Certificates Robin Burke ECT 582. Last class Public key cryptography Solves what problem? New problem public key  identity.

Slides:



Advertisements
Similar presentations
Chapter 14 – Authentication Applications
Advertisements

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Chapter 14
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Public Key Infrastructure (PKI)
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Public Key Management and X.509 Certificates
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Lecture 23 Internet Authentication Applications
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Lecture 12 Overview.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.
Cryptology Digital Signatures and Digital Certificates Prof. David Singer Dept. of Mathematics Case Western Reserve University.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
Lecture 10 Overview. Key Management public-key encryption helps address key distribution problems have two aspects of this: – distribution of public keys.
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Lecture 5.3: Key Distribution: Public Key Setting CS 436/636/736 Spring 2012 Nitesh Saxena.
Unit 1: Protection and Security for Grid Computing Part 2
Configuring Directory Certificate Services Lesson 13.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Digital Signatures, Message Digest and Authentication Week-9.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
Protocols for public-key management. Key management –two problems Distribution of public keys (for public- key cryptography) Distribution of secret keys.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Certificates Robin Burke ECT 582. Last class Public key cryptography Solves what problem? New problem public key  identity.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Pkiuniversity.com. Alice Bob Honest Abe’s CA Simple PKI hierarchy.
Creating and Managing Digital Certificates Chapter Eleven.
Cryptography and Network Security Chapter 14
1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.
Fall 2006CS 395: Computer Security1 Key Management.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Key management issues in PGP
Cryptography and Network Security
Information Security message M one-way hash fingerprint f = H(M)
Digital Certificates and X.509
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Presentation transcript:

Certificates Robin Burke ECT 582

Last class Public key cryptography Solves what problem? New problem public key  identity

Man-in-the-middle attack Eve intercepts all communications Masquerades as both Bob and Alice Bob thinks he has Alice's public key but he doesn't How can Bob know for sure?

Complex This issue highlights the problems of trust in the digital world A lot of infrastructure needs to be in place Digital certificates Multiple collaborating certification authorities Registration authorities Certificate directories Certificate revocation servers

Trust We can't trust the public key associated with a message We might trust an authoritative source to vouch for Alice

Trusted third party Certification authority (CA) CA can meet with Alice look at her driver's license / birth certificate / etc take her fingerprints CA will then sign her public key

Man-in-the-middle? When Eve tries to substitute her public key for Alice's Bob will either notice that the key isn't certified, or Notice that it is certified but not for Alice, for someone else

Masquerading as CA? Eve could falsely issue a certificate and sign the certificate pretending to be the CA But the CA is a big institution strong interest in making its correct public key well known Multiple sources to access the CA's public key Some public keys are actually bundled with IE

Public key certificate A public key An identifier whose key? The whole package signed by the CA

Benefits of certification Alice and Bob can exchange certificates directly no need for a separate way to communicate public keys certificate is self-protecting Many users can participate only need to know CA's public key

Issues Trust in the CA issuance policies Security of the CA's private key very important!!!

Multiple CAs If there is only one CA all is simple Multiple CAs Alice's public key is signed by C1 Bob's public key is signed by C2 How can Bob be confident? maybe C1 is really Eve in disguise

Solutions Full distribution every user has the public key for every CA impractical Cross certification Suppose Alice presents Bob with C1's public key Signed by C2 Bob can verify the certificate C1's public key can be trusted Therefore Alice's public key can be trusted

Hierarchical trust model Root CA a generally-trusted CA Federal Reserve Bank all parties trust root Non-root CAs have certificates signed by root CA, or signed by another non-root CA closer to the root CA Certification path the chain of certifications from the root to a particular public key certificate More about this next week

CA relationships Intra-organization communication Bank ATM network Organization can be its own CA Open communication CA is an independent entity third party CA The third party CA is like a notary public is evaluating the truth of a person's representation may be liable if due diligence is not performed

Validity Public key is not valid forever limits risk associated with key compromise 1 year is typical Certificates have a valid period expired certificate may still be useful (non- repudiation) new certificate issued when old one expires Possibly the same key re-certified

Certificate assumptions During the valid period public key is valid for use association with identity assumed correct revocation notifications will be published

Revocation What if Eve hacks into Bob's computer and steals his private key? Alice will still be sending encrypted messages, but now Eve can read Certificate must be revoked can no longer be trusted new certificate issued how does Alice find this out?

Revoking a certificate Reasons for revocation Detected or suspected compromise Change of data e.g. subject name Change of relationship between subject and CA e.g. employee quitting a job from an organization which uses the current CA

Who can revoke? who revokes? the subject the CA an authorized third party e.g. the organization with an employee quitting Authentication of the source of revocation request is needed.

What happens? The CA determines that the revocation request is valid Then adds the certificate to its "certificate revocation list" CRL

CRL is a time-stamped list of revoked certificates, digitally signed by the CA available to all users Each revoked cert is identified by a certificate serial number CRL contains digital signatures, thus can be sent via unprotected channels Users of public key certificates should check a suitably-recent CRL

Note The user of a public key must check the CRL every time the key is used not enough to check when the certificate is originally accepted CA must keep a revoked certificate in the CRL until it expires list could get large

Suitably recent? Question of risk what is the risk associated with a possibly out-of-date CRL CRLs are distributed regularly e.g. hourly, daily, biweekly, etc “off-cycle” CRL can be issued how to detect missing off-cycle CRL?

Example Eve steals Bob's private key Bob discovers break-in requests certificate revocation Eve sends a forged message to Alice Alice verifies message checks CRL no problems with Bob's public key CA publishes CRL with Bob's revocation too late

CRL Distribution Pull method CA periodically updates CRL depository users check when using a public key Push method broadcast new CRL when it changes Both subject to denial of service attacks

Online status checking Online Certificate Status Protocol Alice checks Bob's public key directly with the CA most effective most costly Costs handling traffic for every public key use handling cryptographic operations at high speed maintaining high security in Internet environment Also subject to denial of service attack

Short-Lived Certificates Certificate valid for 1 day at a time re-requested each day possibly the same public key Revocation not necessary client stops asking for a new certificate Suitable for limited resource systems e.g. mobile wireless systems Assumes efficient certificate generation

Liability Who gets sued? depends on the timeline depends on legal framework b. Key Compromise a. Issue of CRL 1 c. Revocation Request d. Revocation Time e. Issue of CRL2 Time

Key pair management Public and private keys are generated together Afterwards, different lives Private key some kind of secure storage Public key self-signed certificate certification then public distribution

Generation Local generation private key never leaves the environment where it is used required by ANSI security standards Central generation private key must be communicated to user

Protecting the private key Smart card more secure but more expensive less portable Encrypted data file PGP's key ring Centralized credentials server digital wallet

Key pair management Public key functions encryption digital signature Different requirements

Encryption Encrypted files and messages may be stored indefinitely If private key is lost the data is effectively garbage Private key may need to archived more or less permanently

Key life cycle: encryption Encryption Decryption Certificate validity: Public key usage: Private key usage: Alice encrypts a message to Bob. Will use public key if certificate is in valid period certificate not revoked

Signature Key compromise extremely hazardous even for historical documents non-repudiation lost A lost signature key can always be replaced for signing the next document Private key must be securely destroyed

Key life cycle: signature Signing Validation Cert validity: Cert usage: Public key usage: Private key usage: Alice validates a signed message from Bob. Will use public key if valid period and certificate not revoked Will keep public key for historical validation

Key life cycle: real-time validation Alice installs software sold by Bob Bob's signature verifies uncorrupted code Will use software if certificate is valid at installation time Private key may have short life Sign Install Cert validity: Public key usage: Private key usage:

Also Different constraints on signature vs encryption encryption may be regulated different algorithms may be preferred DSA doesn't support encryption reason for development

Solution Multiple key pairs Encryption Signing PGP allows generation of either an encryption or signing key

Issuing a certificate Alice generates a key pair private key stored on hardware device public key self-signed Alice sends the self-signed public key to who? Possibly the CA more likely an intermediary for the CA

Registration authority An agent for the CA Deals with people Frees the CA to deal with bits May be internal to an organization even if CA is external

RA's responsibility Gets Alice's certificate request public key Verify Alice's identity testimonial ping documents personal presence etc. Forward request to CA Handle all of Alice's other key management needs revocation expiry updated information

CA's responsibility Verification of identity or requisite trust in RA (Very) Secure signing operation Certificate returned to requestor possibly archived possibly made available to public Transaction recorded in audit journal

CA's key management CA keys have many uses signing (real-time validation) historical validation Short-use private keys better security But a signed certificate can't have a valid period beyond the signer's certificate CA will need multiple keys for different purposes

Break

Certificate distribution Alice sends Bob a two line signed signature ≈ message size certificate > message size Alice's public key + CA's signature certificate for each CA in certification path Certification info could easily be 10x the message size What if Bob already has Alice's public key?

Certificate + Signature Inefficient Not practical in network environment Different users might need different certification paths can't predict which certificates to include Doesn't work for encryption

Directory services General case for public key discovery Online access to a directory request a public key certificate for a given user In this case Alice sends only the signed message Bob is responsible for getting Alice's certificate

Directory services Proprietary Novell MS Active Directory Lotus Notes Older standard X.500 Newer LDAP

X.500 Developed by the international standards bodies Extremely general look up by name browse available entities representing people, devices, applications, etc. Extension for public key certificates X.509

LDAP Useful subset of X.500 Easier to implement than X.500 Widely available Uses X.509 certificates

X.509 A certificate is a data structure Typically communicated in a binary format ASN.1 If we were starting over today we'd use XML XML didn't exist in 1988

Certificate format

Certificate fields Version 1,2,3 or 4 3 is the most widely used Serial no assigned by CA Signature algorithm id for CA's signature CA id Subject id Subject algorithm id Public key Some other stuff CA's digital signature

IDs Many things need to be identified what algorithm? who is the CA? whose key are we signing? X.500 Names every unique individual must have a unique name hierarchical naming scheme X.500 Object Identifiers for things like algorithms also hierarchical but with integer components

Directory Information Tree Country C=US, Canada, Mexico, etc. Organization O=DePaul University, UIC, Northwestern University, etc. Organizational uint OU=CTI, LA&S, Commerce, Theater, etc. Common Name CN=Robin Burke, Yonghe Yan, etc.

Distinguished name A collection of choices at each level of the DIT leading to an individual Not necessarily a person printer, router, application, web server DN {C=US, O=DePaul University, OU=CTI, CN=Robin Burke}

Name collision Typically we augment the common name with some other identifier employee / student id address

Object identifiers Problem different organization may want their own "objects" impossible to create a list of legal values in advance Like DIT tree but with integers Used to label algorithms certificate types

Example this is a digital signature algorithm SHA-1 from RSA Labs How do we know this? 1 = ISO 2 = Indicates a member of the organization 840 = the USA = RSA's organizational id RSA chooses the rest of the identifiers

Id tree

X.509 Version 3 Versions 1 and 2 of X.509 did not work well for public key management Problems multiple public keys per user additional required information for some purposes all certificates not created equal

X.509 Extensions Instead of fixing all the fields in v. 3 an "extension mechanism" allow organizations to define their own certificate components Extensions must be registered (object identifier) criticality indicator

Standard extensions Authority key id CA's may have multiple signing keys helps to build certification path Key usage what the certified key is for Certificate policies under what policy was the certificate issued degree of authentication Path constraints what is a legal certification path from this certificate

Version 3 naming Much more flexible naming scheme X.500 names OK Others address domain name IP address URL

X.509 CRL format Similar to certificate itself Also date/time of issue of this CRL date/time of issue of next CRL List of revoked certs: user certificate: cert serial number revocation date CRL extensions

Java and X.509 Certificate Java provides a standard API for X.509 certificate version 3 X509Certificate class is in java.security.cert

Java Certificate Management JRE provides a keystore of trusted certificate authorities It is in directory $JREHOME/lib/security/cacerts Access via "keytool" part of Java Development Kit

Keytool Allows many certificate management functions create self-signed certificate import / export certificates generate Certificate Signing Requests, etc.

Example keytool -certreq -file mycert.csr Generates a certificate signing request for your public key can send to CA to be turned into a certificate

Example Printing a certificate