Security Protocols and Infrastructures. Winter Term 2015/2016

Transcription

1 Security Protocols and Infrastructures Winter Term 2015/2016 Nicolas Buchmann (Harald Baier) Chapter 5: Standards for Security Infrastructures

2 Contents Introduction and naming scheme X.509 and its core fields X.509 extensions Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 2

3 Contents Introduction and naming scheme X.509 and its core fields X.509 extensions Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 3

4 ITU-T X.50x family and RFC 5280 ITU-T X.501 resp. ISO/IEC : ITU-T Recommendation X.501: Information Technology - Open Systems Interconnection - The Directory: Models, 1993 Defines directory services ITU-T X.509 resp. ISO/IEC : Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, 1997 Defines certificates and certificate revocation lists (CRL) PKIX: RFC 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, 2008 Describes internet profile for X.509-certificates and -CRLs Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 4

5 Format of names: X.501 Format makes use of a hierarchical directory tree Objects are characterised by attributes: Type = Value Container-Objects: Have subordinate objects Leaf-Objects: Do not have subordinate objects Default format of names within X.509-certificates Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 5

6 X.501 object classes Container object classes: Country C State or province SP Locality L Organization O Organizational unit OU Leaf object class: Common name CN Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 6

7 X.501-name: Example Country C = DE Organization O = h_da O = TUD Organizational Unit OU = FBI OU = Administration Common Name CN = Harald Baier CN = Peter Pan Distinguished Name: Whole path through the tree Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 7

8 ASN.1-Struktur of X.501-names ASN.1 type: Name Name ::= CHOICE { RDNSequence } RDNSequence ::= SEQUENCE OF RelativeDistinguishedName RelativeDistinguishedName ::= SET OF AttributeTypeAndValue AttributeTypeAndValue ::= SEQUENCE { type AttributeType, value AttributeValue } AttributeType ::= OBJECT IDENTIFIER AttributeValue ::= ANY DEFINED BY AttributeType Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 8

9 Contents Introduction and naming scheme X.509 and its core fields X.509 extensions Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 9

10 Aim and contents of a X.509-certificate Key objective: Bind a public key to its holder (person, service, URL) Contents of a X.509-certificate: Name / Pseudonym of the certificate holder Public Key (and corresponding algorithm) of its owner Unique ID of the certificate Validity period of the certificate Issuer's identity Signature algorithm (i.e. algorithm used to sign the certificate) Issuer signs relevant data (= to be signed) digitally Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

11 Scheme of a X.509-certificate Version 1 (1988) Version (0=v1, 1=v2, 2=v3) Serial Number (Unique for issuer) Certificate Signature Algorithm Issuer Validity Period Subject Subject Public Key Info Version 2 (1993) Subject Unique ID (unique in the world) Issuer Unique ID (unique in the world) Version 3 (1997) Extensions Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

12 Why extensions? Drawbacks of X.509v1 and X.509v2: Default name representation according to X.501: Mailing addresses not relevant (v2 from 1993!) Details on phone, fax, or URL difficult No statement on key usage: Encryption and/or signature verification key? May certificates be verified using the certified public key? Does the certificate belong to a certification authority? No information about the underlying policy: In which way proved the certificate holder his identity? Where may the verifier download the policy? Solution: Flexible extension fields are needed!! Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

13 Extensions in X.509v3 Extensions enable additional attributes for: End entity (i.e. a participant) Certification Authority (CA) Public or private key The most common extensions are standardised in X.509v3 and in the PKIX standard (RFC 5280) Extendable => May cause interoperability problems Each extension gets an attribute from his issuer: critical non-critical Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

14 How does the client handle the critical flag? critical= Verifying client true false knows extension understands extension understands extension does not know extension must reject certificate can reject or accept certificate Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

15 ASN.1 structure of a X.509-certificate Certificate ::= SEQUENCE { tbscertificate TBSCertificate, signaturealgorithm AlgorithmIdentifier, signaturevalue BIT STRING } TBSCertificate ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, serialnumber CertificateSerialNumber, signature AlgorithmIdentifier, issuer Name, validity Validity, subject Name, subjectpublickeyinfo SubjectPublicKeyInfo, issueruniqueid [1] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version shall be v2 or v3 subjectuniqueid [2] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version shall be v2 or v3 extensions [3] EXPLICIT Extensions OPTIONAL -- If present, version shall be v3 } Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

16 Details of the certificate fields of X.509v1 (1/4) version : Aim: Statement on the underlying X.509 version ASN.1 type: Version ASN.1 definition: Version ::= INTEGER {v1(0),v2(1),v3(2)} serialnumber : Aim: Unique identifier of the certificate for the signing issuer ASN.1 type: CertificateSerialNumber ASN.1 definition: CertificateSerialNumber ::= INTEGER Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

17 Details of the certificate fields of X.509v1 (2/4) signature : Aim: Information on the algorithm used to sign the certificate ASN.1 type: AlgorithmIdentifier ASN.1 definition: AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL} issuer : Aim: Holds the name of the signing CA ASN.1 type: Name ASN.1 definition: See description of X.501 before Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

18 Details of the certificate fields of X.509v1 (3/4) validity : Aim: Indication of the validity period of the certificate ASN.1 type: Validity ASN.1 definition: Validity ::= SEQUENCE { notbefore Time, notafter Time } Time ::= CHOICE { utctime UTCTime, generaltime GeneralizedTime} Key question: Validity period of public or private key??? Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

19 Details of the certificate fields of X.509v1 (4/4) subject : Aim: Statement on the certificate holder (CH) CH possesses the corresponding private key: Natural person, legal body, server, CA,... ASN.1 type: Name (see X.501 before) subjectpublickeyinfo : Aim: Hold the certified public key of the CH ASN.1 type: SubjectPublicKeyInfo ASN.1 def.: SubjectPublicKeyInfo ::= SEQUENCE{ algorithm AlgorithmIdentifier, subjectpublickey BIT STRING } Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

20 Object Identifier Simple data type in ASN.1 Hierarchical numbers seperated by a point or space Aim: Reference of global valid objects E.g. to indicate the public key algorithm within a certificate Owner of the n-th place is responsible for the (n+1)-th place E.g. the owner of the OID assigns OID Top level numbers are assigned by ISO and ITU Further assignment by IANA, DoD, ANSI, BSI Web site of Harald Alvestrand yields a search engine: Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

21 Object Identifier: Examples Top-Level-OIDs: 0: ITU-T assigned 1: ISO assigned 2: Joint ISO/ITU-T assignment Example: id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) } id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 } Technical University of Darmstadt (Germany), Computer Science Department Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

22 Well known OIDs of public key algorithms Public key Algorithm Algorithm Parameter algorithm identifier OID RSA rsaencryption none DSA id-dsa Optional Diffie-Hellman dhpublicnumber Obligatory ECC id-ecpublickey Optional Remark: Algorithm of public key: RSA, DSA, ECC Algorithm of signature: Public key algorithm + hash function (e.g. RSA and SHA-1) Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

23 Details of the certificate fields of X.509v2 issueruniqueid : Aim: Definition of a global and permanent issuer's ID Typically not used ASN.1 type: UniqueIdentifier ASN.1 definition: UniqueIdentifier ::= BIT STRING subjectuniqueid : Aim: Definition of a global and permanent end entity's ID Typically not used ASN.1 type: UniqueIdentifier ASN.1 definition: UniqueIdentifier ::= BIT STRING Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

24 Contents Introduction and naming scheme X.509 and its core fields X.509 extensions Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

25 X.509v3: Extensions extensions : Aim: More information about issuer, subject, key usage, policy, distribution points of revocation information,... Since version 3 of X.509 ASN.1 type: Extensions ASN.1 definition: Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension Extension ::= SEQUENCE { extnid OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnvalue OCTET STRING } Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

26 Extension Classes (1/2) Subject Type: Is the certificate holder a CA or not? Names: Further information on names of issuer or subject Default naming of X.509 is the X.501 format, which is not applicable for internet applications Alternative name information like address or fax Keys: Further information on the certified key pair Key usage of the public / private key Validity period of the private key (no more standardised in RFC 5280) Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

27 Extension Classes (2/2) Policy: Further information on the underlying policy Identity check? Certificate classes: Class 0,..., class 3 Miscellaneous: Further general informationen Revocation information points Validity model Qualified certificate Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

28 Subject Extension: Basic Constraints Indicates, if the certificate belongs to a CA or not ASN.1 structure: BasicConstraints ::= SEQUENCE { ca BOOLEAN DEFAULT FALSE, pathlenconstraint INTEGER (0..MAX) OPTIONAL } ca = TRUE for CA certificates pathlenconstraint: Max. number of intermediate certificates following this CA certificate pathlenconstraint = 0: CA must not issue CA certificates id-ce-basicconstraints OBJECT IDENTIFIER ::= {id-ce 19} MUST critical in CA certificates Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

29 Name Extension: Subject Alternative Name Additional name for certificate holder rfc822name DNS-Name: dnsname (RFC 1035) URI: uniformresourceidentifier (RFC 1630) IP address: ipaddress (RFC 791) Subject field may be empty, if this extension is used id-ce-subjectaltname OBJECT IDENTIFIER ::= {id-ce 17} MUST critical, if subject field is not used Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

30 Name Extension: Issuer Alternative Name Additional name for the issuing CA. Similar to Subject Alternative Name id-ce-issueraltname OBJECT IDENTIFIER ::= {id-ce 18} Extension is not processed within certificate path validition according to PKIX SHOULD NOT critical Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

31 Name Extension: Name Constraints Only in CA certificates Not very common Defines name space for subordinate certificates in the chain Permitted subtrees Excluded subtrees id-ce-nameconstraints OBJECT IDENTIFIER ::= {id-ce 30} MUST critical Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

32 Key Extension: Key Usage Bit setting: KeyUsage ::= BIT STRING { digitalsignature (0), nonrepudiation (1), keyencipherment (2), dataencipherment (3), keyagreement (4), keycertsign (5), crlsign (6), encipheronly (7), decipheronly (8) } id-ce-keyusage OBJECT IDENTIFIER ::= {id-ce 15} SHOULD critical Must be included in a certificate, if certified public key shall be used for validating certificates or CRLs Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

33 Key Extension: Extended Key Usage (1/2) Further key usages besides extension Key Usage Typically in end-user certificates May be critical or non-critical id-ce-extkeyusage OBJECT IDENTIFIER ::= {id-ce 37} ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId KeyPurposeId ::= OBJECT IDENTIFIER Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

34 Key Extension: Extended Key Usage (2/2) Standardised OIDs for extended key usages according to PKIX: TLS Web server authentication: id-pkix 3 1 TLS Web client authentication: id-pkix 3 2 Signed executable code: id-pkix 3 3 protection: id-pkix 3 4 Time stamping services: id-pkix 3 8 OCSP responder: id-pkix 3 9 Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

35 Key Extension: Private Key Usage Period Defines validity period of corresponding private key Should only be used for signature keys May be different from the validity period of the corresponding public key PKIX recommends not to use this extension (it is therefore no more used in RFC 5280) Typical example: Public key shall be valid when private key has become invalid PKI of electronic ID cards uses this extension Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

36 Key Extension: Authority Key Identifier Identifier of the CA public key used to verify a certificate Aim: Enable the establishment of a certificate chain Use case: A CA possesses multiple keys Generation methods for the identifier: SHA-1 value of encoding of the value field of public key Issuer name and serial number of issuer certificate MUST NOT critical id-ce-authoritykeyidentifier OBJECT IDENTIFIER ::= {id-ce 35} Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

37 Key Extension: Subject Key Identifier Identifier of the certified public key Shall be used in CA certificates Aim: Enable the establishment of a certificate chain MUST NOT critical id-ce-subjectkeyidentifier OBJECT IDENTIFIER ::= {id-ce 14} SubjectKeyIdentifier ::= KeyIdentifier KeyIdentifier ::= OCTET STRING Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

38 Policy Extension: Certificate Policies Information on the underlying policy: Conditions under which certificate is issued (e.g. for registration of certificate holders) Purposes for which certificate may be used Relative quality of the certificate: very good, good, mediocre URL where to download the policy or Certification Practice Statement (CPS) Referencing through object identifier (OID) critical oder non-critical id-ce-certificatepolicies OBJECT IDENTIFIER ::= {id-ce 32} Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

39 Policy Extension: Policy Mappings Only allowed within CA certificates Two policies are considered to be equivalent: Client typically only has knowledge of a few OIDs Often used for cross certification Mapping via OID pairs: Issuer Policy: Policy of the issuing CA Subject Policy: Equivalent policy MUST non-critical id-ce-policymappings OBJECT IDENTIFIER ::= { id-ce 33 } Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

40 Further Extensions: CRL Distribution Points Indicates where to get a Certificate Revocation List (CRL) SHOULD non-critical id-ce-crldistributionpoints OBJECT IDENTIFIER ::={id-ce 31} ASN.1 structure: CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint DistributionPoint ::= SEQUENCE { distributionpoint [0] DistributionPointName OPTIONAL, reasons [1] ReasonFlags OPTIONAL, crlissuer [2] GeneralNames OPTIONAL } Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

41 Further Extensions: Freshest CRL Indicates where to get the newest Delta-CRL Delta-CRL are 'partial CRL' Space efficiency MUST non-critical Same syntax as CRL Distribution Point Extension id-ce-freshestcrl OBJECT IDENTIFIER ::= { id-ce 46 } ASN.1 structure: FreshestCRL ::= CRLDistributionPoints Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

42 Further Extensions: Authority Information Access In PKIX defined as a private extension: Only specified within PKIX id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } id-pe-authorityinfoaccess OBJECT IDENTIFIER ::={id-pe 1} Indicates where to get information about: Online-validation services (e.g. OCSP-responder) Further information about the issuer MUST non-critical Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

43 Overview of standardised extensions Subject Key Identifier Key Usage Private Key Usage Period Subject Alternative Name Issuer Alternative Name Basic Constraints Name Constraints CRL Distribution Points Certificate Policies Policy Mappings Authority Key Identifier Policy Constraints Extended Key Usage Freshest CRL Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

44 Further Extensions: Netscape Extensions (1/2) Extensions of Netscape: Superseded Defined at Not all Microsoft clients can evaluate them => SHOULD non-critical Types: netscape-cert-type (similar to [extended] key usage) netscape-base-url (prefix for all URIs in the certificate) netscape-revocation-url (URI for CRL) netscape-ca-revocation-url (URI for CA-CRL) netscape-ca-policy-url (URI for policy) Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

45 Further Extensions: Netscape Extensions (2/2) netscape-cert-type: Bit string to give information about key usage and certificate holder bit-0 SSL client bit-1 SSL server bit-2 S/MIME bit-3 Object Signing (z.b. Java applets and plugins) bit-4 Reserved (for future use) bit-5 SSL CA bit-6 S/MIME CA bit-7 Object Signing CA Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/