HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI)

Public Key Infrastructure (X509 PKI)

Trusted E-Services Laboratory - HP Labs - Bristol

Marco Casassa Mont

Dec 18, 2015

Transcript
Page 1

Public Key Infrastructure (X509 PKI)

Trusted E-Services Laboratory - HP Labs - Bristol

Marco Casassa Mont

Page 2

Outline

• Basic Problem of Confidence and Trust

• Background: Cryptography, Digital Signature, Digital Certificates

• (X509) Public Key Infrastructure (PKI)

• (X509) PKI: Trust and Legal Issues

Page 3

Confidence and Trust Issues in the Digital World

Page 4

Basic Problem

[Diagram: Alice and Bob connected across Intranet, Extranet and Internet]

Bob and Alice want to exchange data in a digital world.

There are Confidence and Trust Issues …

Page 5

Confidence and Trust Issues

• In the Identity of an Individual or Application: AUTHENTICATION

• That the information will be kept Private: CONFIDENTIALITY

• That information cannot be Manipulated: INTEGRITY

• That information cannot be Disowned: NON-REPUDIATION

[Diagram: Alice and Bob connected across Intranet, Extranet and Internet]

Page 6

Starting Point: Cryptography

Page 7

Starting Point: Cryptography

Cryptography

It is the science of making the cost of acquiring or altering data greater than the potential value gained

Cryptosystem

It is a system that provides techniques for mangling a message into an apparently unintelligible form and then recovering it from the mangled form

[Diagram: Plaintext → Encryption (Key) → Ciphertext → Decryption (Key) → Plaintext; e.g. “Hello World” → &$*£(“!273 → “Hello World”]

Page 8

Cryptographic Algorithms

All cryptosystems are based only on three Cryptographic Algorithms:

• MESSAGE DIGEST (MD2-4-5, SHA, SHA-1, …): Maps variable length plaintext into fixed length ciphertext. No key usage, computationally infeasible to recover the plaintext

• SECRET KEY (Blowfish, DES, IDEA, RC2-4-5, Triple-DES, …): Encrypt and decrypt messages by using the same Secret Key

• PUBLIC KEY (DSA, RSA, …): Encrypt and decrypt messages by using two different Keys: Public Key, Private Key (coupled together)

Page 9

Cryptographic Algorithms based on Private Key

[Diagram: Plaintext → Encryption (Private Key) → Ciphertext → Decryption (Private Key) → Plaintext]

Pros

• Efficient and fast Algorithm

• Simple model

• Provides Integrity, Confidentiality

Cons

• The same secret key must be shared by all the entities involved in the data exchange

• High risk

• It doesn’t scale (proliferation of secrets)

• No Authentication, Non-Repudiation

Page 10

Cryptographic Algorithms based on Public Key

[Diagram: Bob encrypts Plaintext with Alice’s Public Key; Alice decrypts the Ciphertext with Alice’s Private Key; Alice and Bob connected across Intranet, Extranet and Internet]

Pros

• Private key is only known by the owner: less risk

• The algorithm ensures Integrity and Confidentiality by encrypting with the Receiver’s Public key

Page 11

Cryptographic Algorithms based on Public Key

[Diagram: Bob encrypts Plaintext with Bob’s Private Key; Alice decrypts the Ciphertext with Bob’s Public Key; Alice and Bob connected across Intranet, Extranet and Internet]

Pros

• The algorithm ensures Non-Repudiation by encrypting with the Sender’s Private key

Page 12

Cryptographic Algorithms based on Public Key

Cons

• Algorithms are 100 – 1000 times slower than secret key ones. They are used in an initial phase of communication and then secret keys are generated to deal with encryption

• How are Public keys made available to the other people?

• There is still a problem of Authentication!!! Who ensures that the owner of a key pair is really the person whose real life name is “Alice”?

[Diagram: Alice and Bob connected across Intranet, Extranet and Internet]

Moving towards PKI …
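The first Cons bullet describes the hybrid construction every deployed system uses: a public key operation only at the start, to agree a secret key, and a fast secret key algorithm for the data itself. The Go program below is an added example, not code from the slides: it takes one representative of each of the three algorithm classes on the "Cryptographic Algorithms" slide (SHA-256 as the digest, AES-GCM as the secret key cipher, RSA-OAEP as the public key algorithm) and plays the exchange between Bob and Alice. The Envelope type, the function names and the "Hello World" message are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what Bob sends Alice: the session key wrapped with Alice's
// public key, plus the AES-GCM nonce and ciphertext. Constructed for this
// example; it is not a format from the slides.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal is Bob's side. A fresh 256-bit secret key encrypts the bulk data with
// AES-GCM (fast); Alice's RSA public key encrypts only that 32-byte key with
// OAEP (slow, but done once per message); SHA-256 is the digest OAEP is built on.
func Seal(receiverPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Only the holder of Alice's private key can unwrap the session key:
	// this is the Confidentiality property of the public key slide.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Open is Alice's side: unwrap the session key with her private key, then
// decrypt. GCM's authentication tag makes any modified ciphertext fail here.
func Open(receiverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key unwrap failed: wrong private key or corrupted envelope")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip runs the exchange on a constructed message and reports whether
// Alice recovered the plaintext and whether a ciphertext altered in transit
// was rejected. Results are returned rather than printed so they can be tested.
func RoundTrip() (recovered bool, tamperRejected bool, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	msg := []byte("Hello World") // constructed sample, the slide's own plaintext
	env, err := Seal(&alice.PublicKey, msg)
	if err != nil {
		return false, false, err
	}
	got, err := Open(alice, env)
	if err != nil {
		return false, false, err
	}
	recovered = string(got) == string(msg)

	// Flip one bit of the ciphertext "on the wire"; GCM must refuse it.
	env.Ciphertext[0] ^= 0x01
	_, err = Open(alice, env)
	tamperRejected = err != nil
	return recovered, tamperRejected, nil
}

func main() {
	ok, rejected, err := RoundTrip()
	fmt.Println("recovered:", ok, "tamper rejected:", rejected, "err:", err)
}
```

Note that the Integrity property comes from GCM's authentication tag, not from RSA: public key encryption alone tells Alice nothing about whether the ciphertext was altered, which is why the digest and secret key classes are still needed alongside it.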

Page 13

Digital Signature

Page 14

Digital Signature

A Digital Signature is a data item that vouches for the origin and the integrity of a Message

• The originator of a message uses a signing key (Private Key) to sign the message and sends the message and its digital signature to a recipient

• The recipient uses a verification key (Public Key) to verify the origin of the message and that it has not been tampered with while in transit

[Diagram: Alice and Bob connected across Intranet, Extranet and Internet]

Page 15

Digital Signature

[Diagram]

Signer: Message → Hash Function (Digest Algorithm) → Digest → Encryption with Private Key → Signature

Channel: Message and Signature are sent to the Receiver

Receiver: Message → Hash Function (Digest Algorithm) → Actual Digest; Signature → Decryption with Public Key → Expected Digest; the Expected Digest is compared with the Actual Digest
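The signer and receiver columns of this diagram as an added Go example (not code from the slides): SHA-256 plays the digest algorithm and RSA PKCS#1 v1.5 the private key operation, the textbook "encrypt the digest with the private key". Go's rsa.VerifyPKCS1v15 performs the receiver's "decrypt with the public key and compare with the actual digest" step internally. The sample messages, the Outcome type and the second key pair are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign is the Signer column: hash the message with the digest algorithm,
// then apply the private key to the digest to produce the Signature.
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the Receiver column: recompute the Actual Digest from the
// received message, recover the Expected Digest from the signature with the
// public key, and compare them. A mismatch means the message was altered or
// the signature was made with a different private key.
func Verify(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

// Outcome records the three cases a receiver meets. Returned, not printed,
// so the results can be checked programmatically.
type Outcome struct {
	GenuineAccepted  bool // untouched message, Bob's signature
	TamperedRejected bool // message altered in transit, Bob's signature
	WrongKeyRejected bool // same message, signed with someone else's key
}

// Demo runs the signer/receiver exchange on constructed messages.
func Demo() (Outcome, error) {
	var out Outcome
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // a key pair that is not Bob's
	if err != nil {
		return out, err
	}

	msg := []byte("Transfer 100 EUR to Alice") // constructed sample message
	sig, err := Sign(bob, msg)
	if err != nil {
		return out, err
	}
	out.GenuineAccepted = Verify(&bob.PublicKey, msg, sig)

	// Integrity: one changed digit changes the digest, so the signature no longer matches.
	tampered := []byte("Transfer 900 EUR to Alice")
	out.TamperedRejected = !Verify(&bob.PublicKey, tampered, sig)

	// Origin: a signature from any other private key fails against Bob's public key.
	otherSig, err := Sign(other, msg)
	if err != nil {
		return out, err
	}
	out.WrongKeyRejected = !Verify(&bob.PublicKey, msg, otherSig)
	return out, nil
}

func main() {
	out, err := Demo()
	fmt.Printf("%+v err=%v\n", out, err)
}
```

The third case is exactly the gap the next slide raises: Verify proves that the signer holds the private key matching the public key Alice used, but nothing yet tells her that this public key belongs to the person who calls himself Bob.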

Page 16

Digital Signature

There is still a problem linked to the “Real Identity” of the Signer.

Why should I trust what the Sender claims to be?

Moving towards PKI …

Page 17

Digital Certificate

Page 18

Digital Certificate

A Digital Certificate is a binding between an entity’s Public Key and one or more Attributes relating to its Identity.

• The entity can be a Person, a Hardware Component, a Service, etc.

• A Digital Certificate is issued (and signed) by someone

• A self-signed certificate usually is not very trustworthy

- Usually the issuer is a Trusted Third Party

Page 19

Digital Certificate

[Diagram: CERTIFICATE containing Issuer, Subject, Subject Public Key, Issuer Digital Signature]

Page 20

Digital Certificate

Problems

• How are Digital Certificates Issued?

• Who is issuing them?

• Why should I Trust the Certificate Issuer?

• How can I check if a Certificate is valid?

• How can I revoke a Certificate?

• Who is revoking Certificates?

Moving towards PKI …

Page 21

Public Key Infrastructure (PKI)

Page 22

Public Key Infrastructure (PKI)

A Public Key Infrastructure is an Infrastructure to support and manage Public Key-based Digital Certificates

Page 23

Public Key Infrastructure (PKI)

“A PKI is a set of agreed-upon standards, Certification Authorities (CA), structure between multiple CAs, methods to discover and validate Certification Paths, Operational Protocols, Management Protocols, Interoperable Tools and supporting Legislation”

“Digital Certificates” book – Jalal Feghhi, Jalil Feghhi, Peter Williams

Page 24

Public Key Infrastructure (PKI)

Focus on:

• X509 PKI

• X509 Digital Certificates

Standards defined by IETF, PKIX WG: http://www.ietf.org/

… even if X509 is not the only approach (e.g. SPKI)

Page 25

X509 PKI – Technical View

Basic Components:

• Certificate Authority (CA) (“Provider” Side)

• Registration Authority (RA) (“Provider” Side)

• Certificate Distribution System (“Provider” Side)

• PKI enabled applications (“Consumer” Side)

Page 26

X509 PKI – Simple Model

[Diagram: a Certification Entity (CA and RA) receives a Cert. Request and returns a Signed Certificate; Certs and CRLs are published to a Directory; Application, Service, Remote Person and Local Person reach the Directory over the Internet]

Page 27

X509 PKI – Certificate Authority (CA)

Basic Tasks:

• Key Generation

• Digital Certificate Generation

• Certificate Issuance and Distribution

• Revocation

• Key Backup and Recovery System

• Cross-Certification

Page 28

X509 PKI – Registration Authority (RA)

Basic Tasks:

• Registration of Certificate Information

• Face-to-Face Registration

• Remote Registration

• Automatic Registration

• Revocation

Page 29

X509 PKI – Certificate Distribution System

Provide Repository for:

• Digital Certificates

• Certificate Revocation Lists (CRLs)

Typically:

• Special Purposes Databases

• LDAP directories

Page 30

Certificate Revocation List

[Diagram: a Certificate Revocation List]

Revoked Certificates remain in CRL until they expire

Page 31

Certificate Revocation List (CRL)

• CRLs are published by CAs at well defined intervals of time

• It is a responsibility of “Users” of certificates to “download” a CRL and verify if a certificate has been revoked

• User applications must deal with the revocation processes

Page 32

Online Certificate Status Protocol (OCSP)

• An alternative to CRLs

• IETF/PKIX standard for a real-time check if a certificate has been revoked/suspended

• Requires a high availability OCSP Server

Page 33

CRL vs OCSP Server

[Diagram, CRL: the CA publishes the CRL to a Directory; the User downloads the CRL]

[Diagram, OCSP: the CA publishes the CRL to a Directory; the OCSP Server downloads the CRL; the User sends the Certificate IDs to be checked to the OCSP Server and receives an answer about the Certificate States]

Page 34

X509 PKI – PKI-enabled Applications

Functionality Required:

• Cryptographic functionality

• Secure storage of Personal Information

• Digital Certificate Handling

• Directory Access

• Communication Facilities

Page 35

X509 PKI – Trust and Legal Issues

Page 36

X509 PKI – Trust and Legal Issues

• Why should I Trust a CA?

• How can I determine the liability of a CA?

Page 37

X509 PKI – Approaches to Trust and Legal Aspects

• Why should I Trust a CA? → Certificate Hierarchies, Cross-Certification

• How can I determine the liability of a CA? → Certificate Policies (CP) and Certificate Policy Statement (CPS)

Page 38

X509 PKI – Approach to Trust

Certificate Hierarchies and Cross-Certification

Page 39

Try to reflect Real world Trust Models

[Diagram: CA Technology Evolution, from a single CA with its RA, to a CA with RA and LRA, to several CAs with their RAs sharing Directory Services over the Internet]

Page 40

Simple Certificate Hierarchy

[Diagram: Root CA → Sub-CAs → End Entities]

Each entity has its own certificate (and may have more than one). The root CA’s certificate is self signed and each sub-CA is signed by its parent CA.

Each CA may also issue CRLs. In particular the lowest level CAs issue CRLs frequently.

End entities need to “find” a certificate path to a CA that they trust.

Page 41

Simple Certificate Path

[Diagram: Alice and Bob under a Trusted Root]

Alice trusts the root CA

Bob sends a message to Alice

Alice needs Bob’s certificate, the certificate of the CA that signed Bob’s certificate, and so on up to the root CA’s self signed certificate.

Alice also needs each CRL for each CA.

Only then can Alice verify that Bob’s certificate is valid and trusted and so verify Bob’s signature.

Page 42

Cross-Certification and Multiple Hierarchies

[Diagram, three cases]

1. Multiple Roots

2. Simple cross-certificate

3. Complex cross-certificate

Page 43

X509 PKI – Approach to Trust: Problems

Things are getting more and more complex if Hierarchies and Cross-Certifications are used

Page 44

Cross-Certification and Path Discovery

[Diagram: two Trusted Roots, cross-certified (case 3)]

Page 45

X509 PKI – Approach to Legal Aspects

Certificate Policy and Certificate Practice Statement

Page 46: HP Laboratories, Bristol, UK Public Key Infrastructure (PKI) Public Key Infrastructure (X509 PKI) Trusted E-Services Laboratory - HP Labs - Bristol Marco.

HP Laboratories, Bristol, UKHP Laboratories, Bristol, UKPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI)

Certificate Policy (CP)Certificate Policy (CP)• A document that sets out the rights, duties and A document that sets out the rights, duties and obligations of each party in a Public Key obligations of each party in a Public Key InfrastructureInfrastructure

• The Certificate Policy (CP) is a document which The Certificate Policy (CP) is a document which

usually has legal effectusually has legal effect

• A CP is usually publicly exposed by CAs, forA CP is usually publicly exposed by CAs, for

example on a Web Site (VeriSign, etc.)example on a Web Site (VeriSign, etc.)

Page 47

Certificate Policy (CP)

(Diagram: the sections surrounding a CP)

• Policy Outline

• Community & Applicability

• Rights, Liabilities & Obligations

• Operational Requirements

• Certificate & CRL Profiles

• Identification & Authentication

• Technical Security Controls

Page 48

Policy Issues (CP)

• Liability Issues

• Repository Access Controls

• Confidentiality Requirements

• Registration Procedures
  - Uniqueness of Names
  - Authentication of Users/Organisations

• Suspension and Revocation (Online/CRL)

• Physical Security Controls

• Certificate Acceptance

Page 49

Certificate Practice Statement (CPS)

• A document that sets out what happens in practice in a PKI to support the policy statements made in the CP

• The Certificate Practice Statement (CPS) is a document which may have legal effect in limited circumstances

Page 50

Certificate Practice Statement (CPS)

(Diagram: the sections surrounding a CPS)

• Introduction

• General Provisions

• Identification & Authentication

• Operational Requirements

• Physical, Procedural & Personnel Security Controls

• Technical Security Controls

• Certificate & CRL Profiles

• Specification Administration

Page 51

IETF (PKIX) Standards

• X.509 Certificate and CRL Profiles

• PKI Management Protocols

• Certificate Request Formats

• CP/CPS Framework

• LDAP, OCSP, etc.

http://www.ietf.org/

Page 52

Identity is Not Enough: Attribute Certificates

IETF (PKIX WG) is also defining standards for Attribute Certificates (ACs):

• Visa Card (Attribute) vs. Passport (Identity)

• Attribute Certificates specify Attributes associated with an Identity

• Attribute Certificates don't contain a Public key but a link to an Identity Certificate