Public Key Infrastructure Levi Broderick April 18, 2006 05-899 / 17-500 – USABLE PRIVACY &...
-
date post
15-Jan-2016 -
Category
Documents
-
view
218 -
download
0
Transcript of Public Key Infrastructure Levi Broderick April 18, 2006 05-899 / 17-500 – USABLE PRIVACY &...
Public Key Infrastructure
Levi Broderick
April 18, 2006
05-899 / 17-500 – USABLE PRIVACY & SECURITY – CRANOR, HONG, REITER
The need for PKI
Meet Alice. She has a secret that she wants to send to Bob.
Meet Bob. He looks forward to talking with his good friend Alice.
The need for PKI
Alice and Bob can use a secret key (symmetric cryptography) to communicate over the public channel.
They must have agreed on this key in advance.
100110
The need for PKI
But what if Alice and Bob had never spoken before? Can Alice still send him a secure communication?
This is the primary focus of PKI.
??????
?
Communication under PKI
Both Alice and Bob have their own individual private and public keys signed by a certificate authority. The CA might be an employer, Verisign, or some other
organization.
Communication under PKI
All communicating parties must have each others’ public keys.
Public keys must have a common ancestor to be considered valid. Alternatively, some PKI implementations (Lotus Notes,
Groove Virtual Office, etc.) allow CAs outside the local network to be individually trusted.
Communication under PKI
Company XYZ
Mary Jane AllenDevelopment dept. head
Linda ClayMarketing dept. head
Freddy HaleSupervisor
Ulysses ApplegateSupervisor
Peter Jacobson Jill Tyson
Tyrone KingSupervisor
Kenneth Blue Sheryl Song Jordan Lewis
Jason PetersAsst. Supervisor
Peter and Ulysses can communicate since they share Mary Jane as an ancestor.
Jill and Sheryl can communicate since they share a root element.
Communication under PKI
The public key is used for encryption and digital signature verification.
The private key is used for decryption and the creation of digital signatures.
100110
Bob’s public keyAlice’s public key
X.509 certificates
ITU-T standard for PKI V3 described in RFC 3280
Certificate authority issues binding certificate between public key and name (URI, email, etc.)
Includes validation and revocation policy Certificate Revocation List (CRL) Online Certificate Status Protocol (OCSP)
X.509 certificates
V3 certificate includes: Issuing agency information Subject information Period of validity . . . Cryptographic signature
For root CAs, the issuing agency and the subject of the certificate are the same.
X.509 certificates
amazon.com
name publickey
X.509certificate
X.509 hierarchy
GTE Cybertrust Global Root
Comodo Class 3 Security Services CA
www.cmu.edu
Microsoft Internet Authority
Microsoft Secure Server Authority
www.microsoft.com update.microsoft.com
www.buy.com(a248.e.akamai.net)
issuer
subject
And a demonstration . . .
Non-repudiation
Non-repudiation and repudiation of signatures involved in legal practice for untold generations.
Traditional paper signatures may be repudiated: False signature Real signature, but extenuating circumstances
Unconscionable conduct / inequality of bargaining power Fraud Undue influence, or signature made under duress
Source: http://firstmonday.org/issues/issue5_8/mccullagh/index.html
Non-repudiation
Increasing legislation to allow digital signatures to serve as legally binding.
Non-repudiation as applied to digital signatures: Provides proof of the integrity and origin of data, both
unforgeable, which can be verified by any third party at any time.
An authentication that with high assurance can be asserted to be genuine and that cannot subsequently be refuted.
Thoughts? Comments?
Source: http://firstmonday.org/issues/issue5_8/mccullagh/index.html
Non-repudiation
Carl Ellison speaks out:
It is not achievable. The private key provided the signature, not the human. No provable link exists between the person and the
computer.
It is counter to consumer protection law. Transfers liability from the merchant to the consumer. Corollary: E-commerce will suffer since repudiation
guaranteed by creditors becomes nonexistent.
Source: http://world.std.com/~cme/non-repudiation.htm
Non-repudiation
Carl Ellison continues to speak out:
It circumvents contract practice and law. When does the user ever publicly acknowledge that he
stands behind the signatures created with the private key?
It conflicts with good key management. If there exists no audit log, the user is likely to discover a
compromised key when another party in a transaction reveals use of the key and demands further action.
Source: http://world.std.com/~cme/non-repudiation.htm
X.509 certificate revocation
Sometimes a certificate needs to be invalidated before its natural expiration date Private key compromised Employee fired from company issuing certificate
Two main ways to revoke an X.509 certificate: Certificate Revocation List (CRL) Online Certificate Status Protocol (OCSP)
CRLs
Requires database of all invalidated, unexpired certificates. Verifier queries this database whenever he wants to see
whether a certificate has been revoked.
Two models Pull model: Verifier downloads CRL from CA as needed. Push model: CA sends CRL to verifiers at regular
intervals.
Problems?
Source: http://www.rsasecurity.com/rsalabs/node.asp?id=2283
CRLs
Problems similar to blacklists with credit card companies Database is periodically pruned, but still very large Time delay between certificate being revoked and
revocation being published in CRL
Widely-used CRLs have too many verifiers to be able to effectively use the “push” method.
Susceptible to DOS attacks Is the software default to accept or reject the certificate?
Sources: 18-730 (Reiter), http://www.imc.org/ietf-pkix/old-archive-01/msg02256.html
OCSP
RFC 2560
Request / response protocol Verifier receives up-to-the-minute status info
Status list parsed server-side Responder only sends back relevant info, reducing traffic Responder may require requests to be signed
Allows for billing mechanisms to be put into place
Still vulnerable to DOS attacks
Source: http://www.openvalidation.org/whatisocsp/whatocsp.htm
Encrypting email with PKI
Lotus Notes/Domino makes it easy to encrypt messages because of its use of PKI.
Encrypting email with PKI
If the key exists locally, encrypt and send the message.
If not, contact LDAP server and download key.
Encrypting email with PKI
If key is signed by the CA, not revoked, and owner is correct: Save to local keyring Encrypt message and send
If incorrect owner, revoked, or unsigned, error out.
Encrypting email with PKI
Behind-the-scenes look & demonstration . . .
Problems with PKI
System was originally envisioned as encompassing entire globe. Would require one root CA or a specific and unchanging
list for each government. Governments are fickle and don’t like to trust each other.
Additionally, Balfanz, Durfee, and Smetters identify four usability problems with PKI.
Problems with PKI
Public-key cryptography is counterintuitive. What on earth are public and private keys? What is a certificate?
PKI seems too far removed from application goals. Users do not understand how their tasks require PKI.
PKI tasks are too cumbersome.
Large CAs run into naming collisions. Users shoulder the burden of ensuring that the person they’re
looking up is indeed the person they want.
Source: Security and Usability, ch. 16.
SPKI (Simple PKI)
Similar to X.509, but names are local rather than global.
Certificates are used to bind authorizations rather than identities to public keys.
Possible uses (from RFC 2692): Grants permission to write electronic checks. Digital marriage license / divorce decree. DC Metro farecard Proof of degree earned (M.D., Ph.D., etc.) Permission to issue nuclear launch codes
Thoughts?
Source: http://theworld.com/~cme/html/spki.html
PGP’s Web of Trust
Public / private keys with an attached name, email address, and optional photo.
No centralized CA to sign keys. PGP users sign keys when they’ve verified the owner’s identity,
so in essence each PGP user is acting as a CA. Your trust of a public key is related to how many signing “hops”
you are away from that key and how much you trust each signer along the route.
Decentralized key distribution – users send keys. Key servers have popped up to fill the role of the CA in key
distribution.
PGP’s Web of Trust
PGP’s Web of Trust
PGP’s Web of Trust
Makes key management issues very apparent Web of trust depends on end users verifying and signing large
quantities of keys.
Does a user understand what type of commitment he makes by signing a key?
Just how much trust is placed in a key 3 hops away? What about 4 hops? Trust disappears after a default of 2 hops, maximum 8 hops
(PGP 9.0).
Thoughts?
Robot CAs
Public / private keys without a central CA.
Robot is a trusted, neutral third party whose signatures provide some validation for email addresses:
1. User uploads public key to robot CA.
2. Robot signs key and sends encrypted signature to email address present in public key.
3. Recipient decrypts message to retrieve signed key, then redistributed public key with robot’s signature attached.
Effectively invalidates signatures on keys not belonging to the email addresses listed for them.
Source: http://jameshoward.us/Robot_Certificate_Authority
Robot CAs
Attempts to solve some of the key management issues in PGP:
If key verifier’s software automatically places trust in the robot’s signature, then keys can be downloaded from a key server automatically by the email client.
Burden is on the key creator to get the key signed by robot.
Process can probably be automated even at the creation end with the right software.
Thoughts?
The fun part!
Groove Virtual Office demo . . . www.groove.net