Public Key Management
Brent Waters
Page 2 Last Time
- Saw multiple one-way function candidates for sigs.
  - OWP (AES)
  - Discrete Log
  - Trapdoor Permutation (RSA)
- Went over RSA-based signatures in detail
Page 3 DSA (Digital Signature Algorithm)
- Discrete log based signature scheme
- Similar to El Gamal Signatures
- 1991 NIST proposed
- Became first govt. adopted signature scheme
- Short signatures
  - bit components
- Slow signing and verification
  - Exponentiation
- Awkward description
- Security reduces to funny assumption
Page 4 Why DSA standard?
RSA
- Patent (until 2000)
- Longer sigs ~200 bytes
- Encryption (Export Controls)
DSA
- Patent Free
- Short Signatures ~40 bytes
- No encryption
Page 5 Public Key Management
- How does Alice obtain Bob’s public key
- Answer: Certificate Authority signs other keys
[Figure labels: master-key, CA, "I am", Public Key, Certificate, Encrypted Message]
Page 6 Certificates
- X.509 Standard
- cert = name, org, address | public key | expiration | ... + signature of certificate by C.A.
- Extensions (Version 3)
  - Sign certs only...
- Bob obtains certificate offline
Page 7 How do we validate Certificate Auth?
- Alice must have public key of certificate authority
- Publish in N.Y. Times
  - Everyone sees it, adversary cannot forge all copies
  - Make sure Jayson Blair not on staff
  - Not realistic
- Ships with Browser or Operating System
  - Done in practice
Page 8 Trust in CA
- C.A. is trusted
- If compromised can forge a cert for Bob
  - Attack might be detected
- CA key should be strongly guarded
  - BBN SafeKeeper: tempest attacks
Page 9 Public Key Generation Algorithm
1) Alice generates pub/priv. key pair, sends pub to CA
2) CA verifies Alice knows private key
   - Challenge/response
   - Self-signed certificate
3) CA generates cert and sends to Alice
- CA doesn’t know Alice’s key
Page 10 Trust models (Symmetric vs Public)
[Figure: Symmetric: KDC with A1, A2, A3, A4. Public Key: CA with A1, A2 (pub/cert)]
Page 11 Trust models (Symmetric vs Public)
Symmetric
- Online
- KDC knows my key
- If compromised past+future gone (forward security helps—guesses?)
Public
- Offline
- Knows only public key
- Harder to do attack
- Only future messages exposed
Page 12 Cross Domain Certification
[Figure: CA1, CA2, A, A]
- Many domains, can’t load them all
- How does Bob verify if he doesn’t even have the CA key?
Page 13 Hierarchical solution
[Figure: tree with root, Stanford, cs, Amazon]
- Cert chain: Check cert all the way to root
- Hierarchies are pretty flat in practice
Page 14 Web of Trust
- No authority: I trust A who trusts B....
- Which model do you like better?
[Figure: A, B, C]
Page 15 Certificate Revocation
Revoke Bob’s certificate
- Private key is stolen
- Leaves company, doesn’t own ID
I. Expiration Date in Cert (1 year)
II. CRL
- Periodically send lists to everyone
- Long lists, hard to manage
III. OCSP (Online Certificate Status Protocol)
- Online authority to answer queries
- Signing key at risk if authorities are distributed
Page 16 Certificate Revocation
[Figure: Secure VA, VA1, VA2; A asks "Is B revoked" and receives proof of Y/N]
- Order revoked certs and build hash tree
- Secure VA signs root
- Either show path of revoked or prove by neighbors
Page 17 A bit disappointing... , but now have an on-line party again
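The hash-tree revocation proof from the Certificate Revocation slide, as an added example (not code from the lecture): an untrusted VA answers "is this serial revoked?" and the client checks the answer against the signed root alone. Assumptions: SHA-256, 64-bit serials strictly between the two sentinel values, and the secure VA's signature over the root has already been verified, so signing is omitted; all names are hypothetical.

```python
import bisect, hashlib

LO, HI = 0, 2**64 - 1   # sentinel leaves: every real serial has two neighbours
SAMPLE_REVOKED = [1001, 42, 77777]   # constructed serial numbers

def H(b): return hashlib.sha256(b).digest()

def leaf(i, serial):
    # Leaf binds its position, so "adjacent" can be checked by the client.
    return H(b"\x00" + i.to_bytes(4, "big") + serial.to_bytes(8, "big"))

class RevocationTree:
    def __init__(self, revoked):
        self.serials = [LO] + sorted(set(revoked)) + [HI]
        level = [leaf(i, s) for i, s in enumerate(self.serials)]
        while len(level) & (len(level) - 1):       # pad to a power of two
            level.append(H(b"\x02"))
        self.levels = [level]
        while len(level) > 1:
            level = [H(b"\x01" + level[j] + level[j + 1])
                     for j in range(0, len(level), 2)]
            self.levels.append(level)
        self.root = level[0]                       # value the secure VA signs

    def path(self, i):
        return [lvl[(i >> d) ^ 1] for d, lvl in enumerate(self.levels[:-1])]

    def prove(self, serial):
        """Untrusted VA: one leaf if revoked, the two neighbours if not."""
        i = bisect.bisect_left(self.serials, serial)
        if self.serials[i] == serial:
            return [(i, serial, self.path(i))]
        return [(k, self.serials[k], self.path(k)) for k in (i - 1, i)]

def root_from(i, serial, path):
    h = leaf(i, serial)
    for sib in path:
        h = H(b"\x01" + (sib + h if i & 1 else h + sib))
        i >>= 1
    return h

def check(signed_root, serial, proof):
    """Client: True = revoked, False = not revoked, ValueError = bad proof."""
    if any(root_from(i, s, p) != signed_root for i, s, p in proof):
        raise ValueError("path does not lead to the signed root")
    if len(proof) == 1 and proof[0][1] == serial:
        return True
    if len(proof) == 2:
        (i, a, _), (j, b, _) = proof
        if j == i + 1 and a < serial < b:
            return False
    raise ValueError("proof does not answer the query")
```

Because each leaf hash includes its index, a VA cannot hide a revoked serial by presenting two leaves that are not adjacent: the index check in `check` rejects the proof.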
Page 18 Price of Security
- How much for 1 year certificate?
- $349
  - 40 bit security on some browsers
- $995 (Pro Version)
Page 19 Certificates in Practice
Page 22 How many “root” certs on your browser?
- I counted 105