Public Key Infrastructures Trust Models Cryptography and Computer Algebra Prof. Johannes Buchmann Dr. Johannes Braun
We trust certificates because we trust the system(s). Direct trust Web of trust Hierarchical trust 2
Example: Secured website 3
View the website's certificate 4
In the browser The browser is shipped with trusted authorities 5
Direct trust 6
Direct trust User receives public key directly from owner OR User verifies public key directly with owner 7
Most common: Fingerprint comparison Fingerprint = hash value of the certificate (incl. signature) in DER format 8
Face to face verification 9
Phone verification https://www.telesec.de/de/public-key-infrastruktur/support/root-zertifikate file://../certificates/hrz/dt-root-ca-2.der (bin) 10
Phone verification https://www.telesec.de/de/kontakt-de 11
Web page verification http://www.cacert.org/index.php?id=3 12
Printed media verification BNetzA publishes the public key 13
and more e.g. public keys on software CD/DVD root@x230:~# apt-key --keyring /etc/apt/trusted.gpg.d list /etc/apt/trusted.gpg.d//debian-archive-jessie-automatic.gpg ----------------------------------------------------------- pub 4096R/2B90D010 2014-11-21 [expires: 2022-11-19] uid Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org> 14
Example: Certificate installation Step 1: Get certificate https://www.telesec.de/de/public-key-infrastruktur/support/root-zertifikate/category/57-deutsche-telekom-root-ca-1 15
Example: Certificate installation Step 2: View certificate 16
Example: Certificate installation Step 3: View fingerprint 17
Example: Certificate installation Step 3: Compare fingerprint https://www.telesec.de/de/public-key-infrastruktur/support/root-zertifikate/category/57-deutsche-telekom-root-ca-1 18
Example: Certificate installation Step 4: Decide certificate purposes 19
Example: Certificate installation Result: Locally installed certificate 20
Example: Software signing Step 1: Get software and public key Original CD/DVD Customer obtains genuine CD/DVD containing the public key. The medium offers protection against manipulation. Key compromise as well as CD/DVD forgery can become known through the media. Trust in key = Trust in genuine CD/DVD 21
Example: Software signing Step 2: Check signature on updates Signed RPMs RedHat Package Manager Software installation in Linux Source: miscellaneous URLs Is a URL trusted? (e.g. is ftp://ftp.suse.com/.../openssl-1.0.2d.rpm one malicious version of OpenSSL?) Solution: The Linux-Distributor signs the RPM-Packet with GPG (GNU Privacy Guard) Public Key inside the original-cd for verification ~# rpm --checksig./openssl-1.0.2d.rpm openssl-1.0.2d.rpm: sha256 gpg in Ordnung ~# 22
Key validation problem Internet: 3,731,973,423 users 13,927,625,626,246,363,506 validations n*(n-1) validations = O(n 2 ) Even worse than symmetric key exchange [From: http://www.internetlivestats.com/, April 08, 2015] 25
Direct Trust: Summary Establishes Which keys are authentic Why they are considered authentic Bad scalability n * (n-1) = O(n 2 ) verifications Worse complexity than secret key exchange! Basis for all other trust models To be seen 26
Web of trust 27
Web of trust [From PGP-Pretty Good Privacy by Simon Garfinkel] 28
Web of trust A decentralized trust model To establish the authenticity of the binding public key user Used in PGP, GnuPG, and other OpenPGP-compatible systems Each party = end-user & certification authority at the same time All users distribute their own public keys, and certify those of other users From: Encyclopedia of Cryptography and Security, page 975 29
Key validity Alice computes key validity using Bob s signatures Carl Alice Bob Dave 30
Key validity Alice computes key validity using Bob s signatures Carl Alice Dave 31
Chaining key validity Alice computes key validity using Bob s and Carl s signatures Dave Alice Bob Carl Elena 32
Chaining key validity Alice computes key validity using Bob s and Carl s signatures Dave Alice Elena 33
Public keyring 34
Public keyring Alice s public keyring 35
Key validity vs. owner trust Key validity: Is the key owner who he claims to be? Levels: unknown; marginal; complete; ultimate Owner trust: Is the key owner reliable? (in respect to signing keys of others) Levels: unknown; none; marginal; complete; ultimate 36
Key validity levels unknown Nothing is known about this key. marginal The key probably belongs to the name. complete The key definitely belongs to the name. (ultimate) (Own keys). 37
Owner trust levels unknown Nothing can be said about the owner's judgment in key signing. none The owner is known to improperly sign keys. marginal The owner is known to properly sign keys. complete The owner is known to put great care in key signing. ultimate The owner is known to put great care in key signing, and is allowed to make trust decisions for you. 38
Assigning key validity and owner trust Key validity: Manually set (Key signing) OR computed from the trust in the corresponding signers, only considering signers with key validity complete. Owner trust: Manually set (Trust setting) 39
Key signing: Direct trust Bob s key validity is complete for Alice because she decided it when signing the key after verifying the fingerprint. 40
Key validity computation: complete (1) If the key is signed by at least one user with owner trust complete. 41
Key validity computation: complete (2) If the key is signed by at least x (here x=2) names with owner trust marginal. 42
Trust anchor: Owner trust Alice assigns owner trust to users. 45
Trusted introducers Alice signs Bob s key (level 1) and trusts him. Bob signs Carl s key (level 0) and trusts him. Alice uses Carl s signatures on Dave s and Elena s keys. Bob = Trusted introducer Dave Alice Bob Carl By allowing more intermediate signers (level >1), Bob becomes a Meta introducer Elena 46
Trusted introducers Alice signs Bob s key (level 1) and trusts him. Bob signs Carl s key (level 0) and trusts him. Alice uses Carl s signatures on Dave s and Elena s keys. Bob = Trusted introducer Dave Alice By allowing more intermediate signers (level >1), Bob becomes a Meta introducer Elena 47
Example: Thunderbird file://../thunderbirdportable/thunderbirdportable.exe 48
Sign and encrypt message 49
Decrypt and verify message 50
Example: OpenPGP C:\Users\[Benutzername]\AppData\Roaming\gnupg (prune) 51
Some OpenPGP commands Command gpg --gen-key gpg --output revoke.asc -- gen-revoke keyid gpg --output alice.gpg -- export keyid gpg -e -r keyid <filename> gpg -d <filename> gpg -s <filename> Description Generate key Revoke key Export key Encrypt Decrypt Sign... 52
PGP: Disadvantages PGP lacks forward secrecy (Forward secrecy: Exposure of long-term keys, used to negotiate session keys, does not compromise the secrecy of session keys established before the exposure.) From: Encyclopedia_of_cryptography_and_security, page 921 No supervision in regard to upgrading algorithms and parameters (e.g., use of old ciphers) Bad scalability for global use 53
Hierarchical trust 54
Hierarchical trust Certification Authority (CA) issues certificates trust anchor Alice Bob Carl 55
Hierarchical trust Why does Alice trust in Doris key? DFN PCA root CA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 56
Hierarchical trust Why does Alice trust in Doris key? DFN PCA root CA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 57
Hierarchical trust Emil to Alice DFN PCA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 58
Hierarchical trust Emil to Alice DFN PCA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 59
Hierarchical trust Emil to Alice DFN PCA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 60
Hierarchical trust Emil to Alice DFN PCA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 61
Trust models in multiple hierarchies When does Alice accept the certificate of Fred? TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 62
Method 1: Trusted list Every participant has a list of trusted CAs Alice trusts TC2 and TC3 Every user maintains an own list (like in the Web of trust) Used in Web browsers (preinstalled + user defined) TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 63
Trusted list: Certification path Alice to Fred TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 64
Example Trusted list 65
Method 2: Common root Every user who trusts TC1, accepts every other end-user certificate. TC 1 TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 66
Common root: Certification path Alice to Fred TC 1 TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 67
Example Two hierarchies 68
Example Common root 69
Method 3: Cross-certification TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans TC 2 issues a CA-certificate for TC 3. TC 3 issues a CA-certificate for TC 2. Not always bilateral Every user who trusts TC 3, accepts every certificate, that was issued by TC 2 (or a subordinate CA). Every user who trusts TC 2, accepts every certificate, that was issued by TC 3 (or a subordinate CA). 70
Cross-certification: Certification path Alice to Fred TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 71
Cross-certification: Other possibility (1) TC 2 issues one CA-certificate to TC 7 and vice versa. Hans accepts the certificate of Emil and vice versa. Emil does not accept the certificate of Fred. TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 72
Cross-certification: Other possibility (2) TC 4 issues one CA-certificate to TC 6 and vice versa. Alice accepts the certificate of Fred and vice versa. Fred does not accept the certificate of Emil. TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 73
Example 1R root 74
Example 2R root 75
Example 1R-to-2R 2R-to-1R 76
Example 2R as trust anchor 77
Cross-certification problem n*(n-1) cross-certificats = O(n 2 ) 78
Method 4: Bridge Idea: Bridge TC has cross-certifications with TC 2 and TC 3. Alice accepts all certificates beneath TC 3. Fred accepts all certificates beneath TC 2. TC 2 Bridge TC TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 79
Bridge: Certification path Alice to Fred Bridge enforces minimal policy TC 2 Bridge TC TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 80
Bridge trust center The bridge TC acts as a connector This TC is not subordinate to a third CA Interesting for corporate CAs that: want to enable secure communication for their users outside the organisation s borders do not want to be subordinate to a third CA 81
Example European Bridge CA (EBCA) https://www.ebca.de 82
X.509 certificate extension Basic Constraints Identifies whether the subject of the certificate is a CA the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. It is marked critical If pathlength is not present => no limit ASN.1: BasicConstraints ::= SEQUENCE { ca BOOLEAN DEFAULT FALSE, pathlenconstraint INTEGER (0..MAX) OPTIONAL } file://../certificates/text/csca_basicconstraints.cxt (text) file://../certificates/country_signing_ca.cer (bin) 83
X.509 certificate extension Basic Constraints: Example Root CA Subordinate CA Subordinate CA ca:true pathlength: ca:true pathlength: ca:false Alice 84
X.509 certificate extension Basic Constraints: Example Root CA Subordinate CA Subordinate CA Alice ca:true pathlength: 1 ca:true pathlength: 0 ca:false minimum values 85
Criticism regarding the power of CAs Honest Achmed https://bugzilla.mozilla.org/show_bug.cgi?id=647959 http://www.heise.de/newsticker/meldung/der-ehrliche- Achmed-bittet-um-Vertrauen-1231083.html 86