Public Key Distribution (and Certifications)
Lecture 12 (Chapter 15 in KPS)
keldefra/teaching/fall2016/uci...

A Typical KDC-based Key Distribution Scenario
(KDC = Key Distribution Center; E_K[X] = encryption of X with key K)

(1) A → KDC: Request | B | N1
(2) KDC → A: E_Ka[Ks | Request | N1 | E_Kb(Ks, A)]
(3) A → B: E_Kb[Ks, A]
(4) B → A: E_Ks[A, N2]
(5) A → B: E_Ks[f(N2)]

Notes:
• Msg 2 is tied to Msg 1
• Msg 2 is fresh/new
• Msg 3 is possibly old*
• Msg 1 is possibly old (KDC doesn't authenticate Alice)
• Bob authenticates Alice
• Bob authenticates KDC
• Alice DOES NOT authenticate Bob

Public Key Distribution
• General Schemes:
  • Public announcement (e.g., in a newsgroup or email message)
    • Can be forged
  • Publicly available directory
    • Can be tampered with
  • Public-key certificates (PKCs) issued by trusted off-line Certification Authorities (CAs)

Certification Authorities
• Certification Authority (CA): binds public key to a specific entity
  • Each entity (user, host, etc.) registers its public key with CA.
  • Bob provides "proof of identity" to CA.
  • CA creates certificate binding Bob to this public key.
  • Certificate containing Bob's public key digitally signed by CA:
    CA says: "this is Bob's public key"

[Figure: Bob's public key PK_B and Bob's identifying information are fed into a digital signature computed with the CA's private key SK_CA; the result is the certificate for Bob's public key, signed by the CA.]

• When Alice wants to get Bob's public key:
  • Get Bob's certificate (from Bob or elsewhere)
  • Using CA's public key verify the signature on Bob's certificate
  • Check for expiration
  • Check for revocation (we'll talk about this later)
  • Extract Bob's public key

[Figure: the digital signature on the certificate is verified with the CA's public key PK_CA, yielding Bob's public key PK_B.]

A Certificate Contains
• Serial number (unique to issuer)
• Info about certificate owner, including algorithm and key value itself (not shown)
• Info about certificate issuer
• Valid dates
• Digital signature by issuer

Reflection Attack and a Fix
• Original Protocol
  1. A → B: rA
  2. B → A: {rA, rB}_K
  3. A → B: rB
• Attack
  1. A → E: rA
  2. E → A: rA            : Starting a new session
  3. A → E: {rA, rA'}_K   : Reply to (2)
  4. E → A: {rA, rA'}_K   : Reply to (1)
  5. A → E: rA'
• Solutions?
  • Use 2 different uni-directional keys k'' (A → B) and k' (B → A)
  • Remove symmetry (direction, msg identifiers)

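The reflection attack and the uni-directional-key fix, simulated as an added Go example (not from the lecture): `respond` is step 2 of the protocol and `accept` is the initiator's check on the reply. The `{...}_K` encryption is stood in for by AES-GCM and the challenges are 16-byte nonces; both are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// random returns n fresh random bytes (used for challenges and nonces).
func random(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// seal and open model {m}_K with AES-GCM (k must be 16, 24 or 32 bytes), nonce prepended.
func seal(k, m []byte) []byte {
	blk, _ := aes.NewCipher(k)
	g, _ := cipher.NewGCM(blk)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, m, nil)
}

func open(k, c []byte) ([]byte, bool) {
	blk, _ := aes.NewCipher(k)
	g, _ := cipher.NewGCM(blk)
	m, err := g.Open(nil, c[:g.NonceSize()], c[g.NonceSize():], nil)
	return m, err == nil
}

// respond is step 2 of the protocol: a key holder answers challenge r with {r, r'}_k, r' fresh.
func respond(k, r []byte) []byte {
	return seal(k, append(append([]byte{}, r...), random(16)...))
}

// accept is the initiator's check of the reply: it must open under k and echo its own challenge.
func accept(k, rA, reply []byte) bool {
	m, ok := open(k, reply)
	return ok && len(m) == 32 && bytes.Equal(m[:16], rA)
}

// reflection replays the attack from the slide. Alice answers challenges (as responder) under
// kAtoB and checks answers to her own challenges under kBtoA. With a single shared key K both
// are K, so Eve can open a second session with Alice's own rA and hand Alice's answer back.
func reflection(kAtoB, kBtoA []byte) bool {
	rA := random(16)                // 1. A -> E: rA
	reply := respond(kAtoB, rA)     // 2. E -> A: rA   3. A -> E: {rA, rA'} (Alice answering as responder)
	return accept(kBtoA, rA, reply) // 4. E -> A: {rA, rA'} replayed; true means Alice accepts it
}
```

With k'' = k' = K the reflected reply is accepted; with two different uni-directional keys it is rejected while an honest run under k' still succeeds.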
Interleaving Attacks
• Protocol for Mutual Authentication
  1. A → B: A, rA
  2. B → A: rB, {rB, rA, A}_SKB
  3. A → B: rA', {rA', rB, B}_SKA
• Attack
  1. E → B: A, rA
  2. B → E: rB, {rB, rA, A}_SKB
  3. E → A: B, rB
  4. A → E: rA', {rA', rB, B}_SKA
  5. E → B: rA', {rA', rB, B}_SKA
• Attack due to symmetric messages (2), (3)

X.509 Authentication & Key Distribution Protocols

One-way (A → B):
  1. A → B: { t_a, r_a, B, other, [K_ab]_PKB }_SKA

Two-way (A → B):
  1. A → B: { t_a, r_a, B, other, [K_ab]_PKB }_SKA
  2. B → A: { t_b, r_b, A, r_a, other, [K_ba]_PKA }_SKB

Three-way (A ↔ B):
  1. A → B: { t_a, r_a, B, other, [K_ab]_PKB }_SKA
  2. B → A: { t_b, r_b, A, r_a, other, [K_ba]_PKA }_SKB
  3. A → B: { r_b }_SKA

Lessons Learned?
• Designing secure protocols is hard. There are many documented failures in the literature.
• Good protocols are already standardized (e.g., ISO 9798, X.509, ...) – use them!
• The problem of verifying security gets much harder as protocols get more complex (more parties, messages, rounds).

Merkle's Puzzles (1974)

Alice:
  for 0 < i < 2^n = N:
    X_i, Y_i -- random secret keys
    index_i = random (secret) value
    Puzzle P_i = { index_i, X_i, S }_{Y_i}
  S -- fixed string, e.g., "Alice to Bob"

Alice → Bob: { P_i | 0 < i < 2^n }

Bob:
  Pick random j, 0 < j < 2^n
  Select P_j
  Break Y_j by brute force
  Obtain { index_j, X_j, S }

Bob → Alice: index_j

Alice:
  Look up index_j
  Obtain X_j

Encrypted communication with X_j

? Is security computational or information theoretic?

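Merkle's puzzles as an added Go example (not from the lecture): Alice's puzzle generation and Bob's brute-force solving, with deliberately small parameters so it runs in under a second. The 16-bit puzzle keys, the 8-byte random index, and the toy cipher (XOR with SHA-512(Y) standing in for `{...}_Y`) are assumptions of the example; Alice's lookup of index_j is the table returned by `makePuzzles`.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
)

// Puzzle body layout: index_i (8 random secret bytes) || X_i (16-byte session key) || S.
// Each puzzle key Y_i is only 16 bits, so breaking one puzzle costs Bob about 2^16 trials.
const idxLen, keyLen, yBytes, S = 8, 16, 2, "Alice to Bob"

// encrypt models {m}_Y as m XOR SHA-512(Y) for bodies up to 64 bytes (toy cipher; decrypt = encrypt).
func encrypt(y, m []byte) []byte {
	ks := sha512.Sum512(y)
	out := make([]byte, len(m))
	for i := range m {
		out[i] = m[i] ^ ks[i]
	}
	return out
}

// makePuzzles is Alice's step: P_i = {index_i, X_i, S}_{Y_i}, plus her private table index_i -> X_i.
func makePuzzles(n int) (puzzles [][]byte, table map[string][]byte) {
	table = make(map[string][]byte, n)
	for i := 0; i < n; i++ {
		body := make([]byte, idxLen+keyLen+len(S))
		rand.Read(body[:idxLen+keyLen]) // random secret index_i and random session key X_i
		copy(body[idxLen+keyLen:], S)
		table[string(body[:idxLen])] = body[idxLen : idxLen+keyLen]
		y := make([]byte, yBytes) // the deliberately weak puzzle key Y_i
		rand.Read(y)
		puzzles = append(puzzles, encrypt(y, body))
	}
	return puzzles, table
}

// solve is Bob's step: break Y_j by trying all 2^16 keys, recognising the right one by S.
// It returns index_j (which Bob sends back to Alice in the clear) and the session key X_j.
func solve(p []byte) (index string, x []byte, ok bool) {
	y := make([]byte, yBytes)
	for i := 0; i < 1<<(8*yBytes); i++ {
		binary.BigEndian.PutUint16(y, uint16(i))
		m := encrypt(y, p)
		if bytes.Equal(m[idxLen+keyLen:], []byte(S)) {
			return string(m[:idxLen]), m[idxLen : idxLen+keyLen], true
		}
	}
	return "", nil, false
}
```

Bob's work is one brute force of 2^16 trials, Alice's is N encryptions, and an eavesdropper who does not know j has to solve puzzles until index_j turns up, on average N/2 of them.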
PK-based Needham-Schroeder

1. A → TTP: A, B
2. TTP → A: {PKb, B}_SKT
3. A → B: [Na, A]_PKb
4. B → TTP: B, A
5. TTP → B: {PKa, A}_SKT
6. B → A: [Na, Nb]_PKa
7. A → B: [Nb]_PKb

Here, TTP acts as an "on-line" certification authority (CA) and takes care of revocation

What If?
• Alice and Bob have:
  • No common mutually trusted TTP(s)
  • and/or
  • No on-line TTP(s)

Public Key Infrastructure (Distribution)
• Problem: How to determine the correct public key of a given entity
  • Binding between IDENTITY and PUBLIC KEY
• Possible Attacks
  • Name spoofing: Eve associates Alice's name with Eve's public key
  • Key spoofing: Eve associates Alice's key with Eve's name
  • DoS: Eve associates Alice's name with a nonsensical (bogus) key
• What happens in each case?

Public Key Distribution
• Diffie-Hellman (1976) proposed the "public file" concept
  • universally accessible
  • no unauthorized modification
  • not scalable!

Public Key Distribution
• Popek-Kline (1979) proposed "trusted third parties" (TTPs) as a means of PK distribution:
  • Each organization has a TTP that knows public keys of all of its constituent entities and distributes them on-demand
  • On-line protocol like the one we already saw
  • TTP = single point of failure
  • Denial-of-Service (DoS) attacks

Certificates
• Kohnfelder (BS Thesis, MIT, 1978) proposed "certificates" as yet another public-key distribution method
• Certificate = explicit binding between a public key and its owner's (unique!) name
• Must be issued (and signed) by a recognized trusted Certificate Authority (CA)
• Issuance done off-line

Authenticated Public-Key-based Key Exchange (Station-to-Station or STS Protocol)

Alice:
  Choose random v
  Compute y_a = α^v mod p

Alice → Bob: y_a

Bob:
  Choose random w
  Compute y_b = α^w mod p
  Compute K_ab = (y_a)^w mod p
  Compute SIG_bob{ y_a, y_b }

Bob → Alice: y_b, CERT_bob, SIG_bob{ y_a, y_b }

Alice:
  Compute K_ab = (y_b)^v mod p
  Compute SIG_alice{ y_a, y_b }

Alice → Bob: CERT_alice, SIG_alice{ y_a, y_b }

Certificates
• Procedure
  • Bob registers at local CA
  • Bob receives his certificate:
    { PKB, IDB, issuance_time, expiration_time, etc., ... }_SKCA
  • Bob sends certificate to Alice
  • Alice verifies CA's signature
    • PKCA hard-coded in software
  • Alice uses PKB for encryption and/or verifying signatures

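The issuance and verification steps described on the Certification Authorities slides and in the Procedure above, as an added Go example built on the standard library's crypto/x509 (not from the lecture): the CA binds Bob's name to PK_B and signs it with SK_CA; Alice checks the signature and the validity dates against the CA certificate she already trusts and then extracts PK_B. The names ("Example CA", "Bob"), the five-year CA lifetime and the use of Ed25519 keys are assumptions of the example; revocation checking is left out, as the slides defer it.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template is the certificate body (serial, owner name, validity dates); key and signature are added by sign.
func template(serial int64, name string, from, until time.Time, isCA bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: from, NotAfter: until, IsCA: isCA, BasicConstraintsValid: isCA,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature} // one helper serves CA and leaf
}

// sign is the issuer's step: bind pub to the body in tmpl and sign it with the issuer's
// private key. For a self-signed root, parent is tmpl itself and priv is the root's own key.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, priv ed25519.PrivateKey) []byte {
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	return der
}

// newCA makes the CA's self-signed root certificate (assumed five-year lifetime).
func newCA(now time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := template(1, "Example CA", now, now.AddDate(5, 0, 0), true) // constructed name
	ca, _ := x509.ParseCertificate(sign(tmpl, tmpl, pub, priv))
	return ca, priv
}

// verifyAndExtract is Alice's step: verify the CA's signature and the validity period against
// the CA certificate she already trusts (PK_CA "hard-coded in software"), then extract PK_B.
// Revocation checking is not shown; the slides defer it too.
func verifyAndExtract(certDER []byte, ca *x509.Certificate, now time.Time) (crypto.PublicKey, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err // bad signature, unknown issuer, or outside the validity period
	}
	return cert.PublicKey, nil
}
```

Bob's certificate is `sign(template(2, "Bob", from, until, false), ca, pkB, skCA)`; a certificate that has expired, was signed by a different CA, or was altered after signing makes `verifyAndExtract` return an error instead of a key.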
Who Issues Certificates?
• CA: Certification Authority
  • e.g., GlobalSign, VeriSign, Thawte, etc.
  • look into your browser...
• Trustworthy (at least to its users/clients)
• Off-line operation (usually)
• Has its own well-known long-term certificate
• May store (as backup) issued certificates
• Very secure: physically and electronically

How does it work?
• A public/private key-pair is generated by user
• User requests certificate via a local application (e.g., web browser)
  • Good idea to prove knowledge of private key as part of the certificate request. Why?
• Public key and owner's name are usually part of a certificate
• Private keys only used for small amount of data (signing, encryption of session keys)
• Symmetric keys (e.g., RC5, AES) used for bulk data encryption

Certification Authority (CA)
• CA must verify/authenticate the entity requesting a new certificate.
• CA's own certificate is signed by a higher-level CA. Root CA's certificate is self-signed and its name is "well-known."
• CA is a critical part of the system and must operate in a secure and predictable way according to some policy.

Who needs them?
• Alice's certificate is checked by whomever wants to:
  1) verify her signatures, and/or
  2) encrypt data for her.
• A signature verifier (or encryptor) must:
  • know the public key of the CA(s)
  • trust all CAs involved
• Certificate checking is: verification of the signature and validity
  • Validity: expiration + revocation checking

Verifying a Certificate (assuming Common CA)
To be covered later

BTW:
• Certificate Types
  • PK (Identity) certificates
    • Bind PK to some identity string
  • Attribute certificates
    • Bind PK to arbitrary attribute information, e.g., authorization, group membership
  • We concentrate on former

What are PK Certificates Good For?
• Secure channels in TLS/SSL for web servers
• Signed and/or encrypted email (PGP, S/MIME)
• Authentication (e.g., SSH with RSA)
• Code signing!
• Encrypting files (EFS in Windows)
• IPSec: encryption/authentication at the network layer

Components of a Certification System
• Request and issue certificates (different categories) with verification of identity
• Storage of certificates
• Publishing/distribution of certificates (LDAP, HTTP)
• Pre-installation of root certificates in a trusted environment
• Support by OS platforms, applications and services
• Maintenance of database of issued certificates (no private keys!)
• Helpdesk (information, lost + compromised private keys)
• Advertising revoked certificates (and support for applications to perform revocation checking)
• Storage "guidelines" for private keys

CA Security
• Must minimize risk of CA private key being compromised
• Best to have an off-line CA
  • Requests may come in electronically but not processed in real time
• In addition, using tamper-resistant hardware for the CA would help (should be impossible to extract private key)

Mapping Personal Certificates into Accounts/Names
• Certificate must map "one-to-one" into an account/name for the sake of authentication
• In some systems, mappings are based upon X.509 naming attributes from the Subject field
• Example: Verisign issues certificate as CN=FullName(account)
• Account/name is local to the issuing domain

Storage of Private Key
• The problem of having the user manage the private key (user support, key loss or compromise)
• Modern OSs offer Protected Storage which saves private keys (encrypted).
• Applications take advantage of this; browsers sometimes save private keys encrypted in their configuration directory
• Users who mix applications or platforms must manually import/export private keys via PFX files.

Key Lengths
• Strong encryption has been adopted since the relaxation of US export laws
• E.g., 512- and 1024-bit RSA is not safe anymore
• Root CA should have an (RSA) key length of >= 2048 bits given its importance and typical lifetime of 3-5 years
• A personal (RSA) certificate should have key length of at least 1536 bits

Key Lengths
January 2016 Recommendation from National Security Agency (NSA):
https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf

Naming Comes First!
• Cannot have certificates without a comprehensive naming scheme
• Cannot have PKI without a comprehensive distribution/access method
• X.509 uses X.500 naming
• X.500 Distinguished Names (DNs) contain a subset of:
  • C   Country
  • SP  State/Province
  • L   Locality
  • O   Organization
  • OU  Organizational Unit
  • CN  Common Name

X.500
• ISO standard for directory services
• Global, distributed
• First solid version in 1988 (second in 1993)
• Documentation: several Internet Standard Requests for Comments (RFCs)

X.500
• Data Model:
  • Based on hierarchical namespace
  • Directory Information Tree (DIT)
  • Geographically organized
  • Entry is defined with its dn (Distinguished Name)
• Searching:
  • You must select a location in DIT to base your search
  • A one-level search or a subtree search
  • Subtree search can be slow

X.500 - DIT

World
  c=AF
    o=ALQAEDA
      ... cn=Osama bin Laden (deceased)
  c=USA
    o=Army
      ...
  ...

dn: cn=Osama bin Laden, o=Al Qaeda, c=AF

X.500
• Accessible through:
  • Telnet (client programs known as dua, dish, ...)
  • WWW interface
  • For example: http://www.dante.net:8888/
• Hard to use and very heavy...
• ...thus LDAP was developed

LDAP
• LDAP - Lightweight Directory Access Protocol
  • LDAPv2 - RFC 1777, RFC 1778
  • LDAPv3 - RFC 1779
• developed to make X.500 easier to use
• provides basic X.500 functions
• referral model instead of the original chaining
  • server informs client to ask another server (without asking the question on behalf of the client)
• LDAP URL format:
  • ldap://server_address/dn
  • (ldap://ldap.uci.edu/cn=KasperRasmussen,o=UCI,c=US)

Some Relevant Standards
• The IETF Reference Site
  • http://ietf.org/html.charters/wg-dir.html#Security_Area
• Public-Key Infrastructure (X.509, PKIX)
  • RFC 2459 (X.509 v3 + v2 CRL)
• LDAPv2 for Certificate and CRL Storage
  • RFC 2587
• Guidelines & Practices
  • RFC 2527
• S/MIME v3
  • RFC 2632 & 2633
• TLS 1.0 / SSL v3
  • RFC 2246