Public Key Infrastructures

Transcription

1 Public Key Infrastructures Trust Models Cryptography and Computer Algebra Prof. Johannes Buchmann Dr. Johannes Braun

2 We trust certificates because we trust the system(s). Direct trust Web of trust Hierarchical trust 2

3 Example: Secured website 3

4 View the website's certificate 4

5 In the browser The browser is shipped with trusted authorities 5

6 Direct trust 6

7 Direct trust User receives public key directly from owner OR User verifies public key directly with owner 7

8 Most common: Fingerprint comparison Fingerprint = hash value of the certificate (incl. signature) in DER format 8

9 Face to face verification 9

10 Phone verification file://../certificates/hrz/dt-root-ca-2.der (bin) 10

11 Phone verification 11

12 Web page verification 12

13 Printed media verification BNetzA publishes the public key 13

14 and more e.g. public keys on software CD/DVD apt-key --keyring /etc/apt/trusted.gpg.d list /etc/apt/trusted.gpg.d//debian-archive-jessie-automatic.gpg pub 4096R/2B90D [expires: ] uid Debian Archive Automatic Signing Key (8/jessie) 14

15 Example: Certificate installation Step 1: Get certificate 15

16 Example: Certificate installation Step 2: View certificate 16

17 Example: Certificate installation Step 3: View fingerprint 17

18 Example: Certificate installation Step 3: Compare fingerprint 18

19 Example: Certificate installation Step 4: Decide certificate purposes 19

20 Example: Certificate installation Result: Locally installed certificate 20

21 Example: Software signing Step 1: Get software and public key Original CD/DVD Customer obtains genuine CD/DVD containing the public key. The medium offers protection against manipulation. Key compromise as well as CD/DVD forgery can become known through the media. Trust in key = Trust in genuine CD/DVD 21

22 Example: Software signing Step 2: Check signature on updates Signed RPMs RedHat Package Manager Software installation in Linux Source: miscellaneous URLs Is a URL trusted? (e.g. is ftp://ftp.suse.com/.../openssl-1.0.2d.rpm one malicious version of OpenSSL?) Solution: The Linux-Distributor signs the RPM-Packet with GPG (GNU Privacy Guard) Public Key inside the original-cd for verification ~# rpm --checksig./openssl-1.0.2d.rpm openssl-1.0.2d.rpm: sha256 gpg in Ordnung ~# 22

23 Key validation problem Internet: 3,731,973,423 users 13,927,625,626,246,363,506 validations n*(n-1) validations = O(n 2 ) Even worse than symmetric key exchange [From: April 08, 2015] 25

24 Direct Trust: Summary Establishes Which keys are authentic Why they are considered authentic Bad scalability n * (n-1) = O(n 2 ) verifications Worse complexity than secret key exchange! Basis for all other trust models To be seen 26

25 Web of trust 27

26 Web of trust [From PGP-Pretty Good Privacy by Simon Garfinkel] 28

27 Web of trust A decentralized trust model To establish the authenticity of the binding public key user Used in PGP, GnuPG, and other OpenPGP-compatible systems Each party = end-user & certification authority at the same time All users distribute their own public keys, and certify those of other users From: Encyclopedia of Cryptography and Security, page

28 Key validity Alice computes key validity using Bob s signatures Carl Alice Bob Dave 30

29 Key validity Alice computes key validity using Bob s signatures Carl Alice Dave 31

30 Chaining key validity Alice computes key validity using Bob s and Carl s signatures Dave Alice Bob Carl Elena 32

31 Chaining key validity Alice computes key validity using Bob s and Carl s signatures Dave Alice Elena 33

32 Public keyring 34

33 Public keyring Alice s public keyring 35

34 Key validity vs. owner trust Key validity: Is the key owner who he claims to be? Levels: unknown; marginal; complete; ultimate Owner trust: Is the key owner reliable? (in respect to signing keys of others) Levels: unknown; none; marginal; complete; ultimate 36

35 Key validity levels unknown Nothing is known about this key. marginal The key probably belongs to the name. complete The key definitely belongs to the name. (ultimate) (Own keys). 37

36 Owner trust levels unknown Nothing can be said about the owner's judgment in key signing. none The owner is known to improperly sign keys. marginal The owner is known to properly sign keys. complete The owner is known to put great care in key signing. ultimate The owner is known to put great care in key signing, and is allowed to make trust decisions for you. 38

37 Assigning key validity and owner trust Key validity: Manually set (Key signing) OR computed from the trust in the corresponding signers, only considering signers with key validity complete. Owner trust: Manually set (Trust setting) 39

38 Key signing: Direct trust Bob s key validity is complete for Alice because she decided it when signing the key after verifying the fingerprint. 40

39 Key validity computation: complete (1) If the key is signed by at least one user with owner trust complete. 41

40 Key validity computation: complete (2) If the key is signed by at least x (here x=2) names with owner trust marginal. 42

41 Trust anchor: Owner trust Alice assigns owner trust to users. 45

42 Trusted introducers Alice signs Bob s key (level 1) and trusts him. Bob signs Carl s key (level 0) and trusts him. Alice uses Carl s signatures on Dave s and Elena s keys. Bob = Trusted introducer Dave Alice Bob Carl By allowing more intermediate signers (level >1), Bob becomes a Meta introducer Elena 46

43 Trusted introducers Alice signs Bob s key (level 1) and trusts him. Bob signs Carl s key (level 0) and trusts him. Alice uses Carl s signatures on Dave s and Elena s keys. Bob = Trusted introducer Dave Alice By allowing more intermediate signers (level >1), Bob becomes a Meta introducer Elena 47

44 Example: Thunderbird file://../thunderbirdportable/thunderbirdportable.exe 48

45 Sign and encrypt message 49

46 Decrypt and verify message 50

47 Example: OpenPGP C:\Users\[Benutzername]\AppData\Roaming\gnupg (prune) 51

48 Some OpenPGP commands Command gpg --gen-key gpg --output revoke.asc -- gen-revoke keyid gpg --output alice.gpg -- export keyid gpg -e -r keyid <filename> gpg -d <filename> gpg -s <filename> Description Generate key Revoke key Export key Encrypt Decrypt Sign... 52

49 PGP: Disadvantages PGP lacks forward secrecy (Forward secrecy: Exposure of long-term keys, used to negotiate session keys, does not compromise the secrecy of session keys established before the exposure.) From: Encyclopedia_of_cryptography_and_security, page 921 No supervision in regard to upgrading algorithms and parameters (e.g., use of old ciphers) Bad scalability for global use 53

50 Hierarchical trust 54

51 Hierarchical trust Certification Authority (CA) issues certificates trust anchor Alice Bob Carl 55

52 Hierarchical trust Why does Alice trust in Doris key? DFN PCA root CA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 56

53 Hierarchical trust Why does Alice trust in Doris key? DFN PCA root CA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 57

54 Hierarchical trust Emil to Alice DFN PCA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 58

55 Hierarchical trust Emil to Alice DFN PCA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 59

56 Hierarchical trust Emil to Alice DFN PCA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 60

57 Hierarchical trust Emil to Alice DFN PCA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 61

58 Trust models in multiple hierarchies When does Alice accept the certificate of Fred? TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 62

59 Method 1: Trusted list Every participant has a list of trusted CAs Alice trusts TC2 and TC3 Every user maintains an own list (like in the Web of trust) Used in Web browsers (preinstalled + user defined) TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 63

60 Trusted list: Certification path Alice to Fred TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 64

61 Example Trusted list 65

62 Method 2: Common root Every user who trusts TC1, accepts every other end-user certificate. TC 1 TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 66

63 Common root: Certification path Alice to Fred TC 1 TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 67

64 Example Two hierarchies 68

65 Example Common root 69

66 Method 3: Cross-certification TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans TC 2 issues a CA-certificate for TC 3. TC 3 issues a CA-certificate for TC 2. Not always bilateral Every user who trusts TC 3, accepts every certificate, that was issued by TC 2 (or a subordinate CA). Every user who trusts TC 2, accepts every certificate, that was issued by TC 3 (or a subordinate CA). 70

67 Cross-certification: Certification path Alice to Fred TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 71

68 Cross-certification: Other possibility (1) TC 2 issues one CA-certificate to TC 7 and vice versa. Hans accepts the certificate of Emil and vice versa. Emil does not accept the certificate of Fred. TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 72

69 Cross-certification: Other possibility (2) TC 4 issues one CA-certificate to TC 6 and vice versa. Alice accepts the certificate of Fred and vice versa. Fred does not accept the certificate of Emil. TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 73

70 Example 1R root 74

71 Example 2R root 75

72 Example 1R-to-2R 2R-to-1R 76

73 Example 2R as trust anchor 77

74 Cross-certification problem n*(n-1) cross-certificats = O(n 2 ) 78

75 Method 4: Bridge Idea: Bridge TC has cross-certifications with TC 2 and TC 3. Alice accepts all certificates beneath TC 3. Fred accepts all certificates beneath TC 2. TC 2 Bridge TC TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 79

76 Bridge: Certification path Alice to Fred Bridge enforces minimal policy TC 2 Bridge TC TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 80

77 Bridge trust center The bridge TC acts as a connector This TC is not subordinate to a third CA Interesting for corporate CAs that: want to enable secure communication for their users outside the organisation s borders do not want to be subordinate to a third CA 81

78 Example European Bridge CA (EBCA) 82

79 X.509 certificate extension Basic Constraints Identifies whether the subject of the certificate is a CA the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. It is marked critical If pathlength is not present => no limit ASN.1: BasicConstraints ::= SEQUENCE { ca BOOLEAN DEFAULT FALSE, pathlenconstraint INTEGER (0..MAX) OPTIONAL } file://../certificates/text/csca_basicconstraints.cxt (text) file://../certificates/country_signing_ca.cer (bin) 83

80 X.509 certificate extension Basic Constraints: Example Root CA Subordinate CA Subordinate CA ca:true pathlength: ca:true pathlength: ca:false Alice 84

81 X.509 certificate extension Basic Constraints: Example Root CA Subordinate CA Subordinate CA Alice ca:true pathlength: 1 ca:true pathlength: 0 ca:false minimum values 85

82 Criticism regarding the power of CAs Honest Achmed Achmed-bittet-um-Vertrauen html 86