public key infrastructure 101

Public Key Infrastructure 101

Mark L. Silverman, CISSPDHHS PKI Program Manager

December 7, 2005

2

A Riddle

You are standing in a room. On the wall are threetoggle light switches, clearly marked on/off and currently all in the off position. One of the switches controls a normal 100 watt table lamp, located in the room next door. It does not matter what the other two switches control. From your room, there is no waythat you can see the light from the lamp (no mirrors, extension cords, etc.).

By entering the room with the lamp only once, howcan you determine which switch controls the lamp?

3

Today’s Objectives

Why PKI Legislative Requirements E-Authentication HSPD-12

PKI Tutorial Cryptographic Overview SMIME and Digital Signatures PKI Components and Operations

HHS PKI Overview Certificate Issuance System Certificate Validation Service Obtaining HHS Digital Certificates

4

Today’s Objectives (continued)

Microsoft Outlook Configuring Sending signed/encrypted email Receiving signed/encrypted email

Signing with Adobe 7.0 Signing a MS Word Document Managing Certificates

Backup (Export) Copy/Restore (Import)

Web based authentication and signatures (LRA)

5

Why PKI?

6

Extended Trust

PKI is the only technology that extends trust beyond the enterprise with no a priori relationship between the trusted parties.

7

President’s Management Agenda

Agencies will undertake a Federal Public Key Infrastructure (PKI) to promote digital signatures for transactions within the federal government, between government and businesses and between government and citizens.

8

Federal PKI Drivers Government Paperwork Elimination Act (GPEA) 1998

Requires Agencies to accept transactions, and maintain records electronically, when practicable

Electronic Signatures in Global and National Commerce Act (E-Sign) 2000An electronic signatures can not be denied legal status.

E-Government Act of 2002Achieve interoperable implementation of electronic signatures for appropriately secure electronic transactions with Government. OMB to oversee implementation of electronic Government.

Memorandum Streamlining Authentication and Identity Management (OMB 7/03/03)Agencies will acquire PKI services from shared service providers (see also OMB M 05-05)

E-Authentication Guidance for Federal Agencies (OMB M-04-04 - 12/16/03)Ensure that authentication processes provide the appropriate level of assurance.SP 800-63 - Electronic Authentication Guideline

Policy for a Common Identification Standard for Federal Employees and Contractors (HSPD-12 – 8/27/04)Smartcard ID badge for logical access to Agency IT systems.FIPS 201 - Personal Identity Verification (PIV) of Federal Employees and Contractors

9

E-Authentication OMB M-04-04

PKI level 3 & 4

AnonymousAccess level 1

Web Pages Time Card

User IDPassword

level 2

Patient DataAu

then

tica

tio

n M

ech

anis

m

Business Processes

Potential Impact of Authentication Errors

1 2 3 4

Inconvenience, distress, reputation Low Mod Mod High

Financial loss or agency liability Low Mod Mod High

Harm to agency program or public interests

-- Low Mod High

Unauthorized release of sensitive information

-- Low Mod High

Civil or criminal violations -- Low Mod High

Personal safety -- -- Low Mod

E-Authentication Risk Assessment: http://www.cio.gov/eauthentication/documents/eraguide.pdf

10

Mandates new Federal ID Badge that is: Based on sound criteria to verify an individual employee’s identity Resistant to fraud, tampering, counterfeiting, and terrorist exploitation Rapidly verified electronically Issued only by providers whose reliability has been established by an official

accreditation process

Agencies shall, to the maximum extent practicable, require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.

FIPS 201 - Personal Identity Verification of Federal Employees and Contractors

PIV-1: Identity proofing process October 2005 PIV-2: Smartcard ID Badge October 2006

Homeland Security Presidential Directive 12Policy for a Common Id Standard for Federal Employees and Contractors

11

FIPS 201 PIV Process

AuthorizeLocal sponsor fills out applicant’s badge request form, which is then approved by an Authorizing Official and forwarded to the Registration Authority.

RegisterRegistration Authority checks applicant’s identity documents; obtains applicant’s photograph, fingerprints and other background check data. Background check must be completed before badge issuance.

Each step must be performed independently by different people.Entire process and support systems must be accredited.

IssueIssuing Authority verifies applicant against registrationdata. Then creates and issues badge.

UseBadge accepted / electronically validated by all Agencies.PIN / biometrics used for stronger physical authentication.PKI certificates used for logical authentication to IT systems.

PIV-1Oct 05

PIV-2Oct 06

Badge loaded with applicant’s biometrics (fingerprints and photograph), PIN and PKI certificate information.

12

Tutorial

13

Foundations of PKI

14

Cryptography

Science of secret (hidden) writing kryptos – hidden graphen –to write

Encrypt / encipher Convert plaintext into ciphertext

Decrypt / decipher Convert ciphertext into plaintext

15

Early Examples of Cryptography

Shift Algorithm3 characters

Ciphertext: HW WX EUXWH

Plaintext: ET TU BRUTE

Julius Caesar (49 BC) substitution cipher

Spartan Scytale – fifth century BC

16

Symmetric Key Cryptography

Dear Bob:

I am leaving you.Goodbye forever.

Alice

011100111001001110011100111001001110000111111

ciphertext

encrypt decrypt

Dear Bob:

I am leaving you.Goodbye forever.

Alice

Alice Bob

Computationally fast Data Encryption Standard (DES)

Block Cipher, 56 bit key Triple DES 112 bit key

Advanced Encryption Standard (AES) Rijndael Algorithm Belgian cryptographers, Joan Daemen and Vincent Rijmen. 128, 192, 256 bit keys

Same key used to encrypt and decrypt

17

Symmetric Encryption Issues

Key (shared secret) vulnerable to discovery

Need to share a unique secret key with each party that you wish to securely communicate N * (N – 1) Problem Key management becomes unmanageable

18

Asymmetric Key Cryptography

011100111001001110011100111001001110000111111

decrypt encryptBob:

Leave me alone! Carol

Bob:

Leave me alone!

Carol

011100111001001110011100111001001110000111111

decryptencrypt

Carol’sPublic Key

Carol’sPrivate Key

Dear Carol:Alice is gone. Now we can be together

Love, Bob

Two mathematically related keys Unable to derive one from the other Based upon hard problem

RSA - Integer Factorization (large primes) Diffie-Hellman - Discrete Logarithms ECES - Elliptic Curve Discrete Logarithm

Public Key Cryptography One public key published for all to see Other is private key kept secret by owner

Dear Carol:

Alice is gone. Now we can be together

Love, Bob

Bob

Carol

Works both ways Can encrypt with either key – decrypt with the other

19

Asymmetric Advantages

No shared secret key Public key is public

Can be freely distributed or published Key management is much easier

Private key known ONLY to owner Less vulnerable, easier to keep secret

Supports Non-repudiation Encrypt with sender’s private key (only known by

sender) Sender can not deny sending message Basis for digital signatures

20

Electronic Signatures

Electronic Signature != Digital Signature

Electronic Signatures in Global and National Commerce Act (E-Sign) defines:

The term ‘‘electronic signature’’ means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

21

Digital Signatures

A digital signature is a a type of electronic signature.It is a hash of a document encrypted with the author’s private key

Dear Mr. Bob:

We have asked theCourt to issue a restraining order against you to stayaway from Carol.

Sincerely,

Sue YewDewey, Cheatam & Howe, Law Firm

encrypt

Sue’sPrivate Key

01010111100001101011011110101111010111

DigitalSignature

0F47CEFFAE0317DBAA567C29

HashValue

HashFunction

Dear Mr. Bob:

We have asked theCourt to issue a restraining order against you to stayaway from Carol.

Sincerely,

Sue YewDewey, Cheatam & Howe, Law Firm

Sue

22

Validating a Digital Signature

Dear Mr. Bob:

We have asked theCourt to issue a restraining order against you to stayaway from Carol.

Sincerely,

Sue YewDewey, Cheatam & Howe, Law Firm

01010111100001101011011110101111010111

Sue’sPublic Key

0F47CEFFAE0317DBAA567C29

1. Re-compute the hash value2. Obtain the author’s public key

decrypt0F47CEFFAE0317DBAA567C29

3. Decrypt the original hash4. Compare hash values – if match signature is valid

Hash proves document unchanged integrity

Public key proves authorship non-repudiation

23

Asymmetric Issues

More computationally intensive 100x symmetric encryption

Generally not used to encrypt data Encrypt symmetric key (S/MIME) SSL session key

24

SMIME Encryption

Dear Carol:

I am still hoping when I get out of prison we can be together.

Love, Bob

encrypt

Carol'sPublic Key

encrypt011100111011001110010011100001

A032F17634E57BC43356743212b9c98FA29173425633A22201807732ECF13344567520ABCE4567CD

decrypt

Carol'sPrivate Key

decrypt

Dear Carol:

I am still hoping when I get out of prison we can be together.

Love, Bob

Bob Carol

Encrypted email uses the recipient's public key

25

Source of Public Key

Keys can be published anywhere Attached as a signature to e-mail

Pretty Good Privacy (PGP)

-----BEGIN PGP SIGNATURE-----Version: PGP 7.0.4

iQCVAwUBOx6SgoFNSxzKNZKFAQGK+gP6AnCVghZqbL3+rM5JMSqoC5OEYIkbvYZN92CL+YSCj/EkdZnjxFmU9+wGsWiCwxvs/TzSX6SZxlpG1bHFKf0OPu7+JEfJ7J5zcPCSqbFXiXzmukMl5KNx0p0veIDW4DmwleDpkmhT05qnCheweoNyvTSzfA1TGeLlmpjBi6zUjiY==Xq10-----END PGP SIGNATURE-----

26

But…

How do you know for sure who is the owner of a public key?

27

Public Key Infrastructure

Public Key Infrastructure (PKI) provides themeans to bind public keys to their owners and helps in the distribution of reliable public keys in large heterogeneous networks. NIST

The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke Public Key Certificates based on public-key cryptography. IETF PKIX working group

PKI is electronic identity management!

28

X509.V3 Digital Certificate

Issued by a TRUSTED third party Certificate Authority (CA)

Creates and digitally signs Certificates Issues Certificate Revocation Lists (CRLs) or

Online Certificate Status Protocol (OCSP) Identity Proofing done by Local Registration Authority

(LRA)

29

PKI Users

Subscribers Entity who obtains certificates from a CA

Person, device, application, etc. Owns private key associated with public key in

certificate Non-repudiation requires only subscriber has access to

private key CA may escrow private key used for encrypted email Owner must protect private key

Password Safer with hardware token / smart card

Relying Party Entity who receives digital certificate Trusts CA who attests to certificate holder’s identity

30

How Certificates are used

Relying Party A

Relying Party Bencrypts messageto Subscriber

010111102101

Subscriber signsmessage to A

Get Subscriber'sCertificate

Directory

Get CRL to ValidateCertificate

Private key

Certificate

31

SSL Server Authentication

WWW

1. Client sends https request to server

2. Server sends its certificate to the client

3. Client decides if certificate (and issuing CA) is trustworthy4. Client validates certificate

5. Client sends to server session key - encrypted with server’s public key 6. Server decrypts session key with its private key

7. Client – Server transactions are now encrypted with session key

1

2Trust Issuing CA?

3

ValidateCertificate

CRL

4

5 6

7

32

Ever See this?

What do you do?

33

Trusted Third Party

PKI is built upon the concept of the trusted third party (i.e., CA)

But, who are you going to trust?

34

Who do you Trust?

Everyone trusts their own CA (trust anchor) Trust all certificates issued by their CA

CA

George Martha Clark

Single CA model does not scale well Difficult to manage across large or diverse

user communities

35

Hierarchical PKI

CAs have superior-subordinate relationships Higher level CAs issue certificates to subordinate CAs Subordinate CA issues certificate to subscriber

Forms a certification path (aka certificate chain) Chain of certificates from subscriber to root CA Root CA is top-level, self-signed (i.e., certified) CA

36

Certificate Chain

Root CARoot CA

Certificate Info

Root Signature

Sub CARoot Signature

Subordinate CA

Certificate Info

Root CA's Private Key

Root CA's Private Key

Subordinate CA's Private Key

SubCA's Signature

Subscriber

Certificate Info

Subscriber's Signature

Text

DocumentSubscriber's Private Key

Self Signed

37

Relying Party Certification Path

Green CA

Yellow

Gold

Mark

Blue

Red

Phyllis

A relying party builds a certificate path from the other subscriber to the relying party’s trust anchor

Mark gets cert from Phyllis

1. Phyllis's cert signed by Red CA

2. Red's cert signed by Blue CA

3. Blue's cert signed by Green CA

Green CA is Mark's trust anchor,therefore Mark trust's Phyllis's cert

38

What about other CAs?

How do you know if you can trust the CA?

Then, how much do you trust them?

39

Trust Lists

Commercial CAs often come pre-loadedWhy and how much do you trust a CA?

40

PKI Policies

Certificate Policy (CP) High level document Describes security policy for operating the CA Defines roles and responsibilities

How CA will be managed How registration will be performed (i.e., identity proofing

requirements) How subscribers use and handle their certificates and keys

Certification Practices Statement (CPS) Detailed document Describes mechanisms and procedures followed by CA to

meet the requirements of their CP Effectively the CA's operations manual.

Together, Determines Assurance Level How much you should trust the CA’s certificates

PKI CP

CPS

PKI CP

CPS

41

However….

Users generally don’t examine policies

Most users just click YES

to trust CA

for expediency

42

Cross-Certified PKIs Peer-to-peer trust relationship

Between CAs or hierarchical PKI root CAs CAs review polices and issue certificates to each

other Advantages

CAs are organizationally independent Have independent policies

CA compromise does not effect others

Disadvantages Can form a MESH PKI CA needs to maintain multiple relationships

with other CAs Hard to build certification path

Multiple possible paths Loops and dead ends

Green CA Blue CA

Gold CA Red CA

Mark Phyllis

43

Bridge PKI Architecture

Bridge is trust arbitrator Only cross-certifies with other

CAs Relationships still peer-to-peer

Bridge is NOT a root CA Certification path construction is

much easier Bridge does all policy

management Less work for the CAs Maintains list of revoked CAs

(CARL)

Green CA Blue CA

Gold CA Red CA

Mark Phyllis

BridgeCA

44

Federal Bridge Certificate Authority

NFCPKI

HigherEd

BCA

NASAPKI

DOD PKI

Illinois PKI

University PKI

CANADA PKI

HospitalPKI

HealthCareBCA

All trust relationships handled by bridge CA

45

In HHS CA we Trust

DST is cross-certified with the FBCA DST root is preloaded in browser/outlook trust lists DST/ACES part of Federal PKI HHS Certificates issued by Digital Signature Trust, (a

commercial CA under GSA ACES) Trusted TLS (SSL) certificates also available

46

HHS PKI Program

47

Project Goals

PKI

Maintain and operate a public key infrastructure (PKI) to issue digital certificates to HHS entities (e.g., staff, applications, devices).

CAI

Maintain and operate a certificate acceptance infrastructure (CAI) to validate the certificates that we receive from inside and outside HHS.

PKE

Assist in PK-enabling (PKE) HHS business processes.

48

Subscriber follows URL to web page and enters their pass phrase

Pass phrase

SSL

Certificate Issuance System

Edith EntityHHS/NIH/CITBldg 66, Room 99(301) 495-7734eenity@nih.gov

Edith Entity

Edith EntityHHS/NIH/CITBldg 66, Room 99(301) 495-7734eenity@nih.gov

Edith EntitySubscriber prints (bar-coded) registration form

Email sent to subscriberSubscriber

data

Validated subscriber is redirected to CA along with subscriber’s data

AD record is downloaded

DirectoryRecord

AD

Subscriber’s data stored in RA database Subscriberdata

RA App

Subscriber selects pass phrasePass phrase

Subscriber goes to registration web site enters MS credentials

LoginSSL

LRA scans form, validates informationand approves subscriber

Approval

Data

SSL

Subscriber takes form to LRA.Border

Directory

Certificates downloaded to subscriber’s browser and posted into Border Directory (and subsequently imported into AD)

49

Certificate Validation Service

PKE

1. Application receives certificate

1

2. PKI-enabled applications calls CAM

2

OTHERPKI

d. Other CAs trusted through FBCA

3d

3a

HHSPKI

3. CAM validates certificate with:a. HHS CA (DST)

b. Other ACES CAs

3b

TrustedPKI

c. Other CAs directly trusted by HHS

3c

4. CAM logs validation to meet GPEA/NARA electronic records requirements

4

50

Putting it all together

SSL

Subscriber

CRLs

Relying Party A

EncryptedEmail

CertificateStatus

FBCA

Relying Party B

Digitally Signed Document

Archive

CertificateRecords

Signature Validation records

Subscriber

Cross-Certification

TLS Reg Staff RegBorder

Directory Certificate Status Information to other PKIs

Signed Documents

From other PKIs

Other PKI

CertificateStatus

+

+

51

Obtaining your HHS Certificate

52

Request Your Certificates

53

Identify Yourself

54

ActiveX Requirements

55

Review Steps

56

Identify your Employer

57

Verify Your Information

If incorrect, see your local system administrator

58

Pick One-Time Pass phrase

You will need this pass phrase to get your certificates in the last step

59

Download/Print Request Form

Click here to download form

60

PKI Certificate Request Form

Notary information is ONLY collected if can not appear in-person before LRA

Second form of ID is needed ONLY if Federal badge doesn’t have unique ID number

Photocopy Governmentpicture ID onto form

Don’t sign / date until you are before an LRA

Contractors need customer’s signature(e.g., PM, AO)

61

Take Completed Form to LRA

62

Enabling ActiveX

Tools -> Internet Options -> Security

63

Email Notification

Click on this URL to obtain your certificates

64

Enters Pass Phrase

If you forgot your passphrase, you will need to repeat the form creation and LRA process

Enter pass phrase

65

Install Active-X Module

Click YES to install. Some “locked down”desktops may (currently) require system admin. support

66

Review & Accept Subscriber Agreement

Check this box

67

Download Instructions

Click link to download PDF

Click box

Then click next

68

Begin Retrieval Process

Click

69

Microsoft Warning

Click YES

70

Change Security Level

You MUST click here to set security level to HIGH

in order to password protect your private key

71

Set Security Level to High

Check HIGHThen click Next

72

Set Password for Private Key

You must REMEMBER this password. It can not be reset by an administrator.

73

Click OK to Save Setting

After setting security level to HIGH

You may now click OK

74

Processing...

75

Review Your Certificates

76

Download Encryption Certificate

77

Repeated Microsoft Warning

Click YES

78

Repeat Setting Security Level to High

79

Set Encryption Password

You may use the SAME password you entered for your signing Certificate

80

Certificate Download Complete

81

Configuring Outlook

Tools → Options

82

Tools → Options → Security → Settings…

Click Settings

Security tab

83

Specify Signing Certificate

Specify ANY name you like

ClickChoose

84

Select DST ACES Certificate

If more than one pick Certificate issued byDST ACES Federal Employee CA

85

Specify Encryption Certificate

ClickChoose

86

Publish to GAL

87

Enter Certificate Password

You will be prompted to enter your password each time you use your certificate

Do NOT Check

88

Using Your Certificates

89

Sending Signed/Encrypted Email

90

If using Microsoft Office Word to edit e-mail messages

Message Options

91

Security Settings

92

Send

NEVER

Enter PKI private key password to sign email

93

Receiving Secure Email

94

Click Ribbon for Details

Lock showsMessage was

encrypted

95

Add Buttons to toolbar

Uncheck to set to default

message editor

96

Configure Message Editor

Buttons automatically migrate to Word editor as well

97

Adobe 7.0

98

Create Adobe Signature

99

Position Adobe Signature

100

Select Certificate

101

Specify Reason for Signature

102

Private Key Password

NEVER

103

First Time – May not be Trusted

104

Enable Windows Trust

105

Validate Signature

Right Click

106

Add Trusted CA (Macintosh)

Right Click

107

Signing a Word Document

108

Signed Document

DoubleClick

109

Managing Your Certificates

110

Export (backup/move)

111

Pick First Certificate

112

Specify File and Password

This is a NEW password to protect the FILE!

Filename

Password

113

Enter Certificate Password

This is the OLD password used to protect your private key

114

Repeat for Second Certificate

115

Import Certificate

Filename andpasswordfrom export

Must enter aname. Useany name you like.

116

Set Security Level to High

Import/export is way to password protect private key if you failedto set security level when initially obtaining your certificates.

117

Create New Password

This is the password to protect your private key.

118

Repeat for Second Certificate

119

Internet Explorer

120

Tools → Internet Options → Content…

Content Tab

ClickCertificates….

121

Can Export/Import/Delete

122

LRA Subscriber Registration

123

HHS PKI LRA Home Page

124

Certificate Authentication

125

First Time Download

126

LRA Management Page

127

Collect Registration Data

128

Approve Request

129

Registration Complete

130

Questions

Answers: http://www.pki.hhs.govhttp://www.pki-page.org/http://www.rsasecurity.com/rsalabs/faq/http://csrc.nist.gov/pki/mls@nih.gov