Public Key Infrastructures

Transcription

1 Public Key Infrastructures How to authenticate public keys? Chapter 4 Certificates Cryptography and Computeralgebra Johannes Buchmann 1 2 Authenticated by digital signature 3 4 Click on icon Click on view 5 6 1

2 Certificates Public key certificate Digitally signed documents that establish connection between subject and public key Public key certificates are data structures that bind public key values to subjects. The binding is asserted by having a trusted CA digitally sign each certificate From RFC Certificate PKI: Certificates Public-key Name Digital Signature as on the key-server protection of authenticity 9 Relevant Standard: X.509 (Organisation: ITU-T) Encoding: Abstract Syntax Notation Nr.1: ASN.1 Distinguished Encoding Rules: DER Standard Content (in X.509): Name / Pseudonym of the holder Public Key (and algorithm) of the holder Unique ID of the certificate Validity period of the certificate Identity of the certificate issuer Key usage limitation for the public keys The certificate is digitally signed from its issuer 10 Certificate properties X.509 Certificate The binding of a key and a key holder is directly protected Its authenticity is independent of the repository It can be used online and offline It contains proof of the binding It is compatible to the key server

3 X.509-Certificates Fields Certificate (ASN1) Version 1 (1988) Version 2 (1993) Version 3 (1997) Version (0=v1, 1=v2, 2=v3) Serial Number (Unique within PKI) Certificate Signature Algorithm Issuer Validity Period Subject Subject Public Key Info Subject Unique ID (world wide unique) Issuer Unique ID (world wide unique) Extensions Certificate ::= SEQUENCE { tbscertificate TBSCertificate, signaturealgorithm AlgorithmIdentifier, signaturevalue BIT STRING } To Be Signed (TBS) Certificate This part holds all information; this will be signed. Algorithm The algorithm that is used for signing the TBS part. Signature Value The calculated signature Certificate (ASN1) Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) [... ] Signature Algorithm: ripemd160withrsa 6c:33:30:1f:8c:c9:07:fd:2a:82:66:c1:5a:fb:c2:18:9b:26: f6:59:8b:cc:b7:4e:70:1f:07:0a:6d:44:be:50:8b:a9:a0:97: ed:3c:28:52:e0:4d:be:8c:54:f4:e1:ed:d7:00:1b:0a:13:4f: fa:e7:83:98:8f:f4:bb:62:91:36:fe:bf:b7:87:0e:07:c7:78: 9d:ab:f0:b1:6e:67:9a:49:d2:cd:d6:7a:51:94:d4:7e:60:ab: 9f:a5:c8:75:4b:65:da:19:22:16:54:29:0a:f0:88:04:58:ff: f8:f8:d0:44:c7:68:bd:13:78:d8:44:3d:5d:58:5b:e4:1d:8c: 1a:ff TBSCertificate TBSCertificate ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, serialnumber CertificateSerialNumber, signature AlgorithmIdentifier, issuer Name, validity Validity, subject Name, subjectpublickeyinfo SubjectPublicKeyInfo, issueruniqueid [1] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3 subjectuniqueid [2] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3 extensions [3] EXPLICIT Extensions OPTIONAL -- If present, version MUST be v3 } Version Holds the version of X.509 that the certificate is. Version ::= INTEGER { v1(0), v2(1), v3(2) }../Certificates/text/BNetz_Root_Version.cxt (text) Serial Number The serial number of the certificate CertificateSerialNumber ::= INTEGER Positive integer Must be unique for the same issuer Two certificates from the same issuer are not allowed to have the same serial number../certificates/text/bnetz_root_serial.cxt (text)

4 Signature Specifies the algorithm that was used to sign the certificate e.g. SHA1withRSA AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } algorithm: the algorithm OID ( ) Parameters: any needed parameters (like the elliptic curve to be used in ECDSA) MUST be the same as the signaturealgorithm of the certificate Issuer Holds the name of the issuer (CA) Looks like: CN = RBG CA,OU = FB Informatik,O = TU Darmstadt,C = DE../Certificates/text/BNetz_Root_Issuer.cxt (text)../certificates/text/bnetz_root_signature.cxt (text) Validity Shows the period of time that a certificate can be used Validity ::= SEQUENCE { notbefore Time, notafter Time }../Certificates/text/BNetz_Root_Validity.cxt (text) Subject Holds the name of the certificate holder Looks like: CN = Vangelis Karatsiolis,OU = FB20, O = TUD,C = DE It is an X.500 DN (distinguished name) Associated to the public key contained in the certificate The same DN is not allowed to be given to two different entities../certificates/text/bnetz_root_subject.cxt (text) Public Key Holds the public key of the entity SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectpublickey BIT STRING }../Certificates/text/BNetz_Root_PublicKey.cxt (text) Unique Identifiers Only by version 2 or 3 Identifies an issuer or subject, in case a DN is reused Rarely used in praxis, not recommended UniqueIdentifier ::= BIT STRING

5 Why Extensions? Extensions: Properties Version 3 (1997) Extensions Drawbacks of X.509v1 und X.509v2: Predetermined naming structure according to X.500 (e.g. usage of addresses is not possible). No statements about the intended usage of the certified key. No statements about the underlying policy (e.g. how was the identity of the certificate owner verified?). Assignment of extra attributes to the owner public or private key issuer Support for better certificate management Specified partially in X.509 Arbitrary extensions Bad interoperability We need flexible extension fields Hold other information Extensions Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension Extension ::= SEQUENCE { extnid OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnvalue OCTET STRING } There are critical and non-critical Authority Key Identifier (AKIE) Identifies the public key that corresponds to the private key that has signed the certificate. MUST be included in all certificates (non-critical) (unless it is a self-signed certificate) AuthorityKeyIdentifier ::= SEQUENCE { keyidentifier [0] KeyIdentifier OPTIONAL, authoritycertissuer [1] GeneralNames OPTIONAL, authoritycertserialnumber [2] CertificateSerialNumber OPTIONAL } KeyIdentifier ::= OCTET STRING../Certificates/text/BNetz_Root_AKIE.cxt (text) Subject Key Identifier (SKIE) Identifies certificates that contain a particular public key. MUST be included in all CA certificates (non-critical) 160 bit hash of the Public Key (exclude tag, length, number of unused bits) Or lsbits of the hash of the public key SubjectKeyIdentifier ::= KeyIdentifier KeyIdentifier ::= OCTET STRING../Certificates/text/BNetz_Root_SKIE.cxt (text) 29 Key Usage Defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. KeyUsage ::= BIT STRING { digitalsignature (0), nonrepudiation (1), keyencipherment (2), dataencipherment (3), keyagreement (4), keycertsign (5), crlsign (6), encipheronly (7), decipheronly (8) }../Certificates/text/BNetz_Root_KeyUsage.cxt (text) 30 5

6 Private Key Usage Indicates the signing lifetime of a private key. SHOULD NOT be used, conformant CAs MUST NOT issue such certificates. PrivateKeyUsagePeriod ::= SEQUENCE { notbefore [0] GeneralizedTime OPTIONAL, notafter [1] GeneralizedTime OPTIONAL }../Certificates/text/CSCA_PKU.cxt (text)../certificates/country_signing_ca.cer (bin) 31 Subject Alternative Name The subject alternative names extension allows additional identities to be bound to the subject of the certificate. for example: Internet electronic mail address a DNS name an IP address uniform resource identifier (URI) All possible combinations This information MUST be verified since it is bound to a public key. 32 Subject Alternative Name (2) SubjectAltName ::= GeneralNames GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName GeneralName ::= CHOICE { othername [0] OtherName, rfc822name [1] IA5String, dnsname [2] IA5String, x400address [3] ORAddress, directoryname [4] Name, edipartyname [5] EDIPartyName, uniformresourceidentifier [6] IA5String, ipaddress [7] OCTET STRING, registeredid [8] OBJECT IDENTIFIER } Issuer Alternative Name Associates Internet style identities with the certificate issuer. SHOULD NOT be marked critical IssuerAltName ::= GeneralNames../Certificates/text/CSCA_SAN.cxt (text)../certificates/country_signing_ca.cer (bin) Subject Directory Attributes Extended Key Usage It is used to convey identification attributes (e.g., nationality) of the subject. The extension is defined as a sequence of one or more attributes. MUST be non-critical SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute Indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension For example: Code signing OCSP signing Timestamping ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId KeyPurposeId ::= OBJECT IDENTIFIER../Certificates/text/BNetz_TSS_EKU.cxt (text)../certificates/bnezta_tsssigner.cer (bin)

7 List of other extensions Subject Directory Attributes Certificate Policies Policy Mappings Policy Constraints Basic Constraints Name Constraints CRLDistributionPoints Inhibit Any-Policy Freshest CRL Authority Information Access Subject Information Access PGP Certificates PGP keys s of PGP keys (v4) One UserID with one signature One UserID with one signature and a second UserID without signature 41 Legend Public Key Packet UserID Packet Signature Packet 42 7

8 One UserID with four signatures One UserID with one signature and a second UserID with one signature and a second key (subkey) with one signature Public Key Signature Packet Subpacket content WAP certificates signature creation time signature expiration time exportable certification trust signature regular expression revocable key expiration time placeholder for backward compatibility preferred symmetric algorithms revocation key issuer key ID notation data preferred hash algorithms preferred compression algorithms key server preferences preferred key server primary user id policy URL key flags signer's user id reason for revocation Are like X.509 certificates but smaller For example: Serial Number: recommendation for not longer than 8 bytes Algorithms: SHA1withRSA, SHA1withECDSA Extensions: not all are included

9 Attribute certificate An attribute certificate (AC) is a structure similar to a PKC the main difference being that the AC contains no public key. An AC may contain attributes that specify group membership, role, security clearance, or other authorization information associated with the AC holder. From RFC3281 Attribute certificate Authorization information may be placed in a PKC extension or placed in a separate attribute certificate (AC). The placement of authorization information in PKCs is usually undesirable for two reasons. First, authorization information often does not have the same lifetime as the binding of the identity and the public key. When authorization information is placed in a PKC extension, the general result is the shortening of the PKC useful lifetime. Second, the PKC issuer is not usually authoritative for the authorization information. This results in additional steps for the PKC issuer to obtain authorization information from the authoritative source. From RFC Attribute Certificate AttributeCertificate ::= SEQUENCE { acinfo AttributeCertificateInfo, signaturealgorithm AlgorithmIdentifier, signaturevalue BIT STRING } Attribute Certificate Information (acinfo) This part holds all information; this will be signed. Signature Algorithm The algorithm that is used for signing the acinfo part. Signature Value The calculated signature. 51 9