6.857 Computer and Network Security October 24, 2002Lecture Notes 14 : Certificate chainsLecturer: Ron Rivest Scribe: Alwen/Burns/Ma1 IntroductionWe begin with a quick overview of the structure of the Domain Name System, followed by anintroduction to the X.509 public key infrastructure. After defining the goals for a PKI, SPKI/SDSIis introduced through a series (3) of attempts at designing a PKI. The first approach consists ofACLs which are essentially lists of PK’s. Next, a first level of indirection is introduced, which leadsto problems with PK’s being maintained between domains. Finally, group structures are introduced,and the SPKI/SDSI PKI is presented. We end with a quick example of how such a PKI structuremight look.2 Outline• DNS• X.509• SPKI/SDSI– Certificates– ACL’s Naive Approach– ACL’s with 1 Level of Indirection– ACL’s with Groups (SPKI/SDSI)– Simple Model3 Domain Name System (DNS)DNS is the global system which maps names → IP addresses. (www.poledancing.com → 66.115.151.162for example). DNS is structured as a tree where the root node points to servers which handle com,org, edu, . . .However such a structure is not ideal. For one thing, it has a single point of failure at the root node,as was demonstrated by the Denial of Service attack last Monday on the (13) root servers. Abouthalf of them went down. The DNS SEC project proposes to secure the DNS system.10May be freely reproduced for educational or personal use.1see: http://www.nlnetlabs.nl/dnssec/12 4 PUBLIC KEY INFRASTRUCTURE AND X.509Figure 1: DNS-tree structure4 Public Key Infrastructure and X.509A PKI (such as X.5092for example) maps Names → public keys. X.509 is arranged as a stricttree structure. The first level is the most general, and each subsequent level provides greaterdetail. For example the first level (i.e. root) is an all encompassing node which points to thecountry nodes. Each country node then points to organization nodes, which in turn point to di-vision nodes, which finally point to a specific name. The address of this leaf then consists ofco=us/org=IBM/div=TJWatson/name=Don Coppersmith.Figure 2: X.509-tree structure2http://www.ietf.org/rfc/rfc2459.txt35 Goals for a PKIThe following are goals for a PKI which were considered during the design of the SPKI/SDSI PKI.• A PKI should not be Centralized, instead should be hierarchical with a top-down structure.→ In other words a PKI should be distributed and decentralized, with a bottom-up design.• A PKI should be flexible (should have groups).• A PKI should be easy to use. (So it should use local names rather than global names.)6 SPKI/SDSI6.1 CertificatesThe main cryptographic primitive employed by SPKI/SDSI is certificates. There are two kinds.• ”name certs” which define a local name.• ”authorization certs” which grant authorization.Public keys are the principals, because only things signed by them can be recognized. Compare toX.509 for example, where users are the main objects. Names (also called “identifiers”) are for theinterface (so that people can remember something to refer to the keys), and can be chosen arbitrarily.Each PK has its own namespace, in which it can certify the validity of local names and bind themto a principal by producing a certificate to bind the name to a public key. Such namespaces arenot related to each other. So if K1signs (A, P K1) and K2signs (A, P K2), then A has differentdefinitions in the namespaces of K1and K2. When we say K signs (A, P K) what is meant is thatthe corresponding secret key to K is used to produce a name cert. A name cert is a tuple (K, A, S, V )which is issued by the owner of K (i.e. has SK for K) where:• K A is the local name being validated.• S is the subject = definition of name. This may be a public key or another identifier.• V is the validity period.• K A → S is then signed by K.• KLCScan sign (K rivest, Krivest) which would say “in KLCS’s name space, K rivest isdefined by the PK Krivest”.4 6 SPKI/SDSI6.2 Access Control – Naive ApproachIn the naive approach, the Access Control List (ACL) = {P K0, P K1, etc}. In other words, the ACLis simply a list of public keys. A typical request for access might look something like this:1. P K identifies itself (without proof) and requests access to a resource.2. Guardian checks if P K is in the ACL.3. If not it returns an error message, otherwise it returns the file encrypted with P K.Figure 3: Access Control – Naive ApproachHowever this requires the guardian to maintain potentially unreasonably long lists of public keys foreach resource and things become very messy quickly when users change their public keys.6.3 Access control with 1 level of indirectionSo to avoid the problems of needing to modify the ACL each time a user changes their public key, alevel of indirection is introduced. This means that keys can now be assigned identifiers, so the ACL’sare of the form {KLCSrivest, KLCSkaashoek, KIBMdom, etc}. Therefore, if a key changes, allthat need be done is to issue a new certificate binding the new key to the same identifier, instead ofchanging the entire ACL. With this new scheme a typical request for a resource might look somethinglike this:1. Krivest(= Rivest’s public key) requests access to a resource.2. Gaurdien responds “sorry, resource protected by ACL = ...”.3. Krivestresends request (this time signed) along with proof that Krivestis authorized,(KLCSrivest, Krivest) signed by KLCS.However, the guardian has to maintain other parties’ PKs, e.g., LCS has to maintain PKs is-sued by IBM, MIT, etc. So to avoid this, an extra level of indirection is introduced. To in-clude KMITron rivest in an ACL, the definition KLCSrivest → KMITron rivest is cre-ated (by KLCS). Now for Krivestto get accepted by a guardian, a certificate chain of the form(KLCSrivest → KMITron rivest) and (KMITron rivest → Krivest) is needed. In otherwords, a chain beginning at the public key and ending in a valid identifier listed in LCS’s ACL isrequired. A name can have multiple values (KLCSrivest → P K1) and (KLCSrivest → P K2)6.4 Access Control with Groups (SPKI/SDSI) 5Figure 4: Access Control with 1 Level of Indirectionfor example. Similarly, KLCSfaculty → KLCSrivest means KLCSrivest is a subset of KLCSfaculty.This could lead to the problem of ACLs quickly becoming unreasonably long.6.4 Access Control with Groups (SPKI/SDSI)To solve this problem, the concept of groups is introduced.
View Full Document
Unlocking...