Key Note - Path to Agility 2013 - Kanban - the alternative path to agility
Public Key Infrastructures - CDC · How path construction ... Indicates if policy mapping is...
Transcript of Public Key Infrastructures - CDC · How path construction ... Indicates if policy mapping is...
Public Key Infrastructures
Cryptography and Computer Algebra
Prof. Johannes BuchmannDr. Johannes Braun
Path Validation
2
RFC 5280
Certification path validation
▪ Path validation
▪ Verify the binding between a subject distinguished name (SDN) or subject alternative name (SAN) and a subject public key.
▪ How path construction is performed is outside the scope of the algorithm
▪ Any algorithm behaving exactly like the proposed one is seen as valid
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
3TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
4TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
5
RFC 5280 – Certification path validation
Steps
1. Initialization
Performed exactly once
2. Basic certificate processing
Once for each certificate
3. Preparation for next certificate
Once for each certificate (except the last one)
4. Wrap-up
Performed exactly once
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
6
RFC 5280 – Certification path validation
Flowchart
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
START
Initialization
Process cert
IF last cert in path
Prepare for next cert
NO
Wrap-up
STOP
YES
7
RFC 5280 – Certification path validation
Input variables
1. a prospective certification path of length n (without trust anchor)
2. the current date/time
3. user-initial-policy-set
4. trust anchor information
a. the trusted issuer name
b. the trusted public key algorithm
c. the trusted public key
d. optionally, the trusted public key parameters associated with the public key.
5. initial-policy-mapping-inhibit
6. initial-explicit-policy
7. initial-anyPolicy-inhibit
8. initial-permitted-subtrees (RFC5280)
9. initial-excluded-subtress (RFC5280)
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
8
Input variables – 1
Prospective certification path of length n
▪ The certification path to be validated
▪ Note: A certificate MUST NOT appear more than once in a prospective certification path.
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
9
Example
Certification path
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
TC3
TC6
Fred
TC1Path length?
certificate 1
certificate 2
certificate 3
n=3
trust anchor
10
Example
Certification path
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
TC3
TC6
Fred
TC1
certificate 1
certificate 2
certificate 3
trust anchorWhy are repetitions prohibited?
11
Example
Certification path
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
TC3
TC6
Fred
TC1Why are repetitions prohibited? certificate 1
certificate 2 / 5
certificate 6
trust anchor
TC4
certificate 3
certificate 4
Prevention of loops
12
Input variables – 2
Current date/time
▪ This is the time at which the path validation runs
Shell model …
Hybrid model by „cheating“ …
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
13
Input variables – 3
User-initial-policy-set
▪ A set of certificate policy identifiers
▪ The policies acceptable to the certificate user
▪Contains “anyPolicy” if the user is not concerned about certificate policies
▪ Example:
▪ { 1.2.3.4, 9.8.7.6}
▪ or more “readable” {gold, silver}
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
14
Input variables – 4
Trust anchor information
TC3
TC6
Fred
TC1(1) the trusted issuer name
(2) the trusted public key algorithm,
(3) the trusted public key,
and
(4) optionally, the trusted public key parameters associated with the public key.
trust anchor
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
15
Input variables – 4
Trust anchor information
TC3
TC6
Fred
TC1 trust anchor
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
▪May be provided in form of a self-signed certificate
▪ Is trusted because it was delivered by some trustworthy out-of-band procedure
16
Input variables – 5
Initial-policy-mapping-inhibit
▪ Indicates if policy mapping is allowed in the certification path.
▪ Either true or false.
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
17
X.509 extension
Policy Mappings
▪ Only for CA certificates
▪ Should be marked critical
▪ Contains pairs of (policy) OIDs the issuing CA considers equivalent
▪ Each pair: Indicates equivalence of an issuing CA’s policy with a subject CA’s policy
PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { issuerDomainPolicy CertPolicyId,
subjectDomainPolicy CertPolicyId }
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
18TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
User requires “Gold”
Valid or invalid?
Examples
Policy evaluation
19TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
User requires “Gold”
Valid
Existing mapping Gold Cyan
Examples
Policy evaluation
20TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
User requires “Gold”
Invalid
No mapping Gold Red
Fix: Include mapping
Examples
Policy evaluation
21TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
User requires “Gold”
Invalid
No mapping Gold Gold
Fix: Issue Diana under Silver
Examples
Policy evaluation
22TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
User requires “Gold”
Invalid
No mapping Gold [COLOR]
Fix: HRZ with Gold + mappings
Examples
Policy evaluation
23
Input variables – 6
Initial-explicit-policy
▪ Indicates if the path must be valid for at least one of the certificate policies in the user-initial-policy-set.
▪ Either true or false
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
24
X.509 extension
Policy Constraints
▪ Only for CA certificates
▪Must be marked critical
▪ Contains two integers:
▪Allowed number of subsequent certificates before an explicit policy is required
▪Allowed number of subsequent certificates before policy mapping is no longer permitted
PolicyConstraints ::= SEQUENCE { requireExplicitPolicy [0] SkipCerts OPTIONAL, inhibitPolicyMapping [1] SkipCerts OPTIONAL }
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
25
Input variables – 7
Initial-anyPolicy-inhibit
▪ Indicates whether the anyPolicy OID should be processed if it is included in a certificate.
▪ Either true or false
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
26
X.509 extension
Inhibit anyPolicy
▪ Only for CA certificates
▪Must be marked critical
▪ Contains one integer:
▪ Allowed number of subsequent certificates before anyPolicy is no longer permitted
▪ Self-issued certificates not counted, may still use anyPolicy
E.g. Value of one anyPolicy may be processed in nextcertificate in the path, but not in additional ones.
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
27TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
User requires “Gold”
Valid or invalid?
Examples
Policy evaluation
28TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
User requires “Gold”
Invalid
Chipcard certificate lacks explicit
policy
Examples
Policy evaluation
29TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
User requires “Gold”
Invalid
Chipcard certificate prohibits
anyPolicy used by Employee
certificate
Examples
Policy evaluation
30TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
User requires “Gold”
Valid
All certificates have explicit policies
+ no anyPolicy used
Examples
Policy evaluation
31
Input variables – 8
Initial-permitted-subtrees
▪ Indicates which names are allowed for subject names in the path
▪ For each name type (e.g., X.500 distinguished names, email addresses, or IP addresses): a set of subtrees defining the acceptable names
▪ New in RFC 5280, was not contained in RFC 3280
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
32
Input variables – 9
Initial-excluded-subtrees
▪ Indicates which names are not allowed for subject names in the path
▪ For each name type: a set of subtrees defining the prohibited names
▪ New in RFC 5280, was not contained in RFC 3280
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
33
X.509 extension
Name Constraints
▪ Only for CA certificates
▪Must be marked critical
▪ Indicates the name space for allowed subject names in subsequent certificates
▪ Applys to SubjectDN and SubjectAlternativeName
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
34
X.509 extension
Name Constraints
Example subtree:
▪ {base .tu-darmstadt.de}, minimum 0, maximum 2}
includes <…>.tu-darmstadt.de, <…>.<…>.tu-darmstadt.de
but not <…>.<…>.<…>.tu-darmstadt.de
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
NameConstraints extension
excludedSubtrees permittedSubtrees
General
Subtree
General
Subtree
General
Subtree
General
Subtree
General
Subtree
General
Subtree……
base GeneralName, minimum [0] BaseDistance DEFAULT 0,maximum [1] BaseDistance OPTIONAL
35
RFC 5280 – Certification path validation
Initialization
Eleven (11) variables are set:
1. valid_policy_tree
2. permitted_subtrees
3. excluded_subtrees
4. explicit_policy
5. inhibit_anyPolicy
6. policy_mapping
7. working_public_key_algorithm
8. working_public_key
9. working_public_key_parameters
10. working_issuer_name
11. max_path_length
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
0 if respective input variable is “true”, else n+1
n
Set to respective input variables
See next slides
According to trust anchor information
36
Algorithm variable
Valid_policy_tree
▪ A tree of certificate policies + their optional qualifiers
▪ Leaves represent valid policies at respective stage in the certification path validation
▪ If valid policies exist: tree depth = the number of processed certificates
▪ If valid policies do not exist:The tree is set to NULL, policy processing ceases
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
37
Valid_policy_tree
Nodes
anyPolicy
{ anyPolicy }
{ }
valid_policy
expected_policy_set
qualifier set
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
Single policy OID representing a valid policy for the path of length x
Set of policy qualifiers associated with the valid policy in certificate x
Contains one or more policy OIDs that would satisfy the policy in the certificate x+1
Note: In RFC 5280 criticality indicator was removed (compared to RFC 3280)
38
Valid_policy_tree
Initial state
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
depth 0
anyPolicy
{ anyPolicy }
{ }
valid_policy
expected_policy_set
qualifier set
39
RFC 5280 – Certification path validation
Basic certificate processing
▪ Once for each certificate:
1. Basic verification
a) Certificate signature can be verified with the working_public_key_algorithm, working_public_key, and working_public_key_parameters?
b) Certificate is valid in time?
c) Not revoked or on hold?
d) Issuer Name = working_issuer_name?
2. SDN and SANs belong to permitted_subtrees?
3. SDN and SANs do not belong to excluded_subtrees
4. Policy processing
5. If policies not present, then set valid_policy_tree to NULL
6. Verify explicit_policy or valid_policy_tree
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
40
Basic certificate processing – policy processing
Exact match
Red
{ Gold, White }
{ }
Gold
{ Gold }
{ }
Node of depth i-1
Node of depth i
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
41
Basic certificate processing – policy processing
Leaf node – anyPolicy
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
anyPolicy
{ anyPolicy }
{ }
Gold
{ Gold }
{ }
node of depth i-1
nodes of
depth i
Silver
{ Silver }
{ Q-Silver }
42
Basic certificate processing – policy processing
Certificate - anyPolicy
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
Red
{ Gold, Silver }
{ }
Gold
{ Gold }
{ }
node of depth i-1
nodes of
depth i
Silver
{ Silver }
{ }
43
Basic certificate processing – policy processing
Deletion of nodes w/o children
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
will be deleted from the tree, since no children
will be deleted from the tree, too
node of depth i-3
nodes of
depth i-2
nodes of
depth i-1
nodes of
depth i
44
RFC 5280 – Certification path validation
Preparation for next certificate
▪ Once for each certificate (except the last one)
▪ Process policy mappings
▪ Update algorithm variables
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
45
Preparation for next certificate
Policy mapping
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
Red
{ Gold, Silver }
{ }
node of depth iRed
{ Red }
{ }replace
if mapping existsfor each issuerDomainPolicy ID-Pif Policy_mapping > 0apply mapping
elsedelete ID-P leavesdelete inner nodes without children
endifendfor
endif
46
Preparation for next certificate
Policy mapping to ANY
This is not allowed!
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
47
Preparation for next certificate
Policy mapping from ANY
This is not allowed!
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
48
Preparation for next certificate
Update variables
working_issuer_name subject DN
working_public_key subjectPublicKey
working_public_key_parameters parameters from subjectPublicKeyInfo
working_public_key_algorithm subjectPublicKey algorithm
Permitted_Subtrees Permitted_Subtrees ∩ permittedSubtrees
Excluded_Subtrees Excluded_Subtrees ∪ excludedSubtrees
explicit_policy MIN(- - explicit_policy, requireExplicitPolicy)
policy_mapping MIN(- - policy_mapping, inhibitPolicyMapping)
inhibit_anyPolicy MIN(- - inhibit_anyPolicy, inhibitAnyPolicy)
max_path_length MIN(- - max_path_length, pathLenConstraint)
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
from currently processed certificate
49
RFC 5280 – Certification path validation
Wrap-up
▪ Only for certificate n
▪ Update (some) algorithm variables
▪ Recognize and process extensions of certificate n
▪ Finalize valid_policy_tree: Calculate the intersection of the valid_policy_tree and the user-initial-policy-set
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
50
Wrap-up
Update variables
explicit_policy 0 if requireExplicitPolicy == 0
else MAX(- - explicit_policy, 0)
working_public_key subjectPublicKey
working_public_key_parameters parameters from subjectPublicKeyInfo
working_public_key_algorithm subjectPublicKey algorithm
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
from certificate n
51
Any
{ Any }
{ }
Cyan
{ Cyan }
{ }
Gold
{ Gold }
{ }
Red
{ Red }
{ }
Any
{ Any }
{ }
Cyan
{ Cyan }
{ }
Gold
{ Gold }
{ }
Red
{ Red }
{ }
Any
{ Any }
{ }
uips = {Gold,Green}
Wrap-up
Finalize valid_policy_tree
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
52
Any
{ Any }
{ }
Cyan
{ Cyan }
{ }
Gold
{ Gold }
{ }
Red
{ Red }
{ }
Any
{ Any }
{ }
Cyan
{ Cyan }
{ }
Gold
{ Gold }
{ }
Red
{ Red }
{ }
Any
{ Any }
{ }
uips = {Gold,Green}
Wrap-up
Finalize valid_policy_tree
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
Determine the set of policy nodes whose parent nodes have a valid_policy of anyPolicy. This is the valid_policy_node_set.
53
Any
{ Any }
{ }
Cyan
{ Cyan }
{ }
Gold
{ Gold }
{ }
Red
{ Red }
{ }
Any
{ Any }
{ }
Cyan
{ Cyan }
{ }
Gold
{ Gold }
{ }
Red
{ Red }
{ }
Any
{ Any }
{ }
uips = {Gold,Green}
Wrap-up
Finalize valid_policy_tree
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
If the valid_policy of any node in the valid_policy_node_set is not in the user-initial-policy-set and is not anyPolicy, delete this node and all its children.
54
Any
{ Any }
{ }
Gold
{ Gold }
{ }
Any
{ Any }
{ }
Gold
{ Gold }
{ }
Any
{ Any }
{ }
uips = {Gold,Green}
Wrap-up
Finalize valid_policy_tree
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
55
Wrap-up
Finalize valid_policy_tree
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
If the valid_policy_treeincludes a node of depth n with the valid_policyanyPolicy and the user-initial-policy-set is not any-policy, perform the following steps:
▪ For each P-OID in the user-initial-policy-set that is not the valid_policy of a node in the valid_policy_node_set, create a child node whose parent is the node of depth n-1 with the valid_policy anyPolicy.
▪ Delete the node of depth n with the valid_policyanyPolicy.
Any
{ Any }
{ }
Gold
{ Gold }
{ }
Any
{ Any }
{ }
Gold
{ Gold }
{ }
Green
{ Green }
{ }
Any
{ Any }
{ }
uips = {Gold,Green}
56
Wrap-up
Finalize valid_policy_tree – result
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures
Any
{ Any }
{ }
Gold
{ Gold }
{ }
Any
{ Any }
{ }
Gold
{ Gold }
{ }
Green
{ Green }
{ }
uips = {Gold,Green}
57
RFC 5280 – Certification path validation
Output
▪ If either (1) the value of explicit_policy variable is greater than zero or (2) the valid_policy_tree is not NULL, then path processing has succeeded.
▪ If successful
▪ success indicator
▪ valid_policy_tree
▪ working_public_key
▪ working_public_key_algorithm
▪ working_public_key_parameters
▪ Else
▪ failure indicator
TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures