Public Key Infrastructures

Transcription

1 Public Key Infrastructures The Web PKI Cryptography and Computer Algebra Prof. Johannes Buchmann Dr. Johannes Braun TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 1

2 Internet communication E-Commerce Social networks > 3 billion users > 83 Exabyte monthly traffic >1 billion hosts TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 2

3 How to be sure and not TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 3

4 TLS pk sk TLS How to be sure PoP TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 4

5 Web PKI Certificate Authority (CA) pk sk Which CAs are trusted? TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 5

6 Web PKI root stores Sub CA 1 Root CA 1 Regular audits to check operational practices and policy adherence Sub CA 1 Sub CA 2 Only Root CAs Sub CA 3 Sub CA 1 verify : ~160 Cas verify Microsoft: ~264 TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 6

7 Web PKI CA/Browser Forum Baseline Requirements a subset of the requirements that a CA must meet in order to issue digital certificates for SSL/TLS servers to be publicly trusted by browsers Extended Validation Certificate Guidelines Stricter set of guidelines providing stronger guarantees for the identity of the certificate holder TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 7

8 Web PKI ~1,590 CAs, fully trusted 683 organizations 57 different jurisdictions Different organizational practices & security policies What if one of these CAs is not trustworthy? Source: TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 8

9 What if TLS The user is convinced to securely communicate with amazon! Mal. CA CRL In theory: Revocation CertID 1 CertID 2 TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 9

10 What if DigiNotar compromise, fraudulent certificates 1 month until detection +1 month until public disclosure +2 months until revocation of Digiotar s CA certificate >300,000 Iranian Internet users attacked TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 10

11 Problems Weakest link Huge number Governmental access No globally standardized mechanism to ensure a CA s trustworthiness any CA ultimately fallible Revocation CA Detection Distribution of revocation information CRL Too-big-to-fail problem CertID 1 CertID 2 TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 11

12 Requirements & known approaches Scalability Deployability ( ) ( ) ( ) ( ) Standards & backward compatibility Usability ( ) ( ) ( ) ( ) ( ) ( ) TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 12

13 Current Research Maintaining Security and Trust in Large Scale Public Key Infrastructures TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 13

14 Key concepts User-centric CA trust management Application of forward secure signatures Weakest link Revocation: Distribution Revocation: Detection Revocation: too-big-to-fail Non-repudiation & long term verifiability TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 14

15 CA-TMS: User-centric CA trust management Model Simulation & Evaluation Implementation TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 15

16 Model Trust view o kl, o ca ee it, o it o kl, o ca ee it, o it o kl, o ca ee it, o it o kl, o ca ee it, o it o kl, o ca ee it, o it TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 16

17 Model Experience collection Root CA 1 + Bootstrapping o kl, o ca ee it, o it Sub CA 1 Sub CA 2 o kl, o ca ee it, o it + Stereotyping + Inheritance + Reputation System + End entity 1 Sub CA 2 End entity 3 End entity 4 End entity 3 Eval(, ): Local information sufficient insufficient Direct decision External reconfirmation (Validation services) TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 17

18 Model Trust validation 1 ) CertainTrust 1 opinions o kl, o ca ee it, o it o kl, o ca ee it, o it Root CA 1 Key legitimacy, Issuer trust o kl, o ca ee it, o it ee o kl,pk = o kl,pkca o it,ca Sub CA 1 ca o kl,1 o ca it,1 o kl,n = o it,1 o ca ee it,2 o it,n 1 complete End entity 1 Trusted if E(o kl ) l 3 security levels, pre-defined: l min, l med, l max o kl = o ca ee it o it TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 18

19 Relative attack surface Evaluation Attack surface AS rel View = AS(View) AS 0,06 0,05 0,04 0,03 0,02 0,01 0 l_max l max l_med l med l_min l min Number of observed hosts TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 19

20 Security by attack surface reduction TLS TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 20

21 Reconfirmation rate Evaluation Performance 1 0,8 0,6 0,4 0,2 0 l_max l max l_med l med l_min l min Number of observed hosts 1 reconfirmation every days Reconfirmation Average rates of for reconfirmation <1% of TLS connections for blocks of 100 hosts l max l med l min TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 21

22 Cross-cutting Implementation CA-TMS CA-TMS Browser Plugin CA-TMS Client Presentation layer Services layer Lines of Code: ~480 SLOC-P: ~200 Data access layer Business layer Support services access layer Lines of Code: ~ 14,190 SLOC-P: ~8,720 Available at: Certificate Notaries TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 22

23 CA revocation tolerant PKI Model X.509 Integration TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 23

24 CA revocation - consequences Root CA 1 Sub CA 1 Sub CA 2 End entity 1 End entity 2 End entity 3 End entity 4 Root CA certificate Sub CA certificate End entity certificate time validation TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 24

25 Solution approach: chain model Check whether subordinate certfificates existed before revocation (at time of signature generation) Root CA certificate Sub CA certificate Zeit End entity certificate validation TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 25

26 Chain model - problems Signature key compromise Signatures and time information in certificates are unreliable Usage of time stamping? Yes, but Doubling of overhead: Issuance and verification Does not fit to business model, infrastructure and processes TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 26

27 Forward secure digital signatures pk classical sk pk forward sec sk sk 1 sk 2 sk i sk T Key gen. time TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 27

28 Fine grained revocation & path validation Root CA certificate Sub CA certificate time End entity certificate validation TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 28

29 X.509 Integration CRL extension CRL CRL entry CRL entry 1 CRL entry 2 Cert ID Date Extensions Revocation Index Extension Id-ce-revocationIndex OBJECT IDENTIFIER : := { id-ce-xxx } RevocationIndex : := INTEGER ( 0..MAX ) Applicable for OCSP TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 29

30 XMSS performance TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 30

31 Standardization of XMSS Active IETF Internet Draft: Huelsing, Butin, Gazdag, Mohaisen: XMSS: Extended Hash-Based Signatures draft-irtf-cfrg-xmss-hash-based-signatures-09 [ RFC status in near future Reference implementations: OpenSSL integration ongoing TU Darmstadt Cryptography and Computer Algebra Lecture: Public Key Infrastructures 31