Certificates, Trust & PKI
Brian A. LaMacchia
bal@cs.washington.edu
bal@microsoft.com

Portions © 2002-2006, Brian A. LaMacchia. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.

Posted 18-Dec-2015

Page 2: Certificates

Page 3
February 21, 2006, Practical Aspects of Modern Cryptography, slide 3

• Why do I trust the server key?
• How do I know I’m really talking to Amazon.com?
• What defeats a man-in-the-middle attack?

[Diagram: Client and Web Server talking HTTP with SSL/TLS, with Mallet sitting in the middle of the connection]

Page 4: SSL/TLS

You (client) and Merchant (server):
• Client: Let’s talk securely. Here are the protocols and ciphers I understand.
• Server: I choose this protocol and ciphers. Here is my public key and some other stuff that will make you trust this key is mine.
• Client: Here is a fresh key encrypted with your key.

Page 5: What’s the “some other stuff”
• How can we convince Alice that some key belongs to Bob?
• Alice and Bob could have met previously & exchanged keys directly.
  • Jeff Bezos isn’t going to shake hands with everyone he’d like to sell to...
• Someone Alice trusts could vouch to her for Bob and Bob’s key
  • A third party can certify Bob’s key in a way that convinces Alice.

Page 6: What is a certificate?
• A certificate is a digitally-signed statement that binds a public key to some identifying information.
• The signer of the certificate is called its issuer.
• The entity talked about in the certificate is the subject of the certificate.
• That’s all a certificate is, at the 30,000’ level.

Page 7: Certificates are Like Marriage
“By the power vested in me I now declare this text and this bit string “name” and “key.” What RSA has joined, let no man put asunder.”
-- Bob Blakley

Page 8: Certs in the “real world”
• A driver’s license is like a certificate
  • It is a “signed” document (sealed, tamper-resistant)
  • It is created and signed by an “issuing authority” (the WA Dept. of Licensing)
  • It binds together various pieces of identifying information
    • Name
    • License number
    • Driving restrictions (must wear glasses, etc.)

Page 9: More certs in the real world
• Many physical objects are like certificates:
  • Any type of license – vehicle tabs, restaurant liquor license, amateur radio license, etc.
  • Government-issued IDs (passports, green cards)
  • Membership cards (e.g. Costco, discount cards)
• All of these examples bind an identity and certain rights, privileges or other identifiers
  • “BAL == N1TJT” signed FCC

Page 10: Why do we believe what certs say?
• In the physical world, why do we trust the statements contained on a physical cert?
  • We believe it’s hard to forge the cert
  • We trust the entity that “signed” the cert
• In the digital world we need those same two properties
  • We need to believe it’s hard to forge the digital signature on a signed document
  • We need to trust the issuer/signer not to lie to us

Page 11: Defeating Mallet
• Bob can convince Alice that his key really does belong to him if he can also send along a digital certificate Alice will believe & trust

Alice and Bob:
• Alice: Let’s talk securely. Here are the protocols and ciphers I understand.
• Bob: I choose this protocol and ciphers. Here is my public key and a certificate to convince you that the key really belongs to me. [Cert]

Page 12: Getting a certificate
• How does Bob get a certificate for his key?
• He goes to a Certificate Authority (CA) that issues certificates and asks for one...
• The CA issues Bob a certificate for his public key.
  • CA is the issuer
  • Bob is the subject

Page 13: Using Certificates
• Now that Bob has a certificate, is it useful?
• Alice will believe Bob’s key belongs to Bob if Alice believes the certificate Bob gives her for his key.
• Alice will believe Bob’s key belongs to Bob if Alice trusts the issuer of Bob’s certificate to make key-name binding statements
• Have we made the situation any better?

Page 14: Does Alice Trust Bob’s CA?
• How can we convince Alice to trust Bob’s CA?
• Alice and Bob’s CA could have met previously & exchanged keys directly.
  • Bob’s CA isn’t going to shake hands with everyone he’s certified, let alone everyone whom Bob wants to talk to.

Page 15: Does Alice Trust Bob’s CA?
• How can we convince Alice to trust Bob’s CA?
• Alice and Bob’s CA could have met previously & exchanged keys directly.
  • Bob’s CA isn’t going to shake hands with everyone he’s certified, let alone everyone whom Bob wants to talk to.
• Someone Alice trusts could vouch to her for Bob’s CA and Bob’s CA’s key
  • Infinite Loop: See Loop, Infinite.
  • Actually, it’s just a bounded recursion...

Page 16: What’s Alice’s Trust Model
• Alice has to implicitly trust some set of keys
• Once she does that, those keys can introduce others to her.
• In the model used by SSL/TLS, CAs are arranged in a hierarchy
  • Alice, and everyone else, trusts one or more “root CA” that live at the top of the tree
• Other models work differently

Page 17: Public Key Infrastructure

Page 18: Certificate Authorities
• A certificate authority (CA) guarantees the connection between a key and another CA or an “end entity.”
• An end entity is:
  • A person
  • A role (“VP of sales”)
  • An organization
  • A pseudonym
  • A piece of hardware or software
  • An account
• Some CA’s only allow a subset of these types.

Page 19: CA Hierarchies
• CAs can certify other CAs or “end entities”
• Certificates are links in a tree of EEs & CAs

[Diagram: a Root CA at the top of the tree certifies CAs, which in turn certify further CAs and EEs]

Page 20: BAL’s No-Frills Certs
• Certificates can contain all sorts of information inside them
  • We’ll talk about the details in a little bit
• In the abstract, though, they’re just statements by an issuer about a subject:

[Diagram: a no-frills certificate with two fields, Issuer and Subject]

Page 21: Does Alice trust Bob’s Key?
• Alice trusts Bob’s key if there is a chain of certificates from Bob’s key to a root CA that Alice implicitly trusts

[Diagram: several Root CAs, each at the top of its own tree of CAs and EEs]

Page 22: Chain Building & Validation
• “Given an end-entity certificate, does there exist a cryptographically valid chain of certificates linking it to a trusted root certificate?”

[Diagram: the same forest of Root CAs, CAs and EEs as on the previous slide]

Page 23: Chaining Certificates
• In theory, building chains of certificates should be easy
  • “Just link them together like dominos”
• In practice, it’s a lot more complicated...

Page 24: Chain Building Details (1)

[Diagram: one Root CA certifies CA1 and CA2; CA1 certifies EE1 and EE2; CA2 certifies EE3]

Page 25: Chain Building Details (2)

[Diagram: two separate hierarchies, RootCA1 and RootCA2, with CA1, CA2 and EE1, EE2, EE3 beneath them]

Page 26: Chain Building Details (3)

[Diagram: the two separate hierarchies again, RootCA1 and RootCA2 with CA1, CA2 and EE1, EE2, EE3]

Pages 27-30: Chain Building Details (3)

[Diagram: the two hierarchies, RootCA1 and RootCA2 with CA1, CA2 and EE1, EE2, EE3, now joined by a BridgeCA]


Page 31: Chaining Certificates
• How do we determine whether two certificates chain together?
• You’d think this was an easy problem...
• But it’s actually a question with religious significance in the security community
  • “Are you a believer in names, or in keys?”
• In order to understand the schism, we need to digress for a bit and talk about names and some history

Page 32: PKI Alphabet Soup
• X.509v3 - standard content of a certificate
• PKIX – IETF Working Group on PKI interoperability
  • PKIX == Public Key Infrastructure using X.509v3 certificates
• ASN.1 - Abstract Syntax Notation, exact description of a certificate format
• DER - Distinguished Encoding Rules, how to physically package a certificate

Page 33: The X.500 Directory Model
• The model SSL/TLS uses, the X.509 certificate model, is based on names
  • Names as principals
• Specifically, X.509 is based on the X.500 directory model
• X.500 defined a global, all-encompassing directory, to be run by the telcos
  • One directory to rule them all, one directory to define them...

Page 34: X.500 Distinguished Names
• In the X.500 model, everything has a single, unique, global, assigned name
• There is a worldwide hierarchy, and you’re in it!

[Diagram: part of the X.500 name tree]
C=US (Country)
  SP=OR (State or Province)
  SP=WA
    L=Redmond (Locality)
      O=Microsoft (Organization)
    L=Seattle
      O=Univ. of Washington
  SP=CA

Page 35: DNs in Practice
• Name is unique within the scope of the CA’s name
• Public CAs (e.g. Verisign) typically set
  • C = CA Country
  • O = CA Name
  • OU = Certificate type/class
  • CN = User name
  • E = email address
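The packaging named on the “PKI Alphabet Soup” slide and the DNs of the last two slides, as an added example that is not part of the slides: a small Python encoder and parser for an X.500 Name in DER. The structure (Name ::= SEQUENCE OF RelativeDistinguishedName, RDN ::= SET OF AttributeTypeAndValue) and the attribute OIDs are the standard X.501/X.520 and PKCS#9 ones; everything else, including the one-attribute-per-RDN restriction, PrintableString-only values, the DER strictness checks and the function names, is this example's own simplification. The slide's “SP” label is the stateOrProvinceName attribute, written ST here.

```python
# Added example (not the slides' code): a minimal DER encoder/decoder for an X.500 Name.
#   Name ::= SEQUENCE OF RelativeDistinguishedName
#   RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
#   AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value PrintableString }
# Simplifications of this example: one attribute per RDN, PrintableString values only.
SEQUENCE, SET, OBJECT_ID, PRINTABLE_STRING = 0x30, 0x31, 0x06, 0x13

# X.520 attribute types; "E" is the PKCS#9 emailAddress attribute.
# The slides' "SP" is stateOrProvinceName, abbreviated ST here.
ATTR_OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
             "OU": "2.5.4.11", "CN": "2.5.4.3", "E": "1.2.840.113549.1.9.1"}
OID_ATTRS = {oid: attr for attr, oid in ATTR_OIDS.items()}

def der_length(n):
    """Length octets: short form below 128, otherwise the minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def encode_oid(dotted):
    """First two arcs packed as 40*a+b; the rest base-128, high bit set on all but the last octet."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def encode_name(rdns):
    """rdns: ordered (attribute, value) pairs, e.g. [("C", "US"), ("O", "Microsoft")]."""
    parts = []
    for attr, value in rdns:
        atv = tlv(OBJECT_ID, encode_oid(ATTR_OIDS[attr])) + tlv(PRINTABLE_STRING, value.encode("ascii"))
        parts.append(tlv(SET, tlv(SEQUENCE, atv)))
    return tlv(SEQUENCE, b"".join(parts))

def read_tlv(buf, pos=0):
    """Parse one element at buf[pos] -> (tag, content, end). Rejects the indefinite and
    non-minimal lengths that BER allows but DER forbids."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or buf[pos] == 0:
            raise ValueError("not DER: indefinite or zero-padded length")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
        if length < 0x80:
            raise ValueError("not DER: long form used for a length below 128")
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def expect(tag, wanted, what):
    if tag != wanted:
        raise ValueError(f"expected {what}, got tag 0x{tag:02x}")

def decode_name(buf):
    """Inverse of encode_name; unknown attribute types come back as dotted OIDs."""
    tag, content, end = read_tlv(buf)
    expect(tag, SEQUENCE, "Name SEQUENCE")
    if end != len(buf):
        raise ValueError("trailing bytes after the Name")
    rdns, pos = [], 0
    while pos < len(content):
        tag, rdn, pos = read_tlv(content, pos)
        expect(tag, SET, "RDN SET")
        tag, atv, _ = read_tlv(rdn)
        expect(tag, SEQUENCE, "AttributeTypeAndValue SEQUENCE")
        tag, oid, vpos = read_tlv(atv)
        expect(tag, OBJECT_ID, "attribute type OID")
        tag, value, _ = read_tlv(atv, vpos)
        expect(tag, PRINTABLE_STRING, "PrintableString value")
        dotted = decode_oid(oid)
        rdns.append((OID_ATTRS.get(dotted, dotted), value.decode("ascii")))
    return rdns

def is_der_name(buf):
    """True if buf parses as a DER Name under the checks above."""
    try:
        decode_name(buf)
        return True
    except (ValueError, IndexError):
        return False

# Constructed sample: the Microsoft node of the X.500 tree on the slide.
MICROSOFT_DN = [("C", "US"), ("ST", "WA"), ("L", "Redmond"), ("O", "Microsoft")]
```

`encode_name(MICROSOFT_DN)` gives the bytes that would sit in the subject or issuer field of a certificate for that node, and `decode_name` parses them back. The length checks in `read_tlv` are what make the parser DER rather than BER: BER allows the same SEQUENCE to be written several ways, DER allows exactly one, and a signature over a certificate covers those exact bytes, so a relying party cannot afford to accept the other encodings silently.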

Page 36: Private-label DNs
• If you own the CA, you get to decide what fields go in the DN
  • Really varies on what the software supports
• Can get really strange as people try to guess values for fields that are required by software
  • Software requires an OU, we don’t have OUs, so I better make something up!

Page 37: DNs in X.509 Certificates
• The X.509 certificate standard began as a way to associate a certificate with a node in the directory.
• How is the subject of a cert identified? By its DN.
• How is the issuer of a cert identified? By its DN.
• How are certificates linked together? By DNs.

Page 38: Key fields in a certificate
• The core fields of an X.509 certificate are
  • The subject public key
  • The subject Distinguished Name
  • The issuer Distinguished Name
• What’s missing here?

Page 39: Key fields in a certificate
• The core fields of an X.509 certificate are
  • The subject public key
  • The subject Distinguished Name
  • The issuer Distinguished Name
• What’s missing here?
  • The issuer’s public key is not present in the certificate.
  • You can’t verify the signature on the cert without finding a parent cert!

Page 40: Back to Chain Building
• OK, assume we’re a “relying party application” -- something that received an end-entity certificate and wants to verify it.
• Our task is to build a cert chain from that end-entity cert to one of our trusted roots
• How do we do that?
  • We start with our EE cert, and using the information contained within we look for possible parent certificates.

Page 41: Parent certs
• What’s a valid parent certificate?
• In the raw X.509 model, parent-child relationships are determined solely by matching Issuer DN in the child to Subject DN in the parent
• Recall that there’s an assumption that you have a big directory handy to find certs.
• If you don’t have a directory handy, you need to do the matching yourself
  • This is not as easy as you might think…

Page 42: Name matching

[Diagram: two certificates, each with an Issuer Name and a Subject Name; the child’s Issuer Name is matched against the parent’s Subject Name]

Page 43: Matching Names
• How do we determine if two DNs match?
• “Use directory name matching rules!”
• Try to be mildly smart about it
  • Remove spaces, case-fold, etc.
  • Disaster…
• Try to be really dumb about it
  • Exact binary match
  • Less of a disaster, but there are still problems we can’t work around…

Page 44: Unicode Names
• Are these two characters equal?  é  é
• They look equal…

Page 45: Certificates, Trust & PKI Brian A. LaMacchia bal@cs.washington.edu bal@microsoft.com Portions © 2002-2006, Brian A. LaMacchia. This material is provided.

February 21, 2006February 21, 2006 Practical Aspects of Modern CryptographyPractical Aspects of Modern Cryptography 4545

Unicode NamesUnicode Names Are these two character equal?Are these two character equal?

éé é é They look equal…They look equal… ……but may not bebut may not be In Unicode, you can compose In Unicode, you can compose

characters, so:characters, so: ““é” as one characteré” as one character ““é” as two characters – “e” followed by é” as two characters – “e” followed by

non-spacing accentnon-spacing accent ““é” as two characters – non-spacing é” as two characters – non-spacing

accent followed by “e”accent followed by “e” Ick!Ick!
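An added example (not from the original slides) that runs the three spellings and the two matching strategies above through Python’s standard unicodedata module. The DN strings are constructed, and the NFC-normalized comparison is added here for contrast; the slides do not propose it.

```python
# Added example: why "mildly smart" and "really dumb" DN matching both misbehave
# on Unicode names, using only the standard library.
import unicodedata
from typing import Dict, List

# The three spellings from the slide, as constructed sample strings.
E_ONE_CHAR = "\u00e9"          # “é” as one character (U+00E9)
E_E_THEN_ACCENT = "e\u0301"    # “e” followed by a non-spacing (combining) acute accent
E_ACCENT_THEN_E = "\u0301e"    # non-spacing accent followed by “e”


def code_points(s: str) -> List[str]:
    """Show what a string actually contains, e.g. ['U+0065', 'U+0301']."""
    return [f"U+{ord(ch):04X}" for ch in s]


def binary_match(a: str, b: str) -> bool:
    """'Really dumb': compare the encoded bytes exactly."""
    return a.encode("utf-8") == b.encode("utf-8")


def smart_match(a: str, b: str) -> bool:
    """'Mildly smart': drop spaces and case-fold first (the slide's disaster:
    distinct names collapse onto each other)."""
    canon = lambda s: "".join(s.split()).casefold()
    return canon(a) == canon(b)


def normalized_match(a: str, b: str) -> bool:
    """Exact match after Unicode NFC normalization (added here as a middle ground).
    NFC composes 'e' + combining acute into U+00E9 but leaves an accent that has
    no base character alone, so the third spelling stays distinct."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


# Constructed DNs: A and B are the same name spelled two ways; C is a different organization.
DN_A = "CN=Ren\u00e9 Example,O=Example Corp"
DN_B = "CN=Rene\u0301 Example,O=Example Corp"
DN_C = "CN=Ren\u00e9 Example,O=ExampleCorp"


def compare_all(a: str, b: str) -> Dict[str, bool]:
    """Run all three strategies on one pair of DNs."""
    return {"binary": binary_match(a, b), "smart": smart_match(a, b), "nfc": normalized_match(a, b)}


if __name__ == "__main__":
    print(code_points(E_ONE_CHAR), code_points(E_E_THEN_ACCENT), code_points(E_ACCENT_THEN_E))
    print("same name, two spellings:", compare_all(DN_A, DN_B))   # binary/smart miss, nfc matches
    print("different organizations:", compare_all(DN_A, DN_C))   # smart wrongly matches them
```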

Page 46: Even More Chain Building

- Name matching is just the beginning of the chain-building process
- It is necessary that subject and issuer DNs exactly match for two certs to chain, but not always sufficient
- The chain building process is also influenced dynamically by other information contained within the certs themselves
  - What other information is there in certs?

Page 47: Trusted Root Certificates

- Who do I trust to be roots at the top of the cert chain?
  - In theory, “anyone you want”
  - In practice, trusted roots come from two sources
    - They’re baked into your web browser or operating system
    - They’re pushed onto your “enterprise managed desktop”

Page 48: Trusted Root Certificates

(Screenshot slide: no text beyond the title.)

Page 49: Certificate Extensions

Page 50: Exploring inside an X.509 Cert

(Screenshot slide: no text beyond the title.)

Page 51: Exploring inside an X.509 Cert

(Screenshot slide: no text beyond the title.)

Page 52: Exploring inside an X.509 Cert

(Screenshot slide: no text beyond the title.)

Page 53: Inside an X.509v3 Certificate

(Diagram of the certificate fields, listed in the order they appear in the structure:)
- Version
- Serial Number
- Signing Algorithm
- Issuer Distinguished Name
- Validity Period
- Subject Distinguished Name
- Subject Public Key
- Extensions: Extension 1, Extension 2, …, Extension n

Page 54: Certificate Extensions

- An extension consists of three things:
  - A “critical” flag (boolean)
  - A type identifier
  - A value
- Format of the value depends on the type identifier

Page 55: Certificate Extensions

(Diagram: the extensions block of a certificate, each entry carrying its own “Critical?” flag:)
- Key Usage
- Subject Key ID
- Authority Key ID
- CRL Distribution Points
- Authority Info Access
- Extended Key Usage
- Subject Alt Name
- Certificate Policies
- Proprietary Extension 1
- …
- Proprietary Extension n

Page 56: Critical Flags

- The “critical flag” on an extension is used to protect the issuing CA from assumptions made by software that doesn’t understand (implement support for) a particular extension
  - If the flag is set, relying parties must process the extension if they recognize it, or reject the certificate
  - If the flag is not set, the extension may be ignored

Page 57: Critical Flags (2)

- Some questions you might be asking yourself right now...
  - What does “must process the extension if they recognize it” mean?
  - What does “recognize” mean?
  - What does “process” mean?
- You’ve got me....
  - The IETF standards folks didn’t know either...

Page 58: Critical Flags (3)

- Actual definitions of flag usage are vague:
  - X.509: Non-critical extension “is an advisory field and does not imply that usage of the key is restricted to the purpose indicated”
  - PKIX: “CA’s are required to support constrain extensions” but “support” is never defined.
  - S/MIME: Implementations should “correctly handle” certain extensions
  - Verisign: “All persons shall process the extension...or else ignore the extension”

Page 59: Types of Extensions

- There are two flavors of extensions
  - Usage/informational extensions, which provide additional info about the subject of the certificate
  - Constraint extensions, which place restrictions on one or more of:
    - Use of the certificate
    - The user of the certificate
    - The keys associated with the certificate

Page 60: Some common extensions

- Key Usage
  - digitalSignature: “Sign things that don’t look like certs”
  - keyEncipherment: exchange encrypted session keys
  - keyAgreement: Diffie-Hellman
  - keyCertSign/keyCRLSign: “Sign things that look like certs”
  - nonRepudiation

Page 61: NonRepudiation

- The nonRepudiation bit is the black hole of PKIX
  - It absorbs infinite amounts of argument time on the mailing list without making any progress toward understanding what it means
- What does it mean? How do you enforce that?
  - No one knows...
  - “Nonrepudiation is anything which fails to go away when you stop believing in it”

Page 62: More Extensions

- Subject Key ID
  - Short identifier for the subject public key
- Authority Key ID
  - Short identifier for the issuer’s public key – useful for locating possible parent certs
- CRL Distribution Points
  - List of URLs pointing to revocation information servers
- Authority Info Access
  - Pointer to issuer cert publication location

Page 63: Even More Extensions

- Basic constraints
  - Is the cert a CA cert?
  - Limits on path length beneath this cert
- Name constraints
  - Limits on types of certs this key can issue
- Policy mappings
  - Convert one policy ID into another
- Policy constraints
  - Anti-matter for policy mappings

Page 64: Still More Extensions

- Extended Key Usage
  - Because Key Usage wasn’t confusing enough!
- Private Key Usage Period
  - CA attempt to limit key validity period
- Subject Alternative names
  - Everything which doesn’t fit in a DN
  - RFC822 names, DNS names, URIs
  - IP addresses, X.400 names, EDI, etc.

Page 65: Yet Still More Extensions

- Certificate policies
  - Information identifying the CA policy that was in effect when the cert was issued
  - Policy identifier
  - Policy qualifier
    - Explicit text
    - Hash reference (hash + URI) to a document
- X.509 defers cert semantics to the CA’s issuing policy
  - Most CA policies disclaim liability

Page 66: Extensions and Chain Building

- When you build a cert chain, you start with the EE cert and discover possible parent certificates by matching DNs
  - “Build the chain from the bottom up.”
- However, to verify a cert chain, you have to start at the root and interpret all the extensions that may constrain subordinate CAs (and EEs)
  - “Build the chain from the top down.”
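An added example (not from the slides) that models both directions with plain records: bottom-up discovery by exact DN match, then top-down enforcement of Basic Constraints, path length, Key Usage, validity and the critical flag from the preceding slides. Certificate names, the sample PKI and the private-arc extension identifier are constructed; signature verification is assumed to happen elsewhere.

```python
# Added example: chain building (bottom up, DN matching only) and chain
# verification (top down, extensions constrain what lies below).
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: int                                 # validity period, as day numbers
    not_after: int
    key_usage: Tuple[str, ...] = ()                 # Key Usage bits, by name
    is_ca: Optional[bool] = None                    # Basic Constraints cA; None = extension absent
    path_len: Optional[int] = None                  # Basic Constraints pathLenConstraint
    other_exts: Tuple[Tuple[str, bool], ...] = ()   # (type identifier, critical flag) for the rest


# Extension type identifiers this relying party knows how to process.
RECOGNIZED = {"subjectAltName", "extendedKeyUsage"}


def build_chain(leaf: Cert, store: List[Cert], roots: List[Cert]) -> Optional[List[Cert]]:
    """Bottom up: from the EE cert, find each parent by exact match of the child's
    issuer DN against candidate subject DNs. Nothing else is checked here."""
    chain = [leaf]
    while len(chain) < 8:                            # bound the walk so a looping store cannot hang us
        current = chain[-1]
        root = next((r for r in roots if r.subject == current.issuer), None)
        if root is not None:
            chain.append(root)
            return chain                             # reached a trusted root
        parent = next((c for c in store if c.subject == current.issuer and c != current), None)
        if parent is None:
            return None                              # no candidate parent: cannot chain
        chain.append(parent)
    return None


def verify_chain(chain: List[Cert], roots: List[Cert], now: int) -> Tuple[bool, str]:
    """Top down: start at the root and let each cert's extensions constrain what lies below it."""
    top_down = list(reversed(chain))
    if top_down[0] not in roots:
        return False, "chain does not end at a trusted root"
    for depth, cert in enumerate(top_down):
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        for ext_id, critical in cert.other_exts:
            if critical and ext_id not in RECOGNIZED:
                return False, f"{cert.subject}: unrecognized critical extension {ext_id}"
        if depth + 1 == len(top_down):
            continue                                 # the EE cert: nothing below it to constrain
        child = top_down[depth + 1]
        if child.issuer != cert.subject:
            return False, f"{child.subject}: issuer DN does not match {cert.subject}"
        if cert.is_ca is not True:
            return False, f"{cert.subject}: not marked as a CA (Basic Constraints)"
        if "keyCertSign" not in cert.key_usage:
            return False, f"{cert.subject}: Key Usage lacks keyCertSign"
        subordinate_cas = len(top_down) - depth - 2  # CA certs below this one, excluding the EE
        if cert.path_len is not None and subordinate_cas > cert.path_len:
            return False, f"{cert.subject}: {subordinate_cas} subordinate CA(s) exceeds pathLen {cert.path_len}"
    return True, "ok"


def check(leaf: Cert, store: List[Cert], roots: List[Cert], now: int) -> Tuple[bool, str]:
    chain = build_chain(leaf, store, roots)
    if chain is None:
        return False, "could not build a chain"
    return verify_chain(chain, roots, now)


# Constructed sample PKI: root (pathLen 1) -> issuing CA (pathLen 0) -> server cert.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 0, 3650, ("keyCertSign", "cRLSign"), True, 1)
SUB = Cert("CN=Example Issuing CA", "CN=Example Root CA", 0, 1825, ("keyCertSign", "cRLSign"), True, 0)
LEAF = Cert("CN=www.example.test", "CN=Example Issuing CA", 100, 465, ("digitalSignature", "keyEncipherment"))
UNKNOWN_EXT = "1.3.6.1.4.1.99999.1"                  # made-up private-arc identifier for the example


def run_cases() -> Dict[str, Tuple[bool, str]]:
    """The happy path plus the ways a DN-matched chain can still fail verification."""
    return {
        "good": check(LEAF, [SUB], [ROOT], 200),
        "parent_not_ca": check(LEAF, [replace(SUB, is_ca=None)], [ROOT], 200),
        "critical_unknown": check(replace(LEAF, other_exts=((UNKNOWN_EXT, True),)), [SUB], [ROOT], 200),
        "noncritical_unknown": check(replace(LEAF, other_exts=((UNKNOWN_EXT, False),)), [SUB], [ROOT], 200),
        "root_pathlen_zero": check(LEAF, [SUB], [replace(ROOT, path_len=0)], 200),
        "no_parent_in_store": check(LEAF, [], [ROOT], 200),
        "leaf_expired": check(LEAF, [SUB], [ROOT], 500),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name}: {result}")
```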

Page 67: Certificate Lifecycle Management

Page 68: Lifecycle Management

- Certificate Enrollment
  - Initial acquisition of a certificate based on other authentication information
- Renewal
  - Acquiring a new certificate for a key when the existing certificate expires
- Revocation
  - “Undoing” a certificate

Page 69: Certificate Enrollment

- Enrollment is the process of obtaining a certificate from a CA.

1. Alice generates a key pair, creates a message containing a copy of the public key and her identifying information, and signs the message with the private key (PKCS#10).
   - Signing the message provides “proof-of-possession” (POP) of the private key as well as message integrity
2. CA verifies Alice’s signature on the message

Page 70: Certificate Enrollment (2)

3. (Optional) CA verifies Alice’s ID through out-of-band means.
4. CA creates a certificate containing the ID and public key, and signs it with the CA’s own key
   - CA has certified the binding between key and ID
5. Alice verifies the key, ID & CA signature
6. Alice and/or the CA publish the certificate
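The six enrollment steps above, run end to end as an added example (not from the slides). A textbook-RSA signer built from fixed, well-known primes stands in for a real signature scheme (no padding, tiny modulus: a toy, not a secure implementation) so that the CA’s proof-of-possession check can be seen accepting Alice’s request and rejecting a request that carries her public key without her private key. Names, dates and the request/certificate field layout are constructed stand-ins for PKCS#10 and X.509.

```python
# Added example: enrollment with proof of possession, using a toy textbook-RSA signer.
import hashlib
import json
from typing import Callable, Dict, Optional, Tuple

Key = Tuple[int, int]   # (n, exponent)


def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA from two fixed primes: returns (public (n, e), private (n, d)).
    Toy only: no padding, tiny modulus, fixed primes chosen for the example."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest(obj: Dict, n: int) -> int:
    """SHA-256 of a canonical JSON encoding, reduced into the toy modulus."""
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(obj: Dict, priv: Key) -> int:
    n, d = priv
    return pow(digest(obj, n), d, n)


def verify(obj: Dict, sig: int, pub: Key) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(obj, n)


# Step 1: Alice builds a PKCS#10-style request (public key + identifying info)
# and signs it with the matching private key.
def make_request(subject: str, pub: Key, priv: Key) -> Dict:
    body = {"subject": subject, "public_key": list(pub)}
    return {"body": body, "signature": sign(body, priv)}


# Steps 2-4: the CA checks proof of possession (the signature verifies under the
# key carried inside the request), optionally vets the identity out of band, then
# issues a certificate signed with its own key.
def ca_issue(request: Dict, ca_name: str, ca_priv: Key,
             identity_ok: Callable[[str], bool]) -> Optional[Dict]:
    body = request["body"]
    if not verify(body, request["signature"], tuple(body["public_key"])):
        return None          # POP failed, or the request was altered after signing
    if not identity_ok(body["subject"]):
        return None          # out-of-band identity check failed
    tbs = {"issuer": ca_name, "subject": body["subject"], "public_key": body["public_key"],
           "not_before": "2006-02-21", "not_after": "2007-02-21"}   # constructed validity period
    return {"tbs": tbs, "signature": sign(tbs, ca_priv)}


# Step 5: Alice checks that the cert carries her name and key and is signed by the CA.
def subject_accepts(cert: Dict, subject: str, pub: Key, ca_pub: Key) -> bool:
    tbs = cert["tbs"]
    return (tbs["subject"] == subject and tuple(tbs["public_key"]) == pub
            and verify(tbs, cert["signature"], ca_pub))


# Constructed keys from well-known primes; e = 65537 is coprime to both totients.
ALICE_PUB, ALICE_PRIV = toy_keypair(1000000007, 998244353)
CA_PUB, CA_PRIV = toy_keypair(1000000009, 999999937)
CA_NAME = "CN=Example CA"


def enrollment_cases() -> Dict[str, bool]:
    """Alice's genuine enrollment next to the requests the CA must turn away."""
    vet = lambda subject: subject == "CN=Alice"           # the CA's out-of-band identity check
    good = make_request("CN=Alice", ALICE_PUB, ALICE_PRIV)
    cert = ca_issue(good, CA_NAME, CA_PRIV, vet)
    # Mallory copies Alice's public key into a request but cannot produce her signature.
    no_pop = {"body": {"subject": "CN=Alice", "public_key": list(ALICE_PUB)}, "signature": 12345}
    # Alice's genuine request with the subject altered after she signed it.
    tampered = {"body": dict(good["body"], subject="CN=Mallory"), "signature": good["signature"]}
    return {
        "alice_enrolled": cert is not None and subject_accepts(cert, "CN=Alice", ALICE_PUB, CA_PUB),
        "unvetted_identity_rejected": ca_issue(make_request("CN=Bob", ALICE_PUB, ALICE_PRIV),
                                               CA_NAME, CA_PRIV, vet) is None,
        "request_without_pop_rejected": ca_issue(no_pop, CA_NAME, CA_PRIV, vet) is None,
        "tampered_request_rejected": ca_issue(tampered, CA_NAME, CA_PRIV, lambda s: True) is None,
    }


if __name__ == "__main__":
    for name, outcome in enrollment_cases().items():
        print(f"{name}: {outcome}")
```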

Page 71: Certificate Enrollment Flow

(Diagram: the Client sends a Certificate Request to the CA and receives the Cert for installation; the CA then optionally publishes the certificate to a Directory, marked “Publish Certificate?”.)

Page 72: More PKI Alphabet Soup

- PKCS #10 – (old) standard message format for certificate requests
- PKCS #7 – (old) standard message format for encrypted/signed data
  - Also used for certificate request responses
  - Replaced by IETF CMS syntax
- CMC – “Certificate Management with CMS”
  - Replacement for PKCS #10/PKCS#7 in a certificate management context
- CMP – “Certificate Management Protocols”
  - Alternative to CMC

Page 73: Revocation

Page 74: Expiration & Revocation

- Certificates (at least, all the ones we’re concerned with) contain explicit validity periods – “valid from” & “expires on”
  - Expiration dates help bound the risk associated with issuing a certificate
- Sometimes, though, it becomes necessary to “undo” a certificate while it is still valid
  - Key compromise
  - Cert was issued under false pretenses
  - This is called revoking a certificate

Page 75: Status Info for Certificates

- Two standards within PKIX:
  - X.509v2/PKIX Part 1 Certificate Revocation Lists (CRLs)
  - Online Certificate Status Protocol (OCSP)
- Both methods state:
  - Whether a cert has been revoked
  - A “revocation code” indicating why the cert was revoked
  - The time at which the cert was revoked

Page 76: Certificate Revocation

- A CA revokes a certificate by placing the cert on its Certificate Revocation List (CRL)
  - Every CA issues CRLs to cancel out issued certs
  - A CRL is like anti-matter – when it comes into contact with a certificate it lists it cancels out the certificate
  - Think “1970s-style credit-card blacklist”
- Relying parties are expected to check CRLs before they rely on a certificate
  - “The cert is valid unless you hear something telling you otherwise”

Page 77: The Problem with CRLs

- Blacklists have numerous problems
  - Not issued frequently enough to be effective against a serious attack
  - Expensive to distribute (size & bandwidth)
  - Vulnerable to simple DOS attacks
    - If you block on lack of CRL access, why have off-line support in the first place?

Page 78: The Problem with CRLs (2)

- CRL design made it worse
  - CRLs can contain retroactive invalidity dates
  - A CRL issued today can say a cert was invalid as of last week.
    - Checking that something was valid at time t wasn’t sufficient!
  - Back-dated CRLs can appear at any time in the future
  - If you rely on certs & CRLs you’re screwed because the CA can change the rules out from under you later.

Page 79: The Problem with CRLs (3)

- Revoking a CA cert is more problematic than revoking an end-entity cert
  - When you revoke a CA cert, you potentially take out the entire subordinate structure, depending on what chaining logic you use
- How do you revoke a self-signed cert?
  - “The cert revokes itself.”
  - Huh?
    - Do I accept the CRL as valid & bounce the cert?
    - Do I reject the CRL because the cert associated with the CRL signing key was revoked?

Page 80: The Problem with CRLs (4)

- You can’t revoke a CRL
  - Once you commit to a CRL, it’s a valid state for the entirety of its validity period
- What happens if you have to update the CRL while the CRL you just issued is still valid?
  - You can update it, but clients aren’t required to fetch it since the one they have is still valid!
- Bottom line: yikes!
  - We need something else
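An added example (not from the slides) that replays two of the CRL problems above against a toy CRL: a later CRL back-dates a revocation, so a “valid at time t” answer given earlier turns out wrong, and a client holding a still-valid CRL has no reason to fetch the newer one. Issuer name, serial number, dates and reason code are constructed.

```python
# Added example: a relying party's CRL check, replayed across two CRL issues.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Tuple


@dataclass(frozen=True)
class Entry:
    serial: int
    revocation_date: datetime    # the date the CA asserts the cert stopped being valid
    reason: str                  # revocation reason code, by name


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime        # the CRL counts as valid until this time
    entries: Tuple[Entry, ...]


def status_at(crl: CRL, serial: int, t: datetime) -> str:
    """Status of a serial at time t according to this CRL: 'revoked' or 'good'.
    Note the answer depends on which CRL you hold, not only on t."""
    for entry in crl.entries:
        if entry.serial == serial and entry.revocation_date <= t:
            return "revoked"
    return "good"


def client_must_refresh(cached: CRL, now: datetime) -> bool:
    """The rule the slide criticizes: a cached CRL is used until its nextUpdate passes."""
    return now > cached.next_update


# Constructed timeline; the dates are made up for the example.
MON, TUE, WED, FRI = (datetime(2006, 2, 13) + timedelta(days=d) for d in (0, 1, 2, 4))
NEXT_MON = MON + timedelta(days=7)
SERIAL = 4711

# Monday's CRL: nothing revoked, good for a week.
CRL_MON = CRL("CN=Example CA", MON, NEXT_MON, ())
# Friday's CRL: the same cert revoked for key compromise, back-dated to Tuesday.
CRL_FRI = CRL("CN=Example CA", FRI, FRI + timedelta(days=7), (Entry(SERIAL, TUE, "keyCompromise"),))


def timeline() -> Dict[str, object]:
    """Replay the relying party's checks against the two CRLs."""
    return {
        # Wednesday: holding Monday's CRL, the relying party accepts the cert and completes a transaction.
        "wed_check_with_mon_crl": status_at(CRL_MON, SERIAL, WED),
        # Later, with Friday's CRL in hand, the same Wednesday question gets a different answer.
        "wed_check_with_fri_crl": status_at(CRL_FRI, SERIAL, WED),
        # On Friday a client still holding Monday's CRL has no reason to fetch the new one...
        "client_refreshes_on_fri": client_must_refresh(CRL_MON, FRI),
        # ...so it keeps accepting the compromised cert until Monday's CRL expires.
        "fri_check_with_cached_crl": status_at(CRL_MON, SERIAL, FRI),
        "refresh_after_next_update": client_must_refresh(CRL_MON, NEXT_MON + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for name, outcome in timeline().items():
        print(f"{name}: {outcome}")
```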

Page 81: CRLs vs. OCSP Responses

- Aggregation vs. Freshness
  - CRLs combine revocation information for many certs into one long-lived object
  - OCSP Responses designed for real-time responses to queries about the status of a single certificate
- Both CRLs & OCSP Responses are generated by the issuing CA or its designate. (Generally this is not the relying party.)

Page 82: Online Status Checking

- OCSP: Online Certificate Status Protocol
  - A way to ask “is this certificate good right now?”
  - Get back a signed response from the OCSP server saying, “Yes, cert C is good at time t”
    - Response is like a “freshness certificate”
- OCSP response is like a selective CRL
  - Client indicates the certs for which he wants status information
  - OCSP responder dynamically creates a lightweight CRL-like response for those certs

Page 83: OCSP in Action

(Diagram: the End-entity sends a Cert Request to the CA and receives its Cert. The End-entity then presents Cert + Transaction to the Relying Party; the Relying Party sends an OCSP Request for that Cert to the CA, receives an OCSP Response, and only then returns the Transaction Response to the End-entity.)

Page 84: Final thoughts on Revocation

- From a financial standpoint, it’s the revocation data that is valuable, not the issued certificate itself
  - For high-valued financial transactions, seller wants to know your cert is good right now
  - Same situation as with credit cards, where the merchant wants the card authorized right now at the point-of-sale
- Card authorizations transfer risk from merchant to bank – thus they’re worth $$$
  - Same with cert status checks

Page 85: Using Certificates

Most certificate uses do not require any sort of directory
  Only needed to locate someone else's certificate for encryption
Authentication protocols have the client present their certificate (or chain) to the server
  Ex: SSL, TLS, Smart card logon
  Rules for mapping a certificate to a user account vary widely
    Cert fields, name forms, binary compare
Signing operations embed the certificates with the signature
  How else would you know who signed it?
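One way to implement the mapping rules listed above (cert fields, name forms, binary compare), as an added example rather than anything from the slides: each rule is tried in order against a directory of accounts. The ParsedCert view, the account records and the issuer names are constructed for the example. Exact-match rules (a fingerprint of the encoded certificate, or issuer plus serial) break on every renewal; field-based rules survive renewal but must be restricted to issuers trusted to assert that name form, which the code enforces.

```python
"""Certificate-to-account mapping rules. Added example; ParsedCert is a constructed
parsed view of a certificate (the `der` bytes are placeholders, not real DER)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ParsedCert:
    der: bytes       # encoded certificate (placeholder bytes here)
    issuer: str
    serial: int
    subject: dict    # e.g. {"CN": "Alice"}
    san: tuple       # e.g. (("upn", "alice@corp.example"), ("email", "alice@corp.example"))


@dataclass(frozen=True)
class Account:
    name: str
    upn: str = ""
    email: str = ""
    pinned_fingerprint: str = ""       # binary compare: exactly one certificate
    pinned_issuer_serial: tuple = ()   # (issuer, serial): also exactly one certificate


def fingerprint(cert):
    return hashlib.sha256(cert.der).hexdigest()


def san_values(cert, kind):
    return {value.lower() for k, value in cert.san if k == kind}


def map_certificate(cert, accounts, trusted_issuers,
                    rules=("binary", "issuer_serial", "upn", "email")):
    """Try the rules in order; return (account name, rule) or raise LookupError.
    Field-based rules (upn, email) take the identity from inside the certificate, so
    they are consulted only for issuers trusted to assert that name form; otherwise
    any CA the client chains to could mint a certificate naming the victim."""
    for rule in rules:
        if rule == "binary":
            fp = fingerprint(cert)
            hits = [a for a in accounts if a.pinned_fingerprint == fp]
        elif rule == "issuer_serial":
            hits = [a for a in accounts if a.pinned_issuer_serial == (cert.issuer, cert.serial)]
        elif cert.issuer not in trusted_issuers:
            continue
        elif rule == "upn":
            names = san_values(cert, "upn")
            hits = [a for a in accounts if a.upn and a.upn.lower() in names]
        elif rule == "email":
            names = san_values(cert, "email")
            hits = [a for a in accounts if a.email and a.email.lower() in names]
        else:
            raise ValueError(f"unknown rule {rule!r}")
        if len(hits) > 1:   # a many-to-one name must not silently pick one account
            raise LookupError(f"ambiguous: rule {rule!r} matches {len(hits)} accounts")
        if hits:
            return hits[0].name, rule
    raise LookupError("no mapping rule matched")


# Constructed fixtures
CORP_CA = "CN=Corp Issuing CA"
ALICE_OLD = ParsedCert(b"der:alice:2022", CORP_CA, 41, {"CN": "Alice"}, ())   # no SAN
ALICE_NEW = ParsedCert(b"der:alice:2024", CORP_CA, 77, {"CN": "Alice"},
                       (("upn", "alice@corp.example"), ("email", "Alice@corp.example")))
ROGUE = ParsedCert(b"der:rogue", "CN=Some Other CA", 77, {"CN": "Alice"},
                   (("upn", "alice@corp.example"),))          # untrusted issuer, same name
CAROL_RENEWED = ParsedCert(b"der:carol:2024", CORP_CA, 56, {"CN": "Carol"},
                           (("upn", "carol@corp.example"),))
SHARED = ParsedCert(b"der:shared", CORP_CA, 90, {"CN": "Helpdesk"},
                    (("email", "helpdesk@corp.example"),))
ACCOUNTS = [
    Account("alice", upn="alice@corp.example", email="alice@corp.example",
            pinned_fingerprint=fingerprint(ALICE_OLD)),
    Account("carol", pinned_issuer_serial=(CORP_CA, 55)),   # pinned to the pre-renewal cert
    Account("helpdesk1", email="helpdesk@corp.example"),
    Account("helpdesk2", email="helpdesk@corp.example"),
]

if __name__ == "__main__":
    for c in (ALICE_OLD, ALICE_NEW, ROGUE, CAROL_RENEWED, SHARED):
        try:
            print(c.subject["CN"], "->", map_certificate(c, ACCOUNTS, {CORP_CA}))
        except LookupError as e:
            print(c.subject["CN"], "->", e)
```

Alice's old certificate maps by fingerprint and her renewed one by UPN; the rogue certificate carrying her UPN from an untrusted issuer maps to nothing, Carol's renewed certificate maps to nothing because her account is pinned to the old serial, and the shared helpdesk mailbox is refused as ambiguous rather than silently resolved to one of the two accounts.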

Page 86: Using Certificates (2)

X.509 and PKIX define the basic structure of certificates
  If you understand X.509, you can parse any certificate you're presented
However, every protocol defines a certificate profile for certificate use in that particular protocol
  Ex: TLS, S/MIME, IPSEC, WPA/WPA2
CAs/organizations define profiles too
  Ex: US DoD Common Access Card certs
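An added example (not from the slides) of the point that parsing a certificate is not the same as accepting it for a protocol: the same parsed certificate is checked against three profiles written for this example, each demanding the extended key usage, the subject alternative name form and the key usage bits the protocol needs. The EKU OIDs are the standard PKIX ones plus Microsoft's smart card logon OID; the profile contents themselves are simplified assumptions, and the certificates are constructed.

```python
"""Checking one parsed certificate against per-protocol profiles. Added example:
CertView is a constructed parsed view, and the profiles are simplified assumptions
(the widely required pieces only; real profiles say more). The OIDs are real."""
from dataclasses import dataclass

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"           # id-kp-serverAuth, RFC 5280
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"      # id-kp-emailProtection
SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft smart card logon
ANY_EKU = "2.5.29.37.0"                     # anyExtendedKeyUsage


@dataclass(frozen=True)
class CertView:
    subject_cn: str
    san: tuple                  # (("dns", host),), (("email", addr),), (("upn", name),) ...
    key_usage: frozenset        # KeyUsage bit names from RFC 5280
    ext_key_usage: tuple = ()   # EKU OIDs; empty tuple means the extension is absent


@dataclass(frozen=True)
class Profile:
    name: str
    eku: str              # key purpose the protocol needs
    san_type: str         # name form the protocol matches the peer against
    key_usage: frozenset  # KeyUsage bits the protocol's key operation needs


PROFILES = {
    "tls-server": Profile("tls-server", SERVER_AUTH, "dns", frozenset({"digitalSignature"})),
    "smime": Profile("smime", EMAIL_PROTECTION, "email", frozenset({"digitalSignature"})),
    "smartcard-logon": Profile("smartcard-logon", SMARTCARD_LOGON, "upn",
                               frozenset({"digitalSignature"})),
}


def check_profile(cert, profile):
    """Return the list of violations; an empty list means the cert fits this use.
    Every input here parses fine as X.509; only the profile decides acceptance."""
    problems = []
    if not cert.ext_key_usage:
        problems.append(f"extendedKeyUsage absent; profile requires {profile.eku}")
    elif profile.eku not in cert.ext_key_usage and ANY_EKU not in cert.ext_key_usage:
        # RFC 5280 4.2.1.12 also lets an application refuse anyExtendedKeyUsage and
        # insist on the specific purpose; this example accepts it
        problems.append(f"extendedKeyUsage lacks {profile.eku}")
    if not any(kind == profile.san_type for kind, _ in cert.san):
        note = " (CN alone is not matched by modern TLS clients)" if profile.san_type == "dns" else ""
        problems.append(f"no subjectAltName of type {profile.san_type}{note}")
    missing = profile.key_usage - cert.key_usage
    if missing:
        problems.append("keyUsage lacks " + ", ".join(sorted(missing)))
    return problems


def usable_for(cert):
    """Names of the profiles this certificate satisfies."""
    return [name for name, p in PROFILES.items() if not check_profile(cert, p)]


# Constructed certificates
WEB = CertView("www.example.com", (("dns", "www.example.com"), ("dns", "example.com")),
               frozenset({"digitalSignature", "keyEncipherment"}), (SERVER_AUTH,))
LEGACY_WEB = CertView("www.example.com", (), frozenset({"digitalSignature"}), (SERVER_AUTH,))
MAIL = CertView("Alice Example", (("email", "alice@example.com"),),
                frozenset({"digitalSignature", "keyEncipherment"}), (EMAIL_PROTECTION,))
SMARTCARD = CertView("Alice Example", (("upn", "alice@corp.example"),),
                     frozenset({"digitalSignature"}), (CLIENT_AUTH, SMARTCARD_LOGON))

if __name__ == "__main__":
    for label, c in (("web", WEB), ("legacy web", LEGACY_WEB), ("mail", MAIL), ("smartcard", SMARTCARD)):
        print(label, "fits", usable_for(c) or "nothing:", check_profile(c, PROFILES["tls-server"]))
```

Each constructed certificate fits exactly one profile, and the CN-only web certificate fits none: it parses, it even carries the right EKU, but the TLS profile matches hostnames against the SAN, so it is rejected for the one use it was issued for.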

Page 87: Additional Implementation Considerations

Publishing certificates
  How? Where? What format?
Key escrow / data recovery for encryption keys/certs
Auto-enrollment (users & machines)
Establishing trusts / hierarchies
Protecting private keys
Disseminating root certificates