Public Key Infrastructures (PKI)jain/cse571-09/ftp/l_12pki.pdf · Public Key Infrastructures (PKI)...
Transcript of Public Key Infrastructures (PKI)jain/cse571-09/ftp/l_12pki.pdf · Public Key Infrastructures (PKI)...
12-1©2009 Raj JainCSE571SWashington University in St. Louis
Public Key Infrastructures Public Key Infrastructures (PKI)(PKI)
Raj Jain Washington University in Saint Louis
Saint Louis, MO [email protected]
Audio/Video recordings of this lecture are available at:http://www.cse.wustl.edu/~jain/cse571-09/
12-2©2009 Raj JainCSE571SWashington University in St. Louis
OverviewOverview
PKI, X.509 and PKIXPKI Trust ModelsObject ID and X.509 PoliciesX.500 X.509 Certificate Fields and ExtensionsAuthorizations, Anonymous groups, Blind Signatures
12-3©2009 Raj JainCSE571SWashington University in St. Louis
What is PKI?What is PKI?
Infrastructure to find public keysS/MIME, PGP, SSL use asymmetric cryptography and make use of PKICertificate authoritiesStandards for certificates
12-4©2009 Raj JainCSE571SWashington University in St. Louis
X.509 and PKIXX.509 and PKIX
X.509 is the ISO standard for Certificate formatsPKIX is the IETF group on PKIPKIX adopted X.509 and a subset of its optionsPKIX is a "Profile" of X.509TLS, IPSec, SSH, HTTPS, Smartcard, EAP, CableLabs, use X.509
12-5©2009 Raj JainCSE571SWashington University in St. Louis
ConceptsConcepts
Subject: Whose certificate is it?Target: Whose certificate do we want?Relying Party: Who wants to check the certificateVerifier: Relying PartyIssuer: Who issued the certificate?Certification Authority: IssuerTrust Anchor: The CA that we trustRoot CA: Issuer = SelfPrincipal: Subject, Verifier, Issuer
12-6©2009 Raj JainCSE571SWashington University in St. Louis
PKI Trust ModelsPKI Trust Models
How Many CAs?Monopoly = OneOligarchy = ManyAnarchy = Any
How is the name space divided among CAs?Top-DownBottom-Up
12-7©2009 Raj JainCSE571SWashington University in St. Louis
Monopoly Model: Single Root CAMonopoly Model: Single Root CA
Registrars to check identityDelegated CAs
Issues:Single point of failureWhole world cannot trust just one organizationYou may not want internal principals to be certified by external CA
CA
CA CA
12-8©2009 Raj JainCSE571SWashington University in St. Louis
OligarchyOligarchy
Multiple Root CA'sUsed in browsersCan select which root CA's to trustNo Monopoly ⇒ Price efficient
CACA CA
CACA CA
CACA CA
12-9©2009 Raj JainCSE571SWashington University in St. Louis
Oligarchy ExampleOligarchy Example
12-10©2009 Raj JainCSE571SWashington University in St. Louis
Anarchy ModelAnarchy Model
User drivenUsed in PGPTrust Ring, Web of TrustVolunteer Databases
U2
U6 U3
U1
U5 U4
12-11©2009 Raj JainCSE571SWashington University in St. Louis
Name ConstraintsName Constraints
Which part of name space?1. Top Down:2. Bottom-Up:
Two-way certification: Parent → Child, Child → ParentCross links
12-12©2009 Raj JainCSE571SWashington University in St. Louis
Relative NamesRelative Names
H to J: Absolute: D/B/E/J or A/B/E/JRelative:../../E/J⇒ No changes required if the parents change name
A
B CD
I
E F G
H J K L M N O
12-13©2009 Raj JainCSE571SWashington University in St. Louis
OIDOID
Object IdentifierIdentify objects by a universally unique sequence of numbersSimilar to what is done in SNMP to name objects
12-14©2009 Raj JainCSE571SWashington University in St. Louis
Global Naming Hierarchy [SNMP]Global Naming Hierarchy [SNMP]
fddimib (73)
fddi (15)
dod (6)
internet (1)
directory (1) mgmt(2) experimental (3)private (4)
mib (1)
system (1) interfaces (2) transmission(10)
ccitt(0) iso (1) joint-iso-ccitt (2)
standard (0)
iso9314 (9314)
fddiMIB (1)
org (3)
fddi (8)
12-15©2009 Raj JainCSE571SWashington University in St. Louis
X.509 PoliciesX.509 Policies
Policies in X.509 are identified by OIDCompany XX.1 = Security LevelX.1.1 = ConfidentialX.1.2 = SecretX.1.3 = Public
12-16©2009 Raj JainCSE571SWashington University in St. Louis
X.509 RevocationsX.509 RevocationsCertificate Revocation Lists:
Too much work on the client Too much traffic on the net⇒ Not used
On-Line Revocation Server (OLRS):On-line Certificate Status Protocol (OCSP)RFC 2560Provides current informationSaves traffic on the netAlso allows chaining of OCSP responders
12-17©2009 Raj JainCSE571SWashington University in St. Louis
X.500X.500Series of standards covering directory servicesSimilar to white/yellow pagesDirectory Access Protocol (DAP) designed by ISOLightweight Directory Access Protocol (LDAP) designed by IETFLDAPv3 is RFC4510Each entry has a "Distinguished Name" and a set of attributesFormed by combining Relative distinguished namesX.500 Example: C= US, O=WUSTL, OU=CSE, CN=Raj JainDNS Example: [email protected]
12-18©2009 Raj JainCSE571SWashington University in St. Louis
X.509 Certificate FieldsX.509 Certificate FieldsVersion: X.509 Version 1, 2, or 3Serial Number: Certificate Serial #Signature: Signing algorithmIssuer:Validity:Subject: Issued toSubject Public Key Info: Algorithm/parameters, and Public KeyIssuer Unique Identifier: OID of the Issuer (not used)Subject Unique Identifier: OID of the subject (not used)Algorithm Identifier: Signature algorithm (again)Encrypted: SignatureExtensions: Only in Version 3. Specified by OID
12-19©2009 Raj JainCSE571SWashington University in St. Louis
X.509 ExtensionsX.509 ExtensionsAuthority Key Identifier: Serial # of CA's keySubject Key Identifier: Uniquely identifies the subjects key. Serial # or hash.Key Usage: Allowed usage - email, business, ...Private Key Usage Period: Timestamps for when key can be used (similar to validity)Certificate PoliciesPolicy Mappings: from Issuer's domain to subject's domainSubject Alt Name: Alternative name. DNS.Subject Directory Attributes: Other attributes
12-20©2009 Raj JainCSE571SWashington University in St. Louis
X.509 Extensions (Cont)X.509 Extensions (Cont)
Basic Constraints: Whether CA and length of chainName Constraints: Permitted and excluded subtreesPolicy Constraints: OIDsExtended Key Usage: Additional key usagesCRL Distribution Points:Inhibit Any Policy: “Any Policy” is not allowedFreshest CRL: How to obtain incremental CRLsAuthority Info Access: How to find info on issuersSubject Info Access: How to find info on subject
12-21©2009 Raj JainCSE571SWashington University in St. Louis
Sample X.509 CertificateSample X.509 CertificateInternet Explorer
12-22©2009 Raj JainCSE571SWashington University in St. Louis
X.509 Sample (Cont)X.509 Sample (Cont)
12-23©2009 Raj JainCSE571SWashington University in St. Louis
X.509 CRL FieldsX.509 CRL FieldsSignature: Signature Algorithm for this CRLIssuer: X.500 name of issuing CAThis Update: Time of this CRLNext Update: Time next CRL will be issuedFor each revoked Certificate:
User Certificate:Serial Number of revoked CertificateRevocation Date:CRL Entry Extensions: Reason code, etc.
CRL Extensions: optional informationAlgorithm Identifier: Repeat of signatureEncrypted: Signature
12-24©2009 Raj JainCSE571SWashington University in St. Louis
Entrusted CertificatesEntrusted Certificates
12-25©2009 Raj JainCSE571SWashington University in St. Louis
AuthorizationsAuthorizations
Access Control Lists: List of usersGroups: User provides certificate of membershipRole: User provides credentials
12-26©2009 Raj JainCSE571SWashington University in St. Louis
Anonymous GroupsAnonymous Groups
User could authenticate to group serverCertificate ⇒ the owner of the private key is a member of groupUser will need lots of public/private key pairsGroup servers need not know key/member associationGroup server can do a blind signature
12-27©2009 Raj JainCSE571SWashington University in St. Louis
Blind SignatureBlind Signature
Client wants server to sign a certificate CServer's public key is <e, n>Client picks a random number R and computes C(Re mod n)Server decrypts it with his private key Cd (Red) mod n = CdRClient just divides by R and gets Cd = Certificate signed by server
12-28©2009 Raj JainCSE571SWashington University in St. Louis
SummarySummary
PKIX is a profile of the X.509 PKI standardBrowsers have a built-in list of root CAs⇒ OligarchyX.509 uses X.500 names. DNS names in Alternate Name field.X.509 policies are specified using OIDs.OCSP is used to check revocationAuthorization is best done by user, group, role levelAnonymous group certification is possible. Blind signatures allow even the group server to not know the public key
12-29©2009 Raj JainCSE571SWashington University in St. Louis
Homework 12Homework 12
Read chapter 15 of the textbook.Study the root certificates in your Internet ExplorerFind the certificate for “Thawte Premium Server CA”
What is the X.500 name of the CA?What version of X.509 does this CA use?What are the two key usage of the certificates issued by this CA?
What is the title of RFC810?