Public Key Infrastructures

Similar documents
Public Key Infrastructures. Andreas Hülsing

Public Key Cryptography, OpenPGP, and Enigmail. 31/5/ Geek Girls Carrffots GVA

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename

CSE 565 Computer Security Fall 2018

Security PGP / Pretty Good Privacy. SANOGXXX July, 2017 Gurgaon, Haryana, India

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Chapter 9: Key Management

L8: Public Key Infrastructure. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Using Cryptography CMSC 414. October 16, 2017

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

But where'd that extra "s" come from, and what does it mean?

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

Cryptography and Network Security

What is a Digital Certificate? Basic Problem. Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

An Introduction to How PGP Works

CT30A8800 Secured communications

Cryptography (Overview)

Public Key Infrastructures

Outline Key Management CS 239 Computer Security February 9, 2004

Public Key Infrastructure

Learn PGP. SIPB Cluedump, 19 October Anish Athalye (aathalye), Merry Mou (mmou), Adam Suhl (asuhl) 1 / 22

Certificateless Public Key Cryptography

Chapter 10: Key Management

INF3510 Information Security University of Oslo Spring Lecture 3 Key Management and PKI. Audun Jøsang

Key Management and PKI

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

Sharing Secrets using Encryption Facility - Handson

Overview. SSL Cryptography Overview CHAPTER 1

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Cryptography and Network Security Chapter 14

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Public-key Cryptography: Theory and Practice

Investigating the OpenPGP Web of Trust

CS Computer Networks 1: Authentication

Cryptography. Cryptography is everywhere. German Lorenz cipher machine

Spring 2010: CS419 Computer Security

CSC 482/582: Computer Security. Security Protocols

Cryptography: Practice JMU Cyber Defense Boot Camp

INF3510 Information Security University of Oslo Spring Lecture 6 Key Management and PKI. Audun Jøsang

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

L13. Reviews. Rocky K. C. Chang, April 10, 2015

ECE646 Fall Lab 1: Pretty Good Privacy. Instruction

Information Security CS 526

ECE646 Fall Lab 1: Pretty Good Privacy. Instruction

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Pretty Good Privacy (PGP)

UNIT - IV Cryptographic Hash Function 31.1

Digital Signatures. Cole Watson

Public Key Algorithms

Key Management and Distribution

Cryptographic Protocols 1

Lab: Securing with PGP

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Putting Taiwan on the Kernel.org Keysigning Map. Tsai, Chen-Yu

PGP Key Verification. Version 1.1, 08/26/2002. Stephen Gill Published: 08/26/2002

Cryptographic Checksums

Fall 2010/Lecture 32 1

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

ECE 646 Lecture 4A. Pretty Good Privacy PGP. Short History of PGP based on the book Crypto by Steven Levy. Required Reading

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Pretty Good Privacy PGP. Required Reading. Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E

Overview of Authentication Systems

PKI Contacts PKI for Fraunhofer Contacts

ECE 646 Lecture 4. Pretty Good Privacy PGP

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Managing Certificates

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

User Authentication. Modified By: Dr. Ramzi Saifan

CS 425 / ECE 428 Distributed Systems Fall 2017

Lecture Notes 14 : Public-Key Infrastructure

Public Key Infrastructure. What can it do for you?

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

ECE 646 Fall Lab 1: Pretty Good Privacy Setup

14. Internet Security (J. Kurose)

PROVING WHO YOU ARE TLS & THE PKI

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Most Common Security Threats (cont.)

Certificates, Certification Authorities and Public-Key Infrastructures

The PGP Trust Model. Alfarez Abdul-Rahman

Ralph Durkee Independent Consultant Security Consulting, Security Training, Systems Administration, and Software Development

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

T Cryptography and Data Security

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Configuring Certificate Authorities and Digital Certificates

Public-Key Infrastructure NETS E2008

The most common type of certificates are public key certificates. Such server has a certificate is a common shorthand for: there exists a certificate

DidiSoft OpenPGP Library for Java version 3.1

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Public Key Infrastructures Chapter 11 Trust Center (Certification Authority)

CSC/ECE 774 Advanced Network Security

Send documentation comments to

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Digital Certificates Demystified

EEC-682/782 Computer Networks I

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Transcription:

Public Key Infrastructures Trust Models Cryptography and Computer Algebra Prof. Johannes Buchmann Dr. Johannes Braun

We trust certificates because we trust the system(s). Direct trust Web of trust Hierarchical trust 2

Example: Secured website 3

View the website's certificate 4

In the browser The browser is shipped with trusted authorities 5

Direct trust 6

Direct trust User receives public key directly from owner OR User verifies public key directly with owner 7

Most common: Fingerprint comparison Fingerprint = hash value of the certificate (incl. signature) in DER format 8

Face to face verification 9

Phone verification https://www.telesec.de/de/public-key-infrastruktur/support/root-zertifikate file://../certificates/hrz/dt-root-ca-2.der (bin) 10

Phone verification https://www.telesec.de/de/kontakt-de 11

Web page verification http://www.cacert.org/index.php?id=3 12

Printed media verification BNetzA publishes the public key 13

and more e.g. public keys on software CD/DVD root@x230:~# apt-key --keyring /etc/apt/trusted.gpg.d list /etc/apt/trusted.gpg.d//debian-archive-jessie-automatic.gpg ----------------------------------------------------------- pub 4096R/2B90D010 2014-11-21 [expires: 2022-11-19] uid Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org> 14

Example: Certificate installation Step 1: Get certificate https://www.telesec.de/de/public-key-infrastruktur/support/root-zertifikate/category/57-deutsche-telekom-root-ca-1 15

Example: Certificate installation Step 2: View certificate 16

Example: Certificate installation Step 3: View fingerprint 17

Example: Certificate installation Step 3: Compare fingerprint https://www.telesec.de/de/public-key-infrastruktur/support/root-zertifikate/category/57-deutsche-telekom-root-ca-1 18

Example: Certificate installation Step 4: Decide certificate purposes 19

Example: Certificate installation Result: Locally installed certificate 20

Example: Software signing Step 1: Get software and public key Original CD/DVD Customer obtains genuine CD/DVD containing the public key. The medium offers protection against manipulation. Key compromise as well as CD/DVD forgery can become known through the media. Trust in key = Trust in genuine CD/DVD 21

Example: Software signing Step 2: Check signature on updates Signed RPMs RedHat Package Manager Software installation in Linux Source: miscellaneous URLs Is a URL trusted? (e.g. is ftp://ftp.suse.com/.../openssl-1.0.2d.rpm one malicious version of OpenSSL?) Solution: The Linux-Distributor signs the RPM-Packet with GPG (GNU Privacy Guard) Public Key inside the original-cd for verification ~# rpm --checksig./openssl-1.0.2d.rpm openssl-1.0.2d.rpm: sha256 gpg in Ordnung ~# 22

Key validation problem Internet: 3,731,973,423 users 13,927,625,626,246,363,506 validations n*(n-1) validations = O(n 2 ) Even worse than symmetric key exchange [From: http://www.internetlivestats.com/, April 08, 2015] 25

Direct Trust: Summary Establishes Which keys are authentic Why they are considered authentic Bad scalability n * (n-1) = O(n 2 ) verifications Worse complexity than secret key exchange! Basis for all other trust models To be seen 26

Web of trust 27

Web of trust [From PGP-Pretty Good Privacy by Simon Garfinkel] 28

Web of trust A decentralized trust model To establish the authenticity of the binding public key user Used in PGP, GnuPG, and other OpenPGP-compatible systems Each party = end-user & certification authority at the same time All users distribute their own public keys, and certify those of other users From: Encyclopedia of Cryptography and Security, page 975 29

Key validity Alice computes key validity using Bob s signatures Carl Alice Bob Dave 30

Key validity Alice computes key validity using Bob s signatures Carl Alice Dave 31

Chaining key validity Alice computes key validity using Bob s and Carl s signatures Dave Alice Bob Carl Elena 32

Chaining key validity Alice computes key validity using Bob s and Carl s signatures Dave Alice Elena 33

Public keyring 34

Public keyring Alice s public keyring 35

Key validity vs. owner trust Key validity: Is the key owner who he claims to be? Levels: unknown; marginal; complete; ultimate Owner trust: Is the key owner reliable? (in respect to signing keys of others) Levels: unknown; none; marginal; complete; ultimate 36

Key validity levels unknown Nothing is known about this key. marginal The key probably belongs to the name. complete The key definitely belongs to the name. (ultimate) (Own keys). 37

Owner trust levels unknown Nothing can be said about the owner's judgment in key signing. none The owner is known to improperly sign keys. marginal The owner is known to properly sign keys. complete The owner is known to put great care in key signing. ultimate The owner is known to put great care in key signing, and is allowed to make trust decisions for you. 38

Assigning key validity and owner trust Key validity: Manually set (Key signing) OR computed from the trust in the corresponding signers, only considering signers with key validity complete. Owner trust: Manually set (Trust setting) 39

Key signing: Direct trust Bob s key validity is complete for Alice because she decided it when signing the key after verifying the fingerprint. 40

Key validity computation: complete (1) If the key is signed by at least one user with owner trust complete. 41

Key validity computation: complete (2) If the key is signed by at least x (here x=2) names with owner trust marginal. 42

Trust anchor: Owner trust Alice assigns owner trust to users. 45

Trusted introducers Alice signs Bob s key (level 1) and trusts him. Bob signs Carl s key (level 0) and trusts him. Alice uses Carl s signatures on Dave s and Elena s keys. Bob = Trusted introducer Dave Alice Bob Carl By allowing more intermediate signers (level >1), Bob becomes a Meta introducer Elena 46

Trusted introducers Alice signs Bob s key (level 1) and trusts him. Bob signs Carl s key (level 0) and trusts him. Alice uses Carl s signatures on Dave s and Elena s keys. Bob = Trusted introducer Dave Alice By allowing more intermediate signers (level >1), Bob becomes a Meta introducer Elena 47

Example: Thunderbird file://../thunderbirdportable/thunderbirdportable.exe 48

Sign and encrypt message 49

Decrypt and verify message 50

Example: OpenPGP C:\Users\[Benutzername]\AppData\Roaming\gnupg (prune) 51

Some OpenPGP commands Command gpg --gen-key gpg --output revoke.asc -- gen-revoke keyid gpg --output alice.gpg -- export keyid gpg -e -r keyid <filename> gpg -d <filename> gpg -s <filename> Description Generate key Revoke key Export key Encrypt Decrypt Sign... 52

PGP: Disadvantages PGP lacks forward secrecy (Forward secrecy: Exposure of long-term keys, used to negotiate session keys, does not compromise the secrecy of session keys established before the exposure.) From: Encyclopedia_of_cryptography_and_security, page 921 No supervision in regard to upgrading algorithms and parameters (e.g., use of old ciphers) Bad scalability for global use 53

Hierarchical trust 54

Hierarchical trust Certification Authority (CA) issues certificates trust anchor Alice Bob Carl 55

Hierarchical trust Why does Alice trust in Doris key? DFN PCA root CA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 56

Hierarchical trust Why does Alice trust in Doris key? DFN PCA root CA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 57

Hierarchical trust Emil to Alice DFN PCA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 58

Hierarchical trust Emil to Alice DFN PCA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 59

Hierarchical trust Emil to Alice DFN PCA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 60

Hierarchical trust Emil to Alice DFN PCA TUD CA Uni Gießen TUD Student CA TUD Employee CA Alice Bob Carl Doris Emil 61

Trust models in multiple hierarchies When does Alice accept the certificate of Fred? TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 62

Method 1: Trusted list Every participant has a list of trusted CAs Alice trusts TC2 and TC3 Every user maintains an own list (like in the Web of trust) Used in Web browsers (preinstalled + user defined) TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 63

Trusted list: Certification path Alice to Fred TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 64

Example Trusted list 65

Method 2: Common root Every user who trusts TC1, accepts every other end-user certificate. TC 1 TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 66

Common root: Certification path Alice to Fred TC 1 TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 67

Example Two hierarchies 68

Example Common root 69

Method 3: Cross-certification TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans TC 2 issues a CA-certificate for TC 3. TC 3 issues a CA-certificate for TC 2. Not always bilateral Every user who trusts TC 3, accepts every certificate, that was issued by TC 2 (or a subordinate CA). Every user who trusts TC 2, accepts every certificate, that was issued by TC 3 (or a subordinate CA). 70

Cross-certification: Certification path Alice to Fred TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 71

Cross-certification: Other possibility (1) TC 2 issues one CA-certificate to TC 7 and vice versa. Hans accepts the certificate of Emil and vice versa. Emil does not accept the certificate of Fred. TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 72

Cross-certification: Other possibility (2) TC 4 issues one CA-certificate to TC 6 and vice versa. Alice accepts the certificate of Fred and vice versa. Fred does not accept the certificate of Emil. TC 2 TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 73

Example 1R root 74

Example 2R root 75

Example 1R-to-2R 2R-to-1R 76

Example 2R as trust anchor 77

Cross-certification problem n*(n-1) cross-certificats = O(n 2 ) 78

Method 4: Bridge Idea: Bridge TC has cross-certifications with TC 2 and TC 3. Alice accepts all certificates beneath TC 3. Fred accepts all certificates beneath TC 2. TC 2 Bridge TC TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 79

Bridge: Certification path Alice to Fred Bridge enforces minimal policy TC 2 Bridge TC TC 3 TC 4 TC 5 TC 6 TC 7 Alice Bob Carl Doris Emil Fred Gerd Hans 80

Bridge trust center The bridge TC acts as a connector This TC is not subordinate to a third CA Interesting for corporate CAs that: want to enable secure communication for their users outside the organisation s borders do not want to be subordinate to a third CA 81

Example European Bridge CA (EBCA) https://www.ebca.de 82

X.509 certificate extension Basic Constraints Identifies whether the subject of the certificate is a CA the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. It is marked critical If pathlength is not present => no limit ASN.1: BasicConstraints ::= SEQUENCE { ca BOOLEAN DEFAULT FALSE, pathlenconstraint INTEGER (0..MAX) OPTIONAL } file://../certificates/text/csca_basicconstraints.cxt (text) file://../certificates/country_signing_ca.cer (bin) 83

X.509 certificate extension Basic Constraints: Example Root CA Subordinate CA Subordinate CA ca:true pathlength: ca:true pathlength: ca:false Alice 84

X.509 certificate extension Basic Constraints: Example Root CA Subordinate CA Subordinate CA Alice ca:true pathlength: 1 ca:true pathlength: 0 ca:false minimum values 85

Criticism regarding the power of CAs Honest Achmed https://bugzilla.mozilla.org/show_bug.cgi?id=647959 http://www.heise.de/newsticker/meldung/der-ehrliche- Achmed-bittet-um-Vertrauen-1231083.html 86

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback