Public Key Infrastructure

Public Key Infrastructure
(X509 PKI)
Marco Casassa Mont
Trusted E-Services Laboratory - HP Labs - Bristol
Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Outline
• Basic Problem of Confidence and Trust
• Background: Cryptography, Digital Signature,
Digital Certificates
• (X509) Public Key Infrastructure (PKI)
• (X509) PKI: Trust and Legal Issues

Confidence and Trust
Issues in the Digital
World

Basic Problem
Intranet
Extranet
Internet
Bob Alice
Bob and Alice want to exchange data in a digital world.
There are Confidence and Trust Issues …

Confidence and Trust Issues
• In the Identity of an Individual or Application
AUTHENTICATION
• That the information will be kept Private
CONFIDENTIALITY Intranet
Extranet
• That information cannot be Manipulated Internet
Alice
Bob
INTEGRITY
• That information cannot be Disowned
NON-REPUDIATION

Starting Point:
Cryptography

Starting Point: Cryptography
Cryptography
It is the science of making the cost of acquiring or altering
data greater than the potential value gained
Cryptosystem
It is a system that provides techniques for mangling a
message into an apparently intelligible form and than
recovering it from the mangled form
Plaintext Encryption Ciphertext Decryption Plaintext

Hello World &$*£(“!273 Hello World
Key Key
Cryptographic Algorithms
All cryptosystems are based only on three Cryptographic
Algorithms:
• MESSAGE DIGEST (MD2-4-5, SHA, SHA-1, …)
Maps variable length plaintext into fixed length ciphertext
No key usage, computationally infeasible to recover the plaintext
• SECRET KEY (Blowfish, DES, IDEA, RC2-4-5, Triple-DES, …)

Encrypt and decrypt messages by using the same Secret Key
• PUBLIC KEY (DSA, RSA, …)

Encrypt and decrypt messages by using two different Keys: Public Key,
Private Key (coupled together)
Cryptographic Algorithms based
on Private Key
Pros Private Key Private Key
• Efficient and fast Algorithm

• Simple model
 Provides Integrity, Confidentiality
Cons
• The same secret key must be shared by all the entities involved in the data exchange
• High risk
• It doesn’t scale (proliferation of secrets)
 No Authentication, Non-Repudiation

on Public Key
Pros
• Private key is only known by the owner: less risk
• The algorithm ensures Integrity and Confidentiality by encrypting with
the Receiver’s Public key
Intranet
Extranet
Internet
Bob Alice
Alice’s Public Key Alice’s Private Key

on Public Key
Pros
• The algorithm ensures Non-Repudiation by encrypting with
the Sender’s Private key
Intranet
Extranet
Internet
Bob Alice
Bob’s Private Key Bob’s Public Key

on Public Key
Cons
• Algorithms are 100 – 1000 times slower than secret key ones
They are initially used in an initial phase of communication and then
secrets keys are generated to deal with encryptions
• How are Public keys made available to the other people?
• There is still a problem of Authentication!!!
Who ensures that the owner of a key pair is really the person whose
real life name is “Alice”?
Intranet
Extranet
Internet Moving towards PKI …
Bob Alice

Digital Signature

Digital Signature
A Digital Signature is a data item that vouches the origin
and the integrity of a Message
• The originator of a message uses a signing key (Private Key) to sign the
message and send the message and its digital signature to a recipient
• The recipient uses a verification key (Public Key) to verify the origin of
the message and that it has not been tampered with while in transit
Intranet
Extranet
Internet
Bob Alice

Digital Signature
Message Message
Digest Digest
Hash Function Hash Function
Algorithm Algorithm
Digest
Public Key
Private Key Encryption Decryption
Signature Expected Actual

Digest Digest
Signer Channel Receiver

Digital Signature
There is still a problem linked to the

“Real Identity” of the Signer.
Why should I trust what the Sender claims to be?
Moving towards PKI …

Digital Certificate

Digital Certificate
A Digital Certificate is a binding between an entity’s
Public Key and one or more Attributes relating its Identity.
• The entity can be a Person, an Hardware Component, a Service, etc.
• A Digital Certificate is issued (and signed) by someone

- Usually the issuer is a Trusted Third Party
• A self-signed certificate usually is not very trustworthy

Digital Certificate
CERTIFICATE
Issuer
Subject
Subject Public Key
Issuer
Digital
Signature
Digital Certificate
Problems
• How are Digital Certificates Issued?
• Who is issuing them?
• Why should I Trust the Certificate Issuer?
• How can I check if a Certificate is valid?
• How can I revoke a Certificate?
• Who is revoking Certificates?
Moving towards PKI …

(PKI)

(PKI)
A Public Key Infrastructure is an Infrastructure

to support and manage Public Key-based
Digital Certificates

(PKI)
“A PKI is a set of agreed-upon standards, Certification
Authorities (CA), structure between multiple CAs,
methods to discover and validate Certification Paths,
Operational Protocols, Management Protocols,
Interoperable Tools and supporting Legislation”
“Digital Certificates” book – Jalal Feghhi, Jalil Feghhi, Peter Williams

(PKI)
Focus on:
• X509 PKI
• X509 Digital Certificates
 Standards defined by IETF, PKIX WG:
http://www.ietf.org/
… even if X509 is not the only approach (e.g. SPKI)

X509 PKI – Technical View
Basic Components:
• Certificate Authority (CA)
• Registration Authority (RA) “Provider” Side
• Certificate Distribution System
“Consumer” Side
• PKI enabled applications
X509 PKI – Simple Model
Certification
CA Entity
Cert. Request
Application Signed
Certificate
RA
Service Internet
Certs, Directory
CRLs
Remote Local
Person Person

X509 PKI
Certificate Authority (CA)
Basic Tasks:
• Key Generation
• Digital Certificate Generation
• Certificate Issuance and Distribution
• Revocation
• Key Backup and Recovery System
• Cross-Certification
X509 PKI
Registration Authority (RA)
Basic Tasks:
• Registration of Certificate Information
• Face-to-Face Registration
• Remote Registration
• Automatic Registration
• Revocation
X509 PKI
Certificate Distribution System
Provide Repository for:
• Digital Certificates
• Certificate Revocation Lists (CRLs)
Typically:
• Special Purposes Databases
• LDAP directories
Certificate Revocation List
Certificate Revocation List
Revoked Certificates
remain in CRL
until they expire

Certificate Revocation List (CRL)
• CRLs are published by CAs at well defined
interval of time
• It is a responsibility of “Users” of certificates to
“download” a CRL and verify if a certificate has
been revoked
• User application must deal with the revocation
processes
Online Certificate Status Protocol
(OCSP)
• An alternative to CRLs
• IETF/PKIX standard for a real-time check if a
certificate has been revoked/suspended
• Requires a high availability OCSP Server

CRL vs OCSP Server
Download CRL CRL

User CA
Directory CRL
Certificate IDs
to be checked Download
CRL
User OCSP CRL
CA
Answer about Server
Certificate States
Directory
OCSP
X509 PKI
PKI-enabled Applications
Functionality Required:
• Cryptographic functionality
• Secure storage of Personal Information
• Digital Certificate Handling
• Directory Access
• Communication Facilities
X509 PKI
Trust and Legal Issues

X509 PKI
Trust and Legal Issues
• Why should I Trust a CA?
• How can I determine the liability of a CA?

X509 PKI
Approaches to Trust and
Legal Aspects
• Why should I Trust a CA?
Certificate Hierarchies, Cross-Certification
• How can I determine the liability of a CA?
Certificate Policies (CP) and Certificate Policy
Statement (CPS)

X509 PKI
Approach to Trust
Certificate Hierarchies
and
Cross-Certification

CA Technology Evolution
CA CA CA CA Directory CA
Services
RA CA CA CA
RA RA Internet RA
RA RA Internet
Try to reflect
Real world Trust Models
LRA LRA

Simple Certificate Hierarchy
Root CA
Sub-CAs Each entity has its own certificate (and may

have more than one). The root CA’s certificate
is self signed and each sub-CA is signed by its
parent CA.
Each CA may also issue CRLs. In particular

the lowest level CAs issue CRLs frequently.
End Entities
End entities need to “find” a certificate path to
a CA that they trust.

Trusted
Simple Certificate Path
Root Alice trusts the root CA
Bob sends a message to Alice
Alice needs Bob’s certificate, the certificate of

the CA that signed Bob’s certificate, and so on
up to the root CA’s self signed certificate.
Alice also needs each CRL for each CA.
 Only then can Alice verify that Bob’s certificate

Alice Bob is valid and trusted and so verify the Bob’s
signature.

Cross-Certification and
Multiple Hierarchies
1
2 3
1. Multiple Roots
2. Simple cross-certificate
3. Complex cross-certificate
X509 PKI
Approach to Trust : Problems
Things are getting more and more

complex if Hierarchies and
Cross-Certifications are used

Cross-Certification and
Path Discovery
Trusted
Root
Trusted
Root

X509 PKI
Approach to Legal Aspects
Certificate Policy
And
Certificate Practice Statement

Certificate Policy (CP)
• A document that sets out the rights, duties and
obligations of each party in a Public Key
Infrastructure
• The Certificate Policy (CP) is a document which
usually has legal effect
• A CP is usually publicly exposed by CAs, for
example on a Web Site (VeriSign, etc.)
Certificate Policy (CP)
COMMUNITY &
POLICY OUTLINE
APPLICABILITY
RIGHTS, LIABILITIES
& OBLIGATIONS
CERTIFICATE &
CRL PROFILES CP
IDENTIFICATION &
AUTHENTICATION
TECHNICAL OPERATIONAL
SECURITY CONTROL REQUIREMENTS

Policy Issues (CP)
• Liability Issues
• Repository Access Controls
• Confidentiality Requirements
• Registration Procedures
- Uniqueness of Names
- Authentication of Users/Organisations
• Certificate Acceptance
• Suspension and Revocation (Online/CRL)
• Physical Security Controls
Certificate Policy Statement
(CPS)
• A document that sets out what happens in practice
to support the policy statements made in the CP
in a PKI
• The Certificate Practice Statement (CPS) is a
document which may have legal effect in limited
circumstances

Certificate Policy Statement
(CPS)
GENERAL
INTRODUCTION
PROVISIONS
IDENTIFICATION &
SPECIFICATION
AUTHENTICATION
ADMINISTRATION
CPS
CERTIFICATE & OPERATIONAL
CRL PROFILES REQUIREMENTS
TECHNICAL PHYSICAL,
SECURITY PROCEDURA
CONTROLS L&
PERSONNEL
IETF (PKIX) Standards
• X.509 Certificate and CRL Profiles
• PKI Management Protocols
• Certificate Request Formats
• CP/CPS Framework
• LDAP, OCSP, etc.
http://www.ietf.org/

Identity is Not Enough:
Attribute Certificates
IETF (PKIX WG) is also defining standards for Attribute
Certificates (ACs):
• Visa Card (Attribute) vs. Passport (Identity)
• Attribute Certificates specify Attributes associated
to an Identity
• Attribute Certificates don’t contain a Public key
but a link to an Identity Certificate

Public Key Infrastructure

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Public Key Infrastructure

Uploaded by

Copyright:

Available Formats

Public Key Infrastructure

Trusted E-Services Laboratory - HP Labs - Bristol

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Bob and Alice want to exchange data in a digital world.

There are Confidence and Trust Issues …

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Plaintext Encryption Ciphertext Decryption Plaintext

• SECRET KEY (Blowfish, DES, IDEA, RC2-4-5, Triple-DES, …)

• PUBLIC KEY (DSA, RSA, …)

Pros Private Key Private Key

• Efficient and fast Algorithm

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Plaintext Encryption Ciphertext Decryption Plaintext

Alice’s Public Key Alice’s Private Key

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Plaintext Encryption Ciphertext Decryption Plaintext

Bob’s Private Key Bob’s Public Key

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Private Key Encryption Decryption

Signature Expected Actual

Signer Channel Receiver

There is still a problem linked to the

Why should I trust what the Sender claims to be?

Moving towards PKI …

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

• The entity can be a Person, an Hardware Component, a Service, etc.

• A Digital Certificate is issued (and signed) by someone

• A self-signed certificate usually is not very trustworthy

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

A Public Key Infrastructure is an Infrastructure

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Interoperable Tools and supporting Legislation”

“Digital Certificates” book – Jalal Feghhi, Jalil Feghhi, Peter Williams

… even if X509 is not the only approach (e.g. SPKI)

• Certificate Distribution System

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

• Requires a high availability OCSP Server

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Download CRL CRL

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

• Why should I Trust a CA?

• How can I determine the liability of a CA?

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Sub-CAs Each entity has its own certificate (and may

Each CA may also issue CRLs. In particular

Public Key Infrastructure (PKI) HP Laboratories, Bristol, UK

Alice needs Bob’s certificate, the certificate of

Alice also needs each CRL for each CA.

 Only then can Alice verify that Bob’s certificate