Introduction to Public Key Infrastructures

Johannes A. Buchmann • Evangelos Karatsiolis • Alexander Wiesmaier

Johannes A. Buchmann, FB Informatik, TU Darmstadt, Darmstadt, Germany

Evangelos Karatsiolis, FlexSecure GmbH, Darmstadt, Germany

Alexander Wiesmaier, AGT International, Darmstadt, Germany

ISBN 978-3-642-40656-0, ISBN 978-3-642-40657-7 (eBook), DOI 10.1007/978-3-642-40657-7. Springer Heidelberg New York Dordrecht London.

Library of Congress Control Number: 2013954524

© Springer-Verlag Berlin Heidelberg 2013 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Printed on acid-free paper

Springer is part of Springer Science+Business Media (www.springer.com)

Preface

More than 30 years ago, when the Internet was emerging, public key cryptography was invented. Traditionally, cryptography relied on the exchange of secret keys prior to any secure communication, which made the application of cryptography in open networks such as the Internet very difficult. In contrast, public key cryptography allows for secure communication between entities that have had no prior contact. Today, as the Internet has over two billion participants, this is extremely important. In addition, public key cryptography enables techniques that have no analogue in traditional cryptography, most importantly digital signatures. In fact, security on the Internet could not be achieved without digital signatures, as they are, for example, required to authenticate software downloads and updates. We are convinced that today and in the future, there is and will be no IT security without public key cryptography.

Although public key cryptography does not rely on the exchange of secret keys, proper key management is still of vital importance to its security. In public key cryptography, pairs of private and public keys are used. The first task of such key management is to keep private keys private. This is easier than protecting keys in traditional secret key cryptography, as there is no need to exchange private keys over insecure channels. But it is still an important challenge, since there are billions of computing devices with private keys stored on them. The second task is to guarantee the authenticity of public keys, which is as important as maintaining the secrecy of private keys. For example, if the public signature verification key of a software vendor could be replaced by the public key of an adversary, the software signatures would be of no use, since the adversary would be able to sign software in the name of the software vendor.

In order to fully understand public key cryptography, we therefore consider it necessary to study the infrastructures that manage key pairs in public key cryptography, the so-called public key infrastructures (PKIs). It is not sufficient to understand the ingenious mathematical mechanisms that underlie public key cryptography.

This book grew out of a PKI course at Technische Universität Darmstadt, Germany, which we have been teaching for several years and which complements the introductory course on cryptography. It is our goal to cover the important concepts underlying PKI and to discuss relevant standards, implementations, and applications. We have included several exercises in each chapter that help deepen the understanding of its content. The book can thus be used as the basis for a course on PKI and as a self-study book for students and others interested in PKI. Only basic computer science knowledge is required. By giving numerous references that point to the relevant standards and implementation guidelines, we hope to make the book useful for those who are involved in PKI projects.

While writing this book and working on PKI projects, it became clear to us that PKI is still a very important research and development area. While public key cryptography applications that do not require user interaction are widely used (e.g., code signing), security solutions that require users to be actively involved are not so widespread (e.g., email signature and encryption). Many say that this is because current PKI concepts are still too complicated. Also, in the recent past, several incidents have shown that PKI does not always deliver the required security. Therefore, PKI concepts are required that overcome these deficiencies. We also intend this book to aid researchers and developers in doing so.

We would not have been able to write this book without the help of many people, in particular the students who attended the PKI course that the book is based on. Johannes Braun, Martin A. Gagliotti Vigil, Patrick Schmidt, Marcus Lippert, and Ciaran Mullan helped develop the exercises and made many important comments. We also thank Ronan Nugent and Alfred Hofmann of Springer for their support.

Darmstadt, Germany, July 2013
Johannes A. Buchmann
Evangelos Karatsiolis
Alexander Wiesmaier

Contents

1 The Purpose of PKI ...... 1
1.1 The Internet ...... 1
1.2 Security Goals ...... 2
1.2.1 Confidentiality ...... 2
1.2.2 Integrity ...... 3
1.2.3 Entity Authentication ...... 3
1.2.4 Data Authenticity ...... 4
1.2.5 Non-repudiation ...... 5
1.2.6 Other Security Goals ...... 5
1.3 Cryptography ...... 5
1.3.1 Secret Key Encryption ...... 5
1.3.2 Public Key Encryption ...... 7
1.3.3 The RSA Public Key Cryptosystem ...... 8
1.3.4 Other Public Key Cryptosystems ...... 9
1.3.5 Hybrid Encryption ...... 10
1.3.6 Cryptographic Hash Functions and Message Authentication Codes ...... 11
1.3.7 Digital Signatures ...... 12
1.3.8 The RSA Signature Scheme ...... 13
1.3.9 Other Digital Signature Schemes ...... 14
1.4 Why Public Key Infrastructure? ...... 15
1.5 Identity-Based Public Key Cryptography ...... 16
1.6 Object Identifiers ...... 17
1.7 Exercises ...... 17
References ...... 18

2 Certificates ...... 21
2.1 The Concept of a Certificate ...... 21
2.2 X.509 Certificates ...... 22
2.2.1 Structure ...... 22
2.2.2 tbsCertificate ...... 24
2.2.3 signatureAlgorithm ...... 27
2.2.4 signatureValue ...... 27
2.3 X.509 Certificate Extensions ...... 27
2.4 Attribute Certificates ...... 31
2.5 CV Certificates ...... 31
2.6 PGP Certificates ...... 33
2.7 Other Certificates ...... 33
2.7.1 WAP Certificates ...... 34
2.7.2 SPKI Certificates ...... 34
2.7.3 Traceable Anonymous Certificate ...... 35
2.8 Exercises ...... 35
References ...... 37

3 Trust Models ...... 39
3.1 Direct Trust ...... 39
3.2 Web of Trust ...... 42
3.2.1 Key Ring ...... 44
3.2.2 Trust Signatures ...... 47
3.2.3 Probabilistic Trust Model for GnuPG ...... 48
3.3 Hierarchical Trust ...... 48
3.3.1 Basic Constraints ...... 50
3.4 Combining Trust Hierarchies ...... 51
3.4.1 Trusted Lists ...... 52
3.4.2 Common Root ...... 53
3.4.3 Cross-Certification ...... 56
3.4.4 Bridge ...... 56
3.5 Exercises ...... 58
References ...... 60

4 Private Keys ...... 61
4.1 Private Key Life Cycle ...... 61
4.2 Personal Security Environments ...... 62
4.3 Software PSEs ...... 63
4.3.1 PKCS#12 ...... 63
4.3.2 PKCS#8 ...... 64
4.3.3 Java KeyStore ...... 65
4.3.4 Application-Specific Formats ...... 65
4.4 Hardware PSEs ...... 68
4.4.1 Smart Cards ...... 68
4.4.2 Smart Card Readers ...... 69
4.4.3 Smart Card Communication Interfaces ...... 70
4.4.4 ...... 72
4.5 Exercises ...... 73
References ...... 73

5 Revocation ...... 75
5.1 Requirements ...... 75
5.2 Certificate Revocation Lists ...... 76
5.2.1 Basic Fields ...... 76
5.2.2 CRL Extensions ...... 79
5.2.3 Issuing Time of a CRL ...... 81
5.2.4 Delta CRLs ...... 82
5.2.5 Authority Revocation List ...... 83
5.2.6 Indirect CRLs ...... 83
5.3 Certificate Extensions Related to Revocation ...... 83
5.3.1 CRL Distribution Points ...... 83
5.4 OCSP ...... 84
5.4.1 Functionality ...... 84
5.4.2 Extensions ...... 86
5.4.3 Lightweight OCSP ...... 89
5.4.4 Design of an OCSP Server ...... 89
5.5 Other Revocation Mechanisms ...... 89
5.5.1 Novomodo ...... 89
5.5.2 Short-Lived Certificates ...... 90
5.6 Revocation in PGP ...... 90
5.7 Exercises ...... 91
References ...... 94

6 Validity Models ...... 95
6.1 The Shell Model ...... 95
6.2 The Chain Model ...... 97
6.3 The Modified Shell Model ...... 98
6.4 Exercises ...... 100
References ...... 101

7 Certification Service Provider ...... 103
7.1 Certificate Life Cycle ...... 103
7.1.1 Certificate Generation Phase ...... 103
7.1.2 Certificate Validity Phase ...... 104
7.1.3 Certificate Invalidity Phase ...... 104
7.2 Registration Authority ...... 105
7.3 Certification Authority ...... 107
7.4 Other Components ...... 108
7.5 Communication Within CSPs ...... 108
7.5.1 Cryptographic Protection of Messages ...... 108
7.5.2 Certificate Requests ...... 109
7.5.3 Complex Message Formats and Protocols ...... 112
7.6 Exercises ...... 115
References ...... 115

8 Certificate Policies ...... 117
8.1 Structure of Certificate Policies ...... 117
8.1.1 Certification Practice Statement ...... 119
8.2 Relevant Certificate Extensions ...... 119
8.2.1 Certificate Policies ...... 119
8.2.2 Policy Mappings ...... 119
8.2.3 Policy Constraints ...... 121
8.2.4 Inhibit anyPolicy ...... 121
8.3 Extended Validation Certificates ...... 122
8.4 Exercises ...... 122
References ...... 123

9 Certification Paths: Retrieval and Validation ...... 125
9.1 LDAP ...... 125
9.1.1 Storing Certificates ...... 126
9.1.2 Certificate Search ...... 129
9.1.3 Storing CRLs ...... 130
9.1.4 Security ...... 131
9.2 Other Certificate Retrieval Methods ...... 131
9.2.1 DNS ...... 131
9.2.2 HTTP ...... 132
9.2.3 Web Servers and FTP Servers ...... 132
9.2.4 WebDAV ...... 132
9.3 Certification Path Building ...... 132
9.4 Certification Path Validation ...... 134
9.4.1 Validation Algorithm ...... 135
9.5 Server-Based Certificate Validation Protocol (SCVP) ...... 137
9.6 Relevant Certificate Extensions ...... 138
9.6.1 Authority Information Access ...... 138
9.6.2 Subject Information Access ...... 139
9.7 Exercises ...... 140
References ...... 141

10 PKI in Practice ...... 143
10.1 Internet ...... 143
10.2 Email ...... 144
10.2.1 S/MIME ...... 145
10.2.2 PGP ...... 147
10.3 Code Signing ...... 152
10.4 VPN ...... 154
10.5 Legally Binding Electronic Signatures ...... 156
10.6 E-Government ...... 159
10.7 Exercises ...... 162
References ...... 163

A Basic Path Validation Algorithm ...... 165

Solutions to the Exercises ...... 173

Index ...... 187

Acronyms

AA Attribute Authority
ACL Access Control List
AES Advanced Encryption Standard
APDU Application Protocol Data Unit
API Application Programming Interface
ARL Authority Revocation List
ASN Abstract Syntax Notation
AKI Authority Key Identifier
BER Basic Encoding Rules
CA Certification Authority
CC Common Criteria
CD Compact Disc
CER Canonical Encoding Rules
CMC Certificate Management Messages over CMS
CMP Certificate Management Protocol
CMS Cryptographic Message Syntax
CPS Certification Practice Statement
CRL Certificate Revocation List
CRMF Certificate Request Message Format
CSP Certification Service Provider
CSP Cryptographic Service Provider
CT-API Card Terminal Application Programming Interface
CVC Card Verifiable Certificate
DER Distinguished Encoding Rules
DES Data Encryption Standard
DIT Directory Information Tree
DN Distinguished Name
DNS Domain Name System
DSA Digital Signature Algorithm
DVD Digital Video Disc
EBCA European Bridge CA
ECB Electronic Code Book
ECDSA Elliptic Curve Digital Signature Algorithm
EEPROM Electrically Erasable Programmable Read Only Memory
EFS Encrypting File System
EV Extended Validation
FINREAD Financial Transactional IC Card Reader
FIPS Federal Information Processing Standard
FTP File Transfer Protocol
GNU GNU's Not Unix
GPG Gnu Privacy Guard
GSM Global System for Mobile Communications
HSM Hardware Security Module
HTTP Hypertext Transfer Protocol
IBE Identity-Based Encryption
ICC Integrated Circuit Card
ICT Information and Communication Technology
IETF Internet Engineering Task Force
IP Internet Protocol
ISP Internet Service Provider
ITSEC Information Technology Security Evaluation Criteria
ITU International Telecommunication Union
JCRE Java Card Runtime Environment
JCA Java Cryptography Architecture
JCE Java Cryptography Extension
JCEKS Java Cryptography Extension KeyStore
JKS Java KeyStore
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LRA Local Registration Authority
MAC Message Authentication Code
MIME Multipurpose Internet Mail Extensions
OC Object Class
OCF OpenCard Framework
OCSP Online Certificate Status Protocol
OID Object Identifier
OS Operating System
PAM Pluggable Authentication Module
PCI Peripheral Component Interconnect
PC Personal Computer
PC/SC Personal Computer/Smart Card
PEM Privacy Enhanced Mail
PER Packed Encoding Rules
PGP Pretty Good Privacy
PIN Personal Identification Number
PKCS Public Key Cryptography Standards
PKI Public Key Infrastructure
PKC Public Key Cryptography
PMI Privilege Management Infrastructure
PoP Proof of Possession
PSE Personal Security Environment
PRNG Pseudorandom Number Generator
PUK Personal Unblocking Key
RA Registration Authority
RDN Relative Distinguished Name
RFC Request for Comments
ROM Read Only Memory
SASL Simple Authentication and Security Layer
SCVP Server-Based Certificate Validation Protocol
SHA Secure Hash Algorithm
SIM Subscriber Information Module
SKI Subject Key Identifier
SMTP Simple Mail Transfer Protocol
SPKI Simple Public Key Infrastructure
SSH Secure Shell
SSL Secure Socket Layer
TBS To Be Signed
TCP Transmission Control Protocol
TCP/IP Transmission Control Protocol/Internet Protocol
TSA Time-Stamping Authority
TSL Trust-Service Status List
TSP Time-Stamp Protocol
TLS Transport Layer Security
TOE Target of Evaluation
URI Uniform Resource Identifier
USB Universal Serial Bus
UML Unified Modeling Language
VPN Virtual Private Network
W3C World Wide Web Consortium
WAP Wireless Application Protocol
WebDAV Web-Based Distributed Authoring and Versioning
WLAN Wireless Local Area Network
XER XML Encoding Rules
X-KISS XML Key Information Service Specification
XKMS XML Key Management Specification
X-KRSS XML Key Registration Service Specification
XML Extensible Markup Language