About & Beyond PKI. Blockchain and PKI. André Clerc Dipl. Inf.-Ing. FH, CISSP, CAS PM TEMET AG, Zürich. February 9, 2017

Similar documents
BEYOND TRADITIONAL PASSWORD AUTHENTICATION: PKI & BLOCKCHAIN

Keep your fingers off my keys today & tomorrow

Apple Inc. Certification Authority Certification Practice Statement

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

Apple Inc. Certification Authority Certification Practice Statement

Digital Certificates Demystified

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

QUANTUM SAFE PKI TRANSITIONS

PKI Credentialing Handbook

IBM i Version 7.2. Security Digital Certificate Manager IBM

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

An Overview of Secure and Authenticated Remote Access to Central Sites

Apple Inc. Certification Authority Certification Practice Statement. Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA

Digital signatures: How it s done in PDF

Root and Issuing CA Technical Operations Overview

POST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK DR. DANIEL SLAMANIG

10 minutes, 10 slides, goals, tech details and why it matters. Decentralized ID & Verifiable Claims

PQ-Crypto Standardization Preparing today for the future of cryptography

IBM. Security Digital Certificate Manager. IBM i 7.1

UNIT - IV Cryptographic Hash Function 31.1

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

Security Digital Certificate Manager

CERTIFICATE POLICY CIGNA PKI Certificates

Key Security Issues for implementation of Digital Currency, including ITU-T SG17 activities

Certification Authority

Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution

Efficient Quantum-Immune Keyless Signatures with Identity

Axway Validation Authority Suite

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

Introduction to Bitcoin I

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

SSL Certificates Certificate Policy (CP)

Dyadic Security Enterprise Key Management

EDTA, itext and INBATEK Conference. Bangkok, July 27, 2017

CSE 565 Computer Security Fall 2018

Secure digital certificates with a blockchain protocol

CT30A8800 Secured communications

Security and Certificates

Exceptional Access Protocols. Alex Tong

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Public Key Infrastructures

Distributed Ledger Technology & Fintech Applications. Hart Montgomery, NFIC 2017

Third public workshop of the Amsterdam Group and CODECS C-ITS Deployment in Europe: Common Security and Certificate Policy

Public. Atos Trustcenter. Server Certificates + Codesigning Certificates. Version 1.2

Key concepts of blockchain

Hash-based Signatures

Chapter 9: Key Management

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

Server-based Certificate Validation Protocol

QuoVadis Trustlink Schweiz AG Teufenerstrasse 11, 9000 St. Gallen

Avira Certification Authority Policy

BaFin-Tech 2018 BlockChain & Security (from #developerview)

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.10 Effective Date: June 10, 2013

Public Key Infrastructure. What can it do for you?

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

CertDigital Certification Services Policy

Interagency Advisory Board Meeting Agenda, July 28, 2010

Understanding HTTPS CRL and OCSP

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

The SafeNet Security System Version 3 Overview

KNOWLEDGE SOLUTIONS. MIC2823 Implementing and Administering Security in a Microsoft Windows Server 2003 Network 5 Day Course

Cryptography and Network Security Chapter 14

Designing and Managing a Windows Public Key Infrastructure

Public Key Infrastructure

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

Apple Inc. Apple IOS 11 VPN Client on iphone and ipad Guidance Documentation

Overview. SSL Cryptography Overview CHAPTER 1

Introducing Hardware Security Modules to Embedded Systems

Bugzilla ID: Bugzilla Summary:

Indeed Card Management Smart card lifecycle management system

Breaking the Blockchain: Real-World Use Cases, Opportunities and Challenges

GLOBAL PKI TRENDS STUDY

Key Management and Distribution

Lecture Notes 14 : Public-Key Infrastructure

Blockchain without Bitcoin. Muralidhar Gopinath October 19, 2017 University at Albany

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Configuring Certificate Authorities and Digital Certificates

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Send documentation comments to

HTTPS is Fast and Hassle-free with Cloudflare

Getting to Grips with Public Key Infrastructure (PKI)

DEV. Deviant Coin, Innovative Anonymity. A PoS/Masternode cr yptocurrency developed with POS proof of stake.

A roadmap to migrating the internet to quantum-safe cryptography

Blockstack, a New Internet for Decentralized Apps. Muneeb Ali

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Symantec Managed PKI Overview. v8.15

Elliptic Curve Cryptography (ECC) based. Public Key Infrastructure (PKI) Kunal Abhishek Society for Electronic Transactions & Security (SETS), Chennai

Design Patterns which Facilitate Message Digest Collision Attacks on Blockchains

SSH Communications Tectia SSH

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

Privacy based Public Key Infrastructure (PKI) using Smart Contract in Blockchain Technology

Outline Key Management CS 239 Computer Security February 9, 2004

Owner of the content within this article is Written by Marc Grote

National Identity Exchange Federation. Trustmark Signing Certificate Policy. Version 1.0. Published October 3, 2014 Revised March 30, 2016

Mavenir Systems Inc. SSX-3000 Security Gateway

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets

Transcription:

About & Beyond PKI Blockchain and PKI André Clerc Dipl. Inf.-Ing. FH, CISSP, CAS PM TEMET AG, Zürich February 9, 2017 1

Agenda Does blockchain secure PKIs in the longterm? Disadvantages of classic PKIs Facts about blockchain Implementation approaches Advantages and disadvantages of blockchain What can we do if post quantum cryptography (PQC) is not available yet? What shall we do if PQC can be used? 09.02.2017 About & Beyond PKI - Blockchain and PKI 2

Introduction It is assumed that all current PKIs are based on cryptographic procedures which will be broken in the future by quantum computers It s even worse: There are physicists who believe that the breaking of the asymmetric key is more efficient than its creation! The question arise: Will new technologies (e.g. blockchain) help us to solve the above mentioned fact or do we have to look for new solutions? 09.02.2017 About & Beyond PKI - Blockchain and PKI 3

Disadvantages of classic PKIs The identity verification process may be insufficient An offered guarantees of identity retention may not be strong enough A certificate authority (CA) may issue unauthorized certificates The misbehavior of a CA may not be detected Expect log-based PKIs 09.02.2017 About & Beyond PKI - Blockchain and PKI 4

Disadvantages of classic PKIs Responding to CA misbehavior takes time and requires manual effort A CRL check can be based on a outdated list (inadequate update cycle) A CRL or OCSP check can been disabled Revoked certificates will not be detected The CRL distribution point (CDP) may become a single point of failure 09.02.2017 About & Beyond PKI - Blockchain and PKI 5

Disadvantages of classic PKIs All currently used algorithms for PKIs are not safe against quantum computers RSA, DSA, ElGamal, ECC, DH Key Exchange SHA-1, RIPEMD-160, SHA256 Symmetric keys < 128-bit The algorithms Shor and Grover were developed more than 20 years ago! Why don t we use blockchain? 09.02.2017 About & Beyond PKI - Blockchain and PKI 6

Blockchain facts Blockchain is not Bitcoin; it enables it It is a distributed database that maintains an increasing list (ledger) of records (blocks) Each block in the ledger (blockchain) is linked to a previous block hash-tree or hash-calendar In general the ledger is open and not centralized Distributed Open Ledger - DOL 09.02.2017 About & Beyond PKI - Blockchain and PKI 7

Blockchain facts Can built with hash-tree, merkle-hash-tree or hash-calendar Based on proof-of-work (PoW), proof-ofstake (PoS) or proof-based KSI A 512-bit public key is built on a 256-bit private key by using ECDSA Hashes are built with SHA256 and RIPEM-160; SHA3-256 We can not say, that these algorithms are quantum computer proof 09.02.2017 About & Beyond PKI - Blockchain and PKI 8

Implementation approaches Instant Karma PKI (IKP) - Turning a PKI Around with Blockchains Carnegie Mellon University and ETH Zurich, 2016 Based on Ethereum Addresses the problem of log-based PKI, which do not offer sufficient incentives to logs and monitors, and do not offer any actions that domains can take in response to CA misbehavior Describe a blockchain-based enhancement that offers automatic responses to CA misbehavior and incentives for those who help detect misbehavior. 09.02.2017 About & Beyond PKI - Blockchain and PKI 9

Implementation approaches Decentralized Public Key Infrastructure (DPKI) Respect Network, PricewaterhouseCoopers, Open Identity Exchange, and Alacrity Software, Dec. 2015 Based on Namecoin Approach which returns control of online identities to the entities they belong to It enables bootstrapping of online identities and provides to create stronger SSL certificates 09.02.2017 About & Beyond PKI - Blockchain and PKI 10

Implementation approaches Backing Rich Credentials with a Blockchain PKI Karen Lewison and Francisco Corella, Oct. 2016 Based on Ethereum Remote identity proofing Revocation checking is performed on the verifier s local copy of the blockchain without requiring CRLs or OCSP A service that issues certificate revocation lists (CRLs) or responds to online certificate status protocol (OCSP) is not used 09.02.2017 About & Beyond PKI - Blockchain and PKI 11

Implementation approaches KSI Keyless Signature Infrastructure Based on hash trees Guardtime A globally distributed system for providing timestamping and server-supported digital signature services. Global per-second hash trees are created and their root hash values published Are not vulnerable to key compromise and thus provide a solution to the problem of long-term validity of digital signatures KSI in intended to protect integrity of an asset while PKI is intended to protect its confidentiality Is not usable for encryption 09.02.2017 About & Beyond PKI - Blockchain and PKI 12

Pros and Cons of Blockchain Pros Inherently resistant against unwanted modifications High availability Operated by a decentralized authority Open for all participants so that they can verify all modifications Cloud contains data or even code (smart contracts - Ethereum) Cons Scalability and throughput capacity If someone gets more than 50% mining power he controls the ledger The linking process could be extremely wasteful (as it is in Bitcoin) Difficulty: 392,963,262,344 Average 3.1 EH/s or 3.1E+18 (Trillion), require 200MW and more According to the current state of research, all used algorithms are not quantum computer proof 09.02.2017 About & Beyond PKI - Blockchain and PKI 13

Are we helpless? Not at all! 09.02.2017 About & Beyond PKI - Blockchain and PKI 14

But there s still a lot of work to do 09.02.2017 About & Beyond PKI - Blockchain and PKI 15

Steps/Processes before PQC Verify if you know all critical applications that use certificates Verify if your inventory contains all applications and communication channels where asymmetric cryptography is used Verify if you have a process to update your cryptography policy Are there new standards which must be used? Verify if your current PKI strategy is up to date 09.02.2017 About & Beyond PKI - Blockchain and PKI 16

Steps/Processes before PQC Verify if your key or certificate management is in line with your business Clean up all unnecessary keys (certificates) Verify if the current key life cycle process is up to date Verify if your initial identity validation is performed according to your policies Verify if your process to create, replace and revoke asymmetric keys works according to the policies If you have an automatic enrollment process in place ensure that you have also an automatic withdrawal Verify if your certificate validation process is up to date 09.02.2017 About & Beyond PKI - Blockchain and PKI 17

Steps/Processes before PQC Can you answer these questions for your organization: Do I use adequate algorithms and key size? Do I have a cryptography policy and who defines it (Algorithms, key generation, length, storage, archiving and restoration, etc.)? Which instance (entity) uses which keys (certificates)? Who is responsible for which keys and who should update or renew them? When do public keys reach their expiration date? Do I know all communication channels? 09.02.2017 About & Beyond PKI - Blockchain and PKI 18

Steps/Processes before PQC Further questions for your organization: Who creates the key material and the correlating certificate signing request (CSR)? Which CA (internal / external) is responsible for issuing a certificate? Do I know the life cycle of the current PKI regarding hardware (Server and HSM) and software? Do I know how a CA renewal will influence the organization and what steps are involved? Do I know the current (industrial/rfc) standards regarding quantum proofed algorithms? 09.02.2017 About & Beyond PKI - Blockchain and PKI 19

Steps/Processes before PQC GOOD NEWS: There is still time We have the chance to further verify possible disadvantages and find answers to our most important questions QC PKI What if PQC is available? 09.02.2017 About & Beyond PKI - Blockchain and PKI 20

If PQC is available 09.02.2017 About & Beyond PKI - Blockchain and PKI 21

Steps/Processes with PQC Establish a process to verify the maturity of the PQC algorithm Is the algorithm in development, draft or standardized (ETSI, ISO/IEC, ISA/ICE, ISF/SoGP, NIST, etc.)? Is the algorithm commodity or does it only have a military purpose? What degree of integration does the algorithm have by leading companies like Apple, Microsoft, IBM, Intel, etc.? Is an early adoption necessary (because of long term data archiving) or not? Are the algorithm and its implementations resistant regarding other attacks (side channels, etc.)? Are there any legal or regulatory requirements such as FINMA, Swiss government, etc.? 09.02.2017 About & Beyond PKI - Blockchain and PKI 22

Steps/Processes with PQC Integrate a PQC algorithm Which communication channel is relevant Customer Business to Customer Web Server, Web Services Enterprise Web Server, Web Services Business to Business Partner, Suppliers,...... VBS EDA 09.02.2017 About & Beyond PKI - Blockchain and PKI 23

Steps/Processes with PQC Integrate a PQC algorithm Define which applications or topics are affected S/MIME, SSL/TLS, SSH, VPN, LONG TERM ARCHIVE, WIRELESS COMMUNICATION, STRONG AUTHENTICATION, DATA ENCRYPTION/SIGNATURES, SMARTCARDS, ACCESS TOKENS, EXTERNAL/INTERNAL PKI PQCA Define which keys or certificates have to be renewed within which time 09.02.2017 About & Beyond PKI - Blockchain and PKI 24

Steps/Processes with PQC Integrate a PQC algorithm Define a strategy to eliminate legacy applications Define where new keys or certificates have to be distributed (e.g. AD, AIA, CDP, etc.) Update your configuration management system (CM) Involve your change management 09.02.2017 About & Beyond PKI - Blockchain and PKI 25

Steps/Porcesses with PQC Conclusions You might have already done things like that 09.02.2017 About & Beyond PKI - Blockchain and PKI 26

THANK YOU FOR YOUR ATTENTION 09.02.2017 Blockchain and PKI andre.clerc@temet.ch 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback