Lecture 8 Public-Key Infrastructure Stefan Dziembowski University of Rome La Sapienza BiSS 2009...
-
date post
21-Dec-2015 -
Category
Documents
-
view
219 -
download
0
Transcript of Lecture 8 Public-Key Infrastructure Stefan Dziembowski University of Rome La Sapienza BiSS 2009...
Lecture 8 Public-Key Infrastructure
Stefan DziembowskiUniversity of Rome
La Sapienza
BiSS 2009Bertinoro International Spring School 2-6 March 2009
Modern Cryptography www.dziembowski.net/Studenti/BISS09
Plan
1. Qualified signatures2. PKI and trust management3. Introduction to the key
establishment protocols
Remember the slide from the previous lectures?
P5
P1
P3P2
P4
pk1
pk2
pk3
pk4
pk5
public register:
sk3
sk5
sk4sk1
sk2
Question:How to maintain the public register?
1. We start with the case when the public keys are used for signing that is legally binding.
2. Then we consider other cases.
A problem
Alice Bob
(m, σ =Signsk(m))
skA pkA
m є {0,1}*
Judge
I got (m,σ) from AliceIt’s not true!I never signed m!
Vrfy(pk,m,σ) = yesso you cannot repudiate signing m...
But pk is not my public key!
Solution: certification authoritiesA simplified view:
comes with her ID and pkAlice
(pkCert,skCert)
checks the ID of Alice and issues a certificate:
SignskCert(“pkAlice is a public key of Alice”)
Alice
Now, everyone can verify that pkAlice is a public key of Alice. So Alice can attach it to every signature
Certification Authority
really everyone?
What is needed to verify the certificate
To verify the certificate coming from Cert one needs:
1. to know the public key of the Cert2. to trust Cert.
It is better if Cert also keeps a document:“I, Alice certify that pkAlice is my public key”
with a written signature of Alice.
How does it look from the legal point of view?
What matters at the end is if you can convince the judge.
Many countries have now a special law regulating these things.
In Italy it is:
Decreto Legislativo 7 marzo 2005, n. 82"Codice dell'amministrazione digitale"
pubblicato nella Gazzetta Ufficiale n. 112 del 16 maggio 2005 - Supplemento Ordinario n. 93
The qualified signature is equivalent to the written one!
A signature obtained this way is called a qualified digital signature (in Italian: firma elettronica qualificata).
A certificate issued by such an authority is called a qualified certificate (in Italian: certificato qualificato)
This law defines the conditions to become an official certification authority (in Italian: certificatore).
Some of the Italian Certificate Authorities:
Banca Monte dei Paschi di Siena S.p.A. (dal 03/08/2004)Lombardia Integrata S.p.A. (dal 17/08/2004)Banca Intesa S.p.A. (dal 09/09/2004 - Società soggetta a cambio di denominazione
sociale; ora Intesa Sanpaolo S.p.A.)Banca di Roma S.p.A. (dal 09/09/2004)(cessata attività dal 13/02/2008 - certificatore sostitutivo: nessuno)CNIPA (dal 15/03/2001)I.T. Telecom S.r.l. (dal 13/01/2005)Comando Trasmissioni e Informazioni Esercito (dal 10/04/2003 - già Comando C4 - IEW -
cessata attività dal 21/09/2007 - certificatore sostitutivo: nessuno)Consorzio Certicomm (dal 23/06/2005)
.
.
.
So, what to do if you want to issue the qualified signatures?
You have to go to one of this companies and get a qualified certificate (it costs!).
The certificate is valid just for some given period.
What if the secret key is lost?
1. In this case you have to revoke the certificate.Every authority maintains a list of revoked certificates.
2. The certificates come with some insurance.
Plan
1. Qualified signatures2. PKI and trust management3. Introduction to the key
establishment protocols
In many case one doesn’t want to use the qualified signatures
1. The certificates cost.
2. It’s risky to use them:
How do you know what your computer is really signing?Computers have viruses, Trojan horses, etc.
You can use external (trusted) hardware but it should have a display (so you can see what is signed).
Remember: qualified signatures are equivalent to the written ones!
In many cases the qualified signatures are an overkill.
The certificates are distributed using a public-key infrastructure (PKI).
Instead, people use non-qualified signatures.
Practical solution
Users can certify keys of the other users
P1 P3P2
pk3pk1 pk2
knows pk2 knows pk3
“trusts” P2
P2 certifies that pk3 is a public key of P3 signature of P2
P1 believesthat pk3 is a public key of P3
this should be done only if P2 really met P3 in person and verified his identity
P1 P3P2
pk3pk1 pk2
knows pk2 knows pk3
“trusts” P2
P4
pk4
knows pk4
“trusts” P3
P2 certifies that pk3 is a public key of P3 signature of P2
P3 certifies that pk4 is a public key of P4 signature of P3
P1 believesthat pk3 is a public key of P3
P1 P3P2
pk3pk1 pk2
knows pk2 knows pk3
“trusts” P2
P4
pk4
P2 certifies that pk3 is a public key of P3 signature of P2
P3 certifies that pk4 is a public key of P4 signature of P3
P1 believesthat pk3 is a public key of P3
“trusts” P3
knows pk4
P5
pk4
“trusts” P4
P4 certifies that pk5 is a public key of P5 signature of P4
This is called acertificate chain
knows pk5
A problem
What if P1 does not know P3?How can he trust him?
Answer: P2 can recommend P3 to P1.
P1 P3P2
pk3pk1 pk2
knows pk2 knows pk3
“trusts” P2
P4
pk4
“trusts” P3
knows pk4
A question: is trust transitive?
P1 P3P2
pk3pk1 pk2
“trusts” P2 “trusts” P3
P1 P3P2
pk3pk1 pk2
“trusts” P3
Does:
imply:
?
Example
P1 P3P2
pk3pk1 pk2
trusts thatP2 is a veryhonest person
P1 P3P2
pk3pk1 pk2
doesn’t trust that P3
is honest, because he thinks that P2 is honest but naive
trusts thatP3 is a veryhonest person
I can recommend P3
Moral
Trust is not transitive:
“P1 trusts in the certificates issued by P2”
is not the same as saying:
“P1 trusts that if
P2 says you can trust the certificates issued by P3
thenone can trust the certificates issued by P3”
level 1 recommendation:
A: ”you can trusts in all the certificates issued by B”
level 2 recommendation:
A : “you can trust that all the level 1 recommendations issued by B”
level 3 recommendation:
B : “you can trust that all the level 2 recommendations issued by B”
and so on. . .
Recommendation levels
Recursively:level i+1 recommendation:A : “you can trust that all the level i recommendations issued by B”
P1 P3P2 P4
P1 P3P2 P4
trusts the certificates issued by P4
Now, if:
then
Of course the recommendations also need to be signed.
Starts to look complicated...
P2 issues a recommendationof level 2 for P3
P3 issues a recommendationof level 1 for P4
P2 trustin all the recommendations issued by P2
How is it solved in practice?In popular standard is X.509 the recommendation is included
into a certificate.
Here the level of recommendations is bounded using a field called basic constraints.
X.509 is used for example in SSL.
SSL is implemented is implemented in every popular web-browser.
So, let’s look at it.
this field limits the recommendation
depth(here it’s unlimited)
Concrete exampleLet’s go to the Banca Di Roma website
a certificatechain
the second certificate wassigned by ”Verisign Primary Authority” for“Verisign Inc”.
(it’s not strange, we willdiscuss it)
Look here
The third certificatewas issued by Verisign Inc.for Banca di Roma
The typical pictureweb browser knows these certificates
Verisign DigiCert Entrust . . .
VerisignEurope
VerisignUSA
VerisignItaly
Banca di Roma
a certificate path
Implicit assumptions:
• the author of the browser is honest,• the author of the browser is competent• nobody manipulated the browser
is it always true?
CA1
CA2
CA3
CAn
client
cert1
cert2
cert3
certn-1
certn
Moreover:each certi has a number di denoting a maximal depth of certificate chain from this point (this limits the recommendation depth)
That is, we need to have:di ≥ n - i
All these certificates have tohave a flag “Is a Certification Authority” switched on.
d1
d2
d3
dn
Is it so important to check it?
Yes!
For example: the last element in the chain can be anybody (who paid to Verising for a certificate).
For sure we do not want to trust the certificates issued by anyone.
So, what happens when a user contacts the bank?
Alice
sends(cert1,..., certn)
If Alice’s browser knows cert1 it canverify the chain and read the public key of the bank from certn
Bank
What happens if the certification path is invalid?
For example if the first certificate in the path is not known to the user.
Experiment: let’s delete the Verisign certificate for the configuration of the browser...
What happens?
Another popular PKI
Pretty Good Privacy (PGP) – every user can act as a certification authority.
Hence the name:Web of Trust
Plan
1. Qualified signatures2. PKI and trust management3. Introduction to the key
establishment protocols
Suppose Alice and Bob want to authenticate to each other...
Alice Bobinternet
Observation: authentication itself is not very useful.More useful: key establishment
Protocols for key establishment
Suppose Alice and Bob want to establish a fresh session key in an authentic way.
When is it possible?
• Using symmetric cryptography: Alice and Bob can use some trusted server S.
• Using asymmetric cryptography: e.g. using PKI.
Symmetric cryptography
The server can help Alice and Bob to establish a session key.(in reality it’s not so trivial to design a secure protocol)
Alice Bob
server S
share a private keyKAS
share a private keyKBS
The public-key cryptography
Alice
sends(cert1,..., certn)
If they accepted the certificate paths they can establish a session key:
1. Alice selects a random key K. 2. Alice encrypts K with Bob’s public key, and sign is it with her
private key, and sends it to Bob.3. Bob verifies the signature and decrypts the K.
Again: in reality it’s not that simple...
Bob
sends(cert’1,..., cert’n)
What if one of the parties doesn’t have a certificate?
Typical situation in real life...
E.g. a bank can verify authenticity of Alice by asking her for a secret password.
This password is provided to her (in a physical way) when she opened an account.
How to prevent the dictionary attacks?
Not so trivial...
Designing the key establishment protocols
It is an active area of research.
It’s more complicated than one may think...
On the next slides we show some common errors.
An idea (1)
Alice Bob
server S
key shared by Alice and the server: KAS
key shared by Bob and the server: KBS
(“A,B”)
EncKAS(KAB),
EncKBS(KAB)
(EncKBS (KAB),”A”)
selects a random KAB
An attack
Alice Bob
server S
key shared by Alice and the server: KAS
key shared by Bob and the server: KBS
(A,B)
EncKAS(KAB),
EncKBS(KAB)
(EncKBS(KAB),”A”)
selects a random KAB
(EncKBS (KAB),”D”)
I’m talking to D
An idea (2)
Alice Bob
server S
key shared by Alice and the server: KAS
key shared by Bob and the server: KBS
(A,B)
EncKAS(KAB,”B”),
EncKBS(KAB,”A”)
EncKBS(KAB,”A”)
selects a random KAB
A replay attack
Alice Bob
(A,B)
EncKAS(K’AB,”B”),EncKBS(K’AB,”A”)
EncKBS(K’AB,”A”)
the adversary stores the values that the server sent in the previous session and replays them.
So, the key is not fresh...
How to protect against the replay attacks?
Nonce – “number used once”.
Nonce is a random number generated by one party and returned to that party to show that a message is newly generated.
An idea (3): Needham Schreoder 1972.
Alice Bob
server S
key shared by Alice and the server: KAS
key shared by Bob and the server: KBS
(“A,B”,NA)
EncKAS(KAB, “B”, NA, EncKBS
(KAB,”A”))
EncKBS(KAB,”A”)
selects a random KAB
EncKAB(NB – 1)
EncKAB(NB)
An attack on Needham Schroeder
Bob
EncKBS(K’AB,”A”)
EncK’AB(NB – 1)
EncK’AB(NB)
Assume that an old session key K’AB is known to the adversary.
The final solution
Alice Bob
server S
key shared by Alice and the server: KAS
key shared by Bob and the server: KBS
(“A,B”,NA,NB)
EncKAS(KAB, “B”, NA)
EncKBS(KAB, “A”, NB)
selects a random KAB
EncKBS(KAB, “A”, NB)
(“B”,NB)
Other desirable features1. Forward-security:
if an adversary breaks into the machine at some time t the previous session keys remain secret.
2. Deniability:A user can always deny that he sent some message.
3. Resistance to denial-of-service attacks(don’t put to much work on the server!).
Another (real-life) problemAlice and Bob may use different versions of the protocol.
Therefore at the beginning of the protocol they have to agree on the ciphers that they will use.
How to do agree in a secure way?
AliceBob
Alice:I prefer to use AES, but I can also use DES
Alice:I can onlyuse DES,
Bob:I can onlyuse DES,
Bob:I prefer to use AES, but I can also use DES
They’ll end up using DES!
Protocols used in practice
• Symmetric: Kerberos
• Asymmetric: SSL, SSH, IPSec...
©2009 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.