ECE454/CS594 Computer and Network Security
DESCRIPTION
ECE454/CS594 Computer and Network Security. Dr. Jinyuan (Stella) Sun, Dept. of Electrical Engineering and Computer Science, University of Tennessee, Fall 2011. Public Key Infrastructure: PKI Trust Models, Revocation, Directories, PKIX and X.509, Authorization.
TRANSCRIPT

ECE454/CS594 Computer and Network Security
Dr. Jinyuan (Stella) Sun
Dept. of Electrical Engineering and Computer Science
University of Tennessee
Fall 2011

Public Key Infrastructure
• PKI Trust Models
• Revocation
• Directories
• PKIX and X.509
• Authorization

Authenticity of Public Keys
• Problem: How does Alice know that the public key she received is really Bob’s public key?
[Figure: Alice and Bob; labels: private key, public key, “Bob’s key?”]

Certificate and CA
• Public-key certificate
  ◦ Signed statement specifying the key and identity: sig_Alice(“Bob”, PK_B)
• Common approach: certificate authority (CA)
  ◦ Single agency responsible for certifying public keys
  ◦ After generating a private/public key pair, user proves his identity and knowledge of the private key to obtain CA’s certificate for the public key (offline)
  ◦ Every computer is pre-configured with CA’s public key

Using Public-Key Certificates
• Authenticity of public keys is reduced to authenticity of one key (CA’s public key)

Public Key Infrastructure
• The task of PKI is to securely distribute public keys.
• PKI consists of
  ◦ certificates
  ◦ a repository for retrieving certificates
  ◦ a method of revoking certificates
  ◦ a method of evaluating a chain of certificates from a trust anchor to the target name

Hierarchical Approach
• Single CA certifying every public key is impractical
• Instead, use a trusted root authority
  ◦ For example, Verisign
  ◦ Everybody must know the public key for verifying root authority’s signatures
• Root authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual networks, and so on
  ◦ Instead of a single certificate, use a certificate chain: sig_Verisign(“UnB”, PK_UT), sig_UT(“Manoel”, PK_V)
  ◦ What happens if root authority is ever compromised?

Alternative: “Web of Trust”
• Used in PGP (Pretty Good Privacy)
• Instead of a single root certificate authority, each person has a set of keys they “trust”
  ◦ If public-key certificate is signed by one of the “trusted” keys, the public key contained in it will be deemed valid
• Trust can be transitive
  ◦ Can use certified keys for further certification
[Figure: Alice, Friend of Alice, Friend of friend, and Bob (“I trust Alice”); certificates sig_Alice(“Friend”, Friend’s key) and sig_Friend(“FoaF”, FoaF’s key)]

Chain of Trust
• Small World: Any two people in this world can be connected via “six degrees of separation”
[Carol’s public key is 123456] Ted
[David’s public key is 789012] Carol
[Bob’s public key is 345678] David
Alice: Ted’s public key is 135790 (Trust anchor)

PKI Trust Model
• Answering the following questions:
  ◦ Where to get trust anchors?
  ◦ Which chain of trust to follow?
• Various models
  ◦ Monopoly Model
  ◦ Monopoly plus Registration Authorities
  ◦ Delegated CAs
  ◦ Oligarchy
  ◦ Anarchy Model
  ◦ Top-Down with Name Constraints
  ◦ Bottom-Up with Name Constraints

Monopoly Model
• Monopoly Model
  ◦ There is a single CA, which is the trust anchor of all principals.
• Monopoly Plus Registration Authorities (RAs)
  ◦ CA issues certificates, but delegates the verification of keys to RAs.

Delegated CAs
• The trust anchor CA generates certificates for delegated CAs, which in turn generate certificates for principals.
• More than one certificate is needed in the process of verification of a public key.

Oligarchy Model
• Multiple trust anchor CAs are pre-configured in all principals
• User has an option to modify the list of trust anchor CAs
• Commonly used in browsers (SSL/TLS)

Anarchy Model
• Each principal selects a set of peers as trust anchors; principals sign each other’s certificates.
• A principal may store a database of known certificates; some organizations may offer a public repository of certificates.
• If a chain of trust (certificates) can be found from a trust anchor to a target name, then the public key of the target is verified.

Top-Down with Name Constraints
• Name constraints: each CA is only trusted for signing a subset of users.
• Similar to the DNS hierarchy, each domain may have a CA server. The CA of the parent domain (utk.edu) generates certificates for the CAs responsible for the sub-domains (eecs.utk.edu).
• Each principal is pre-configured with the public key of the root.
• The only trust path is from the root to the target.

Bottom-Up with Name Constraints
• A parent CA and a child CA generate certificates for each other.
• Two CAs without a parent-child relationship may generate a certificate, known as a cross-certificate.
• The trust paths start from a trust anchor, follow up-links to an ancestor, possibly follow a cross-link, then follow down-links to the target.
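
Added example (not from the original slides): a path builder for the bottom-up model described above, treating names as DNS-style hierarchies as in the utk.edu / eecs.utk.edu slide. The function names, the cross-link table and every name other than those two are constructed for illustration; signature checks on each link are assumed to happen separately.

```python
def ca_chain(name):
    """A name followed by its ancestors: 'eecs.utk.edu' -> ['eecs.utk.edu', 'utk.edu', 'edu']."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def trust_path(anchor, target, cross_links):
    """Return the names on the trust path from anchor to target, or None.

    Up-links are followed from the anchor until an ancestor either is itself
    an ancestor of the target or holds a cross-certificate for one; down-links
    then lead to the target. A CA may only vouch for names under its own name,
    so a cross-linked CA is used only if the target lies in its subtree.
    """
    up, down = ca_chain(anchor), ca_chain(target)
    for i, ca in enumerate(up):
        if ca in down:                       # common ancestor: turn around here
            return up[:i + 1] + down[:down.index(ca)][::-1]
        for peer in cross_links.get(ca, ()):
            if peer in down:                 # one cross-link, then down-links
                return up[:i + 1] + down[:down.index(peer) + 1][::-1]
    return None

# Constructed sample: utk.edu holds a cross-certificate for example.org.
CROSS = {"utk.edu": ["example.org"]}

def demo():
    same_tree = trust_path("alice.eecs.utk.edu", "bob.math.utk.edu", CROSS)
    crossed = trust_path("alice.eecs.utk.edu", "carol.cs.example.org", CROSS)
    outside = trust_path("alice.eecs.utk.edu", "dave.example.net", CROSS)
    return same_tree, crossed, outside

if __name__ == "__main__":
    for path in demo():
        print(" -> ".join(path) if path else "no trust path")
```

The third lookup finds no path: nothing above the anchor shares an ancestor with the target, and the only cross-certified CA is not allowed to vouch for names outside example.org.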

Directories
• A directory is a distributed hierarchical database indexed by a hierarchical name, where associated with each name is a repository of information for that name.
• E.g., DNS, X.500

PKIX and X.509
• X.500 (Directory standard) defines a hierarchical naming scheme.
• X.509 defines the format of certificates, using X.500.
• PKIX defines the trust model, and specifies which X.509 options should be supported: an architecture of entities (users, CAs, RAs…) and interrelationships (registration, certification, CRL publication)

X.509 Authentication Service
• Internet standard (1988-2000)
• Specifies certificate format
  ◦ X.509 certificates are used in IPSec and SSL/TLS
• Specifies certificate directory service
  ◦ For retrieving other users’ CA-certified public keys
• Specifies a set of authentication protocols
  ◦ For proving identity using public-key signatures
• Does not specify crypto algorithms
  ◦ Can use it with any digital signature scheme and hash function, but hashing is required before signing

X.509 Certificate
[Figure: X.509 certificate format. Annotation: “Added in X.509 versions 2 and 3 to address usability and security problems”]

Certificate Revocation
• Revocation is very important
• Many valid reasons to revoke a certificate
  ◦ Private key corresponding to the certified public key has been compromised
  ◦ User stopped paying his certification fee to this CA and CA no longer wishes to certify him
  ◦ CA’s certificate has been compromised!
• Expiration is a form of revocation, too
  ◦ Many deployed systems don’t bother with revocation
  ◦ Re-issuance of certificates is a big revenue source for certificate authorities

Certificate Revocation Mechanisms
• Online revocation service (OLRS)
  ◦ When a certificate is presented, recipient goes to a special online service to verify whether it is still valid
    - Like a merchant dialing up the credit card processor
• Certificate revocation list (CRL)
  ◦ CA periodically issues a signed list of revoked certificates
    - Credit card companies used to issue thick books of canceled credit card numbers
  ◦ Can issue a “delta CRL” containing only updates
• Question: does revocation protect against forged certificates?

X.509 Certificate Revocation List
[Figure: X.509 CRL format. Annotation: “Because certificate serial numbers must be unique within each CA, this is enough to identify the certificate”]
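
Added example (not from the original slides): looking up a certificate against a base CRL plus delta CRLs, keyed by issuer and serial number for the reason the annotation gives. The dictionary layout, CA names, CRL numbers and serials are constructed for illustration, and the CRLs' signatures are assumed to have been verified already.

```python
def effective_revocations(base, deltas=()):
    """Merge a base CRL with the delta CRLs issued against it, oldest first."""
    revoked = dict(base["revoked"])            # serial -> reason
    latest = base["number"]
    for delta in sorted(deltas, key=lambda d: d["number"]):
        if delta["issuer"] != base["issuer"] or delta["base_number"] != base["number"]:
            raise ValueError("delta CRL was not issued against this base CRL")
        if delta["number"] > latest:           # ignore stale or duplicate deltas
            revoked.update(delta["revoked"])
            latest = delta["number"]
    return revoked

def revocation_reason(cert, base, deltas=()):
    """Return the revocation reason for cert, or None if it is not listed."""
    # Serial numbers are unique only within one CA, so a CRL says nothing
    # about a certificate from a different CA that happens to share a serial.
    if cert["issuer"] != base["issuer"]:
        raise LookupError("CRL issuer does not match certificate issuer")
    return effective_revocations(base, deltas).get(cert["serial"])

# Constructed sample data (hypothetical CA names, CRL numbers and serials).
BASE = {"issuer": "CA-1", "number": 40, "revoked": {1001: "key compromise"}}
DELTA = {"issuer": "CA-1", "number": 41, "base_number": 40,
         "revoked": {1007: "fee not paid"}}

if __name__ == "__main__":
    cert = {"issuer": "CA-1", "serial": 1007}
    print("base only:   ", revocation_reason(cert, BASE))
    print("base + delta:", revocation_reason(cert, BASE, [DELTA]))
```

A verifier that holds only the base list still accepts serial 1007; the revocation becomes visible once the delta is merged.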

X.509 Version 1
• Encrypt, then sign for authenticated encryption
  ◦ Goal: achieve both confidentiality and authentication
  ◦ E.g., encrypted, signed password for access control
• Does this work?
Alice → Bob: “Alice”, sig_Alice(Time_Alice, “Bob”, encrypt_PublicKey(Bob)(message))

Attack on X.509 Version 1
• Receiving encrypted password under signature does not mean that the sender actually knows the password!
• Proper usage: sign, then encrypt
Alice → Bob: “Alice”, sig_Alice(Time_Alice, “Bob”, encrypt_PublicKey(Bob)(password))
Attacker extracts encrypted password and replays it under his own signature:
“Charlie”, sig_Charlie(Time_Charlie, “Bob”, encrypt_PublicKey(Bob)(password))
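
Added example (not from the original slides): the replay above reproduced with toy textbook RSA, next to a sign-then-encrypt variant in which the signature covers the plaintext password and travels inside the ciphertext. The keys, password, function names and the exact layout of the second message are assumptions made for this sketch; unpadded RSA with keys this small is for illustration only.

```python
import hashlib

def keypair(p, q, e=65537):                 # textbook RSA: ((n, e), (n, d))
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

# Constructed toy keys (unpadded RSA on Mersenne primes): illustration only.
A_PUB, A_PRIV = keypair(2**31 - 1, 2**61 - 1)      # Alice
C_PUB, C_PRIV = keypair(2**19 - 1, 2**89 - 1)      # Charlie
B_PUB, B_PRIV = keypair(2**107 - 1, 2**127 - 1)    # Bob
PUBS = {"Alice": A_PUB, "Charlie": C_PUB}
PASSWORD, SIGLEN = b"hunter2!", 16   # secret Bob expects; bytes reserved per signature

def digest(n, *fields):
    return int.from_bytes(hashlib.sha256(repr(fields).encode()).digest(), "big") % n
def sign(priv, *fields):
    return pow(digest(priv[0], *fields), priv[1], priv[0])
def verify(pub, sig, *fields):
    return pow(sig, pub[1], pub[0]) == digest(pub[0], *fields)
def encrypt(pub, data):
    return pow(int.from_bytes(data, "big"), pub[1], pub[0])
def decrypt(priv, c):
    m = pow(c, priv[1], priv[0])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def send_v1(name, priv, t, password):       # encrypt, then sign (the slide's message)
    c = encrypt(B_PUB, password)
    return name, t, c, sign(priv, t, "Bob", c)

def bob_v1(msg):                            # returns the name Bob authenticates, or None
    name, t, c, sig = msg
    ok = verify(PUBS[name], sig, t, "Bob", c) and decrypt(B_PRIV, c) == PASSWORD
    return name if ok else None

def send_v2(name, priv, t, password):       # sign, then encrypt
    sig = sign(priv, t, "Bob", password)
    return name, t, encrypt(B_PUB, password + sig.to_bytes(SIGLEN, "big"))

def bob_v2(msg):
    name, t, c = msg
    plain = decrypt(B_PRIV, c)
    password, sig = plain[:-SIGLEN], int.from_bytes(plain[-SIGLEN:], "big")
    return name if password == PASSWORD and verify(PUBS[name], sig, t, "Bob", password) else None

def demo():
    m1, m2 = send_v1("Alice", A_PRIV, 1000, PASSWORD), send_v2("Alice", A_PRIV, 1000, PASSWORD)
    replay1 = ("Charlie", 1001, m1[2], sign(C_PRIV, 1001, "Bob", m1[2]))  # re-signed ciphertext
    replay2 = ("Charlie", 1001, m2[2])      # same ciphertext under a new sender name
    return bob_v1(m1), bob_v1(replay1), bob_v2(m2), bob_v2(replay2)
```

demo() returns ("Alice", "Charlie", "Alice", None): in the first format Bob credits Charlie with a password Charlie never saw, while in the second the inner signature fails to verify under Charlie's key and the replay is rejected.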

Authentication and Authorization
• Authentication: verify who you are.
• Authorization: restrict what you can do.

Authorization
• Access Control List (ACL)
  ◦ Given a resource, the ACL specifies which user can have what rights in accessing the resource.
• Capability List
  ◦ Given a user, the capability list specifies what resources the user can access and what the rights are for each resource.

Groups and Roles
• Groups
  ◦ A way to remove redundancy in ACLs or capability lists.
• Roles
  ◦ A different way of removing redundancy, other than groups.
  ◦ Establish a context for a user to perform his tasks.

Summary
• Trust: PKI trust models
  - how to find trust anchors (CA, peer)
  - how to establish chain-of-trust
• Certificate: proof of trust
  - what is a certificate
  - why is it needed
  - format: X.509
  - revocation: needed whenever a credential is issued

Reading Assignment
• [Kaufman] Chapter 15