public key infrastructures - eindhoven university of ... · public key infrastructures … a public...
Public Key Infrastructures
Andreas Hülsing
Public Key Infrastructures
… a public key infrastructure (PKI) is designed to
facilitate the use of public key cryptography.
Source: Housley, R. and Polk, T.: Planning for PKI; Wiley 2001
PAGE 1 19-5-2014
Tasks of a PKI
• Assure that the public key is available
• Assure that the public key is authentic
• Assure that the public key is valid
• Enforce security and interoperability
Authenticate Public Keys
• Bind public key to electronic identity
• Seal the binding
• Answer for the binding
Public key certificates
Public Key Certificate
Public key certificates are data structures that bind
public key values to subjects. The binding is
asserted by having a trusted CA digitally sign each
certificate …
[From RFC 5280]
Public Key Certificate
[Figure: public key certificate. Labels: Subject (Name) / eID, Public key, Binding, Digital Signature (protection of authenticity)]
Certificate Properties
• Protected binding of a key to the key holder
• Its authenticity is independent of the means of
transportation
• It can be used online and offline
• It is a proof of the binding
• It can be used for key servers
Certificate Standards
• X.509
− X.509 (ITU-T)
− PKIX (RFC 5280)
• Pretty Good Privacy (PGP)
− OpenPGP (RFC 4880)
− GNU Privacy Guard (GnuPG or GPG)
• WAP certificates
− Like X.509 certificates but smaller
• Card Verifiable Certificates (CVC)
− Even smaller than WAP certificates
• Simple PKI / Simple Distributed Security Infrastructure
− SPKI, pronounced spoo-key
− SDSI, pronounced sudsy
Validity of Public Keys
• Monitor the binding between public key, electronic identity and key owner
• Establish time constraints
• Provide means to revoke binding
Certificate revocation
Certificate Revocation
• Abortive ending of the binding between
− subject and key (public key certificate)
OR
− subject and attributes (attribute certificate)
• The revocation is initiated by
− the subject
OR
− the issuer
• Typical frequency (assumption):
− 10% of the issued certificates will be revoked (See: “Selecting Revocation Solutions for PKI” by Årnes, Just, Knapskog, Lloyd and Meijer)
Certificate Revocation List
Publish Public Key Information
• Directories
− (L)DAP
− Active Directory
• Web pages
− HTTP
• File transfer
− FTP
• Services
− OCSP
− SCVP
LDAP
Security of Key Pairs
Select suitable algorithms and key sizes
Monitor possible security threats and react adequately
Provide suitable means to generate key pairs
Provide suitable formats and media to store private keys
Provide suitable means of delivering private keys
Personal security environments
PSE: Smartcard
Interoperability
• Comply with accepted (international) standards
• Certificates / revocations
− X.509, PGP, SPKI/SDSI, …
• Directory services
− (L)DAP, Active Directory, …
• Cryptographic algorithms / protocols / formats
− PKCS, RFC, …
• Constraints on content and processing
− PKIX, ISIS-MTT, …
Policy Enforcement
• Certificate policy (CP)
− States what to comply with
• Certificate practice statement (CPS)
− States how to comply
• Policies are enforced by the PKI through:
− Selecting standards, parameters, hardware, …
− Monitoring the behavior of involved parties
− Reacting to infringements of the policy
Trust Models
Trust
Perhaps the most important part of a PKI is establishing
trust in the binding between an entity and a
certificate
Direct Trust
• User receives public key directly from owner
OR
• User verifies public key directly with owner
Most Common: Fingerprint comparison
Fingerprint = hash value of the certificate (incl. Signature) (e.g. SHA1)
Face-to-Face Verification
Phone Verification
Web Page Verification
http://www.cacert.org/index.php?id=3
Printed Media Verification
BNetzA publishes the public key
…and more
~# gpg --list-public-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
sub 2048g/8495160C 2000-10-19 [expires: 2006-02-12]
e.g. public keys on software CD/DVD
Summary: Direct Trust
• Establishes
− Which keys are authentic
− Why they are considered authentic
• Bad scalability
− n * (n-1) = O(n²) verifications
− Worse complexity than secret key exchange!
• Basis for all other trust models
− To be seen
PGP (Pretty Good Privacy)
Web of Trust
[From PGP-Pretty Good Privacy by Simson Garfinkel]
Web of Trust
A web of trust is a concept used in PGP, GnuPG, and
other OpenPGP-compatible systems to establish the
authenticity of the binding between a public key and a
user.
Its decentralized trust model is an alternative to the
centralized trust model of a public key infrastructure
(PKI), which relies exclusively on a certificate authority
(or a hierarchy of such).
Source: http://en.wikipedia.org/wiki/Web_of_trust
Key Validity
• Alice computes key validity using Bob’s signatures
[Figure: Alice, Bob, Carl, Dorian]
Chaining Key Validity
• Alice computes key validity using Bob’s and Carl’s signatures
[Figure: Alice, Bob, Carl, Dorian, Eve]
Public Keyring
Public Keyring
Alice’s public keyring
Key Validity vs. Owner Trust
• Key Validity:
− Is the key owner who he claims to be?
− Levels: no answer; unknown; marginal; complete; ultimate
• Owner trust:
− Is the key owner reliable? (in respect to signing keys of others)
− Levels: unknown; none; marginal; complete; ultimate
Key Validity: Levels
• no answer
− Nothing is said about this key.
• unknown
− Nothing is known about this key.
• marginal
− The key probably belongs to the name.
• complete
− The key definitely belongs to the name.
• (ultimate)
− (Own keys).
Owner Trust: Levels
• unknown
− Nothing can be said about the owner's judgment in key signing.
• none
− The owner is known to improperly sign keys.
• marginal
− The owner is known to properly sign keys.
• complete
− The owner is known to put great care in key signing.
• ultimate
− The owner is known to put great care in key signing, and is allowed to make trust decisions for you.
Assigning Key Validity
• Manually (Key Signing)
OR
• computed from the trust in the corresponding
signers, only considering signers with key validity
“complete” (or better).
Assigning Key Validity
Alice signs the public key of other users.
Key Signing: Direct Trust
Bob’s key validity is complete for Alice because she decided it when signing the key after verifying the fingerprint.
Key Validity Computation: “complete” (1)
If the key is signed by at least one user with owner trust complete.
Key Validity Computation: “complete” (2)
If the key is signed by at least x (here x=2) names with owner trust marginal.
Key Validity Computation: “marginal”
If the key is signed by less than x (here x=2) names with owner trust marginal.
Key Validity Computation: “unknown”
If the key is signed by no name with at least owner trust marginal
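The key validity rules from the preceding slides, worked through as an added example (not part of the original slides and not GnuPG's own code). The keyring, the extra names Gina, Heidi and Mallory, and the function name `key_validity` are assumptions made for illustration.

```python
from enum import IntEnum

class Trust(IntEnum):       # owner trust levels from the slides
    UNKNOWN = 0
    NONE = 1
    MARGINAL = 2
    COMPLETE = 3
    ULTIMATE = 4

class Validity(IntEnum):    # key validity levels ("no answer" omitted)
    UNKNOWN = 0
    MARGINAL = 1
    COMPLETE = 2
    ULTIMATE = 3

def key_validity(me, signatures, owner_trust, x=2):
    """signatures: key owner -> set of signers; owner_trust: assigned manually by `me`."""
    validity = {name: Validity.UNKNOWN for name in signatures}
    validity[me] = Validity.ULTIMATE                  # own key
    changed = True
    while changed:                                    # repeat until chained results settle
        changed = False
        for owner, signers in signatures.items():
            if owner == me:
                continue
            # Only signers whose own key validity is "complete" (or better) count.
            usable = [s for s in signers
                      if validity.get(s, Validity.UNKNOWN) >= Validity.COMPLETE]
            trust = [owner_trust.get(s, Trust.UNKNOWN) for s in usable]
            full = sum(t >= Trust.COMPLETE for t in trust)
            marginal = sum(t == Trust.MARGINAL for t in trust)
            if full >= 1 or marginal >= x:
                new = Validity.COMPLETE
            else:
                new = Validity.MARGINAL if marginal else Validity.UNKNOWN
            if new != validity[owner]:
                validity[owner], changed = new, True
    return validity

# Constructed keyring: who signed whose key, and the owner trust Alice assigned.
SIGNATURES = {"Alice": set(), "Bob": {"Alice"}, "Carl": {"Alice"}, "Gina": {"Alice"},
              "Dorian": {"Bob"}, "Frank": {"Carl"}, "Eve": {"Carl", "Gina"},
              "Heidi": {"Frank"}, "Mallory": {"Dorian"}}
OWNER_TRUST = {"Alice": Trust.ULTIMATE, "Bob": Trust.COMPLETE, "Carl": Trust.MARGINAL,
               "Gina": Trust.MARGINAL, "Frank": Trust.COMPLETE}

if __name__ == "__main__":
    for name, level in key_validity("Alice", SIGNATURES, OWNER_TRUST).items():
        print(f"{name:8} {level.name}")
```

Heidi's key stays "unknown" although Frank has owner trust complete, because Frank's own key is only marginally valid and his signatures are therefore not considered.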
Assigning Owner Trust
• Manually (Trust Setting)
OR
• computed from the owner trust of signers only using
“ultimate” valid keys.
Trust Anchor: Owner Trust
Alice assigns owner trust to users.
“Simple” PGP
Alice signs Bob’s key (level 0) and trusts him.
Alice uses Bob’s signatures on Dorian’s and Frank’s keys.
Trusted Introducers
Alice signs Bob’s key (level 1) and trusts him.
Bob signs Carl’s key (level 0) and trusts him.
Alice uses Carl’s signatures on Dorian’s and Frank’s keys.
Bob = Trusted Introducer
By allowing more intermediate signers (level >1), Bob becomes a Meta Introducer
PGP Certificates
PGP Certificates: Content
[From http://www.ece.cmu.edu/~adrian/630-f04/PGP-intro.html]
A Simple PGP Certificate - Example
One UserID with one signature
Legend: Public Key Packet, User ID Packet, Signature Packet
Example, cont’d
One UserID with one signature and a second UserID without signature
Example, cont’d
One UserID with four signatures
A More Complicated Example
One UserID with one signature and a second UserID with one signature and a second key (subkey) with one signature
Public Key Packet
Fields: Version, Creation Time, Public Key Algorithm, Public Key (RSA case)
User ID Packet
A User ID packet consists of UTF-8 text that is intended to
represent the name and email address of the key holder. By
convention, it includes an RFC 2822 mail name-addr, but
there are no restrictions on its content. The packet length in
the header specifies the length of the User ID.
[From RFC 4880]
Example:
Andreas Hülsing <[email protected]>
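How the packet header length delimits a User ID, and how the packet sequence of a PGP certificate can be listed, as an added example (not from the original slides). It reads the old and new packet header formats of RFC 4880; the sample bytes, the User ID text and the helper `old_packet` are constructed for illustration, and the key and signature bodies are placeholders rather than real key material.

```python
TAGS = {2: "Signature Packet", 6: "Public Key Packet",
        13: "User ID Packet", 14: "Public Subkey Packet"}

def read_header(buf, pos):
    """Return (tag, body_length, body_start) for the packet header at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if first & 0x40:                                   # new packet format
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:                                   # one-octet length
            return tag, o1, pos + 2
        if o1 < 224:                                   # two-octet length
            return tag, ((o1 - 192) << 8) + buf[pos + 2] + 192, pos + 3
        if o1 == 255:                                  # five-octet length
            return tag, int.from_bytes(buf[pos + 2:pos + 6], "big"), pos + 6
        raise ValueError("partial body lengths are not handled here")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03   # old packet format
    if length_type == 3:
        raise ValueError("indeterminate lengths are not handled here")
    size = 1 << length_type                            # 1, 2 or 4 length octets
    return tag, int.from_bytes(buf[pos + 1:pos + 1 + size], "big"), pos + 1 + size

def list_packets(buf):          # walk the packets, return (name, detail) pairs
    out, pos = [], 0
    while pos < len(buf):
        try:
            tag, length, start = read_header(buf, pos)
        except IndexError:
            raise ValueError("truncated packet header") from None
        if start + length > len(buf):
            raise ValueError("packet length runs past the end of the input")
        body = buf[start:start + length]
        detail = body.decode("utf-8") if tag == 13 else f"{length} octets"
        out.append((TAGS.get(tag, f"tag {tag}"), detail))
        pos = start + length
    return out

def old_packet(tag, body):      # sample builder: old format, one-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample; the key and signature bodies are zero-filled placeholders.
UID = "Zo\u00eb Example <zoe@example.org>"             # 29 characters, 30 octets
SAMPLE = (old_packet(6, bytes(12)) + old_packet(13, UID.encode("utf-8"))
          + old_packet(2, bytes(20))
          + bytes([0xC0 | 13, 5]) + b"alias")          # second User ID, new format

if __name__ == "__main__":
    for name, detail in list_packets(SAMPLE):
        print(name, "-", detail)
```

The header length counts octets, not characters, so the non-ASCII User ID occupies 30 octets for 29 characters; a length that points past the end of the input is rejected instead of being read.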
Signature Packet
Fields: Version, Signature Type, Public Key Algorithm, Hash Algorithm, Counter, Hashed Subpackets, …, Unhashed Subpackets, …, 16 bits of signed hash value, Signature (RSA case)
Subpacket Content
• signature creation time
• signature expiration time
• exportable certification
• trust signature
• regular expression
• revocable
• key expiration time
• placeholder for backward compatibility
• preferred symmetric algorithms
• revocation key
• issuer key ID
• notation data
• preferred hash algorithms
• preferred compression algorithms
• key server preferences
• preferred key server
• primary user id
• policy URL
• key flags
• signer's user id
• reason for revocation
PGP Revocation
• Uses Key Revocation Certificate
− generated during KeyGen using private key
• Uploading Key Revocation Certificate to one of the public key servers revokes key pair.
• Key Revocation Certificate can contain new UserID