[Figure: lab network with W2k servers, W2k and W2k/Linux clients and IP phones (labels: Professional Documents, Culture Documents). Inset: symmetric-key encryption, in which Alice encrypts "Mom's Secret Apple Pie Recipe" with a shared symmetric key into ciphertext and Bob recovers the plaintext with the same key.]
• X = public key
• Y = private key
Data Transmission Laboratory EIG/HES-SO, Ph. Logean, 21 November 2002, p. 5
Public Key Infrastructure (PKI)
[Figure: PKI trust model. Direct trust between two parties versus implicit trust through a Trusted Authority; the Certificate Authority holds its private key (Pri), publishes its public key (Pub) and maintains a certificate database.]
Causes:
• Compromise of the private key
• Compromise of the owner
[Figure: the lab network (W2k servers, W2k and W2k/Linux clients, IP phones) under a Domain Admin who defines the security policy; the certificate life cycle covers enrollment, distribution, publication, revocation, etc.]
eToken Domain Logon
[Figure: eToken domain logon between a Domain Client and the DC/KDC. Self-signed CA Keon: ca1.telecomeig. User Certificate (Vectra25): Issuer ca1.telecomeig, Subject Alice. DC Certificate: Issuer ca2.telecomeig, Subject dc1.telecomeig.]
[Figure: eToken logon flow between the client workstation host.telecomeig (eToken Vectra24) and the domain controller dc1.telecomeig running Win2k Active Directory with the KDC (AS and TGS). Client-side components: Winlogon, GINA, LSA (User@domain, User Info), Kerberos SSP, CSP, eToken driver; a Tracer at the CSP and a USB analyser on the eToken link serve as capture points. Labelled steps: 7. AS request to the KDC (User Certificate, Authenticator + Signature); 10. AS response (TGT + Session Key + KDC Certificate). User Certificate: Issuer ca2.telecomeig, Subject Alice, with the Private Key on the eToken. KDC (DC) Certificate: Issuer ca2.telecomeig, Subject dc1.telecomeig.]
GINA: Graphical Identification and Authentication
LSA: Local Security Authority
SSP: Security Support Provider
CSP: Cryptographic Service Provider
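The exchange in the diagram above, as an added worked example that is not part of the original slides or of the EIG lab's code. It is written in Go against the standard library only and models the certificate-based pre-authentication the diagram labels describe: the client sends its user certificate plus an authenticator signed with the eToken's private key; the KDC validates the certificate against the trusted CA, verifies the signature and the authenticator's freshness, and returns a TGT, a session key and the KDC certificate; the client authenticates the KDC through that certificate before accepting the session key. Everything not on the slide is an assumption: the message layouts (a 24-byte authenticator of unix time and nonce, RSA-OAEP for the reply key, an opaque stand-in for the TGT body) are simplifications rather than the real PKINIT ASN.1 encoding; a single self-signed CA named ca1.telecomeig issues both the Alice and dc1.telecomeig certificates, collapsing the ca1/ca2 tiers shown in the diagrams; all keys and certificates are generated at run time.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ASReq is the slide's AS request: user certificate + authenticator (unix time || nonce) signed on the eToken.
type ASReq struct{ Principal string; UserCertDER, Authenticator, Signature []byte }
// ASRep is the AS response: TGT, session key (RSA-OAEP to the user's certified key), KDC certificate, and the KDC's signature over signedPart.
type ASRep struct{ TGT, EncSessionKey, KDCCertDER, Signature []byte }
// Party is a key holder: the CA, Alice's eToken, or the DC acting as KDC.
type Party struct{ Key *rsa.PrivateKey; Cert *x509.Certificate }

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// issue certifies pub under signer; when ca is set the certificate is self-signed.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey, eku ...x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	if ca { t.KeyUsage, parent = x509.KeyUsageCertSign, t }
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}
func sign(key *rsa.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	return must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:]))
}
func signedPart(req ASReq, rep ASRep) []byte { // authenticator||key||TGT: binds the KDC's reply to this client's request
	return append(append(append([]byte{}, req.Authenticator...), rep.EncSessionKey...), rep.TGT...)
}
// verifyPeer chains the peer certificate to the trusted CA (the slide's "implicit trust"), then checks its signature over data.
func verifyPeer(der []byte, roots *x509.CertPool, eku x509.ExtKeyUsage, data, sig []byte) (*rsa.PublicKey, string, error) {
	c, err := x509.ParseCertificate(der)
	if err == nil { _, err = c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}}) }
	if err != nil { return nil, "", fmt.Errorf("certificate not trusted: %w", err) }
	h := sha256.Sum256(data)
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil {
		return pub, c.Subject.CommonName, nil
	}
	return nil, "", fmt.Errorf("signature does not verify under the certified key")
}
// BuildASReq is the client side (Winlogon -> Kerberos SSP -> CSP -> eToken driver).
func BuildASReq(user Party, principal string) ASReq {
	auth := make([]byte, 24) // 8-byte big-endian unix time || 16-byte nonce
	big.NewInt(time.Now().Unix()).FillBytes(auth[:8])
	must(rand.Read(auth[8:]))
	return ASReq{principal, user.Cert.Raw, auth, sign(user.Key, auth)}
}
// KDCHandle is the DC/KDC side. A real KDC would also check revocation and keep a replay cache; both are omitted here.
func KDCHandle(kdc Party, roots *x509.CertPool, req ASReq) (ASRep, []byte, error) {
	pub, cn, err := verifyPeer(req.UserCertDER, roots, x509.ExtKeyUsageClientAuth, req.Authenticator, req.Signature)
	if err != nil { return ASRep{}, nil, fmt.Errorf("AS-REQ rejected: %w", err) }
	if cn != req.Principal || len(req.Authenticator) != 24 {
		return ASRep{}, nil, fmt.Errorf("AS-REQ rejected: principal does not match certificate")
	}
	ts := time.Unix(new(big.Int).SetBytes(req.Authenticator[:8]).Int64(), 0)
	if d := time.Since(ts); d > 5*time.Minute || d < -5*time.Minute {
		return ASRep{}, nil, fmt.Errorf("AS-REQ rejected: authenticator outside clock-skew window")
	}
	session := make([]byte, 32)
	must(rand.Read(session))
	enc := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, session, nil))
	rep := ASRep{[]byte("TGT:" + req.Principal), enc, kdc.Cert.Raw, nil} // ticket body: opaque stand-in
	rep.Signature = sign(kdc.Key, signedPart(req, rep))
	return rep, session, nil
}
// ClientHandle is the client side of the AS response: authenticate the KDC (certificate + signature), then unwrap the session key.
func ClientHandle(user Party, roots *x509.CertPool, req ASReq, rep ASRep) ([]byte, error) {
	_, _, err := verifyPeer(rep.KDCCertDER, roots, x509.ExtKeyUsageServerAuth, signedPart(req, rep), rep.Signature)
	if err != nil { return nil, fmt.Errorf("AS-REP rejected (rogue KDC?): %w", err) }
	return rsa.DecryptOAEP(sha256.New(), nil, user.Key, rep.EncSessionKey, nil)
}
// NewLab is the constructed PKI: one self-signed CA (the lab's ca1/ca2 tiers collapsed into one), Alice's eToken cert and the DC cert.
func NewLab() (alice, dc Party, roots *x509.CertPool) {
	ca := must(rsa.GenerateKey(rand.Reader, 2048))
	caCert := issue("ca1.telecomeig", 1, true, nil, &ca.PublicKey, ca)
	alice.Key, dc.Key = must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	alice.Cert = issue("Alice", 2, false, caCert, &alice.Key.PublicKey, ca, x509.ExtKeyUsageClientAuth)
	dc.Cert = issue("dc1.telecomeig", 3, false, caCert, &dc.Key.PublicKey, ca, x509.ExtKeyUsageServerAuth)
	roots = x509.NewCertPool()
	roots.AddCert(caCert) // only the CA is trusted directly; Alice and the KDC are trusted through it
	return alice, dc, roots
}
func main() {
	alice, dc, roots := NewLab()
	req := BuildASReq(alice, "Alice")
	rep, kdcKey, err := KDCHandle(dc, roots, req)
	clientKey, err2 := ClientHandle(alice, roots, req, rep)
	fmt.Println("Alice logon ok:", err == nil && err2 == nil && string(clientKey) == string(kdcKey))
}
```

The checks worth noting are the ones the diagram cannot show: the KDC accepts the user certificate only if it chains to the trusted CA with a client-authentication usage, the principal in the request must match the certified subject, and the client accepts the session key only after the KDC's own certificate chains to the same CA and its signature covers the client's authenticator, so a rogue KDC can neither replay an old reply nor substitute a key. Revocation checking and a replay cache are deliberately left out; both belong in a real KDC.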
Problems encountered:
• Lack of information for integrating the Keon CA into AD