Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public...

Public Key

Infrastructures

Andreas Hülsing

Public Key Infrastructures

… a public key infrastructure (PKI) is designed to

facilitate the use of public key cryptography.

Source: Housley, R. and Polk, T.: Planning for PKI; Wiley 2001

PAGE 1 19-5-2014

Tasks of a PKI

• Assure that the public key is available

• Assure that the public key is authentic

• Assure that the public key is valid

• Enforce security and interoperability

PAGE 2 19-5-2014

Authenticate Public Keys

• Bind public key to electronic identity

• Seal the binding

• Answer for the binding

Public key certificates

PAGE 3 19-5-2014

Public Key Certificate

Public key certificates are data structures that bind

public key values to subjects. The binding is

asserted by having a trusted CA digitally sign each

certificate …

[From RFC 5280]

PAGE 4 19-5-2014

Public Key Certificate

PAGE 5 19-5-2014

Public Key Certificate

PAGE 6 19-5-2014

Digital Signature

Subject (Name)

Public-key Binding eID public key

protection of authenticity

Certificate Properties

• Protected binding of a key to the key holder

• Its authenticity is independent of the means of

transportation

• It can be used online and offline

• It is a proof of the binding

• It can be used for key servers

PAGE 7 19-5-2014

Certificate Standards

PAGE 8 19-5-2014

• X.509 • X.509 (ITU-T)

• PKIX (RFC 5280)

• Pretty Good Privacy (PGP) • OpenPGP (RFC 4880)

• GNU Privacy Guard (GnuPG or GPG)

• WAP certificates • Like X.509 certificates but smaller

• Card Verifiable Certificates (CVC) • Even smaller than WAP certificates

• Simple PKI / Simple Distributed Security Infrastructure • SPKI, pronounced spoo-key

• SDSI, pronounced sudsy

Validity of Public Keys

• Monitor binding public key electronic identity

key owner

• Establish time constraints

• Provide means to revoke binding

Certificate revocation

PAGE 9 19-5-2014

Certificate Revocation

PAGE 10 19-5-2014

• Abortive ending of the binding between

• subject and key (public key certificate)

OR

• subject and attributes (attribute certificate)

• The revocation is initiated by

• the subject

OR

• the issuer

• Typical frequency (assumption):

• 10% of the issued certificates will be revoked (See: “Selecting

Revocation Solutions for PKI” by Årnes, Just, Knapskog, Lloyd and Meijer)

Certificate Revocation List

PAGE 11 19-5-2014

Publish Public Key Information

PAGE 12 19-5-2014

• Directories • (L)DAP

• Active Directory

• Web pages • HTTP

• File transfer • FTP

• Services

• OCSP

• SCVP

LDAP

PAGE 13 19-5-2014

Security of Key Pairs

Select suitable algorithms and key sizes

Monitor possible security threads and react adequately

Provide suitable means to generate key pairs

Provide suitable formats and media to store private keys

Provide suitable means of delivering private keys

Personal security environments

PAGE 14 19-5-2014

PSE: Smartcard

PAGE 15 19-5-2014

Interoperability

• Comply to accepted (international) standards

• Certificates / revocations

− X.509, PGP, SPKI/SDSI, …

• Directory services

− (L)DAP, Active Directory, …

• Cryptographic algorithms / protocols / formats

− PKCS, RFC, …

• Constraints on content and processing

− PKIX, ISIS-MTT, …

PAGE 16 19-5-2014

Policy Enforcement

• Certificate policy (CP)

• States what to comply to

• Certificate practice statement (CPS)

• States how to comply

• Policies are enforced by the PKI through:

• Selecting standards, parameters, hardware, …

• Monitor behavior of involved parties

• Reacting on infringement of the policy

PAGE 17 19-5-2014

Trust Models

PAGE 18 19-5-2014

Trust

The perhaps most important part of a PKI is to

establish trust in the binding between an entity and a

certificate

PAGE 19 19-5-2014

Direct Trust

PAGE 20 19-5-2014

• User receives public key directly from owner

OR

• User verifies public key directly with owner

Most Common: Fingerprint comparison

PAGE 21 19-5-2014

Fingerprint = hash value of the certificate (incl. Signature) (e.g. SHA1)

Face-to-Face Verification

PAGE 22 19-5-2014

Phone Verification

PAGE 23 19-5-2014

Web Page Verification

PAGE 24 19-5-2014

http://www.cacert.org/index.php?id=3

Printed Media Verification

PAGE 25 19-5-2014

BNetzA publishes the public key

…and more

PAGE 26 19-5-2014

~# gpg --list-public-keys

/root/.gnupg/pubring.gpg

------------------------

pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team

<security@suse.de>

pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key

<build@suse.de>

sub 2048g/8495160C 2000-10-19 [expires: 2006-02-12]

e.g. public keys on software CD/DVD

Summary: Direct Trust

• Establishes • Which keys are authentic

• Why they are considered authentic

• Bad scalability • n * (n-1) = O(n2) verifications

• Worse complexity than secret key exchange!

• Basis for all other trust models • To be seen

PAGE 27 19-5-2014

PGP (Pretty Good Privacy)

PAGE 28 19-5-2014

Web of Trust

PAGE 29 19-5-2014

[From PGP-Pretty Good Privacy by Simon Garfinkel]

Web of Trust

PAGE 30 19-5-2014

A web of trust is a concept used in PGP, GnuPG, and

other OpenPGP-compatible systems to establish the

authenticity of the binding between a public key and a

user.

Its decentralized trust model is an alternative to the

centralized trust model of a public key infrastructure

(PKI), which relies exclusively on a certificate authority

(or a hierarchy of such).

Source: http://en.wikipedia.org/wiki/Web_of_trust

Key Validity

PAGE 31 19-5-2014

• Alice computes key validity using Bob’s signatures

Carl

Dorian

Bob Alice

Chaining Key Validity

PAGE 32 19-5-2014

• Alice computes key validity using Bob’s and Carl’s

signatures

Alice Bob Carl

Dorian

Eve

Public Keyring

PAGE 33 19-5-2014

Public Keyring

PAGE 34 19-5-2014

Alice’s public keyring

Key Validity vs. Owner Trust

PAGE 35 19-5-2014

• Key Validity:

• Is the key owner who he claims to be?

• Levels: no answer; unknown; marginal; complete;

ultimate

• Owner trust:

• Is the key owner reliable? (in respect to signing keys of others)

• Levels: unknown; none; marginal; complete; ultimate

Key Validity: Levels

PAGE 36 19-5-2014

• no answer

• Nothing is said about this key.

• unknown

• Nothing is known about this key.

• marginal

• The key probably belongs to the name.

• complete

• The key definitely belongs to the name.

• (ultimate)

• (Own keys).

Owner Trust: Levels

PAGE 37 19-5-2014

• unknown

• Nothing can be said about the owner's judgment in key signing.

• none

• The owner is known to improperly sign keys.

• marginal

• The owner is known to properly sign keys.

• complete

• The owner is known to put great care in key signing.

• ultimate

• The owner is known to put great care in key signing, and is allowed to make trust decisions for you.

Assigning Key Validity

• Manually (Key Signing)

OR

• computed from the trust in the corresponding

signers, only considering signers with key validity

“complete” (or better).

PAGE 38 19-5-2014

Assigning Key Validity

PAGE 39 19-5-2014

Alice signs the public key of other users.

Key Signing: Direct Trust

PAGE 40 19-5-2014

Bob’s key validity is complete for Alice because she decided it when signing the key after verifying the fingerprint.

Key Validity Computation: “complete” (1)

PAGE 41 19-5-2014

If the key is signed by at least one user with owner trust complete.

Key Validity Computation: “complete” (2)

PAGE 42 19-5-2014

If the key is signed by at least x (here x=2) names with owner trust marginal.

Key Validity Computation: “marginal”

PAGE 43 19-5-2014

If the key is signed by less than x (here x=2) names with owner trust marginal.

Key Validity Computation: “unknown”

PAGE 44 19-5-2014

If the key is signed by no name with at least owner trust marginal

Assigning Owner Trust

• Manually (Trust Setting)

OR

• computed from the owner trust of signers only using

“ultimate” valid keys.

PAGE 45 19-5-2014

Trust Anchor: Owner Trust

PAGE 46 19-5-2014

Alice assigns owner trust to users.

“Simple” PGP

PAGE 47 19-5-2014

Alice signs Bob’s key (level 0) and trusts him. Alice uses Bob’s signatures on Dorian’s and Frank’s

keys.

Trusted Introducers

PAGE 48 19-5-2014

Alice signs Bob’s key (level 1) and trusts him. Bob signs Carl’s key (level 0) and trusts him. Alice uses Carl’s signatures on Dorian’s and Frank’s

keys. Bob = Trusted Introducer

By allowing more intermediate signers (level >1), Bob becomes a Meta Introducer

PGP Certificates

PAGE 49 19-5-2014

PGP Certificates: Content

PAGE 50 19-5-2014

[From http://www.ece.cmu.edu/~adrian/630-f04/PGP-intro.html]

A Simple PGP Certificate - Example

PAGE 51 19-5-2014

One UserID with one signature

Legend

Public Key Packet

User ID Packet

Signature Packet

Example, cont’d

PAGE 52 19-5-2014

Legend

Public Key Packet

User ID Packet

Signature Packet

One UserID with one signature and

a second UserID without signature

Example, cont’d

PAGE 53 19-5-2014

One UserID with four signatures

Legend

Public Key Packet

User ID Packet

Signature Packet

A More Complicated Example

PAGE 54 19-5-2014

One UserID with one signature and

a second UserID with one signature and

a second key (subkey) with one signature

Legend

Public Key Packet

User ID Packet

Signature Packet

Public Key Packet

PAGE 55 19-5-2014

Creation Time Version

Public Key Algorithm

Public Key

(RSA case)

User ID Packet

PAGE 56 19-5-2014

A User ID packet consists of UTF-8 text that is intended to

represent the name and email address of the key holder. By

convention, it includes an RFC 2822 mail name-addr, but

there are no restrictions on its content. The packet length in

the header specifies the length of the User ID.

[From RFC 4880]

Example:

Andreas Hülsing <a.t.huelsing@tue.nl>

Signature Package

PAGE 57 19-5-2014

…

…

Version Signature Type Public Key Algorithm Hash Algorithm Counter

Hashed Subpackets Unhashed Subpackets 16 bits of signed hash value Signature (RSA Case)

Subpacket Content

PAGE 58 19-5-2014

• signature creation time

• signature expiration time

• exportable certification

• trust signature

• regular expression

• revocable

• key expiration time

• placeholder for backward compatibility

• preferred symmetric algorithms

• revocation key

• issuer key ID

• notation data

• preferred hash algorithms

• preferred compression algorithms

• key server preferences

• preferred key server

• primary user id

• policy URL

• key flags

• signer's user id

• reason for revocation

PGP Keys

PAGE 59 19-5-2014

http://pgp.jjim.de/sks/

PGP Revocation

• Uses Key Revocation Certificate

• generated during KeyGen using private key

• Uploading Key Revocation Certificate to one of the

public key servers revokes key pair.

• Key Revocation Certificate can contain new UserID

PAGE 60 19-5-2014