Pki 202 Architechture Models and CRLs

•

4 gefällt mir•1,970 views

NCC Group

Technologie Bildung

PKI 202 – Architecture Models and CRLs
Aman Hardikar

Agenda
• Architecture Models
• Subordinate
• Cross certified mesh
• Bridge
• Trusted list
• Revocation
• CRL
• OCSP

Overview
Available at www.amanhardikar.com/mindmaps.html
Mindmap:

PKI Trust Models
The fundamental purpose of PKI is to represent
the trust relationship between participating
parties.
The verifier verifies the chain of trust.
Four models exist:
• Subordinate Hierarchy
• Cross Certified Mesh
• Bridge CA
• Trusted List

Subordinate Hierarchy
• Two or more CAs in a hierarchical relationship
• Good for single enterprise applications
• Hard to implement between enterprises

Cross Certified Mesh
• Each internal CA signs the other PKI’s public verification keys
• Good for dynamically changing enterprise PKI applications
• Scalability is a major issue. Need to support n(n-1) cross certifications

Bridge CA
• Only the Root CAs participate in the cross certification
• Solves the issues with the mesh model

Trusted List
• Uses a set of publicly trusted root
certificates
• Ex: Internet Browsers

Traditional CRLs
Relying party checks the certificate against the latest published
CRLs
Disadvantage:
Long CRLs and the number the users directly proportional to the
performance of the network.

Modified CRLs
• Overissued CRLs
• Segmented CRLs
• Delta CRLs
• Sliding window (overissued delta) CRLs

OCSP
Online Certificate Status Protocol
• Client – Server model
• Client requests status of a certificate
• Server sends a signed response back
• Advantages
• Very small request and response
• Disadvantages
• All responses need to be signed increasing the load on the server
• Clients must be online/connected to check the status

SSLAuditor3 Preview
Report generation code needs few fixes

Next Presentations
PKI Applications
SSL
S/MIME
PGP
IKE
SSLAuditor3 demo
PKI Architecture Weakness / Audit
Architecture Weaknesses
Auditing
Mitigation Procedure
Best Practices

UK Offices
Manchester - Head Ofﬁce
Cheltenham
Edinburgh
Leatherhead
London
Thame
North American Offices
San Francisco
Atlanta
New York
Seattle
Australian Offices
Sydney
European Offices
Amsterdam - Netherlands
Munich – Germany
Zurich - Switzerland

Empfohlen

Micro-services architectureFarwa Ansari

Microservices architectureMohammad Dameer

[WSO2Con EU 2017] Container-native ArchitectureWSO2

Microservices architectureAbdelghani Azri

Micro Services ArchitectureRabbani Mohideen

Microservice architecture design principlesSanjoy Kumar Roy

Intro to Microservices ArchitecturePeter Nijem

Microservices-101Subhashish Bhattacharjee

Empfohlen

Micro-services architectureFarwa Ansari

Microservices architectureMohammad Dameer

[WSO2Con EU 2017] Container-native ArchitectureWSO2

Microservices architectureAbdelghani Azri

Micro Services ArchitectureRabbani Mohideen

Microservice architecture design principlesSanjoy Kumar Roy

Intro to Microservices ArchitecturePeter Nijem

Microservices-101Subhashish Bhattacharjee

OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group UpdateMikeLeszcz

The Overview of Microservices ArchitectureParia Heidari

[WSO2Con EU 2017] Microservices for EnterprisesWSO2

[WSO2Con EU 2017] Creating Composite Services Using BallerinaWSO2

Microservice ArchitectureRich Lee

OpenID Foundation Workshop at EIC 2018 - OpenID Certification UpdateMikeLeszcz

FILES IN TODAY’S WORLD - #MFSummit2017Micro Focus

[WSO2Con EU 2017] WSO2 Unleashed: Full Stack Automation, Pitfalls and SolutionsWSO2

Micro Focus Filr - #MFSummit2017Micro Focus

Service mesh in Microservice World to Manage end to end service communicationsSatya Syam

OpenID Certification Program Update - 2018-04-02MikeLeszcz

[WSO2Con EU 2017] Microservice Architecture (MSA) and Integration MicroservicesWSO2

Errai CDI Integrationhbraun

Deep-dive into APIs in a Microservice ArchitectureWSO2

[WSO2Con EU 2017] Writing Microservices Using MSF4JWSO2

DEVNET-1184 Microservices PatternsCisco DevNet

OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...OpenIDFoundation

Microservice architecture-api-gateway-considerationsImam Uddin Ahamed - PRINCE2 ® , ITIL ®

Microservices ArchitectureSrinivasan Nanduri

WSO2Con USA 2017: Providing a Pathway from Stovepipe Systems to a Secure SOA ...WSO2

Cryptography101NCC Group

2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0NCC Group

Weitere ähnliche Inhalte

Was ist angesagt?

OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group UpdateMikeLeszcz

The Overview of Microservices ArchitectureParia Heidari

[WSO2Con EU 2017] Microservices for EnterprisesWSO2

[WSO2Con EU 2017] Creating Composite Services Using BallerinaWSO2

Microservice ArchitectureRich Lee

OpenID Foundation Workshop at EIC 2018 - OpenID Certification UpdateMikeLeszcz

FILES IN TODAY’S WORLD - #MFSummit2017Micro Focus

[WSO2Con EU 2017] WSO2 Unleashed: Full Stack Automation, Pitfalls and SolutionsWSO2

Micro Focus Filr - #MFSummit2017Micro Focus

Service mesh in Microservice World to Manage end to end service communicationsSatya Syam

OpenID Certification Program Update - 2018-04-02MikeLeszcz

[WSO2Con EU 2017] Microservice Architecture (MSA) and Integration MicroservicesWSO2

Errai CDI Integrationhbraun

Deep-dive into APIs in a Microservice ArchitectureWSO2

[WSO2Con EU 2017] Writing Microservices Using MSF4JWSO2

DEVNET-1184 Microservices PatternsCisco DevNet

OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...OpenIDFoundation

Microservice architecture-api-gateway-considerationsImam Uddin Ahamed - PRINCE2 ® , ITIL ®

Microservices ArchitectureSrinivasan Nanduri

WSO2Con USA 2017: Providing a Pathway from Stovepipe Systems to a Secure SOA ...WSO2

Was ist angesagt? (20)

OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group Update

The Overview of Microservices Architecture

[WSO2Con EU 2017] Microservices for Enterprises

[WSO2Con EU 2017] Creating Composite Services Using Ballerina

Microservice Architecture

OpenID Foundation Workshop at EIC 2018 - OpenID Certification Update

FILES IN TODAY’S WORLD - #MFSummit2017

[WSO2Con EU 2017] WSO2 Unleashed: Full Stack Automation, Pitfalls and Solutions

Micro Focus Filr - #MFSummit2017

Service mesh in Microservice World to Manage end to end service communications

OpenID Certification Program Update - 2018-04-02

[WSO2Con EU 2017] Microservice Architecture (MSA) and Integration Microservices

Errai CDI Integration

Deep-dive into APIs in a Microservice Architecture

[WSO2Con EU 2017] Writing Microservices Using MSF4J

DEVNET-1184 Microservices Patterns

OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...

Microservice architecture-api-gateway-considerations

Microservices Architecture

WSO2Con USA 2017: Providing a Pathway from Stovepipe Systems to a Secure SOA ...

Andere mochten auch

Cryptography101NCC Group

2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0NCC Group

2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_designNCC Group

Practical SME Security on a ShoestringNCC Group

How we breach small and medium enterprises (SMEs)NCC Group

Mobile App Security: Enterprise ChecklistJignesh Solanki

Next generation pentest your company cannot buyVlad Styran

Exploiting appliances presentation v1.1-vids-removedNCC Group

NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group

07182013 Hacking Appliances: Ironic exploits in security productsNCC Group

Cryptography - 101n|u - The Open Security Community

Current & Emerging Cyber Security ThreatsNCC Group

USB: Undermining Security BarriersNCC Group

2012 12-04 --ncc_group_-_mobile_threat_war_roomNCC Group

Pki 201 Key ManagementNCC Group

Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsNCC Group

The Mobile Internet of Things and Cyber Security NCC Group

Docking stations andy_davis_ncc_group_slidesNCC Group

SABSA Implementation(Part I)_ver1-0Maganathin Veeraragaloo

Real World Application Threat Modelling By ExampleNCC Group

Andere mochten auch (20)

Cryptography101

2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0

2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design

Practical SME Security on a Shoestring

How we breach small and medium enterprises (SMEs)

Mobile App Security: Enterprise Checklist

Next generation pentest your company cannot buy

Exploiting appliances presentation v1.1-vids-removed

NCC Group 44Con Workshop: How to assess and secure ios apps

07182013 Hacking Appliances: Ironic exploits in security products

Cryptography - 101

Current & Emerging Cyber Security Threats

USB: Undermining Security Barriers

2012 12-04 --ncc_group_-_mobile_threat_war_room

Pki 201 Key Management

Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints

The Mobile Internet of Things and Cyber Security

Docking stations andy_davis_ncc_group_slides

SABSA Implementation(Part I)_ver1-0

Real World Application Threat Modelling By Example

Ähnlich wie Pki 202 Architechture Models and CRLs

Enterprise Blockchain & Data Sovereignty. Carlo Ferrarini, IBMData Driven Innovation

Blockchain explored IBM Sverige

Tokyo Azure Meetup #5 - Microservices and Azure Service FabricTokyo Azure Meetup

API’s and Micro Services 0.5Richard Hudson

Hyperledger Fabric Update - June 2018Arnaud Le Hors

Software Architecture and Architectors: useless VS valuableComsysto Reply GmbH

IBM Blockchain Platform - Architectural Good Practices v1.0Matt Lucas

APIs from the Edge to the MeshNordic APIs

Block chain fundamentals and hyperledgersendhilkumarks

BlockChain-1.pptxHussainPashaShaik1

BlockChain-1.pptxBiswaranjanSwain19

Professor Michael SolomonBLCN 532Blockchain development.docxstilliegeorgiana

Quant Overledger for Mobility, IOT and Automotive sectors - MOBI 20190220 v1Gilbert Verdian

Governance and Security Solution Patterns WSO2

dtechnClouologyassociatepart2Anne Starr

Azure meetup cloud native concepts - may 28th 2018Jim Bugwadia

Microservices.pdfSelmaJelovac1

Pros & Cons of Microservices ArchitectureAshwini Kuntamukkala

Hyperledger Fabric update Meetup 20181101Arnaud Le Hors

Cloud-native Datacornelia davis

Ähnlich wie Pki 202 Architechture Models and CRLs (20)

Enterprise Blockchain & Data Sovereignty. Carlo Ferrarini, IBM

Blockchain explored

Tokyo Azure Meetup #5 - Microservices and Azure Service Fabric

API’s and Micro Services 0.5

Hyperledger Fabric Update - June 2018

Software Architecture and Architectors: useless VS valuable

IBM Blockchain Platform - Architectural Good Practices v1.0

APIs from the Edge to the Mesh

Block chain fundamentals and hyperledger

BlockChain-1.pptx

Professor Michael SolomonBLCN 532Blockchain development.docx

Quant Overledger for Mobility, IOT and Automotive sectors - MOBI 20190220 v1

Governance and Security Solution Patterns

dtechnClouologyassociatepart2

Azure meetup cloud native concepts - may 28th 2018

Microservices.pdf

Pros & Cons of Microservices Architecture

Hyperledger Fabric update Meetup 20181101

Cloud-native Data

Kürzlich hochgeladen

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxnull - The Open Security Community

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106

"ML in Production",Oleksandr BaganFwdays

Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software

Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays

SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero

My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar

Install Stable Diffusion in windows machinePadma Pradeep

Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation

Commit 2024 - Secret Management made easyAlfredo García Lavilla

DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy

Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz

"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada

Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge

The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2

AI as an Interface for Commercial BuildingsMemoori

Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi

Kürzlich hochgeladen (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics

"ML in Production",Oleksandr Bagan

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation

Developer Data Modeling Mistakes: From Postgres to NoSQL

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...

SIP trunking in Janus @ Kamailio World 2024

My Hashitalk Indonesia April 2024 Presentation

Install Stable Diffusion in windows machine

Connect Wave/ connectwave Pitch Deck Presentation

Commit 2024 - Secret Management made easy

DevoxxFR 2024 Reproducible Builds with Apache Maven

Unleash Your Potential - Namagunga Girls Coding Club

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost

"Debugging python applications inside k8s environment", Andrii Soldatenko

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024

Designing IA for AI - Information Architecture Conference 2024

The Future of Software Development - Devin AI Innovative Approach.pdf

AI as an Interface for Commercial Buildings

Vertex AI Gemini Prompt Engineering Tips

Pki 202 Architechture Models and CRLs

1. PKI 202 – Architecture Models and CRLs Aman Hardikar

2. Agenda • Architecture Models • Subordinate • Cross certified mesh • Bridge • Trusted list • Revocation • CRL • OCSP

3. Overview Available at www.amanhardikar.com/mindmaps.html Mindmap:

4. Topics Today

5. PKI Trust Models The fundamental purpose of PKI is to represent the trust relationship between participating parties. The verifier verifies the chain of trust. Four models exist: • Subordinate Hierarchy • Cross Certified Mesh • Bridge CA • Trusted List

6. Subordinate Hierarchy • Two or more CAs in a hierarchical relationship • Good for single enterprise applications • Hard to implement between enterprises

7. Cross Certified Mesh • Each internal CA signs the other PKI’s public verification keys • Good for dynamically changing enterprise PKI applications • Scalability is a major issue. Need to support n(n-1) cross certifications

8. Bridge CA • Only the Root CAs participate in the cross certification • Solves the issues with the mesh model

9. Trusted List • Uses a set of publicly trusted root certificates • Ex: Internet Browsers

10. Traditional CRLs Relying party checks the certificate against the latest published CRLs Disadvantage: Long CRLs and the number the users directly proportional to the performance of the network.

11. Modified CRLs • Overissued CRLs • Segmented CRLs • Delta CRLs • Sliding window (overissued delta) CRLs

12. OCSP Online Certificate Status Protocol • Client – Server model • Client requests status of a certificate • Server sends a signed response back • Advantages • Very small request and response • Disadvantages • All responses need to be signed increasing the load on the server • Clients must be online/connected to check the status

13. SSLAuditor3 Preview Report generation code needs few fixes

14. Next Presentations PKI Applications SSL S/MIME PGP IKE SSLAuditor3 demo PKI Architecture Weakness / Audit Architecture Weaknesses Auditing Mitigation Procedure Best Practices

15. UK Offices Manchester - Head Ofﬁce Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland