
6.857 Computer and Network Security                                   October 24, 2002
Lecture Notes 14: Public-Key Infrastructure
Lecturer: Ron Rivest                  Scribe: Armour/Johann-Berkel/Owsley/Quealy

[These notes come from Fall 2001. These notes are neither sound nor complete. There is more material than is covered in lecture, and some is missing. Check with students' notes for new topics brought up in 2002.]

May be freely reproduced for educational or personal use.

1 Outline

• Public-Key Infrastructure
• X.509
• SPKI/SDSI

2 Public-Key Infrastructure (PKI)

2.1 Introduction

In cyberspace there is a need to verify the identities of individuals for a number of purposes. Some of these events include sending and receiving secure email, sending and receiving signed email, setting up a secure session (SSL), and accessing a protected resource. The way in which this goal of authentication is accomplished is by verifying that a public key belongs to an individual that you know and trust. Public-Key Infrastructure is designed to allow this kind of authentication.

2.2 Diffie-Hellman Public-Key Encryption

"Public-Key Directory"

One way to associate public keys to individuals is by publishing a mapping of names to keys. This directory would act much like the White Pages does for distributing phone numbers based on name. The directory must be trusted; therefore it must be authentic, but it need not be secret. Entries would be of the form:

    Alice −→ (RSA, n = ..., e = 3)
    Bob   −→ (RSA, n = ..., e = 17)

Problem: Need to authenticate the issuer of the directory.

Solution: A possible solution would be for the issuer to sign the whole directory. (How do we get the issuer's PK? This must be recursive.)

Digital Certificates

Digital certificates were proposed by Loren Kohnfelder here at MIT in a B.S. thesis in '78. They are an authenticated identifier pairing the public key to a significant name. This allows any user to identify themselves and establishes trust between themselves and a verifier who trusts the certificate authority. The CA is assumed to correctly identify the person who has requested the certificate.

This is the structure of a signed digital certificate:

    {"Alice", (RSA, ...)}_CA

Here is a representation of the exchange between a user with a certificate and a verifier:

    (M)_{SK_A}, cert  −→  Bob ("relying party")

Question: How does PKI deal with issues of dynamics in naming, such as changing email addresses?

Answer: This does present a problem, since information can change. The major issue, however, becomes one of database update.

Advantages

• Alice can include her certificate in an email or post it on the Web
• Bob only needs to know the Certificate Authority and its PK
• Alice may have more than one key (e.g., one for signing, one for encryption)
• Certificates can have a validity period (not before / not after a certain time)

Difficulty Issues

• Scalability
  - need multiple CAs
  - naming (unique? human-readable?)
• Robustness
  - compromised keys? (especially the root key!)
  - revoked certificates
• Certificate as credential (attribute certificate instead of ID certificate)
• Trustworthiness of CA and procedures; liability?
• Privacy, anonymity

Question: How do we deal with privacy issues in the CA?

Answer: Use certificate serial numbers instead of names.

2.3 Naming

PK infrastructure has a very intimate link with naming. We want a system that is easy for people to use, similar to file names. The naming relationship should be as follows:

• Names are for people to use.
• Keys are for machines to use.
• PKI can provide a binding between the two.

Naming is a large issue. Since the CA has the burden of properly identifying and labeling the parties with certificates, names must be made clear and accurate.

Naming provides an interface between people and cyberspace. People must then write security policy based on the name associated with the PK used to sign a message. Writers of such policies need to know and understand the relationship between keys and names.

Desirable naming properties

• Descriptive
• Global uniqueness
• Dynamic

Examples

• Role (purchasing agent at IBM)
• Legal names
• Email
• Phone #'s ("enum")
• Mail address

Certificates can also be used for identifying much more about an individual than just identity. Attributes of a person can be given by certificates. For attributes, what exactly is the CA allowed to certify?

Example: John has brown hair.
How do they know?
Why should we believe them?

3 X.509

X.509 is one of the most popular standards specifying the contents of a digital certificate. One of the main goals of X.509 is global uniqueness of names.

3.1 X.509 Hierarchical Structure

X.509 maintains properties of distinguished names (DNs) and is organized in a hierarchical structure. This naming scheme for certificates traverses through local CAs until arriving at a specific name. Each local CA is responsible only for certificates in its specific domain.

Below is the graphical representation of the path between the root CA and John Smith:

    /root/us/ibm/ibm-sales/John-Smith

Some major problems with DNs here are that single points of failure disrupt the system. The structure itself is also awkward.

Question: What happens if the root CA is compromised?

Answer: Instead of having one root CA we can implement a threshold system. This would help eliminate single points of failure.

3.2 What's included in X.509 version 3 certificates?

• Version #
• Certificate Serial #
• Signature Algorithm Identifier
• Issuer Distinguished Name (DN)
• Validity Period
• Subject DN
• Subject PK Information
  - algorithm identifier
  - associated key parameters
• Issuer Unique #
• Subject Unique #
• Extensions
  - key usage
  - certificate policies
  - subject/issuer alternate names
  - path constraints
  - criticality bits

3.3 Revocation or Compromised Key

Is the assertion of the certificate ("Public Key is Alice's PK") valid any more? Whose decision is it to revoke a certificate? Revocation is hard to do. It is much easier to have certificates expire. A good method is to use short validity periods.

Certificate Revocation Lists (CRLs)

CRLs provide a listing of serial numbers of revoked certificates. For example, if Alice's laptop were stolen and her secret key compromised, we would want her certificate to be revoked. CRLs could also include the reasons why certificates were revoked. A consideration with CRLs is how frequently they should be updated (daily? weekly? monthly?). Another option
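The certificate chain, relying-party check and CRL lookup described in these notes, as an added Go example built only on the standard library's crypto/x509 (this is not code from the course notes). It assumes the names root, ibm-sales and John Smith from the path above, a 24-hour validity period standing in for the "short validity period" the notes recommend, and ECDSA P-256 keys in place of the RSA keys the notes list; serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs {cn, PK}_CA with the CA's key (self-signed when ca is nil) and gives it a short validity period.
func issue(cn string, isCA bool, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), IsCA: isCA, BasicConstraintsValid: true,
		Subject:   pkix.Name{Country: []string{"us"}, Organization: []string{"ibm"}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if ca == nil {
		ca, caKey = t, key // the root CA signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}
func Verify(leaf, inter, root *x509.Certificate, now time.Time) error { // Bob, the relying party
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)   // the only PK Bob knows and trusts
	inters.AddCert(inter) // ibm-sales, presented along with John's certificate
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now}) // signatures + validity periods on the path
	return err
}
func IsRevoked(cert, ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) bool { // CA lists serial (e.g. a stolen laptop's key) on its CRL
	der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour), // daily refresh; a creation error surfaces at parse below
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: time.Now()}}}, ca, caKey)
	crl, err := x509.ParseRevocationList(der)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		panic("CRL is not authentic") // a CRL not signed by the issuing CA must not be trusted
	}
	for _, e := range crl.RevokedCertificates { // relying party looks for the certificate's serial number
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}
```

Checking the chain at a time 48 hours out makes Verify fail with an expiry error even though nothing was revoked, which is the effect the notes get from short validity periods.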