INFS 766
Internet Security Protocols

Lecture 6
Digital Certificates

Prof. Ravi Sandhu

PUBLIC-KEY CERTIFICATES

- reliable distribution of public keys
- public-key encryption
  - sender needs the public key of the receiver
- public-key digital signatures
  - receiver needs the public key of the sender
- public-key key agreement
  - both need each other's public keys

© Ravi Sandhu 2000-2004

THE CERTIFICATE TRIANGLE

(figure: a triangle with vertices "user", "attribute" and "public-key"; the user to public-key edge is labelled "X.509 identity certificate", the user to attribute edge "X.509 attribute certificate", and the attribute to public-key edge "SPKI certificate")

X.509 CERTIFICATE

- VERSION
- SERIAL NUMBER
- SIGNATURE ALGORITHM
- ISSUER
- VALIDITY
- SUBJECT
- SUBJECT PUBLIC KEY INFO
- SIGNATURE

X.509 CERTIFICATE (example)

- VERSION: 0 (the encoded value 0 denotes v1)
- SERIAL NUMBER: 1234567891011121314
- SIGNATURE ALGORITHM: RSA+MD5, 512
- ISSUER: C=US, S=VA, O=GMU, OU=ISE
- VALIDITY: 9/9/99 - 1/1/1
- SUBJECT: C=US, S=VA, O=GMU, OU=ISSE, CN=Ravi Sandhu
- SUBJECT PUBLIC KEY INFO: RSA, 1024, xxxxxxxxxxxxxxxxxxxxxxxxx
- SIGNATURE
  (the MD5 hash and 512-bit RSA signing key in this 1999-era example are long since broken; a current verifier would reject such a certificate)

CERTIFICATE TRUST

- how to acquire the public key of the issuer in order to verify the signature
- whether or not to trust certificates signed by the issuer for this subject
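The two slides above are illustrated by the following added example, which is not lecture code: a miniature certificate carrying the X.509 fields just listed, issued by a CA and verified with the issuer's public key, as the CERTIFICATE TRUST slide requires. Textbook RSA over SHA-256 with small Mersenne primes and a "digest mod n" signature is a toy standing in for real PKCS#1/ECDSA signatures and DER encoding; the CA name and keys are constructed, and only the serial number and subject name are taken from the slide.

```python
# Added example (not from the lecture): a toy certificate with the slide's X.509
# fields, signed by the issuer and verified with the ISSUER's public key.
# Textbook RSA with small Mersenne primes and "sha256 mod n" is illustration
# only; real certificates use DER and PKCS#1 or ECDSA. Names/keys are made up.
import hashlib
import json


def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA from two given primes; returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def tbs_bytes(tbs):
    """Canonical serialisation of the to-be-signed part (stands in for DER)."""
    return json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()


def digest_int(data, n):
    # reduce the 256-bit digest into Z_n; real schemes pad the digest instead
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue(issuer_name, issuer_priv, serial, subject, subject_pub,
          not_before, not_after):
    """Build tbsCertificate from the slide's fields and sign it as the issuer."""
    tbs = {"version": 3, "serialNumber": serial,
           "signature": "toyRSA-with-SHA256", "issuer": issuer_name,
           "validity": [not_before, not_after], "subject": subject,
           "subjectPublicKeyInfo": list(subject_pub)}
    n, d = issuer_priv
    return {"tbsCertificate": tbs,
            "signatureValue": pow(digest_int(tbs_bytes(tbs), n), d, n)}


def verify(cert, issuer_pub):
    """The verifier needs the issuer's public key (out of band, or from the
    issuer's own certificate); the key inside this certificate is the subject's."""
    n, e = issuer_pub
    expected = digest_int(tbs_bytes(cert["tbsCertificate"]), n)
    return pow(cert["signatureValue"], e, n) == expected


# constructed keys: Mersenne primes keep the arithmetic instant
CA_PUB, CA_PRIV = toy_rsa_keypair(2**31 - 1, 2**61 - 1)
USER_PUB, USER_PRIV = toy_rsa_keypair(2**89 - 1, 2**107 - 1)
CA_NAME = "C=US, S=VA, O=GMU, OU=ISE"


def demo():
    """Self-signed CA certificate, a user certificate, and two failing checks."""
    ca_cert = issue(CA_NAME, CA_PRIV, 1, CA_NAME, CA_PUB,
                    "2024-01-01", "2030-01-01")
    user_cert = issue(CA_NAME, CA_PRIV, 1234567891011121314,
                      "C=US, S=VA, O=GMU, OU=ISSE, CN=Ravi Sandhu", USER_PUB,
                      "2024-01-01", "2025-01-01")
    tampered = json.loads(json.dumps(user_cert))          # deep copy
    tampered["tbsCertificate"]["subject"] = "C=US, S=VA, O=GMU, OU=ISSE, CN=Mallory"
    ca_key_from_cert = tuple(ca_cert["tbsCertificate"]["subjectPublicKeyInfo"])
    return {
        "root self-signed": verify(ca_cert, ca_key_from_cert),
        "user signed by CA": verify(user_cert, CA_PUB),
        "user checked with wrong key": verify(user_cert, USER_PUB),
        "tampered subject": verify(tampered, CA_PUB),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'valid' if ok else 'INVALID'}")
```

Note that the root certificate verifies with the key it carries (self-signed), which proves nothing about who holds that key; trusting the root is an out-of-band decision, exactly the first bullet of CERTIFICATE TRUST.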
PEM CERTIFICATION GRAPH

(figure: four-level graph. Top: IPRA, the Internet Policy Registration Authority. Second level, Policy Certification Authorities (PCAs): HIGH ASSURANCE, MID-LEVEL ASSURANCE, RESIDENTIAL, PERSONA. Third level, Certification Authorities (CAs): MITRE, GMU, Virginia, Anonymous, with ISSE below GMU and Fairfax below Virginia as subordinate CAs. Bottom level, Subjects: Abrams under MITRE, Sandhu under ISSE, Sandhu again under Fairfax, LEO under Anonymous)

CRL FORMAT

- SIGNATURE ALGORITHM
- ISSUER
- LAST UPDATE
- NEXT UPDATE
- REVOKED CERTIFICATES
  - SERIAL NUMBER
  - REVOCATION DATE
- SIGNATURE

PGP BOTTOM-UP TRUST MODEL

- How does Alice get Bob's public key?
  - directly from Bob through some secure channel (e.g., post, phone, floppy)
  - from Chuck, who is known to both Alice and Bob and introduces Bob to Alice
  - from a trusted certifying authority
- PGP has mechanisms to support these, and related, alternatives

X.509 CERTIFICATES

- X.509v1
  - very basic
- X.509v2
  - adds unique identifiers to protect against reuse of X.500 names
- X.509v3
  - adds many extensions
  - can be further extended

SEPARATE KEYS FOR SEPARATE PURPOSES

- RSA is the only widely deployed public-key cryptosystem in which the same public-private key pair can be used for both
  - digital signatures
  - encryption
- perceived as a major advantage, but the next two slides show that signature and encryption keys have conflicting lifecycle requirements and should be kept separate

SIGNATURE KEYS

- private key: must be private for its entire life, may never leave the smart card
  - needs to be securely destroyed after its lifetime
  - no need for backup or archiving (would conflict with the above)
  - no need to weaken or escrow due to law
- public key: must be archived, possibly for a long time, so that old signatures can still be verified


ENCRYPTION KEYS

- private key: backup or archive required for recovery of encrypted data
  - should not be destroyed after its lifetime
  - may be weakened/escrowed due to law
- public key:
  - no need to back up RSA or other encryption public keys
  - need to back up Diffie-Hellman key-agreement public keys (the shared secret cannot be recomputed without the peer's public key)

X.509 INNOVATIONS

- distinguish various certificates
  - signature, encryption, key agreement
- identification info in addition to the X.500 name
- names other than the X.500 name
  - email address
- issuer can state policy and usage
  - e.g., good enough for casual email but not good enough for signing checks
- limits on use of signature keys for further certification

X.509v3 EXTENSIONS

- X.509v3 is the same as X.509v2 but adds extensions
- provides a general extension mechanism
  - extension type: registered (as an object identifier) just like an algorithm is registered
  - standard extension types: needed for interoperability

X.509v3 EXTENSIONS CRITICALITY

- non-critical: an extension the certificate user does not understand can be ignored
  - an alternate name can be non-critical
- critical: the extension must not be ignored; a certificate user that does not recognise a critical extension must reject the certificate
  - a limit on use of signatures for further certification

X.509v3 EXTENSIONS CRITICALITY

- criticality is flagged by the certificate issuer
  - the certificate user may consider non-critical extensions more important than critical ones
  - the certificate user may refuse to use a certificate if some extensions are missing
- critical extensions should be few and should be standard

X.509v3 NAMES

- internet email address
- internet domain name
- web URI (URLs are a subset of URIs)
- IP address
- X.400 email address
- X.500 directory name
- registered identifier
- other name
X.509v3 STANDARD EXTENSIONS

- Key and policy information
- Subject and issuer attributes
- Certification path constraints
- Extensions related to CRLs
  - will be discussed with CRLs

KEY AND POLICY INFORMATION

- key usage
  - critical: the key is intended only for that purpose, limits liability of the CA
  - non-critical: advisory to help find the correct key, no liability implication
- private-key usage period
  - e.g., certificate valid for 2 years for verifying signatures
  - but the key valid for only one year for signing
- certificate policies
  - for CAs

SUBJECT AND ISSUER ATTRIBUTES

- Subject alternative names
- Issuer alternative names
- Subject directory attributes
  - whatever you like
  - position, phone, address etc.

CERTIFICATION PATH CONSTRAINTS

- Basic Constraints
  - can or cannot act as a CA
  - if it can act as a CA, a limit on the length of the certification path below it
    - encoded as pathLenConstraint: a value of 0 means this CA may issue end-entity certificates only and cannot certify other CAs
- Name Constraints
  - limits the names of subjects that this CA can issue certificates for
- Policy Constraints
  - concerned with CA policies
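The extension rules on the preceding slides (criticality, key usage, basic constraints with a path-length limit, name constraints) only bite when a certificate user walks a chain. The following added example, which is not lecture code, is a toy certification-path check over constructed certificate records that enforces all of them together. Certificates are plain dicts and no signatures are verified; a real validator also checks each signature with the issuer's key (see the earlier toy signing example) and consults CRLs or OCSP. Field names follow RFC 5280; the dict layout, the CA names and the host names are this example's own.

```python
# Added example (not from the lecture): toy X.509v3 path validation over
# constructed certificate dicts, enforcing criticality, basicConstraints with
# pathLenConstraint, keyUsage, nameConstraints, validity and name chaining.
# Signatures are NOT verified here. Field names follow RFC 5280; all names
# and the dict layout are made up for the example.
from datetime import datetime

KNOWN = {"basicConstraints", "keyUsage", "subjectAltName", "nameConstraints"}


def cert(subject, issuer, not_after, **exts):
    """Constructed certificate; each extension is name=(critical, value)."""
    return {"subject": subject, "issuer": issuer,
            "not_before": datetime(2024, 1, 1), "not_after": not_after,
            "ext": exts}


def value(c, name):
    return c["ext"].get(name, (False, None))[1]


def in_subtree(dns, subtrees):
    return any(dns == s or dns.endswith("." + s) for s in subtrees)


def validate_path(chain, anchor_subject, now):
    """chain[0] is the trust anchor, chain[-1] the end entity. -> (ok, reason)"""
    if chain[0]["subject"] != anchor_subject:
        return False, "trust anchor not recognised"
    budget = None       # intermediate CAs still allowed below (None = unlimited)
    permitted = None    # DNS subtrees imposed by earlier CAs (None = any name)
    for depth, c in enumerate(chain):
        who = c["subject"]
        # an unrecognised critical extension is fatal; a non-critical one is skipped
        for name, (critical, _) in c["ext"].items():
            if critical and name not in KNOWN:
                return False, f"{who}: unknown critical extension {name}"
        if not c["not_before"] <= now <= c["not_after"]:
            return False, f"{who}: not valid at {now:%Y-%m-%d}"
        if depth and c["issuer"] != chain[depth - 1]["subject"]:
            return False, f"{who}: issuer does not match previous subject"
        # name constraints set by an earlier CA bind this certificate's names
        for dns in value(c, "subjectAltName") or []:
            if permitted is not None and not in_subtree(dns, permitted):
                return False, f"{who}: name {dns} outside permitted subtrees"
        if depth == len(chain) - 1:
            continue                    # end entity: nothing is certified below it
        # whatever signs another certificate must be a CA allowed to keyCertSign
        bc = value(c, "basicConstraints")
        if not (bc and bc.get("ca")):
            return False, f"{who}: not a CA (basicConstraints)"
        ku = value(c, "keyUsage")
        if ku is not None and "keyCertSign" not in ku:
            return False, f"{who}: keyUsage lacks keyCertSign"
        # pathLenConstraint: each intermediate CA spends one unit of the budget;
        # pathLen=0 means "end-entity certificates only"
        if depth and budget is not None:
            if budget <= 0:
                return False, f"{who}: path length constraint exceeded"
            budget -= 1
        plen = bc.get("pathLen")
        if plen is not None and (budget is None or plen < budget):
            budget = plen
        nc = value(c, "nameConstraints")   # narrows what later certs may claim
        if nc:
            permitted = nc if permitted is None else [
                s for s in nc if in_subtree(s, permitted)]
    return True, "ok"


# constructed sample chain (names are made up)
NOW, FAR = datetime(2024, 6, 1), datetime(2030, 1, 1)
ROOT = cert("GMU Root CA", "GMU Root CA", FAR,
            basicConstraints=(True, {"ca": True, "pathLen": 1}),
            keyUsage=(True, ["keyCertSign", "cRLSign"]))
ISE = cert("GMU ISE CA", "GMU Root CA", FAR,
           basicConstraints=(True, {"ca": True, "pathLen": 0}),
           keyUsage=(True, ["keyCertSign", "cRLSign"]),
           nameConstraints=(True, ["ise.gmu.edu"]))
LEAF = cert("www.ise.gmu.edu", "GMU ISE CA", FAR,
            basicConstraints=(True, {"ca": False}),
            keyUsage=(True, ["digitalSignature"]),
            subjectAltName=(False, ["www.ise.gmu.edu"]))


def demo():
    """The good path and the classic failures a validator must catch."""
    def variant(base, **changes):      # copy a cert with some extensions replaced
        return dict(base, ext={**base["ext"], **changes})
    wrong_name = variant(LEAF, subjectAltName=(False, ["login.example.org"]))
    odd = variant(LEAF, **{"x-proprietary": (True, "opaque")})
    sub_ca = dict(variant(LEAF, basicConstraints=(True, {"ca": True}),
                          keyUsage=(True, ["keyCertSign"])), subject="Sub CA")
    below = cert("victim.ise.gmu.edu", "Sub CA", FAR,
                 subjectAltName=(False, ["victim.ise.gmu.edu"]))
    forged = cert("x.ise.gmu.edu", "www.ise.gmu.edu", FAR)   # leaf used as issuer
    run = lambda chain, now=NOW: validate_path(chain, "GMU Root CA", now)
    return {"good": run([ROOT, ISE, LEAF]),
            "name constraint": run([ROOT, ISE, wrong_name]),
            "unknown critical": run([ROOT, ISE, odd]),
            "path length": run([ROOT, ISE, sub_ca, below]),
            "leaf as issuer": run([ROOT, ISE, LEAF, forged]),
            "expired": run([ROOT, ISE, LEAF], datetime(2031, 1, 1))}
```

The "leaf as issuer" case is the one real-world validators have historically got wrong: a certificate without the cA flag in basicConstraints must never be accepted as an issuer, however valid its own signature is.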

CERTIFICATE REVOCATION LISTS

- CRLs issued periodically as per CA policy
  - off-cycle CRLs may also be needed
  - blank CRLs can be issued (an empty CRL still proves the CA is publishing on schedule)

CERTIFICATE REVOCATION LISTS

- CRL distribution
  - pull method
  - push method
- DMS example
  - pull method, with push for the compromised key list (CKL), which is broadcast via secure email; a single CKL for the entire system


CERTIFICATE REVOCATION LISTS

- immediate or real-time revocation
  - needs a query to the CA on every certificate use
  - maybe OK for small closed communities

REVOCATION TIME-LINE

(figure: a time-line marked, in order, Issue of CRL 1, Compromise Event, Revocation Request, Revocation Time, Issue of CRL 2; a certificate user holding only CRL 1 cannot learn of the revocation until CRL 2 is issued)

OCSP: ON-LINE CERTIFICATE STATUS PROTOCOL

- consult an authoritative server
- the server in turn can look up CRLs

SHORT-LIVED CERTIFICATES

- authorization certificates can be short-lived
  - minutes, hours, days instead of months, years
  - expiry then does the work that revocation would otherwise have to do

X.509 CRL EXTENSIONS

- General Extensions
- CRL distribution points
- Delta-CRLs
- Indirect-CRLs
- Certificate Suspension

GENERAL EXTENSIONS

- Reason Code
  - Key Compromise
  - CA Compromise
  - Affiliation changed
  - Superseded
  - Cessation of operation
  - Remove from CRL: deferred to Delta-CRLs
  - Certificate hold: deferred to Certificate Suspension
- Invalidity Date
  - when the key is known or suspected to have become bad; may be earlier than the revocation date
CRL DISTRIBUTION POINTS

- CRLs can get very big
  - version 1 CRL (1988, 1993)
    - each CA has two CRLs: one for end users, one for CAs
    - the end-user CRL can still be very big
  - version 2 CRL
    - can partition certificates, each partition associated with one CRL
    - distribution point
    - can also have different distribution points for different revocation reasons

CRL DISTRIBUTION POINTS

- certificate extension field: says where to look
- CRL extension field
  - distribution point for this CRL and limits on scope and reason of revocation
  - protects against substitution of the CRL from one distribution point for another

DELTA-CRLs

- Delta CRL indicator
  - the CRL only carries changes since the base CRL it names
- Remove from CRL reason code causes a purge from the base CRL (stored at the certificate user)
  - removal due to expiry of the validity period or restoration of a suspended certificate

INDIRECT-CRL

- CRL can be issued by a different CA than the issuer of the certificate
  - allows all compromise revocations to be on one list
  - allows all CA revocations to be on one list (simplifies certificate chasing)

CERTIFICATE SUSPENSION

- Certificate hold reason code in CRL
- Supporting CRL entry extension
  - Instruction code: instructions on what to do with a held certificate
    - e.g., call CA, repossess token

GENERAL HIERARCHICAL STRUCTURE

(figure: tree with root Z; children X, Y; grandchildren Q, R, S, T; CAs A, C, E, G, I, K, M, O; and end entities a through p at the leaves)
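The CRL slides above (reason codes and invalidity date, distribution points, delta-CRLs, certificate suspension) describe how a certificate user turns a stack of CRLs into a yes/no answer. The following added example, which is not lecture code, folds a delta CRL into its base CRL and then answers status queries, applying the removeFromCRL and certificateHold rules, the nextUpdate freshness check, the distribution-point scope check that blocks CRL substitution, and the invalidityDate. CRLs are constructed dicts under RFC 5280 field names; the CRL signature (which must be verified with the CRL issuer's key before any of this) and indirect CRLs are not modelled, and the issuer name and distribution-point URL are made up.

```python
# Added example (not from the lecture): certificate status from a base CRL plus
# a delta CRL, using the CRL fields and reason codes on the slides under their
# RFC 5280 names. CRLs are constructed dicts; signature checking and indirect
# CRLs are out of scope. Issuer name and distribution-point URL are made up.
from datetime import datetime, timedelta


def crl(issuer, number, this_update, next_update, entries, delta_of=None, dp=None):
    """delta_of = deltaCRLIndicator (crlNumber of the base this delta extends);
    dp = issuingDistributionPoint this CRL claims to cover (None = everything)."""
    return {"issuer": issuer, "crlNumber": number, "thisUpdate": this_update,
            "nextUpdate": next_update, "deltaCRLIndicator": delta_of,
            "issuingDistributionPoint": dp, "revoked": dict(entries)}


def entry(reason, revoked_at, invalid_at=None):
    return {"reason": reason, "revocationDate": revoked_at,
            "invalidityDate": invalid_at}


def apply_delta(base, delta):
    """Fold a delta CRL into the base CRL it names; returns the merged CRL."""
    if delta["deltaCRLIndicator"] != base["crlNumber"]:
        raise ValueError("delta CRL does not refer to this base CRL")
    if (delta["issuer"], delta["issuingDistributionPoint"]) != \
            (base["issuer"], base["issuingDistributionPoint"]):
        raise ValueError("delta and base differ in issuer or distribution point")
    merged = dict(base["revoked"])
    for serial, e in delta["revoked"].items():
        if e["reason"] == "removeFromCRL":
            # only a certificate on hold can be restored; other revocations are final
            if merged.get(serial, {}).get("reason") != "certificateHold":
                raise ValueError(f"removeFromCRL for {serial}, which is not on hold")
            del merged[serial]
        else:
            merged[serial] = e
    return crl(base["issuer"], delta["crlNumber"], delta["thisUpdate"],
               delta["nextUpdate"], merged, dp=base["issuingDistributionPoint"])


def check_status(current, serial, cert_dp, now, signing_time=None):
    """-> 'good', 'suspended', 'revoked:<reason>', 'signed-before-invalidity',
    or 'unusable:<why>' when this CRL must not be relied on at all."""
    if now > current["nextUpdate"]:          # never trust a stale CRL silently
        return "unusable:CRL is stale"
    # a partitioned CRL speaks only for the distribution point it names; this is
    # what stops an attacker substituting one partition's CRL for another's
    if current["issuingDistributionPoint"] not in (None, cert_dp):
        return "unusable:CRL scope does not cover this certificate"
    e = current["revoked"].get(serial)
    if e is None:
        return "good"
    if e["reason"] == "certificateHold":
        return "suspended"
    # invalidityDate: the key is believed bad only from this date, so a signature
    # made before it may still be accepted; whether to do so is local policy
    if signing_time is not None and e["invalidityDate"] is not None \
            and signing_time < e["invalidityDate"]:
        return "signed-before-invalidity"
    return f"revoked:{e['reason']}"


# constructed sample data
T0, DAY = datetime(2024, 6, 1), timedelta(days=1)
ISSUER, DP = "GMU ISE CA", "http://crl.ise.gmu.edu/ise.crl"
BASE = crl(ISSUER, 10, T0, T0 + 7 * DAY, {
    1001: entry("keyCompromise", T0, invalid_at=T0 - 2 * DAY),
    1002: entry("certificateHold", T0)}, dp=DP)
DELTA = crl(ISSUER, 11, T0 + DAY, T0 + 8 * DAY, {
    1002: entry("removeFromCRL", T0 + DAY),          # hold lifted
    1003: entry("affiliationChanged", T0 + DAY),
    1004: entry("certificateHold", T0 + DAY)}, delta_of=10, dp=DP)


def demo():
    current = apply_delta(BASE, DELTA)
    now = T0 + 2 * DAY
    other_dp = "http://crl.example.org/other.crl"
    return {
        "1001": check_status(current, 1001, DP, now),
        "1001 old signature": check_status(current, 1001, DP, now,
                                           signing_time=T0 - 5 * DAY),
        "1002": check_status(current, 1002, DP, now),
        "1003": check_status(current, 1003, DP, now),
        "1004": check_status(current, 1004, DP, now),
        "1005": check_status(current, 1005, DP, now),
        "1005 wrong partition": check_status(current, 1005, other_dp, now),
        "1005 stale CRL": check_status(current, 1005, DP, T0 + 30 * DAY),
    }
```

Serial 1002 shows the suspension round trip: on hold in the base CRL, restored by removeFromCRL in the delta, and therefore absent from the merged list. Serial 1001 shows why invalidityDate exists separately from the revocation date.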
GENERAL HIERARCHICAL STRUCTURE WITH ADDED LINKS

(figure: the same Z / X Y / Q R S T / A C E G I K M O / a to p tree, with additional links drawn between nodes)

TOP-DOWN HIERARCHICAL STRUCTURE

(figure: the same tree, with certification running only from the root Z downward)

PEM CERTIFICATION GRAPH

(same figure as the earlier PEM CERTIFICATION GRAPH slide)

SET CA HIERARCHY

(figure: Root at the top; below it three Brand CAs; below them Geo-Political CAs; then Bank and Acquirer CAs, issuing Customer and Merchant certificates respectively)

FOREST OF HIERARCHIES

(figure only; no further text on the slide)