Public Key Infrastructures - CDC · How path construction ... Indicates if policy mapping is...

Public Key Infrastructures

Cryptography and Computer Algebra

Prof. Johannes BuchmannDr. Johannes Braun

Path Validation

2

RFC 5280

Certification path validation

▪ Path validation

▪ Verify the binding between a subject distinguished name (SDN) or subject alternative name (SAN) and a subject public key.

▪ How path construction is performed is outside the scope of the algorithm

▪ Any algorithm behaving exactly like the proposed one is seen as valid

TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures

3TU Darmstadt | Cryptography and Computer Algebra | Lecture: Public Key Infrastructures

5

RFC 5280 – Certification path validation

Steps

1. Initialization

Performed exactly once

2. Basic certificate processing

Once for each certificate

3. Preparation for next certificate

Once for each certificate (except the last one)

4. Wrap-up

Performed exactly once


6


Flowchart


START

Initialization

Process cert

IF last cert in path

Prepare for next cert

NO

Wrap-up

STOP

YES

7


Input variables

1. a prospective certification path of length n (without trust anchor)

2. the current date/time

3. user-initial-policy-set

4. trust anchor information

a. the trusted issuer name

b. the trusted public key algorithm

c. the trusted public key

d. optionally, the trusted public key parameters associated with the public key.

5. initial-policy-mapping-inhibit

6. initial-explicit-policy

7. initial-anyPolicy-inhibit

8. initial-permitted-subtrees (RFC5280)

9. initial-excluded-subtress (RFC5280)


8

Input variables – 1

Prospective certification path of length n

▪ The certification path to be validated

▪ Note: A certificate MUST NOT appear more than once in a prospective certification path.


9

Example

Certification path


TC3

TC6

Fred

TC1Path length?

certificate 1

certificate 2

certificate 3

n=3

trust anchor

10

Example

Certification path


TC3

TC6

Fred

TC1

certificate 1

certificate 2

certificate 3

trust anchorWhy are repetitions prohibited?

11

Example

Certification path


TC3

TC6

Fred

TC1Why are repetitions prohibited? certificate 1

certificate 2 / 5

certificate 6

trust anchor

TC4

certificate 3

certificate 4

Prevention of loops

12


Current date/time

▪ This is the time at which the path validation runs

Shell model …

Hybrid model by „cheating“ …


13


User-initial-policy-set

▪ A set of certificate policy identifiers

▪ The policies acceptable to the certificate user

▪Contains “anyPolicy” if the user is not concerned about certificate policies

▪ Example:

▪ { 1.2.3.4, 9.8.7.6}

▪ or more “readable” {gold, silver}


14


Trust anchor information

TC3

TC6

Fred

TC1(1) the trusted issuer name

(2) the trusted public key algorithm,

(3) the trusted public key,

and

(4) optionally, the trusted public key parameters associated with the public key.

trust anchor


15


Trust anchor information

TC3

TC6

Fred

TC1 trust anchor


▪May be provided in form of a self-signed certificate

▪ Is trusted because it was delivered by some trustworthy out-of-band procedure

16


Initial-policy-mapping-inhibit

▪ Indicates if policy mapping is allowed in the certification path.

▪ Either true or false.


17

X.509 extension

Policy Mappings

▪ Only for CA certificates

▪ Should be marked critical

▪ Contains pairs of (policy) OIDs the issuing CA considers equivalent

▪ Each pair: Indicates equivalence of an issuing CA’s policy with a subject CA’s policy

PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { issuerDomainPolicy CertPolicyId,

subjectDomainPolicy CertPolicyId }



User requires “Gold”

Valid or invalid?

Examples

Policy evaluation



Valid

Existing mapping Gold Cyan

Examples

Policy evaluation



Invalid

No mapping Gold Red

Fix: Include mapping

Examples

Policy evaluation



Invalid

No mapping Gold Gold

Fix: Issue Diana under Silver

Examples

Policy evaluation



Invalid

No mapping Gold [COLOR]

Fix: HRZ with Gold + mappings

Examples

Policy evaluation

23


Initial-explicit-policy

▪ Indicates if the path must be valid for at least one of the certificate policies in the user-initial-policy-set.

▪ Either true or false


24

X.509 extension

Policy Constraints


▪Must be marked critical

▪ Contains two integers:

▪Allowed number of subsequent certificates before an explicit policy is required

▪Allowed number of subsequent certificates before policy mapping is no longer permitted

PolicyConstraints ::= SEQUENCE { requireExplicitPolicy [0] SkipCerts OPTIONAL, inhibitPolicyMapping [1] SkipCerts OPTIONAL }


25


Initial-anyPolicy-inhibit

▪ Indicates whether the anyPolicy OID should be processed if it is included in a certificate.

▪ Either true or false


26

X.509 extension

Inhibit anyPolicy



▪ Contains one integer:

▪ Allowed number of subsequent certificates before anyPolicy is no longer permitted

▪ Self-issued certificates not counted, may still use anyPolicy

E.g. Value of one anyPolicy may be processed in nextcertificate in the path, but not in additional ones.




Valid or invalid?

Examples

Policy evaluation



Invalid

Chipcard certificate lacks explicit

policy

Examples

Policy evaluation



Invalid

Chipcard certificate prohibits

anyPolicy used by Employee

certificate

Examples

Policy evaluation



Valid

All certificates have explicit policies

+ no anyPolicy used

Examples

Policy evaluation

31


Initial-permitted-subtrees

▪ Indicates which names are allowed for subject names in the path

▪ For each name type (e.g., X.500 distinguished names, email addresses, or IP addresses): a set of subtrees defining the acceptable names

▪ New in RFC 5280, was not contained in RFC 3280


32


Initial-excluded-subtrees

▪ Indicates which names are not allowed for subject names in the path

▪ For each name type: a set of subtrees defining the prohibited names

▪ New in RFC 5280, was not contained in RFC 3280


33

X.509 extension

Name Constraints



▪ Indicates the name space for allowed subject names in subsequent certificates

▪ Applys to SubjectDN and SubjectAlternativeName


34

X.509 extension

Name Constraints

Example subtree:

▪ {base .tu-darmstadt.de}, minimum 0, maximum 2}

includes <…>.tu-darmstadt.de, <…>.<…>.tu-darmstadt.de

but not <…>.<…>.<…>.tu-darmstadt.de


NameConstraints extension

excludedSubtrees permittedSubtrees

General

Subtree

General

Subtree

General

Subtree

General

Subtree

General

Subtree

General

Subtree……

base GeneralName, minimum [0] BaseDistance DEFAULT 0,maximum [1] BaseDistance OPTIONAL

35


Initialization

Eleven (11) variables are set:

1. valid_policy_tree

2. permitted_subtrees

3. excluded_subtrees

4. explicit_policy

5. inhibit_anyPolicy

6. policy_mapping

7. working_public_key_algorithm

8. working_public_key

9. working_public_key_parameters

10. working_issuer_name

11. max_path_length


0 if respective input variable is “true”, else n+1

n

Set to respective input variables

See next slides

According to trust anchor information

36

Algorithm variable

Valid_policy_tree

▪ A tree of certificate policies + their optional qualifiers

▪ Leaves represent valid policies at respective stage in the certification path validation

▪ If valid policies exist: tree depth = the number of processed certificates

▪ If valid policies do not exist:The tree is set to NULL, policy processing ceases


37

Valid_policy_tree

Nodes

anyPolicy

{ anyPolicy }

{ }

valid_policy

expected_policy_set

qualifier set


Single policy OID representing a valid policy for the path of length x

Set of policy qualifiers associated with the valid policy in certificate x

Contains one or more policy OIDs that would satisfy the policy in the certificate x+1

Note: In RFC 5280 criticality indicator was removed (compared to RFC 3280)

38

Valid_policy_tree

Initial state


depth 0

anyPolicy

{ anyPolicy }

{ }

valid_policy

expected_policy_set

qualifier set

39


Basic certificate processing

▪ Once for each certificate:

1. Basic verification

a) Certificate signature can be verified with the working_public_key_algorithm, working_public_key, and working_public_key_parameters?

b) Certificate is valid in time?

c) Not revoked or on hold?

d) Issuer Name = working_issuer_name?

2. SDN and SANs belong to permitted_subtrees?

3. SDN and SANs do not belong to excluded_subtrees

4. Policy processing

5. If policies not present, then set valid_policy_tree to NULL

6. Verify explicit_policy or valid_policy_tree


40

Basic certificate processing – policy processing

Exact match

Red

{ Gold, White }

{ }

Gold

{ Gold }

{ }

Node of depth i-1

Node of depth i


41


Leaf node – anyPolicy


anyPolicy

{ anyPolicy }

{ }

Gold

{ Gold }

{ }

node of depth i-1

nodes of

depth i

Silver

{ Silver }

{ Q-Silver }

42


Certificate - anyPolicy


Red

{ Gold, Silver }

{ }

Gold

{ Gold }

{ }

node of depth i-1

nodes of

depth i

Silver

{ Silver }

{ }

43


Deletion of nodes w/o children


will be deleted from the tree, since no children

will be deleted from the tree, too

node of depth i-3

nodes of

depth i-2

nodes of

depth i-1

nodes of

depth i

44


Preparation for next certificate

▪ Once for each certificate (except the last one)

▪ Process policy mappings

▪ Update algorithm variables


45


Policy mapping


Red

{ Gold, Silver }

{ }

node of depth iRed

{ Red }

{ }replace

if mapping existsfor each issuerDomainPolicy ID-Pif Policy_mapping > 0apply mapping

elsedelete ID-P leavesdelete inner nodes without children

endifendfor

endif

46


Policy mapping to ANY

This is not allowed!


47


Policy mapping from ANY

This is not allowed!


48


Update variables

working_issuer_name subject DN

working_public_key subjectPublicKey

working_public_key_parameters parameters from subjectPublicKeyInfo

working_public_key_algorithm subjectPublicKey algorithm

Permitted_Subtrees Permitted_Subtrees ∩ permittedSubtrees

Excluded_Subtrees Excluded_Subtrees ∪ excludedSubtrees

explicit_policy MIN(- - explicit_policy, requireExplicitPolicy)

policy_mapping MIN(- - policy_mapping, inhibitPolicyMapping)

inhibit_anyPolicy MIN(- - inhibit_anyPolicy, inhibitAnyPolicy)

max_path_length MIN(- - max_path_length, pathLenConstraint)


from currently processed certificate

49


Wrap-up

▪ Only for certificate n

▪ Update (some) algorithm variables

▪ Recognize and process extensions of certificate n

▪ Finalize valid_policy_tree: Calculate the intersection of the valid_policy_tree and the user-initial-policy-set


50

Wrap-up

Update variables

explicit_policy 0 if requireExplicitPolicy == 0

else MAX(- - explicit_policy, 0)

working_public_key subjectPublicKey

working_public_key_parameters parameters from subjectPublicKeyInfo

working_public_key_algorithm subjectPublicKey algorithm


from certificate n

51

Any

{ Any }

{ }

Cyan

{ Cyan }

{ }

Gold

{ Gold }

{ }

Red

{ Red }

{ }

Any

{ Any }

{ }

Cyan

{ Cyan }

{ }

Gold

{ Gold }

{ }

Red

{ Red }

{ }

Any

{ Any }

{ }

uips = {Gold,Green}

Wrap-up

Finalize valid_policy_tree


52

Any

{ Any }

{ }

Cyan

{ Cyan }

{ }

Gold

{ Gold }

{ }

Red

{ Red }

{ }

Any

{ Any }

{ }

Cyan

{ Cyan }

{ }

Gold

{ Gold }

{ }

Red

{ Red }

{ }

Any

{ Any }

{ }

uips = {Gold,Green}

Wrap-up



Determine the set of policy nodes whose parent nodes have a valid_policy of anyPolicy. This is the valid_policy_node_set.

53

Any

{ Any }

{ }

Cyan

{ Cyan }

{ }

Gold

{ Gold }

{ }

Red

{ Red }

{ }

Any

{ Any }

{ }

Cyan

{ Cyan }

{ }

Gold

{ Gold }

{ }

Red

{ Red }

{ }

Any

{ Any }

{ }

uips = {Gold,Green}

Wrap-up



If the valid_policy of any node in the valid_policy_node_set is not in the user-initial-policy-set and is not anyPolicy, delete this node and all its children.

54

Any

{ Any }

{ }

Gold

{ Gold }

{ }

Any

{ Any }

{ }

Gold

{ Gold }

{ }

Any

{ Any }

{ }

uips = {Gold,Green}

Wrap-up



55

Wrap-up



If the valid_policy_treeincludes a node of depth n with the valid_policyanyPolicy and the user-initial-policy-set is not any-policy, perform the following steps:

▪ For each P-OID in the user-initial-policy-set that is not the valid_policy of a node in the valid_policy_node_set, create a child node whose parent is the node of depth n-1 with the valid_policy anyPolicy.

▪ Delete the node of depth n with the valid_policyanyPolicy.

Any

{ Any }

{ }

Gold

{ Gold }

{ }

Any

{ Any }

{ }

Gold

{ Gold }

{ }

Green

{ Green }

{ }

Any

{ Any }

{ }

uips = {Gold,Green}

56

Wrap-up

Finalize valid_policy_tree – result


Any

{ Any }

{ }

Gold

{ Gold }

{ }

Any

{ Any }

{ }

Gold

{ Gold }

{ }

Green

{ Green }

{ }

uips = {Gold,Green}

57


Output

▪ If either (1) the value of explicit_policy variable is greater than zero or (2) the valid_policy_tree is not NULL, then path processing has succeeded.

▪ If successful

▪ success indicator

▪ valid_policy_tree

▪ working_public_key

▪ working_public_key_algorithm

▪ working_public_key_parameters

▪ Else

▪ failure indicator


Public Key Infrastructures - CDC · How path construction ... Indicates if policy mapping is...

Documents

Transcript of Public Key Infrastructures - CDC · How path construction ... Indicates if policy mapping is...