Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
-
Upload
beryl-holland -
Category
Documents
-
view
221 -
download
0
Transcript of Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
![Page 1: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/1.jpg)
Wolfgang SchneiderWolfgang Schneider
NSI: A Client-Server-Model for PKI NSI: A Client-Server-Model for PKI ServicesServices
![Page 2: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/2.jpg)
Page 2
Public Key InfrastructuresPublic Key Infrastructures
• PKIs setup by companies and organizations• Allow certificates to be issued and retrieved• May be interconnected through cross-certificates• Allows for inter-organizational communication
– Authenticated, integrity protected, encrypted
• Problem: PKIs not fully deployed nor easy to use
![Page 3: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/3.jpg)
Page 3
Motivation: Slow PKI DeploymentMotivation: Slow PKI Deployment
• Expensive– Development of applications using PKI security services– Administration cost of configuring and maintaining
clients
• Complex– Security enabled software is complex to write– Non-user friendly, not transparent
• Encryption and digital signatures are not in widespread use
![Page 4: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/4.jpg)
Page 4
Motivation II: Complexities of PKI Motivation II: Complexities of PKI – Trust Path Construction– Trust Path Construction
• Initial disjoint PKIs– Communication between arbitrary users not possible– Only useful within single PKI structure
• Cross-certificates – Allows communication between separate PKIs– However, makes path building more complicated
• PKIs too complicated for user– Validation policies, policy mappings, configuration
Client-Server model
![Page 5: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/5.jpg)
Page 5
Complexity of Trust Path ConstructionComplexity of Trust Path Construction
Possible certificate patha cross certifies ba ba issues certificate ba b
CA - Certificate AuthorityTA - Trust Anchor
IBM
Fraunhofer
Verifier
CA
CA CA
CA CA
CA
CA
CA
CA
TA
CACA CA
John‘scertificate
![Page 6: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/6.jpg)
Page 6
Problems for Security ApplicationsProblems for Security Applications
• Support of many protocols is necessary– Certificate and CRL download (HTTP, FTP, LDAP, ...)– Certificate Status (OCSP, LDAP)
• All applications must– Support all protocols– Know addresses of all needed repositories– Have cryptographic functionality– Be able to handle the complexities of PKI
• Complexity = Bugs = Less security
![Page 7: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/7.jpg)
Page 7
Problems for UsersProblems for Users
• Applications are expensive and large– Small devices cannot support storage and
computational requirements
• Must configure applications with addresses of repositories– For path construction and encryption key retrieval
• Trust path construction is slow
![Page 8: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/8.jpg)
Page 8
NSI SolutionNSI Solution
• Develop a Client-Server based PKI• Reduce complexity on client-side („Thin Client“)
by offering server based services such as:– Signature validation– Trust path construction– Management of CRLs and Revocation Status‘– Central management of certificate policies
• Simple access to non-hierarchical interconnected PKIs
![Page 9: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/9.jpg)
Page 9
Advantages for ClientsAdvantages for Clients
• Need not support multitude of PKI protocols– Need support only one Client-Server-Protocol
• Need not be configured with repository addresses– Application only needs to know 1 or 2 PKI-Servers
• Complex tasks delegated to the PKI Server– Signature and certificate validation– Encryption key retrieval
• Thus, applications become smaller and simpler• Devices with limited resources can utilize PKI
functionality– Examples: Cellular phones, PDAs (Personal Digital Assistants)
![Page 10: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/10.jpg)
Page 10
PKI-Server Security Services ScenarioPKI-Server Security Services Scenario
PKI Server
PKIServer
PKIServer
OCSPLDAP LDAPLDAP DNS OCSP
Centrally managed policies
Trust path construction
request
Certificate retrieval request
Signature validation
request
![Page 11: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/11.jpg)
Page 11
Who will benefit from the PKI Server?Who will benefit from the PKI Server?
• Companies– Central management of Security Policies– No longer need to reconfigure every client when PKI or
policy changes
• Developers for small devices– API on client side has low resource requirements– More devices able to use PKI services
• Security application developers– Decreased development time and costs– More robust security code
• TrustCentre may provide PKI services
![Page 12: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/12.jpg)
Page 12
NSI GoalsNSI Goals
• Develop concrete protocols• Develop client library such that clients with
limited resources may use it• Develop a working PKI Server that is
deployable• Run field tests
![Page 13: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/13.jpg)
Page 13
Issues with NSI approachIssues with NSI approach
• What is the architecture?• Interconnection within existing PKIs• What trust relationships are needed?
![Page 14: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/14.jpg)
Page 14
PKI ArchitecturePKI Architecture
PKIClient
ApplicationLocal Database
DirectRoutes
Server ’sKeys
TrustAnchors
Ind irectRoutes
CertificatePolic ies
CoreFunctionality
Adm inistratorInterface
PK IS LDAP O CSP DNS ...
Protocol M odules
Acc
ess
Pro
toco
l Ma
nag
er
- PKI -Server
PK
I Ro
uti
ng
ValidationPolic ies
CacheStorage
...PK I C lient A PI
M aintenance APICom m unication API
![Page 15: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/15.jpg)
Page 15
Comparison: Internet Routing <-> PKIComparison: Internet Routing <-> PKI
• IP Routing– Cooperation of many IP routers– No computer knows every IP Address in the Internet– Network changes are known only to routers, not clients– Personal computer knows 1 to n DNS servers
• PKI– Little cooperation between PKIs– Application must know all repositories (incl. PKI
meshes)– Every client must be updated for every PKI change
![Page 16: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/16.jpg)
Page 16
InterconnectionInterconnection
(A) Client-Server-Protocol(B) Server-Server-Protocol(C) Standard-Protocols
(LDAP,OCSP,etc.)
![Page 17: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/17.jpg)
Page 17
NSI‘s role within PKINSI‘s role within PKI
• PKI Server is separate from CA– Accesses available repositories to build paths– Does not need to be certified by CA
• Trust in PKI Server is through PKI Server‘s certificate– Must be configured on each client– Revocation check of certificate not defined
![Page 18: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/18.jpg)
Page 18
Trust RelationshipsTrust Relationships
• Client trust in PKI Server– Certificate validation: complete trust– Signature validation: complete trust– Path construction: no trust– Certificate retrieval: no trust
• PKI Servers deployed within organizations– Clients use organization validation policy and trust
server
![Page 19: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/19.jpg)
Page 19
Validity of PKI Server ResponsesValidity of PKI Server Responses
• All responses are authenticated– Secure connection (eg. SSL, IPsec) or– Digitally signed response
• Integrity of all requests and responses verifiable– Hashes, signatures, encryption
• Replay attacks detectable– nonces
![Page 20: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/20.jpg)
Page 20
NSI comparison with XKMSNSI comparison with XKMS
• Certificate retrieval and validation services supported
• NSI needs no connection with an RA or CA– XKMS offers registration and revocation services
• Size of sent and stored responses– XKMS uses XML tags– NSI uses ASN.1 (support embedded within client
library)
• Small storage requirements for audits
![Page 21: Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.](https://reader035.fdocuments.in/reader035/viewer/2022062421/56649dd35503460f94acab71/html5/thumbnails/21.jpg)
Page 21
NSI: A Client-Server-Model for PKI NSI: A Client-Server-Model for PKI ServicesServices
Wolfgang [email protected]
Fraunhofer-Institute for Secure Telecooperation
http://www.sit.fhg.de/NSI/