lec ectur ure 12 e 12
play

Lec ectur ure 12 e 12 Public Key Certification and Revocation - PowerPoint PPT Presentation

Mar 31, 2024 •168 likes •578 views

Lec ectur ure 12 e 12 Public Key Certification and Revocation [lecture slides are adapted from previous slides by Prof. Gene Tsudik] 1 CertificationTree / Hierarchy Logical tree of CA-s PK root root [PK CA1 ]SK root CA1 CA3 [PK CA2 ]SK

  1. Lec ectur ure 12 e 12 Public Key Certification and Revocation [lecture slides are adapted from previous slides by Prof. Gene Tsudik] 1

  2. CertificationTree / Hierarchy Logical tree of CA-s PK root root [PK CA1 ]SK root CA1 CA3 [PK CA2 ]SK CA1 [PK CA3 ]SK root CA2 CA4[PK CA4 ]SK CA3 2

  3. Hierarchical Public Key Infrastructure (PKI) Example UCI UCSB UCSD UCR 3

  4. Hierarchical PKI Example UCOP CSOP UCLA CSUN UCI CSULB 4

  5. Hierarchical PKI Example Governor UCOP CSOC UCLA CSUN UCI CSULB Alfred Chen 5

  6. Cross Certificate Based PKI Example 6

  7. Cross Certificate Based PKI Example UMass UTexas UCI 7

  8. Certificate Paths Derived from PKI 8

  9. Certificate Paths 9

  10. Certificate Paths • Verifier must know public key of the first CA • Other public keys are ‘ discovered ’ one by one • All CAs on the path must be (implicitly) trusted by the verifier 10

  11. X.509 Standard • X.509v3 is the current version • ITU standard • ISO 9495-2 is the equivalent ISO standard • Defines certificate format, not PKI • Supports both hierarchical model and cross certificates • End users cannot be CAs 11

  12. X.509 Service • Assumes a distributed set of servers maintaining a database about certificates • Used in S/MIME, PEM, IPSec, SSL/TLS, SSH • RSA, DSA, SHA, MD5 are most commonly used algorithms 12

  13. X.509 Certificate Format • version • serial number • signature algorithm ID • issuer name(X.500 Distinguished Name) • validity period • subject(user) name (X.500 Distinguished Name) • subject public key information • issuer unique identifier (version 2 and 3 only) • subject unique identifier (version 2 and 3 only) • extensions (version 3 only), e.g., revocation info • signature on the above fields 13

  14. X.509 Certificate Format 14

  15. A Sample X.509v3 Certificate 15

  16. A Sample Certificates in Practice (1/3) 16

  17. A Sample Certificates in Practice (2/3) 10000000000000001 17

  18. A Sample Certificates in Practice (3/3) -----BEGIN CERTIFICATE----- MIIDTzCCAvmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBcMSEwHwYDVQQKExhFdXJv cGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24g QXV0aG9yaXR5MRIwEAYDVQQHEwlEYXJtc3RhZHQwHhcNOTcwNDAyMTczNTU5WhcN OTgwNDAyMTczNTU5WjBrMSEwHwYDVQQKExhFdXJvcGVhbiBJQ0UtVEVMIHByb2pl Y3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24gQXV0aG9yaXR5MRIwEAYDVQQH EwlEYXJtc3RhZHQxDTALBgNVBAMTBFVTRVIwWTAKBgRVCAEBAgICAANLADBIAkEA qKhTY0kbk8PDC2yIEVXefmri+VKg3GklxMi/VeExqM7kqSmFmYoVmt72L+G0UF9e BHWm9HbcPA453Dq+PqRhiwIDAQABo4IBmDCCAZQwHwYDVR0jBBgwFoAUfnLy+DqG nEKINDRmdcPU/NGiETMwHQYDVR0OBBYEFJfc4B8gjSoRmLUx4Sq/ucIYiMrPMA4G A1UdDwEB/wQEAwIB8DAcBgNVHSABAf8EEjAQMAYGBCoDBAUwBgYECQgHBjBDBgNV HREEPDA6gRV1c2VyQGRhcm1zdGFkdC5nbWQuZGWGIWh0dHA6Ly93d3cuZGFybXN0 YWR0LmdtZC5kZS9+dXNlcjCBsQYDVR0SBIGpMIGmgQxnbWRjYUBnbWQuZGWGEWh0 dHA6Ly93d3cuZ21kLmRlghdzYXR1cm4uZGFybXN0YWR0LmdtZC5kZaRcMSEwHwYD VQQKExhFdXJvcGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRp ZmljYXRpb24gQXV0aG9yaXR5MRIwEAYDVQQHEwlEYXJtc3RhZHSHDDE0MS4xMi42 Mi4yNjAMBgNVHRMBAf8EAjAAMB0GA1UdHwQWMBQwEqAQoA6BDGdtZGNhQGdtZC5k ZTANBgkqhkiG9w0BAQQFAANBAGkM4ben8tj76GnAE803rSEGIk3oxtvxBAu34LPW DIEDzsNqPsfnJCSkkmTCg4MGQlMObwkehJr3b2OblJmD1qQ= -----END CERTIFICATE----- 18

  19. Certificates in Practice • X.509 certificate format is defined in Abstract Syntax Notation 1 (ASN.1) • ASN.1 structure is encoded using the Distinguished Encoding Rules (DER) • A DER-encoded binary string is typically base-64 encoded to get an ASCII representation (previous slide) 19

  20. Certificate Revocation Scenarios What if: • Bob’s CA goes out of control? • Bob left the company? • Bob forgets his private key? • Someone steals Bob’s private key? • Bob willingly discloses his private key? • Eve can decrypt/sign while Bob’s certificate is still valid ... • Bob reports key loss to CA (or CA finds out somehow) • CA issues a Certificate Revocation List (CRL) • Distributed in public announcements • Published in public databases • When verifying Bob’s signature or encrypting a message for Bob, Alice first checks if Bob’s certificate is still valid! • IMPORTANT: what about signatures “Bob” generated before he realized his key is lost? 20

  21. Certificate is a cap apab abili lity ty • Certificate revocation needs to occur when: • certificate holder key compromise/loss • CA key compromise • end of contract (e.g., certificates for employees) • Certificate Revocation List (CRL) lists certificates that are not yet naturally expired but revoked • CRL should be reissued periodically, even there if no new revocation activity! WHY? 21

  22. Requirements for Revocation • Timeliness • Before using a certificate, must check most recent revocation status • Efficiency • Computation • Bandwidth and Storage • Availability • Security 22

  23. Types of Revocation • Implicit • Each certificate is frequently/periodically re-issued • Alice has a current valid certificate  Alice is not revoked • No need to distribute/publish revocation info • Explicit • Only revoked certificates are periodically announced • Alice ’ s certificate is not listed among the revoked  Alice is not revoked • Need to distribute/publish revocation info 23

  24. Revocation Methods Explicit: • CRL - Certificate Revocation List • Sources: CRL-DP, indirect CRL, dynamic CRL-DP • Delta-CRL, windowed CRL, etc. • Certificate Revocation Tree (CRT) and other Authenticated Data Structures • OCSP – On-line Certificate Status Protocol Implicit: • CRS - Certificate Revocation System 24

  25. Certificate Revocation List (CRL) • Off-line mechanism • CRL = list of revoked certificates (e.g., SNs) signed by a revocation authority (RA) • RA not always CA that issued the revoked PKC • Periodically issued: daily, weekly, monthly, etc. 25

  26. Pros & Cons of CRLs • Pros • Simple • Does not need secure channels for CRL distribution • Cons • Timeliness: “ window of vulnerability ” • CRLs grow and can become huge • How to distribute CRLs reliably? 26

  27. X.509 CRL Format 27

  28. Certificate Revocation Tree (CRT) • Proposed by in 1998 by P. Kocher • Based on so-called hash trees • Hash trees first proposed by R. Merkle in another context in 1979 (one-time signatures) 28

  29. Merkle Hash Tree Example • Need to authenticate a sequence of values: D 0 , D 1 , …, D N • Construct binary tree over data values • Arrows represent hashing, e.g., T 4 = H ( D 2 , D 3 ) • The root is T 0 T 0 T 1 T 2 T 3 T 4 T 5 T 6 D 0 D 1 D 2 D 3 D 4 D 5 D 6 D 7

  30. Merkle Hash Trees: II • Verifier knows T 0 • How can verifier authenticate tree leaf D i ? • Solution: re-compute T 0 using D i • Example: to authenticate D 2 , send D 2 and co-path=[D 3 ,T 3 , T 2 ] • Verify T 0 = H( H( T 3 || H( D 2 || D 3 )) || T 2 ) T 0 T 1 T 2 T 3 T 4 T 5 T 6 D 0 D 1 D 2 D 3 D 4 D 5 D 6 D 7

  31. CRT Contd. • Express ranges of SN of PKC ’ s as tree leaf labels: • E.g., (5—12) means: 5 and 12 are revoked, those larger than 5 and less than 12 are okay • Place the hash of the range in the leaf • Response includes the corresponding tree leaf, the necessary hash values along the path to the root, the signed root • The CA periodically updates the structure and distributes to untrusted servers called Confirmation Issuers 31

  32. Ex Exam ample of of C CRT: each l each lea eaf = = rang ange o of v val alid c certi rtific icates HASH (- ∞ to 7) N 0,0 query: Is 67 revoked? N 1,0 HASH HASH N 0,1 (7 to 23) N 2,0 HASH HASH N 0,2 (23 to 27) N 1,1 HASH HASH Signed N 0,3 (27 to 37) HASH root (N 3,0 ) HASH N 0,4 (37 to 49) N 1,2 HASH HASH N 0,5 (49 to 54) N 2,1 HASH HASH N 0,6 (54 to 88) N 1,3 HASH HASH (88 to + ∞ ) N 0,7 32

  33. Cha Charact cter eristics of of CRT • Each response (leaf + co-path) represents a proof • Length of proof is: O(log n) • Much shorter than CRL which is O(n) • Where n is # of revoked certificates • Only one “ real ” signature for the whole tree – over the root 33

  34. Expl plici cit R Revoc ocation: O OCSP CSP • OCSP = On-line Certificate Status Protocol (RFC 2560) - June 1999 • Used in place of or, as a supplement to, checking CRLs • Conveys instantaneous status of a PKC • Especially suitable for sensitive, volatile settings, e.g., stock trades, electronic funds transfer, military 34

  35. OCSP Players 1. Cert request 2. Bob Bob CA OCSP responder 6. Transaction response 5. OCSP response / Error message 4. OCSP request Alice 3. Transaction + Bob request 35

  36. OCSP Definitive Response • All definitive responses have to be signed: • either by issuing CA • or by a Trusted Responder (OCSP client trusts the TR’s PKC) • or by a CA Authorized Responder which has a special PKC (issued by the CA) saying that it can issue OCSP responses on CA’s behalf 36

  37. Responses for Each Certificate • Response format: • target PKC SN • PKC status: • good - positive answer • revoked - permanently/temporarily (on-hold) • unknown - responder doesn’t know about the certificate being requested • response validity interval • optional extensions 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

3 HS HSC 2020 Head Head Star art t Lec ectur ture PD PD/H/PE: PE: Cor Core Top opics

3 HS HSC 2020 Head Head Star art t Lec ectur ture PD PD/H/PE: PE: Cor Core Top opics

3 HS HSC 2020 Head Head Star art t Lec ectur ture PD PD/H/PE: PE: Cor Core Top opics Introd oduction on Presented by: Lucy DaSilva Who Am I? Graduated in 2017 with an ATAR of 97.70 My subjects: Mathematics English Advanced

1.72k views • 127 slides
TIMES MES Lec ectur ure T e Title Name Sl Slides es Abstra stract WEL WELCOME DA ME

TIMES MES Lec ectur ure T e Title Name Sl Slides es Abstra stract WEL WELCOME DA ME

TIMES MES Lec ectur ure T e Title Name Sl Slides es Abstra stract WEL WELCOME DA ME DAY FR FRI 2: 2:00 P 00 PM Welcome Steve E. Sampson, DO Download Slides 1 WEL WELCOME DA ME DAY FR FRI 2: 2:00 P 00 PM Mobile App

414 views • 4 slides
Quokka Quokka Archit Architect ect Soc ocial ial Ar Arch chit itec ectur ture Clara

Quokka Quokka Archit Architect ect Soc ocial ial Ar Arch chit itec ectur ture Clara

Quokka Quokka Archit Architect ect Soc ocial ial Ar Arch chit itec ectur ture Clara Cavallero Clavero Blanca Caturla Snchez Jose Luis de la Cruz Garca Marta Marbn Ortiz Beatriz Solera Heredia Aitor Zurita Daz HOMEmade.

1.06k views • 57 slides
Today My Info : Timings for the class References Pre-Requisites Survey How you

Today My Info : Timings for the class References Pre-Requisites Survey How you

Complexity & Analysis of Data Complexity & Analysis of Data Complexity & Analysis of Data Structures & Algorithms Structures & Algorithms Structures & Algorithms Piyush Kumar Piyush Kumar (Lect (Lect ectur ectur

449 views • 23 slides
THE MULTI TI-DATAFLOW TAFLOW COMPOSE OSER R TOOL: L: A RUNTIME TIME RECONFIG ONFIGUR

THE MULTI TI-DATAFLOW TAFLOW COMPOSE OSER R TOOL: L: A RUNTIME TIME RECONFIG ONFIGUR

Confer erence ence on Design gn and Architect ectur ures es for Signal and Image e Processing ng -2011 Electron onic ic Chips & S Systems design gn Initiat iativ ive Nov ovem ember 2nd-4th, , 2011, Tampere, e, Finland nd

567 views • 41 slides
Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 Overview In previous parts of this chapter: Modeling behaviour with

773 views • 74 slides
Glacier Hydrology Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Water sources - Basal

Glacier Hydrology Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Water sources - Basal

Glacier Hydrology Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Water sources - Basal melting - Surface melting, precipitation Subglacial hydrology - Sheet flow - Tunnels / channels - Cavities - Canals - Lakes Large-scale models Glacier

446 views • 22 slides
ESnet's LHCONE Service Presented by Jason Zurawski, zurawski@es.net Science Engagement Authored

ESnet's LHCONE Service Presented by Jason Zurawski, zurawski@es.net Science Engagement Authored

ESnet's LHCONE Service Presented by Jason Zurawski, zurawski@es.net Science Engagement Authored by March 23 rd 2015 Joe Metzger metzger@es.net Network Engineering What is LHCONE? LHCONE is a Global Science Overlay Network designed for high

689 views • 14 slides
NFC-enabled Attack on Cyber Physical Systems: A Practical Case Study Fan Dang 1 , Pengfei Zhou 1,

NFC-enabled Attack on Cyber Physical Systems: A Practical Case Study Fan Dang 1 , Pengfei Zhou 1,

1 NFC-enabled Attack on Cyber Physical Systems: A Practical Case Study Fan Dang 1 , Pengfei Zhou 1, 2 , Zhenhua Li 1 , Yunhao Liu 1 1 School of Software, Tsinghua University, China 2 Beijing Feifanshi Technology Co., Ltd., China 2 Outline

1.01k views • 21 slides
Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of Cambridge (Joint with Giampaolo Bella and Fabio Massacci) Plan of Talk The SET Protocol Defining the Formal Models Verifying the

570 views • 24 slides
1 Wendell Crenshaw Technologies presents 1 2 Tumbleweed 2 All Your Baseband Are Belong To

1 Wendell Crenshaw Technologies presents 1 2 Tumbleweed 2 All Your Baseband Are Belong To

1 Wendell Crenshaw Technologies presents 1 2 Tumbleweed 2 All Your Baseband Are Belong To Us over-the-air exploitation of memory corruptions in GSM software stacks Ralf-Philipp Weinmann Laboratory for Algorithmics, Cryptology &

737 views • 45 slides
A Little Knowledge is a Dangerous Thi Thing Technology Transfer Workshops Technology Transfer

A Little Knowledge is a Dangerous Thi Thing Technology Transfer Workshops Technology Transfer

NORDUnet Nordic I nfrastructure for Research & Education A Little Knowledge is a Dangerous Thi Thing Technology Transfer Workshops Technology Transfer Workshops Training the community in new networking technologies Jerry Sobieski

660 views • 30 slides
Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest

Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest

Computer-Aided Security Proofs, Aarhus, Oct 9 13 2017 Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest VERified End-to-end Secure Transport Everest*: Verified Drop-in Replacements for TLS/HTTPS

464 views • 34 slides
Corporation for National and Community Service Programs and Funding Nov. 6, 2019 Welcome

Corporation for National and Community Service Programs and Funding Nov. 6, 2019 Welcome

Corporation for National and Community Service Programs and Funding Nov. 6, 2019 Welcome William Snow Office of Special Needs Assistance Programs U.S. Department of Housing and Urban Development Corporation for National & Community

545 views • 51 slides
The Role of the Head in the Interpretation of English Deverbal Compounds Gianina Iordchioaia i ,

The Role of the Head in the Interpretation of English Deverbal Compounds Gianina Iordchioaia i ,

The Role of the Head in the Interpretation of English Deverbal Compounds Gianina Iordchioaia i , Lonneke van der Plas ii , Glorianna Jagfeld i (Universitt Stuttgart i , University of Malta ii ) Wen wurmt der Ohrwurm? An interdisciplinary,

608 views • 37 slides
Comparing the Performance of Abstract Syntax Notation One (ASN.1) vs. eXtensible Markup Language

Comparing the Performance of Abstract Syntax Notation One (ASN.1) vs. eXtensible Markup Language

Comparing the Performance of Abstract Syntax Notation One (ASN.1) vs. eXtensible Markup Language (XML) Presented By: Prof. D.W.Chadwick Other Author: D.Mundy Thanks to: ISSRG Information Systems Security Research Group Contact:

613 views • 20 slides
Using Routing Policies Using Routing Policies Mark Prior Mark Prior Core Engineering Group

Using Routing Policies Using Routing Policies Mark Prior Mark Prior Core Engineering Group

Using Routing Policies Using Routing Policies Mark Prior Mark Prior Core Engineering Group Core Engineering Group connect.com.au connect.com.au Topics Topics Why define a routing policy? Why define a routing policy? How to

247 views • 12 slides
Analysis of Krylov subspace methods: Moments, error estimators, numerical stability and

Analysis of Krylov subspace methods: Moments, error estimators, numerical stability and

Analysis of Krylov subspace methods: Moments, error estimators, numerical stability and unexpected consequences Zden ek Strako Academy of Sciences and Charles University, Prague http://www.cs.cas.cz/strakos A joint work with Dianne P

840 views • 64 slides
Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure Routing? Current routing protocols assume trusted environment! Even misconfigurations severely disrupt Internet routing Secure routing

245 views • 22 slides
Eigenspace estimation for source localization using large random matrices Pascal Vallet (1) Joint

Eigenspace estimation for source localization using large random matrices Pascal Vallet (1) Joint

Eigenspace estimation for source localization using large random matrices Pascal Vallet (1) Joint work with Philippe Loubaton (1) and Xavier Mestre (2) (1) LabInfo IGM (CNRS-UMR 8049) / Universit Paris-Est (2) Centre Tecnologic de

812 views • 68 slides
Brief Introduction to the Internet Standard Management Framework Part 2: Structure of Management

Brief Introduction to the Internet Standard Management Framework Part 2: Structure of Management

Brief Introduction to the Internet Standard Management Framework Part 2: Structure of Management Information Version 2 (SMIv2) The SMI is the Data Definition Language, based loosely on an old version of ASN.1 and used to model and

517 views • 17 slides
Prolongable Satisfaction Classes and Iterations of Uniform Reflection over PA Mateusz eyk

Prolongable Satisfaction Classes and Iterations of Uniform Reflection over PA Mateusz eyk

Prolongable Satisfaction Classes and Iterations of Uniform Reflection over PA Mateusz eyk Institute of Philosophy, University of Warsaw Wormshop 2017 , Moscow, October 23, 2017 Very brief introduction This research is about the relations

1.1k views • 87 slides
Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007, New Delhi Agenda Agenda bashing Do you want to see the labs, or want to discuss issues Netflow What it is and how it works

1.1k views • 91 slides
Unit testing and mocking with cmocka Unit testing and mocking with cmocka SambaXP 2018 SambaXP

Unit testing and mocking with cmocka Unit testing and mocking with cmocka SambaXP 2018 SambaXP

Unit testing and mocking with cmocka Unit testing and mocking with cmocka SambaXP 2018 SambaXP 2018 Andreas Schneider Red Hat Samba Maintainer About me About me Free and Open Source Software Developer: cmocka - a unit testing framework for

1.27k views • 40 slides

More recommend