Public-Key Infrastructure
Haipeng Dai
haipengdai@nju.edu.cn
313 CS Building
Department of Computer Science and Technology
Nanjing University

Public Key Infrastructure
In public key cryptography, we have assumed that everyone knows everyone else’s public key. However, this is not easy to achieve.
  ─ How does Alice know that the public key she received is really Bob’s public key?
A public key infrastructure (PKI) consists of all the components necessary to securely distribute public keys.
Basic idea: use certificates to distribute public keys. We need
  ─ Entities for creating certificates
  ─ Methods for evaluating certificates
  ─ Methods for revoking certificates
CSE825

Distribution of Public Keys
Original paper on public-key cryptography proposed the use of a Public File: Public-key white pages
Public-key certificate
  ─ Signed statement specifying the key and identity
    ● “Bob”, PK_B, sig_authority(MD(“Bob”, PK_B))
Basic idea: Authenticity of many public keys is reduced to the authenticity of one key (the public key of the authority).
Who is the authority that you trust?

PKI Trust Models 1: Monopoly Model
The world has only one CA trusted by everyone in the world.
  ─ The public key of this CA is embedded in all software and hardware as the PKI trust anchor.
Loren Kohnfelder, BS thesis, MIT, 1978
  ─ Offline CA signs (name + key) to bind the two in a certificate
  ─ Online directory distributes certificates
OSI proposed in X.500 a global directory run by monopoly telecommunication companies
  ─ Hierarchical database (or data organization, or both)
  ─ The path through the directory/database to keys is defined by a series of Relative Distinguished Names (RDNs)
  ─ The collection of RDNs forms a Distinguished Name (DN)
  ─ The data being looked up is found at the end of the RDN path

Hierarchical Directory Structure
[Figure: directory tree of C, O, OU and CN nodes; labelled nodes: NJU, CS, Alex Liu, PKLIU]
C: Country, O: Organization, OU: Organization Unit, CN: Common Name

Problems of the Monopoly Model
There is no such universally trusted organization.
It is infeasible to change that CA’s public key if it is compromised.
  ─ All software and hardware are preconfigured with the CA’s public key
Difficult to certify.
  ─ How can the CA certify your identity? Just because you paid?
Single point of failure.
  ─ What if that CA has a corrupt employee?
The world CA will charge a monopoly price for certification.
Concerns about the use of a world directory
  ─ Companies don’t like making their internal structure public
    ● Directory for corporate headhunters
  ─ Privacy concerns
    ● Directory of single women
    ● Directory of teenage children

PKI Trust Model 2: Monopoly + Registration Authorities (RAs)
Same as the monopoly model, except that the world CA uses other organizations to certify the identities of users.
Getting certified becomes easier.
All other drawbacks of the monopoly model still apply.

PKI Trust Model 3: Monopoly + Delegated CAs
Similar to model 2 except that it uses CAs instead of RAs
Has a hierarchical structure: root certificate authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual users, and so on.
User sees a chain of certificates, instead of one certificate
  ─ “NJU”, PK_NJU, sig_Verisign(“NJU”, PK_NJU), “Alex Liu”, PK_LIU, sig_NJU(“Alex Liu”, PK_LIU)

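The certificate format from the "Distribution of Public Keys" slide and the two-certificate chain from Model 3, as an added example that is not part of the original slides. Toy textbook RSA with constructed small keys stands in for the CA's signature scheme and SHA-256 plays the role of MD; all function and variable names are assumptions.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy textbook-RSA key pair from two primes (constructed, not secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"pub": (n, e), "d": pow(e, -1, phi)}

def digest(name, pub, n):
    """MD(name, PK): SHA-256 over identity and key, reduced mod the signer's n."""
    data = f"{name}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(issuer, issuer_key, name, pub):
    """Certificate = name, PK, sig_issuer(MD(name, PK))."""
    n, _ = issuer_key["pub"]
    sig = pow(digest(name, pub, n), issuer_key["d"], n)
    return {"name": name, "pub": pub, "issuer": issuer, "sig": sig}

def verify_chain(chain, anchors):
    """Walk the chain from a trust anchor; return the leaf's public key or None."""
    if not chain or chain[0]["issuer"] not in anchors:
        return None                      # no path to a key we already trust
    signer, signer_pub = chain[0]["issuer"], anchors[chain[0]["issuer"]]
    for cert in chain:
        n, e = signer_pub
        if cert["issuer"] != signer:
            return None                  # chain is not linked issuer-to-subject
        if pow(cert["sig"], e, n) != digest(cert["name"], cert["pub"], n):
            return None                  # signature does not cover this name and key
        signer, signer_pub = cert["name"], cert["pub"]
    return chain[-1]["pub"]

# Constructed sample data: Mersenne primes used as toy RSA factors.
VERISIGN = make_key(2**89 - 1, 2**107 - 1)   # root CA, the only trust anchor
NJU = make_key(2**61 - 1, 2**127 - 1)        # delegated CA
LIU = make_key(2**17 - 1, 2**19 - 1)         # end user
MALLORY = make_key(2**13 - 1, 2**31 - 1)     # key the anchor never certified

ANCHORS = {"Verisign": VERISIGN["pub"]}
CHAIN = [issue("Verisign", VERISIGN, "NJU", NJU["pub"]),
         issue("NJU", NJU, "Alex Liu", LIU["pub"])]

if __name__ == "__main__":
    print("chain accepted:", verify_chain(CHAIN, ANCHORS) == LIU["pub"])
```

Only the root's public key is configured in advance; every other key is accepted because a signature chain leads back to it, which is the reduction of many keys' authenticity to one key that the slide describes.
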
PKI Trust Model 4: Oligarchy – multiple CAs for the world
The world trusts multiple CAs. This is the model used today for web browsers.
Web browsers today come shipped with the public keys of about 80 CAs.
Problems:
  ─ The compromise of any one of the trust anchor organizations puts the security of the world at risk.
  ─ The trust anchor organizations are trusted by the vendor, not by the user.
  ─ It is easy to trick a naïve user into adding a bogus trust anchor to the set:
    ● Warning: This was signed by an unknown CA. Would you like to accept the certificate anyway? (OK)
    ● Would you like to always accept this certificate without being asked in the future? (OK)
    ● Would you like to always accept certificates from the CA that issued the certificate? (OK)
    ● Would you like to always accept certificates from any CA? (OK)
    ● Since you are willing to trust anyone for anything, would you like me to make random edits to the files on your hard drive without bothering you with a pop-up box? (OK)
  ─ Use of a public machine. What if the previous user added a malicious anchor?

Getting your CA key into Browsers
Total cost: half a million USD per browser
Netscape: hand me the cash and a floppy
MSIE: No special charge, but you must pass an SAS70 electronic data security audit
  ● US CPA Statement on Auditing Standards 70
  ● Lengthy (up to 6 months), expensive, and painful
  ● Infrastructure, policy, staff, and auditing costs run to half a million
CA keys are bought and sold on the secondary market
  ─ Equifax’s certificates are actually owned by Geotrust