PKC Signatures


8/10/2019 semnaturi PKC

1/26

Academia Tehnica Militara Bucuresti
2010-2011

Course: INFORMATION SECURITY
Prof. Dr. Victor Valeriu PATRICIU

B. Electronic Signatures and PKI

2/26

AUTHENTICATION BY ELECTRONIC SIGNATURES

Signatures, digital certificates, revocation lists, certification paths
PKI components: CA, RA, repository, users
PKI architecture
X.509 certificates, CRLs
Building and validating certification paths
Time-Stamping

Digital (Electronic) Signature
-creating & verifying-

3/26

Digital Signatures

A digital signature signs a message digest, not the message itself.

Two types of digital signature algorithms:
- digital signature with message recovery (e.g. RSA)
- digital signature without message recovery (e.g. DSA)

[Figure: Digital Signatures - with Message Recovery / without Message Recovery]

4/26

Recommended Signature Key Length and Algorithms
-for e-commerce use-

Signature Algorithms:
- 1024-bit key RSA;
- 1024-bit key DSA;
- 160-bit key DSA with elliptic curves

Hash Functions:
- RIPEMD-160
- SHA-1

Public-Key Distribution

5/26

Public-Key Distribution

Digital Certificate

Is a person really who they claim to be?
How do you know that the public key you got from a person really belongs to this person?

Solution: the CERTIFICATE - like an Information Highway driver's licence

6/26

Digital Certificate X.509 v3

Certificate contents:
- Version number is 3
- Serial number is a monotonically increasing integer value (guarantees the uniqueness of the serial number for the issuing CA)
- Issuer name is populated with the X.500 distinguished name
- Subject public key corresponds to a standard algorithm
- Signature field identifies a standard signature algorithm.

Digital Certificate X.509 v3 -extensions-

X.509 v3 standard extensions - separated into groups:
1. key information (authority key identifier, subject key identifier, key usage, ...)
2. policy information (certificate policies and policy mappings)
3. user and CA attributes (subject alternative name, issuer alternative name, subject directory attributes)
4. certification path constraints (basic constraints, name constraints, policy constraints)

Authority key identifier extension contains a key identifier and, where needed, the issuer name and the serial number
CRL distribution points extension contains the location where the CRL may be found
Authority information access extension contains the repository in which the CA's own certificate may be found

7/26

[Figure: Sample Digital Certificate]

End-Entity Certificates
Are issued to subjects that are not CAs
Contain public keys used for verifying digital signatures or for performing key management
Subject: human user or system (Web server or router)
- User certificates
- System certificates

8/26

End-Entity Certificates: user certificates vs. system certificates

Subject name - User: distinguished name or DNS-style. System: distinguished name or DNS-style.
Validity period - User: no more than 3 years. System: no more than 3 years.
Key usage extension - User: critical extension. System: critical extension.
Extended key usage - Non-critical extension. For Web servers: ...; for routers: IPsec.
Certificate policies extension - User: non-critical extension, a single policy. System: non-critical extension, a single policy.
Subject alternative name extension - User: non-critical extension, includes the user's e-mail address. System: non-critical extension, includes the computer's DNS name; for routers it contains the IP address.

CA Certificates
Are issued to subjects that are CAs
Contain public keys used for verifying digital signatures on certificates and CRLs
Must contain sufficient information for certificate users to construct certification paths and locate CRLs
Subject: another CA in the same enterprise or a CA in another enterprise
3 types:
- CA certificates within an enterprise PKI
- CA certificates between enterprise PKIs
- CA certificates in a Bridge CA environment

9/26

Self-Issued Certificates
Issuer and Subject are the same
Used to establish trust points, distribute a new signing public key, or modify the certificate policies supported in a PKI
3 types:
- Trust point establishment
- Rollover certificates (introduce a new certificate or CRL signing key. A CA issues a pair of key rollover certificates. First - contains the old public key, signed with the new private key. Second - contains the new public key, signed with the old private key. In this way subscribers with certificates signed with the old private key and subscribers with certificates signed with the new private key can validate each other's certificates.)
- Policy rollover certificates

Public Key Infrastructure
PKI - set of components (hardware & software) that work together for using public-key technology in a secure manner
CA - a trusted authority which provides a statement (the Digital Certificate) that the enclosed public key belongs to the person whose name is attached
Examples:
- an organization or company to its employees
- a university to its students
- a public CA (like VeriSign) to its clients

10/26

[Figure: Certificate Authority (CA) and Certificate Directory (X.500, DNS, etc.) - the directory holds name/public-key certificates; users retrieve them to exchange encrypted & signed messages]

[Figure: CA Hierarchy - Root CA with subordinate CAs]

11/26

Certificate Revocation

A certificate must be revoked when:
- the private key is compromised;
- the private key is lost;
- the person leaves the company.

All users must know to no longer trust the certificate; relying parties check the CRL before using a certificate; a CRL can be cached locally. Rather than one long CRL, keep multiple shorter CRLs: distribute the CRL to multiple places and spread the load using the certificate extension field cRLDistributionPoints. Use a sufficiently scalable and powerful CRL server.

OCSP - On-line Certificate Status Protocol: inquires of the issuing CA whether a certificate is still valid (response: YES/NO).

[Figure: X.509 CRL format]

12/26

[Figure: Certificate Verification with Directory]

Certificate Paths

A certification path is an ordered sequence of certificates between the end entity and the trusted root CA, i.e. a certificate chain that begins at the end entity and ends at the root CA.

Certificates may be chained to form a certification path. This is illustrated in the figure: User B has been issued a certificate by CA 3, which has been issued a certificate by CA 2, which in turn has been issued a certificate by the root CA. Because User A trusts the root CA's public key, he can verify each certificate in the certification path until he reaches User B's certificate and verifies it. At that point, A knows B's public key and can verify his signatures.
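As an added illustration (not from the slides) of slides 6, 11 and 12 together: the code below builds the certification path from User B up to the Root CA by chaining issuer names to subject names, then validates it top-down, checking each certificate's signature with the public key of the certificate above it, its validity period, its serial number against the issuer's CRL, and the basic constraints and pathLenConstraint extensions. Assumptions: certificates are constructed Python dicts rather than real X.509 DER, the RSA keys use toy primes so the block runs stand-alone, `crls` is a constructed dict standing in for CRL retrieval, and dates are ISO strings.

```python
import hashlib
# Constructed toy RSA keys: tiny primes for illustration only (real PKIs use >=2048-bit RSA or ECDSA).
def keygen(p, q, e=7):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def tbs_digest(cert, n):
    # The signature covers a hash of the to-be-signed fields, never the "sig" field itself.
    tbs = {k: v for k, v in cert.items() if k != "sig"}
    return int.from_bytes(hashlib.sha256(repr(sorted(tbs.items())).encode()).digest(), "big") % n

def issue(subject, key, issuer, issuer_key, serial, ca, path_len=None):
    # issuer=None means a self-issued trust point: issuer name == subject name, signed with its own key.
    cert = {"serial": serial, "subject": subject, "issuer": issuer["subject"] if issuer else subject,
            "pub": (key["n"], key["e"]), "not_after": "2012-12-31", "ca": ca, "path_len": path_len}
    cert["sig"] = pow(tbs_digest(cert, issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return cert

def verify_sig(cert, issuer_pub):
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == tbs_digest(cert, n)

def build_path(ee, certs, anchor):
    # Chain issuer name -> subject name from the end entity up to the trust anchor.
    path = [ee]
    while path[-1]["issuer"] != anchor["subject"]:
        nxt = [c for c in certs if c["subject"] == path[-1]["issuer"] and c["ca"]]
        if not nxt or len(path) > len(certs):  # dead end or a loop of cross-issued certificates
            raise ValueError("no certification path to the trust anchor")
        path.append(nxt[0])
    return path

def validate_path(path, anchor, crls, today):
    # Walk from the anchor down, checking each certificate with the public key of the one above it; crls maps an issuer name to the serial numbers it has revoked, today is an ISO date string.
    issuer_pub, ca_budget, errors = anchor["pub"], anchor["path_len"], []
    for cert in reversed(path):
        if not verify_sig(cert, issuer_pub):
            errors.append(f"{cert['subject']}: signature does not verify with issuer key")
        if cert["not_after"] < today:
            errors.append(f"{cert['subject']}: expired")
        if cert["serial"] in crls.get(cert["issuer"], set()):
            errors.append(f"{cert['subject']}: revoked in CRL of {cert['issuer']}")
        if cert is not path[0]:  # intermediate CA: basic constraints and pathLenConstraint
            if not cert["ca"]:
                errors.append(f"{cert['subject']}: not a CA certificate")
            if ca_budget is not None and ca_budget <= 0:
                errors.append(f"{cert['subject']}: pathLenConstraint of an ancestor exceeded")
            limits = [b for b in (None if ca_budget is None else ca_budget - 1, cert["path_len"]) if b is not None]
            ca_budget = min(limits) if limits else None
        issuer_pub = cert["pub"]
    return errors

# Constructed hierarchy from the slide: Root CA -> CA 2 -> CA 3 -> User B.
K_ROOT, K_CA2, K_CA3, K_B = keygen(61, 53), keygen(101, 103), keygen(107, 109), keygen(137, 139)
ROOT = issue("Root CA", K_ROOT, None, K_ROOT, 1, ca=True, path_len=2)
CA2 = issue("CA 2", K_CA2, ROOT, K_ROOT, 2, ca=True)
CA3 = issue("CA 3", K_CA3, CA2, K_CA2, 3, ca=True, path_len=0)
USER_B = issue("User B", K_B, CA3, K_CA3, 4, ca=False)
CERTS = [CA2, CA3, USER_B]
def check_user_b(crls, today="2011-06-01"):
    return validate_path(build_path(USER_B, CERTS, ROOT), ROOT, crls, today)
```

`check_user_b({})` returns an empty list for the valid chain; adding serial 3 to CA 2's CRL, moving the date past 2012, or altering any signed field of User B's certificate produces the corresponding error.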

13/26

[Figure: Certificate Paths - two alternative PKI topologies]

14/26

[Figure: Cross-Certification between CA hierarchies - MIT (LCS, Sloan), ABC Co. (Corporate, Sales, Marketing, Research), XYZ Co. (London, NYC, H.R.)]

PKI Components
The End-Entities (EE)
The Certificate Authority (CA)
The Certificate Repository (CR)
Digital Certificates (X.509 v3)

15/26

PKI Components

End-Entity (EE)
An End-Entity is defined as a user of a PKI certificate and/or an end-user system that is the subject of a certificate.
In a PKI system, End-Entity is a generic term for a subject that uses some services or functions of the PKI system, which may be a certificate subject (a user, an end-user system or some other entity), or a requestor (it might be an application program) for a certificate or CRL.

16/26

Certificate Authority (CA)
The Certificate Authority (CA) is the signer of the certificates. The CA, often together with the Registration Authority (RA), has the responsibility of identifying the certificate subject entity.
The logical domain in which a CA issues and manages certificates is called a security domain, which might be implemented to cover an organization, a company, a large department, a test cell, or another logical community in real cases.
A CA's primary operations include certificate issuance, certificate renewal, and certificate revocation.

Registration Authority (RA)
The Registration Authority (RA) is an optional component in a PKI.
In some cases, the CA incorporates the role of an RA. Where a separate RA is used, the RA is a trusted End-Entity certified by the CA, acting as a subordinate server of the CA. The CA can delegate some of its management functions to the RA. For example, the RA may perform personal authentication tasks, report revoked certificates, generate keys, or archive key pairs. The RA, however, does not issue certificates or CRLs.

17/26

Certificate Repository (CR)
The CR stores issued and revoked certificates. Since the X.509 certificate format fits an X.500 directory, a CR is best implemented as a directory, accessed by the Lightweight Directory Access Protocol (LDAP v3).
RFC 2587, Internet X.509 PKI Operational Protocols - LDAPv2, defines the access method to a repository with which an End-Entity or a CA can retrieve or modify the certificate and CRL information stored in a CR. A CR can be accessed with LDAP commands or procedures (bind, search, modify, unbind).
RFC 2559, Internet X.509 PKI LDAPv2 Schema, defines the attributes and object classes to be supported by an LDAP CR server.

Directories
RFC 2587 specifies 3 object classes:
- PKI user - used for certificate holder entries; must contain a user certificate attribute; all certificates whose subject name matches the name of the entry should be stored in this attribute;
- PKI CA - used for CA entries; may contain CA certificate, CRL, ARL and cross-certificate pair attributes; the CA certificate attribute contains CA certificates whose subject name matches the name of the entry; these certificates may be self-issued or issued by other CAs;
- CRL distribution point - may include CRL, ARL, and delta CRL attributes; the name of the entry will match the name in the CRL distribution point extension;

18/26

X.500 Directories
Various servers called Directory Server Agents (DSA)
Clients called Directory User Agents (DUA)
A DSA responds to DUA queries with information
X.500 Directory uses 2 basic protocols:
- Directory Access Protocol (DAP) - supports information requests from DUAs to DSAs;
- Directory Service Protocol (DSP) - supports information requests between DSAs; DSAs may augment DSP by shadowing, with the Directory Information Shadowing Protocol (DISP), used to replicate the contents of a DSA;

LDAP - Lightweight Directory Access Protocol - v2
Developed by the University of Michigan
Standardised in the IETF;
If an LDAP directory receives a request for an entry that is not locally held, it checks a table of remote directories; if one directory is likely to contain the entry, the directory returns a referral to the other directory;
The referral contains the directory name and the system that supports it;
The architecture does not provide transparency: a client must determine the physical location before it obtains any information;
Generally, if certificates or CRLs are not available in the first LDAP directory checked, they will not be found.
PKI repositories based on LDAP generally use a single repository.
Most CA products include an LDAP client and can perform authenticated directory updates automatically.

19/26

Signed Document Format

ETSI Electronic Signature Format - these specifications define an electronic signature that remains valid over long periods (see next figure);
to achieve this goal, the signature format includes evidence of its validity, by using a TSA to provide verifiable time;
the format includes 3 levels of signature:
- ES (Electronic Signature) - contains the policy identifier, ...;
- ES-T - adds the timestamp over the digital signature;
- ES-C - adds references to all the certificates and status information that apply to this signature (usually CRLs);

[Figure: ETSI Electronic Signature Format]

20/26

XML Signature

The explosive growth in the use of the Web for business-to-business (B2B) e-commerce has intensified attention on the eXtensible Markup Language (XML), a common, open, Internet standard that facilitates data exchange over the Internet.
Recognizing that existing Web technologies, such as HTML, are inadequate for implementing the scale and diversity of transaction protocols envisioned for the Web, the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) have developed XML and XML-related technologies to meet this requirement.
Like any data being exchanged over a network, XML communications and transactions must be secured. In this respect, to maintain the integrity of the transaction or communication, an XML document, just like any other document or transaction, should be capable of authentication and non-repudiation, and its content should remain intact (integrity) and confidential.

XML Signature

XML is a very powerful, general-purpose meta-language used to enable data interchange between diverse systems, platforms and international languages. This robust, adaptable, easy-to-use data format can capture both the structure and semantics of data, making it possible to create a wide variety of new Web applications.
Like HTML, XML uses tags (words bracketed by < and >) and attributes (of the form name="value") to help place structured data into ASCII files. XML is different from HTML in that it is a meta-language (a language for describing other languages) and therefore does not define specific tags and attributes, but rather provides rules to define those tags and attributes.
XML makes it easy for diverse Web applications to interact with each other because it provides a standard way to parse and interpret data. XML-encoded data becomes its own self-contained database ("intelligent data": data that knows about itself).

21/26

XML Signature

From a technical point of view, XML is a syntax for describing the semantics (meaning) and structure of data. The following fragment of XML illustrates these features:

Wally Road
123 Billings Gate
[email protected]

The tags enveloping the data define the semantics of the data. In the example, the string "Wally Road" is identified as the name of a person who will be paying something. The tag preceding the data is called the start tag; the tag following the data is called the end tag. A start tag and its corresponding end tag define an XML element. In the example, Wally Road is an element.

XML Signature

W3C and IETF have elaborated the standard format and functions for XML signing;
The XML signature is an XML data structure which contains the signature value and the data necessary in the verification process;
The XML signature provides the following functions:
- represents the digital signature of documents (XML or non-XML) in an XML format; 3 types of digital signature:
  - the signature encapsulates the data being signed (enveloping)
  - the signature is placed within the signed document itself (enveloped)
  - the object to be signed can be separate from the XML Signature, but reside within the same resource as the signature (detached)
- uses pointers to select the document zones to be included in the signing process;
- permits URL references for documents.

22/26

[Figure: XML Signature Structure]

[Figure: XML Signature Types]

23/26

XML Signature Creation
1. Determine the resources to be signed.
2. Calculate the digest of each resource. In XML Signatures, each reference is specified by a Reference element and its digest is placed in a DigestValue child element.
3. Collect the Reference elements (with their associated digests) within a SignedInfo element.
4. Calculate the digest of the SignedInfo element, sign the digest using a valid private signature key, and put the signature value in a SignatureValue element.
5. If keying information is to be included, place it in a KeyInfo element.
6. Place the SignedInfo, SignatureValue, and KeyInfo elements into a Signature element. The Signature element is the XML Signature.

XML Signature Verification
1. Obtain the public key certificate, either from KeyInfo or from an external source, and retrieve the public verification key.
2. Re-calculate the digest of the SignedInfo element. Use the public verification key to verify that the value of the SignatureValue element is correct when compared with the digest of the SignedInfo element.
3. If step 2 passes, re-calculate the digests on the related data objects of the references contained within the SignedInfo element, using either the URI it contains or other means. Compare each calculated digest with the DigestValue in the corresponding Reference element.
4. If step 3 passes, validate the public verification certificate by finding a certificate path to the trusted certificate (root of trust), such that this path, and the certificates it contains, are valid.
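An added worked example (not part of the slides) of the creation steps 1-6 and verification steps 2-3 above, using only Python's standard library: one Reference with a DigestValue per resource, collected into SignedInfo, a SignatureValue over the canonicalized SignedInfo, and KeyInfo, all assembled into a Signature element, then verified in the order the slides give (signature first, reference digests second). Assumptions: constructed detached resources and a constructed shared key for the HMAC SignatureMethod (XMLDSig allows HMAC, which avoids an RSA library), and the stdlib's C14N 2.0 canonicalization on both sides.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", DSIG)  # serialize the dsig elements with a default namespace, as in the spec
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
C14N2 = "http://www.w3.org/2010/xml-c14n2"

# Constructed sample: two detached resources keyed by the URI their Reference will carry,
# and a constructed shared key for the HMAC SignatureMethod.
RESOURCES = {"order.xml": b"<Order><Payee>Wally Road</Payee><Amount>123</Amount></Order>",
             "terms.txt": b"Constructed terms-and-conditions text."}
KEY = b"constructed-demo-key"

def tag(name):
    return f"{{{DSIG}}}{name}"

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def canonical(element):
    # Signer and verifier must hash identical bytes, so both run the same serializer and the
    # stdlib C14N 2.0 (assumption: both sides agree on it; XMLDSig deployments mostly use C14N 1.x).
    return ET.canonicalize(ET.tostring(element, encoding="unicode")).encode()

def create_signature(resources, key):
    signed_info = ET.Element(tag("SignedInfo"))
    ET.SubElement(signed_info, tag("CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(signed_info, tag("SignatureMethod"), Algorithm=HMAC_SHA256)
    for uri, data in resources.items():  # steps 1-3: a Reference with its DigestValue per resource
        ref = ET.SubElement(signed_info, tag("Reference"), URI=uri)
        ET.SubElement(ref, tag("DigestMethod"), Algorithm=SHA256)
        ET.SubElement(ref, tag("DigestValue")).text = b64_sha256(data)
    # step 4: sign the canonicalized SignedInfo (HMAC hashes it internally)
    mac = hmac.new(key, canonical(signed_info), hashlib.sha256).digest()
    signature = ET.Element(tag("Signature"))  # step 6: assemble the Signature element
    signature.append(signed_info)
    ET.SubElement(signature, tag("SignatureValue")).text = base64.b64encode(mac).decode()
    key_info = ET.SubElement(signature, tag("KeyInfo"))  # step 5: keying information
    ET.SubElement(key_info, tag("KeyName")).text = "constructed-demo-key"
    return ET.tostring(signature, encoding="unicode")

def verify_signature(signature_xml, resources, key):
    """Returns (valid, per-reference results) following verification steps 2 and 3."""
    root = ET.fromstring(signature_xml)
    signed_info = root.find(tag("SignedInfo"))
    # step 2: recompute over SignedInfo and compare with SignatureValue in constant time
    expected = base64.b64decode(root.findtext(tag("SignatureValue")))
    if not hmac.compare_digest(expected, hmac.new(key, canonical(signed_info), hashlib.sha256).digest()):
        return False, {}
    # step 3: recompute each referenced resource's digest and compare with its DigestValue
    results = {}
    for ref in signed_info.findall(tag("Reference")):
        uri = ref.get("URI")
        results[uri] = hmac.compare_digest(b64_sha256(resources.get(uri, b"")), ref.findtext(tag("DigestValue")))
    return all(results.values()), results
```

A modified resource fails only its own Reference check, while any change inside SignedInfo (a URI, a DigestValue) or a wrong key fails at step 2 before the references are examined.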

24/26

HTML Signature
1. On a client request (HTTP GET), a form is prepared together with an applet, and both are downloaded to the client PC;
2. The applet is loaded by the JVM after its code signature is verified;
3. The user fills in the form and requests the signature; the applet shows a signature window;
4. On activation, the data are signed and sent by the applet to the server; the format is S/MIME;
5. The HTTP server routes the information to the security server;
6. Using the public key of the sender, the security server verifies the signature by accessing the LDAP server;
7. The data are sent to the application server.

[Figure: HTML Signature]

25/26

Timestamping
PKI can enable new services between clients and trusted third parties by supporting confidentiality and mutual authentication;
Timestamp Servers - allow a client to prove at a later date that some datum existed before a particular time (e.g. a signature was generated before a particular time);
A protocol was recently completed by the IETF PKIX Working Group and became RFC 3161 in 2001 - Internet X.509 PKI Time Stamp Protocol (TSP);
TSP describes the format of a request sent to a Time Stamping Authority (TSA) and the response returned;

Timestamping
Alice wants a timestamp on a document so that she can prove that it exists at this point in time:
- Alice digitally signs the document;
- Alice sends the document hash and the signature to the TSA in a TSP request;
- Alice sends the hash, not the document (the contents of the document are not disclosed to the TSA);
- the TSA authenticates Alice;
- the TSA generates a signed response to Alice;
- Alice validates the digital signature and stores the response for later use before a legal authority;

26/26

[Figure: Timestamping]