4. PKI and the Services
♦ CLAIM: PKI can help in all
♦ Question (subjective – GI)
– Where is the source of trust in all these?
– Suggestion (subjective – GI)
• Try to do the same without PKI, using only
symmetric techniques (usually possible!);
find the problem;
see how this problem is manifested and addressed in
the PKI solution.
• Easier to “cheat” (including yourself!) with PKI.
Symmetric techniques are more explicit.
♦ Make all the security & trust assumptions explicit!
6. Pitfalls
♦ Security breaches
– Key compromises
♦ Inherent difficulties
– Revocation
♦ Negligence
– Certificates are routinely not checked or some of the
attributes ignored
– Alarms and warnings ignored
(“certificate not valid. Press OK to proceed.”)
♦ Inconsistencies & human factors
(“that’s not what I meant by this policy!”)
8. Certificates
♦ Introduced in 1978
[Kohnfelder’s Bachelor’s thesis]
♦ X.509 – “the standard standard” today
– v.1 (1988) – not extendable
– v.2 – not much better
– v.3 (1997) is much better – optional extensions
Today, X.509=v.3
– Many other standards extend X.509
♦ Others
– PGP, SPKI, etc.
9. Certificates
♦ Certificates ≠ Signature
– Certificates are implemented using Signatures
♦ Certificates ≠ Authentication
– Authentication can be implemented using
Certificates
– Same for Authorization, etc.
♦ Certificates are static
– Change => Re-Issue
• *This could be challenged, but not in standard x509
11. Certificate Validation
♦ Integrity: signature is valid
♦ Signed by a trusted CA
– or certification path is rooted in a trusted CA
♦ Certificate is valid now:
– We are between Not Valid Before and Not Valid
After time points in the certificate
♦ Not Revoked
♦ Use is consistent with the policy
13. SPKI – A Simple PKI
♦ Authorization certificates
♦ Delegation
♦ SDSI – a Simple Distributed Security
Infrastructure
♦ Question #1:
it may be very nice, but will it ever be used
by anyone?
14. PGP – Pretty Good Privacy
♦ Tendencies
– Email
• Incompatibilities between PGP and S/MIME
• OpenPGP v6.5 supports x509 certs, but still…
– Personal (rather than corporate)
15. SET – Secure Electronic Transaction
♦ Credit card payment protocol
♦ Adopts and extends X.509
– See [AL] pg.84
18. Certificate Policies
♦ Certificate Policy
– “high level what is supported” document
♦ CPS – Certification Practice Statement
– “detailed, comprehensive, technical how policy
is supported” document
♦ No agreement on the roles and meanings of
the above
♦ Might be not public; hard to enforce
19. Certificate Policies
♦ Distinguished by OIDs (Object ID)
– “form letters”
♦ Equivalences
– Policy Mapping ext. declare policies equivalent
♦ Established & registered by
Policy [Management] Authorities
– Internal – e.g. corporate
– External – community
20. CA – Certification Authority
♦ Issuer/Signer of the certificate
– Binds public key w/ identity+attributes
♦ Enterprise CA
♦ Individual as CA (PGP)
– Web of trust
♦ “Global” or “Universal” CAs
– VeriSign, Equifax, Entrust, CyberTrust, Identrus, …
♦ Trust is the key word
21. RA – Registration Authority
♦ Also called LRA – Local RA
♦ Goal: Off-load some work of CA to LRAs
♦ Support all or some of:
– Identification
– User key generation/distribution
• passwords/shared secrets and/or public/private keys
– Interface to CA
– Key/certificate management
• Revocation initiation
• Key recovery
24. Initialization
♦ Registration
– Via RA
– Identity verification
• According to CP/CPS docs
– If on-line, should be protected+authenticated (?)
– Secret shared by user and CA
• New or pre-existing relationship
♦ Key pair generation
♦ Certificate creation & delivery
♦ [Key backup]
25. Key pair generation
♦ Where? (by who?)
– CA
– RA
– Owner (e.g. within browser)
– Other Trusted 3rd Party
♦ What for?
– Non-repudiation ⇒ owner generation
♦ Dual key pair model
– Separate key pairs for authentication,
confidentiality, etc.
26. Key pair generation
♦ Performance
– Laptop, smart cards – used to be too slow
• Today – many smart cards can generate own keys
– Centralized generation
• Scalability: bottleneck for performance & security
♦ Assurance
– “Is the smart card’s random number generator
good enough?”
– Minimal security requirements guarantees
♦ Legal/Liabilities
– Who to sue? Who backs up above assurances?
27. Certificate Creation+Distribution
♦ Creation – CA only
♦ Distribution (to the owner)
– Certificate only
– Certificate + private key
• Deliver key securely!
– X509 rfc2510
– Direct to owner
– To depository
– Both
28. Certificate dissemination
♦ Out-of-band
♦ Public repositories
– LDAP-like directories
– Used mostly for confidentiality
♦ In-band
– E.g. signed e-mail usually carries certificate
Issues:
– Privacy, scalability, etc.
29. Key backup
♦ Backup ≠ Escrow
– Backup= only owner can retrieve the (lost) key
– Escrow= organization/government can retrieve
the key even against owner’s wish
♦ Non-repudiation conflicts with Backup
♦ Where & how to backup securely???
30. Issued Phase
♦ Certificate retrieval
– To encrypt msg or verify signature
♦ Certificate validation
– Verify certificate integrity+validity
♦ Key recovery
– Key backup – automate as much as possible
♦ Key update
– When keys expire: new certificate [+new keys]
31. Certificate Cancellation
♦ Certificate Expiration
– Natural “peaceful” end of life
♦ Certificate Revocation
– Untimely death, possibly dangerous causes
♦ Key history
– For owner: eg to read old encrypted msgs
♦ Key archive
– “For public”: audit, old sigs, disputes, etc.
32. Certificate Expiration
♦ No action
♦ Certificate renewal
– Same keys, same cert, but new dates
– Preferably automatic
– but watch for attributes change!
♦ Certificate update
– New keys, new certificate
34. Certificate Revocation
♦ Requested by
– Owner, employer, arbiter, TTP, ???, …
♦ Request sent to
– RA/CA
♦ Mechanisms for Revocation checks
– Certificate Revocation Lists (CRLs)
– On-line Certificate Status Protocol (OCSP)
• Will it live? (SCVP)
♦ Revocation delay
– According to Certificate Policy
35. Publication Mechanisms
♦ Complete CRLs
♦ Authority Revocation Lists (ARLs)
♦ CRL distribution points (partition CRLs)
♦ Delta CRLs
♦ Indirect CRLs
♦ Enhanced CRL distribution points &
Redirect CRLs
♦ Certificate Revocation Trees (CRTs)
White lists vs Black lists
36. CRL versions
♦ Version 1 (from x509 v1)
– Flaws:
• Scalability
• Not extendable
• Can replace one CRL with another
♦ Version 2 (similar to x509 v3)
– Extensions
• critical and non-critical
• Per-CRL and per-entry
– Format: see [AL] pg.112
37. Complete CRLs
♦ Advantage:
– Self-contained, simple, complete
♦ Problems:
– Scalability
• CRL may grow too big
– Timeliness
• Also results from CRL size
♦ Conclusion: appropriate for some domains
38. Authority Revocation Lists
♦ ARL = CRL for Cas
– Revokes certificates of Cas
– Rarely needed/used
• Decommissioned
• Compromised
39. CRL Distribution Points
♦ Partition CRL into smaller chunks
♦ Static partitions:
– Certificate points to its CRL distribution point
♦ Dynamic partitions
– Enhanced/Redirect CRL DPs
• Certificate points to a Redirect CRL
• Redirect CRL directs to the proper CRL partition
40. Delta CRL
♦ Incremental change
– From Complete or Partition CRL
– CRLnew=BaseCompleteCRLold + DeltaCRL
– Possibly many DeltaCRLs from same BaseCRL
• E.g. complete CRL issued once a week, and a new
DeltaCRL (containing the previous DeltaCRLs)
issued every day
42. Certificate Revocation Trees
– Valicert [Kocher]
– Based on Merkle’s hash trees
– Similar/Relevant work: [Micali; Naor&Nissim]
♦ Construct hash-tree; leaves – certificates
♦ Sign root
♦ To verify a certificate in the tree: path from
the certificate to root + the siblings
♦ Certificate Owner can offer proof of not
being revoked as of the current CRT date!
44. Trust model issues
♦ Who to trust?
– Which certificates can be trusted
♦ Source of Trust
– How it is established?
♦ Limiting/controlling trust in a given
environment
45. Common Trust Models
♦ CA Hierarchy
♦ Distributed
♦ Web
♦ User-centric
Tool
♦ Cross-certification
46. Trust – definition(??)
♦ “A trusts B = A assumes B will behave
exactly as A expects”
– Problem 1: A expects B to try every way of
cheating A that B can find, and A assumes B
will do exactly that == A trusts B?
– Problem 2: Is it a tautology? What’s the
difference between “assumes” and “expects”?
♦ X trusts a CA = X assumes CA will
establish and maintain accurate binding of
attributes and PK’s
– Maintain? Includes secure the binding, CA’s
keys binding, security, etc…
47. Trusted Public Key
♦ PK is trusted by X when X is convinced the
PK corresponds to SK which legitimately
and validly belongs only to a specific
named entity
48. CA Hierarchy
♦ Tree architecture
♦ Single Root CA
– Number of subordinate CA’s
• Etc…
– Parent certifies children
– Leaves are non-CA (end-) entities
♦ Typically CA either certifies other CA’s or
end-entities, but not both
♦ Everyone has Root CA PK
49. Context is important
♦ Privacy Enhanced Mail (PEM) adopted
strict hierarchy of CAs approach and failed
♦ DoD could use hierarchy fine
50. Distributed Trust Architecture
♦ A set of independent hierarchies
– May evolve as independent historically
♦ Cross-certification or PKI networking
– Connect the hierarchies
♦ Fully-meshed – all CAs are cross-certified
♦ Hub & spokes or bridge CA
– Not= Hierarchy
• No root CA: every end-entity holds its CA PK
51. Web Model
♦ A bunch of root CAs pre-installed in
browsers
♦ The set of root CAs can be modified
– But will it be?
♦ Root CAs are unrelated (no cross-
certification)
– Except by “CA powers” of browser
manufacturer
– Browser manufacturer = (implicit) Root CA
52. User-Centric
♦ PGP
♦ User = her own Root CA
– Webs of trust
♦ Good
– User fully responsible for trust
♦ Bad
– User fully responsible for trust
– Corporate/gov/etc. like to have central control
• User-centric not friendly to centralized trust policies
53. Cross-Certification
♦ Mechanism:
– Certificates for CAs (not end-entities)
♦ Intra- vs. Inter- domain
♦ One or two directions
– CA1 certifies CA2 and/or CA2 certifies CA1
♦ Control
– Cross-certificate limits trust
• Name, policy, path length, etc. constraints
54. Entity Naming
♦ What’s the identity?
(the one bound by certificate to the PK [+sk])
– If a certificate is issued to “GeoTrust ”, rather
than “Geotrust”, you may be talking to a
different entity than what you think
55. Name Uniqueness
♦ X.500 Distinguished Name (DN)
– Tree of naming authorities
– X.509 Subject is a DN;
– IP addresses, email, etc. are similar
♦ Problems
– Not too user-friendly
– Central naming authority not always there
• => lots of cooperation required from participating
entities
56. Names (continued)
♦ So, how useful are names?
– SDSI, SPKI, etc – not very
– X.509 allows alternative names
• Extensions subjectAltName
• If this extension is used Subject name (DN) is not
required
– Global uniqueness – not always crucial
– Piggy-back on existing naming/identity
infrastructures
57. Certificate Path
♦ Alice “trusts” CA1
– Alice has CA1’s PK in its browser
• CA1’s PK = “trust anchor”
– “trust anchor” depends on the model
♦ CA1 certifies CA2; CA2 certifies CA3
♦ CA3 certifies Bob
♦ => Alice “trusts” Bob
– Alice associates PK in Bob’s certificate with Bob
58. Certificate Path Processing
♦ Path construction
– Aggregation of necessary certificates
♦ Path validation
– Checking the certificates and the keys
• Includes all steps of certificate validation
59. Path Construction
♦ “Just a [Shortest] Path graph algorithm”
♦ Not so simple – graph is not known
– Edges (certificates) need to be queeried
♦ Once Path Construction is done Path
Validation is straight-forward
One way of adding change without re-issue: Say, certificates are short lived and a new date or new period/generation are required periodically – this is a change. The generation mechanism can be implemented as a hash chain (xi=hash(xi-1)). Some, xn is included in the certificate and every generation the previous x is released.
A more sophisticated change: adding an private attribute. Generate a hash tree on the attributes (with some key bits). Certify root. To add a privilege/attribute send to the owner the attribute leaf value the siblings of the path from the attribute to the root. Can add any subset of attributes. Taking the attributes away is harder. Also, the attributes must be privileges (something the owner wants) – otherwise the owner pretends not to receive the above values.