Introduction to PKI Novell BrainShare 2002 Tammy Green Senior Software Engineer Novell, Inc. TGreen@novell.com Steve Walker Software Engineer SWalker@novell.com IO225—Introduction to PKI
The Problem
One Solution
Symmetric Key Cryptography Bob and Alice agree on key Keys can be passwords, Personal Identification Numbers (PIN), etc. Bob encrypts message to Alice with key Alice decrypts message with same key
It Works, but What If… Alice and Bob don’t know each other Need a trusted third-party Bob wants to send a message to 1,000 people Need an easy way to exchange keys Alice puts the key on a sticky note on her monitor Need a way to notify everyone
Public Key Cryptography Two keys for each person Public key—available to everyone Private key—kept secret Given the public key, “hard” to find private key Encrypt using public key Decrypt using private key
Encryption/Decryption Bob’s message Alice’s private key A Bob’s message Alice’s public key A
Signing/Verification Bob’s message Bob’s message Verified Bob Bob’s private key B Bob’s public key B
Encryption and Signature Bob’s private key B Bob’s public key B Bob Bob’s message Verified Bob’s message Alice’s public key A Alice’s private key A
How Do They Exchange Keys? Put them in the newspaper Send them on a floppy disk Put them in a public directory, e.g., Novell eDirectory™ “All of these methods are vulnerable to substitution or tampering”
Digital Certificate Prevents tampering because it is digitally signed Prevents substitution because it is signed by a “trusted” entity Can put them anywhere Web sites Floppy disks Directories Etc.
Certificate Types X.509 PGP Simple PKI (SPKI) XML certificates “Compact” certificates Wireless TLS certificates Attribute certificates
What Is an X.509 Certificate? It binds a public key to a name The name can be A person A group A machine A program There are four versions v1, v2—seldom used v3—most commonly used v4—not yet used
Format of a X.509 Certificate Public Key Algorithm Signature Algorithm (object Identifier) Public Key (bit string) Subject (name) Issuer Not Before Not After Validity Period (date and time) Signed Optional Extensions Version (Integer)
Who Signs a Certificate? Self-signed I am me because I say that I am me Certificate Authority (CA) Trusted third party
Choosing a CA Organizational CAs Commercial CAs Trusted only within a limited domain Self-signed Commercial CAs Widely trusted (e.g., by all web browsers) Referred to as “trusted roots”
To Sign or Not to Sign CAs sign certificates if predefined criteria are met Subject name and alternative names are reasonable Proof of possession of private key Agrees with data in extensions Public key not already used Criteria are defined in Certification Practice Statement (CPS) Validation may be done by a Registration Authority (RA)
Getting a Certificate 1. Generate key pair 2. Generate certificate request 4. Validate certificate request 3. Send certificate request 8. Return certificate 5. Issue certificate 6. CA issues certificate 7. Publish certificate
But What If…? What if someone else claims to be me? CA must validate identity What if two people have the same name? Need a global unique identifier Qualified certificates ensure uniqueness
Intermediate CAs Signed by another CA Capabilities could be limited Signed by a root CA Signed by another intermediate CA Capabilities could be limited Limits put in certificate May only sign non-CA certificates May only sign certificates for certain names
CA Hierarchy
But What If…? How do I decide which CAs to trust? Applications do it for you Your company could do it for you Can’t a CA just “trust” another CA? CAs can cross-certify each other Bridge CAs can bridge the gap
Bridging the Gap Bridge CA
Certificate Extensions Common extensions Alternative names Key usage Basic constraints CRL distribution point Custom extensions Picture of yourself May be critical
But What If…? What if my certificate expires? Get a new certificate You may need a new key pair What if the information in my certificate is incorrect? What if someone steals my private key? Revoke the certificate
Revoking a Certificate 1. Revoke certificate 2. Approve revocation request 3. Revoke certificate 4. Publish certificate revocation
Publishing Certificate Revocations Typically done by a CA Common methods Certificate Revocation List (CRL) Delta Indirect On-demand Online Certificate Status Protocol (OCSP) Simple Certificate Validation Protocol (SCVP) Location of revocation information is in certificate
But What If…? How long will it take before my certificate is actually revoked? Depends on CA and on method of publishing Caching can a problem What if it takes weeks? Revocation data may include an invalidity date What if the CA is compromised? CAs can be revoked Root CA compromise is very bad
Validating a Certificate Must have entire chain For each pair of certificates make sure Public key in issuer certificate signed other certificate Subject and issuer names match Certificates are within validity period Neither certificate has been revoked No unknown critical extensions At least one certificate in chain is “trusted”
But What If… Isn’t it slow to check if every certificate is revoked? Caching can help OCSP and SCVP can help Revoking certificates isn’t common yet What if the CA doesn’t support revocation? You could create your own revocation list
So, What Can I Do with a Certificate? Sign and encrypt e-mail Authenticate a web site Authenticate yourself Encrypt a data channel (e.g., SSL) Protect data from tampering and substitution Notarize data Timestamp data
SSL Server Side Authentication Browser Server Choose cipher suite Generate R1 Generate R0 R0, cipher suites Validate server certificate Generate R2 Calculate symmetric key Calculate master secret R1, cipher suite, certificate chain [ R2 + … ]Server’s PubK, [ Hash (msgs + …) ]SymK Decrypt R2 Calculate master secret Calculate symmetric key Validate encrypted hash Validate encrypted hash [ Hash (msgs + …) ]SymK
SSL Mutual Authentication Browser Server Choose cipher suite Generate R1 Generate R0 R0, cipher suites Validate server certificate Find user certificate Generate R2 Calculate master secret Calculate symmetric key R1, cipher suite, certificate chain, trusted roots Validate user certificate Decrypt R2 Validate signed hash Calculate master secret Calculate symmetric key Validate encrypted hash certificate chain, [ R2 + … ]Server’s PubK, { Hash (msgs + ...) }User’s PrvK, [ Hash (msgs + …) ]SymK Validate encrypted hash [ Hash (msgs + …) ]SymK
But What If…? What if it really wasn’t me? You must protect your client and your private key Non-repudiation is a misnomer What if I have a 56-bit crypto web browser? Symmetric key will be limited to 56-bits Unless the server has a special certificate
Server-Gated or Step-Up Crypto Certificates are signed by designated CAs (e.g., VeriSign) Called 128-bit SSL Global Server IDs Special extensions in the certificate OID 2.16.840.1.113730.4.1 OID 1.3.6.1.4.1.311.10.3.2 Allows the symmetric key in the handshake to always be 128-bits
Benefits of Public Key Cryptography Alice and Bob don’t know each other A CA is a trusted third party Bob wants to send a message to 1,000 people Publish his certificate to a directory E-mail his certificate to everyone Alice puts the key on a sticky note on her monitor CA revokes her certificate Previous signatures still honored
What Is a PKI? Public Key Infrastructure A collection of components which allow you to create, manage and use public key certificates
PKI Components Public/private key pairs Digital certificates Cryptography provider CAs RAs Revocation mechanism Repository for certificates and revocation information Management tools
Why Is PKI Good for eCommerce? Data confidentiality Data integrity Authentication Standards-based
Vision…one Net Mission A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries Mission To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world
Additional Resources www.novell.com/security IETF PKIX Working Group www.ietf.org/html.charters/pkix-charter.html RFC 2459 Net Solutions lab Meet the Experts Night TUT240: Configuring and Troubleshooting the Security Components of NetWare®
wiN big Access and Security table one Net solutions lab visit the in the to obtain an entry form