How To Make A Trustless Certificate Authority Secure



Similar documents
Network Security: Public Key Infrastructure

CSC/ECE 574 Computer and Network Security. What Is PKI. Certification Authorities (CA)

10/6/2015 PKI. What Is PKI. Certificates. Certification Authorities (CA) PKI Models. Certificates

Purpose of PKI PUBLIC KEY INFRASTRUCTURE (PKI) Terminology in PKIs. Chain of Certificates

Asymmetric cryptosystems fundamental problem: authentication of public keys

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Authentication Applications

Introduction to Network Security Key Management and Distribution

DIMACS Security & Cryptography Crash Course, Day 2 Public Key Infrastructure (PKI)

associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS)

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Key Management and Distribution

Key Management and Distribution

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

Authentication Applications

Authentication Application

CSE543 - Introduction to Computer and Network Security. Module: Public Key Infrastructure

Cryptography and Network Security Chapter 14

Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 15.1

Computer and Network Security. Outline

TELSTRA RSS CA Subscriber Agreement (SA)

CS 356 Lecture 28 Internet Authentication. Spring 2013

Authentication Types. Password-based Authentication. Off-Line Password Guessing

7 Key Management and PKIs

Chapter 4. Authentication Applications. COSC 490 Network Security Annie Lu 1

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

CS Network Security: Public Key Infrastructure

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

ITL BULLETIN FOR JULY Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance

Public Key Infrastructure

CSC574 - Computer and Network Security Module: Public Key Infrastructure

PUBLIC-KEY CERTIFICATES

Lecture VII : Public Key Infrastructure (PKI)

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

Lecture 10 - Authentication

Lecture 10 - Authentication

Number of relevant issues

Public Key Infrastructure (PKI)

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

CS 392/681 - Computer Security

Implementing Secure Sockets Layer on iseries

SEZ SEZ Online Manual Digital Signature Certficate [DSC] V Version 1.2

CS Network Security: Public Key Infrastructure

Danske Bank Group Certificate Policy

ESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0

Certification Practice Statement

Optimized Certificates A New Proposal for Efficient Electronic Document Signature Validation

Security Digital Certificate Manager

Security Digital Certificate Manager

4.2: Kerberos Kerberos V4 Kerberos V5. Chapter 5: Security Concepts for Networks. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Ciphermail S/MIME Setup Guide

Network Security Protocols: A Tutorial. Radia Perlman May 2005 (radia.perlman@sun.com)

Neutralus Certification Practices Statement

Reducing Certificate Revocation Cost using NPKI

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Standards and Products. Computer Security. Kerberos. Kerberos

Concept of Electronic Approvals

Public Key Infrastructures

What Are Certificates?

Class 3 Registration Authority Charter

Chapter 4 Virtual Private Networking

SBClient SSL. Ehab AbuShmais

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

NIST ITL July 2012 CA Compromise

encryption keys, signing keys are not archived, reducing exposure to unauthorized access to the private key.

How To Use Kerberos

Public Key Infrastructure. A Brief Overview by Tim Sigmon

SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION

Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004

Ericsson Group Certificate Value Statement

UNDERSTANDING PKI: CONCEPTS, STANDARDS, AND DEPLOYMENT CONSIDERATIONS, 2ND EDITION

Certificate Management in Ad Hoc Networks

Kerberos. Login via Password. Keys in Kerberos

Bugzilla ID: Bugzilla Summary:

A Survey of State of the Art in Public Key Infrastructure

Entrust Managed Services PKI

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Certification Practice Statement

HKUST CA. Certification Practice Statement

Certificate Authority Product Overview Technology White Paper

Chapter 7 Managing Users, Authentication, and Certificates

Microsoft Trusted Root Certificate: Program Requirements

EBIZID CPS Certification Practice Statement

Certificates and network security

Security in OSG. Tuesday afternoon, 3:15pm. Igor Sfiligoi Member of the OSG Security team University of California San Diego

The IVE also supports using the following additional features with CA certificates:

THE WALT DISNEY COMPANY PUBLIC KEY INFRASTRUCTURE CERTIFICATE POLICY. July 2011 Version 2.0. Copyright , The Walt Disney Company

Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Key Management and Distribution

Ciphire Mail. Abstract

epki Root Certification Authority Certification Practice Statement Version 1.2

Transcription:

Network Security: Public Key Infrastructure Guevara Noubir Northeastern University noubir@ccs.neu.edu Network Security Slides adapted from Radia Perlman s slides Key Distribution - Secret Keys What if there are millions of users and thousands of servers? Could configure n 2 keys Better is to use a Key Distribution Center Everyone has one key The KDC knows them all The KDC assigns a key to any pair who need to talk Network Security PKI 2 Key Distribution - Secret Keys Alice KDC Bob A wants to talk to B Randomly choose K ab { B, K ab } Ka { A, K ab } Kb {Message} Kab Network Security PKI 3 1

A Common Variant Alice KDC Bob A wants to talk to B Randomly choose K ab { B, K ab } Ka,{ A, K ab } Kb { A, K ab } Kb,{Message} Kab Network Security PKI 4 KDC Realms KDCs scale up to hundreds of clients, but not millions There s no one who everyone in the world is willing to trust with their secrets KDCs can be arranged in a hierarchy so that trust is more local Network Security PKI 5 KDC Realms Interorganizational KDC Lotus KDC SUN KDC MIT KDC A B C D E F G Network Security PKI 6 2

KDC Hierarchies In hierarchy, what can each compromised KDC do? What would happen if root was compromised? If it s not a name-based hierarchy, how do you find a path? Network Security PKI 7 Key Distribution - Public Keys Certification Authority (CA) signs Certificates Certificate = a signed message saying I, the CA, vouch that 489024729 is Radia s public key If everyone has a certificate, a private key, and the CA s public key, they can authenticate Network Security PKI 8 KDC vs CA Tradeoffs Impact of theft of KDC database vs CA private key What needs to be done if CA compromised vs. if KDC compromised? What if KDC vs CA down temporarily? What s more likely to work behind firewalls? Network Security PKI 9 3

Strategies for CA Hierarchies One universally trusted organization Top-Down, starting from a universally trusted organization s well-known key No rules (PGP, SDSI, SPKI). Anyone signs anything. End users decide who to trust Many independent CA s. Configure which ones to trust Network Security PKI 10 One CA Choose one universally trusted organization Embed their public key in everything Give them universal monopoly to issue certificates Make everyone get certificates from them Simple to understand and implement Network Security PKI 11 One CA: What s wrong with this model? Monopoly pricing Getting certificate from remote organization will be insecure or expensive (or both) That key can never be changed Security of the world depends on honesty and competence of the one organization, forever Network Security PKI 12 4

One CA Plus RAs RA (registration authority), is someone trusted by the CA, but unknown to the rest of the world (verifiers). You can request a certificate from the RA It asks the CA to issue you a certificate The CA will issue a certificate if an RA it trusts requests it Advantage: RA can be conveniently located Network Security PKI 13 What s wrong with one CA plus RAs? Still monopoly pricing Still can t ever change CA key Still world s security depends on that one CA key never being compromised (or dishonest employee at that organization granting bogus certificates) Network Security PKI 14 Oligarchy of CAs Come configured with 50 or so trusted CA public keys Usually, can add or delete from that set Eliminates monopoly pricing Network Security PKI 15 5

Default Trusted Roots in IE Network Security PKI 16 What s wrong with oligarchy? Less secure! Security depends on ALL configured keys Naïve users can be tricked into using platform with bogus keys, or adding bogus ones (easier to do this than install malicious software) Although not monopoly, still favor certain organizations Network Security PKI 17 CA Chains Allow configured CAs to issue certs for other public keys to be trusted CAs Similar to CAs plus RAs, but Less efficient than RAs for verifier (multiple certs to verify) Less delay than RA for getting usable cert Network Security PKI 18 6

Anarchy Anyone signs certificate for anyone else Like configured+delegated, but users consciously configure starting keys Problems Does not scale (too many certs, computationally too difficult to find path) No practical way to tell if a path should be trusted Too much work and too many decisions for user Network Security PKI 19 Name Constraints Trustworthiness of a CA is not binary Complete trust or no trust CA should be trusted for certifying a subset of the users Example: Northeastern University CCS should (only) be trusted to certify users with name x@y.ccs.neu.edu If users have multiple names, each name should be trusted by the name authority Network Security PKI 20 Top Down with Name Subordination Assumes hierarchical names Similar to monopoly: everyone configured with root key Each CA only trusted for the part of the namespace rooted at its name Can apply to delegated CAs or RAs Easier to find appropriate chain More secure in practice This is a sensible policy that users don t have to think about) Network Security PKI 21 7

Bottom-Up Model Each arc in name tree has parent certificate (up) and child certificate (down) Name space has CA for each node in the tree E.g., a certificate for.edu, neu.edu, and ccs.neu.edu Name Subordination means CA trusted only for a portion of the namespace Cross Links to connect Intranets, or to increase security Start with your public key, navigate up, cross, and down Network Security PKI 22 Intranet abc.com nj.abc.com ma.abc.com alice@nj.abc.com bob@nj.abc.com carol@ma.abc.com Network Security PKI 23 Extranets: Crosslinks abc.com xyz.com Network Security PKI 24 8

Extranets: Adding Roots root abc.com xyz.com Network Security PKI 25 Advantages of Bottom-Up For intranet, no need for outside organization Security within your organization is controlled by your organization No single compromised key requires massive reconfiguration Easy configuration: you start with is your own public key Network Security PKI 26 Bridge CA Model Similar to bottom-up, in that each organization controls its destiny, but top-down within organization Trust anchor is the root CA for your org Your org s root points to the bridge CA, which points to other orgs roots Network Security PKI 27 9

Chain Building Call building from target forward, and from trust anchor reverse With the reverse approach it can be easier to find a path from the anchor to A by looking at the path With the forward approach going up we don t know if a link/path starting at A leads to a trust anchor known by B Where should cert be stored? With subject: harder to build chains from trust anchors With issuer: it may become impractical if large fanout at root Network Security PKI 28 X.509 An authentication framework defined by ITU A clumsy syntax for certificates No rules specified for hierarchies X.509 v1 and v2 allowed only X.500 names and public keys in a certificate X.509 v3 allows arbitrary extensions A dominant standard Because it is flexible, everyone willing to use it Because it is flexible, all hard questions remain C: country, CN: common name, O: organization, etc. Network Security PKI 29 X.509 Certificate Contents version # (1, 2, or 3) Serial Number Effective Date Expiration Date Issuer Name Issuer UID (not in V1) Unique ID Subject Name Subject UID (not in V1) Subject Public Key Algorithm Subject Public Key Signature Algorithm Signature Extensions (V3 only) Network Security PKI 30 10

Some X.509 V3 Extensions Public Key Usage Encryption Signing Key Exchange Non-repudiation Subject Alternate Names Issuer Alternate Names Key Identifiers Where to find CRL information Certificate Policies Is a CA flag path length constraints name constraints Extended key usage specific applications Network Security PKI 31 Policies A policy is an OID: Code Signing (1.3.6.1.5.5.7.3.3), Windows Hardware Driver Verification (1.3.6.1.4.1.311.10.3.5) Verifier specifies required OIDs Network Security PKI 32 Policies (as envisioned by X. 509/PKIX) Policy is an OID (Object Identifier) e.g., top-secret, or secret Verifier says what policy OID(s) it wants Every link must have same policy in chain, so if verifier wants A or B or C, and chain has A, AC, ABC, B: not OK Policy mapping: A=X; want A AB, A, A=X, X, X... Policy constraints things like: policies must appear, but it doesn t matter what they are any policy policy not allowed any of these, but specified as taking effect n hops down chain Network Security PKI 33 11

Other Certificate Standards PKIX: http://www.ietf.org/html.charters/pkix-charter.html An IETF effort to standardize extensions to X.509 certificates PKIX is a profile of X.509 Still avoids hard decisions, anything possible with PKIX SPKI: http://www.ietf.org/html.charters/spki-charter.html Simple Public Key Infrastructure A competing IETF effort rejecting X.509 syntax SDSI: http://theory.lcs.mit.edu/~cis/sdsi.html Simple Distributed Security Infrastructure A proposal within SPKI for certificates with relative names only Network Security PKI 34 Revocation Problem Suppose a bad guy learns your password or steals your smart card Notify your KDC and it will stop issuing tickets Notify your CA and it will give you a new certificate How do you revoke your old certificate? Network Security PKI 35 Revocation Problem Tickets can have short lifetimes; they can even be one-use with nonces Certificates have expiration dates, but it is inconvenient to renew them frequently If sufficiently frequent and automated, CA can no longer be off-line Supplement certificate expirations with Certificate Revocation Lists (CRLs) or a blacklist server (On-Line Revocation Server: OLRS) Network Security PKI 36 12

Why not put CA on-line? On-line revocation server is less security sensitive than an on-line CA The worst it can do is fail to report a revoked certificate Damage is more contained Requires a double failure With CRLs, limits OLRS damage Network Security PKI 37 Revocation Ideas Incremental (delta) CRLs Micali s hashing scheme Kaufman-Perlman first valid cert Good lists vs bad lists Network Security PKI 38 Micali s Hashing Components: CA: generates/revokes certificates Directory: Gets daily updates from the CA and gets requests from users It is not trusted Users Technique for efficient revocation: CA generates: Computes: Y n = Hash n (Y 0 ) and N n = Hash N (N 0 ), where Y 0, and N 0 are secret values Certificate = signature of traditional info (e.g., public key, issue date, etc.) and Y n and N n : 100 bits messages unique to the certificate. n is the certificate lifetime Every day i the CA sends the directory: Y n-i or N n-i depending on if the certificate is revoked or not Network Security PKI 39 13

Authorization Access Control Lists (ACL) capabilities: Makes a difference whether you can answer who has access to that or what can he do Groups, nesting, roles On-line group servers Anonymous groups Network Security PKI 40 Suppose want to move subtrees? How would you design certificates if you want to be able to move an entire subtree, for example, com.sun.east.labs.radia becomes com.sun.labs.radia. What would up, down, and cross certs look like? How design cross link if want things not to change if both points move together? Network Security PKI 41 14

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information