Why Password- Enabled PKI

Transcription

1 Password Enabled Public-Key Infrastructure (PKI): Virtual Smartcards vs. Virtual Soft Tokens Ravi Sandhu Chief Scientist SingleSignOn.Net & Professor, George Mason University Mihir Bellare Chief Cryptographer SingleSignOn.Net & Professor, Univ. of California--San Diego Ravi Ganesan Chief Executive Officer SingleSignOn.Net Sunset Hills Rd., Reston, V Why Password- Enabled PKI Smartcards have not happened It s the smartcard readers stupid! Roaming capability is critical Even DoD is stretched in large-scale deployment Trends are not in favor of smartcards Deployment scale of 10 s or even 100 s of millions of users Computing devices are proliferating Large installed base of reader-less computers Smartcards are likely to remain a highassurance niche application 2 1

2 Solve PKI Gap and Silo Problem Result Phased migration path No quantum jump PKI integral, not silo d PKI with Password Convenience Strong PKI Systems Password Usability PKI Hardened Passwords PKI Capability Weak Password Systems No change for users No change for issuer Eliminate weaknesses 3 Common Misperception Fact: Password based systems are often vulnerable to attacks Myth: Passwords are inherently insecure. Fact: It is completely possible to design a sufficiently secure password system. Designing sufficiently secure password-based systems is non-trivial but it is possible. 4 2

3 nother Common Misperception Fact: Users hate current password systems that require too many passwords and force too many changes Myth: Users inherently hate passwords. Fact: It is completely possible to design a user friendly password system with PKIenabled Single Sign On. Designing user-friendly and sufficiently secure password-enabled PKI systems is non-trivial but it is possible. 5 Password Vulnerabilities and Counter-Measures Bad password selection enforce complexity rules On-line guessing attack throttling mechanism Off-line guessing (dictionary attacks) don t reveal required information (we know how to design such protocols) Undetected theft and sharing online intrusion detection to discover deter sharing, e.g., sharing reveals sensitive user information Use of same password at strong and weak servers user awareness and education Password reuse don t force unnecessary password changes Server spoofing use secure protocols to prove knowledge of password w/o sending it limit password exposure to trusted servers Server compromise use hardened servers or multiple servers 6 3

4 Instant roaming capability Proven user acceptance Password Benefits 100 s of millions of passwords usages per day in cyberspace Cheap Self-maintained Password resets Password change 7 How to distribute public-keys Digital Certificates Certificate Revocation Lists Traditional Public-Key Infrastructure (PKI) How to distribute private-keys (long-term) Smartcards The private key never leaves the smartcard Often called a hard token How to distribute private-keys (short-term) Password protected on the hard disk Not very mobile Password protected on a floppy disk Often called a soft token 8 4

5 Modern Public-Key Infrastructure (PKI) How to distribute public-keys Digital Certificates Certificate Revocation Lists On-line servers for certificate validation How to distribute private-keys (long-term) Smartcards The private key never leaves the smartcard Often called a hard token How to distribute private-keys (short-term) Password protected on the hard disk Not very mobile Password protected on a floppy disk Often called a soft token On-line servers for password-enabled mobility 9 pproaches How to marry PKI and Passwords? pproach 1: Virtual Soft Token Use password to encrypt private key and store it on remote server(s). Need password to RETREIVE private key. pproach 2: Virtual Smartcard The password is part of the composite private key. Need password to USE private key. 10 5

6 Trivial Insecure Virtual Soft Token Private key encrypted with user s password is stored on an on-line server E pwd (private-key) nyone is allowed to retrieve the encrypted private key Only the user can decrypt it using the password Unacceptable risk due to dictionary attack 11 E pwd (private-key) Cryptographic Camouflage, Hoover and Kausik Dictionary attack Knowledge of public key allows attacker to obtain known plaintext So prohibit knowledge of public key resulting in closed public-key system 12 6

7 EKE Roaming, Bellovin-Merritt et al Store E pwd (private-key) on server Transmit E K (E pwd (private-key)) where K is a strong symmetric key K is established using passwordbased authenticated key exchange protocol (such as EKE or SPEKE) Immune to off-line dictionary attack 13 Hardened Password Roaming, Kaliski-Ford User s hardened password is retrieved at any computer from two on-line servers Compromise of both servers is required to compromise hardened password Successful retrieval of hardened password requires knowledge of user s password User s private key is retrieved by means of hardened password Once retrieved the user s private key can be freely used on this computer 14 7

8 lice knows Password, P a Security Servers 1 & 2 Step 1: lice sends P a Step 3 : Get H1 Step 5 : sk for Credentials Step 2: Client Computer starts process Step 8: Use H to decrypt private key D Step 4 : Get H2 Client Computer Step 7: Return Cert and H (D) Step 9: Finally get around to logon or sign operation! Credential Servers 1 & 2 Long term private key is locked with hardened password H. Need duplicate credentials server for redundancy. Step 6: Check if Cert is revoked Revocation Servers 1 & 2 Security server with partial knowledge of H (H1). Need duplicate server for redundancy. Security Servers 3 & 4 OCSP server to check for revocation Security server with remaining knowledge of H (H2). Need duplicate server for redundancy. 15 pproaches How to marry PKI and Passwords? pproach 1: Virtual Soft Token Use password to encrypt private key and store it on remote server(s). Need password to RETREIVE private key. pproach 2: Virtual Smartcard The password is part of the composite private key. Need password to USE private key. 16 8

9 Trivial Insecure Virtual Smart Card Keep the private key on an on-line server Use the password as authentication to enable use of the private key on the server Lose non-repudiation 17 We want: 1. ppliance takes ID: Castle Corp FN: Castle LN: CCorp C. C nd creates 2. lice takes 3. But (presto!) nd creates 18 9

10 Password Secure Identity ppliance C ID: Castle Corp FN: Castle C LN: Corp. C. The Practical PKI TM pproach lice has password P which ONLY she knows. Password P expands to key d1 on computer. Secure Identity ppliance has key d2 for lice which ONLY it knows. s before, lice has public cert, with public key e, C signed by a C. Process 1. lice authenticates to appliance, sets up secure channel and sends M. 2. ppliance performs partial signature on M with its key for lice d2. 3. lice completes signature with her key d1. 19 Comparison Traditional PKI Keys: a) lice Public = e b) lice Private = d c) lice Cert = C Signing: a) S = Sign (M,d) Send [S, C] to Bob Practical PKI TM Keys: a) lice Public = e b) lice PKCS5(password, salt, iteration count) = d1 c) lice Cert = C d) lice appliance key = d2 Signing: a) lice logs on to appliance using d1 and creates secure channel a) Spartial = Sign(M,d2) b) S = Sign(Spartial,d1) Send [S, C] to Bob Bob: Gets e from C Does Verify(S,e) = M? Bob: Gets e from C Does Verify(S,e) = M? 20 10

11 Traditional PKI Keys: a) lice Public = e b) lice Private = d c) lice Cert = C Signing: a) S = Sign (M,d) Send [S, C] to Bob Difference #2: lice has to interact with appliance to sign. Difference #1: lice has short convenient password Comparison Practical PKI TM Keys: a) lice Public = e b) lice PKCS5(password, salt, iteration count) = d1 c) lice Cert = C d) lice appliance key = d2 Signing: a) lice logs on to appliance using d1 and creates secure channel a) Spartial = Sign(M,d2) b) S = Sign(Spartial,d1) Send [S, C] to Bob Bob: Gets e from C Does Verify(S,e) = M? Bob: Gets e from C Does Verify(S,e) = M? 21 Comparison Traditional PKI Keys: a) lice Public = e b) lice Private = d c) lice Cert = C Signing: a) S = Sign (M,d) Send [S, C] to Bob Practical PKI TM Keys: a) lice Public = e b) lice PKCS5(password, salt, iteration count) = d1 c) lice Cert = C d) lice appliance key = d2 Signing: a) lice logs on to appliance using d1 and creates secure channel a) Spartial = Sign(M,d2) b) S = Sign(Spartial,d1) Send [S, C] to Bob NOTHING ELSE CHNGES!!!! Bob: Gets e from C Does Verify(S,e) = M? Bob: Gets e from C Does Verify(S,e) = M? 22 11

12 ID: lice FN: lice.. ID: lice FN: lice.. C C Strong Fraud Management Velocity Checking Easy to report ID CNNOT BE USED NY FURTHER! INSTNT, COMPLETE, REVOCTION LN: Smith alice@cc.com ID stolen Theft detected Theft reported C revokes ID Recipient (we hope) stops accepting ID 23 Every signature requires appliance interaction. So appliance logs can be used for velocity checking. Consumer or CSR can use password to revoke instantly! Strong Fraud Management Every signature requires appliance interaction. Once revoked key cannot be used further! Instant, complete revocation! Velocity Checking Easy to report ID CNNOT BE USED NY FURTHER! INSTNT, COMPLETE, REVOCTION LN: Smith alice@cc.com ID stolen Theft detected Theft reported C revokes ID Recipient (we hope) stops accepting ID 24 12

13 SingleSignOn.Net Practical PKI TM solution Ease of use: password based Quick to deploy Simple to manage with least privilege Velocity checking and instant revocation Reusable for multiple applications Web, Wireless, VPN, , etc. Use existing standards and widely deployed technologies 25 Summary Password enabled solutions are poised to jump start the stalled PKI car. Major vendors jumping into password enabled solutions using on-line servers is a good sign. Many servers are not all good, and have quality/security downside. Making password a part of the composite private key (virtual smartcards) provides substantial advantages over using password to retrieve private key (virtual soft tokens)