allow you to store and use personal PKI certificates
for authentication. The key pair and certificate are used with Web servers
and sites that require authentication through client-side SSL connections.
In a client-side SSL connection, your Web browser authenticates you by using
your private key to decrypt a message encrypted by your public key.
Depending on the features of the browser, you may need to specify which
certificate is to be used if you have several. Some browsers will select a
certificate that will work based on which other certificates were used to
sign it.
PKI and OASIS Standards
In November 2002 the PKI Forum, which originally developed PKI, joined OASIS
(Organization for the Advancement of Structured Information Standards), the
non-profit global standards consortium. PKI has now been integrated into
OASIS projects, including Security Assertion Markup Language (SAML), XML
Access Control Markup Language (XACML), Service Provisioning Markup Language
(SPML), and Digital Signature Services (DSS) protocol. The OASIS vision is
to develop standards, based on the eXtensible Markup Language (XML), that
will provide security for transactions and user interactions via the Web.
Security Assertion Markup Language (SAML) is a standard used to define how
users will be authenticated and authorized to access computer systems or
information.
XML Access Control Markup Language (XACML) allows the IT department to
assign users specific access privileges, controlling who will be allowed to
access certain documents and who can make changes to them.
Service Provisioning Markup Language (SPML) is used to set up a structure
for authenticating and encrypting user requests for access to computer
systems and data. Beyond the security of who is allowed to access these
assets, SPML also helps system managers balance computer resources with user
demands.
Digital Signature Services (DSS) protocol will be used to set up a standard
way of handling digital signatures and will assure, through a time stamp,
that the signature was authorized with a valid PKI. DSS is under development
with an OASIS technical committee.
For more information visit www.oasis-open.org.
Your Private Key
In a PKI-based protocol, transforming some data using the private key is
needed to provide the identity of the person or device participating in the
application.
This private key is connected to a certificate containing the corresponding
public key. Showing that you can use that private key demonstrates the
connection to the name of the subject in the certificate. Simply having a
public key certificate in your possession proves nothing.
Use of the private key is generally controlled by a password set in the
browser. Depending on the features of the browser, you may be asked for the
password whenever the private key is used. This is the preferred way to set
the configuration. Otherwise, once the password has been provided, anyone
with access to the computer can use the private key.
Web browsers typically have features that let you examine, import, and
export certificates and keys. Certificates can be personal or accepted by
the users for certain trusted companies or authorities. Once an SSL
connection is established, the server certificate in use can usually be
examined by looking at the properties of the page transmitted over the SSL
connection.
Certificates and keys are most commonly stored on the hard disk of the
computer you are using. In addition to providing the password when the
private key is used, usually the password is also required to import or
export keys and certificates. Some browsers also support key and certificate
storage in a secure external device. Again, a password is often used to gain
access to the key and certificate.
Certificate Authorities
Certificates issued to Web servers and individuals are signed by a
Certificate Authority (CA). The signature on a certificate identifies the
particular CA that issued a certificate. The CA in turn has a certificate
that binds its identity to its public key, so you can verify its identity. A
CA publishes a policy defining its practices so users of certificates issued
by that authority have a basis to make a trusted judgment for transactions
based on PKI.
To enable separate institutions to establish trust relationships between
themselves, CAs can have their certificates signed by other authorities that
audit their practices. These chains of certificates do finally end with a
certificate that is self-signed, which is known as a "root" certificate.
Both Web browsers and Web servers begin with a list of known root
certificates that they "trust." You can add other root certificates to a Web
browser or Web server certificate store for additional CAs that you are
willing to trust.
Web browsers alert you when you begin a transaction that involves a new CA.
To proceed with the transaction, you must accept the new certificate either
temporarily or permanently. The alert dialog allows you to view the new
certificate so you can make a decision.
Your Password
You will need to set a password for your browser certificate store. The
password controls use of your key pair and should be kept secret.
The security of your personal password is a critical element in maintaining
the security of your private key. You should not share your password with
anyone. The password used to protect a certificate store is only known on
your computer and can't be recovered by your local computer support staff.
Encrypting a file and then finding yourself unable to decrypt it is a
painful lesson. So it is very important to create a password that you will
remember. Give your choice some thought in advance of starting to obtain
your key pair and certificate.
Authorization
It is important to remember that authentication and authorization are
separate issues. Any non-trivial application needs to address both
questions.
The SSL protocol using a client-side certificate will have established the
identity of the end user by having the Web server check the personal
certificate's validity. The Web server's SSL code checks that the
certificate is not expired and is signed by a chain of valid and accepted
institutional and root certificates. The server can be additionally
configured to check a Certificate Revocation List (CRL) for revoked
certificates.
Depending upon the application, satisfying these conditions may be adequate
authorization. However, the contents of the client certificate are available
to the Web server in environment variables.
An application can implement additional required authorization-checking
logic using the certificate contents and other information retrieved from
other sources.
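One way to layer application authorization on top of the server's certificate checks, as an added example that is not code from the original article. It assumes the environment variable names that Apache mod_ssl exports (SSL_CLIENT_VERIFY, SSL_CLIENT_I_DN, SSL_CLIENT_S_DN_Email); the issuer DN, the access list and the sample requests are constructed placeholders.

```python
import os

# Hypothetical policy: the one issuing CA this application accepts, and
# what each certificate subject may do. All values are constructed.
ACCEPTED_ISSUER_DNS = {"CN=Example Campus CA,O=Example University,C=US"}
ACL = {
    "registrar@example.edu": {"grades:read", "grades:write"},
    "advisor@example.edu": {"grades:read"},
}


def authorize(environ, permission):
    """Return (allowed, reason); deny unless every check passes."""
    # 1. Authentication: the server must report that it validated the chain.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False, "no verified client certificate"
    # 2. Narrow trust: a valid chain to any accepted root is not enough here,
    #    the certificate must come from the CA this application expects.
    if environ.get("SSL_CLIENT_I_DN") not in ACCEPTED_ISSUER_DNS:
        return False, "issuer not accepted for this application"
    # 3. Authorization: look the authenticated subject up in local policy.
    email = environ.get("SSL_CLIENT_S_DN_Email", "").strip().lower()
    if permission not in ACL.get(email, set()):
        return False, f"{email or 'unknown subject'} lacks {permission}"
    return True, f"{email} granted {permission}"


# Constructed sample requests, shaped like the server-provided environment.
SAMPLE_ADVISOR = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": "CN=Example Campus CA,O=Example University,C=US",
    "SSL_CLIENT_S_DN_Email": "Advisor@example.edu",
}
SAMPLE_OTHER_CA = dict(SAMPLE_ADVISOR, SSL_CLIENT_I_DN="CN=Some Other CA,C=US")
SAMPLE_NO_CERT = {"SSL_CLIENT_VERIFY": "NONE"}

if __name__ == "__main__":
    # In a CGI deployment the live request would be passed as os.environ.
    for env in (SAMPLE_ADVISOR, SAMPLE_OTHER_CA, SAMPLE_NO_CERT, os.environ):
        for perm in ("grades:read", "grades:write"):
            print(perm, authorize(env, perm))
```

The advisor's certificate authenticates successfully in both requests, yet only the read permission is granted, which is the separation between authentication and authorization this section describes.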
Other Tools
A number of modern e-mail clients use the MIME standard for encoding data.
S/MIME is an extension of MIME that allows PKI signatures and encryption of
the mail contents. To use S/MIME you need to have a public/private key pair
and an associated public key certificate. Using S/MIME features in an e-mail
client requires the same use of the private key, public key certificate, and
certificate store password, as described earlier, for using SSL in a Web
browser.
A number of applications are also available to electronically sign documents
using PKI. You will need to archive the public keys used to sign documents
in order to be able to verify the signatures in the future.
Effective PKI tools for higher education will greatly facilitate academic
and administrative communications. PKI can address much of higher
education's needs for the secure control, access, and usage of digital
information. As institutions of higher learning, we have a responsibility to
contribute to the creation of new systems and the development of new
safeguards and lead the way in their adoption.
Division of Information Technology - UW-Madison
Copyright © 2008 The Board of Regents of the University of Wisconsin
System