NCSU CSC (ECE) 574 - Public Key Infrastructure

CSC/ECE 574 Computer and Network Security
Topic 7.2 Public Key Infrastructure (PKI)
Computer Science, CSC/ECE 574, Dr. Peng Ning

What Is PKI
• Informally, the infrastructure supporting the use of public key cryptography.
• A PKI consists of
  – Certificate Authority (CA)
  – Certificates
  – A repository for retrieving certificates
  – A method of revoking certificates
  – A method of evaluating a chain of certificates from known public keys to the target name

Certification Authorities (CA)
• A CA is a trusted node that maintains the public keys for all nodes (each node maintains its own private key)
[Figure: nodes 1 to 6 and the CA]
• If a new node is inserted in the network, only that new node and the CA need to be configured with the public key for that node

Certificates
• A CA is involved in authenticating users' public keys by generating certificates
• A certificate is a signed message vouching that a particular name goes with a particular public key
• Example:
  1. [Alice's public key is 876234]Carol
  2. [Carol's public key is 676554]Ted & [Alice's public key is 876234]Carol
• Knowing the CA's public key, users can verify the certificate and authenticate Alice's public key
• Certificates can hold an expiration date and time
• Alice keeps the same certificate as long as she has the same public key and the certificate does not expire
• Alice can append the certificate to her messages so that others know her public key for sure

CA Advantages
1. The CA does not need to be online. [Why?]
2. If a CA crashes, then nodes that already have their certificates can still operate.
3. Certificates are not security sensitive (in terms of confidentiality).
  – Can a compromised CA decrypt a conversation between two parties?
  – Can a compromised CA fool Alice into accepting an incorrect public key for Bob, and then impersonate Bob to Alice?

CA Problems
• What if Alice is given a certificate with an expiration time and then is revoked (fired) from the system?
  – Alice can still use her certificate until the expiration time.
  – What kind of harm can this do?
  – Alice can still exchange messages with Bob using her unexpired certificate.
• Solution:
  – Maintain a Certificate Revocation List (CRL) at the CA. A certificate is valid if (1) it has a valid CA signature, (2) it has not expired, and (3) it is not listed in the CA's CRL.

Terminology
• A CA signing a certificate for Alice's public key
  – CA → issuer
  – Alice → subject
• Alice wants to find Bob's public key
  – Bob → target
• Anyone with a public key is a principal
• Alice is verifying a certificate (or a chain of certificates)
  – Alice → verifier
• Trust anchor → a CA with a trusted public key

PKI Models
1. Monopoly model
2. Monopoly + RA
3. Delegated CAs
4. Oligarchy model
5. Anarchy model
6. Name constraints
7. Top-down with name constraints
8. Bottom-up with name constraints

Monopoly Model
• One CA universally trusted by everyone
• Everyone must get certificates from this CA
• The public key of this organization is the only PKI trust anchor and is embedded in all software and hardware

Problems
1. There is NO universally trusted organization
2. Monopoly control. The CA could charge any fees.
3. Once deployed, it is hard to switch to a different CA
4. The entire world's security relies on this CA
5. Inconvenient.

Monopoly + Registration Authorities (RA)
• RAs are affiliated with the single CA and are trusted by this CA.
• RAs check identities and provide the CA with relevant information (identity and public key information) to generate certificates.
• More convenient (more places to be certified).
• Still a monopoly. All the monopoly problems still hold.

Delegated CAs
• The trust anchor (known CA) issues certificates to other CAs (delegated CAs) vouching for their trustworthiness as CAs.
• Users can obtain their certificates from delegated CAs instead of the trust anchor CA.
• Example:
  – [Carol's public key is 676554]Ted & [Alice's public key is 876234]Carol
  – Ted: trust anchor CA & Carol: delegated CA

Oligarchy Model
• A few trusted CAs, and a certificate issued by any one of them is accepted
• Competition between CAs is good
• Problems: not as secure as the monopoly case
  – Need to protect more CAs (instead of only one)
  – Might be easier to trick a naïve user by inserting a bogus trust anchor in the list of trusted CAs
  – It is hard to examine the set of trust anchors and determine whether someone has modified the set

Anarchy Model (Web of Trust)
• Fully
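
The three-part validity rule from the CA Problems slide (valid CA signature, not expired, not on the CRL), applied along the Ted → Carol → Alice chain from the Delegated CAs slide. This is an added example, not part of the lecture material. The toy unpadded RSA, the serial-number field, the timestamps and the per-issuer CRL dictionary are assumptions made for illustration.

```python
# Added example: toy textbook RSA (no padding, tiny keys), illustration only.
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by all toy keys

def keygen(p, q):
    """Return (modulus n, private exponent d) for distinct primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

@dataclass
class Cert:
    subject: str
    pubkey: int     # subject's public key (an RSA modulus when the subject is a CA)
    issuer: str
    serial: int     # assumed field: the value a CRL lists
    not_after: int  # expiration time, seconds since epoch
    sig: int = 0

def digest(cert, n):
    """Hash the signed fields (everything except sig), reduced mod n."""
    tbs = f"{cert.subject}|{cert.pubkey}|{cert.issuer}|{cert.serial}|{cert.not_after}"
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % n

def issue(cert, issuer_n, issuer_d):
    """Sign cert with the issuer's private exponent."""
    cert.sig = pow(digest(cert, issuer_n), issuer_d, issuer_n)
    return cert

def validate_chain(chain, anchor, anchor_n, now, crls):
    """Walk from the trust anchor to the target; return (target key, reason)."""
    name, n = anchor, anchor_n
    for cert in chain:
        if cert.issuer != name or pow(cert.sig, E, n) != digest(cert, n):
            return None, f"bad signature on {cert.subject}"  # check (1)
        if now > cert.not_after:
            return None, f"{cert.subject} expired"           # check (2)
        if cert.serial in crls.get(cert.issuer, set()):
            return None, f"{cert.subject} revoked"           # check (3)
        name, n = cert.subject, cert.pubkey  # verified subject signs the next link
    return n, "ok"

# Constructed sample data mirroring the slides: Ted is the trust anchor,
# Carol a delegated CA, Alice the subject. Primes are small Mersenne primes.
TED_N, TED_D = keygen(2**89 - 1, 2**61 - 1)
CAROL_N, CAROL_D = keygen(2**107 - 1, 2**31 - 1)
CAROL_CERT = issue(Cert("Carol", CAROL_N, "Ted", 1, 2_000_000_000), TED_N, TED_D)
ALICE_CERT = issue(Cert("Alice", 876234, "Carol", 7, 2_000_000_000), CAROL_N, CAROL_D)
CHAIN = [CAROL_CERT, ALICE_CERT]
```

Putting Alice's serial on Carol's CRL makes the verifier reject her still-unexpired certificate, which is the fired-employee case the slide raises.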

