Lecture Notes 14 : Public-Key Infrastructure

Similar documents
Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

ECE 646 Lecture 3. Key management

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

CSE 565 Computer Security Fall 2018

Lecture 15 Public Key Distribution (certification)

Security & Privacy. Larry Rudolph. Pervasive Computing MIT SMA 5508 Spring 2006 Larry Rudolph

Distributed Access Control. Trust Management Approach. Characteristics. Another Example. An Example

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Key management. Required Reading. Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E

ECE 646 Lecture 3. Key management. Required Reading. Using the same key for multiple messages

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Key management. Pretty Good Privacy

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Security Digital Certificate Manager

IBM. Security Digital Certificate Manager. IBM i 7.1

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Authenticating People and Machines over Insecure Networks

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

Digital Certificates Demystified

Cryptography and Network Security

CT30A8800 Secured communications

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Public Key Infrastructures

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename

Public Key Infrastructures. Using PKC to solve network security problems

Certificateless Public Key Cryptography

Fall 2010/Lecture 32 1

Chapter 9: Key Management

Overview of Authentication Systems

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Configuring SSL. SSL Overview CHAPTER

ECE 646 Lecture 3. Key management. Required Reading. Using Session Keys & Key Encryption Keys. Using the same key for multiple messages

Public Key Infrastructure

Cryptography (Overview)

Configuring SSL CHAPTER

IBM i Version 7.2. Security Digital Certificate Manager IBM

Public Key Algorithms

Configuring SSL. SSL Overview CHAPTER

Crypto meets Web Security: Certificates and SSL/TLS

Key Agreement Schemes

APNIC Trial of Certification of IP Addresses and ASes

Version 3 X.509 Certificates

Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

Server-based Certificate Validation Protocol

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

Cryptography and Network Security

Overview. SSL Cryptography Overview CHAPTER 1

X.509 CERTIFICATE X.509 CERTIFICATE PUBLIC-KEY CERTIFICATES THE CERTIFICATE TRIANGLE CERTIFICATE TRUST. INFS 766 Internet Security Protocols

Public-Key Infrastructure NETS E2008

PROVING WHO YOU ARE TLS & THE PKI

Managing Certificates

Cryptographic Protocols 1

CERTIFICATE POLICY CIGNA PKI Certificates

Lecture 2 Applied Cryptography (Part 2)

PUBLIC-KEY CERTIFICATES

Certificate implementation The good, the bad, and the ugly

Configuring Certificate Authorities and Digital Certificates

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Send documentation comments to

Outline Key Management CS 239 Computer Security February 9, 2004

Network Security Essentials

The SafeNet Security System Version 3 Overview

KEY DISTRIBUTION AND USER AUTHENTICATION

Some Lessons Learned from Designing the Resource PKI

FPKIPA CPWG Antecedent, In-Person Task Group

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

APNIC Trial of Certification of IP Addresses and ASes

Authentication in Distributed Systems

Lecture 16 Public Key Certification and Revocation

Grid Security Infrastructure

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

A PKI For IDR Public Key Infrastructure and Number Resource Certification

CS Certificates, part 2. Prof. Clarkson Spring 2017

Public Key Establishment

Information Security CS 526

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Policy-directed certificate retrieval

Diffie-Hellman. Part 1 Cryptography 136

Key Management and Distribution

T Cryptography and Data Security

by Amy E. Smith, ShiuFun Poon, and John Wray

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

Smart Grid Security. Selected Principles and Components. Tony Metke Distinguished Member of the Technical Staff

ING Corporate PKI G3 Internal Certificate Policy

Introduction to Cryptography Lecture 10

L8: Public Key Infrastructure. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Certificates, Certification Authorities and Public-Key Infrastructures

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

Certificate Revocation : A Survey

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

CS Computer and Network Security: PKI

User Authentication. Modified By: Dr. Ramzi Saifan

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Designing and Managing a Windows Public Key Infrastructure

Apple Inc. Certification Authority Certification Practice Statement

Trust Infrastructure of SSL

What is a Digital Certificate? Basic Problem. Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

Transcription:

6.857 Computer and Network Security October 24, 2002 Lecture Notes 14 : Public-Key Infrastructure Lecturer: Ron Rivest Scribe: Armour/Johann-Berkel/Owsley/Quealy [These notes come from Fall 2001. These notes are neither sound nor complete. There is more material than is covered in lecture, and some is missing. Check with students notes for new topics brought up in 2002.] 1 Outline Public-Key Infrastructure X.509 SPKI/SDSI 2 Public-Key Infrastructure (PKI) 2.1 Introduction In cyberspace there is a need to verify the identities of individuals for a number of purposes. Some of these events include sending and receiving secure email, sending and receiving signed email, setting up a secure session (SSL), and accessing a protected resource. The way in which this goal of authentication is accomplished is by verifying that a public key belongs to an individual that you know and trust. Public-Key Infrastructure is designed to allow this kind of authentication. 2.2 Diffie Hellman Public-Key Encryption Public-Key Directory One way to associate public keys to individuals is by publishing a mapping of names to keys. This directory would act much like the WhitePages does for distributing phone numbers based on name. The directory must be trusted, therefore it must be authentic but need not be secret. Entries would be of the form: Alice (RSA, n =..., e = 3) Bob (RSA, n =..., e = 17) Problem: Need to authenticate the issuer of the directory. Solution: A possible solution would be for the issuer to sign the whole directory. (how do we get the issuer s PK? must be recursive) 0 May be freely reproduced for educational or personal use. 1

2 2 PUBLIC-KEY INFRASTRUCTURE (PKI) Digital Certificates Digital Certificates were proposed by Loren Kohnfelder here at MIT in a B.S. thesis in 78. They are an authenticated identifier pairing the public key to a significant name. This allows any user to identify themselves and establishes trust between themselves and a verifier who trusts the certificate authority. The CA is assumed to correctly identify the person who has requested the certificate. This is the structure of a signed digital certificate. { Alice, (RSA,...)} CA Here is a representation of the exchange between a user with a certificate and a verifier. (M) SKA,cert Bob relying party Question: How does PKI deal with issues of dynamics in naming such as changing email addresses? Answer: This does present a problem since information can change. The major issue becomes one of database update however. Advantages Alice can include her certificate in an email or post it on the Web Bob only needs to know the Certificate Authority and its PK Alice may have more than one key (e.g., one for signing, one for encryption) Certificates can have a validity period (not before / not after a certain time) Difficulty Issues Scalability - need multiple CAs - naming (unique? human-readable?) Robustness -compromised keys? (especially the root key!) -revoked certificate Certificate as Credential (Attribute Certificate instead of ID certificate) Trustworthiness of CA and procedures; liability? Privacy, Anonymity Question: How do we deal with privacy issues in the CA? Answer: Use certificate serial numbers instead of names.

2.3 Naming 3 2.3 Naming PK infrastructure has a very intimate link with naming. We want a system that is easy to use for people, similar to that of file names. The naming relationship should be as follows: Names are for people to use. Keys are for machines to use. PKI can provide a binding between the two. Naming is a large issue. Since the CA has the burden of properly identifying and labeling the parties with certificates, names must be made clear and accurate. Naming provides an interface between people and cyberspace. People must then write security policy based on the name associated with a PK used to sign message. Writers of such policies need to know/understand the relationship between keys and names. Desirable naming properties Descriptive Global uniqueness Dynamic Examples Role (purchasing agent at IBM) Legal names Email Phone # s ( enum ) Mail address Certificates can also be used for identifying much more about an individual than just identity. Attributes of a person can be given by certificates. For attributes, what exactly is the CA allowed to certify? Example: John has brown hair. How do they know? Why should we believe them?

4 3 X.509 3 X.509 X.509 is one of the most popular standards specifying the contents of a digital certificate. One of the main goals of X.509 is global uniqueness of names. 3.1 X.509 Hierarchical Structure X.509 maintains properties of distinguished names (DNs) and is organized in a hierarchical structure. This naming scheme for certificates traverses through local CAs until arriving at a specific name. Each local CA is responsible for only certificates in its specific domain. Below is the graphical representation of the path between the root CA and John Smith. /root/us/ibm/ibmsales/john-smith Some major problems with DN here is that single points of failure disrupt the system. The structure itself is also awkward. Question: What happens if the root CA is compromised? Answer: Instead of having one root CA we can implement a threshold system. This would help eliminate single points of failure.

3.2 What s included in X.509 version 3 certificates? 5 3.2 What s included in X.509 version 3 certificates? Version # Certificate Serial # Signature Algorithm Identifier Issuer Distinguished Name (DN) Validity Period Subject DN Subject PK Information - algorithm identifier - associated key parameters Issuer Unique # Subject Unique # Extensions - key usage - certificate policies - subject/issuer alternate names - path constraints - criticality bits 3.3 Revocation or Compromised Key Is the assertion of the certificate ( Public Key is Alice s PK ) valid any more? Who s decision is it to revoke a certificate? Revocation is hard to do. It is much easier to have certificates expire. A good method is to use short validity periods. Certificate Revocation Lists (CRLs) CRLs provide a listing of serial numbers of revoked certificates. For example, if Alice s Laptop were stolen and her secret key compromised, we would want her certificate to be revoked. CRLs could also include the reasons why certificates were revoked. A consideration with CRLs is how frequently they should be updated (daily?, weekly?, monthly?). Another option for updating CRLs is to post CRLs which only update CRLs whenever a change occurs. CRLs present a problem since they place the burden of certificate validity upon the CA and not the verifier. For example, if the CA only updated CRLs monthly but Bob wants daily verification, a conflict arises. One possible solution for Bob would be to refuse certificates that had not been signed within the last 24 hours. In this way Bob can set his own security policies.

6 4 SPKI/SDSI For maximum verification of certificates there should be short validity periods and then the relying party can determine what is fresh enough. Question: What if certificates were stored on a piece of hardware such as a smart card? Answer: This is not a primary concern because we are currently focused upon the theory behind certificate freshness. Question: Would X.509 have to redo the US certificate every day? Answer: Yes. This shows the limitations of X.509. At each level new certificates are reissued for desired freshness. Another possible solution is to reveal a new hash value for the certificate each day. Assuming that we use a OW hash, the values guarantee the certificate is still valid. x 31 x 4 x 3 x 2 x 1 x 0... In this diagram the certificate originally has the value x 0. On day one value x 1 is sent to the certificate holder such that the hash of x 1 = x 0. This is repeated everyday the certificate is still valid. This hashing technique is due to Silvio Micali. 4 SPKI/SDSI SPKI/SDSI is a novel PKI emphasizing naming, groups, ease-of-use, and flexible authorization. To access a protected resource, a client must present to the server a proof that the client is authorized. This proof takes the form of a certificate chain proving that the clients public key is in one of the groups on the resource s ACL, or that the clients public key has been delegated authority from a key in one of the groups on the resource s ACL. How it works No global names Each key has its own local name space Two types of certificates: Name and Authority Name Cert: K = your key K Alice (local name) value (PK, or another name) K 0 = MIT K 1 = EECS Example 1 K Alice K 0 AliceSmith K 0 AliceSmith K s

7 Example 2 K Alice K s K Alice K 0 EECS AliceSmith K 0 EECS K 1 Example 3, Groups K 1 AliceSmith K s K F riends K 1 Alice K F riends K 1 Bob K F riends K 0 EECS student This a bottom-up approach to authentication. As opposed to the top-down approach outlined in X.509.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback