The X.509 standard, PKI and electronic documents

Similar documents
Certification Authority. The X.509 standard, PKI and electronic documents. X.509 certificates. X.509 version 3. Critical extensions.

The X.509 standard, PKI and electronic documents. Certification Authority. X.509 version 3. A.Lioy - Politecnico di Torino ( ) 1

The X.509 standard, PKI and electronic documents

Sicurezza Informatica: esercitazione 2

Public Key Infrastructures

Security Protocols and Infrastructures

Security Protocols and Infrastructures. Winter Term 2015/2016

Digital Certificates. PKI and other TTPs. 3.3

Public Key Infrastructures. Andreas Hülsing

ETSI TS V1.2.2 ( )

ETSI ES V1.1.3 ( )

ETSI TS V1.3.1 ( )

ETSI TS V1.5.1 ( )

Electronic Signature Format. ECOM Interoperability Plug Test 2005

Security Protocols and Infrastructures. Winter Term 2015/2016

PKCS #7: Cryptographic Message Syntax Standard

EXBO e-signing Automated for scanned invoices

Internet Engineering Task Force (IETF) Request for Comments: 5959 Category: Standards Track August 2010 ISSN:

Internet Engineering Task Force (IETF) Request for Comments: 6160 Category: Standards Track April 2011 ISSN:

Internet Engineering Task Force (IETF) Request for Comments: 7192 Category: Standards Track April 2014 ISSN:

Obsoletes: 3369 July 2004 Category: Standards Track

Obsoletes: 2630, 3211 August 2002 Category: Standards Track

Digital signatures: How it s done in PDF

ETSI TS V1.2.1 ( ) Technical Specification

IFY e-signing Automated for scanned invoices

ETSI TS V1.8.3 ( ) Technical Specification. Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)

Machine Readable Travel Documents

Electronic Seal Administrator Guide Published:December 27, 2017

Displaying SSL Configuration Information and Statistics

X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for Personal Identity Verification Interoperable (PIV-I) Cards

Technical Specification Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)

Digital Certificates Demystified

CORRIGENDA ISIS-MTT SPECIFICATION 1.1 COMMON ISIS-MTT SPECIFICATIONS VERSION JANUARY 2008 FOR INTEROPERABLE PKI APPLICATIONS

Public Key Infrastructures. Using PKC to solve network security problems

Federal Public Key Infrastructure (PKI) X.509 Certificate and CRL Extensions Profile

Public Key Establishment

Resolution of comments on Drafts ETSI EN to ETSI EN May 2014

The Information Technology (Certifying Authority) Regulations, 2001

SSH Communications Tectia SSH

Internet Engineering Task Force (IETF) Request for Comments: 6032 Category: Standards Track. December 2010

Attestation Service for Intel Software Guard Extensions (Intel SGX): API Documentation. Revision: 3.0

SSL/TSL EV Certificates

Overview & Specification

MTAT Applied Cryptography

Policy for electronic signature based on certificates issued by the hierarchies of. ANF Autoridad de Certificación

Data representation and PKI

Internet Engineering Task Force (IETF) Request for Comments: 5754 Updates: 3370 January 2010 Category: Standards Track ISSN:

Validation Policy r tra is g e R ANF AC MALTA, LTD

a.trust Certificate and CRL Specification

EDTA, itext and INBATEK Conference. Bangkok, July 27, 2017

Request for Comments: TIS Labs March Storing Certificates in the Domain Name System (DNS)

UELMA Exploring Authentication Options Nov 4, 2011

Internet Engineering Task Force (IETF) Request for Comments: Category: Informational ISSN: January 2010

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Category: Standards Track July Use of the RSAES-OAEP Key Transport Algorithm in the Cryptographic Message Syntax (CMS)

Category: Standards Track W. Ford VeriSign D. Solo Citigroup April 2002

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

VA DELEGATED TRUST MODEL

draft-ietf-smime-cert-06.txt December 14, 1998 Expires in six months S/MIME Version 3 Certificate Handling Status of this memo

SSL Certificates Certificate Policy (CP)

Updating OCSP. David Cooper

DirectTrust X.509 Certificate and Certificate Revocation List (CRL) Profiles

ISO/IEC INTERNATIONAL STANDARD

November 1998 Expires May Storing Certificates in the Domain Name System (DNS)

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

MISPC Minimum Interoperability Specification for PKI Components, Version 1

Advantages of modular PKI for implementation in information systems

Certificateless Public Key Cryptography

IBM i Version 7.2. Security Digital Certificate Manager IBM

OCSP Client Tool V2.2 User Guide

Public Key Infrastructures

July, Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

EUROPEAN STANDARD Electronic Signatures and Infrastructures (ESI); PAdES digital signatures; Part 2: Additional PAdES signatures profiles

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile draft-ietf-pkix-rfc3280bis-04.

eidas compliant Trust Services with Utimaco HSMs

Elliptic Curve Cryptography (ECC) based. Public Key Infrastructure (PKI) Kunal Abhishek Society for Electronic Transactions & Security (SETS), Chennai

Online Certificate Status Protocol (OCSP) Extensions

Key Management and Distribution

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

Internet Engineering Task Force (IETF) Obsoletes: 6485 Category: Standards Track August 2016 ISSN:

Internet Engineering Task Force (IETF) Request for Comments: 7193 Category: Informational. J. Schaad Soaring Hawk Consulting April 2014

SONY Certificate Profile V November 15, 2010 V1-1.0

Axway Validation Authority Suite

Network Working Group. Updates: 2634 August 2007 Category: Standards Track

KeyOne. Certification Authority

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Network Security Essentials

Bart Preneel PKI. February Public Key Establishment. PKI Overview. Keys and Lifecycle Management. How to establish public keys?

POLICY ON THE PROVISION OF QUALIFIED CERTIFICATES FOR ADVANCED ELECTRONIC SIGNATURE/SEAL BY BORICA AD. (B-Trust QCP-eIDAS АES/АESeal) Version 1.

PKI Service Certificate Profile V September 15, 2017 V1-1.1

Design and Implementation of a RFC3161-Enhanced Time-Stamping Service

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Information technology Open Systems Interconnection The Directory Part 8: Public-key and attribute certificate frameworks

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

ETSI ESI and Signature Validation Services

HTML5 and Digital Signatures. Signature Creation Service 1.0. October 13, 2014

PKCS #10 v1.7: Certification Request Syntax Standard (Final draft)

SMPTE Standards Transition Issues for NIST/FIPS Requirements

Transcription:

The X.509 standard, PKI and electronic documents Antonio Lioy < lioy @ polito.it > Politecnico di Torino Dipartimento di Automatica e Informatica Certification Authority (1) Kpub, Anna PC Certification Authority (4) cert (Anna,Kpub) (1) Kpri (4) cert repository (cert, CRL) (3) Anna OK Registration Authority (2) Anna A.Lioy - Politecnico di Torino (1997-2011) 1

X.509 certificates standard ITU-T X.509: v1 (1988) v2 (1993) = minor v3 (1996) = v2 + extensions + attribute certificate v1 v3 (2001) = v3 + attribute certificates v2 is part of the standard X.500 for directory services (white pages) is a solution to the problem of identifying the owner of a cryptographic key definition in ASN.1 (Abstract Syntax Notation 1) X.509 version 3 standard completed in June 1996 groups together in a unique document the modifications required to extend the definition of certificate and CRL two types of extensions: public, that is defined by the standard and consequently made public to anybody private, unique for a certain user community A.Lioy - Politecnico di Torino (1997-2011) 2

Critical extensions an extension can be defined as critical or non critical: in the verification process the certificates that contain an unrecognized critical extension MUST be rejected a non critical extension MAY be ignored if it is unrecognized the different (above) processing is entirely the responsibility of the party that performs the verification: the Relying Party (RP) Public extensions X.509v3 defines four extension classes: key and policy information certificate subject and certificate issuer attributes certificate path constraints CRL distribution points A.Lioy - Politecnico di Torino (1997-2011) 3

Key and policy information authority key identifier subject key identifier key usage private key usage period certificate policies policy mappings key usage Key and policy information identifies the application domain for which the public key can be used can be critical or not critical if it is critical then the certificate can be used only for the scopes for which the corresponding option is defined A.Lioy - Politecnico di Torino (1997-2011) 4

Key and policy information key usage the applications that can be defined are: digitalsignature (CA, user) nonrepudiation (user) keyencipherment (user) dataencipherment keyagreement (encipheronly, decipheronly) keycertsign (CA) crlsign (CA) Certificate subject and certificate issuer attributes subject alternative name issuer alternative name subject directory attributes A.Lioy - Politecnico di Torino (1997-2011) 5

Certificate subject and certificate issuer attributes subject alternative name allows to use different formalisms to identify the owner of the certificate (e.g. e-mail address, IP address, URL) always critical if the field subject-name is empty X.509 alternative names various possibilities: rfc822name dnsname ipaddress uniformresourceidentifier directoryname X400Address edipartyname registeredid othername A.Lioy - Politecnico di Torino (1997-2011) 6

CRL distribution point CRL distribution point identifies the distribution point of the CRL to be used in validating a certificate can be: directory entry e-mail or URL critical o non critical Private extensions it is possible to define private extensions, that is extensions common to a certain user community (i.e. a closed group) for example IETF-PKIX defined three private extensions for the Internet user community: subject information access authority information access CA information access A.Lioy - Politecnico di Torino (1997-2011) 7

PKIX private extensions authority information access indicates how to access information and services of the CA that issued the certificate: certstatus certretrieval capolicy cacerts critical or not critical cert issuer AIA CA services Extended key usage in addition or in substitution of keyusage possible values: (id-pkix.3.1) serverauth [DS, KE, KA] (id-pkix.3.2) clientauth [DS, KA] (id-pkix.3.3) codesigning [DS] (id-pkix.3.4) emailprotection [DS, NR, KE, KA] (id-pkix.3.8) timestamping i [DS, NR] A.Lioy - Politecnico di Torino (1997-2011) 8

CRL X.509 Certificate Revocation List list of revoked certificates CRLs are issued periodically and maintained by the certificate issuers CRLs are digitally signed: by the CA that issued the certificates by a revocation authority delegated by the (indirect CRL, icrl) CRL X.509 version 2 CertificateList ::= SEQUENCE { tbscertlist TBSCertList, signaturealgorithm AlgorithmIdentifier, signaturevalue BIT STRING } TBSCertList ::= SEQUENCE { version Version OPTIONAL, -- if present, version must be v2 signature AlgorithmIdentifier, issuer Name, thisupdate Time, nextupdate Time OPTIONAL, revokedcertificates SEQUENCE { usercertificate CertificateSerialNumber, revocationdate Time, crlentryextensions Extensions OPTIONAL } OPTIONAL, crlextensions [0] Extensions OPTIONAL } A.Lioy - Politecnico di Torino (1997-2011) 9

crlentryextensions: reason code Extensions of CRLv2 hold instruction ti code invalidity date certificate issuer crlextensions: authority key identifier issuer alternative name CRL number delta CRL indicator issuing distribution point Certificate revocation timeline key compromise event cert revocation time time CRL n issued cert revocation request CRL n+1 issued A.Lioy - Politecnico di Torino (1997-2011) 10

OCSP RFC-2560: On-line Certificate Status Protocol IETF-PKIX standard to verify online if a certificate is valid: good revoked revocationtime revocationreason unknown response signed by the server (not by the CA!) the OCSP server certificate cannot be verified with OCSP itself! Architecture of OCSP possible pre-computed responses decreases the computational load on the server but makes possible replay attacks! possible to obtain information not from CRL CRL OCSP HTTP FTP... OCSP (embedded) client OCSP server CRL A.Lioy - Politecnico di Torino (1997-2011) 11

Models of OCSP responder Trusted Responder the OCSP server signs the responses with a pair key:cert independent of the CA for which it is responding company responder or TTP paid by the users Delegated Responder the OCSP server signs the responses with a pair key:cert which is (can be) different based on the CA for which it is responding TTP paid by the CA Time-stamping proof of creation of data before a certain point in time TSA (Time-Stamping Authority) RFC-3161: request protocol (TSP, Time-Stamp Protocol) format of the proof (TST, Time-Stamp Token) hash digest TST digest date and time signature (TSA) TSA A.Lioy - Politecnico di Torino (1997-2011) 12

PSE (Personal Security Environment) each user should protect: his own private key (secret!) the certificates of the trusted root CAs (authentic!) software PSE: (encrypted) file of the private key hardware PSE: passive = protected t keys (same as sw PSE) active = protected keys + crypto operations mobility is possible in both cases (but with problems) Cryptographic smart-card chip cards with memory and/or autonomous cryptographic capacity simple: DES complex: RSA length of the key? generation of the private key on board? few memory (EEPROM): 4-32 Kbyte μcontroller ROM cryptographic RAM E 2 PROM coprocessor A.Lioy - Politecnico di Torino (1997-2011) 13

HSM (HW Security Module) cryptographic accelerator for servers secure storage of private key autonomous encryption capabilities (RSA, sometimes symmetric algorithms too) form factor: PCI board or external device (USB, IP, SCSI, ) crypto coprocessor RAM CPU I/O protected memory firmware Security API (low level) PKCS-11 = (only) crypto engine in software in hardware smart card cryptographic card part of the CDSA architecture MS-CAPI CSP (Crypto Service Provider) same functions as PKCS-11 but proprietary API of MS A.Lioy - Politecnico di Torino (1997-2011) 14

Secure data formats PKCS-7 = secure envelope signed and/or encrypted PKCS-10 = certificate request used in the communication among the client and CA / RA PKCS-12 = software PSE (Personal Security Environment) transport of keys and certificates are not application formats: S/MIME? IDUP-GSS-API? XML-DSIG? legal electronic documents? PKCS-7 and CMS formats Cryptographic Message Syntax PKCS-7 is the RSA standard for secure envelope (v1.5 is also RFC-2315) CMS is the evolution of PKCS-7 inside IETF allows signing and/or encryption of data, with symmetric or asymmetric algorithms supports multiple signatures (hierarchical or parallel) on the same object and can include the certs (and revocation info) to verify the signature is a recursive format syntax based on ASN.1-BER (DER solo per signed attributes e authenticated attributes ) A.Lioy - Politecnico di Torino (1997-2011) 15

RFC-2630 (jun 99) Evolution of CMS compatible with PKCS-7 1.5 adds key-agreement and pre-shared keys RFC-3369 (aug 02) adds pwd-based keys and an extension schema for generic key management algorithms specified in a distinct RFC RFC-3852 (jul 04) extension to support generic certificates RFC-5652 (sep 09) clarifications about multiple signatures Algorithms for CMS (I) RFC-3370 = base algorithms digest MD5, SHA-1 signature RSA, DSA key management agrement = DH transport = RSA symmetric wrapping = 3DES, RC2 derivation = PBKDF2 content encryption = 3DES-CBC, RC2-CBC MAC = HMAC-SHA1 A.Lioy - Politecnico di Torino (1997-2011) 16

Algorithms for CMS (II) encryption: (RFC-2984) CAST-128, (3058) IDEA, (3565) AES, (3657) Camellia, (4610) SEED RFC-4056 = RSASSA-PSS for digital signature RFC-4490 = GOST for encryption and digest RFC-5084 = AES-CCM and AES-GCM for auth.enc. RFC-5409 = Boneh-Franklin and Boneh-Boyen for Identity-Based Encryption RFC-5753 + RFC-6161 = ECC RFC-5754 = SHA-2 key transport: (5990) RSA-KEM, (3560) RSAES- OAEP PKCS-7: structure contentinfo contenttype content... 1 N contenttype content A.Lioy - Politecnico di Torino (1997-2011) 17

PKCS-7: contenttype data encoding of a generic sequence of bytes signeddata data + parallel digital signatures (1..N) envelopeddata data encrypted symm. + key encrypted with RSA signedandenvelopeddata RSA encryption of (data + digital it signatures) digestdata data + digest encrypteddata data encrypted with a symmetric algorithm PKCS-7: signeddata signeddata content version digestalgorithm contentinfo certificates crls signerinfo version issuer + SN encrypteddigest A.Lioy - Politecnico di Torino (1997-2011) 18

PKCS-7: envelopeddata envelopeddata version issuer + SN encalgorithm enckey content version encryptedcontentinfo recipientinfo... recipientinfo contenttype encryptionalgorithm encryptedcontent PKCS-10 data to `be certified DN public key attributes DN public key attributes computation of signature signature PKCS#10 private key of the entity to be certified A.Lioy - Politecnico di Torino (1997-2011) 19

PKCS-12 format (security bag) transport of (personal) cryptographic material among applications / different systems transports a private key and one or more certificates transports the digital identity of a user used by Netscape, Microsoft, Lotus, criticized from the technical point of view (especially in the MS implementation) but widely used export.p12.pfx import Formats of signed documents signed data document signature enveloping signature (es. PKCS-7) document document data signature enveloped signature (es. PDF) document signature detached signature (es. PKCS-7) A.Lioy - Politecnico di Torino (1997-2011) 20

Multiple signatures (parallel / independent) doc doc doc ds (doc, X) f (doc, X) f (doc, Y) f (doc, X) f (doc, Y) f (doc, Z) X Y Z Multiple signatures (sequential / hierarchical) doc doc doc f (doc, X) f (doc, X) f (doc, X) f (-, Y) f (-, Y) f (-, Z) X Y Z A.Lioy - Politecnico di Torino (1997-2011) 21

EU Electronic Signature (ES) data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication BEWARE: a scanned signature is an Electronic Signature (!) Advanced Electronic Signature (AES) an ES which meets the following requirements: uniquely linked to the signatory capable of identifying the signatory created using means that the signatory can maintain under his sole control linked to the data to which it relates in such a manner that any subsequent change of the data is detectable AES ES A.Lioy - Politecnico di Torino (1997-2011) 22

Qualified Certificate (QC) a PKC certifying the identity of a person and containing: an indication that it was issued as a QC the name of the signatory or a pseudonym, which shall be identified as such provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which h the certificate t is intended d limitations on the scope of the certificate, if any limits on the value of transactions, if any RFC-3739 = IETF-PKIX profile for QC Qualified Electronic Signature (QES) an AES (a) based on a QC, and (b) created by a secure-signature-creation device satisfies the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data is admissible as evidence in legal proceedings QES AES ES A.Lioy - Politecnico di Torino (1997-2011) 23

Legal effects Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is: in electronic form, or not based upon a qualified certificate, or not based upon a qualified certificate issued by an accredited d certification-service-provider, i id or not created by a secure signature-creation device ETSI standards for electronic signature CMS Advanced Electronic Signatures (CAdES) ETSI TS 101 733 (version 1.4.0) ETSI TS 102 734 = profiles of CAdES based upon other standards: RFC-2630 [CMS] Cryptographic Message Syntax RFC-2634 [ESS] Enhanced Security Services raw signature format (i.e. binary over a blob) b) evolution to application formats (XML and PDF) www.etsi.org/website/technologies/electronicsignature.aspx A.Lioy - Politecnico di Torino (1997-2011) 24

ETSI: CAdES formats Electronic Signature (ES) signature policy ID other signed attributes digital signature ES-T timestamp over digital signature ES-C complete certificate and revocation references and the extended formats ES-X Extended ES (ES-X) if the CA certificates may be compromised, then the formats ES-X are suggested ES-X-Timestamp (type 1): ES-C with a TS over the whole ES-C useful when OCSP is used ES-X-Timestamp (type 2): ES-C withats over just the references to the certificates and the revocation informations useful when CRL is used A.Lioy - Politecnico di Torino (1997-2011) 25

TSL TSL = Trust service Status List contains TSP (Trust- Service Provider) signed list list of the TSP and their services (certification, revocation, time-stamping, ) state of each TSP (supervised, suspended, revoked, ed, ) history of the state of each TSP schema and schema operator white list for the accredited TSP black list for the not accredited TSP Other ETSI ES formats XML Advanced Electronic Signatures (XAdES) ETSI TS 101 903 ETSI TS 102 904 = profiles of XAdES based upon XML-dsig PDF Advanced Electronic Signature Profiles (PAdES) for the ISO-32000 format (PDF) ETSI TS 102 778-1 = overview ETSI TS 102 778-2 = basic ETSI TS 102 778-3 = enhanced (BES, EPES) ETSI TS 102 778-4 = long-term validation (LTV) ETSI TS 102 778-5 = XML content A.Lioy - Politecnico di Torino (1997-2011) 26

The macro problem e-signing an e-document containing a macro is a bad idea document... document... @today 21-may-03 @today 22-may-03.......... signed on 21-may-2003 verified on 22-may-2003: is the signature valid? WYSIWYS What You See Is What You Sign highly desiderable is a problem of the application developers in Austria, it is a fundamental requirement of the law about e-signatures and e-documents do we really need it? compare it to fine prints in do we really need it? compare it to fine prints in paper documents A.Lioy - Politecnico di Torino (1997-2011) 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback