M M 4. PKIX 7. peer 2 peer 8. Identity 5. Cross Certification - - PowerPoint PPT Presentation



SLIDE 1

PKI architectures: references

FOUNDATIONS OF CODING

Compression, Encryption, Error Correction

Jean-Guillaume Dumas • Jean-Louis Roch Éric Tannier • Sébastien Varrette

ljk.imag.fr/membres/Jean-Guillaume.Dumas/Enseignements/PKI

  • 1. Motivation
  • 2. Ingredients
  • 3. Principle
  • 4. PKIX
  • 5. Cross Certification
  • 6. Trust anchors
  • 7. peer 2 peer
  • 8. Identity
  • 9. Deployment
  • 10. Tools
  • 11. Authentication & key exchange
  • 12. Secure communications
    • Secure channel
    • Secure routing
    • Secure messaging
    • Secure payment
  • 13. Policies & Evaluation

[Diagram: PKI ecosystem map. Terms shown: FIPS 140, NIST, OpenSSL, LDAPS, Merchant, Trust services, Internet, Online merchant, ANSSI, European regulations, IKE, IPSec, Employer's network, EMV, Bank, 3D-Secure, SET, TOR, Monkeysphere, Providers, Directives, eIDAS, Bitcoin, PKIX, EV certificates, HTTPS, S/MIME, RGS, CA (AC), WWW, X.509, IGC/A, PGP, Signature, TLS, e-government, Trust service providers, GPG, DNSSec, Industry, Security products, CC, CSPN, Qualification, e-mail (@).]

[Diagram: A = f(M)? Alice computes A = f(M) and sends M together with A; Bob checks whether A = f(M).]

SLIDE 2

[Diagram: digital signature. Alice runs the public key and private key generation, then the signature function, which takes the hash of the document and her private key and produces the signed document (document + signature). Bob extracts the document and the signature, hashes the document and runs the signature verification algorithm with Alice's public key; response: valid signature or invalid signature.]

[Diagram: RSASSA-PSS encoding of a message M: M is hashed to mH; 00...00 || mH || salt is hashed to H; MGF(H) gives the mask applied to 00...00 || 0x01 || salt; the encoded message ends with the trailer byte 0xbc.]

PKCS Standards Summary (from Wikipedia): number (version), name: comments

  • PKCS #1 (v2.1), RSA Cryptography Standard: see RFC 3447. Defines the mathematical properties and format of RSA public and private keys (ASN.1-encoded in clear-text), and the basic algorithms and encoding/padding schemes for performing RSA encryption, decryption, and producing and verifying signatures.
  • PKCS #2 (withdrawn): no longer active as of 2010. Covered RSA encryption of message digests; subsequently merged into PKCS #1.
  • PKCS #3 (v1.4), Diffie–Hellman Key Agreement Standard: a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.
  • PKCS #4 (withdrawn): no longer active as of 2010. Covered RSA key syntax; subsequently merged into PKCS #1.
  • PKCS #5 (v2.0), Password-based Encryption Standard: see RFC 2898 and PBKDF2.
  • PKCS #6 (v1.5), Extended-Certificate Syntax Standard: defines extensions to the old v1 X.509 certificate specification. Obsoleted by v3 of the same.
  • PKCS #7 (v1.5), Cryptographic Message Syntax Standard: see RFC 2315. Used to sign and/or encrypt messages under a PKI. Also used for certificate dissemination (for instance as a response to a PKCS #10 message). Formed the basis for S/MIME, which is as of 2010 based on RFC 5652, an updated Cryptographic Message Syntax Standard (CMS). Often used for single sign-on.
  • PKCS #8 (v1.2), Private-Key Information Syntax Standard: see RFC 5208. Used to carry private certificate keypairs (encrypted or unencrypted).
  • PKCS #9 (v2.0), Selected Attribute Types: see RFC 2985. Defines selected attribute types for use in PKCS #6 extended certificates, PKCS #7 digitally signed messages, PKCS #8 private-key information, and PKCS #10 certificate-signing requests.
  • PKCS #10 (v1.7), Certification Request Standard: see RFC 2986. Format of messages sent to a certification authority to request certification of a public key. See certificate signing request.
  • PKCS #11 (v2.20), Cryptographic Token Interface: also known as "Cryptoki". An API defining a generic interface to cryptographic tokens (see also Hardware Security Module). Often used in single sign-on, public-key cryptography and disk encryption systems.
  • PKCS #12 (v1.0), Personal Information Exchange Syntax Standard: defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key. PFX is a predecessor to PKCS #12. This container format can contain multiple embedded objects, such as multiple certificates. Usually protected/encrypted with a password. Usable as a format for the Java key store and to establish client authentication certificates in Mozilla Firefox. Usable by Apache Tomcat.
  • PKCS #13, Elliptic Curve Cryptography Standard: under development as of 2012.
  • PKCS #14, Pseudo-random Number Generation: under development as of 2012.
  • PKCS #15 (v1.1), Cryptographic Token Information Format Standard: defines a standard allowing users of cryptographic tokens to identify themselves to applications, independent of the application's Cryptoki implementation (PKCS #11) or other API. RSA has relinquished IC-card-related parts of this standard to ISO/IEC 7816-15.

[Diagram: Kerberos exchange between Alice (key K_A), the KDC (AS: Authentication Server; TGS: Ticket-Granting Service, key K_tgs; database of clients and keys) and Bob (key K_B). The ticket for the TGS, T_a,tgs, carries (K_a,tgs || Alice || ...) under K_tgs; the ticket for Bob, T_a,b, carries (K_a,b || Alice || ...) under K_B.
(1) KRB_AS_REQ: ticket request for the TGS
(2) KRB_AS_REP: ticket for the TGS (T_a,tgs, session key K_a,tgs)
(3) KRB_TGS_REQ: ticket request for Bob
(4) KRB_TGS_REP: ticket for Bob (T_a,b, session key K_a,b)
(5) KRB_AP_REQ: service request
(6) KRB_AP_REP: Bob's answer (t+1)]

SLIDE 3

[Diagram: cross-realm Kerberos. Realm 1: KDC Kerberos with AS 1 and TGS 1 (key K_tgs1), Alice (K_A). Realm 2: KDC Kerberos with AS 2 and TGS 2 (key K_tgs2), Bob (K_B).
(1) KRB_AS1_REQ
(2) KRB_AS1_REP
(3) KRB_TGS1_REQ: for TGS2
(4) KRB_TGS1_REP: ticket for TGS2
(5) KRB_TGS2_REQ: for Bob
(6) KRB_TGS2_REP: ticket for Bob
(7) KRB_AP_REQ: service request]

[Diagram: PKI users and PKI administration. Entity (Alice), RA, CA, Directory holding Certificates + CRL, and another entity using certificates (Bob).
(1) Certificate request
(2) Applicant authentication
(3) Certification request
(4) CA publishes the certificate in the directory
(5) (Possibly) CA provides the certificate to Alice
Bob: lookup of certificates and CRL in the directory.]

X.509 Electronic Certificate (example values from the slide):

  • Version: v3 (0x2)
  • Serial Number: 14 (0xE)
  • Signature Algorithm ID: md5WithRSAEncryption
  • Issuer Name: C (country): France; L (Locality): Grenoble; ST (State or Province): Isère; O (Organisation): UdG; OU (Organizational Unit): icluster; CN (Common Name): Icluster_CA; E (Email): ca@udg.fr; STREET (Address): 50 av Jean Kuntzmann
  • Validity Period: Start Date/Time (Not Before): Jun 8 14:52:40 2003 GMT; End Date/Time (Not After): Jun 7 14:52:40 2004 GMT
  • Subject Name: C (country): France; L (Locality): Grenoble; ST (State or Province): Isère; O (Organisation): UdG; OU (Organizational Unit): LJK; CN (Common Name): Jean-Guillaume Dumas; E (Email): Jean-Guillaume.Dumas@imag.fr; STREET (Address): 51, av des Mathématiques
  • Subject Public Key Info: Algorithm ID: rsaEncryption; Public Key Value: RSA Public Key (1024 bit), Modulus (1024 bits): 00:b3:e4:4f:......., Exponent: 65537 (0x10001)
  • Issuer Unique ID
  • Subject Unique ID
  • Extensions
  • Signature: Algorithm ID and Signature Value, computed over the certificate with the CA private key

SLIDE 4

[Diagram: certificate chain verification by Bob.
Root Certificate: Subject: Ivan; Issuer: Ivan; Pub. key: KpubI; Signature: r (certificate signature by Ivan over the hash of the certificate).
Signed Certificate: Subject: Alice; Issuer: Ivan; Pub. key: KpubA; Signature: s (certificate signature with the signature algorithm, hash function and Ivan's key).
Steps: 1°) Recovery; 2°) Extraction: Issuer == Ivan; 3°) Recovery; 4°) Extraction: public key of Alice; 5°) Signature verification; 6°) Signature verification algorithm (hash function, public key of Ivan); 7°) Key: OK.]

SLIDE 5

Reasons to revoke a certificate [RFC 5280]

  • unspecified (0)
  • keyCompromise (1)
  • CACompromise (2)
  • affiliationChanged (3)
  • superseded (4)
  • cessationOfOperation (5)
  • certificateHold (6)
  • removeFromCRL (8)
  • privilegeWithdrawn (9)
  • AACompromise (10)

Obs.: Value 7 is not used.

Algorithm OIDs (algorithm, hash, OID, identifier):

  • 3DES-CBC: 1.2.840.113549.3.7, DES-EDE3-CBC
  • RSA: 1.2.840.113549.1.1.1, RSAEncryption
  • RSA with MD5: 1.2.840.113549.1.1.4, md5withRSAEncryption
  • RSA with SHA-1: 1.2.840.113549.1.1.5, sha1withRSAEncryption
  • DSA: 1.2.840.10040.4.1, id-dsa
  • DSA with SHA-1: 1.2.840.10040.4.3, id-dsawithSha1
  • DSA with SHA-1.320: 1.3.14.3.2, id-dsawithSha1.320
  • ECDSA with SHA-1: 1.2.840.10045.1, ecdsawithSha1

SLIDE 6

SLIDE 7

[Table: CA key rollover. A certificate is signed with NEWpriv or with OLDpriv; the verifier's PSE holds NEWpub or OLDpub.
  • Repository contains OLD and NEW:
    • certificate signed with NEWpriv, PSE with NEWpub: DIRECT verification within the PSE (without the Repository)
    • certificate signed with NEWpriv, PSE with OLDpub: recover NEWwOLD, verify NEWwOLD with OLDpub, then verify the certificate with NEWpub
    • certificate signed with OLDpriv, PSE with OLDpub: DIRECT verification within the PSE (without the Repository)
    • certificate signed with OLDpriv, PSE with NEWpub: recover OLDwNEW, verify OLDwNEW with NEWpub, then verify the certificate with OLDpub
  • Repository contains only OLD: the two DIRECT cases still verify within the PSE; the two cases needing NEWwOLD or OLDwNEW are a FAILURE (Repository's fault).]

[Diagram: key transport between Alice and Bob. Alice picks r, sends C = E_Kpub-Bob(r); Bob recovers r = D_Kpriv-Bob(C); both derive K = H(r).]

SLIDE 8

[Diagram: FIPS-196 authentication between Bob and Alice, four steps (1°) to 4°)). Messages exchanged (BA: Bob to Alice, AB: Alice to Bob):
  • [TokenID] || TokenBA1
  • [TokenID] || [CertA] || TokenAB || SIGNprivA(TokenAB)
  • [TokenID] || [CertB] || TokenBA2 || SIGNprivB(TokenBA2)]

SLIDE 9

[Diagram: Root CA1 with subordinate CA2, subordinate CA3 and subordinate CA4 below CA3.]

Root CA1 prevents CA2 from adding other CAs by setting the path length to 0 within the CA2 certificate.

Root CA1 allows CA3 to add other CAs but prevents any other addition after CA4, by setting the path length to 1 within the CA3 certificate.

SLIDE 10

[Diagram: CA1, CA2 and CA3, with CA3 below CA2. CA1 issues a cross certificate with Issuer: CA1 and Subject: CA2.]

CA1 limits the trust into CA2 by setting a maximal certification path length. Thus, CA1 does not trust CA3.

SLIDE 11

System Trust Anchor Stores:

  • Debian 7: /etc/ssl/certs/ca-certificates.crt
  • Windows 7: C:\Windows\System32\certmgr.msc
  • Mac OS X: Applications > Utilities > Keychain Access
  • Android 4: Settings > Security > Credential Storage > Trusted Credentials > Display Trusted CA certificates
  • Iceweasel 31: /usr/share/ca-certificates/mozilla/*.crt
  • Firefox 36: Preferences > Privacy & Security > Certificates > Manage Certificates
  • Chrome 40: Settings > Advanced settings > Manage certificates (using certmgr.msc or Keychain)
  • Safari 5: using Keychain
  • IE 11: Internet Options > Content > Certificates (using certmgr.msc)

[Diagram: PKI 2.0 perspectives, grouped under Publication, Registration, Control and Pinning. Terms shown: EV, OCSP, CRL, SLC, AC, Convergence, DANE, Notaries, EMET, PKP, Patrol, TACK, CT, ARPKI, SK, Logs.]

[Diagram: PGP key structure (example key of Jean-Guillaume Dumas).
  • Public key packet: Version v4; Algorithm 17 (DSA); Creation 1346747452; Expiration; keyid 0F75E44DE4ADC208; Key parameters: pkey[0]: [2048 bits] prime p; pkey[1]: [256 bits] order q (divides p-1); pkey[2]: [2047 bits] generator g; pkey[3]: [2047 bits] y (= g^x mod p).
  • Identity packet: Name: Jean-Guillaume Dumas; e-Mail: Jean-Guillaume.Dumas@imag.fr.
  • Signature packet (made with the private key of the signer): Version; Algorithm; Creation; Class; Hash function; sub-packets: [32 bits] creation, [8 bits] flags, [32 bits] expiration, [40 bits] pref-sym-algos, [40 bits] pref-hash-algos, [24 bits] pref-zip-algos, [8 bits] preferences, [64 bits] keyid (subject), [8 bits] features, keyid (issuer), [16 bits] start of fingerprint; data: [256 bits] r, [256 bits] s.]

SLIDE 12

PGP signature classes:

  • 0x00 Signature of a binary document
  • 0x01 Signature of a canonical text document
  • 0x02 Standalone signature
  • 0x10 Generic certification of a User ID and Public-Key packet
  • 0x11 Persona certification of a User ID and Public-Key packet
  • 0x12 Casual certification of a User ID and Public-Key packet
  • 0x13 Positive certification of a User ID and Public-Key packet
  • 0x18 Subkey Binding Signature
  • 0x19 Primary Key Binding Signature
  • 0x1F Signature directly on a key
  • 0x20 Key revocation signature
  • 0x28 Subkey revocation signature
  • 0x30 Certification revocation signature
  • 0x40 Timestamp signature
  • 0x50 Third-Party Confirmation signature

Data hashed for a v4 key fingerprint (field, size in bytes, content):

  • a.1, 1: 0x99
  • a.2, 1: most-significant bits of the size of fields (b) to (e)
  • a.3, 1: least-significant bits of the size of fields (b) to (e)
  • b, 1: version number = 4
  • c, 4: key creation date
  • d, 1: signature algorithm (e.g., 17 for DSA)
  • e: specific to the algorithm, e.g., for DSA:
    • e.1, 256: prime number (e.g., p on 2048 bits)
    • e.2, 32: group order (e.g., q on 256 bits)
    • e.3, 256: group generator (e.g., g on 2048 bits)
    • e.4, 256: public key value (e.g., y on 2048 bits)
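The fingerprint computation described by the table above, as an added example that is not part of the slides: it builds the body (fields b to e) of a v4 DSA public key packet from constructed, toy-sized values (not real 2048-bit DSA parameters), prefixes the 0x99 byte and the two-byte length (fields a.1 to a.3), hashes with SHA-1, and derives the 64-bit key ID, which is the low-order eight bytes of the fingerprint. The parser walks the fields back out so the layout can be checked.

```python
import hashlib
import struct

# Constructed example values: toy-sized DSA-like parameters, NOT real 2048-bit DSA.
# Only the packet layout is exercised; the relation y = g^x mod p is not checked.
TOY_P = 0xD5F3A12B9C7E4F01
TOY_Q = 0x9AB3
TOY_G = 0x4C21E0
TOY_Y = 0x1F3E5D7C9BA0
TOY_CREATION = 1346747452  # creation time quoted on the slide (Unix seconds)
ALGO_DSA = 17              # public key algorithm id for DSA (field d)

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit length, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def build_v4_dsa_body(creation: int, p: int, q: int, g: int, y: int) -> bytes:
    """Fields (b) to (e): version 4, 4-byte creation date, algorithm 17, then p, q, g, y."""
    return struct.pack(">BIB", 4, creation, ALGO_DSA) + mpi(p) + mpi(q) + mpi(g) + mpi(y)

def fingerprint_v4(body: bytes) -> str:
    """Fields (a.1)-(a.3): 0x99 and the 2-byte size of (b)..(e), then SHA-1 over everything."""
    hashed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(hashed).hexdigest().upper()

def keyid_v4(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes (16 hex digits) of the v4 fingerprint."""
    return fingerprint[-16:]

def parse_v4_body(body: bytes) -> dict:
    """Read the fields back; MPIs come out as (bit length, value) like the slide's pkey[i] view."""
    version, creation, algo = struct.unpack(">BIB", body[:6])
    if version != 4:
        raise ValueError("only v4 key packets are handled here")
    pos, mpis = 6, []
    while pos < len(body):
        (bits,) = struct.unpack(">H", body[pos:pos + 2])
        nbytes = (bits + 7) // 8
        mpis.append((bits, int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big")))
        pos += 2 + nbytes
    if pos != len(body):
        raise ValueError("truncated MPI data")
    return {"version": version, "creation": creation, "algorithm": algo, "mpis": mpis}

if __name__ == "__main__":
    body = build_v4_dsa_body(TOY_CREATION, TOY_P, TOY_Q, TOY_G, TOY_Y)
    fpr = fingerprint_v4(body)
    print("fingerprint:", fpr)
    print("key id     :", keyid_v4(fpr))
    print("fields     :", parse_v4_body(body))
```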

[Diagram: PGP web of trust. A user's key is signed by other keys; the signers are a trustworthy signer, a partially trusted signer or an unknown signer (?), and the key is granted confidence accordingly. Arrows read "signed the key of".]

[Table: PGP private keyring, one row per key: keyid (e.g., 0x70096AD1), public key KUi, ciphered private key E_H(Pi)(KRi), timestamp Time_i, user User_i.]

SLIDE 13

[Table: PGP public keyring, one row per key: keyid (e.g., 0x70096AD1), public key KUi, ciphered private key E_H(Pi)(KRi), timestamp Time_i, user User_i, trust trust_i, signature sign_i.]

[Diagram: authorisation certificates between a User, a Controller and a Resource. 1) Registration: the user is registered (certificate with Issuer, Subject: User, Auth: Controller, Delegation, Validity: ...). 2) Request; 3) Authorisation (certificate with Issuer, Subject: Controller, Auth: Resource, Delegation, Validity: ...). The user transfers the certificate to the requested resource.]

SLIDE 14

[Diagram: identity-based key setup. The PKG (Private Key Generator) holds the master key; after authenticating Alice (off-line), it delivers Alice's private key over a secure channel.]

[Diagram: identity-based authentication with Alice as signer and Bob as verifier: 1°) Generate d; 2°) d; 3°) Random R; 4°) C = ID_M(R); 5°) D_d(C) =?= R associated to ID_M.]

[Diagram: combined identity-based and public-key encryption from the sender to the receiver (Bob): 1°) Pub. key of Bob (repository); 2°) B = E_idBob(M); 3°) C = E_pubBob(B); 4°) C is sent to the receiver.]

SLIDE 15

SLIDE 16

[Diagram: PKI deployment lifecycle [Anas Abou El Kalam]: Conception, Architecture, Analysis, Implementation, Deployment, Audit, Strategy. Business Process: Legal, Technical, Value for the client.]

[Timeline: security evaluation criteria.
  • 1985: TCSEC (USA)
  • 1991: ITSEC v1.2 (European national initiatives: Fr, Ge, UK, NL)
  • 1993: CTCPEC v3.0 (Canada, from Canadian initiatives); Federal Criteria (USA)
  • 1996: CC v1.0 (Can, Fr, Ge, Jp, UK, NL, USA)
  • 1999: CC v2.1 <==> ISO 15408:1999
  • 2005: CC v2.3 <==> ISO 15408:2005
  • 2006: CC v3.1 (2012, r4)]