
About PKI Key Stores


Presentation Transcript


  1. About PKI Key Stores Dartmouth College PKI Lab

  2. Key Store Defined
     • Protected “vault” to hold a user’s private key together with their copy of their X.509 certificate
     • A function of their client computer and software
     • Should be locally password protected
     • Should be encrypted and/or protected by specialized hardware
     • May be provided by the OS or by application(s)
     • May hold the only copy of a private key

  3. Key Store Anatomy (first look before we launch into details)

  4. Key Store Interfaces
     • Microsoft Windows CAPI
     • RSA PKCS#11
     • Application specific

  5. Browsers and Key Stores
     • Browsers provide one of the most common ways to access key stores
     • GUI for key generation and certificate enrollment
     • Viewing and manipulating certificates and keys
     • Import/export
     Mozilla/Netscape does PKCS#11; Internet Explorer/Windows does CAPI.

  6. Key Store Types
     • “Software”: keys encrypted in a file
     • “Hardware”: keys stored on specialized hardware tokens

  7. OS Key Stores
     • CAPI: Microsoft Windows CryptoAPI
     • “Keychain” from Apple
     Many Windows applications use CAPI; others have their own key store.

  8. “Software” Key Store
     • Stores certificates and encrypted keys on the local computer’s file system
     • Encryption is password protected
     • Relatively vulnerable to key theft (depending on implementation)
     • Requires exporting and importing to use the key on another computer or in a different key store on the same computer
     All PKI applications support this type of key store – for some it is the only type supported.

  9. “Hardware” Key Store
     • Stores certificates and keys in special purpose hardware (typically a USB token or a smart card and reader)
     • Much higher assurance - the key cannot be used without the user’s password, but still not unbreakable
     • Allows easy private key mobility between computers and applications
     • Two-factor security (need token plus password to do anything) makes hardware key stores much more secure than software key stores

  10. PKCS#11
     • Standard developed by RSA to provide applications with a key store and PKI cryptographic functions
       http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/
     • Used by Mozilla on all OSes (even Windows)
     • Has a lower-level API for plugging in different implementations (enables hardware tokens)
     • Open source implementations available
     • Similar to MS CAPI – unfortunately MS opted not to support PKCS#11

  11. Microsoft CAPI (AKA CryptoAPI)
     • Microsoft Windows “standard” API for providing PKI functionality to applications
       http://msdn.microsoft.com/library/en-us/security/security/cryptography_portal.asp?
     • Provides:
        • Key store function
        • Cryptographic operations using the key store and certificate
        • GUI for managing certificates and keys
        • Facilities to create, import, and export certificates and keys
     • Cryptographic Service Provider (CSP) layer allows 3rd party software, token, and smartcard solutions
     • Microsoft’s software key store CSP has some issues

  12. Key Store Anatomy (revisited now that we are familiar with the pieces)

  13. Application Key Stores
     • Some applications don’t use either CAPI or PKCS#11
     • Add undesirable complexity
     • Incompatible with hardware keys (since those can only support the PKCS#11 and CAPI/CSP interfaces)
     • Require exporting and importing certificates/keys
     • AOL AIM has its own key store

  14. How PKI Uses Passwords
     • Passwords protect local key stores
     • Stored and managed locally by the user
     • Never stored on servers (an important feature – passwords on servers and traversing a network are more vulnerable)
     • User provides the password to “unlock” their private key – all other operations use asymmetric key cryptography

  15. User Accounts
     • Windows CAPI stores software keys in each user’s profile
     • If user accounts are secure, then CAPI keys are protected by the Windows logon security

  16. PKCS#7 and PKCS#12
     • More RSA standards
     • No awards for imaginative names…
     • PKCS#7 is a general syntax for data that may have cryptography applied to it
       http://www.rsasecurity.com/rsalabs/pkcs/pkcs-7/index.html
     • PKCS#12 specifies secure containers for transporting PKI certificates with private keys
       http://www.rsasecurity.com/rsalabs/pkcs/pkcs-12/index.html
