Lecture 12

1

PublicKeyDistribution(andCertifications)

(Chapter15inKPS)

2

KDC

A B

(1)Request|B|N1 (2)EKa[Ks|Request|N1|EKb(Ks,A)]

(3)EKb[Ks,A]

(4)EKs[A,N2]

(5)EKs[f(N2)]Notes:• Msg2istiedtoMsg1• Msg2isfresh/new• Msg3ispossiblyold*• Msg1ispossiblyold(KDCdoesn’tauthenticateAlice)• BobauthenticatesAlice• BobauthenticatesKDC• AliceDOESNOTauthenticateBob

ATypicalKDC-basedKeyDistributionScenarioKDC=KeyDistributionCenter

EK[X]=EncryptionofXwithkeyK

PublicKeyDistribution

• GeneralSchemes:

• Publicannouncement(e.g.,inanewsgrouporemailmessage)•Canbeforged

• Publiclyavailabledirectory•Canbetamperedwith

• Public-keycertificates(PKCs)issuedbytrustedoff-lineCertificationAuthorities(CAs)

3

CertificationAuthorities

• CertificationAuthority(CA):bindspublickeytoaspecificentity• Eachentity(user,host,etc.)registersitspublickeywithCA.• Bobprovides“proofofidentity”toCA.• CAcreatescertificatebindingBobtothispublickey.• CertificatecontainingBob’spublickeydigitallysignedbyCA:

CAsays:“thisisBob’spublickey”

4

Bob’spublickey

PKB

Bob’sidentifyinginformation

digitalsignature

CAprivatekey

SKCA

PKB

certificateforBob’spublickey,signedby

CA

• WhenAlicewantstogetBob’spublickey:• GetBob’scertificate(fromBoborelsewhere)• UsingCA’spublickeyverifythesignatureonBob’scertificate• Checkforexpiration• Checkforrevocation(we’lltalkaboutthislater)• ExtractBob’spublickey

5

Bob’sPublicKey

PKB

digitalsignature

CAPublicKey PK

CA

PKB

CertificationAuthority

6

•Serialnumber(uniquetoissuer)• Infoaboutcertificateowner,includingalgorithmandkeyvalueitself(notshown)

• infoaboutcertificateissuer

• validdates• digitalsignaturebyissuer

ACertificateContains

ReflectionAttackandaFix• OriginalProtocol

1. A® B: rA2. B® A: {rA,rB }K3. A® B: rB

• Attack1. A® E: rA2. E® A: rA :Startinganewsession3. A® E: {rA,rA’}K :Replyto(2)4. E® A: {rA,rA’} K :Replyto(1)5. A® E: rA’

Solutions?• Use2differentuni-directionalkeysk” (AàB)andk’ (BàA)• Removesymmetry(direction,msg identifiers)

7

InterleavingAttacks• ProtocolforMutualAuthentication

1. A® B: A,rA,2. B® A: rB,{rB,rA,A}SKB3. A® B: rA’,{rA’,rB,B}SKA

• Attack1. E® B: A,rA2. B® E: rB,{rB,rA,A}SKB3. E® A: B,rB4. A® E: rA’,{rA’,rB,B}SKA5. E® B: rA’,{rA’,rB,B}SKA

• Attackduetosymmetricmessages(2),(3)

8

x.509Authentication&KeyDistributionProtocols

ABSKPKabaaa KotherBrt }][,,,,,1{

9

ABSKPKabaaa KotherBrt }][,,,,,2{

BASKPKbababb KotherrArt }][,,,,,,2{

ABSKPKabaaa KotherBrt }][,,,,,3{

BASKPKbababb KotherrArt }][,,,,,,3{

ASKbr },3{

One-w

ayAàB

Two-w

ayAàB

Tree-way

AßàB

LessonsLearned?

• Designingsecure protocolsishard.Therearemanydocumentedfailuresintheliterature.• Goodprotocolsarealreadystandardized(e.g.,ISO9798,X.509,…)– usethem!• Theproblemofverifyingsecuritygetsmuchharderasprotocolsgetmorecomplex(moreparties,messages,rounds).

10

11

Merkle’s Puzzles(1974)

€

0 < i < 2n = NXi,Yi −− random secret keysindexi = random (secret) value

Puzzle Pi = {indexi,Xi,S}Yi

S −− fixed string, e.g., " Alice to Bob"}20|{ n

i iP <<

jindex

€

Pick random j, 0 < j < 2n

Select Pj

Break Yj by brute forceObtain {index j ,X j ,S}

€

Look up index j

Obtain X j EncryptedcommunicationwithXj

?

Issecuritycomputationalorinformationtheoretic?

12

PK-basedNeedham-Schroeder

TTP

A B3.[Na,A]

PKb

6.[Na,N

b]PKa

7.[Nb]PKb

Here,TTPactsasan“on-line”certificationauthority(CA)andtakescareofrevocation

1.A,B

2.{PKb,B}

SKT

4.B,A

5.{PKa,A}

SKT

13

WhatIf?

• AliceandBobhave:

• NocommonmutuallytrustedTTP(s)

• and/or

• Noon-lineTTP(s)

14

PublicKeyInfrastructure(Distribution)

• Problem: Howtodeterminethecorrectpublickeyofagivenentity• BindingbetweenIDENTITYandPUBLICKEY

• PossibleAttacks• Namespoofing:EveassociatesAlice’snamewithEve’spublickey• Keyspoofing:EveassociatesAlice’skeywithEve’sname• DoS:EveassociatesAlice’snamewithanonsensical(bogus)key

• Whathappensineachcase?

15

PublicKeyDistribution

• Diffie - Hellman(1976)proposedthe“publicfile”concept

• universallyaccessible

• nounauthorizedmodification

• notscalable!

16

PublicKeyDistribution

• Popek - Kline(1979)proposed“trustedthirdparties”(TTPs)asameansofPKdistribution:• Eachorg-nhasaTTPthatknowspublickeysofallof

itsconstituententitiesanddistributesthemon-demand

• On-lineprotocolliketheonewealreadysaw• TTP=singlepointoffailure• Denial-of-Service(DoS)attacks

17

Certificates

• Kohnfelder (BSThesis,MIT,1978)proposed“certificates”asyetanotherpublic-keydistributionmethod

• Certificate=explicitbindingbetweenapublickeyanditsowner’s(unique!)name

• Mustbeissued(andsigned)byarecognizedtrustedCertificateAuthority(CA)

• Issuancedoneoff-line

AuthenticatedPublic-Key-basedKeyExchange(Station-to-StationorSTSProtocol)

18

pay va mod=

Choose random v

Bobabbob

wb

yySIGpay},{

mod=

=

Chooserandom w,Compute

pyK waba mod)(=Compute

( ) mod

{ , }

vab b

alicealice a b

K y pSIG y y

=

=

bobbbob SIGyCERT ,,

alicealice SIGCERT ,

19

Certificates

• Procedure• BobregistersatlocalCA• Bobreceiveshiscertificate:

{PKB,IDB,issuance_time,expiration_time,etc.,...}SKCA

• BobsendscertificatetoAlice• AliceverifiesCA’ssignature

• PKCA hard-codedinsoftware

• AliceusesPKB forencryptionand/orverifyingsignatures

20

WhoIssuesCertificates?

• CA:CertificationAuthority• e.g.,GlobalSign,VeriSign,Thawte,etc.• lookintoyourbrowser...

• Trustworthy(atleasttoitsusers/clients)• Off-lineoperation(usually)• Hasitsownwell-knownlong-termcertificate• Maystore(asbackup)issuedcertificates• Verysecure:physicallyandelectronically

21

Howdoesitwork?

• Apublic/privatekey-pairisgeneratedbyuser• Userrequestscertificateviaalocalapplication(e.g.,web

browser)• Goodideatoproveknowledgeofprivatekeyaspartofthe

certificaterequest.Why?

• Publickeyandowner’snameareusuallypartofacertificate

• Privatekeysonlyusedforsmallamountofdata(signing,encryptionofsessionkeys)

• Symmetrickeys(e.g.,RC5,AES)usedforbulkdataencryption

22

CertificationAuthority(CA)

• CAmustverify/authenticatetheentityrequestinganewcertificate.

• CA’sowncertificateissignedbyahigher-levelCA.RootCA’scertificateisself-signedanditsnameis“well-known.”

• CAisacriticalpartofthesystemandmustoperateinasecureandpredictablewayaccordingtosomepolicy.

23

Whoneedsthem?• Alice’scertificateischeckedbywhomeverwantsto:

1)verifyhersignatures,and/or2)encryptdataforher.

• Asignatureverifier(orencryptor)must:• knowthepublickeyoftheCA(s)• trustallCAsinvolved

• Certificatecheckingis:verificationofthesignatureandvalidity

• Validity:expiration+revocationchecking

24

VerifyingaCertificate(assumingCommonCA)

Tobecoveredlater

25

BTW:• CertificateTypes

• PK(Identity)certificates• BindPKtosomeidentitystring

• Attributecertificates• BindPKtoarbitraryattributeinformation,e.g.,

authorization,groupmembership

• Weconcentrateonformer

26

WhatarePKCertificatesGoodFor?• SecurechannelsinTLS/SSLforwebservers

• Signedand/orencryptedemail(PGP,S/MIME)

• Authentication(e.g.,SSHwithRSA)

• Codesigning!

• Encryptingfiles(EFSinWindows)

• IPSec:encryption/authenticationatthenetwork

layer

27

ComponentsofaCertificationSystem• Requestandissuecertificates(differentcategories)with

verificationofidentity• Storageofcertificates• Publishing/distributionofcertificates(LDAP,HTTP)• Pre-installationofrootcertificatesinatrustedenvironment• SupportbyOSplatforms,applicationsandservices• Maintenanceofdatabaseofissuedcertificates(noprivate

keys!)• Helpdesk(information,lost+compromisedprivatekeys)• Advertisingrevokedcertificates(andsupportforapplications

toperformrevocationchecking)• Storage“guidelines”forprivatekeys

28

CASecurity

• MustminimizeriskofCAprivatekeybeingcompromised

• Besttohaveanoff-lineCA• Requestsmaycomeinelectronicallybutnotprocessed

inrealtime

• Inaddition,usingtamper-resistanthardwarefortheCAwouldhelp(shouldbeimpossibletoextractprivatekey)

29

MappingPersonalCertificatesintoAccounts/Names

• Certificatemustmap“one-to-one”intoanaccount/nameforthesakeofauthentication

• Insomesystems,mappingarebaseduponX.509namingattributesfromtheSubject field

• Example:VerisignissuescertificateasCN=FullName(account)

• Account/nameislocaltotheissuingdomain

30

StorageofPrivateKey

• Theproblemofhavingtheusertomanagetheprivatekey(usersupport,keylossorcompromise)

• ModernOS'soffersProtectedStoragewhichsavesprivatekeys(encrypted).

• Applicationstakeadvantageofthis;Browserssometimessaveprivatekeysencryptedinitsconfigurationdirectory

• Userswhomixapplicationsorplatformsmustmanuallyimport/exportprivatekeysviaPFXfiles.

31

KeyLengths

• StrongencryptionhasbeenadoptedsincetherelaxationofUSexportlaws

• E.g.,512- and1024-bitRSAisnotsafeanymore

• RootCAshouldhavean(RSA)keylengthof>=2048bitsgivenitsimportanceandtypicallifetimeof3-5years

• Apersonal(RSA)certificateshouldhavekeylengthofatleast1536bits

32

January2016RecommendationfromNationalSecurityAgency(NSA)https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf

KeyLengths

33

NamingComesFirst!• Cannothavecertificateswithoutacomprehensivenamingscheme• CannothavePKIwithoutacomprehensivedistribution/access

method• X.509usesX.500naming• X.500DistinguishedNames(DNs)containasubsetof:

• C Country• SP State/Province• L Locality• O Organization• OU OrganizationalUnit• CN CommonName

34

X.500

• ISOstandardfordirectoryservices

• Global,distributed

• Firstsolidversionin1988.(secondin1993.)

• Documentation- severalInternetStandardRequestforComments(RFC)

35

X.500

• DataModel:• Basedonhierarchicalnamespace• DirectoryInformationTree(DIT)• Geographicallyorganized• Entryisdefinedwithitsdn (DistinguishedName)

• Searching:• YoumustselectalocationinDITtobaseyoursearch• A one-levelsearchorasubtreesearch• Subtreesearchcanbeslow

36

X.500- DIT

...

...

World

c=AF c=USA

o=ALQAEDA o=Army

...cn=OsamabinLaden(deceased)

dn: cn=OsamabinLaden,o=AlQaeda,c=AF

...

37

X.500

• Accessiblethrough:• Telnet(clientprogramsknownasdua,dish,...)• WWWinterface• Forexample:http://www.dante.net:8888/

• Hardtouseandveryheavy…

• …thusLDAPwasdeveloped

38

LDAP

• LDAP- LightweightDirectoryAccessProtocol• LDAPv2- RFC1777,RFC1778• LDAPv3- RFC1779• developedtomakeX.500easiertouse• providesbasicX.500functions• referralmodelinsteadoriginalchaining• serverinformsclienttoaskanotherserver

(withoutaskingquestiononthebehalfofclient)• LDAPURLformat:• ldap://server_address/dn

• (ldap://ldap.uci.edu/cn=KasperRasmussen,o=UCI,c=US)

39

SomeRelevantStandards

• TheIETFReferenceSite• http://ietf.org/html.charters/wg-dir.html#Security_Area

• Public-KeyInfrastructure(X.509,PKIX)• RFC2459(X.509v3+v2CRL)

• LDAPv2forCertificateandCRLStorage• RFC2587

• Guidelines&Practices• RFC2527

• S/MIMEv3• RFC2632&2633

• TLS1.0/SSLv3• RFC2246