Open source Book: PKI Implementation

A guide to PKIs and Open–source Implementations

Symeon (Simos) Xenitellis

OpenCA Team

Copyright © 1999, 2000 by Symeon (Simos) Xenitellis

This document describes Public Key Infrastructures, the PKIX standards, practical PKI functionality and gives an overview of available open–source PKI implementations. Its aim is foster the creation of viable open–source PKI implementatations.

The latest version of this document can be found at the OSPKI Book WWW site athttp://ospkibook.sourceforge.net/.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being the chapters Chapter 13("Contributions") and the Colophon ("About this document"), with Front-Cover Texts being the text "The Open–source PKI Book, A guide to PKIs and Open–source Implementations" and with Back-Cover Texts being the text "The author's studies are funded by State's Scholarship Foundation (SSF) of Greece". A copy of the license is included in Appendix Eentitled "GNU Free Documentation License".

Table of Contents

1. Purpose of this document

2. Introduction to Cryptography

• Cryptographic Algorithms
• Message Digests
• Digital Signatures
• Certificates
• Certification Authority

3. Basic functionality of a Public Key Infrastructure[TODO]

• Creation of the key–pair and the certificate request
• Signing of the certificate request by the Certification Authority
• Certification Authority chains
• Typical uses of public key cryptography

4.General implementation overview

• Prerequisites
• Useful open–source software
• Initialisation of the Certification Authority
• Generate the RSA key–pair for the CA
• Create a self–signed CA Certificate
• User/Server key generation and signing
• Generate the RSA key–pair for a user/server
• Generate a certificate request
• Ask the CA to sign the certificate request

5. PKI standards and specifications

• Internet X.509 Public Key Infrastructure (PKIX)
• Architecture for Public-Key Infrastructure (APKI)
• The NIST Public Key Infrastructure Program

6. Internet X.509 Public Key Infrastructure (PKIX)

• Abbreviations
• Concepts
• Certificate–using Systems and PKIs
• Certificate–using Systems and PMIs
• Overview of the PKIX approach
• PKIX standardisation areas
• Public–key infrastructure functionality
• Public–Key Infrastructure (PKI)
• Privilege Management Infrastructure (PMI)

7. Open-Source Implementations

• The pyCA Certification Authority
• The OpenCA Project[TODO]
• OpenCA Layout
• OpenCA Abbreviations
• Software packages
• Functionality of the CA Server (CAServer)
• Functionality of the RA Server (RAServer)
• Functionality of the RA Operators (RAOperators)
• Status of the OpenCA Project
• Future OpenCA work
• The Oscar Public Key Infrastructure Project
• Jonah: Freeware PKIX reference implementation
• Mozilla Open Source PKI projects
• Personal Security Manager (PSM)
• Network Security Services (NSS)
• JavaScript API for Client Certificate Management
• MISPC Reference Implementation

8. How to get software support

9. Supported Crypto hardware and Software architectures

• TrustWay Crypto PCI 2000
• PowerCrypt Encryption Accelerator
• CryptoSwift eCommerce Accelerator
• Movement for the Use of Smart Cards in a Linux Environment (MUSCLE)
• Linux Smart Card Starter's Kit from Schlumberger
• The gpkcs11 PKCS#11 open–source implementation
• Common Data Security Architecture (CDSA)
• Single Sign–on
• The KeyMan PKI Management Tool
• Distributed Audit Service (XDAS)
• Generic Security Service API (GSS-API)
• Simple Network Time Protocol (SNTP)
• Lightweight Directory Access Protocol (LDAP)
• S/MIME CMS [TODO]

10. Critical discussion[TODO]

11. Benefits of an Open–Source PKI implementation[TODO]

12. Trademarks

13. Contributions

A. Perl modules

• Locating Perl modules
• Installing Perl modules

B. Sample Certificate Documents

• Sample Encrypted Private Key in PEM format (2048 bits)
• Sample Private Key in PEM format (2048 bits)
• Sample Private Key in TXT format (2048 bits)
• Sample CA Certificate in PEM format
• Sample CA Certificate in TXT format
• Sample certificate request in PEM format
• Sample certificate request in TXT format

C. Description of Public Key Algorithms

• How does RSA work?
• Description
• Practical example
• How does El Gamal work?

D. OpenCA Installation details

• Software installation sequence
• Installation of Perl modules
• Installation of OpenCA–specific modules
• Installation of OpenCA
• WWW Server installation
• LDAP installation
• openssl.cnf configuration for OpenCA

E. License

• GNU Free Documentation License
• PREAMBLE
• APPLICABILITY AND DEFINITIONS
• VERBATIM COPYING
• COPYING IN QUANTITY
• MODIFICATIONS
• COMBINING DOCUMENTS
• COLLECTIONS OF DOCUMENTS
• AGGREGATION WITH INDEPENDENT WORKS
• TRANSLATION
• TERMINATION
• FUTURE REVISIONS OF THIS LICENSE

Colophon

Glossary

Bibliography

List of Tables

• 6-1. PKIX Terms
• 6-2. Table of RFCs for PKIX documents
• 6-3. PKI functionality
• 6-4. PKI components
• 6-5. PMI components
• 7-1. OpenCA Abbreviations
• 7-2. Current Versions of OpenCA prerequisite software
• 8-1. WWW Support Locations
• D-1. Software installation matrix
• D-2. CAServer installation parameters
• D-3. RAServer WWW Server installation parameters
• D-4. RAServer installation parameters
• D-5. RAServer WWW Server installation parameters
• D-6. RAOperator WWW Server installation parameters
• D-7. openssl.cnf default values

List of Figures

• 6-1. PKI Entities
• 6-2. Attribute Certificate Exchanges
• 7-1. Current OpenCA Layout

Black hat 2010

Two researchers at the Black Hat conference in Las Vegas on Thursday exposed 24 ways hackers can hijack seemingly secure browser sessions.

Robert Hansen and Josh Sokol demonstrated methods attackers can use to take over users' accounts or assume control of a website without the need for any exploits, due to the way browsers implement "HTTPS." HTTPS, a combination of the Hypertext Transfer Protocol with the SSL/TLS Protocol, allows a website owner to encrypt a session using a digital certificate.

For any of the two dozen attacks to work, however, a criminal would have to have assumed control of a user's computer via a man-in-the-middle (MITM) exploit, by which an attacker intercepts communications between two systems.

But the researchers wanted to show that HTTPS protection alone won't stop bad things from happening.

continue reading..

Videos