Distributed Systems Security. Authentication Practice - 2. Prof. Steve Wilbur

Transcription

1 Distribted Systems Secrity Athentication Practice - 2 Prof. Steve Wilbr s.wilbr@cs.cl.ac.k MSc in Data Commnications Networks and Distribted Systems, UCL Lectre Objectives Examine X.509 as a practical example of Pblic Key services MSc in Data Commnications Networks and Distribted Systems, UCL 4-2 Page 1 1

2 X.500 Directory Service X.500 is a family of standards for directory services providing information abot sers Developed in late-1980s by ITU X.509 defines a certificate strctre and protocols which are widely sed, eg.: o S/MIME o IP Secrity o SSL/TLS o SET X.509: o V1: 1988; V2: 1993; V3: 1995 MSc in Data Commnications Networks and Distribted Systems, UCL 4-3 X.509 Strctre Example of early definition of strctre in ASN.1 LHS = identifier; RHS = type certificate ::= SIGNED SEQUENCE { signatre AlgorithmIdentifier, isser Name, validity Validity, sbject Name, sbjectpkinfo SbjectPblicKeyInfo} Validity ::= SEQUENCE { notbefore UTCTime, notafter UTCTime} SbjectPblicKeyInfo ::= SEQUENCE{ algorithm AlgorithmIdentifier, sbjpk BITSTRING} AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL} MSc in Data Commnications Networks and Distribted Systems, UCL 4-4 Page 2 2

3 X.509 s Issed by trsted Certification Athority Directory Service only stores and distribtes them MSc in Data Commnications Networks and Distribted Systems, UCL 4-5 X.509 Strctre Version Serial Nmber Signatre Alg. ID Algorithm Parameters Isser Name Not Before Not After Validity Period Sbject Name Algorithms Versions 1, 2 and 3 Versions 2 and 3 Version 3 only Sbject PK Info. Isser Uniqe ID Sbject Uniqe ID Extensions Signatre Parameters Key Algorithms Parameters Encrypted Hash MSc in Data Commnications Networks and Distribted Systems, UCL 4-6 Page 3 3

4 X.509 s - 2 Version: Indicates format of certificate (1, 2 or 3) Serial Nmber: Integer associated with this C, niqe in issing CA Sig. Alg. ID: Algorithm sed to sign the C and any parameters (repeated in the Signatre field) Isser Name: Name of CA that created C Validity Period: First and last dates on which C is valid Sbject Name: Name of ser to whom C applies Sbject PK Info.: Pblic key, algorithm and any relevant parameters of sbject Isser Uniqe ID: Optional bit string to identify niqely CA in case name is not niqe Sbject Uniqe ID: Optional bit string to identify niqely CA in case name is not niqe Signatre: Covers all other fields of C MSc in Data Commnications Networks and Distribted Systems, UCL 4-7 X.509 s - 3 Inter-domain certification by CA s prodcing certificates for each other s Pblic Keys o Forward : of X generated by other Cas o Reverse s: s generated by X for another CA Generally arranged hierarchically so that easy for sers to find certification chain and reqest relevant certificates Otherwise, similar to theory MSc in Data Commnications Networks and Distribted Systems, UCL 4-8 Page 4 4

5 X.509 Revocation s sally issed for appropriate length of time, eg. stdents: 1 academic year May need to nllify C earlier if: o ser s secret key compromised o ser no longer within jrisdiction of CA, eg. left job o CA s certificate has been compromised Each CA keeps a list of all revoked bt not expired certificates Periodically pblished to directory via Revocation List (CRL) If end ser caches C s they mst also cache relevant CRL s MSc in Data Commnications Networks and Distribted Systems, UCL 4-9 X.509 Revocation List Signatre Alg. ID Isser Name This pdate date Next pdate date Revoked Algorithm Parameters Serial Nmber Revocation Date... Revoked Signatre Algorithms Parameters Encrypted Hash MSc in Data Commnications Networks and Distribted Systems, UCL 4-10 Page 5 5

6 X.509 s V.3 Limitations of V.2 Sbject field inadeqate to flly convey identity of owner (which j smith in that domain esp. if domain is broad eg. ISP) May be several different identities for a given ser, eg. mail address, URL, etc. - need to specify and relate them Need to indicate secrity policy information, so protocols can relate specific for this Need to limit damage from falty or malicios CA Important to keep separate keys sed by same owner at different times - key life cycle management MSc in Data Commnications Networks and Distribted Systems, UCL 4-11 X.509 s V.3 Flexible strctre to deal with these and other needs: extensions Each extension consists of: o extension identifier o criticality indicator o extension vale Criticality indicator indicates whether this extension can safely be ignored o if indicator is TRUE and application/protocol cannot deal with this extension type, then the certificate mst be treated as invalid MSc in Data Commnications Networks and Distribted Systems, UCL 4-12 Page 6 6

7 X.509 s V.3 Key and Policy Information -1 Athority Key Identifier: Identifies which of CAs keys to se to validate C. Allows CAs key pairs to be pdated Sbject Key Identifier: Similar to above. Key Usage: Policy restrictions on key, eg. digital signatre, data encryption, key encryption etc. MSc in Data Commnications Networks and Distribted Systems, UCL 4-13 X.509 s V.3 Key and Policy Information -2 Private-key Usage Period: Private key may be valid for a mch shorter period than the pblic key, eg. signing (private) key validity less than verifying (pblic) key Policies: Lists policies this certificate spports and optional qalifier information Policy Mappings: For s for CAs issed by other CAs. Indicates policies in isser domain which are eqivalent in the sbject CAs domain MSc in Data Commnications Networks and Distribted Systems, UCL 4-14 Page 7 7

8 X.509 s V.3 Sbject & Isser Attribtes Provide alternative names in alternative formats Increase ser s confidence that C relates to particlar person or entity Examples: o postal address o position within organisation o pictre Sbject Alternative Name: One or more alternative names. Some apps se their own name forms MSc in Data Commnications Networks and Distribted Systems, UCL 4-15 X.509 s V.3 Sbject & Isser Attribtes -2 Sbject Alternative Name: One or more alternative names. Some apps se their own name forms Isser Alternative Name: Similar to above, bt for isser Sbject Directory Attribtes: X.500 directory attribtes for the sbject MSc in Data Commnications Networks and Distribted Systems, UCL 4-16 Page 8 8

9 X.509 s V.3 Certification Path Constraints May provide constraints on which crosscertificates may appear in certification chains May constrain the types of certificates that the sbject CA can isse Basic Constraints: Indicates if sbject may act as CA. May inclde a max. certification path length. Name Constraints: Limits name space for all sbject names in sbseqent Cs in a path Policy Constraints: May enforce explicit policy specification in the rest of the certification path MSc in Data Commnications Networks and Distribted Systems, UCL 4-17 Creation Algorithmically, this is easy BUT, need to think careflly abot processes within organisation or domain Following diagrams show schematics of isse nder athority of a commercial or government isser Assmes that sbject s company has established its credential beforehand with issing athority MSc in Data Commnications Networks and Distribted Systems, UCL 4-18 Page 9 9

10 Generation User Credentials LA Creds SK LA Pblic Key Generation PK U Reqest Generation SK U M Remote Site Key Store Generation SKCA CA Directory M is of form: LA, {RQCert, LA, User, Creds, PK}SK LA CA - Certification Athority LA - Local Athority MSc in Data Commnications Networks and Distribted Systems, UCL 4-19 Local Generation User Credentials LA Creds Athenticate Pblic Key Generation SK U PK U Generation SKCA CA Key Store Directory CA - Certification Athority LA - Local Athority MSc in Data Commnications Networks and Distribted Systems, UCL 4-20 Page 10 10

11 Issing Isses How do yo prove to someone who yo are? o Driving licence? o P45? o Letter of reference? o Birth? How mch certainty is reqired? If yo by/program key-pair generation software how do yo know it is sond? What tests wold yo apply to it? MSc in Data Commnications Networks and Distribted Systems, UCL 4-21 Issing Isses - 2 Are copies of Private Keys kept - escrowed? All of them, non, some? How are Private Keys stored? How secre is this? If PKs are encrypted while not in se (key chain) how secre is the encryption? Based on password or phrase? What procedres does CA expect LA to carry ot? What aditing needs to be done? Does this introdce potential weaknesses MSc in Data Commnications Networks and Distribted Systems, UCL 4-22 Page 11 11

12 Frther Reading Stallings W, Cryptography and Network Secrity: Principles and Practice, 2ed, Prentice Hall, 1999, o X.509 Athentication and s: pp Pfleeger C, Secrity in Compting, 2ed, Prentice Hall, 1997, o s: pp Ford W, Advances in Pblic-Key Standards, ACM SIGSAC Review, Jly 1995 MSc in Data Commnications Networks and Distribted Systems, UCL 4-23 Frther Reading - 2 Ford W, Advances in Pblic-Key Standards, ACM SIGSAC Review, Jly 1995 MSc in Data Commnications Networks and Distribted Systems, UCL 4-24 Page 12 12