Post on 22-Dec-2015
Certificate Systems, Public Key Infrastructures and E-mail Security
Distributed Systems 2
Encryption using Public Key Cryptography

Digital Signature using Public Key Cryptography

Public Key Distribution
• Finding out correct public key of an entity
• Possible attacks
  • name spoofing: a person can identify himself using a bogus name
  • denial of service: the legitimate user cannot decrypt messages sent to him

Public Key Distribution
• Face to face public key exchange
  • most primitive, but secure method
  • not convenient
• Public announcement via newsgroups, web pages, etc.
  • subject to forgeries
  • hard to determine the liar

Public Key Distribution
• Diffie - Hellman (1976) proposed the “public file” concept
  • public-key directory
  • commonly accessible
  • should be online always
  • no unauthorized modification
  • secure and authenticated communication between directory and user is a must

Public Key Distribution
• Popek - Kline (1979) proposed “trusted Public Key Authorities”
  • Public key authorities know public keys of the entities and distribute them on an on-demand basis
  • on-line protocol (disadvantage)

Public Key Distribution

Certificates
• Kohnfelder (1978) proposed “certificates” as yet another public-key distribution method
• Binding between the public-key and its owner
• Issued (digitally signed) by the Certificate Authority (CA)
• Off-line process

Certificates
• Certificates are verified by the verifiers to find out correct public key of the target entity
• In order to verify a certificate, the verifier
  • must know the public key of the CA
  • must trust the CA
• Certificate verification is the verification of the signature on certificate

Certificates
[Figure labels: Certified Entity, CA, Verifier, Albert Levi]

Certificates

Issues Related to Certificates
• CA certification policies (Certificate Practice Statement)
  • how reliable is the CA?
  • certification policies describe the methodology of certificate issuance
  • ID-control practices
    • loose control: only email address
    • tight control: apply in person and submit picture IDs and/or hard documentation

Issues Related to Certificates
• TRUST
  • verifiers must trust CAs
  • CAs need not trust the certified entities
  • certified entity need not trust its CA, unless it is not the verifier
• What is “trust” in certification systems?
  • Answer to the question: “How correct is the certificate information?”
  • related to certification policies

Issues Related to Certificates
• Certificate types
  • ID certificates (for authentication)
    • discussed here
  • authorization certificates
    • no identity
    • binding between public key and authorization info
• Certificate storage and distribution
  • along with a signed message
  • distributed directories
  • centralized databases

Issues Related to Certificates
• Certificate Revocation
  • certificates have lifetimes, but they may be revoked before the expiration time
• Reasons:
  • certificate holder key compromise/lost
  • CA key compromise
  • end of contract (e.g. certificates for employees)
• Certificate Revocation Lists (CRLs) hold the list of certificates that are not expired but revoked

Real World Analogies
• Is a certificate an “electronic identity”?
• Concerns
  • a certificate is a binding between an identity and a key, not a binding between an identity and a real person
  • one must submit its certificate to identify itself, but submission is not sufficient, the key must be used in a protocol
  • anyone can submit someone else’s certificate

Real World Analogies
• Result: Certificates are not picture IDs
• So, what is the real world analogy for certificates?
  • Endorsed document/card that serves as a binding between the identity and signature
  • for example, “credit-cards”

Public Key Infrastructure (PKI)
• PKI is a complete system and defined mechanisms for certificates
  • certificate issuance
  • certificate revocation
  • certificate storage
  • certificate distribution

PKI
• Business Practice: Issue certificates and make money
  • several CAs
• Several CAs are also necessary due to political, geographical and trust reasons
• 3 interconnection models
  • hierarchical
  • cross certificates
  • hybrid

Hierarchical PKI Example
[Figure labels: Root CA, Upper level CAs, CAs, End users]

Cross Certificate Based PKI Example
[Figure labels: CAs, End users, Cross certificates]

Hybrid PKI example

Certificate Paths

Certificate Paths
• Verifier must know public key of the first CA
• Other public keys are found out one by one
• All CAs on the path must be trusted by the verifier
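
The path walk described on this slide, as an added example that is not part of the original slides: the verifier starts from the one CA key it already knows, checks each signature, and takes the next public key from the certificate it has just verified. The certificate fields, the names and the toy textbook-RSA keys (no padding, Mersenne primes as factors) are assumptions made for illustration and are not secure.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def keygen(p, q):
    """Textbook RSA from two known primes: (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert, n):
    """Hash of the signed fields, reduced below the signer's modulus n."""
    body = f"{cert['subject']}|{cert['key']}|{cert['issuer']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, subject_key, issuer, issuer_n, issuer_d):
    """CA side: bind subject to subject_key and sign the binding."""
    cert = {"subject": subject, "key": subject_key, "issuer": issuer}
    cert["sig"] = pow(digest(cert, issuer_n), issuer_d, issuer_n)
    return cert

def verify_path(path, first_ca, first_ca_key, trusted_cas):
    """Verifier side: return the end entity's public key or raise ValueError."""
    issuer, key = first_ca, first_ca_key
    for cert in path:
        if issuer not in trusted_cas:
            raise ValueError(f"{issuer} is not a CA this verifier trusts")
        if cert["issuer"] != issuer:
            raise ValueError(f"{cert['subject']} was not issued by {issuer}")
        if pow(cert["sig"], E, key) != digest(cert, key):
            raise ValueError(f"bad signature on certificate of {cert['subject']}")
        issuer, key = cert["subject"], cert["key"]  # next key, found from this step
    return key

# Constructed sample hierarchy (hypothetical names): Root CA -> CA1 -> alice.
ROOT_N, ROOT_D = keygen(2**31 - 1, 2**61 - 1)
CA1_N, CA1_D = keygen(2**89 - 1, 2**107 - 1)
ALICE_N, _ = keygen(2**127 - 1, 2**521 - 1)
PATH = [issue("CA1", CA1_N, "Root CA", ROOT_N, ROOT_D),
        issue("alice", ALICE_N, "CA1", CA1_N, CA1_D)]

if __name__ == "__main__":
    key = verify_path(PATH, "Root CA", ROOT_N, {"Root CA", "CA1"})
    print("alice's key recovered:", key == ALICE_N)
    forged = [PATH[0], dict(PATH[1], key=ALICE_N + 2)]  # swapped-in key
    try:
        verify_path(forged, "Root CA", ROOT_N, {"Root CA", "CA1"})
    except ValueError as err:
        print("rejected:", err)
```
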

Certificate Paths with Reverse Certificates
[Figure label: Reverse certificates]

Organization-wide PKI
• Local PKI for organizations
• may have global connections, but the registration facilities remain local
  • easy to operate
  • less managerial difficulties

Organization-wide PKI
[Figure: Architecture of a typical organization-wide PKI. Labels: CP (CA), Administration, RA, CD, PKI Server, Databases / Directories, PKI Client. Legend: CP = Certificate Processor/Authority, RA = Registration Authority, CD = Certificate Distribution]

Hosted vs. Standalone PKI
• Hosted PKI
  • PKI vendor acts as CA
  • PKI owner is the RA
• Standalone PKI
  • PKI owner is both RA and CA

Hosted vs. Standalone PKI
Advantages of hosted PKI over standalone PKI

Standalone PKI | Hosted PKI
Organization has to have a secure server for certificate issuance and processing. | Organization does not need to run a secure server for certificate processing.
Organization must issue cross certificates or has to have some other arrangements for universal connection of its PKI. Otherwise, the PKI remains local. | PKI provider (host) already has such arrangements. Organization does not have to worry about worldwide visibility of its PKI.
More administrative work for organization. | Less administrative work for organization.

Hosted vs. Standalone PKI
Disadvantages of hosted PKI over standalone PKI

Standalone PKI | Hosted PKI
No continuous dependency on the PKI vendor. Organization does not have to pay periodic fees. | Continuous dependency on the PKI vendor (host). The organization must pay regular fees to the host based on the certificate volume.
Security of the PKI is in the organization’s hands. | Although the organization is responsible for the security of its PKI, they are dependent on the host’s security.
Organization does not have to trust the PKI vendor as different than its other software vendors. | Ultimate trust to host is indispensable.
The only user of the private key is the organization itself. | Private key is being used by the host for certificate issuance.

X.509
• ITU standard
  • ISO 9495-2 is the equivalent ISO standard
• Defines certificate structure, not PKI
• Also defines authentication protocols
• Identity certificates
• Supports both hierarchical model and cross certificates
• End users cannot be CAs

X.509 Certificate Format

X.509v3 Extensions
• Alternative names
• Policy Identifiers
• Trust issue
• Restrictions based on
  • path length
  • policy identifiers
  • names
• No blind trust to CAs

Some X.509 based PKIs
• Privacy Enhanced Mail (PEM)
  • hierarchical, no cross certificates
  • first but discontinued
• Secure Electronic Transaction
  • PKI for electronic payment
  • secure but not widely deployed
• PKIX
  • general purpose X.509 based PKI

DNSSEC
• Security extension to DNS
• Not X.509 based, but hierarchical (uses existing DNS topology)
• Distributed
• Provides
  • authentication of domain information
  • storage and distribution of certificates
• Good and practical system

SSL (Secure Socket Layer)
• Security layer over TCP/IP
  • mostly for HTTP connections
  • encrypted and authenticated sessions between web servers and web browsers (clients)
• Not a perfect solution, but a convenient solution

SSL (Secure Socket Layer)
• Certificate based systems
  • web servers must have certificate
  • client certificate is optional
• CA certificates are embedded in browsers
• You trust them (by default), because browser company says so!
• The worst, but the most practical!!!

Using SSL for HTTP Connections
• By using SSL we can
  • make sure about the server’s name (assuming the CA of the server is trusted)
    • authentication
  • make sure that nobody can see the traffic between client and server
    • confidentiality

Using SSL for HTTP Connections
• By using SSL we can NOT
  • provide perfect privacy
    • server sees all information that client provides
    • important in e-payment: merchant sees the card number and name
  • provide non-repudiation
    • both parties know the session key
    • in e-payment: charge-back cost for merchant’s

PGP (Pretty Good Privacy)
• Effort of Phil Zimmermann
• Strong cryptography
  • free of government control
• Has not started as a standardization effort
• Controversial international version
• Most widely used security software
• Unique certificate and PKI

PGP (Pretty Good Privacy)
• Free personal use
• Source code available
  • very important for “paranoids”
• Multi-platform software
• Basically “file” encryption/signing software
• Now it has plug-ins for some E-mail client programs

PGP Cryptographic Functions
H: Hash Function
KR: Private Key
EP: Public key Encryption
DP: Public key Decryption
Z: Compression using Zip
KU: Public Key

PGP Cryptographic Functions
H: Hash Function
KR: Private Key
Ks: Session Key (Conventional key)
EP: Public key Encryption
DP: Public key Decryption
EC: Private key Encryption
DC: Private-key decryption
Z: Compression using Zip
KU: Public Key

Encoding in PGP
• Binary data must be encoded for e-mail compatibility
• Radix-64 conversion
  • binary data is grouped 6-bit by 6-bit
  • each 6-bit group is converted to a printable ASCII character (table look-up)
  • inflates the data 33%
• Radix-64 is applied after encryption/signing
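
The conversion described on this slide, written out as an added example that is not part of the original slides: it uses the standard base64 alphabet as the look-up table and measures the size increase. SAMPLE is constructed binary data standing in for encrypted or signed output.

```python
import base64

# Look-up table: index = 6-bit value, entry = printable ASCII character
TABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def radix64_encode(data: bytes) -> str:
    """Group the input 6 bits at a time and map each group through TABLE."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                      # 0, 1 or 2 missing bytes
        word = int.from_bytes(chunk + b"\x00" * pad, "big")
        groups = [(word >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        out.append("".join(TABLE[g] for g in groups[:4 - pad]) + "=" * pad)
    return "".join(out)

def radix64_decode(text: str) -> bytes:
    """Inverse look-up: rebuild the bit stream and drop the padding bits."""
    body = text.rstrip("=")
    bits = 0
    for ch in body:
        bits = (bits << 6) | TABLE.index(ch)      # ValueError on a bad character
    nbits = 6 * len(body)
    nbytes = nbits // 8
    return (bits >> (nbits - 8 * nbytes)).to_bytes(nbytes, "big")

def inflation(data: bytes) -> float:
    """Fractional size increase caused by the encoding."""
    return len(radix64_encode(data)) / len(data) - 1

# Constructed sample: 300 bytes of arbitrary binary data
SAMPLE = bytes((i * 37 + 11) % 256 for i in range(300))

if __name__ == "__main__":
    armored = radix64_encode(SAMPLE)
    print(armored[:40], "...")
    print("matches base64 module:", armored == base64.b64encode(SAMPLE).decode())
    print("round trip ok:", radix64_decode(armored) == SAMPLE)
    print(f"inflation: {inflation(SAMPLE):.1%}")
```
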

General PGP Message Format

Key Management in PGP
• Public keys are not attached to messages
• Instead Public key identifiers are put in messages
• Recipient should know/find out sender’s public-key
  • personal exchange
  • PGP public key servers
    • do not trust the authenticity of the keys there

Key Management in PGP
• 2 local “Key Rings”
  • private key ring
    • to keep your private keys
  • public key ring
    • to keep yours and other people’s public keys

Private Key Ring
• Private-key Ring is a table for the private keys
• Private keys are stored in encrypted form
  • Encryption key is derived from passphrase
• The keys in private-key ring are ultimately trusted
• Question: How can we determine whether or not correct passphrase is entered?

Public-key Ring
• Table for locally known public keys
• Also contains trust information
  • PGP user specifies his/her trusted CAs
    • two levels of trusts to CAs
  • being in public-key ring does not mean its legitimacy
    • a public-key signed by a key in private-key ring is legit
    • otherwise CAs’ signatures are checked
      • complicated scheme

Public-key Ring

PKI of PGP
• Global public-key ring
• PKI from scratch
• Public-keys and certificates are posted in public-key servers
• Thousands of users
• No boss, no governing body

PKI of PGP
• Everybody is end user, everybody is CA
  • chaotic

S/MIME
• A standard way for email encryption and signing
• IETF standard
• Industry support
  • commercial reasons
• Not a standalone software, a system that is to be supported by email clients

History of E-mail
• RFC 822
  • only ASCII messages
• MIME (Multipurpose Internet Mail Extensions)
  • content type
  • Almost any kind of information can appear in an email message
• S/MIME: Secure MIME
  • new content types, like signature, encrypted data

S/MIME
• General functionality is similar to PGP
  • digital signature
    • the hash of message is signed
  • encrypted data (enveloped data)
    • a conventional session key is used to encrypt the data
    • that key is encrypted by the recipient’s public key
• The difference between S/MIME and PGP is certificate management

Certificate Management in S/MIME
• CA-centered system like SSL
• An ordinary user is not aware of the CAs that he/she trusts
• CA certificates come with the client software
• Certificates are sent along with the signed messages in S/MIME (unlike PGP)

Certificate Management in S/MIME
• One should get a certificate from a CA in order to send signed messages
• Verisign Certificates
  • Class 1
  • Class 2
  • Class 3
[Figure labels: Increased Security; Harder to issue]

What’s Wrong?
• Loose control for Class 1 certificates for commercial reasons
  • visibility
  • market share
• The system becomes less secure in the name of security

What should be done?
• Class 1 certificates must be discontinued
• All certificates must be issued with a personal presence requirement or by the approval of trusted registration authorities

Discussion on Personal Certificates (SSL)
• Certificates ruin your privacy
• Do you really need a certificate?
  • Do you want to get caught when you are at a specific website?
  • Do you want spammers to get your email address?
  • Do you want companies to learn your favorites?

Discussion on Personal Certificates (S/MIME)
• There is no wide use of certificates
• Only few email clients are supporting S/MIME
• Interoperability problems among the email client programs