Transcript (posted 18-Dec-2015)
Certificates, Trust & PKI
Brian A. LaMacchia, [email protected], [email protected]
Portions © 2002-2006, Brian A. LaMacchia. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.
Certificates
(February 21, 2006, Practical Aspects of Modern Cryptography)
Why do I trust the server key?
How do I know I'm really talking to Amazon.com?
What defeats a man-in-the-middle attack?
[Diagram: Client and Web Server speaking HTTP with SSL/TLS, with Mallet, the man in the middle, sitting between them]

SSL/TLS
You (client) to Merchant (server): Let's talk securely. Here are the protocols and ciphers I understand.
Merchant (server): I choose this protocol and ciphers. Here is my public key and some other stuff that will make you trust this key is mine.
You (client): Here is a fresh key encrypted with your key.

What's the "some other stuff"?
How can we convince Alice that some key belongs to Bob?
Alice and Bob could have met previously & exchanged keys directly.
  Jeff Bezos isn't going to shake hands with everyone he'd like to sell to...
Someone Alice trusts could vouch to her for Bob and Bob's key.
  A third party can certify Bob's key in a way that convinces Alice.

What is a certificate?
A certificate is a digitally-signed statement that binds a public key to some identifying information.
The signer of the certificate is called its issuer.
The entity talked about in the certificate is the subject of the certificate.
That's all a certificate is, at the 30,000' level.

Certificates are Like Marriage
"By the power vested in me I now declare this text and this bit string 'name' and 'key.' What RSA has joined, let no man put asunder."
  --Bob Blakley

Certs in the "real world"
A driver's license is like a certificate
  It is a "signed" document (sealed, tamper-resistant)
  It is created and signed by an "issuing authority" (the WA Dept. of Licensing)
  It binds together various pieces of identifying information: name, license number, driving restrictions (must wear glasses, etc.)

More certs in the real world
Many physical objects are like certificates:
  Any type of license: vehicle tabs, restaurant liquor license, amateur radio license, etc.
  Government-issued IDs (passports, green cards)
  Membership cards (e.g. Costco, discount cards)
All of these examples bind an identity and certain rights, privileges or other identifiers
  "BAL == N1TJT" signed FCC

Why do we believe what certs say?
In the physical world, why do we trust the statements contained on a physical cert?
  We believe it's hard to forge the cert
  We trust the entity that "signed" the cert
In the digital world we need those same two properties
  We need to believe it's hard to forge the digital signature on a signed document
  We need to trust the issuer/signer not to lie to us

Defeating Mallet
Bob can convince Alice that his key really does belong to him if he can also send along a digital certificate Alice will believe & trust
Alice to Bob: Let's talk securely. Here are the protocols and ciphers I understand.
Bob to Alice: I choose this protocol and ciphers. Here is my public key and a certificate to convince you that the key really belongs to me. [Cert]

Getting a certificate
How does Bob get a certificate for his key?
He goes to a Certificate Authority (CA) that issues certificates and asks for one...
The CA issues Bob a certificate for his public key.
  CA is the issuer
  Bob is the subject

Using Certificates
Now that Bob has a certificate, is it useful?
Alice will believe Bob's key belongs to Bob if Alice believes the certificate Bob gives her for his key.
Alice will believe Bob's key belongs to Bob if Alice trusts the issuer of Bob's certificate to make key-name binding statements.
Have we made the situation any better?

Does Alice Trust Bob's CA?
How can we convince Alice to trust Bob's CA?
Alice and Bob's CA could have met previously & exchanged keys directly.
  Bob's CA isn't going to shake hands with everyone he's certified, let alone everyone whom Bob wants to talk to.
Someone Alice trusts could vouch to her for Bob's CA and Bob's CA's key
  Infinite Loop: See Loop, Infinite.
  Actually, it's just a bounded recursion...

What's Alice's Trust Model?
Alice has to implicitly trust some set of keys
Once she does that, those keys can introduce others to her.
In the model used by SSL/TLS, CAs are arranged in a hierarchy
  Alice, and everyone else, trusts one or more "root CAs" that live at the top of the tree
Other models work differently

Public Key Infrastructure

Certificate Authorities
A certificate authority (CA) guarantees the connection between a key and another CA or an "end entity."
An end entity is:
  A person
  A role ("VP of sales")
  An organization
  A pseudonym
  A piece of hardware or software
  An account
Some CAs only allow a subset of these types.

CA Hierarchies
CAs can certify other CAs or "end entities"
Certificates are links in a tree of EEs & CAs
[Diagram: a Root CA at the top of the tree certifies CAs, which in turn certify further CAs and EEs]

BAL's No-Frills Certs
Certificates can contain all sorts of information inside them
  We'll talk about the details in a little bit
In the abstract, though, they're just statements by an issuer about a subject:
[Diagram: a certificate drawn as a box labelled Issuer above a box labelled Subject]

Does Alice trust Bob's Key?
Alice trusts Bob's key if there is a chain of certificates from Bob's key to a root CA that Alice implicitly trusts
[Diagram: a chain running EE to CA to Root CA, with several other Root CAs shown alongside]

Chain Building & Validation
"Given an end-entity certificate, does there exist a cryptographically valid chain of certificates linking it to a trusted root certificate?"
[Diagram: the same EE, CA and Root CA chain as on the previous slide]

Chaining Certificates
In theory, building chains of certificates should be easy
  "Just link them together like dominos"
In practice, it's a lot more complicated...

Chain Building Details (1)
[Diagram: a single Root CA certifies CA1 and CA2, which issue end-entity certificates EE1, EE2 and EE3; each EE's chain is drawn running up through its CA to the Root CA]

Chain Building Details (2)
[Diagram: two separate hierarchies, RootCA1 over CA1 and RootCA2 over CA2, with end entities EE1, EE2 and EE3]

Chain Building Details (3)
[Diagram: the two hierarchies from the previous slide, RootCA1/CA1 and RootCA2/CA2 with EE1, EE2 and EE3, now joined by a Bridge CA cross-certified with both roots; the slide is built up over several animation steps]

Chaining Certificates
How do we determine whether two certificates chain together?
You'd think this was an easy problem...
But it's actually a question with religious significance in the security community
  "Are you a believer in names, or in keys?"
In order to understand the schism, we need to digress for a bit and talk about names and some history

PKI Alphabet Soup
X.509v3 - standard content of a certificate
PKIX - IETF Working Group on PKI interoperability
  PKIX == Public Key Infrastructure using X.509v3 certificates
ASN.1 - Abstract Syntax Notation, exact description of a certificate format
DER - Distinguished Encoding Rules, how to physically package a certificate

The X.500 Directory Model
The model SSL/TLS uses, the X.509 certificate model, is based on names
  Names as principals
Specifically, X.509 is based on the X.500 directory model
X.500 defined a global, all-encompassing directory, to be run by the telcos
  One directory to rule them all, one directory to define them...

X.500 Distinguished Names
In the X.500 model, everything has a single, unique, global, assigned name
There is a worldwide hierarchy, and you're in it!
[Diagram: the naming tree. Country C=US; beneath it State or Province SP=OR, SP=WA and SP=CA; beneath SP=WA the Localities L=Redmond and L=Seattle; beneath L=Redmond the Organization O=Microsoft, and beneath L=Seattle O=Univ. of Washington]

DNs in Practice
Name is unique within the scope of the CA's name
Public CAs (e.g. Verisign) typically set
  C = CA Country
  O = CA Name
  OU = Certificate type/class
  CN = User name
  E = email address

Private-label DNs
If you own the CA, you get to decide what fields go in the DN
  Really varies on what the software supports
Can get really strange as people try to guess values for fields that are required by software
  Software requires an OU, we don't have OUs, so I better make something up!

DNs in X.509 Certificates
The X.509 certificate standard began as a way to associate a certificate with a node in the directory.
How is the subject of a cert identified? By its DN.
How is the issuer of a cert identified? By its DN.
How are certificates linked together? By DNs.

Key fields in a certificate
The core fields of an X.509 certificate are
  The subject public key
  The subject Distinguished Name
  The issuer Distinguished Name
What's missing here?
  The issuer's public key is not present in the certificate.
  You can't verify the signature on the cert without finding a parent cert!

Back to Chain Building
OK, assume we're a "relying party application" -- something that received an end-entity certificate and wants to verify it.
Our task is to build a cert chain from that end-entity cert to one of our trusted roots
How do we do that?
  We start with our EE cert, and using the information contained within we look for possible parent certificates.

Parent certs
What's a valid parent certificate?
In the raw X.509 model, parent-child relationships are determined solely by matching Issuer DN in the child to Subject DN in the parent
Recall that there's an assumption that you have a big directory handy to find certs.
If you don't have a directory handy, you need to do the matching yourself
  This is not as easy as you might think...

Name matching
[Diagram: two certificates side by side, each with an Issuer Name and a Subject Name; the child's Issuer Name is matched against the parent's Subject Name]

Matching Names
How do we determine if two DNs match?
  "Use directory name matching rules!"
Try to be mildly smart about it
  Remove spaces, case-fold, etc.
  Disaster...
Try to be really dumb about it
  Exact binary match
  Less of a disaster, but there are still problems we can't work around...

Unicode Names
Are these two characters equal?
  é   é
They look equal...
...but may not be
In Unicode, you can compose characters, so:
  "é" as one character
  "é" as two characters - "e" followed by a non-spacing accent
  "é" as two characters - a non-spacing accent followed by "e"
Ick!

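The three matching rules from the two slides above, written out as an added Python example (this is not code from the talk). DNs are modelled as ordered (attribute, value) pairs; the CA names and the "Café CA" spellings are constructed for illustration. The third Unicode form, accent before the "e", is the slide's own case of a string that no normalization rescues.

```python
import unicodedata

# A Distinguished Name as an ordered sequence of (attribute type, value) RDNs.
# All names below are constructed for this example; they are not real CAs.

def dn_exact(a, b):
    """The 'really dumb' rule: identical, code point for code point.  A binary
    comparison of two DER-encoded names behaves this way, provided both CAs
    encoded the name with the same string types (which RFC 5280 expects)."""
    return tuple(a) == tuple(b)

def dn_sloppy(a, b):
    """The 'mildly smart' rule: strip whitespace and case-fold, then compare.
    Included to show the failure mode, not as a recommendation."""
    norm = lambda dn: tuple((t.upper(), "".join(v.split()).casefold()) for t, v in dn)
    return norm(a) == norm(b)

def dn_nfc(a, b):
    """Exact match after Unicode NFC normalisation.  Composed and canonically
    decomposed spellings of one character become equal; nothing else does."""
    norm = lambda dn: tuple((t, unicodedata.normalize("NFC", v)) for t, v in dn)
    return norm(a) == norm(b)

def find_parents(child_issuer, subjects, match):
    """Candidate parents: every subject DN that `match` says equals the child's issuer DN."""
    return [s for s in subjects if match(child_issuer, s)]

# Constructed: the issuer DN carried in a child cert, and three subject DNs found
# in the store.  Only the first is the real parent; the others are look-alikes.
ISSUER = (("C", "US"), ("O", "Example CA"), ("CN", "Example Issuing CA 1"))
SUBJECTS = [
    (("C", "US"), ("O", "Example CA"), ("CN", "Example Issuing CA 1")),
    (("C", "US"), ("O", "ExampleCA"), ("CN", "example issuing ca 1")),    # spacing and case differ
    (("C", "US"), ("O", "Example CA"), ("CN", "Example Issuing CA 1 ")),  # trailing space
]

# Constructed: the slide's three spellings of "é" inside an organisation name.
DN_COMPOSED   = (("O", "Caf\u00e9 CA"),)     # U+00E9, one code point
DN_DECOMPOSED = (("O", "Cafe\u0301 CA"),)    # "e" then combining acute accent
DN_REVERSED   = (("O", "Caf\u0301e CA"),)    # combining accent, then "e"

def summary():
    """How many store entries each rule accepts as the parent of ISSUER."""
    return {rule.__name__: len(find_parents(ISSUER, SUBJECTS, rule))
            for rule in (dn_exact, dn_sloppy, dn_nfc)}

if __name__ == "__main__":
    print(summary())
    print("composed vs decomposed, exact:", dn_exact(DN_COMPOSED, DN_DECOMPOSED))
    print("composed vs decomposed, NFC:  ", dn_nfc(DN_COMPOSED, DN_DECOMPOSED))
    print("composed vs reversed,   NFC:  ", dn_nfc(DN_COMPOSED, DN_REVERSED))
```

The sloppy rule accepts all three store entries, so the builder would try (and possibly trust) the wrong parent; case-folding also merges names such as "Straße" and "STRASSE". Exact matching accepts only the real parent but cannot tell the composed and decomposed "é" apart, which is why the usual compromise is exact comparison after a fixed normalization, and why RFC 5280 asks CAs to encode a given name identically in every certificate they issue.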
Even More Chain Building
Name matching is just the beginning of the chain-building process
It is necessary that subject and issuer DNs exactly match for two certs to chain, but not always sufficient
The chain building process is also influenced dynamically by other information contained within the certs themselves
  What other information is there in certs?

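What that "other information" does during chain building, as an added Python example (not code from the talk). It recreates the bridge-CA picture from the Chain Building Details slides with a constructed store of certificates, then searches for a chain the way a relying party has to: match the child's issuer DN against candidate subject DNs, verify the child's signature with each candidate's public key (which, as the Key fields slide noted, the child itself does not carry), honour the basicConstraints cA flag and pathLenConstraint, and backtrack across cross-certificates without looping. The RSA is textbook RSA with tiny hand-picked primes so the block runs offline on the standard library; it is an illustration, not a usable signature scheme, and every CA and end-entity name here is made up.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# ---- Toy RSA (illustration only; tiny primes, trivially breakable) ----------
# It exists so that "check the child's signature with the PARENT's public key"
# is a real computation rather than a comment.
def make_key(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))              # (public, private)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

# ---- A no-frills certificate -----------------------------------------------
@dataclass(frozen=True)
class Cert:
    subject: str              # subject DN (plain string; exact match only)
    issuer: str               # issuer DN
    pub: tuple                # subject public key
    ca: bool                  # basicConstraints.cA
    path_len: Optional[int]   # basicConstraints.pathLenConstraint (None = no limit)
    sig: int = 0              # issuer's signature over tbs()

    def tbs(self):
        # Everything the issuer vouches for.  The issuer's OWN key is absent:
        # the relying party must find a parent certificate to obtain it.
        return f"{self.subject}|{self.issuer}|{self.pub}|{self.ca}|{self.path_len}".encode()

def issue(issuer, issuer_priv, subject, subject_pub, ca=False, path_len=None):
    tbs = Cert(subject, issuer, subject_pub, ca, path_len).tbs()
    return Cert(subject, issuer, subject_pub, ca, path_len, sign(issuer_priv, tbs))

# ---- Chain building --------------------------------------------------------
def build_chain(ee, store, trusted):
    """Depth-first search from `ee` up to a (subject, public key) pair in
    `trusted`, using every certificate in `store` as a candidate parent."""
    def walk(cert, chain):
        # Raw X.509 parent rule: parent.subject == child.issuer.  Several certs
        # may share a subject (cross-certification), so this is a search.
        for parent in (p for p in store if p.subject == cert.issuer):
            if parent in chain:                               # cross-certs form cycles
                continue
            if not verify(parent.pub, cert.tbs(), cert.sig):  # name matched, key did not
                continue
            if not parent.ca:                                 # end entities cannot issue
                continue
            cas_below = sum(1 for c in chain[1:] if c.subject != c.issuer)
            if parent.path_len is not None and cas_below > parent.path_len:
                continue                                      # pathLenConstraint exceeded
            if (parent.subject, parent.pub) in trusted:
                return chain + [parent]
            found = walk(parent, chain + [parent])
            if found:
                return found
        return None
    return walk(ee, [ee])

# ---- Constructed scenario: the bridge-CA picture from the slides -----------
KEYS = {name: make_key(p, q) for name, (p, q) in {
    "RootCA1": (61, 53), "RootCA2": (101, 107), "BridgeCA": (109, 113),
    "CA1": (127, 131), "CA2": (149, 151), "EE1": (157, 163),
    "EE2": (167, 173), "Mallet": (179, 181)}.items()}
def pub(name): return KEYS[name][0]
def priv(name): return KEYS[name][1]

STORE = [
    issue("RootCA1", priv("RootCA1"), "RootCA1", pub("RootCA1"), ca=True),
    issue("RootCA2", priv("RootCA2"), "RootCA2", pub("RootCA2"), ca=True),
    issue("RootCA1", priv("RootCA1"), "CA1", pub("CA1"), ca=True, path_len=0),
    issue("CA1", priv("CA1"), "EE1", pub("EE1")),
    issue("RootCA2", priv("RootCA2"), "CA2", pub("CA2"), ca=True, path_len=0),   # dead end for Alice
    issue("BridgeCA", priv("BridgeCA"), "CA2", pub("CA2"), ca=True, path_len=0), # cross-cert
    issue("CA2", priv("CA2"), "EE2", pub("EE2")),
    issue("RootCA1", priv("RootCA1"), "BridgeCA", pub("BridgeCA"), ca=True, path_len=1),
    issue("RootCA2", priv("RootCA2"), "BridgeCA", pub("BridgeCA"), ca=True, path_len=1),
    issue("BridgeCA", priv("BridgeCA"), "RootCA1", pub("RootCA1"), ca=True),
    issue("BridgeCA", priv("BridgeCA"), "RootCA2", pub("RootCA2"), ca=True),
]
EE1, EE2 = STORE[3], STORE[6]
# Two certs a careless builder would accept: one "issued" by EE1, which is not
# a CA, and one whose issuer NAME is CA1 but which Mallet signed with his own key.
MALLET_VIA_EE1 = issue("EE1", priv("EE1"), "Mallet", pub("Mallet"))
MALLET_AS_CA1 = issue("CA1", priv("Mallet"), "Mallet", pub("Mallet"))
ALICE_TRUSTS = {("RootCA1", pub("RootCA1"))}        # Alice's only root

def chain_names(ee):
    chain = build_chain(ee, STORE, ALICE_TRUSTS)
    return [c.subject for c in chain] if chain else None

if __name__ == "__main__":
    for label, cert in [("EE1", EE1), ("EE2", EE2), ("via EE1", MALLET_VIA_EE1), ("as CA1", MALLET_AS_CA1)]:
        print(f"{label:8} -> {chain_names(cert)}")
```

For EE2 the search first follows the CA2 certificate issued by RootCA2, reaches a root Alice does not trust, fails to get back to RootCA1 within the bridge's path-length limit, and only then backtracks to the cross-certificate CA2 holds from the Bridge CA, ending at RootCA1. The two Mallet certificates fail for different reasons: the first has a parent whose certificate lacks the cA flag, the second has a parent whose name matches but whose key does not verify the signature.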
Trusted Root Certificates
Who do I trust to be roots at the top of the cert chain?
In theory, "anyone you want"
In practice, trusted roots come from two sources
  They're baked into your web browser or operating system
  They're pushed onto your "enterprise managed desktop"
[Screenshot: a trusted root certificate store]

Certificate Extensions

Exploring inside an X.509 Cert
[Screenshots: three slides stepping through the fields of an X.509 certificate in a certificate viewer]

Inside an X.509v3 Certificate
  Version
  Serial Number
  Signing Algorithm
  Issuer Distinguished Name
  Validity Period
  Subject Distinguished Name
  Subject Public Key
  Extensions: Extension 1, Extension 2, ..., Extension n

Certificate Extensions
An extension consists of three things:
  A "critical" flag (boolean)
  A type identifier
  A value
Format of the value depends on the type identifier

Certificate Extensions
[Diagram: the Extensions block of a certificate, each entry carrying its own Critical? flag]
  Key Usage
  Subject Key ID
  Authority Key ID
  CRL Distribution Points
  Authority Info Access
  Extended Key Usage
  Subject Alt Name
  Certificate Policies
  Proprietary Extension 1 ... Proprietary Extension n

Critical Flags
The "critical flag" on an extension is used to protect the issuing CA from assumptions made by software that doesn't understand (implement support for) a particular extension
  If the flag is set, relying parties must process the extension if they recognize it, or reject the certificate
  If the flag is not set, the extension may be ignored

Critical Flags (2)
Some questions you might be asking yourself right now...
  What does "must process the extension if they recognize it" mean?
  What does "recognize" mean?
  What does "process" mean?
You've got me....
  The IETF standards folks didn't know either...

Critical Flags (3)
Actual definitions of flag usage are vague:
  X.509: Non-critical extension "is an advisory field and does not imply that usage of the key is restricted to the purpose indicated"
  PKIX: "CAs are required to support constraint extensions" but "support" is never defined.
  S/MIME: Implementations should "correctly handle" certain extensions
  Verisign: "All persons shall process the extension...or else ignore the extension"

Types of Extensions
There are two flavors of extensions
  Usage/informational extensions, which provide additional info about the subject of the certificate
  Constraint extensions, which place restrictions on one or more of:
    Use of the certificate
    The user of the certificate
    The keys associated with the certificate

Some common extensions
Key Usage
  digitalSignature: "Sign things that don't look like certs"
  keyEncipherment: Exchange encrypted session keys
  keyAgreement: Diffie-Hellman
  keyCertSign/cRLSign: "Sign things that look like certs"
  nonRepudiation

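The extension structure from the Certificate Extensions and Critical Flags slides, together with the Key Usage bits just above, as an added Python example (not from the original talk): a minimal DER encoder and decoder for the Extensions SEQUENCE, decoders for KeyUsage and BasicConstraints, and the critical-flag rule applied to two constructed extension lists. The OID 1.2.3.4.5 is hypothetical and stands in for a vendor extension the relying party does not recognize; the two real OIDs are keyUsage (2.5.29.15) and basicConstraints (2.5.29.19).

```python
# Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE,
#                          extnValue OCTET STRING }   Extensions ::= SEQUENCE OF Extension

# ---- DER encoding ----------------------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")       # long form
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                    # base-128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def der_extension(oid, value_der, critical=False):
    # DER never encodes a DEFAULT value: `critical` is present only when TRUE (0xFF).
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, der_oid(oid) + crit + tlv(0x04, value_der))

def der_key_usage(bits):
    # KeyUsage ::= BIT STRING, bit 0 = digitalSignature ... bit 8 = decipherOnly.
    # DER named-bit rule: trailing zero bits are dropped and counted as "unused".
    nbits = max(bits) + 1
    nbytes = (nbits + 7) // 8
    val = sum(1 << (nbytes * 8 - 1 - b) for b in bits)
    return tlv(0x03, bytes([nbytes * 8 - nbits]) + val.to_bytes(nbytes, "big"))

def der_basic_constraints(ca, path_len=None):
    body = tlv(0x01, b"\xff") if ca else b""
    if path_len is not None:
        body += tlv(0x02, bytes([path_len]))            # small non-negative INTEGER
    return tlv(0x30, body)

# ---- DER decoding ----------------------------------------------------------
def parse_tlv(buf, pos=0):
    """(tag, value, position after the element) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_seq(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out

def oid_str(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Extensions SEQUENCE -> [(dotted OID, critical, DER of the value)]."""
    tag, body, _ = parse_tlv(der)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result = []
    for _, ext in parse_seq(body):
        parts = parse_seq(ext)                          # [OID, (BOOLEAN), OCTET STRING]
        critical = len(parts) == 3 and parts[1] == (0x01, b"\xff")
        result.append((oid_str(parts[0][1]), critical, parts[-1][1]))
    return result

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def decode_key_usage(value_der):
    _, bits, _ = parse_tlv(value_der)
    unused, data = bits[0], bits[1:]
    nbits = len(data) * 8 - unused
    return {KEY_USAGE_BITS[i] for i in range(min(nbits, 9)) if data[i // 8] >> (7 - i % 8) & 1}

def decode_basic_constraints(value_der):
    _, body, _ = parse_tlv(value_der)
    fields = dict(parse_seq(body))                      # {tag: value}
    return fields.get(0x01) == b"\xff", (int.from_bytes(fields[0x02], "big") if 0x02 in fields else None)

RECOGNIZED = {"2.5.29.15": decode_key_usage, "2.5.29.19": decode_basic_constraints}

def evaluate(extensions_der):
    """The critical-flag rule: decode what we recognize, ignore an unrecognized
    non-critical extension, reject on an unrecognized critical one.
    Returns (accepted, {oid: decoded value})."""
    decoded = {}
    for oid, critical, value in parse_extensions(extensions_der):
        if oid in RECOGNIZED:
            decoded[oid] = RECOGNIZED[oid](value)
        elif critical:
            return False, decoded
    return True, decoded

# ---- Constructed samples (OID 1.2.3.4.5 is a hypothetical vendor extension) --
VENDOR = "1.2.3.4.5"
CA_EXTS = tlv(0x30, der_extension("2.5.29.15", der_key_usage([5, 6]), critical=True)  # keyCertSign, cRLSign
                  + der_extension("2.5.29.19", der_basic_constraints(True, 0), critical=True)
                  + der_extension(VENDOR, tlv(0x04, b"opaque")))                       # non-critical: ignorable
EE_EXTS_BAD = tlv(0x30, der_extension("2.5.29.15", der_key_usage([0, 2]))            # digitalSignature, keyEncipherment
                      + der_extension(VENDOR, tlv(0x04, b"opaque"), critical=True))    # critical and unknown: reject
```

Two encodings worth recognising on sight: keyCertSign plus cRLSign becomes the BIT STRING 03 02 01 06, and digitalSignature plus keyEncipherment becomes 03 02 05 A0. The decoder tolerates a BIT STRING longer than nine bits and a BasicConstraints with no fields at all (30 00, which is how a non-CA certificate encodes cA=FALSE under DER).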
NonRepudiation

- The nonRepudiation bit is the black hole of PKIX
  - It absorbs infinite amounts of argument time on the mailing list without making any progress toward understanding what it means
- What does it mean? How do you enforce that?
  - No one knows...
  - “Nonrepudiation is anything which fails to go away when you stop believing in it”
More Extensions

- Subject Key ID: Short identifier for the subject public key
- Authority Key ID: Short identifier for the issuer’s public key – useful for locating possible parent certs
- CRL Distribution Points: List of URLs pointing to revocation information servers
- Authority Info Access: Pointer to issuer cert publication location
Even More Extensions

- Basic constraints
  - Is the cert a CA cert?
  - Limits on path length beneath this cert
- Name constraints: Limits on types of certs this key can issue
- Policy mappings: Convert one policy ID into another
- Policy constraints: Anti-matter for policy mappings
Still More Extensions

- Extended Key Usage: Because Key Usage wasn’t confusing enough!
- Private Key Usage Period: CA attempt to limit key validity period
- Subject Alternative Names: Everything which doesn’t fit in a DN
  - RFC822 names, DNS names, URIs
  - IP addresses, X.400 names, EDI, etc.
Yet Still More Extensions

- Certificate policies: Information identifying the CA policy that was in effect when the cert was issued
  - Policy identifier
  - Policy qualifier
    - Explicit text
    - Hash reference (hash + URI) to a document
- X.509 defers cert semantics to the CA’s issuing policy
  - Most CA policies disclaim liability
Extensions and Chain Building

- When you build a cert chain, you start with the EE cert and discover possible parent certificates by matching DNs
  - “Build the chain from the bottom up.”
- However, to verify a cert chain, you have to start at the root and interpret all the extensions that may constrain subordinate CAs (and EEs)
  - “Build the chain from the top down.”
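The two directions described here, as an added example that is not part of the slides: bottom-up discovery by issuer DN and Authority/Subject Key ID, then top-down enforcement of the Key Usage, Basic constraints (cA, pathLenConstraint) and Name constraints extensions from the preceding slides. The certs are a constructed, signature-free model (every name and key ID is made up), and signature verification is assumed to happen separately.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    subject: str                     # subject DN
    issuer: str                      # issuer DN
    skid: str                        # Subject Key ID
    akid: Optional[str]              # Authority Key ID (None if absent)
    is_ca: bool = False              # basicConstraints.cA
    path_len: Optional[int] = None   # basicConstraints.pathLenConstraint
    key_usage: FrozenSet[str] = frozenset()           # keyUsage bits by name
    permitted_dns: Optional[Tuple[str, ...]] = None   # nameConstraints dNSName subtrees
    dns_names: Tuple[str, ...] = ()  # subjectAltName dNSName values

def build_chain(ee, store, trusted):
    """Bottom up: a parent's subject DN must match the child's issuer DN, and its
    Subject Key ID must match the child's Authority Key ID when the child has one."""
    anchors = {c.skid for c in trusted}
    chain, seen = [ee], {ee.skid}
    while chain[-1].skid not in anchors:
        child = chain[-1]
        parents = [c for c in store + trusted
                   if c.subject == child.issuer and c.skid not in seen
                   and (child.akid is None or c.skid == child.akid)]
        if not parents:
            raise ValueError(f"no issuer found for {child.subject}")
        chain.append(parents[0])
        seen.add(parents[0].skid)
    return chain[::-1]               # trust anchor first, end entity last

def dns_permitted(name, subtrees):
    return any(name == s or name.endswith("." + s) for s in subtrees)

def validate_chain(chain, ee_usage=frozenset()):
    """Top down: apply each CA's constraints to everything beneath it; "valid" or "rejected: ..."."""
    remaining, permitted = None, []  # tightest pathLen so far; ancestors' name constraints
    for i, cert in enumerate(chain):
        if any(not dns_permitted(n, s) for s in permitted for n in cert.dns_names):
            return f"rejected: {cert.subject} violates an ancestor's name constraints"
        if i == len(chain) - 1:      # end entity: must carry the usage the caller needs
            return "valid" if ee_usage <= cert.key_usage else f"rejected: {cert.subject} lacks {sorted(ee_usage - cert.key_usage)}"
        if not cert.is_ca or "keyCertSign" not in cert.key_usage:
            return f"rejected: {cert.subject} may not issue certificates"
        if i and remaining is not None:   # each intermediate consumes one unit of path length
            if remaining == 0:
                return f"rejected: {cert.subject} exceeds an ancestor's pathLenConstraint"
            remaining -= 1
        if cert.path_len is not None:
            remaining = cert.path_len if remaining is None else min(remaining, cert.path_len)
        if cert.permitted_dns is not None:
            permitted.append(cert.permitted_dns)

# Constructed test PKI: root -> issuing CA limited to pathLen 0 and example.com names.
CA_USAGE = frozenset({"keyCertSign", "keyCRLSign"})
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "root-1", "root-1", True, None, CA_USAGE)
SUB = Cert("CN=Example Issuing CA", "CN=Example Root CA", "sub-1", "root-1", True, 0, CA_USAGE,
           permitted_dns=("example.com",))
SERVER = Cert("CN=www.example.com", "CN=Example Issuing CA", "srv-1", "sub-1",
              key_usage=frozenset({"digitalSignature", "keyEncipherment"}), dns_names=("www.example.com",))
OUTSIDE = Cert("CN=login.example.net", "CN=Example Issuing CA", "out-1", "sub-1",
               key_usage=frozenset({"digitalSignature"}), dns_names=("login.example.net",))
DEEP_CA = Cert("CN=Deep CA", "CN=Example Issuing CA", "deep-1", "sub-1", True, None, CA_USAGE)
DEEP_EE = Cert("CN=a.example.com", "CN=Deep CA", "deep-ee", "deep-1", dns_names=("a.example.com",))
STORE = [SUB, DEEP_CA]
```

`validate_chain(build_chain(SERVER, STORE, [ROOT]), frozenset({"keyEncipherment"}))` returns "valid", while OUTSIDE fails the issuing CA's name constraint and DEEP_EE fails because its issuer sits beneath a pathLen 0 CA.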
Certificate Lifecycle Management
Lifecycle Management

- Certificate Enrollment: Initial acquisition of a certificate based on other authentication information
- Renewal: Acquiring a new certificate for a key when the existing certificate expires
- Revocation: “Undoing” a certificate
Certificate Enrollment

Enrollment is the process of obtaining a certificate from a CA.

1. Alice generates a key pair, creates a message containing a copy of the public key and her identifying information, and signs the message with the private key (PKCS#10).
   - Signing the message provides “proof-of-possession” (POP) of the private key as well as message integrity
2. CA verifies Alice’s signature on the message
Certificate Enrollment (2)

3. (Optional) CA verifies Alice’s ID through out-of-band means.
4. CA creates a certificate containing the ID and public key, and signs it with the CA’s own key
   - CA has certified the binding between key and ID
5. Alice verifies the key, ID & CA signature
6. Alice and/or the CA publish the certificate
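Steps 1, 2, 4 and 5 of this enrollment flow as an added example, not code from the slides: it uses the `cryptography` library's PKCS#10 and X.509 builders, with made-up names ("Alice", "Example CA"), and also shows what the CA's proof-of-possession check catches when a request's signature does not match the key inside it. Step 3 (out-of-band identity check) and step 6 (publication) are outside the example.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def make_request(key, common_name):
    """Step 1: Alice's PKCS#10 request, carrying her public key and signed with her private key."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return x509.CertificateSigningRequestBuilder().subject_name(name).sign(key, hashes.SHA256())

def proof_of_possession_ok(csr):
    """Step 2: the CA checks the request signature against the public key inside the request."""
    return csr.is_signature_valid

def ca_issue(csr, ca_key, ca_name, days=365):
    """Step 4: the CA binds the requested name and key under its own signature."""
    if not proof_of_possession_ok(csr):
        raise ValueError("CSR signature invalid: no proof of possession")
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_name).public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))

def subscriber_checks(cert, key, ca_public_key, common_name):
    """Step 5: Alice confirms the key, the ID and the CA signature before using the cert."""
    if cert.public_key().public_numbers() != key.public_key().public_numbers():
        return False
    if cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value != common_name:
        return False
    try:
        ca_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                             padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True

def corrupt_signature(csr):
    """Constructed failure case: flip the last DER byte (part of the signature) so the
    request no longer proves possession of the key it carries."""
    der = csr.public_bytes(serialization.Encoding.DER)
    return x509.load_der_x509_csr(der[:-1] + bytes([der[-1] ^ 0x01]))

def run_enrollment(common_name="Alice"):
    """Whole flow with freshly generated (constructed) CA and subscriber keys."""
    ca_key, alice_key = new_key(), new_key()
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    csr = make_request(alice_key, common_name)
    cert = ca_issue(csr, ca_key, ca_name)
    return subscriber_checks(cert, alice_key, ca_key.public_key(), common_name)
```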
[Diagram: Certificate Enrollment Flow – Client and CA exchange a Certificate Request and Installation; the CA then publishes the Cert to the Directory (“Publish Certificate?”)]
More PKI Alphabet Soup

- PKCS #10 – (old) standard message format for certificate requests
- PKCS #7 – (old) standard message format for encrypted/signed data
  - Also used for certificate request responses
  - Replaced by IETF CMS syntax
- CMC – “Certificate Management with CMS”
  - Replacement for PKCS #10/PKCS#7 in a certificate management context
- CMP – “Certificate Management Protocols”
  - Alternative to CMC
Revocation
Expiration & Revocation

- Certificates (at least, all the ones we’re concerned with) contain explicit validity periods – “valid from” & “expires on”
  - Expiration dates help bound the risk associated with issuing a certificate
- Sometimes, though, it becomes necessary to “undo” a certificate while it is still valid
  - Key compromise
  - Cert was issued under false pretenses
  - This is called revoking a certificate
Status Info for Certificates

- Two standards within PKIX:
  - X.509v2/PKIX Part 1 Certificate Revocation Lists (CRLs)
  - Online Certificate Status Protocol (OCSP)
- Both methods state:
  - Whether a cert has been revoked
  - A “revocation code” indicating why the cert was revoked
  - The time at which the cert was revoked
Certificate Revocation

- A CA revokes a certificate by placing the cert on its Certificate Revocation List (CRL)
  - Every CA issues CRLs to cancel out issued certs
  - A CRL is like anti-matter – when it comes into contact with a certificate it lists, it cancels out the certificate
  - Think “1970s-style credit-card blacklist”
- Relying parties are expected to check CRLs before they rely on a certificate
  - “The cert is valid unless you hear something telling you otherwise”
The Problem with CRLs

- Blacklists have numerous problems
  - Not issued frequently enough to be effective against a serious attack
  - Expensive to distribute (size & bandwidth)
  - Vulnerable to simple DOS attacks
    - If you block on lack of CRL access, why have off-line support in the first place?
The Problem with CRLs (2)

- CRL design made it worse
  - CRLs can contain retroactive invalidity dates
  - A CRL issued today can say a cert was invalid as of last week.
    - Checking that something was valid at time t wasn’t sufficient!
    - Back-dated CRLs can appear at any time in the future
  - If you rely on certs & CRLs you’re screwed because the CA can change the rules out from under you later.
The Problem with CRLs (3)

- Revoking a CA cert is more problematic than revoking an end-entity cert
  - When you revoke a CA cert, you potentially take out the entire subordinate structure, depending on what chaining logic you use
- How do you revoke a self-signed cert?
  - “The cert revokes itself.”
  - Huh?
  - Do I accept the CRL as valid & bounce the cert?
  - Do I reject the CRL because the cert associated with the CRL signing key was revoked?
The Problem with CRLs (4)

- You can’t revoke a CRL
  - Once you commit to a CRL, it’s a valid state for the entirety of its validity period
- What happens if you have to update the CRL while the CRL you just issued is still valid?
  - You can update it, but clients aren’t required to fetch it since the one they have is still valid!
- Bottom line: yikes!
  - We need something else
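The two CRL failure modes from slides (2) and (4), retroactive invalidity dates and a still-valid cached CRL that clients need not replace, as an added example that is not part of the slides. It models CRLs and entries on a constructed February 2006 timeline with no real certificates or signatures; serial 42 and all dates are made up.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime            # when the CA recorded the revocation
    invalidity_date: Optional[datetime]  # CRL entry extension; may be earlier (retroactive)

@dataclass(frozen=True)
class CRL:
    this_update: datetime
    next_update: datetime                # the CRL counts as current until this time
    entries: Tuple[RevokedEntry, ...]

def crl_is_current(crl, now):
    return crl.this_update <= now < crl.next_update

def status_at(crl, serial, at):
    """Status of `serial` at time `at` according to this CRL. invalidityDate, when
    present, wins over revocationDate: today's CRL can say a cert was bad last week."""
    for e in crl.entries:
        if e.serial == serial:
            bad_since = e.invalidity_date or e.revocation_date
            return "revoked" if at >= bad_since else "good"
    return "good"

def pick_crl(cached, published, now):
    """A relying party refetches only when its cached CRL has expired; a newer CRL
    the CA published in the meantime is not required reading."""
    if cached is not None and crl_is_current(cached, now):
        return cached
    return published

def verdict(cached, published, now, serial, signed_at):
    """(issue date of the CRL consulted, status of `serial` at `signed_at`) as seen
    by a relying party checking at time `now`."""
    crl = pick_crl(cached, published, now)
    return crl.this_update, status_at(crl, serial, signed_at)

# Constructed timeline: an empty CRL on Feb 1 (valid to Feb 8); on Feb 5 the CA learns
# serial 42's key was compromised on Feb 2 and back-dates the revocation accordingly.
def D(day):
    return datetime(2006, 2, day)

CRL_FEB1 = CRL(D(1), D(8), ())
CRL_FEB5 = CRL(D(5), D(12), (RevokedEntry(42, D(5), D(2)),))
SIGNED_AT = D(3)   # a document was signed with serial 42's key on Feb 3
```

On Feb 6 a relying party still holding CRL_FEB1 reports serial 42 as good for the Feb 3 signature and never fetches CRL_FEB5; on Feb 9 it refetches and the same signature is now retroactively revoked.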
CRLs vs. OCSP Responses

- Aggregation vs. Freshness
  - CRLs combine revocation information for many certs into one long-lived object
  - OCSP Responses designed for real-time responses to queries about the status of a single certificate
- Both CRLs & OCSP Responses are generated by the issuing CA or its designate. (Generally this is not the relying party.)
Online Status Checking

- OCSP: Online Certificate Status Protocol
  - A way to ask “is this certificate good right now?”
  - Get back a signed response from the OCSP server saying, “Yes, cert C is good at time t”
    - Response is like a “freshness certificate”
- OCSP response is like a selective CRL
  - Client indicates the certs for which he wants status information
  - OCSP responder dynamically creates a lightweight CRL-like response for those certs
[Diagram: OCSP in Action – parties: End-entity, CA, Relying Party; messages: Cert Request / Cert (CA to End-entity), Cert + Transaction (End-entity to Relying Party), OCSP Request for the Cert / OCSP Response (Relying Party and OCSP responder), Transaction Response (Relying Party to End-entity)]
Final thoughts on Revocation

- From a financial standpoint, it’s the revocation data that is valuable, not the issued certificate itself
  - For high-valued financial transactions, seller wants to know your cert is good right now
  - Same situation as with credit cards, where the merchant wants the card authorized right now at the point-of-sale
- Card authorizations transfer risk from merchant to bank – thus they’re worth $$$
  - Same with cert status checks
Using Certificates

- Most certificate uses do not require any sort of directory
  - Only needed to locate someone else’s certificate for encryption
- Authentication protocols have the client present their certificate (or chain) to the server
  - Ex: SSL, TLS, Smart card logon
  - Rules for mapping a certificate to user account vary widely
    - Cert fields, name forms, binary compare
- Signing operations embed the certificates with the signature
  - How else would you know who signed it?
Using Certificates (2)

- X.509 and PKIX define the basic structure of certificates
  - If you understand X.509, you can parse any certificate you’re presented
- However, every protocol defines a certificate profile for certificate use in that particular protocol
  - Ex: TLS, S/MIME, IPSEC, WPA/WPA2
- CAs/organizations define profiles too
  - Ex: US DoD Common Access Card certs
Additional Implementation Considerations

- Publishing certificates
  - How? Where? What format?
- Key escrow / data recovery for encryption keys/certs
- Auto-enrollment (users & machines)
- Establishing trusts / hierarchies
- Protecting private keys
- Disseminating root certificates