Public Key Infrastructures - win.tue.nl · ECC challenges 12-11-2015 PAGE 12 ECC Field Size Days...
Transcript of Public Key Infrastructures - win.tue.nl · ECC challenges 12-11-2015 PAGE 12 ECC Field Size Days...
Key Exchange Problem
PAGE 112-11-2015
n*(n-1)/2 keys = O(n2)
[From: http://www.internetworldstats.com/stats.htm , June 30, 2012]
Internet: 2,405,518,376 users
2,892,056,568,246,079,500 keys≈2,9* 1018 keys
Authentication Center
PAGE 312-11-2015
• The authentication center (AC) in mobile
communications knows all the keys.
It stores them in a database.[From “IT-Sicherheit”, page 785, 800]
Solution 2: Use Public Key Crypto
PAGE 412-11-2015
Public-Key-Server
The server does not know any private information!
Asymmetric encryption problems
Performance
Key availability
Key ownership
Key validity
Public-Key-Server
PAGE 512-11-2015
Hybrid encryption
PAGE 612-11-2015
plaintextdecrypt
Sdkfj
kj
djd
fj
djf
jkj
encryptplaintext
decryptencrypt
symmetric session key
Bob’s
public
Bob’s
private
Digital signature problems
PAGE 712-11-2015
Key availability
Key ownership
Key validity
Public-Key-Server
Lifetime of Hash Functions
PAGE 912-11-2015
Source: http://valerieaurora.org/hash.html
RSA - published in 1978
PAGE 1012-11-2015
…using 200 digits provides
a margin of safety against
future developments…
RSA Factoring Challenge
PAGE 1112-11-2015
number digits prize factored
RSA-100 100 Apr. 1991
RSA-110 110 Apr. 1992
RSA-120 120 Jun. 1993
RSA-129 129 $100 Apr. 1994
RSA-130 130 Apr. 10, 1996
RSA-140 140 Feb. 2, 1999
RSA-150 150 Apr. 16, 2004
RSA-155 155 Aug. 22, 1999
RSA-160 160 Apr. 1, 2003
RSA-200 200 May 9, 2005
RSA-576 174 $10,000 Dec. 3, 2003
RSA-640 193 $20,000 Nov. 4, 2005
RSA-704 212 $30,000 July 2, 2012
RSA-768 232 $50,000 Dec. 12, 2009
RSA-896 270 $75,000 not factored
RSA-1024 309 $100,000 not factored
RSA-1536 463 $150,000 not factored
RSA-2048 617 $200,000 not factored
Challenge is no longer active, original webpage unavailablebut you can see results
https://en.wikipedia.org/wiki/RSA_Factoring_Challenge
ECC challenges
PAGE 1212-11-2015
ECC Field Size Days Date
ECC2-79 79 352 1997
ECC2-89 89 11278 1998
ECC2K-95 97 8637 1998
ECC2-97 97 180448 1999
ECC2K-108 109 1.3x10^6 2000
ECC2-109 109 2.1x10^7 2004
ECCp-79 79 146 1997
ECCp-89 89 4360 1998
ECCp-97 97 71982 1998
ECCp-109 109 9x10^7 2002
[From www.certicom.com/images/pdfs/challenge-2009.pdf]
Post-Quantum Crypto
• Hash-based signatures
• Lattice-based cryptography
• Coding-based cryptography
• Multivariate cryptography
PAGE 1612-11-2015
Public Key Infrastructures
… a public key infrastructure (PKI) is designed to
facilitate the use of public key cryptography.
Source: Housley, R. and Polk, T.: Planning for PKI; Wiley 2001
PAGE 1712-11-2015
Tasks of a PKI
• Assure that the public key is available
• Assure that the public key is authentic
• Assure that the public key is valid
• Enforce security and interoperability
PAGE 1812-11-2015
Authenticate Public Keys
• Bind public key to electronic identity
• Seal the binding
• Answer for the binding
Public key certificates
PAGE 1912-11-2015
Public Key Certificate
Public key certificates are data structures that bind
public key values to subjects. The binding is
asserted by having a trusted CA digitally sign each
certificate …
[From RFC 5280]
PAGE 2012-11-2015
Public Key Certificate
PAGE 2212-11-2015
Digital Signature
Subject (Name)
Public-keyBinding eID public key
protection of authenticity
Certificate Properties
• Protected binding of a key to the key holder
• Its authenticity is independent of the means of
transportation
• It can be used online and offline
• It is a proof of the binding
• It can be used for key servers
PAGE 2312-11-2015
Certificate Standards
PAGE 2412-11-2015
• X.509• X.509 (ITU-T)
• PKIX (RFC 5280)
• Pretty Good Privacy (PGP)• OpenPGP (RFC 4880)
• GNU Privacy Guard (GnuPG or GPG)
• WAP certificates• Like X.509 certificates but smaller
• Card Verifiable Certificates (CVC)• Even smaller than WAP certificates
• Simple PKI / Simple Distributed Security Infrastructure• SPKI, pronounced spoo-key
• SDSI, pronounced sudsy
Validity of Public Keys
• Monitor binding public key electronic identity
key owner
• Establish time constraints
• Provide means to revoke binding
Certificate revocation
PAGE 2512-11-2015
Certificate Revocation
PAGE 2612-11-2015
• Abortive ending of the binding between
• subject and key (public key certificate)
OR
• subject and attributes (attribute certificate)
• The revocation is initiated by
• the subject
OR
• the issuer
• Typical frequency (assumption):
• 10% of the issued certificates will be revoked (See: “Selecting
Revocation Solutions for PKI” by Årnes, Just, Knapskog, Lloyd and Meijer)
Publish Public Key Information
PAGE 2812-11-2015
• Directories• (L)DAP
• Active Directory
• Web pages• HTTP
• File transfer• FTP
• Services
• OCSP
• SCVP
Security of Key Pairs
Select suitable algorithms and key sizes
Monitor possible security threads and react adequately
Provide suitable means to generate key pairs
Provide suitable formats and media to store private keys
Provide suitable means of delivering private keys
Personal security environments
PAGE 3012-11-2015
Interoperability
• Comply to accepted (international) standards
• Certificates / revocations
− X.509, PGP, SPKI/SDSI, …
• Directory services
− (L)DAP, Active Directory, …
• Cryptographic algorithms / protocols / formats
− PKCS, RFC, …
• Constraints on content and processing
− PKIX, ISIS-MTT, …
PAGE 3212-11-2015
Policy Enforcement
• Certificate policy (CP)
• States what to comply to
• Certificate practice statement (CPS)
• States how to comply
• Policies are enforced by the PKI through:
• Selecting standards, parameters, hardware, …
• Monitor behavior of involved parties
• Reacting on infringement of the policy
PAGE 3312-11-2015
Trust
The perhaps most important part of a PKI is to
establish trust in the binding between an entity and a
certificate
PAGE 3512-11-2015
Direct Trust
PAGE 3612-11-2015
• User receives public key directly from owner
OR
• User verifies public key directly with owner
Most Common: Fingerprint comparison
PAGE 3712-11-2015
Fingerprint = hash value of the certificate (incl. Signature) (e.g. SHA1)
Web Page Verification
PAGE 4012-11-2015
http://www.cacert.org/index.php?id=3
…and more
PAGE 4212-11-2015
~# gpg --list-public-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
sub 2048g/8495160C 2000-10-19 [expires: 2006-02-12]
e.g. public keys on software CD/DVD
Summary: Direct Trust
• Establishes• Which keys are authentic
• Why they are considered authentic
• Bad scalability• n * (n-1) = O(n2) verifications
• Worse complexity than secret key exchange!
• Basis for all other trust models• To be seen
PAGE 4312-11-2015
Web of Trust
PAGE 4612-11-2015
A web of trust is a concept used in PGP, GnuPG, and
other OpenPGP-compatible systems to establish the
authenticity of the binding between a public key and a
user.
Its decentralized trust model is an alternative to the
centralized trust model of a public key infrastructure
(PKI), which relies exclusively on a certificate authority
(or a hierarchy of such).
Source: http://en.wikipedia.org/wiki/Web_of_trust
Key Validity
PAGE 4712-11-2015
• Alice computes key validity using Bob’s signatures
Carl
Dorian
BobAlice
Chaining Key Validity
PAGE 4812-11-2015
• Alice computes key validity using Bob’s and Carl’s
signatures
Alice Bob Carl
Dorian
Eve
Key Validity vs. Owner Trust
PAGE 5112-11-2015
• Key Validity:
• Is the key owner who he claims to be?
• Levels: no answer; unknown; marginal; complete;
ultimate
• Owner trust:
• Is the key owner reliable? (in respect to signing keys of others)
• Levels: unknown; none; marginal; complete; ultimate
Key Validity: Levels
PAGE 5212-11-2015
• no answer
• Nothing is said about this key.
• unknown
• Nothing is known about this key.
• marginal
• The key probably belongs to the name.
• complete
• The key definitely belongs to the name.
• (ultimate)
• (Own keys).
Owner Trust: Levels
PAGE 5312-11-2015
• unknown
• Nothing can be said about the owner's judgmentin key signing.
• none
• The owner is known to improperly sign keys.
• marginal
• The owner is known to properly sign keys.
• complete
• The owner is known to put great care in keysigning.
• ultimate
• The owner is known to put great care in keysigning, and is allowed to make trust decisions foryou.
Assigning Key Validity
• Manually (Key Signing)
OR
• computed from the trust in the corresponding
signers, only considering signers with key validity
“complete” (or better).
PAGE 5412-11-2015
Key Signing: Direct Trust
PAGE 5612-11-2015
Bob’s key validity is complete for Alice because she decided it when signing the key after verifying the fingerprint.
Key Validity Computation: “complete” (1)
PAGE 5712-11-2015
If the key is signed by at least one user with owner trust complete.
Key Validity Computation: “complete” (2)
PAGE 5812-11-2015
If the key is signed by at least x (here x=2) names with owner trust marginal.
Key Validity Computation: “marginal”
PAGE 5912-11-2015
If the key is signed by less than x (here x=2) names with owner trust marginal.
Key Validity Computation: “unknown”
PAGE 6012-11-2015
If the key is signed by no name with at least owner trust marginal
Assigning Owner Trust
• Manually (Trust Setting)
OR
• computed from the owner trust of signers only using
“ultimate” valid keys.
PAGE 6112-11-2015
“Simple” PGP
PAGE 6312-11-2015
Alice signs Bob’s key (level 0) and trusts him. Alice uses Bob’s signatures on Dorian’s and Frank’s
keys.
Trusted Introducers
PAGE 6412-11-2015
Alice signs Bob’s key (level 1) and trusts him. Bob signs Carl’s key (level 0) and trusts him. Alice uses Carl’s signatures on Dorian’s and Frank’s
keys. Bob = Trusted Introducer
By allowing more intermediate signers (level >1), Bob becomes a Meta Introducer
PGP Certificates: Content
PAGE 6612-11-2015
[From http://www.ece.cmu.edu/~adrian/630-f04/PGP-intro.html]
How to share Keys with PGP
• Attach to mail
• Use Key Server
→ Still need to verify key validity!
PAGE 6712-11-2015
PGP Revocation
• Uses Key Revocation Certificate
• generated during KeyGen using private key
• Uploading Key Revocation Certificate to one of the
public key servers revokes key pair.
• Key Revocation Certificate can contain new UserID
PAGE 7012-11-2015
DFN PCA
TUD CA Uni Gießen
Alice Bob Carl Doris Emil
TUD Student CA TUD Employee CA
Hierarchical trust
root CA
Why does Alice trust in Doris’ key?
Why does Alice trust in Doris’ key?
DFN PCA
TUD CA Uni Gießen
Alice Bob Carl Doris Emil
TUD Student CA TUD Employee CA
Hierarchical trust
root CA
Alice
TUD Student CA
TUD CA
TUD Employee CATUD Student CA
DFN PCADFN PCA
TUD CA Uni Gießen
Alice Bob Carl Doris Emil
Hierarchical trust
Emil to Alice
Trust anchor
Certification path
Public-key in question
Intermediate CAs
Trust models in multiple hierarchies
TC2
Alice Bob Carl Doris Emil
TC4 TC5
TC3
TC6 TC7
Fred Gerd Hans
When does Alice accept the certificate of Fred?
Method 1: Trusted List
TC2
Alice Bob Carl Doris Emil
TC4 TC5
TC3
TC6 TC7
Fred Gerd Hans
Every participant has a list of trusted CAs. Alice trusts TC2 and TC3 Every user maintains an own list (like in the Web of Trust) Used in Web Browsers (preinstalled + user defined)
Trusted List: certification path
TC2
Alice Bob Carl Doris Emil
TC4 TC5
TC3
TC6 TC7
Fred Gerd Hans
Alice to Fred
Method 2: Common Root
Every user who trusts TC1, accepts every other end-user certificate.
TC2
Alice Bob Carl Doris Emil
TC4 TC5
TC3
TC6 TC7
Fred Gerd Hans
TC1
Common Root: certification path
TC2
Alice Bob Carl Doris Emil
TC4 TC5
TC3
TC6 TC7
Fred Gerd Hans
TC1
Alice to Fred
Method 3: Cross-certification
TC2 issues a CA-certificate for TC3.
TC3 issues a CA-certificate for TC2.
Every user who trusts TC3, accepts every certificate, that was issued by TC2
(or a subordinate CA). Every user who trusts TC2, accepts every certificate, that was issued by TC3
(or a subordinate CA).
Not always bilateral
TC2
Alice Bob Carl Doris Emil
TC4 TC5
TC3
TC6 TC7
Fred Gerd Hans
Cross-certification: Another possibility
TC2
Alice Bob Carl Doris Emil
TC4 TC5
TC3
TC6 TC7
Fred Gerd Hans
TC2 issues one CA-certificate to TC7 and vice versa.
Hans accepts the certificate of Emil and vice versa.
Emil does not accept the certificate of Fred.
TC2
Alice Bob Carl Doris Emil
TC4 TC5
TC3
TC6 TC7
Fred Gerd Hans
TC4 issues one CA-certificate to TC6 and vice versa.
Alice accepts the certificate of Fred and vice versa.
Fred does not accept the certificate of Emil.
Cross-certification: Another possibility
Method 4: Bridge
Idea: Bridge TC has cross-certifications with TC2 and TC3.
Alice accepts all certificates beneath TC3.
Fred accepts all certificates beneath TC2.
TC2
Alice Bob Carl Doris Emil
TC4 TC5
TC3
TC6 TC7
Fred Gerd Hans
Bridge TC
Bridge: certification path
TC2
Alice Bob Carl Doris Emil
TC4 TC5
TC3
TC6 TC7
Fred Gerd Hans
Bridge TC
Alice to Fred
Bridge enforces minimal policy
Bridge Trust Center
• The bridge TC acts as a connector.
• This TC is not subordinate to a third CA.
• Interesting for corporate CAs that:
• want to enable secure communication for their users outside the organisation’s borders.
• do not want to be subordinate to a third CA.
Shell model
time
root
certificate
CA
certificate
participant
certificate
signature
time
verification
time
Modified or hybrid model
time
root
certificate
CA
certificate
participant
certificate
signature
time
verification
time
Chain model
time
root
certificate
CA
certificate
participant
certificate
signature
time
verification
time
Shell model
Certificate 1
Certificate 2
Certificate 3
Signed Document
Sig. valid creation
Signature valid verification
Signature invalid verification
Time
Signed Document
Chain model
Sig. valid creation
Signature valid
Certificate 1
Certificate 3
Certificate 2
verification
Time
Chain model:
multiple-
validation Document A
Document B
Document C
Signature verification:
Certificate 1
Certificate 3
Certificate 2
Document A
Time
Document B
Document C
?
!
Algorithms
Certificate 1
Certificate 2
Shell model
Chain model
Hybrid model
Time
Signature valid Signature invalid
Sig. valid creation
Signature valid
Sig. valid creation
Signature valid
Root CA
CA
Participant
Chain model
Hybrid model
Time [a]
Sig. valid creation (max. 3 a)
Signature valid
Sig. valid creation (max. 1 a)
Signature valid
1 2 3 4 5 6
X.509 Certificates
Relevant Standard:
X.509 (ITU-T)
PKIX (RFC 5280)
Content (excerpt):
Name / Pseudonym of the holder
Public Key (and algorithm) of the holder
Unique ID of the certificate
Validity period of the certificate
Identity of the certificate issuer
Key usage limitation for the public keys
Encoding:
Abstract Syntax Notation Nr.1: ASN.1
Distinguished Encoding Rules: DER
PAGE 11512-11-2015
X.509 Certificates: Contents
Version (0=v1, 1=v2, 2=v3)Serial Number (Unique within PKI)Certificate Signature AlgorithmIssuerValidity PeriodSubjectSubject Public Key Info
Version 1
(1988)
Subject Unique ID (worldwide unique)Issuer Unique ID (worldwide unique)Version 2
(1993)
ExtensionsVersion 3
(1997)
PAGE 11712-11-2015
X.509 Extensions: Properties
• Assignment of extra attributes to
• the owner
• public or private key
• issuer
• Support for better certificate management
• Arbitrary extensions Bad interoperability
PAGE 11812-11-2015
X.509 (Non)critical extensions
Critical Non-Critical
Known valid valid
Unknown invalid valid
PAGE 11912-11-2015
Key Usage
Defines the purpose of the key contained in the certificate.
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1),
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }
http://www.ietf.org/rfc/rfc5280.txt (pp 29ff)
PAGE 12012-11-2015
Extended Key Usage (1)
Indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension
For example:
• Code signing
• OCSP signing
• Timestamping
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
KeyPurposeId ::= OBJECT IDENTIFIER
PAGE 12112-11-2015
Extended Key Usage (2)
If a certificate contains both a key usage extension and
an extended key usage extension, then both
extensions MUST be processed independently and the
certificate MUST only be used for a purpose consistent
with both extensions. If there is no purpose consistent
with both extensions, then the certificate MUST NOT
be used for any purpose.
Source: RFC 4334
PAGE 12212-11-2015
Based on a lecture by
Johannes Braun, Johannes Buchmann, Alexander
Wiesmaier
https://www.cdc.informatik.tu-darmstadt.de/en/students/teaching/ss14/
vorlesung/pki/pki-unterlagen-kopie-1/
Book: J. Buchmann, E. Karatsiolis, and A. Wiesmaier
Introduction to Public Key Infrastructures
Springer-Verlag Berlin Heidelberg, 2013.
PAGE 12312-11-2015