A Concise History of Public Key Infrastructure

Home , Public key certificate, RSA (cryptosystem), RSA Security, Shared secret, Taher Elgamal

DEVELOPING AND CONNECTING ISSA CYBERSECURITY LEADERS GLOBALLY A Concise History of Public Key Infrastructure

Jeff Stapleton – ISSA member, Fort Worth, USA Chapter

The author explores the history of Public Key Infrastructure from the viewpoint of its more significant technical publications.

rom a technical per- spective a public key F infrastructure (PKI) includes cryptographic algorithms, schemes, and protocols. Cryptography includes symmetric, asymmetric, and hash algorithms. Schemes include data structures and com- binations of cryptographic algorithms and data-encoding rules. Protocols include message for- mats, data flows, response codes, and er- ror handling. In addition to technology a PKI also includes both legal and operational issues. Figure 1 – PKI Time Line Legal aspects include warranties, liabilities, and juris- dictional law. Operational models include policy, practices, For more information regarding the history of cryptography, and procedures. One way of looking at the history of PKI is refer to either Wikipedia – History of Cryptography [2] or from the viewpoint of its more significant technical publica- David Kahn’s book, The Codebreakers [3]. tions. The first publicly published PKI paper was the Whitfield As a technology, the earliest known use of cryptography be- Diffie and Martin Hellman key agreement protocol in 1976, gan as a priesthood character substitution method for Egyp- “New Directions in Cryptography,” also called exponential tian hieroglyphics almost 4,000 years ago, exceeded by the key agreement [4]. Some of the earlier classified works on Mesopotamian invention of writing over 6,000 years ago [1]. public key cryptography have since been de-classified. The Modern cryptography essentially began during the Second second public publication was the Ronald Rivest, Adi Shamir, World War. For the purposes of this article the PKI time line and Leonard Adleman (the R, the S and the A) paper in 1978, begins in the 1970s and shows a progression of publication “A Method for Obtaining Digital Signatures and Public Key dates for various asymmetric algorithms, schemes, and pro- Cryptosystems” [5]. During this same time period in 1977, tocols. The publication dates for three major symmetric algo- the Data Encryption Standard (DES) was published by the rithms, namely DES, TDES and AES, are also provided as a National Institute of Standards and Technology (NIST) as counterpoint to public key cryptography. Certainly not every FIPS PUB 46 [6]. Today, RSA is still the predominant key cryptographic paper, standard, or specification is represented transport scheme and digital signature algorithm; and Diffie- on the time line, but for the purposes of this article the more Hellman is the principal key agreement scheme in use today. significant publications are listed. The next significant publication was by Taher Elgamal in 1984, “A Public Key Cryptosystem and a Signature Scheme

Based on Discrete Logarithms” [7]. The Elgamal digital sig- which is a component of the Secure Socket (SSL) protocol. nature algorithm eventually became the basis for the Digital The largest segment of issued certificates is for SSL connec- Signature Algorithm (DSA) published by NIST as FIPS PUB tions, many of which are used to protect financial services. 186 in 1993 [8]. Elliptic Curve Cryptography (ECC) was inde- SSL was developed by Netscape, with SSL v2.0 released in pendently developed in the mid-1980s by Victor S. Miller in 1995, followed by several upgrades concluding with v3.0 re- 1985, “Use Of Elliptic Curves In Cryptography,” [9] and Neal leased in 1997 [15]. The Transport Layer Security (TLS) v1.0 Koblitz in 1987, “Elliptic Curve Cryptosystems” [10]. As pub- [16] was published by the IETF in 1999 as an upgrade to SSL lic key sizes continue to get larger and the global proliferation v3.0. The two protocols are not interoperable, but since most of resource-constraint mobile platforms continue to grow, implementations support both, it is a common practice to re- ECC implementations are likewise increasing. fer to secure tunneling as SSL/TLS. The current TLS v1.3 [19] The International Telecommunication Union – Telecommu- was published in 2010; however, few implementations offer nication (ITU-T, formerly the CCITT) standardization sec- TLS v1.1 [17] much less later versions [18]. The combination of tor in 1988 published the X.509 “Information Technology the authentication hashing algorithm (HMAC), the symmet- – Open Systems Interconnection – The Directory: Authen- ric encryption algorithm (e.g., DES, TDES, AES), and the key tication Framework” [11]. This standard established the pre- establishment algorithms (e.g., RSA, Diffie-Hellman) are de- sumption of a Certificate Authority (CA) to issue public key fined as cipher suites. Each version has subsequently deleted certificates, also called digital certificates. The primary -com weaker cipher suites and added stronger ones. ponents of the certificate are the subject, the subject’s public Correspondingly, the RSA Security Corporation in the late key, the CA, and the CA’s digital signature. The CA’s digital 1990s held a series of DES Challenges designed to determine signature provides a cryptographic binding of the subject, the the feasibility of an exhaustive key attack [20]. The DES II subject’s public key, and the issuing CA. The cryptographic Challenge was completed in 1997 by finding a random DES binding also represents a warranty and liability by the issuing key in 140 days using approximately 10,000 Internet-coor- CA that the public key belongs to the subject. dinated workstations. Two years later the DES III Challenge Most CA systems are hierarchal in nature such that the public [21] was completed in 1999 in 22¼ hours using approximately key of the issuer CA is in another certificate issued by a su- 100,000 Internet-coordinated workstations and a specially perior CA, and so on, to a topmost root CA. Figure 2 shows built computer called DeepCrack, built by the Electronic Free- an example certificate chain consisting of the subscriber cer- dom Frontier [22]. Consequently DES was expanded to Triple tificate, the CA-sub2 certificate, the CA-sub1 certificate, and DES (TDES), published as the American National Standard the self-signed CA-Root certificate. The root CA public key, X9.52 in 1998 [23], and NIST began the search for the Ad- also called a trust anchor, is typically in a self-signed cer- vanced Encryption Algorithm (AES) which was completed tificate that is provided to relying parties through a separate in 2001 and published as FIPS 197 [24]. Similar challenges trust channel. For example, root CA certificates are stored in have been conducted for RSA to factor composite numbers into their elemental prime numbers. As Moore’s Law [25] and newer technologies such as quantum computing continue to erode legacy cryptography, the overall impact to PKI is the evo- lution of stronger cryptographic solutions. At the same time SSL was being developed, the credit card brands Visa and MasterCard began their own at- tempts at securing Internet payments. Eventually the two brands agreed on the common specification “Secure browsers from the manufacturer, and while other root CA Electronic Transaction” (SET) published in 1997 [26]. SET certificates and whole certificate chains can be added by the was designed to encrypt transactional data at the consumer user, the trust model is primarily based on the existing trust computer and allow online merchants to only access the or- anchors. der data and online processors to only access the payment Figure 2 – Certificate Chain data. Consumers, merchants, and payment processors were In order for the CA to sign a certificate, it not only needs a all issued certificates. However, consumer certificates were digital signature algorithm, it also needs a hash algorithm. optional, and payment data was allowed for large merchants Ron Rivest published the Message Digest (MD4 and MD5) who performed their own credit card clearing and settle- algorithms in 1990 [12] and 1992 [13], respectively, and NIST ment. Consequently, the minimal security provided by SET published the Secure Hash Algorithm (SHA) in 1993 as FIPS was similar to SSL, and since SSL deployment was cheaper 180 [14] in parallel with FIPS 186 DSA [8]. NIST has subse- and more manageable for merchants, SSL became the preva- quently updated both the DSA and SHA. Hash algorithms are lent Internet payment solution. Eventually SET was formally also used for Hashed Message Authentication Code (HMAC) decommissioned in 2008.

SSL and TLS support several key establishment schemes for an internal proxy service. The subject in the MITM certifi- the symmetric keys which are used for data encryption and cate is the external website, but the public key belongs to the HMAC. Diffie-Hellman is a key agreement method where employer. the client and server exchange public keys used to calculate a shared secret which is then used to derive the symmetric Conclusion keys. RSA is a key transport method where the client gen- The past 35 years of PKI history is a mere blip of the 4,000 erates a random symmetric key and sends it to the server, year history of cryptography. There are many other PKI encrypted using the server’s public key. RSA key transport schemes including Virtual Private Network (VPN), Identity only requires that the server has a public key certificate; client Based Encryption (IBE) [32], and Secure Shell (SSH) [33] not certificates are not required. Consequently, RSA is the pre- discussed in this article. The use of PKI continues to grow dominant method. in such areas using extended markup language (XML) based When the client receives the SSL certificate from the server, messaging and federated identity such as Security Assertion it validates the certificate chain to the trusted root CA stored Markup Language (SAML) [34]. Assuredly academia research in the browser. The trust model is based on the presumptions continues unabated in the field of cryptography and technol- that the CA authenticates the server when a certificate re- ogy companies continue to file for new PKI patents. PKI is in quest is submitted, and that the CA manages itself in a secure its infancy, and the next generation of PKI, in whatever form manner. In 2011 several independent CAs were reported to it takes, will be an interesting sequence of events to watch and have been compromised, including Comodo [27], DigiNotar hopefully participate. PKI 2.0 may include new types of algo- [28], and GlobalSign [29]. The compromises allowed hackers rithms, mobile schemes, enhanced protocols, and hardware- to issue counterfeit certificates for another subject. Thus the based security elements. hacker’s public key in the certificate appeared to belong to a References legitimate organization. The issues around CA compromises 1. Wikipedia – History of Writing, http://en.wikipedia.org/wiki/His- have been summarized in the 2012 “NIST ITL Bulletin” [31]. tory_of_writing. A similar uncertainty occurs when an organization issues 2. Wikipedia – History of Cryptography, http://en.wikipedia.org/wiki/ History_of_cryptography. man-in-the-middle (MITM) certificates [30] to monitor its 3. David Kahn, The Codebreakers, Scribner (1967), ISBN-10 0684831309. employees. In this scenario, employees browsing an external website using an SSL connection are actually connected to PROTECT, DETECT & DEFEND AGAINST CYBER CRIME

Build specialized career-advancing strengths in fighting cyber crime with these online degree programs:

M.S. in Cybersecurity with Specializations in: • Intelligence • Forensics

B.S. in Cybersecurity with Concentrations in: • Cybercrime Investigations and Forensics • Information Assurance

CALL: 315.732.2640 VISIT: www.onlineuticacollege.com/ECJS

4. “New Directions in Cryptograph,” Whitfield Diffie and Martin Hell- 22. “Cracking DES: Secretes of Encryption Research, Wiretap Politics, and man, IEEE Transactions on Information Theory, 1976. Chip Design,” Electronic Freedom Foundation (EFF), ISBN 1-56592- 5. Ronald Rivest, Adi Shamir, and Leonard Adleman, “A Method for 520-3, 1998. Obtaining Digital Signatures and Public Key Cryptosystems,” Com- 23. ANSI X9.52-1998 Triple Data Encryption Algorithm Modes of Opera- munications of the ACM, 1978. tion (withdrawn). 6. Federal Information Processing Standard (FIPS) Publication 46, The 24. Federal Information Processing Standard (FIPS) Publication 197, The Data Encryption Standard (DES), 1977. Advanced Encryption Standard (AES), 2001. 7. Taher Elgamal, “A public key cryptosystem and a signature scheme 25. Wikipedia – Moore’s Law, http://en.wikipedia.org/wiki/Moore’s_law. based on discrete logarithms,” IEEE Transactions on Information 26. Secure Electronic Transaction (SET) Specification, 1997. Theory, 1984. 27. Comodo Blogs, “The Recent RA Compromise,”http://blogs.comodo. 8. Federal Information Processing Standard (FIPS) Publication 186, The com/it-security/data-security/the-recent-ra-compromise/. Digital Signature Standard (DSS), 1993. 28. Wikipedia – DigiNotar, http://en.wikipedia.org/wiki/DigiNotar. 9. Victor S. Miller, “Use Of Elliptic Curves In Cryptography,” CRYPTO 29. Wikipedia – GlobalSign, http://en.wikipedia.org/wiki/GlobalSign. 85, 1985. 30. Bugzilla@Mozilla, “Bug 724929, Remove Trustwave Certificate(s) 10. Neal Koblitz, “Elliptic Curve Cryptosystems,” Mathematics of Compu- from trusted root certificates,” https://bugzilla.mozilla.org/show_bug. tation, 1987. cgi?id=724929. 11. ITU-T Recommendation X.509, “Information Technology - Open 31. NIST ITL Bulletin, “Preparing for and Responding to Certification Systems Interconnection - The Directory: Authentication Framework,” Authority Compromise and Fraudulent Certificate Issuance,” 2012. 1988. 32. Dan Boneh and Matthew Franklin, “Identity-Based Encryption from 12. Ron Rivest, “The MD4 Message Digest Algorithm,” IEFT Network the Weil Pairing,” SIAM J. of Computing, 2003. Working Group RFC 1320, 1990. 33. “The Secure Shell (SSH) Authentication Protocol,” IETF Network 13. Ron Rivest, “The MD5 Message Digest Algorithm,” IETF Network Working Group RFC 4252, 2006. Working Group RFC 1321, 1992. 34. OASIS Security Assertion Markup Language (SAML), 2002, 2003, 14. Federal Information Processing Standard (FIPS) Publication 180, The 2005, https://www.oasis-open.org/committees/tc_home.php?wg_ Secure Hash Standard, 1993. abbrev=security. 15. The SSL Protocol, Netscape Corporation, 1997. 16. “The Transport Layer Security (TLS) Protocol Version 1.0,” IETF Net- work Working Group RFC 2246, 1999. About the Author 17. “The Transport Layer Security (TLS) Protocol Version 1.1,” IETF Net- Jeff Stapleton and has over 25 years expe- work Working Group RFC 4346, 2006. rience in the cryptography, security, and 18. “The Transport Layer Security (TLS) Protocol Version 1.2,” IETF Net- financial industries. He has participated work Working Group RFC 5246, 2008. in developing dozens of ISO and X9 Amer- 19. “The Transport Layer Security (TLS) Protocol Version 1.3,” IETF Net- work Working Group RFC 5746, 2010. ican National Standards for information 20. Wikipedia – “DES Challenges,” http://en.wikipedia.org/wiki/DES_ security for over 20 years and is chair of Challenges. the X9F4 working group that develops 21. RSA Laboratories – “DES Challenge III,” http://www.rsa.com/rsalabs/ node.asp?id=2108. standards for cryptographic protocols and application security. He has been an ISSA member for many years. You can reach him at [email protected].