
Public Key Infrastructure (PKI)

Neil F. Johnson
http://ise.gmu.edu/~csis

Assumptions

• Understanding of
  – Fundamentals of Public Key
  – Hash codes for message digests and integrity check
  – Digital Signatures

Copyright 1999, Neil F. Johnson 1 Public Key Infrastructure

Overview

• Public Key Cryptosystems
  – Quick review
  – Digital Signatures
  – Issues
• Certificates
  – Certificates Information
  – Track Issuing a Certificate
• Putting it all together
  – PKI applications
  – Pretty Good Privacy (PGP)
  – Privacy Enhanced Mail (PEM)

Public Key Cryptosystems – Quick Review

• Key distribution problem of secret key systems
  – You must share the secret key with another party before you can initiate communication
  – If you want to communicate with n parties, you require n different keys
• Public Key cryptosystems solve the key distribution problem in secret key systems (provided a reliable channel for communication of public keys can be implemented)
• Security is based on the infeasibility of computing B’s private key given the knowledge of
  – B’s public key,
  – chosen plaintext, and
  – maybe chosen


Key Distribution

[Figure: Secret Key Distribution, with (n)(n-1)/2 keys among Alice, Bob, Chris, David and Ellie, beside a Directory of Public Keys (certificates) serving the same five parties.]

Public Key

[Figure: Plaintext → Encryption Algorithm (Bob’s PUBLIC Key) → Ciphertext over the INSECURE CHANNEL → Decryption Algorithm (Bob’s PRIVATE Key) → Plaintext. Bob’s PUBLIC Key comes from the Directory of Public Keys (certificates) over a Reliable Channel.]


Digital Signature

[Figure: Plaintext → Sign Algorithm (Alice’s PRIVATE Key) → Signed Plaintext over the INSECURE CHANNEL → Verify Algorithm (Alice’s PUBLIC Key) → Plaintext. Alice’s PUBLIC Key comes from the Directory of Public Keys (certificate) over a Reliable Channel.]

How a Digital Signature Works

SENDER
• Calculate the hash of the message
• Sign the hash with Alice’s private key
• Combine the plaintext message with the signed hash
• Send the combined message to the receiver (Bob)

RECEIVER
• Separate the signed hash and the plaintext message
• Calculate a new hash of the message
• Verify the signed hash with Alice’s public key
• Compare the original hash with the new hash (they should match)


Digital Signature and Encryption (sender)

• H = Hash(M), where M is the Plaintext
• S = Sign(H), using Alice’s PRIVATE Key
• SM = Combine S + M (Signed Plaintext)
• C = Encrypt(SM, K), where K is the Secret Key
• E = Encrypt K, using Bob’s PUBLIC Key (from the Public Keys Directory, over a Reliable Channel)
• CE = C+E (Encrypted Signed Plaintext to Bob)

Digital Signature and Encryption (receiver)

• Split CE (Encrypted Signed Plaintext from Alice) into E = Encrypted(K) and C = Encrypted(SM,K)
• K = Decrypt(E), using Bob’s PRIVATE Key
• SM = Decrypt(C,K)
• Split SM into S = Signed(H) and M = Plaintext
• H = Verify Signature on S, using Alice’s PUBLIC Key (from the Public Keys Directory, over a Reliable Channel)
• Compute H1 = Hash(M)
• Compare H = H1


Signature and Encryption (in a nutshell)

[Figure: at A, Plaintext → S (A’s Private Key) → Signed Plaintext → E (B’s Public Key) → Encrypted Signed Plaintext; at B, D (B’s Private Key) → Signed Plaintext → V (A’s Public Key) → Plaintext.]

Signature and Encryption

• We could do the encryption first followed by the signature. Signature first has the advantage that the signature can be verified by parties other than B.
• We could use DES, IDEA for encryption


Non-repudiation

• In general, non-repudiation requires a notarized signature, involving a third party in addition to A and B.
• In large systems this can involve hierarchies of notarization (possibly certificate authority)

Key Management Issues

• Issues:
  – generating keys
  – keeping backup keys
  – dealing with compromised keys
  – changing keys
  – destroying expired keys
• Problems
  – establishing and maintaining third-party trust
  – implementing consistent security policies among users
  – making cryptography accessible to appropriate parties


Pretty Good Privacy (PGP)
An Example of a Public Key Application

Neil F. Johnson
http://isse.gmu.edu/~csis/

PGP - Pretty Good Privacy

• Phil Zimmermann
• Shaky start
  – RSA patent
  – US export laws
• Worldwide popularity
• More than just e-mail


PGP’s Success

• Freely available worldwide on a variety of platforms.
• Based on algorithms that are considered secure and have been under extensive public review (RSA, IDEA, MD5).
• Wide range of applications.
• PGP is not controlled by any government or standards organization.

PGP - What it Uses

• Public/Private Key (RSA)
• Secret Key (IDEA)
• Message Digest/Hash (MD5)
• Zip
• radix 64 ASCII format


PGP – How it Works

• Confidentiality
• Compression
• Compatibility measures

Confidentiality & Authentication

• Message Encryption
  – IDEA - Encrypt message with one-time session key generated by sender
  – RSA - Session key is encrypted with receiver’s public key, and included with the message
• Digital Signature
  – MD5 - Creates a 128-bit hash code of the message (message digest)
  – RSA - The message digest is encrypted with the sender’s private key, and included with the message


Compression & Compatibility

• Compression
  – ZIP
    • Messages or files may be compressed for storage or transmission
    • Compression occurs after signature but before encryption
• E-mail Compatibility
  – Radix-64
    • Converts binary encrypted data to ASCII through table lookup
    • A-Z, a-z, 0-9, +, /, = ()

Notation

Ks = Session key
M = Message (plaintext)
C = Ciphertext
S = Sender
R = Receiver
Sk = Sender’s Private Key
Sp = Sender’s Public Key
Rk = Receiver’s Private Key
Rp = Receiver’s Public Key
Ei = Encryption with IDEA
Di = Decryption with IDEA
Er = Encryption with RSA
Dr = Decryption with RSA
H = Hash function (MD5)
Z = ZIP compression (optional after authentication)
R64 = Radix 64 conversion to ASCII


PGP - Authentication

• SM = M + Er[H{M},Sk]
• Receiver:
  – ‘Splits’ SM
    • Er{Dr[H{M},Sk], Sp} = H{M}
    • creates a ‘new’ H{M} from M
  – Compares decrypted H{M} with “new” H{M}

PGP - Authentication (cont)

• Sender
  – Sender creates a message (M)
  – MD5 is used to create a 128-bit message digest of the message (H{M})
  – Hash code is encrypted with RSA using the sender’s private key (Dr[H{M}, Sk])

[Figure: Plaintext (M) → H = MD5(M) → S = RSA(H,Sk) using Alice’s PRIVATE Key (Sk) → Combine S and M and send to Bob.]


PGP - Authentication (cont)

• Receiver
  – The receiver uses RSA with the sender’s public key to decrypt and recover the hash code (Dr{Er[H{M}, Sk], Sp} => H{M}).
  – Receiver generates a new hash code for the message (H{M}).
  – The decrypted hash code is compared with the generated hash code.

[Figure: SM from Alice → Split SM into S = RSA(H,Sk) and M = Plaintext → H = Verify Signature RSA(S,Sp) using Alice’s PUBLIC Key (Sp), from the Public Keys Directory over a Reliable Channel → Compute H1 = MD5(M) → Compare H = H1.]

PGP - Compression

• Authentication before compression
  – preferable to sign an uncompressed message.
  – Trade-off between speed and compression depends on the message type.
• Encryption after compression
  – Strengthens cryptographic security by reducing redundancy in the original plaintext.

Sign - Compress - Encrypt


PGP - Confidentiality

• IDEA
  – uses 128-bit key
  – 64-bit feedback mode with a random initialization vector (IV). Earlier versions of PGP used a null (zero stream) IV.

PGP - Confidentiality (cont)

• Sender
  – Sender generates a message and a 128-bit number to be used as a session key for this message only (Ks)
  – Message is compressed, then encrypted using IDEA with the session key (C = Ei[Z{M}, Ks])
  – Session key is encrypted with RSA using receiver’s public key (E = Er{Ks, Rp})

[Figure: Plaintext (M) → Z = Zip(M) → C = IDEA(Z, Ks) using the Session Key (Ks); E = RSA(Ks, Rp) using Bob’s PUBLIC Key (Rp) from the Public Keys Directory → Combine C and E and send to Bob.]


PGP - Confidentiality (cont)

• Receiver
  – Receiver’s private key is used with RSA to decrypt and recover the session key (Ks = Dr[Er{Ks, Rp}, Rk]).
  – Session key is used to decrypt the message (Z = Di{Ei[Z{M}, Ks], Ks}).
  – Decompression (M = unZip{Z(M)})

[Figure: Ciphertext (CE) from Alice → Split CE into E = RSA(K,Rp) and C = IDEA(Z,K) → K = RSA(E,Rk) using Bob’s PRIVATE Key → Z = IDEA(C,K) → M = unZip(Z).]

PGP - Confidentiality (cont.)

• May combine authentication and encryption
• Multiple RSA key length options are available (from 768 to 4096).


PGP - Putting it Together (sender)

• H = MD5(M), where M is the Plaintext
• S = RSA(H,Sk), using Alice’s PRIVATE Key
• SM = Combine S + M (Signed Plaintext)
• Z = Zip(SM)
• C = IDEA(Z, K), where K is the Secret Key
• E = RSA(K,Rp), using Bob’s PUBLIC Key (from the Public Keys Directory, over a Reliable Channel)
• CE = C+E (Encrypted Signed Plaintext to Bob)

PGP - Putting it Together (receiver)

• Split CE (Encrypted Signed Plaintext from Alice) into E = RSA(K,Rp) and C = IDEA(Z,K)
• K = RSA(E,Rk), using Bob’s PRIVATE Key
• Z = IDEA(C,K)
• SM = unZip(Z)
• Split SM into S = RSA(H,Sk) and M = Plaintext
• H = Verify Signature RSA(S,Sp), using Alice’s PUBLIC Key (from the Public Keys Directory, over a Reliable Channel)
• Compute H1 = MD5(M)
• Compare H = H1
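The sender and receiver flows above (and the generic "Digital Signature and Encryption" flow earlier in the deck), as an added Python example that is not code from the slides or from PGP. Assumptions: textbook RSA without padding over fixed Mersenne primes, and a SHA-256 counter keystream standing in for IDEA so that it runs on the standard library alone; all function names are hypothetical.

```python
import base64, hashlib, secrets, zlib

E_PUB = 65537  # public exponent shared by every toy key

def toy_rsa_key(p, q):
    """Return (n, d) for textbook RSA. Fixed Mersenne primes: demo only."""
    return p * q, pow(E_PUB, -1, (p - 1) * (q - 1))

def keystream_xor(data, key):
    """Stand-in for IDEA (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def md5_int(m):
    """H = MD5(M) as an integer, so it can be fed to RSA."""
    return int.from_bytes(hashlib.md5(m).digest(), "big")

def pgp_send(m, sender_n, sender_d, recv_n):
    s = pow(md5_int(m), sender_d, sender_n)             # S = RSA(H, Sk)
    z = zlib.compress(s.to_bytes(32, "big") + m)        # Z = Zip(SM), SM = S + M
    k = secrets.token_bytes(16)                         # one-time 128-bit session key
    c = keystream_xor(z, k)                             # C = cipher(Z, K)
    e = pow(int.from_bytes(k, "big"), E_PUB, recv_n)    # E = RSA(K, Rp)
    return base64.b64encode(e.to_bytes(32, "big") + c)  # radix-64 of CE = E + C

def pgp_receive(armored, recv_n, recv_d, sender_n):
    """Return (message, signature_ok); (b"", False) if CE does not unwrap."""
    ce = base64.b64decode(armored)
    try:
        k = pow(int.from_bytes(ce[:32], "big"), recv_d, recv_n).to_bytes(16, "big")
        sm = zlib.decompress(keystream_xor(ce[32:], k))  # SM = unZip(Z)
    except (OverflowError, zlib.error):
        return b"", False
    s, m = int.from_bytes(sm[:32], "big"), sm[32:]       # split SM into S and M
    return m, pow(s, E_PUB, sender_n) == md5_int(m)      # compare H with H1

# Constructed keys: products of known Mersenne primes, far too weak for real use.
ALICE_N, ALICE_D = toy_rsa_key(2**89 - 1, 2**107 - 1)
BOB_N, BOB_D = toy_rsa_key(2**127 - 1, 2**61 - 1)

if __name__ == "__main__":
    wire = pgp_send(b"Meet at noon.", ALICE_N, ALICE_D, BOB_N)
    print(pgp_receive(wire, BOB_N, BOB_D, ALICE_N))
```

A message signed with any key other than Alice's still decrypts for Bob but comes back with `signature_ok` set to `False`, which is the "Compare H = H1" step failing.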


PGP - Key Distribution

• Public Key
• User-based certification
• Key Ring
• Session Key
  – a new, random, 128-bit secret key is generated with each message. This key is encrypted with the receiver’s public key.

PGP - Key Rings

• Private Key
  – Timestamp, KeyID, Public Key, E{Private Key}, User ID
• Public Key
  – Timestamp, KeyID, Public Key, Trust_flag, User ID, Key Legitimacy flag, Signature(s), Signature Trust(s)


PGP - Certificate Management

• Manual
• Trusted third-party authentication ( - User-based)
  – Alice wants to communicate with Charlie
  – Alice and Bob know each other; Bob also knows Charlie
  – Alice and Bob sign each other’s public key as a show of trust
  – Bob also trusts Charlie, and “signs” Charlie’s public key
  – Since Alice trusts Bob, she can trust Bob’s signature on Charlie’s Public key
  – Alice then believes the identity of Charlie and uses Charlie’s public key for communication.

[Figure: Alice, Bob, Charlie.]

Certificate Authority

• An entity that is responsible for identification and authentication of its issued or signed certificates
• A Certificate Authority Entity consists of:
  – Secure Hardware System(s)
  – Trusted Cryptographic Module(s)
  – Personnel
  – Directory Repositories
    • User Public Certificate
    • Certificate Revocation List
    • Certificate Practice/Policy Statement


Certificates

• Certificates establish trust in public keys
• Certificates for:
  – user identification
  – associated keys
• Certificate Authority (CA)
  – Trusted third-party
  – Issuer
  – Variations:
    • Registration authority (RA)
    • Root CA
    • Policy CA

Certificates

Certificate Contents
• Owner’s Public Key
• Owner’s Name
• Owner’s Digital Signature
• Validity Period
• Name of the CA
• CA’s Digital Signature

Certificate Role
• Confirm Identity
• Verify Electronic Information
• Offers Confidentiality via Encryption

A Certificate (digital ID, digital certificate, electronic signature) is electronic identification that is issued to an individual by a certificate authority (trusted entity), which determines an established set of authentication, background check, and security procedures before issuing a certificate.


Certificate Authorities

[Figure: a Certificate Authority above a Registration Authority, with groups of Users below.]

Certificate Authorities

[Figure: a Root Certification Authority above two Certificate Authorities and two Local Registration Authorities, with groups of Users below.]


Not so simple

• Certification Policies
  – Organization-based
  – Function-based
  – “Need to know”
• Certificate Revocation List (CRL)
  – key loss, corruption, renewal, expiration
  – List of “bad” certificates
• Division of Responsibility
  – System Security Officer
  – Certificate Authority Administrator
  – System Administrator
  – Directory Administrator
  – Local Registration Authority
  – Client User/Subscriber

Certificate Usage

• Certificate Validation
  – Access to public key directories
• Certificate revocation
  – maintains trust
• Key recovery
• Cross-certification
  – extended third-party trust among multiple Certification Authorities


Key Revocation & Update

• Expiration dates defined in certificates
• Key update
  – Rules for update depend on user and type of certificate
  – Automatically and transparently prior to expiration
  – Previously signed private keys must be destroyed
• Key histories
  – required to decrypt information encrypted with ‘older’ key pairs

Applying for a Certificate

• Subscriber needs to register with the CA
  – Requests a Certificate from the RA by completing a certificate application
  – Registration involves establishing a relationship between the subscriber and CA thus verifying the identity of the subscriber (authentication)
• Subject Authentication
  – Personal presence
  – Identification documents


Applying for a Certificate

• CA activities often require personal interaction through an intermediary such as a local registration authority
  – Think of a local branch of the Department of Motor Vehicles
  – Registering and changing attributes of the subscribers
  – Identify and authenticate the subscribers
  – Authorizing requests for key-pair or certificate generation, or recovery of backed up keys
  – Accepting and authorizing requests for certificate revocation
  – Distributing personal tokens to, and recovering obsolete tokens from, users authorized to hold them
• If the Client’s entry is a change due to key loss, corruption, or renewal, the Certificate Revocation List is updated

Putting it all together
Public Key Applications and Examples of PKI

Neil F. Johnson
http://isse.gmu.edu/~csis/


Overview

• PEM: Privacy Enhanced Mail
• PKI Architectures
  – SET: Secure Electronic Transactions
  – MISSI: Multilevel Information Systems Security Initiative

PEM - Certificate Management

• Follows X.509 standard
• Certificate Chain
• PEM - Privacy Enhanced Mail
  – Internet PCA Registration Authority (IPRA)
  – Policy Certificate Authority (PCA)


PEM - Certificate Hierarchy

[Figure: IPRA at the top; PCAs below it; CAs below the PCAs, with one CA below another CA; Users (End-entities) at the bottom.]

PEM - Certificate Hierarchy Example

[Figure: Internet Policy Registration Authority (IPRA) at the top; Policy Certification Authorities (PCA): Organization, Residential, PERSONA; Certification Authorities (CA): GMU, IBM, Virginia, Anonymous, ISSE, Fairfax; Subjects: Johnson, Jajodia, Alice.]


PEM Hierarchy Example

[Figure: the same hierarchy without level labels: IPRA; Organization, Residential, PERSONA; GMU, IBM, Virginia, Anonymous; ISE, Alice, Fairfax, Johnson; Johnson, Jajodia, Jajodia.]
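Checking a certification path through a hierarchy like the one above (subject, CA, PCA, IPRA), together with the validity period and CRL checks from the earlier certificate slides, as an added Python example that is not from the slides or from any PEM implementation. Assumptions: textbook RSA over fixed Mersenne primes, MD5 in place of MD2 for the certificate hash, a simplified certificate record, and constructed names, serial numbers and dates.

```python
import hashlib
from dataclasses import dataclass

E_PUB = 65537  # public exponent shared by every toy key

def toy_rsa_key(p, q):
    """Return (n, d) for textbook RSA. Fixed Mersenne primes: demo only."""
    return p * q, pow(E_PUB, -1, (p - 1) * (q - 1))

@dataclass
class Cert:             # simplified record, not the X.509 encoding
    subject: str
    issuer: str
    pub_n: int          # subject's public modulus
    not_before: int     # validity period as YYYYMMDD integers
    not_after: int
    serial: int
    sig: int = 0        # issuer's signature over digest()

    def digest(self):
        body = (f"{self.subject}|{self.issuer}|{self.pub_n}|"
                f"{self.not_before}|{self.not_after}|{self.serial}")
        return int.from_bytes(hashlib.md5(body.encode()).digest(), "big")

def issue(cert, issuer_d, issuer_n):
    """Sign the certificate hash with the issuer's private key."""
    cert.sig = pow(cert.digest(), issuer_d, issuer_n)
    return cert

def validate_path(path, root_n, crl, today):
    """path runs from the subject up to the certificate issued by the root."""
    for cert, parent in zip(path, path[1:] + [None]):
        issuer_n = parent.pub_n if parent else root_n
        if parent and cert.issuer != parent.subject:
            return f"{cert.subject}: issuer is not next in chain"
        if pow(cert.sig, E_PUB, issuer_n) != cert.digest():
            return f"{cert.subject}: bad signature"
        if not cert.not_before <= today <= cert.not_after:
            return f"{cert.subject}: outside validity period"
        if (cert.issuer, cert.serial) in crl:   # CRL holds (issuer, serial) pairs
            return f"{cert.subject}: revoked"
    return "valid"

def build_demo_path():
    """Constructed sample: IPRA -> Organization PCA -> GMU CA -> Johnson."""
    ipra_n, ipra_d = toy_rsa_key(2**127 - 1, 2**107 - 1)
    pca_n, pca_d = toy_rsa_key(2**127 - 1, 2**89 - 1)
    ca_n, ca_d = toy_rsa_key(2**107 - 1, 2**89 - 1)
    user_n, _ = toy_rsa_key(2**89 - 1, 2**61 - 1)
    pca = issue(Cert("Organization PCA", "IPRA", pca_n, 19990101, 20031231, 1), ipra_d, ipra_n)
    ca = issue(Cert("GMU CA", "Organization PCA", ca_n, 19990101, 20011231, 7), pca_d, pca_n)
    user = issue(Cert("Johnson", "GMU CA", user_n, 19990601, 20000531, 42), ca_d, ca_n)
    return [user, ca, pca], ipra_n

if __name__ == "__main__":
    path, root_n = build_demo_path()
    print(validate_path(path, root_n, set(), 19991001))
    print(validate_path(path, root_n, {("GMU CA", 42)}, 19991001))
```

Only the IPRA public key is trusted in advance; every other key is accepted because the certificate above it vouches for it, so a revoked or expired certificate anywhere in the path invalidates everything beneath it.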

PGP vs. PEM (summary)

• Certificate Management
• Encryption
• Cryptographic Algorithms Supported
• Recipients with Multiple Keys
• Hash Code = Message Integrity Check (MIC)


PEM Services

• Disclosure Protection
• Originator Authentication
• Integrity
• Nonrepudiation (if public/private key is used)

PEM - What it Uses

• Public/Private Key (RSA)
• Secret Key (DES/3DES)
• Message Digest/Hash (MD2/MD5)
• radix 64 ASCII format


PEM - How it Works

• Message Encryption
• Authentication
  – Digital Signature
  – without Digital Signature
• Key Management (secret key vs. public key)
• E-mail Compatibility (radix 64)

PEM - Message Encryption

• DES - Cipher Block Chaining
• One-time session key (Ks)
• Ks is encrypted with RSA using Rp.
• Message encryption ALWAYS uses symmetric (secret key) encryption.


PEM - Authentication

• H{M} is created using MD2 or MD5.
• Digital Signature (asymmetric)
  – H{M} is encrypted with RSA using Sk
• Without a Digital Signature (symmetric)
  – H{M} is encrypted with DES-ECB or 3DES using a key

PEM - Key Management

• Symmetric Key Management
  – Session Key is encrypted with DES-ECB or 3DES using a shared secret key
• Asymmetric Key Management
  – Public Key certificates are created and signed.
  – MD2 is used to hash the certificate and RSA encrypts the hash code.
  – Session Key is encrypted with RSA using Rp


PEM - Sender Steps

1. Generate message integrity and authentication information
2. Encrypt the message
3. Apply radix 64 ASCII conversion

Three message types
  – ENCRYPTED: all steps are applied
  – MIC-ONLY: only steps 1 and 3
  – MIC-CLEAR: only step 1

Examples of PKI Architectures

• Secure Electronic Transactions (SET)
  – Developed by Visa and MasterCard (MC) to support credit card transactions over the Internet
• U.S. Department of Defense PKI
  – Developed to support secure electronic mail and other applications
  – Multilevel Information Systems Security Initiative (MISSI)
  – Main application was the DoD Defense Messaging System (DMS)


SET Members

• Issuer
  – Financial institution that issues bank cards (such as Visa and MC)
• Cardholder
  – Authorized holder of a bank card who is registered with an issuer to perform electronic commerce
• Merchant
  – Seller of goods, services, or information, who accepts payments electronically
• Acquirer
  – Financial institution that supports merchants and processes bank card transactions
• Payment Gateway
  – System that provides online electronic commerce services
• Certificate Authorities
  – Certify public keys of cardholders, merchants, or acquirers or their gateways

SET Certificate Authorities

• Root CA
  – All certification paths start with the Root CA’s public key
  – Typically kept offline and is not accessed often to issue certificates for the Brand CA
  – Should be operated by a party that the industry trusts
• Brand CA
  – Operated by the different brand owners (Visa, MC)
• Geo-political CA
  – Allows a brand to issue lower-level certificates across different geo-political regions (optional)
• Cardholder CA
  – Generate and distribute certificates to cardholders
• Merchant CA
  – Generate and issue certificates to merchants based on approval by an acquirer


SET PKI Example

[Figure: Root CA at the top; Brand Certificate Authorities (Visa Brand CA, MC Brand CA); Geo-political Certificate Authorities (MC North America CA, MC Europe CA); Cardholder CA and Merchant CA; Cardholders and Merchants at the bottom.]

DoD MISSI PKI Components

• Policy Approving Authority (PAA)
  – Root CA certifies the PCAs
  – Can cross-certify other PAAs (allied countries)
• Policy Creation Authority (PCA)
  – Administrative root for a separate security policy domain (for example: unclassified-sensitive, secret, Federal Civil, commercial)
• Certificate Authority (CA)
  – Administrative authority for an organization within a policy domain
  – Registers and issues certificates to end-entities
• Organizational Registration Authority (ORA)
  – Similar to a local registration authority
  – Does not issue certificates, but assists in registering users with the CA
  – Can be used to decentralize part of the CA’s administrative tasks


MISSI PKI Example

[Figure: U.S. Govt. PAA at the top, with (Other PAA) beside it; PCA 1 and PCA 2; CA 1, CA 2, CA 3 and CA 4; an ORA; End-entities at the bottom.]

Summary

• Public Key Cryptosystems
  – Quick review
  – Cryptography
  – Digital Signatures
  – Key Management Issues
• Pretty Good Privacy (PGP)
• Public Key Infrastructure
  – Certificates & Management
  – Privacy Enhanced Mail (PEM)
  – PKI Architectures
    • SET: Secure Electronic Transactions
    • MISSI: Multilevel Information Systems Security Initiative
