Public Key Infrastructure
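Chester Rebeiro, IIT Madras
Recollect Diffie-Hellman Key Exchange
• Key Establishment: “Alice and Bob want to use a block cipher for encryption. How do they agree upon the secret key?”
Alice and Bob agree upon a prime p and a generator g. This is public information.
Alice: choose a secret a; compute $A = g^a \bmod p$
Bob: choose a secret b; compute $B = g^b \bmod p$
Alice sends A to Bob; Bob sends B to Alice.
Alice: compute $K = B^a \bmod p$
Bob: compute $K = A^b \bmod p$
$A^b \bmod p = (g^a)^b \bmod p = (g^b)^a \bmod p = B^a \bmod p$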
Man in the Middle Attack
Alice sends her public key
Sally sends her public key
Bob encrypts with Sally’s public key
Man in the middle intercepts messages
Sally decrypts with her private key and re-encrypts with Alice’s public key
Alice decrypts with her private key
Man in the Middle Attack
Alice sends her public key
Sally sends her public key
Sally encrypts with Mallory’s public key
Man in the middle intercepts messages
Sally decrypts with her private key and re-encrypts with Alice’s public key
Alice decrypts with her private key
Fundamental Problem: Who is Alice? Bob has no way to tell whether the public key he received belongs to Alice or not.
Certifying Authority
Alice: choose a secret a; compute $A = g^a \bmod p$
Bob: choose a secret b; compute $B = g^b \bmod p$
Digital certificate: public key of Alice (A)
Digital certificate: public key of Bob (B)
Alice: compute $K = B^a \bmod p$; Bob: compute $K = A^b \bmod p$
X.509 Digital Certificates
Contains
• Serial Number
• Issuer → the certifying authority details
• Subject → information about the owner (who owns the public key, for example Alice)
• Public Key → Alice’s public key
• Validity
• Signature → the signature of the certificate, signed by the certifying authority
A more practical Perspective
Verify the subject: ensure that the person applying for the certificate either owns or represents the identity in the subject field.
2. Verify Identity of Alice
Signing digital certificates: the CA generates a digital signature for the certificate using its private key. Once the signature is applied, the certificate cannot be modified without invalidating the signature. Signatures can be verified by anyone with the CA’s public key.
3. Digitally Sign
4. Alice’s certificate, signed by CA
Alice can advertise the certificate on her website
Alice: choose a secret a; compute $A = g^a \bmod p$
Bob: choose a secret b; compute $B = g^b \bmod p$
Alice’s certificate, signed by CA; Bob’s certificate, signed by CA
Exchanged: Alice’s certificate, Bob’s certificate
Alice: compute $K = B^a \bmod p$; Bob: compute $K = A^b \bmod p$
Fetching certificates with openssl
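[Screenshot: openssl output for Hostname:port. Each certificate (Certificate 1, Certificate 2) follows a header and sits between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.]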
[Screenshot: certificate fetched from Hostname:port]
Cut and paste it into a file paypal.pem (PEM: privacy enhanced mail). To view the text equivalent of this, use
openssl x509 -in paypal.pem -text -noout
Example of X.509 Certificate (1st Part)
The CA’s identity (Symantec)
The owner of the certificate (paypal)
Example of X.509 Certificate (2nd Part)
Public key
CA’s signature
Who Certifies the CA?
There are many CAs in the real world, and they are organized in a hierarchical structure.
Root CAs and Self-Signed Certificate
• A root CA’s public key is also stored in an X.509 certificate. It is self-signed.
• Self-signed: the entries for the issuer and the subject are identical.
• How can they be trusted?
• Public keys of root CAs are pre-installed in the OS, browsers and other software
[Figure: the issuer and subject entries of a root certificate, marked “Same”]
Root CAs in Mac OS
Intermediate CAs and Chain of Trust
B: Paypal’s certificate
A: Intermediate CA’s certificate
A is used to verify B
Something else is needed to verify A (certificate from another intermediate CA or root CA)
Manually Verifying a Certificate Chain
• Save Paypal’s certificate to a file called Paypal.pem
• Symatec-g3.pem: Save certificate from “Symantec Class 3 EV SSL CA – G3”
• VeriSign-G5.pem: Save the VeriSign-G5’s certificate from the browser
[Screenshot labels: Root CA’s certificate; Chain of certificates]
The Entire Process
CA: 1. Set up the CA
• CA’s public-private key (password protected)
• CA’s self-signed certificate
• modelCA’s certificate: self-signed
User: 1. Generate Keys
[Screenshot of the generated key, annotated with: $n = p \times q$, $n$, public key (A), private key (a), $p$, $q$, $a_p$, $a_q$, $q^{-1}$]
User: 2. Generate CSR (certificate signing request)
• Signed with the bank’s private key (self-signed)
User sends the csr file to the CA
CA: 2. Create Certificate
CA sends the certificate to the user
User: 3. Deploy (https server)
Client
• A client fails to connect because it cannot verify the first (root) certificate (modelCA)
• A client connects if the modelCA’s certificate is known
• https://localhost:44330
• https://cse.iitm.ac.in:44330
• Register modelCA in your system (need to select that you trust this CA)
• https://cse.iitm.ac.in:44330
Attacker forwards authentic certificate
[Figure: the CA’s steps 3. Verify Identity of Alice and 4. Digitally Sign; the server is Bank.com]
Attacker changes public key with her own
The request at the CA is going to fail because the signature does not match the public key
Attacker sends her own public key + signature
Verify should fail
Consider this Situation
Alice’s certificate, signed by CA; Bank.com certificate, signed by CA
Bank’s certificate
1. Attacker modifies public keys
2. Attacker replaces Bob’s certificate with his/her own
Consider this Situation
1. Attacker forwards fake certificate
2. Attacker replaces Bob’s certificate with his/her own
(What is the requirement to have a MIMA?)
Attacker Sends His/Her Own Certificate
• Attacker’s certificate is valid.
• Browser checks if the identity specified in the subject field of the certificate matches Alice’s intent.
• There is a mismatch: attacker.com ≠ example.com
• Browser terminates handshake protocol: MITM fails
Emulating an MITM Attack
• DNS attack is a typical approach to achieve MITM
• We emulate a DNS attack by manually changing the /etc/hosts file on the user’s machine to map example.com to the IP address of the attacker’s machine.
• On the attacker’s machine we host a website for example.com.
• We use the attacker’s X.509 certificate to set up the server
• The Common Name field of the certificate contains attacker32.com
• When we visit example.com, we get an error message.
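The steps of The Entire Process and the name check from Attacker Sends His/Her Own Certificate, as an added example (not the course's own commands): a throwaway CA issues certificates for example.com and attacker32.com, and a client checks the chain and then the name. The CA name "Model CA", the temporary directory and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example. "Model CA" and the function names are assumptions; keys are
# left unencrypted (-nodes) only so that the script runs without prompts.
WORK=$(mktemp -d)

# CA, step 1: key pair plus self-signed certificate.
setup_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Model CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# User: key pair and CSR. CA: check the CSR's self-signature, then sign it.
issue_cert() {  # $1 = common name requested
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null || return 1
  openssl req -in "$WORK/$1.csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
  openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 30 -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# True when issuer and subject are identical, as in a root CA certificate.
is_self_signed() {  # $1 = certificate file
  i=$(openssl x509 -in "$1" -noout -issuer); s=$(openssl x509 -in "$1" -noout -subject)
  [ "${i#*=}" = "${s#*=}" ]
}

# Client: chain check. $2 = CA file the client has registered ("" = none).
client_verify() {
  if [ -n "$2" ]; then openssl verify -CAfile "$2" "$1"
  else openssl verify "$1"; fi >/dev/null 2>&1
}

# Client: chain check plus a match of the intended host against the certificate.
client_verify_host() {  # $1 = certificate file, $2 = host the user intended
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

check() { if "$@"; then echo "pass $*"; else echo "fail $*"; fi; }

setup_ca && issue_cert example.com && issue_cert attacker32.com
check is_self_signed "$WORK/ca.pem"                              # pass
check client_verify "$WORK/example.com.pem" ""                   # fail: CA not registered
check client_verify "$WORK/example.com.pem" "$WORK/ca.pem"       # pass
check client_verify "$WORK/attacker32.com.pem" "$WORK/ca.pem"    # pass: chain is valid
check client_verify_host "$WORK/attacker32.com.pem" example.com  # fail: name mismatch
check client_verify_host "$WORK/example.com.pem" example.com     # pass
```

These certificates carry no subjectAltName, so `-verify_hostname` falls back to the Common Name, which is the field the slides compare.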
Attack Surfaces on PKI
Attack on CA’s Verification Process
• CA’s job has two parts:
  • Verify the relationship between certificate applicant and the subject information inside the certificate
  • Put a digital signature on the certificate
• Case study: Comodo Breach [March 2011]
  • Popular root CA.
  • The approval process in Southern Europe was compromised.
  • Nine certificates were issued to seven domains and hence the attacker could provide false attestation.
  • One of the affected domains (a key domain for the Firefox browser): addons.mozilla.org
Attack on CA’s Signing Process
• If the CA’s private key is compromised, attackers can sign a certificate with any arbitrary data in the subject field.
• Case Study: the DigiNotar Breach [June-July 2011]
  • A top commercial CA
  • Attacker got DigiNotar’s private key
  • 531 rogue certificates were issued.
  • Traffic intended for Google subdomains was intercepted: MITM attack.
• How CAs Protect Their Private Key
  • Hardware Security Module (HSM)
Attacks on Algorithms
• Digital certificates depend on two types of algorithms
  • one-way hash function and digital signature
• Case Study: the Collision-Resistant Property of One-Way Hash
  • At CRYPTO 2004, Xiaoyun Wang demonstrated a collision attack against MD5.
  • In February 2017, Google Research announced the SHAttered attack
    • Attack broke the collision-resistant property of SHA-1
    • Two different PDF files with the same SHA-1 hash were created.
• Countermeasures: use a stronger algorithm, e.g. SHA256.
Attacks on User Confirmation
• After verifying the certificate from the server, client software is sure that the certificate is valid and authentic
• In addition, the software needs to confirm that the server is what the user intends to interact with.
• Confirmation involves two pieces of information
  • Information provided or approved by user
  • The common name field inside the server’s certificate
• Some software does not compare these two pieces of information: security flaw
Attacks on Confirmation: Case Study
Phishing Attack on Common Name with Unicode
• Zheng found out that several browsers do not display the domain name correctly if the name contains Unicode.
• xn--80ak6aa92e.com is encoded using Cyrillic characters, but the domain name displayed by the browser looks like apple.com
• Attack:
  • Get a certificate for xn--80ak6aa92e.com
  • Get user to visit xn--80ak6aa92e.com, so the common name is matched
  • User’s browser shows that the website is apple.com. User can be fooled.
• Had the browser told the user that the actual domain is not the real apple.com, the user would stop.