Public Key Infrastructure (PKI)

Jen-Chang Liu, 2004

Ref1: Ch.10, “Cryptography and Network Security”, Stalling, 2003.Ref2: Ch.5, “Cryptography and Network Security”, A. Kahate, McGraw Hill, 2003.Ref3: Ch. 6, “RSA Security’s Official Guide to Cryptography”, 2001

Outline

Key management in public-key cryptosystem

Public Key Certificate (PKC) X.509 standard

Public Key Infrastructure (PKI)

Key management (Ref1)

Two issues for public-key cryptosystem Distribution of public keys The use of public-key encryption to

distribute secret keys (keys for symmetric cipher)

Distribution of public keys Public announcement Public available directory Public-key authority Public-key certificates

1. Public announcement

Drawback: the opponent can pretend to be another user

Ex. post public keys to public forums, such as USENET newsgroup and Internet mailing list

2. Public available directory

Some trusted entity maintains a publicly available dynamic directory of public keys

Register the public key

Register the public key

{A, KUa }{B, KUb }

…

Attack: an opponent invades the public-key directory, and counterfeit public keys

3. Public-key authority (Fig 10.3)

Central authority: 1. Maintain directory of public keys2. Each participant knows the public key for the

authority

A can confirmthe message fromthe authority

N1 :認證 B的身份N2 :認證 A的身份

Outline

Key management in public-key cryptosystem

Q: How to authenticate the association between the public key with the owner ?

Public Key Certificate (PKC) X.509 standard

Public Key Infrastructure (PKI)

Public key certificate (PKC 公開金鑰憑證 )

A public key certificate signifies the association between my public key and me Ex. Like a driver license

or passport

Q: Who can approve the association ?

A: A trusted entity – Certificate Authority (CA)

Q: What is the content of a digital certificate?

A: X.509 standard

Example: Digital certificate

X.509 certificate format 1988, ITU X.509 version

1

X.509 V2 extensions: unique identifier

V2 extensions: Issuer unique identifier Subject unique identifier

Motivation: Deal with the possibility that the issuer (CA’s name) name and the subject name (certificate holder’s name) might be duplicated over time

RFC2459 specifies that these two names should never be reused, so V2 extensions are made optional

X. 509 V3 certificate extensions

Certificate Revocation List (CRL 憑證廢止列 )

Certificate policies

Authority key identifier: CA may havemultiple private-public key pairs. Thisfield defines which of these key pairsis used to sign the certificate

Key usage: 1. digital signature2. Certificate signing3. CRL signing4. Key enciphering5. Data enciphering6. Diffie-Hellman key exchange

Certificate Authority (CA 憑證簽發機構 )

CA is a trusted agency that can issue digital certificate. Ex. VeriSign, Entrust, …

Outline

Key management in public-key cryptosystem

Public Key Certificate (PKC) X.509 standard

Public Key Infrastructure (PKI) PKI components Certification creation steps Certificate hierarchies Certificate revocation

* Distribution of public keys is non-trivial

PKI components The interaction

between PKI components End user Registration

authority (RA) CA Key recovery

server X.500 directory

Registration authority (RA)

RA: an intermediate entity between the end users and the CA Share the workload of CA

Accept and verify registration info about new users Generate keys on behalf of the end users Accept and authorize requests for key backups

and recovery Accept and authorize requests for certificate

revocation RA does not generate certificate

CA becomes an isolated entity, which makes it less susceptible to security attacks

Key recovery server

Q: End users lose their private keys? A: CA must revoke the corresponding PKC,

a new key pair must be generated, a new corresponding PKC must be

created A2: provide a key recovery server

CA backs up private keys at the time of creation

Certificate directory

Q: where to store the certificates? A1: end user stores on his local machine A2: CAs use a certificate directory (or a centr

al storage location) Provide a single point for certificate administrati

on and distribution (ex. for later certificate revocation)

Certificate directories need not to be trusted

Outline

Key management in public-key cryptosystem

Public Key Certificate (PKC) X.509 standard

Public Key Infrastructure (PKI) PKI components Certification creation steps (Ref2) Certificate hierarchies Certificate revocation

Certificate creation steps

Key generation

Registration

Verification

Certificate creation

1. Subject generating his own key pair

2. RA generating a key pair for subject

1. RA knows private key!2. How to transmit it to user?

Registration ( 註冊、登錄 )

Certificate signing request (CSR)(PKCS#10, part of the Public KeyCryptography Standard)

On-line registration example

Verification

1. RA verify the user’s credentials2. Check the Proof of Possession of the private

key Q: What if a user claims that she never

possessed the private key, when a document signed with her private key causes legal problems?

Sol 1: RA demands user to sign her CSR Sol 2: RA generates a random number, encrypt

it with the user’s public key, then challenge the user

…

Certificate creation

CA creates a digital certificate for the user Certificates in X.509 standard format Q: Why should we trust digital certificates?

Certificate goes to RA (or user) Certificate directory Backup user private key (if necessary)

Questions about certificate

Why should we trust digital certificate? Similar to: how do we verify a passport? How does the CA sign a digital certificate? How can we verify a digital certificate?

X.509 certificate format

Question about CA’s public key

How do we get CA’s public key of some certificate ? Get CA’s certificate – which approve the assoc

iation between the public key with CA Who signs CA’s certificate?

The organization of CAs CA hierarchies and self-signed certificate Cross-certification

CA hierarchy

Purpose: root CA can delegate job to lower CAs

Chain of trust

Self-signed certificate for root CA

Who signs for root CA?

1. Root CA is automatic consideredas trusted CA2. Software contains a pre-programmed,hard coded certificated of the root CA3. The root CA signs its own certificate (self-signed certificate)

Example: Self-signed root certificate

Cross-certificationRoot CAs in different countries

Outline

Key management in public-key cryptosystem

Public Key Certificate (PKC) X.509 standard

Public Key Infrastructure (PKI) PKI components Certification creation steps (Ref2) Certificate hierarchies Certificate revocation

Certificate revocation 憑證廢止 Ex. lost of credit card, driver license, … Reasons for certification revocation:

The private key is compromised The CA made mistakes while issuing a

certificate The certificate holder leaves a job,…

Before using a certificate, we check Does the certificate belong to the owner?

(check certificate signature) Is the certificate valid, or is it revoked?

How to revoke a certificate?

Certificate has been issued, how to revoke it?

Certificate revocation list (CRL)

CRL is a list of revoked certificates published regularly by CA

Validating a certificate using CRL

Problems with CRL

1. CRL can be a large file -> long transmission time

Sol: delta CRL

2. CRL are published Periodically => cannot check online status

Sol: online certificate status check

Online Certificate Status Protocol

(HTTP)

CA setup this server

Key management (Ref1)

Two issues for public-key cryptosystem Distribution of public keys The use of public-key encryption to

distribute secret keys (keys for symmetric cipher)

Distribution of public keys Public announcement Public available directory Public-key authority Public-key certificates

4. Public-key certificates 憑證 (Fig 10.4)

Certificate: contain public key and other information, generate from the certificate authority

Application mustbe in person or bysecure channel

1. Anyone can read, verify2. Only CA can create

Time: verify currency of certificate

Simple secret key distribution

Public-key scheme has slow data rate use public key to distribute secret key use secret key scheme for data encryption

session key(secret key)

E

KUe || IDA

intercept

KUe[ Ks ]E

KUa[ Ks ] Ks

Secret key distribution with confidentiality and authentication

Against active and passive attacks

Authenticate B

Authenticate A

Confidentiality(only B can read)

authentication(only A can create it)

A hybrid and hierarchical scheme

KDC

A B C

Use public-key schemeto distribute master key

MKA

MKA

MKB

MKB

Use master keys with KDC to distribute session key

Ks Ks

Advantage: 1. Use master key to distribute session keys, instead of using

public-key scheme => faster !2. Backward compatible to old KDC scheme (master +

session key)