Post on 18-Dec-2015
SEC390
A-to-Z of Public Key Infrastructure (PKI)
Rafal Lukawiecki
rafal@projectbotticelli.co.uk
www.projectbotticelli.co.uk
Strategic Consultant
Project Botticelli Ltd
2
Objectives
Explain the basics of PKI without concentrating on any particular product
Introduce commonly used terminology
Point out those aspects of PKI that require careful planning and implementation
Outline some social issues associated with PKI
3
Agenda
A Briefest Summary of Cryptography (upgrades you from level 220 to level 280)
8% subset of SEC290
Fundamentals of PKI (level 300 – you need to understand cryptography)
Recommendations on PKI Deployment (level 300)
Warning: this is another fast and furious A-to-Z type of a session. Attend at your own risk.
4
PKI
“Public Key Infrastructure provides the components and services that enable practical deployment and operation of a system that uses certificates.” A. Nash, “PKI”, RSA Press
PKI is a group of solutions for key distribution problems and other issues:
Key generation
Certificate generation, revocation, validation
Managing trust
I consider Web-of-Trust systems (e.g. PGP) as a perfectly alternative and compatible implementation of PKI
5
A Summary of Cryptography (6 Slides Only)
6
What is Really Secure?
Look for systems
From well-known parties
With published (not secret!) algorithms
That generate a lot of interest
That have been hacked for a few years
That have been analysed mathematically
Absolutely do not “improve” algorithms yourself
Employ someone to attempt a break-in
7
What Does Cryptography Solve?
Confidentiality: Your data/service provides no useful information to unauthorised people
Integrity: If anyone tampers with your asset it will be immediately evident
Authenticity: We can verify that asset is attributable to its authors or caretakers
Non-repudiation: The author or owner or caretaker of asset cannot deny that they are associated with it
Identity: We can verify who is the specific individual entity associated with your asset
8
Symmetric Key Cryptography
[Diagram: plain-text input (“The quick brown fox jumps over the lazy dog”) → Encryption → cipher-text → Decryption → plain-text output. The same key (shared secret) is used for both steps.]
9
Public Key Encryption
[Diagram: clear-text input (“The quick brown fox jumps over the lazy dog”) → Encryption with the recipient’s public key → cipher-text → Decryption with the recipient’s private key → clear-text output. Different keys are used for the two steps.]
10
Hybrid Encryption (Real World)
[Diagram: an RNG produces a randomly-generated symmetric “session” key. The message (“Launch key for nuclear missile “RedHeat” is...”) is encrypted with it using symmetric encryption (e.g. DES). The symmetric key is encrypted asymmetrically (e.g., RSA) with the user’s public key (in certificate) to form the digital envelope. As above, repeated for other recipients or recovery agents, using the other recipient’s or agent’s public key (in certificate) in recovery policy.]
11
Hybrid Decryption
[Diagram: the digital envelope contains the “session” key encrypted using the recipient’s public key. The session key must be decrypted using the recipient’s private key (asymmetric decryption of the “session” key, e.g. RSA). The symmetric “session” key is then used for symmetric decryption (e.g. DES) of the cipher-text, recovering the message (“Launch key for nuclear missile “RedHeat” is...”).]
12
Fundamentals of PKI
13
Is PKI relevant?
Who uses all of that stuff?
Web’s HTTP and other protocols (SSL)
VPN (PPTP, IPSec, L2TP…)
Email (S/MIME, PGP, Exchange KMS)
Files (W2K EFS, PGP and many others)
Web Services (WS-Security)
Good ID Smartcards (Certificates and Challenge/Response)
Executables (.NET Assemblies, Drivers, Authenticode)
Copyright protection (DRM)
…
14
Public Key Distribution Problem
We just solved the problem of symmetric key distribution by using public/private keys
But…
Scott creates a keypair (private/public) and quickly tells the world that the public key he published belongs to Bill
People send confidential stuff to Bill
Bill does not have the private key to read them…
Scott reads Bill’s messages
15
Eureka!
We need PKI to solve that problem
And a few others…
16
How to Verify a Public Key?
Two approaches:
1. Before you use Bill’s public key, call him or meet him and check that you have the right one
Fingerprint or hash of the key can be checked on the phone
2. Get someone you already trust to certify that the key really belongs to Bill
By checking for a trusted digital signature on the key
But there has to be one…
And you have to have friends to trust in first place…
17
Trust Models
Web-of-Trust (PGP)
Peer-to-peer model
Individuals digitally sign each other’s keys
You would implicitly trust keys signed by some of your friends
Trusted Authority + Path of Trust (CAs)
Everyone trusts the root Certificate Authority (Verisign, Thawte, BT etc.)
CA digitally signs keys of anyone having checked their credentials by traditional methods
CA may even nominate others to be CAs – and you would trust them automatically, too
18
Trust Models Issues and Future
Web-of-trust is more, erh, trustworthy
But it is time-consuming, requires lots of work and the general public doesn’t understand it
CAs tend to be a little bit like a big brother as we all have to trust them implicitly
But it is a simpler model, easier to deploy and manage
Combination strategy?
Let’s trust a CA that verifies keys by traditional strong methods and peer-to-peer recommendations
19
Creating a Digital Signature
[Diagram: a message or file (“This is a really long message about Bill’s…”) → hash function (SHA, MD5) → 128-bit message digest → asymmetric encryption with the signatory’s private key → digital signature.]
Calculate a short message digest from even a long input using a one-way message digest function (hash)
20
Verifying a Digital Signature
[Diagram: the digital signature goes through asymmetric decryption (e.g. RSA) with the signatory’s public key; the original message (“This is a really long message about Bill’s…”) goes through the same hash function (e.g. MD5, SHA…); the two resulting digests are compared: are they the same?]
Everyone has access to trusted public key of the signatory
21
Hash (Digest) Functions
MD5 and SHA
Just a hash value of between 128 bits (MD5) and 512 bits of key (SHA512)
Great support in .NET Framework and in CryptoAPI of Windows
Just don’t ever use any function with a 64-bit result
22
Message Authentication Codes
“MACs” – Combination of a hash function and a symmetric encryption
Integrity, authenticity but not non-repudiation
Must share the key!
HMAC
Digest + shared-secret encryption for up to 160 bit results
MACTripleDES
Encryption using 8, 16 or 24 bytes of TripleDES key on top of a hash
64 bit result (ouch!)
Both of the above implemented in .NET Fx
23
Certificates
The simplest certificate just contains:
Information about the entity that is being certified to own a public key
That public key
And all of this is
Digitally signed by someone trusted (like your friend or a CA)
24
X.509 Certificate
[Diagram: certificate layout]
Certificate Authority Digital Signature of All Components Together:
Serial Number
Issuer X.500 Distinguished Name
Validity Period
Subject X.500 Distinguished Name
Subject Public Key Information
Key/Certificate Usage
Extensions
OU=Project Botticelli…
The Key or Info About It
25
Authentication with Certificates
1. Melinda gets Bill’s certificate
2. She verifies its digital signature
She can trust that the public key really belongs to Bill
But is it Bill standing in front of her, or is that Scott?
3. Melinda challenges Bill to encrypt for her a phrase etc. she just made up (“I really need more shoes”)
4. Bill has, of course, the private key that matches the certificate, so he responds (“*&$^%£$&£fhsdf*&EHFDhd62^&£”)
5. Melinda decrypts this with the public key she has in the certificate (which she trusts) and if it matches the phrase she challenged Bill with then it must really be Bill himself!
By the way, that’s the basic concept of how SSL works
26
What’s in the Store?
Certificates are “safe”
No need to protect them too much, as they are digitally signed
Store anywhere, a file or a “dumb” memory-only smartcard
Private keys that match the public key are extremely vulnerable (key assets)
You must protect them well
Store in “Protected Storage” on your OS or a “smart” smartcard that will have crypto functionality on board
27
Certification Hierarchy
Most organisations do not use just one root key for signing certificates
Dangerous, if that one key is compromised
Does not scale to large organisations
Difficulty in managing responsibility
Certificate Hierarchies
Start with CA root cert
Create more keys (e.g. for BT, Microsoft etc.), sign with root key, mark as subordinate CAs
Create more levels in your organisation (for departments etc.)
Validating a cert possibly involves validating a path of trust
28
Certificate Validation
Essentially, this is just checking the digital signature
But
You may have to “walk the path” of all subordinate authorities until you reach the root
Unless you explicitly trust a subordinate CA
[Diagram: path of trust, where I = issuer and S = subject]
I: PB CA, S: Rafal
I: Xanadu Root, S: PB CA
I: Xanadu Root, S: Xanadu Root
Check DS of OCG CA
Check DS of Xanadu
“In Xanadu We Trust” (installed root CA certificate)
29
Certificate Revocation
Keys get compromised, as a fact of life
You or your CA issue a certificate revocation certificate
Must be signed by CA, of course
And you do everything you can to let the world know that you issued it
This is not easy
Certificate Revocation Lists (CRL) are used
They require that the process of cert validation actively checks the CRL and keeps it up-to-date
There are some scalability issues
Many people disable this function
That is why short expiration policies are important
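An added example, not part of the original slides: the path walk from the Certificate Validation slide combined with the CRL and expiry checks from this one, in Python. The toy Mersenne-prime RSA keys, the `Cert` fields, the serial numbers, the validity years and all function names are assumptions made for illustration; only the names Xanadu Root, PB CA and Rafal come from the slides.

```python
import hashlib
from dataclasses import dataclass
E = 65537  # public exponent shared by the toy keys

def toy_keypair(a, b):
    # Constructed demo key: textbook RSA over two Mersenne primes. Trivially
    # factorable and unpadded; it illustrates the checks and protects nothing.
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus, private exponent)

@dataclass
class Cert:
    serial: int
    issuer: str
    subject: str
    not_before: int  # validity period, in whole years for brevity
    not_after: int
    pub_n: int       # subject public key (RSA modulus)
    is_ca: bool
    sig: int = 0     # issuer's signature over all the fields above

    def digest(self):
        body = {k: v for k, v in vars(self).items() if k != "sig"}
        return int.from_bytes(hashlib.sha256(repr(body).encode()).digest(), "big")

def issue(cert, issuer_n, issuer_d):
    cert.sig = pow(cert.digest(), issuer_d, issuer_n)  # sign with the CA's private key
    return cert

def validate(leaf, intermediates, trusted, crl, now):
    """Walk from leaf towards an explicitly trusted CA; return (ok, reason)."""
    known = {c.subject: c for c in intermediates}
    cert = leaf
    for _ in range(8):  # bound the path length so a signing loop cannot hang us
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if (cert.issuer, cert.serial) in crl:  # CRL entry = (issuer, serial)
            return False, f"{cert.subject}: revoked"
        issuer = trusted.get(cert.issuer) or known.get(cert.issuer)
        if issuer is None or not issuer.is_ca:
            return False, f"{cert.subject}: no CA certificate for {cert.issuer}"
        if pow(cert.sig, E, issuer.pub_n) != cert.digest():
            return False, f"{cert.subject}: bad signature"
        if cert.issuer in trusted:
            return True, f"chains to trusted {cert.issuer}"
        cert = issuer
    return False, "path too long"

def demo_chain():  # constructed chain: Xanadu Root -> PB CA -> Rafal
    root_n, root_d = toy_keypair(521, 607)
    ca_n, ca_d = toy_keypair(1279, 2203)
    root = issue(Cert(1, "Xanadu Root", "Xanadu Root", 2000, 2020, root_n, True), root_n, root_d)
    pb_ca = issue(Cert(2, "Xanadu Root", "PB CA", 2002, 2010, ca_n, True), root_n, root_d)
    rafal = issue(Cert(7, "PB CA", "Rafal", 2003, 2004, 2**127 - 1, False), ca_n, ca_d)
    return root, pb_ca, rafal
```

Passing an empty `crl` reproduces the "many people disable this function" case: a revoked certificate then validates until its `not_after` year, which is why the slide asks for short expiration policies.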
30
Storing Certificates and Keys
Certificates need to be stored so that interested users can obtain them
Keys need to be stored for data recovery purposes
This weakens the system, but is a necessity
This is a function of most certificate servers such as certificate services in Windows 2003 Server
Those servers are also responsible for issuing, revoking, signing etc. of certs
31
Certificate Interchange
Two main routes:
Server-based store to the user
Protected local store or smartcard to the user
Microsoft dedicates a significant part of CryptoAPI to this function
It works well and you may need to use it for custom apps
PKCS #11 is an alternative interface used by Netscape
Certs are normally packaged in PKCS #11 (or #7) standard envelopes
All PKCS #s are results of work by RSA Labs related to IETF as part of X.509 PKI group (PKIX)
32
Developers: Which API?
CAPI (Crypto API, Cryptographic API) is the underlying API provided by the operating system
Mature
Not too easy to use
Good functionality
.NET Framework System.Security.Cryptography
Newer, but wraps some CAPI functions
Extremely easy to use
Not all needed functionality is present
33
.NET Framework API
Comprehensive cryptographic library
Easy, unified, stream-based architecture
System.Security.Cryptography
Open & extensible model (for new algorithms)
Some implementations just CAPI wrappers, some completely managed by .NET
Configuration classes for control
Streaming model for block algorithms
Supporting CBC (Cipher Block Chaining)
34
Crypto Object Model (subsection)
[Diagram: class hierarchy]
Abstract Base Classes (only one shown): SymmetricAlgorithm
Abstract Algorithm Classes: TripleDES, Rijndael, RC2
Algorithm Implementation Classes (fully implemented): TripleDESCryptoServiceProvider (CryptoAPI), RijndaelManaged (C#), RC2CryptoServiceProvider
35
Recommendations on PKI Deployment
36
CA Services
If you decide against web-of-trust, you need to make an important decision:
Use a well known CA
Your certs will be universally recognised but you are dependent on the trustworthiness of the CA
Establish your own CA
No one except your explicitly nominated partners or clients will recognise your certs but you are in full control
In addition, you may want to outsource CA services altogether
37
Identity Management Process
Consider using Windows Server 2003 as it integrates Active Directory management of users with PKI provisioning
Microsoft is investing heavily in identity management across directory boundaries
Between Active Directories
Between heterogeneous systems
38
Social Problem
Real-life certificates are well understood
What do you trust more: a passport or a driving license?
Digital certificates are a long way from public understanding
Is Verisign Class 1 better or worse than Class 5? What about BT Class 2 versus Thawte Class 3?
Easier if you just deploy internal PKI
Use real-life names, like “passport”, “company id” etc. if possible
39
Common Strength Recommendations (Jun 2003)
Item | Minimum | Recommended
Symmetric Key | 96 bits (avoid DES as it can do only 56, instead use AES-Rijndael or RC5) | 256 bits (Rijndael, RC5 128bits, not DES)
Asymmetric Key | 1024 (RSA) | 4096 (RSA)
ECC Key | 192 bits | 256 bits
Hash: SHA/MD5 | 128 bits (absolutely not 64 bits) | 256 bits or more
Common Cert Classes | Class 2 | Class 3 at least
40
Word About Smartcards
Most smartcards are “dumb”, i.e. they are only a memory chip
This is OK for a certificate store, but not recommended for storing a private key used in a challenge test (verifying identity)
Anyway, they are still better than leaving keys on a floppy disk
Cryptographically-enabled smartcards are more expensive but they give much more security
Private key is secure and used as needed
Additional protection (password, biometrics) is possible
Hardware implements some algorithms
Self-destruct is possible
41
Certificate Revocations
It is a good idea to prepare one in advance if possible!
Keep it really safe
Particularly important in web-of-trust systems in case you lose access to your private key
Please, please enable checking and updating of CRL (revocation list) on all of your systems
Apply numerous security patches – this was a particularly “patchy” area recently
42
Summary
Asymmetric encryption solved the extremely difficult problem of symmetric key exchange
It created a smaller, easier to solve problem of asymmetric key management…
Which is solved with PKI
Bringing additional benefits, such as trust and identity management
43
Resources and Reading
Visit www.microsoft.com/security
Review session slides on crypto & security
For more detail, read:
PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3
Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471-12845-7
Foundations of Cryptography, O. Goldreich, www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html
Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0-8493-8523-7
Cryptography in C and C++, M. Welschenbach, Apress, ISBN 1-893115-95-X (includes code samples CD)
© 2003 Microsoft Corporation & Project Botticelli Ltd. All rights reserved. This presentation is for informational purposes only. MICROSOFT AND PROJECT BOTTICELLI MAKE NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.