Public Key Infrastructure
Public Key Infrastructure (PKI)
Neil F. Johnson [email protected] http://ise.gmu.edu/~csis
Assumptions
• Understanding of
  – Fundamentals of Public Key Cryptosystems
  – Hash codes for message digests and integrity check
  – Digital Signatures
Copyright 1999, Neil F. Johnson 1 Public Key Infrastructure
Overview
• Public Key Cryptosystems
  – Quick review
  – Cryptography
  – Digital Signatures
  – Key Management Issues
• Certificates
  – Certificate Information
  – Certificate Authority
  – Track Issuing a Certificate
• Putting it all together
  – PKI applications
  – Pretty Good Privacy (PGP)
  – Privacy Enhanced Mail (PEM)
Public Key Cryptosystems – Quick Review
• Key distribution problem of secret key systems
  – You must share the secret key with another party before you can initiate communication
  – If you want to communicate with n parties, you require n different keys
• Public key cryptosystems solve the key distribution problem of secret key systems (provided a reliable channel for communication of public keys can be implemented)
• Security is based on the infeasibility of computing B’s private key given knowledge of
  – B’s public key,
  – chosen plaintext, and
  – maybe chosen ciphertext
[Figure: Key Distribution. With secret keys, every pair among Alice, Bob, Chris, David and Ellie needs its own shared key, n(n-1)/2 keys in all; with public keys, one directory of public keys (certificates) serves everyone.]
[Figure: Public Key Cryptosystem. Plaintext goes through the encryption algorithm under Bob’s PUBLIC key, the ciphertext crosses the INSECURE CHANNEL, and the decryption algorithm recovers the plaintext with Bob’s PRIVATE key. Bob’s public key is obtained over a reliable channel from the directory of public keys (certificates).]
[Figure: Digital Signature. Plaintext is signed with Alice’s PRIVATE key, the signed plaintext crosses the INSECURE CHANNEL, and the verify algorithm checks it with Alice’s PUBLIC key, obtained over a reliable channel from the directory of public keys (certificate).]
How a Digital Signature Works
SENDER
• Calculate the hash of the message
• Sign the hash with Alice’s private key
• Combine the plaintext message with the signed hash
• Send the combined message to the receiver (Bob)
RECEIVER
• Separate the signed hash and the plaintext message
• Calculate a new hash of the message
• Verify the signed hash with Alice’s public key
• Compare the original hash with the new hash (they should match)
Digital Signature and Encryption (sender)
[Figure: sender-side data flow, using Alice’s PRIVATE key and Bob’s PUBLIC key from the public keys directory (reliable channel)]
• H = Hash(M)
• S = Sign(H) with Alice’s PRIVATE key
• SM = Combine S + M (signed plaintext)
• C = Encrypt(SM, K) with a secret key K
• E = Encrypt K with Bob’s PUBLIC key
• CE = C + E (encrypted signed plaintext) is sent to Bob
Digital Signature and Encryption (receiver)
[Figure: receiver-side data flow, using Bob’s PRIVATE key and Alice’s PUBLIC key from the public keys directory (reliable channel)]
• Split CE from Alice into E = Encrypted(K) and C = Encrypted(SM, K)
• K = Decrypt(E) with Bob’s PRIVATE key
• SM = Decrypt(C, K)
• Split SM into S = Signed(H) and M = Plaintext
• H = Verify signature on S with Alice’s PUBLIC key
• H1 = Hash(M)
• Compare H = H1
Signature and Encryption (in a nutshell)
[Figure: at A, Plaintext -S-> Signed Plaintext -E-> Encrypted Signed Plaintext; at B, -D-> Signed Plaintext -V-> Plaintext. S uses A’s private key, E uses B’s public key, D uses B’s private key, V uses A’s public key.]
Signature and Encryption
• We could do the encryption first followed by the signature. Signature first has the advantage that the signature can be verified by parties other than B.
• We could use DES or IDEA for encryption
Non-repudiation
• In general, non-repudiation requires a notarized signature, involving a third party in addition to A and B.
• In large systems this can involve hierarchies of notarization (possibly a certificate authority)
Key Management Issues
• Issues:
  – generating keys
  – keeping backup keys
  – dealing with compromised keys
  – changing keys
  – destroying expired keys
• Problems
  – establishing and maintaining third-party trust
  – implementing consistent security policies among users
  – making cryptography accessible to appropriate parties
Pretty Good Privacy (PGP) An Example of a Public Key Application
Neil F. Johnson [email protected] http://isse.gmu.edu/~csis/
PGP - Pretty Good Privacy
• Phil Zimmermann
• Shaky start
  – RSA patent
  – US export laws
• Worldwide popularity
• More than just e-mail
PGP’s Success
• Freely available worldwide on a variety of platforms.
• Based on algorithms that are considered secure and have been under extensive public review (RSA, IDEA, MD5).
• Wide range of applications.
• PGP is not controlled by any government or standards organization.
PGP - What it Uses
• Public/Private Key (RSA)
• Secret Key (IDEA)
• Message Digest/Hash (MD5)
• Zip
• Radix 64 ASCII format
PGP – How it Works
• Confidentiality
• Authentication
• Compression
• Compatibility measures
Confidentiality & Authentication
• Message Encryption
  – IDEA - Encrypt message with one-time session key generated by sender
  – RSA - Session key is encrypted with receiver’s public key, and included with the message
• Digital Signature
  – MD5 - Creates a 128-bit hash code of the message (message digest)
  – RSA - The message digest is encrypted with the sender’s private key, and included with the message
Compression & Compatibility
• Compression – ZIP
  – Messages or files may be compressed for storage or transmission
  – Compression occurs after signature but before encryption
• E-mail Compatibility – Radix-64
  – Converts binary encrypted data to ASCII through table lookup
  – A-Z, a-z, 0-9, +, /, = (padding)
Notation
• Ks = Session key
• M = Message (plaintext)
• C = Ciphertext
• S = Sender
• R = Receiver
• Sk = Sender’s Private Key
• Sp = Sender’s Public Key
• Rk = Receiver’s Private Key
• Rp = Receiver’s Public Key
• Ei = Encryption with IDEA
• Di = Decryption with IDEA
• Er = Encryption with RSA
• Dr = Decryption with RSA
• H = Hash function (MD5)
• Z = ZIP compression (optional after authentication)
• R64 = Radix 64 conversion to ASCII
PGP - Authentication
• SM = M + Er[H{M}, Sk]
• Receiver:
  – ‘Splits’ SM
  – Dr{Er[H{M}, Sk], Sp} = H{M}
  – Creates a ‘new’ H{M} from M
  – Compares the decrypted H{M} with the ‘new’ H{M}
PGP - Authentication (cont)
• Sender
  – Sender creates a message (M)
  – MD5 is used to create a 128-bit message digest of the message (H{M})
  – Hash code is encrypted with RSA using the sender’s private key (Er[H{M}, Sk])
[Figure: Plaintext (M) -> H = MD5(M) -> S = RSA(H, Sk) with Alice’s PRIVATE key (Sk); combine S and M and send to Bob]
PGP - Authentication (cont)
• Receiver
  – The receiver uses RSA with the sender’s public key to decrypt and recover the hash code (Dr{Er[H{M}, Sk], Sp} => H{M})
  – Receiver generates a new hash code for the message (H{M})
  – The decrypted hash code is compared with the generated hash code
[Figure: SM from Alice is split into S = RSA(H, Sk) and M = Plaintext; H = Verify signature RSA(S, Sp) with Alice’s PUBLIC key (Sp) from the public keys directory (reliable channel); H1 = MD5(M); compare H = H1]
PGP - Compression
• Authentication before compression
  – It is preferable to sign an uncompressed message.
  – The trade-off between speed and compression depends on the message type.
• Encryption after compression
  – Strengthens cryptographic security by reducing redundancy in the original plaintext.
Sign - Compress - Encrypt
PGP - Confidentiality
• IDEA
  – uses a 128-bit key
  – 64-bit cipher feedback mode with a random initialization vector (IV). Earlier versions of PGP used a null (zero stream) IV.
PGP - Confidentiality (cont)
• Sender
  – Sender generates a message and a 128-bit number to be used as a session key for this message only (Ks)
  – Message is compressed, then encrypted using IDEA with the session key (C = Ei[Z{M}, Ks])
  – Session key is encrypted with RSA using receiver’s public key (E = Er{Ks, Rp})
[Figure: Plaintext (M) -> Z = Zip(M) -> C = IDEA(Z, Ks) with session key (Ks); E = RSA(Ks, Rp) with Bob’s PUBLIC key (Rp) from the public keys directory; combine C and E and send to Bob]
PGP - Confidentiality (cont)
• Receiver
  – Receiver’s private key is used with RSA to decrypt and recover the session key (Ks = Dr[Er{Ks, Rp}, Rk])
  – Session key is used to decrypt the message (Z = Di{Ei[Z{M}, Ks], Ks})
  – Decompression (M = unZip{Z(M)})
[Figure: Ciphertext (CE) from Alice is split into E = RSA(K, Rp) and C = IDEA(Z, K); K = RSA(E, Rk) with Bob’s PRIVATE key; Z = IDEA(C, K); M = unZip(Z)]
PGP - Confidentiality (cont.)
• May combine authentication and encryption
• Multiple RSA key length options are available (from 768 to 4096 bits)
PGP - Putting it Together (sender)
[Figure: sender-side data flow, using Alice’s PRIVATE key and Bob’s PUBLIC key from the public keys directory (reliable channel)]
• H = MD5(M)
• S = RSA(H, Sk)
• SM = Combine S + M (signed plaintext)
• Z = Zip(SM)
• C = IDEA(Z, K) with secret key (K)
• E = RSA(K, Rp)
• CE = C + E (encrypted signed plaintext) is sent to Bob
PGP - Putting it Together (receiver)
[Figure: receiver-side data flow, using Bob’s PRIVATE key and Alice’s PUBLIC key from the public keys directory (reliable channel)]
• Split CE from Alice into E = RSA(K, Rp) and C = IDEA(Z, K)
• K = RSA(E, Rk)
• Z = IDEA(C, K)
• SM = unZip(Z)
• Split SM into S = RSA(H, Sk) and M = Plaintext
• H = Verify signature RSA(S, Sp)
• H1 = MD5(M)
• Compare H = H1
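The sender and receiver pipelines above (and the authentication and confidentiality slides before them), as an added example that is not from the slides and not PGP’s own code. It uses only the Python standard library, so textbook RSA on two Mersenne primes (a toy, far below a real key size) stands in for RSA and an MD5-keyed cipher feedback loop with a random IV stands in for IDEA; MD5, ZIP (zlib) and radix-64 (base64) are the real ones, and the sign-compress-encrypt order follows the deck.

```python
import base64, hashlib, os, zlib

# Toy RSA on two Mersenne primes (2^89-1 and 2^107-1): enough for a demo
# and nothing more. Keys are (exponent, modulus) pairs; n exceeds 2^128, so
# a 128-bit MD5 digest or session key fits in one block.
def toy_rsa_keypair(p=(1 << 89) - 1, q=(1 << 107) - 1, e=65537):
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)   # (public, private)

def rsa_int(x: int, key) -> int:
    exp, n = key                          # Er / Dr on one integer block
    return pow(x, exp, n)

BLOCK = 32                                # bytes that hold one RSA block

def cfb_xor(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # Cipher feedback mode with a random IV (the mode the slides give for IDEA);
    # a keyed MD5 of the previous ciphertext block stands in for the IDEA cipher.
    out, prev = bytearray(), iv
    for i in range(0, len(data), 16):
        keystream = hashlib.md5(key + prev).digest()
        chunk = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(chunk, keystream))
        out += res
        prev = chunk if decrypt else res  # feed the ciphertext block back
    return bytes(out)

def pgp_sign(m: bytes, sk) -> bytes:
    # Authentication: SM = S + M with S = RSA(MD5(M), Sk)
    h = int.from_bytes(hashlib.md5(m).digest(), "big")
    return rsa_int(h, sk).to_bytes(BLOCK, "big") + m

def pgp_verify(sm: bytes, sp):
    # Split SM, recover H from S with Sp and compare with a new H1 = MD5(M)
    s, m = int.from_bytes(sm[:BLOCK], "big"), sm[BLOCK:]
    h1 = int.from_bytes(hashlib.md5(m).digest(), "big")
    return rsa_int(s, sp) == h1, m

def pgp_seal(sm: bytes, rp) -> bytes:
    # Confidentiality: Z = Zip(SM), C = IDEA(Z, Ks) under a fresh 128-bit
    # session key, E = RSA(Ks, Rp), then radix-64 for e-mail transport
    z = zlib.compress(sm)
    ks, iv = os.urandom(16), os.urandom(16)
    c = iv + cfb_xor(ks, iv, z)
    e = rsa_int(int.from_bytes(ks, "big"), rp).to_bytes(BLOCK, "big")
    return base64.b64encode(e + c)

def pgp_open(msg: bytes, rk) -> bytes:
    # Reverse: radix-64 decode, split CE, Ks = RSA(E, Rk), decrypt, unzip
    ce = base64.b64decode(msg)
    e, c = ce[:BLOCK], ce[BLOCK:]
    ks = rsa_int(int.from_bytes(e, "big"), rk).to_bytes(16, "big")
    return zlib.decompress(cfb_xor(ks, c[:16], c[16:], decrypt=True))

def pgp_send(m: bytes, sk, rp) -> bytes:
    return pgp_seal(pgp_sign(m, sk), rp)        # sign -> compress -> encrypt

def pgp_receive(msg: bytes, rk, sp):
    return pgp_verify(pgp_open(msg, rk), sp)    # decrypt -> unzip -> verify

if __name__ == "__main__":
    alice_pub, alice_priv = toy_rsa_keypair()
    bob_pub, bob_priv = toy_rsa_keypair(p=(1 << 61) - 1, q=(1 << 127) - 1)
    wire = pgp_send(b"meet at noon", alice_priv, bob_pub)
    print(pgp_receive(wire, bob_priv, alice_pub))   # (True, b'meet at noon')
```

Because Ks and the IV are fresh per message, two sends of the same plaintext produce different wire bytes, and any change to the signed plaintext makes pgp_verify return False.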
PGP - Key Distribution
• Public Key
• User-based certification
• Key Ring
• Session Key
  – a new, random, 128-bit secret key is generated with each message. This key is encrypted with the receiver’s public key.
PGP - Key Rings
• Private Key Ring
  – Timestamp, KeyID, Public Key, E{Private Key}, User ID
• Public Key Ring
  – Timestamp, KeyID, Public Key, Trust_flag, User ID, Key Legitimacy flag, Signature(s), Signature Trust(s)
PGP - Certificate Management
• Manual key exchange
• Trusted third-party authentication (Web of Trust - User-based)
  – Alice wants to communicate with Charlie
  – Alice and Bob know each other; Bob also knows Charlie
  – Alice and Bob sign each other’s public key as a show of trust
  – Bob also trusts Charlie, and “signs” Charlie’s public key
  – Since Alice trusts Bob, she can trust Bob’s signature on Charlie’s public key
  – Alice then believes the identity of Charlie and uses Charlie’s public key for communication
[Figure: Alice, Bob and Charlie joined by the key signatures listed above]
Certificate Authority
• An entity that is responsible for identification and authentication of its issued or signed certificates
• A Certificate Authority entity consists of:
  – Secure Hardware System(s)
  – Trusted Cryptographic Module(s)
  – Personnel
  – Directory Repositories
    • User Public Certificates
    • Certificate Revocation List
    • Certificate Practice/Policy Statement
Certificates
• Certificates establish trust in public keys
• Certificates for:
  – user identification
  – associated keys
• Certificate Authority (CA)
  – Trusted third-party
  – Issuer
  – Variations:
    • Registration authority (RA)
    • Root CA
    • Policy CA
[Figure: the CA issues a certificate to the User]
Certificates
Certificate Contents
• Owner’s Public Key
• Owner’s Name
• Owner’s Digital Signature
• Validity Period
• Name of the CA
• CA’s Digital Signature
Certificate Role
• Confirm Identity
• Verify Electronic Information
• Offers Confidentiality via Encryption
A Certificate (digital ID, digital certificate, electronic signature) is electronic identification that is issued to an individual by a certificate authority (trusted entity), which determines and establishes a set of authentication, background check, and security procedures before issuing a certificate.
Certificate Authorities
[Figure: a single-level hierarchy: Certificate Authority -> Registration Authority -> Users]
[Figure: a multi-level hierarchy: Root Certification Authority -> Certificate Authorities -> Local Registration Authorities -> Users]
Not so simple
• Certification Policies
  – Organization-based
  – Function-based
  – “Need to know”
• Certificate Revocation List (CRL)
  – key loss, corruption, renewal, expiry
  – List of “bad” certificates
• Division of Responsibility
  – System Security Officer
  – Certificate Authority Administrator
  – System Administrator
  – Directory Administrator
  – Local Registration Authority
  – Client User/Subscriber
Certificate Usage
• Certificate Validation
  – Access to public key directories
• Certificate revocation
  – maintains trust
• Key recovery
• Cross-certification
  – extended third-party trust among multiple Certification Authorities
Key Revocation & Update
• Expiration dates defined in certificates
• Key update
  – Rules for update depend on user and type of certificate
  – Automatically and transparently prior to expiration
  – Previously signed private keys must be destroyed
• Key histories
  – required to decrypt information encrypted with ‘older’ key pairs
Applying for a Certificate
• Subscriber needs to register with the CA
  – Requests a Certificate from the RA by completing a certificate application
  – Registration involves establishing a relationship between the subscriber and CA, thus verifying the identity of the subscriber (authentication)
• Subject Authentication
  – Personal presence
  – Identification documents
Applying for a Certificate
• CA activities often require personal interaction through an intermediary such as a local registration authority
  – Think of a local branch of the Department of Motor Vehicles
  – Registering and changing attributes of the subscribers
  – Identifying and authenticating the subscribers
  – Authorizing requests for key-pair or certificate generation, or recovery of backed-up keys
  – Accepting and authorizing requests for certificate revocation
  – Distributing personal tokens to, and recovering obsolete tokens from, users authorized to hold them
• If the client’s entry is a change due to key loss, corruption, or renewal, the Certificate Revocation List is updated
Putting it all together Public Key Applications and Examples of PKI
Neil F. Johnson [email protected] http://isse.gmu.edu/~csis/
Overview
• PEM: Privacy Enhanced Mail
• PKI Architectures
  – SET: Secure Electronic Transactions
  – MISSI: Multilevel Information Systems Security Initiative
PEM - Certificate Management
• Follows X.509 standard
• Certificate Chain
• PEM - Privacy Enhanced Mail
  – Internet PCA Registration Authority (IPRA)
  – Policy Certificate Authority (PCA)
PEM - Certificate Hierarchy
[Figure: IPRA at the root, PCAs below it, CAs below the PCAs, and users (end-entities) below the CAs]
PEM - Certificate Hierarchy Example
[Figure: Internet Policy Registration Authority (IPRA) at the root; Policy Certification Authorities (PCA): Organization, Residential, PERSONA; Certification Authorities (CA) beneath them, such as GMU and IBM (Organization), Virginia (Residential) and Anonymous (PERSONA), with lower-level CAs such as ISSE, Fairfax, Alice and Johnson; subjects such as Johnson and Jajodia at the leaves]
PGP vs. PEM (summary)
• Certificate Management
• Encryption
• Cryptographic Algorithms Supported
• Recipients with Multiple Keys
• Hash Code = Message Integrity Check (MIC)
PEM Services
• Disclosure Protection
• Originator Authentication
• Integrity
• Nonrepudiation (if public/private key is used)
PEM - What it Uses
• Public/Private Key (RSA)
• Secret Key (DES/3DES)
• Message Digest/Hash (MD2/MD5)
• Radix 64 ASCII format
PEM - How it Works
• Message Encryption
• Authentication
  – Digital Signature
  – without Digital Signature
• Key Management (secret key vs. public key)
• E-mail Compatibility (radix 64)
PEM - Message Encryption
• DES - Cipher Block Chaining
• One-time session key (Ks)
• Ks is encrypted with RSA using Rp.
• Message encryption ALWAYS uses symmetric (secret key) encryption.
PEM - Authentication
• H{M} is created using MD2 or MD5.
• Digital Signature (asymmetric)
  – H{M} is encrypted with RSA using Sk
• Without a Digital Signature (symmetric)
  – H{M} is encrypted with DES-ECB or 3DES using a shared secret key
PEM - Key Management
• Symmetric Key Management
  – Session Key is encrypted with DES-ECB or 3DES using a shared secret key
• Asymmetric Key Management
  – Public Key certificates are created and signed.
  – MD2 is used to hash the certificate and RSA encrypts the hash code.
  – Session Key is encrypted with RSA using Rp
PEM - Sender Steps
1. Generate message integrity and authentication information
2. Encrypt the message
3. Apply radix 64 ASCII conversion
Three message types
– ENCRYPTED: all steps are applied
– MIC-ONLY: only steps 1 and 3
– MIC-CLEAR: only step 1
Examples of PKI Architectures
• Secure Electronic Transactions (SET)
  – Developed by Visa and MasterCard (MC) to support credit card transactions over the Internet
• U.S. Department of Defense PKI
  – Developed to support secure electronic mail and other applications
  – Multilevel Information Systems Security Initiative (MISSI)
  – Main application was the DoD Defense Messaging System (DMS)
SET Members
• Issuer
  – Financial institution that issues bank cards (such as Visa and MC)
• Cardholder
  – Authorized holder of a bank card who is registered with an issuer to perform electronic commerce
• Merchant
  – Seller of goods, services, or information, who accepts payments electronically
• Acquirer
  – Financial institution that supports merchants and processes bank card transactions
• Payment Gateway
  – System that provides online electronic commerce services
• Certificate Authorities
  – Certify public keys of cardholders, merchants, or acquirers or their gateways
SET Certificate Authorities
• Root CA
  – All certification paths start with the Root CA’s public key
  – Typically kept offline and accessed only occasionally, to issue certificates for the Brand CAs
  – Should be operated by a party that the industry trusts
• Brand CA
  – Operated by the different brand owners (Visa, MC)
• Geo-political CA
  – Allows a brand to issue lower-level certificates across different geo-political regions (optional)
• Cardholder CA
  – Generates and distributes certificates to cardholders
• Merchant CA
  – Generates and issues certificates to merchants based on approval by an acquirer
SET PKI Example
[Figure: Root CA at the top; Brand Certificate Authorities: Visa Brand CA and MC Brand CA; Geo-political Certificate Authorities under the MC Brand CA: MC North America CA and MC Europe CA; below them a Cardholder CA serving Cardholders and a Merchant CA serving Merchants]
DoD MISSI PKI Components
• Policy Approving Authority (PAA)
  – Root CA; certifies the PCAs
  – Can cross-certify other PAAs (allied countries)
• Policy Creation Authority (PCA)
  – Administrative root for a separate security policy domain (for example: unclassified-sensitive, secret, Federal Civil, commercial)
• Certificate Authority (CA)
  – Administrative authority for an organization within a policy domain
  – Registers and issues certificates to end-entities
• Organizational Registration Authority (ORA)
  – Similar to a local registration authority
  – Does not issue certificates, but assists in registering users with the CA
  – Can be used to decentralize part of the CA’s administrative tasks
MISSI PKI Example
[Figure: U.S. Govt. PAA at the top, cross-certified with another PAA; PCA 1 and PCA 2 below it; CA 1 through CA 4 below the PCAs; an ORA attached to one CA; end-entities under each CA]
Summary
• Public Key Cryptosystems
  – Quick review
  – Cryptography
  – Digital Signatures
  – Key Management Issues
• Pretty Good Privacy (PGP)
• Public Key Infrastructure
  – Certificates & Management
  – Privacy Enhanced Mail (PEM)
  – PKI Architectures
    • SET: Secure Electronic Transactions
    • MISSI: Multilevel Information Systems Security Initiative