A Certification Authority for Elliptic Curve X.509v3 Certificates

Transcription

1 A Certification Authority for Ellitic Curve X509v3 Certificates Maria-Dolores Cano, Ruben Toledo-Valera, Fernando Cerdan Det of Information Technologies & Communications Technical University of Cartagena (UPCT) Cartagena, Sain Abstract Wireless networks are more and more common in current communications networks Nevertheless, wireless communications entail a big concern: security The use of X509v3 certificates to carry out authentication tasks is an aroach to imrove security These certificates are usually emloyed with the RSA algorithm Ellitic Curve Crytograhy (ECC) is a crytograhic technique eminently suited for small devices, like those used in wireless communications, and is gaining momentum The main advantage of ECC versus RSA is that for the same level of security it requires a much sorter key length The urose of this work is to design and imlement a free oen-source Certification Authority able to issue X509v3 certificates using ECC This research is an imlementation study on free oen-source tools to issue digital certificates using ECC Moreover, it contributes to the develoment of free oen-source tools for network security based on ECC The result of this research may assist organizations to increase their security level in wireless devices and networks, in a costless way, by including authentication techniques based on ECC digital certificates Keywords- digital certificates; ellitic curve crytograhy; security; wireless communications I INTRODUCTION Wireless networks have suffered a dramatic increase in recent years Wireless technology is more and more resent in our society and millions of wireless equiment are sold every year However, one of the major concerns about wireless communications is security RSA is the most common method emloyed in ublic key crytograhy, for instance in X509 digital certificates These certificates are oriented to verify the identity of a erson or an entity However, new concerns are rising about the security of 1024-bit RSA [1] Ellitic Curve Crytograhy (ECC) is an innovative crytograhic technique Its security resides in the same roblem as RSA or Diffie-Hellman algorithms, but instead of using integers as symbols of the alhabet to be cihered, it uses oints in a mathematical object called ellitic curve The real ECC otential is that, with a much smaller key length, it achieves the same security level as other roosals Therefore, ECC resents some key attributes truly imortant in scenarios where the following resources are limited: rocessing ower, storage sace, bandwidth and ower consumtion [2] [3] There are even some organizations working towards ECC standardization (IEEE, IETF, ISO, etc), and leading enterrises develoing new ECC roducts Nevertheless, to favor the widesread use of ECC it is also essential romoting free oensource ECC tools In this aer we introduce a free oen-source Certification Authority (CA) for ECC X509v3 digital certificates The CA we roose is able to generate its own root certificate and to issue clients certificates We also develo the software a client requires to create a certificate request This certificate request is the one that the CA should sign after some verification stes The tool we roose is mainly oriented to environments with limited resources As it will be shown in next sections, its advantages are clearly noticeable The rest of this aer is organized as follows In section 2, we give a brief overview about Ellitic Curve Crytograhy, and the ECC mechanisms we use for the new X509v3 ECC digital certificates In section 3, we exlain the design of the certification tool In section 4, we describe the ECC CA working scenario Section 5 shows and discusses the exerimental imlementation The aer ends with the most imortant concluding remarks in section 6 II OVERVIEW OF ELLIPTIC CURVE CRYPTOGRAPHY Public key (asymmetric) crytograhy uses two keys (a rivate key and a ublic key), differing from rivate key (symmetric) crytograhy, where there must be a shared secret key Ellitic Curve Crytograhy was discovered in 1985 by V Miller [4] as an alternative method for ublic key crytograhy At that time, it was very difficult to erform the necessary calculations With time, imlementations were much more efficient, what allowed the erformance of ellitic curve mathematics to take the same amount of time as imlementations of integer factoring schemes for the same number of bits This, in its turn, imlies a reduction in cost, size, and rocessing time because ellitic curves require fewer bits for the same security level An ellitic curve is described by a cube equation, similar to those used to calculate an ellitic circumference Usually, the cube equation of an ellitic curve is indicated by (1), where a, b, c, d, and e are usually real numbers that comly with some condition Then, the ellitic curve is defined by the oints (x,y) that satisfy this equation The addition oeration can be defined for an ellitic curve, together with the element oint at infinity

2 0 This addition oeration fulfills the associative and commutative roerties y + axy + by = x + cx + dx + e (1) Ellitic curves used in crytograhy are defined over two tyes of finite fields: fields of odd characteristics ( F, where is a large rime number), and fields of characteristics two ( F 2 ) For the sake of simlicity we focus on m F Observe that the field F only emloys the numbers from 0 to (-1), and all comutations end by taking the remainder on division by In articular, crytograhy is interested in ellitic curve grous over F If we chose two ositive integers, a and b, smaller than such that (2) is true, then E ( a, b) denotes the ellitic curve grou in F, whose elements (x,y) are airs of ositive integers smaller than that satisfy the ellitic curve equation (3) 3 2 4a + 27b (mod ) 0 (2) 2 3 y (mod ) = x + ax + b (mod ) (3) To create a cryto system using ellitic curves is necessary to find a difficult roblem such factorizing the roduct of two rime numbers or calculating a discrete logarithm Consider the equation P = k G, where P and G are oints belonging to E ( a, b), and k is smaller than It is quite easy to assess P given k and G, but it is very comlex to calculate k given P and G This is called the Ellitic Curve Discrete Logarithm Problem (ECDLP) In fact, the G oint is called the generator oint The criterion to select G is as follows: the smallest value of n such that n G = 0 must be a large rime number Most of the ellitic curve crytograhic methods are related to the discrete logarithm schemes, which were originally formulated for usual modular arithmetic In order to use ECC, all arties must agree on all the elements defining the ellitic curve, that is, all arties should know the domain arameters For the field F, the domain arameters are: the rime number, constants a and b, the generator oint G, and the integer n The generation of these domain arameters is not straightforward Several standards bodies ublish domain arameters of ellitic curves [5] [6] [7] Next, we briefly exlain the two ECC algorithms that we use in this work to generate the ECC X509v3 certificates: ECDSA to sign a digital certificate, and ECIES to generate the ublic key included in a digital certificate A ECIES The Ellitic Curve Integrated Encrytion Scheme (ECIES), also known as Ellitic Curve Augmented Encrytion Scheme or Ellitic Curve Encrytion Scheme, is an ECC ublic-key encrytion technique ECIES is based on the Diffie-Hellman method Let us exlain briefly how it works [6] [7] [8] First, one entity (eg A) should establish what key derivation function (KDF) to use (eg ANSI-X963-KDF with SHA-1 otion [7], IKEv2-KDF [10] or TLS-KDF [11]) A KDF is used to derive keying data from a shared secret octet string Entity A should also select: the MAC (Message Authentication Code) scheme (eg, HMAC-SHA with 160-bit keys, HMAC-SHA-1-80 with 160-bit keys, etc), the symmetric encrytion scheme (eg AES), and any otion involved in them A should decide on whether to use the standard ellitic curve Diffie-Hellman rimitive or the ellitic curve cofactor Diffie-Hellman In addition, A should establish the ellitic curve domain arameters (a, b, G, n, etc) at the desired security level Next, the other entity (eg B) should obtain in an authentic manner the selections made by A After that, A should set u an ellitic curve key air associated with the ellitic curve domain arameters determined during the setu rocedure Let s call K PA to the A s ublic key and K A to the A s rivate key K A is an integer chosen randomly in the range [1, n-1] K PA is calculated as indicated by exression (4): K PA = K A G (4) Then, entity B should obtain in an authentic way the ellitic curve ublic key selected by A, ie K PA From now on, B (A) should encryt (decryt) messages using the keys and arameters established reviously For instance, if B wants to send a cihered message to A, then B does the following actions: B generates a random number r [1, n-1] and assesses R = r G B obtains a shared secret K S = r K Note that R and PA K S are oints in the ellitic curve B uses the KDF to derive a symmetric encrytion and MAC keys, K E and K M resectively B cihers the message using K E and the symmetric encrytion scheme selected during the setu hase B comutes the tag of the cihered message using K M The decrytion rocess is straightforward knowing the Diffie-Hellman rocedure In this work, we use ECIES to generate the ublic key of an entity, which can be used for cihering in later services The legitimacy of this ublic key is guaranteed by the digital certificate ECC X509v3 that our roosed Certification Authority issues The ECIES arameters that we have selected in our imlementation are shown below in Table 1 B ECDSA Ellitic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital Signature Algorithm (DSA) that oerates with ellitic curves Signature schemes are designed to be used

3 when an entity A wants to send a message M to an entity B in an authenticated way, and B wants to verify the authenticity of M ECDSA acts as follows [7] [8] [12] First, an entity A should select what hash function to use (eg SHA) Moreover, A should establish the curve domain arameters (a, b, G, n, etc) at the desire security level Entity B should get in an authentic manner the selections made by A Next, A and B should erform a key deloyment rocedure to be reared to use ECDSA A should set u an ellitic curve key air associated with the ellitic curve domain arameters agreed on the setu rocedure to use with ECDSA Let s call K PA to the A s ublic key, as shown in (4), and K A to the A s rivate key (randomly selected in [1, n-1]) B should obtain the ellitic curve ublic key selected by A, ie K PA To sign a message M, A should roceed according to the following stes: A alies the hash function to the message, and derives an integer e from the obtained hash A selects a random integer k in the range [1, n-1], and calculates K = k G = x A, y ) ( A A assesses r = x (mod n) A A calculates s = k 1 ( e + K r)(modn) The signature is the air (r, s) To verify the signature, the entity B should roceed as follows: B checks if r and s are integers, otherwise the signature is not valid B alies the hash function to the message, and derives an integer e from the obtained hash A B calculates u 1 1 = e s (mod n) and 1 u = r s (mod ) 2 n B comutes K = ( xa, y A) = u1 G + u2 K PA The signature is valid if x A = r(mod n) In this work, the Certification Authority uses ECDSA to sign an ECC X509v3 digital certificate containing an ECIES ublic key, thus verifying the authenticity of the ublic key and its owner III ECC CERTIFICATION AUTHORITY DESIGN We choose Java as rogramming language due to its latform indeendence After a searching hase, we leaned on the oen source library BouncyCastle [13] to write the code Next, we give details about the ECC CA design Our work can be divided into three blocks: classes to create the CA, classes to create the certificate request by the client, and classes so that the CA can sign the certificate request In addition, we define three classes (included in Fig 1) that are shared by all blocks: KeyGeneration is in charge of generating an ellitic curve key air It uses the ECIES scheme secified in ANSIX963 and IEEE P1363 takes the comonent of the client data, slits it into its minimum units, and comoses it again to eliminate ossible missellings CertificateUtils generates cer certificates (certificates signed by the CA, ie, the identity of the user has been verified), and der certificates (certificates that have not been signed yet, ie a client certificate request) In the first block, classes to make the CA, we define the class CAcertEC shown in Fig 2 Its main task is to generate the X509v3 root certificate and the PKCS#12 (Public Key Crytograhy Standard, PKCS) with the corresonding CA s rivate key A root certificate is a certificate that contains the ublic key of a CA Clients can trust a CA only if a coy of the CA root certificate is in its trusted root certificate store Moreover, the CA ublic key included in the CA root certificate is needed to verify the validity of any certificate that the CA issues PKCS is a set of standard rotocols to exchange secure information on the Internet using a ublic key infrastructure PKCS#12 is a standard that secifies a ortable format for storing a user s rivate key In the second block, classes to create the certificate request by the client, we characterize the classes illustrated in Fig 3 They involve the following tasks: GrahicClient launches an alet that the client uses to fill in the data necessary for the certificate request Manager catures the alet events KeyGeneration Static KeyGeneration(int): KeyPair TABLE I Parameter a b G n ELLIPTIC CURVE DOMAIN PARAMETERS Value 0x7fffffffffffffffffffffff7fffffffffff ffffffffffc 0x6b016c3bdcf18941d0d ca71a9db 2fb27d1d c2942c0a 0x020ffa963cdca8816ccc33b8642bedf905c3d d3f27fbbd3b3cb9aaaf Static decode(string) : string CertificateUtils Static X509Certificate gencert Static createcertmaster(publickey, PrivateKey, string, int, string): X509Certificate Static createcertder(publickey, PrivateKey, string, string): PKCS10CertificateRequest Figure 1 Shared classes

4 CAcertEC nameca string deartmentca string organizationca string cityca string countryca string ostalcodeca string asswdca string ca string caissuer string sizeclave int monthdurationcacertificate int signalgorithm string keypairca KeyPair caprivkey PrivateKey capubkey PublicKey fxpath string cerpath string Public CAcertEC( ) Figure 2 Classes to create the CA CertificateUtilss KeyGeneration UserCertEC_DER generates a der certificate (a certificate request) This is a certificate without a signature, hence, not valid yet The der certificate should be sent to the CA for signing This class also generates a PKCS#12 to store the rivate key MinimumClient takes the client der certificate and sends it to the CA In the last block, classes so that the CA signs the certificate request, we create the classes included in Fig 4 The goals of these classes are: MinimumServer, the CA is listening, waiting for a client request When a client connects to the CA, the CA checks if the client is authorized to demand the service If the client is authorized then the CA signs the client certificate request using the DER2CER class Afterwards, the CA returns the signed certificate (cer), IV ready for use, back to the client The CA kees waiting for new client requests DER2CER, this class firstly edits the client certificate request (PKCS#10), and adds new data such as key length, certificate serial number, eriod of validity (valid from-to), and signature algorithm In our case, the CA uses the ECDSAwithSHA-1 (Ellitic Curve Digital Signature Algorithm with Secure Hash Algorithm 1) to sign certificates DER2CER needs to know the key (usually known as suerkey) to access the CA secret key, which is located in the file serverfx It is necessary to know the CA secret key otherwise the CA would not be able to sign the client certificate Afterwards, the client certificate (cer) is created with CertificateUtils ECC CERTIFICATION AUTHORITY PROTOCOL APPROACH In this section we exlain the general rocedure to obtain an ECC X509v3 certificate (see Fig 5) First of all, the client asks the CA to issue a certificate (ste 1) In further services, the client could be authenticated with this certificate, or the ublic key included in the certificate could be used for cihering Then, the CA sends its root certificate (servercacer) and the software needed by the client to generate the certificate request (ste 2) The client installs the CA root certificate in its trusted store Although not imlemented, the software could also be signed so that the client can trust in it The client executes the software to generate a key air and a certificate request (clientder) (ste 3) The client sends its certificate request to the CA (ste 4) The CA receives the certificate request and some information from the user to validate him/her Different aroaches can be taken to decide if a user is authorized or not to ask for an ECC X509v3 certificate and verify his/her identity For instance, if this system were used in a re-aid hotsot (eg airort, hotel, etc), the user could send a code number to be validated This code could be obtained when a re-aid card is bought In other environments, like a small comany, the user validation could be done in erson UserCertEC_DER String name String organization String city String country String asswd String X509Certificate UserCert KeyPair Keys PrivateKey PrivKey PublicKey PubKey int keysize int monthdurationusercertificate String signalgorithm String fxpath String cerpath init( ): void Manager TextField text1, text2, text3, text4, text5, text6, text8, text9 Jassw String Name String Det String Organization String City String Country String PC String wd String String athcert Public Manager(TextField, TextField, TextField, TextField, TextField, TextField, JPassword Field, TextField, TextField) PublicactionPerformed(ActionEvent): void Figure 3 Classes to generate a certificate request GrahicClient init( ): void CertificateUtils

5 DER2CER String cerpath String derpath String fxcapath String keypfxca String userparam String caparam String caissue KeyPair keypairca PrivateKey caprivkey PublicKey capubkey X509Certificate cacer String nameca String organizationca String cityca String countryca String ostalcodeca String asswdca String ca String name String deartment String organization String city String country String ostalcode String String asswd int keysize long nserie int monthdurationusercertificate String signalgorithm Public MinimumClient( ) Figure 4 Classes to sign the client certificate request Figure 5 General rocedure If the user is authorized to demand this service, and his/her identity has been confirmed, the CA rocesses the certificate request, signing it with its rivate key and sending the final X509v3 certificate (clientcer) to the client Using this certificate, the client can be authenticated for later network services Note that the entire rocess is transarent from the user side V ECC CERTIFICATION AUTHORITY IMPLEMENTATION In this section we resent the imlementation of our free oen-source ECC Certification Authority The imlementation can be downloaded from [14] For simlicity, we follow the 2 5 MinimumServer Static Main(args[]) : void CertificateUtils same nomenclature (ste 1, ste 2, etc) than we used in the revious section At first, the server is waiting for client requests In our imlementation, we assume that the client already has the software to generate the certification request (stes 1 and 2 in Fig 5) To make the rest of the rocess easier, we have included a web age where the user can introduce some of the data needed for his/her certificate (eg: name, affiliation, etc) Therefore, in the third ste the client loads the web age (Fig 6) When the form is filled in, the client clicks the send button At that time, the client software creates a key store PKCS#12, where the rivate ECC key is stored and the certificate request clientder is generated The client automatically sends the clientder certificate to the Certification Authority (ste 4 in Fig5) The CA receives the certificate request clientder, the name of the client host, and its IP address Received data belonging to clientder is shown in the screen We assume that the client has roer access to the service, so the CA should only issue the final client certificate Once the clientcer certificate is ready, the CA sends it back to the client At this moment, the client has three files: clientcer, clientder, and clientfx The file clientcer is the X509v3 ECC certificate The file clientder is the certificate request that can be deleted The file clientfx is the key store, where the client s rivate key is ket These three files are located in the directory reviously indicated in the form, in the box ath to store the certificate (Fig 6) In Fig 7 and Fig 8, we observe the details of the certificate (clientcer) The certificate is issued to Paco by the Certification Authority CA4ec and is valid from 10/12/2005 (following the date format dd/mm/yy) to 09/05/2006 We see in Fig 8 that the signature algorithm corresonds to the OID (Object Identifier) This OID matches the ECDSAwithSHA1 algorithm From Fig 8, we observe that the ublic key algorithm is ECIES, identified by the OID OIDs can be checked in [15] Regarding the certification ath, we note from Fig 7 and Fig 9 that the certificate aears as not valid (red cross in Fig 9) This is due to the fact that Windows XP oerating system does not include yet any library (or module) to use ECDSA That is, it does not understand yet the algorithms ECIES or ECDSA Consequently, it is not able to verify the integrity of the certificate VI CONCLUSIONS In this aer, we roose, design, and imlement a free oen-source Certification Authority that generates X509v3 certificates by using ellitic curve crytograhy We exlain the classes needed to create the Certification Authority, the classes needed to create a client certificate request, and the classes to sign and generate the final validated client certificate We also show a real imlementation With the use of this tye of alication, we aim to hel to sread the use of ellitic curve crytograhy Our imlementation is notably useful for small wireless devices with rocessing ower, storage sace, or ower consumtion restrictions

6 Figure 6 Client web age The user can fill in: name, surname, deartment, organization, city, country code, ostal code, secret key to access his/her rivate key, address, and the ath to store the certificate Figure 7 Certificate information Figure 8 Details of the certificate Figure 9 Certificate ath REFERENCES [1] S Vanstone, Next generation security for wireless: ellitic curve crytograhy, Comuters & Security, Vol 22, No 5, , 2003 [2] N R Potlaally, S Ravi, A Raghunathan, N K Jha, A study of the energy consumtion characteristics of crytograhic algorithms and security rotocols, IEEE Transactions on Mobile Comuting, Vol 5, No 2, , 2005 [3] W Rao, Q Gan, The erformance analysis of two digital signatures schemes based on secure charging rotocol, Proc International Conference on Wireless Communications, Networking, and Mobile Comuting, Vol 2, , Setember 2005 [4] V S Miller, Use of Ellitic Curves in Crytograhy, Proc CRYPTO 85, Sringer-Verlag, New York, , 1986 [5] National Institute of Standards FIPS-PUB Recommended Ellitic Curves for Federal Government Use, 1999 Available online <htt://csrcnistgov/crytotoolkit/dss/ecdsa/nistrecurdf> Last accessed 3 rd March 3 rd, 2006 [6] Certicom, Standards for efficient crytograhy Sec2:Recommended Ellitic Curve Domain Parameters, Released Standard Version 10, 2000 Available online <htt://wwwsecgorg> Last accessed March 3 rd, 2006 [7] ANSI X963, Public-Key Crytograhy for the Financial Services Industry, Key Agreement and Key Transort Using Ellitic Curve Crytograhy, 2001 [8] D R Brown, Standards for efficient crytograhy Sec1: Ellitic Curve Crytograhy, Released Standard Version 10 and Working Draft v15, 2005 Available online <htt://wwwsecgorg> Last accessed March 3 rd, 2006 [9] IEEE1363 Working Grou IEEE Std P1363a-2004 (Amendment to IEEE Std P ) IEEE Standard Secifications for Public-Key Crytograhy Amendment 1: Additional Techniques, 2004 [10] C Kaufman, Internet Key Exchange (IKEv2) Protocol, Internet Draft, 2005 [11] V Guta, S Blake-Wilson, B Möller, C Hawk, N Bolyard, ECC Ciher suites for TLS, Internet Draft, 2004 [12] ANSI X962 (2005) Public-Key Crytograhy for the Financial Services Industry, the Ellitic curve Digital Signature Algorithm (ECDSA) [13] The Legion of the BouncyCastle Available online <htt://wwwbouncycastleorg> Last accesed March 3 rd, 2006 [14] M D Cano, R Toledo Valera, F Cerdan corresonding author for code donwload [15] ASN1 Information Site OID Reository, 2006 Available online <htt://asn1elibeltmfr/oid/indexhtm> Last accesed March 3 rd, 2006