PKI - Milan Sova, CESNET EuroCAMP, Porto, 2005-11-07 (PowerPoint presentation)

SLIDE 1

PKI

Milan Sova, CESNET EuroCAMP, Porto, 2005-11-07

SLIDE 2

Public Key Infrastructure

  • Public key cryptography
    – pair of keys
      • public key (encryption, signature verification)
      • private key (decryption, signing)
  • Infrastructure
    – binding public keys to identities
    – public key management
      • revocation, key usage...

SLIDE 3

PKI Architectures

  • PGP
    – everybody can provide identity assertions
    – "Web of trust"
  • X.509
    – defines roles for entities
    – separated identity providers (Certificate Authorities)
    – hierarchical management of trust

SLIDE 4

X.509 PKI

SLIDE 5

X.509 PKI Roles

  • Certificate Authority
    – certificate issuer
  • Registration Authority
    – identity vetting
  • End Entity
    – private key holder
  • Relying Party ("user")
    – relies on the certificate

SLIDE 6

X.509 Certificate

SLIDE 7

X.509 Certificate - Content

  • public key
  • validity
  • subject names
  • issuer names
  • key usage restrictions
  • operational information
    – serial number, standard version, policies, CDP, AIA
  • issuer signature

SLIDE 8

X.509 Certificate - Structure

Certificate ::= SEQUENCE {
    tbsCertificate        TBSCertificate,
    signatureAlgorithm    AlgorithmIdentifier,
    signatureValue        BIT STRING }

TBSCertificate ::= SEQUENCE {
    version               [0] EXPLICIT Version DEFAULT v1,
    serialNumber          CertificateSerialNumber,
    signature             AlgorithmIdentifier,
    issuer                Name,
    validity              Validity,
    subject               Name,
    subjectPublicKeyInfo  SubjectPublicKeyInfo,
    issuerUniqueID        [1] IMPLICIT UniqueIdentifier OPTIONAL,
    subjectUniqueID       [2] IMPLICIT UniqueIdentifier OPTIONAL,
    extensions            [3] EXPLICIT Extensions OPTIONAL }

SLIDE 9

X.509 Certificate - Structure

Version ::= INTEGER { v1(0), v2(1), v3(2) }

CertificateSerialNumber ::= INTEGER

Validity ::= SEQUENCE {
    notBefore             Time,
    notAfter              Time }

Time ::= CHOICE {
    utcTime               UTCTime,
    generalTime           GeneralizedTime }

UniqueIdentifier ::= BIT STRING

SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm             AlgorithmIdentifier,
    subjectPublicKey      BIT STRING }

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

SLIDE 10

Validity

  • notBefore
  • notAfter
    – dates
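The ASN.1 on slides 8 and 9 and the Validity dates of slide 10, worked through in code. This is an added example, not material from the slides: it encodes a toy Certificate in DER with the fields listed above and then walks it back out, including the two-digit-year rule for UTCTime. Every value (serial number, names, dates) is constructed, the public key and signature are zero-filled placeholders, and the Name is reduced to a single CN attribute; the point is the structure, not signature verification.

```python
"""Encode a toy DER Certificate with the TBSCertificate fields of slides 8-10
and parse it back.  Added example: all values are constructed and the
signature is a zero-filled placeholder, so this walks the structure only."""
from datetime import datetime, timezone

# ---- minimal DER encoder ----------------------------------------------------
def _length(n):                              # definite-length form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def der_int(n):                              # minimal two's-complement INTEGER
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def der_oid(dotted):                         # first two arcs packed, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def der_seq(*items): return tlv(0x30, b"".join(items))
def der_set(*items): return tlv(0x31, b"".join(items))
def der_utctime(dt): return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
def der_bits(raw):   return tlv(0x03, b"\x00" + raw)        # 0 unused bits

def der_name(cn):    # Name ::= SEQUENCE OF SET OF {type OID, value PrintableString}
    return der_seq(der_set(der_seq(der_oid("2.5.4.3"), tlv(0x13, cn.encode("ascii")))))

SHA256_WITH_RSA = der_seq(der_oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))
RSA_ENCRYPTION  = der_seq(der_oid("1.2.840.113549.1.1.1"), tlv(0x05, b""))

def build_certificate(serial, issuer_cn, subject_cn, not_before, not_after):
    tbs = der_seq(
        tlv(0xA0, der_int(2)),                                 # version [0] EXPLICIT, v3
        der_int(serial),                                       # serialNumber
        SHA256_WITH_RSA,                                       # signature AlgorithmIdentifier
        der_name(issuer_cn),                                   # issuer
        der_seq(der_utctime(not_before), der_utctime(not_after)),  # validity
        der_name(subject_cn),                                  # subject
        der_seq(RSA_ENCRYPTION, der_bits(b"\x00" * 8)))        # subjectPublicKeyInfo (toy)
    return der_seq(tbs, SHA256_WITH_RSA, der_bits(b"\x00" * 16))  # placeholder signatureValue

def sample_certificate():
    """Constructed sample: serial 0x1234, valid 2005-11-07 to 2006-11-07."""
    return build_certificate(0x1234, "Test CA", "myserver",
                             datetime(2005, 11, 7, tzinfo=timezone.utc),
                             datetime(2006, 11, 7, tzinfo=timezone.utc))

# ---- minimal DER decoder ----------------------------------------------------
def parse_tlv(buf, off=0):
    """Return (tag, value, offset just past this element)."""
    tag, first, off = buf[off], buf[off + 1], off + 2
    length = first
    if first & 0x80:                         # long form: low bits count length octets
        k = first & 0x7F
        length, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + length], off + length

def children(body):
    """Split a constructed element's content into (tag, value) pairs."""
    items, off = [], 0
    while off < len(body):
        tag, val, off = parse_tlv(body, off)
        items.append((tag, val))
    return items

def parse_utctime(text):
    """UTCTime has a two-digit year: RFC 3280 reads YY >= 50 as 19YY, else 20YY."""
    yy = int(text[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime.strptime(str(year) + text[2:], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_time(tag, val):                    # Time ::= CHOICE { UTCTime, GeneralizedTime }
    if tag == 0x17:
        return parse_utctime(val.decode("ascii"))
    if tag == 0x18:                          # GeneralizedTime carries a four-digit year
        return datetime.strptime(val.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("Time must be UTCTime or GeneralizedTime, got tag %#x" % tag)

def name_cn(name_body):                      # first RDN, first attribute, its value
    return children(children(children(name_body)[0][1])[0][1])[1][1].decode("ascii")

def parse_certificate(der):
    tbs, _sig_alg, _sig_value = children(parse_tlv(der)[1])
    fields = children(tbs[1])
    version = 0                              # DEFAULT v1 when the [0] element is absent
    if fields[0][0] == 0xA0:
        version, fields = int.from_bytes(children(fields[0][1])[0][1], "big"), fields[1:]
    serial, _alg, issuer, validity, subject, _spki = fields[:6]
    not_before, not_after = children(validity[1])
    return {"version": version + 1,          # v3 is encoded as INTEGER 2
            "serial": int.from_bytes(serial[1], "big", signed=True),
            "issuer": name_cn(issuer[1]), "subject": name_cn(subject[1]),
            "not_before": parse_time(*not_before), "not_after": parse_time(*not_after)}
```

The outer Certificate exceeds 127 bytes, so the decoder exercises the long-form length as well as the short form; the `[0] EXPLICIT ... DEFAULT v1` handling shows why a parser must test for the context tag rather than assume the version element is present.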

SLIDE 11

Naming

  • Distinguished Name (Subject, Issuer)
    – sequence of sets of attribute-value pairs
    – highly structured, hierarchical
    – looks like a globally unique ID
    – in fact just an "opaque string"

SLIDE 12

Naming 2

  • using existing managed name systems
    – DNS
    – RFC822
    – IP Addresses
  • subjectAltName
    { DNS: host1.domain.tld, DNS: host2.domain.tld, email: admin@domain.tld, IPAddress: 1.2.3.4 }

SLIDE 13

X.509 Certificate - Names

...
subject: cn=myserver, o=myOrg, dc=myDomain, dc=org
...
subjectAltName: { DNS: host1.domain.tld, DNS: host2.domain.tld, IPAddress: 1.2.3.4 }
...

SLIDE 14

Key Usage Restrictions

  • keyUsage (BIT STRING)
    – 0 digitalSignature
    – 1 nonRepudiation
    – 2 keyEncipherment
    – 3 dataEncipherment
    – 4 keyAgreement
    – 5 keyCertSign
    – 6 cRLSign
    – ...

SLIDE 15

Key Usage Restrictions 2

  • extendedKeyUsage (OID)
    – 1.3.6.1.5.5.7.3.1  TLS server authentication
    – 1.3.6.1.5.5.7.3.2  TLS client authentication
    – 1.3.6.1.5.5.7.3.3  code signing
    – 1.3.6.1.5.5.7.3.4  email protection
    – ...
    – 1.3.6.1.5.5.7.3.0  any usage

SLIDE 16

Key Usage Restrictions 3

  • basicConstraints
    – CA (boolean)
      • true in CA certs
      • false in EE certs (or no basicConstraints at all)
    – path length (if CA == true)
      • maximum number of non-self-issued intermediate certificates in the path

SLIDE 17

X.509 Certificate - Key Usage

...
[basicConstraints: {critical, CA: false},]
...
keyUsage: {critical, 101 (digitalSignature, keyEncipherment)},
...
extendedKeyUsage: {non-critical, 1.3.6.1.5.5.7.3.1 (tLSServerAuth)}
...
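Slides 14 to 17 describe the three usage-restriction extensions; this added example (not code from the slides) decodes the keyUsage bit string as it appears in DER, renders the "101" notation of slide 17, and then applies all three rules the way a relying party would: a leaf is fit for TLS server use only if CA is false, keyUsage permits signing or key exchange, and extendedKeyUsage (when present) includes TLS server authentication; every issuer in a path must be CA=true with keyCertSign, and its path length bounds the non-self-issued intermediates below it. The certificates are constructed dicts carrying only the fields the checks need; an absent extension is represented by a missing key and treated as "no restriction".

```python
"""Decode keyUsage and apply keyUsage / extendedKeyUsage / basicConstraints as
on slides 14-17.  Added example; the certificates are constructed dicts."""

# Bit positions from slide 14; bit 0 is the MSB of the first data octet.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"          # slide 15: TLS server authentication

def decode_key_usage(bit_string):
    """bit_string is the DER BIT STRING content: one octet with the number of
    unused trailing bits, then the data octets."""
    unused, data = bit_string[0], bit_string[1:]
    nbits = len(data) * 8 - unused
    names = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        if data[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names

def key_usage_bitmap(names):
    """Render a usage set in the '101' notation used on slide 17."""
    nbits = 1 + max(KEY_USAGE_BITS.index(n) for n in names)
    return "".join("1" if KEY_USAGE_BITS[i] in names else "0" for i in range(nbits))

def tls_server_problems(cert):
    """Reasons a leaf must not be accepted as a TLS server certificate."""
    problems = []
    if cert.get("ca"):
        problems.append("basicConstraints CA=true on a leaf certificate")
    ku = cert.get("key_usage")               # None: extension absent, no restriction
    if ku is not None and not ku & {"digitalSignature", "keyEncipherment", "keyAgreement"}:
        problems.append("keyUsage allows neither signing nor key exchange")
    eku = cert.get("eku")                    # None: extension absent, any purpose
    if eku is not None and ID_KP_SERVER_AUTH not in eku:
        problems.append("extendedKeyUsage does not include TLS server authentication")
    return problems

def path_problems(chain):
    """chain is ordered leaf first, trust anchor last.  Every issuer must be
    CA=true and hold keyCertSign; its pathLen bounds the number of
    non-self-issued intermediates between it and the leaf (slide 16)."""
    problems = []
    issuers = chain[1:]
    for idx, ca in enumerate(issuers):
        if not ca.get("ca"):
            problems.append("%s: CA=false but used as an issuer" % ca["name"])
        if ca.get("key_usage") is not None and "keyCertSign" not in ca["key_usage"]:
            problems.append("%s: keyUsage lacks keyCertSign" % ca["name"])
        path_len = ca.get("path_len")
        if path_len is not None:
            below = [c for c in issuers[:idx] if not c.get("self_issued")]
            if len(below) > path_len:
                problems.append("%s: pathLen %d exceeded, %d intermediates below it"
                                % (ca["name"], path_len, len(below)))
    return problems

def audit(chain):
    """All findings for a chain: leaf fitness plus path structure."""
    return tls_server_problems(chain[0]) + path_problems(chain)

# Constructed sample chain: the leaf of slide 17 (keyUsage bits '101' encoded
# as DER content 05 A0), one intermediate with pathLen 0, a root with pathLen 1.
LEAF = {"name": "myserver", "ca": False, "eku": {ID_KP_SERVER_AUTH},
        "key_usage": decode_key_usage(b"\x05\xa0")}
INTERMEDIATE = {"name": "Intermediate CA", "ca": True, "path_len": 0,
                "key_usage": {"keyCertSign", "cRLSign"}}
ROOT = {"name": "Root CA", "ca": True, "path_len": 1,
        "key_usage": {"keyCertSign", "cRLSign"}}
```

Inserting a second intermediate under `INTERMEDIATE` makes both `path_len` bounds fail at once, which is the situation pathLen exists to catch: a subordinate CA issuing further CA certificates it was never permitted to issue.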

SLIDE 18

Operational Information

  • version (v3)
  • serial number
  • Certificate Policies
    – OID, qualifiers
  • CRL Distribution Points
    – access to CRL (URL)
  • Authority Information Access
    – OCSP URL

SLIDE 19

X.509 CRL & Revocation

SLIDE 20

Certificate Revocation List

  • version (v2)
  • issuer
  • this update
    – time of issuance
  • next update
    – expected next issuance
  • revoked certificates
  • signature

SLIDE 21

CRL Extensions

  • CRL Extensions
    – Authority Key Identifier
    – CRL Number
  • CRL Entry Extensions
    – Reason Code
    – Invalidity Date
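Slides 20 and 21 list what a CRL carries; this added example (not from the slides) shows how a relying party uses those fields. It refuses to decide on a CRL that is outside its thisUpdate/nextUpdate window, looks a serial number up, reports the entry's reasonCode and invalidityDate, and uses the CRL Number extension to reject a CRL that is older than the one already cached. The CRL is a constructed Python dict standing in for the parsed structure; the reason-code names are those of the X.509 CRLReason enumeration.

```python
"""Use a CRL as slides 20-21 describe it: freshness from thisUpdate/nextUpdate,
lookup by serial, reasonCode / invalidityDate, and a crlNumber rollback check.
Added example; SAMPLE_CRL is constructed, not a parsed DER CRL."""
from datetime import datetime, timezone

UTC = timezone.utc
REASON_CODES = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
                3: "affiliationChanged", 4: "superseded",
                5: "cessationOfOperation", 6: "certificateHold",
                8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}

def at(year, month, day):
    """Helper for constructing UTC timestamps."""
    return datetime(year, month, day, tzinfo=UTC)

SAMPLE_CRL = {                                   # constructed sample
    "issuer": "cn=Test CA, dc=myDomain, dc=org",
    "this_update": at(2005, 11, 7),
    "next_update": at(2005, 11, 14),
    "crl_number": 42,                            # CRL extension (slide 21)
    "revoked": {                                 # serial -> entry plus entry extensions
        0x1001: {"revocation_date": at(2005, 11, 1), "reason": 1,
                 "invalidity_date": at(2005, 10, 28)},
        0x1002: {"revocation_date": at(2005, 11, 5), "reason": 6},
    },
}

class StaleCRL(Exception):
    """The CRL cannot be used to decide anything at this moment."""

def check_status(crl, issuer, serial, now):
    """Return {'status': 'good'} or a 'revoked' record for one certificate."""
    if crl["issuer"] != issuer:
        raise ValueError("CRL issuer does not match the certificate issuer")
    if now < crl["this_update"]:
        raise StaleCRL("CRL thisUpdate lies in the future; check the clock")
    if now > crl["next_update"]:
        raise StaleCRL("CRL is past nextUpdate; fetch a fresh one before deciding")
    entry = crl["revoked"].get(serial)
    if entry is None:
        return {"status": "good"}
    return {
        "status": "revoked",
        "reason": REASON_CODES.get(entry.get("reason", 0), "unspecified"),
        "revocation_date": entry["revocation_date"],
        # invalidityDate, when present, is when the key is believed to have gone bad,
        # which can be well before the CA learned of it and revoked
        "invalid_since": entry.get("invalidity_date", entry["revocation_date"]),
    }

def accept_crl_update(cached, fetched):
    """Replace a cached CRL only if the new crlNumber is not lower: an older
    CRL presented as fresh would hide revocations added since."""
    if cached is not None and fetched["crl_number"] < cached["crl_number"]:
        raise ValueError("crlNumber went backwards: %d < %d"
                         % (fetched["crl_number"], cached["crl_number"]))
    return fetched
```

The `StaleCRL` exception is deliberately distinct from a "good" answer: when the CRL has expired the honest result is "unknown", which the caller should treat as a failure to validate rather than as proof the certificate is still fine.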

SLIDE 22

On-line Certificate Status Protocol

  • request
    – certificate ID
  • response
    – status
      • good, revoked, unknown
    – signature

SLIDE 23

X.509 CA as Identity Provider

SLIDE 24

Role of CA/RA

  • identity vetting [CA/RA]
    – ALL names (Subject, subjectAltName)
  • Proof of Possession (of the private key) [CA/RA]
    – access to the private key (sign/decrypt)
    – PK delivery
  • revocation [CA/RA]
  • publishing (CP, CPS, CRL, OCSP...)
  • Certificate Policy & Certificate Practice Statement

SLIDE 25

Common Myths

SLIDE 26

Subject Content

“Subject must contain C, ST, L, O, OU, CN, Email”

  • no rules for Subject names
  • keep as short as possible
  • use DC naming
  • use subjectAltName for email
SLIDE 27

Hostname in CN

“CN must contain FQDN for host verification”

  • obsolete, never standardized
  • use subjectAltName for FQDN
    – RFC 3280, 2818, 2595
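The rule on this slide, as an added example that is not part of the presentation: hostname verification that matches the subjectAltName dNSName and iPAddress entries first and consults the CN only when the certificate carries no subjectAltName at all, in the spirit of RFC 2818. The certificates are constructed dicts (the first is the server certificate of slide 13); the wildcard handling is the conservative choice of letting `*` stand for exactly one leftmost label, which is an assumption of this example rather than something the slides specify.

```python
"""Hostname verification per slide 27 / RFC 2818: subjectAltName first, CN
only as a legacy fallback.  Added example; certificates are constructed dicts."""
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive exact match, or a '*' in the leftmost label only that
    stands for exactly one label ('*.domain.tld' matches 'host3.domain.tld'
    but neither 'domain.tld' nor 'a.b.domain.tld')."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    labels = h.split(".")
    return len(labels) >= 3 and p[2:] == ".".join(labels[1:])

def verify_hostname(cert, target):
    """cert = {"cn": str or None, "san": [("DNS", name) | ("IP", address)]}.
    Returns (accepted, reason)."""
    san = cert.get("san") or []
    dns_names = [v for kind, v in san if kind == "DNS"]
    ip_names = [v for kind, v in san if kind == "IP"]
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # an IP literal matches only iPAddress entries, never a dNSName or the CN
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return True, "iPAddress SAN entry matches"
        return False, "no iPAddress SAN entry for %s" % target
    if dns_names:
        for name in dns_names:
            if _dns_match(name, target):
                return True, "dNSName SAN entry %s matches" % name
        return False, "subjectAltName present but no dNSName matches; CN is ignored"
    cn = cert.get("cn")
    if cn and _dns_match(cn, target):
        return True, "legacy match on CN (certificate has no subjectAltName)"
    return False, "no subjectAltName and CN does not match"

# Constructed samples: the server certificate of slide 13, a legacy CN-only
# certificate, and a wildcard certificate.
SLIDE13_CERT = {"cn": "myserver",
                "san": [("DNS", "host1.domain.tld"), ("DNS", "host2.domain.tld"),
                        ("IP", "1.2.3.4")]}
LEGACY_CERT = {"cn": "www.example.org", "san": []}
WILDCARD_CERT = {"cn": None, "san": [("DNS", "*.domain.tld")]}
```

Note that `SLIDE13_CERT` is rejected for the name `myserver` even though that is its CN: once a subjectAltName is present the CN no longer counts, which is exactly why the slide says to put the FQDN in subjectAltName.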

SLIDE 28

One Valid Certificate per Subject

“There may be at most one valid certificate for any given subject”

  • OpenSSL implementation flaw
  • overlapping validity intervals when re-keying
  • different key usages
SLIDE 29

nonRepudiation vs. authentication

“One can use (commercial = high quality) qualified digital signature certificates for authentication”

  • authentication = signing a server-provided challenge
  • user has no control over the challenge
SLIDE 30

PKI & IdM

SLIDE 31

Naming

  • X.500 global namespace is not managed
    – problems using Subject for identities
  • alternative names (subjectAltName)
    – using existing managed namespaces
  • DC naming (Subject, Issuer)
SLIDE 32

Private Key Management

  • software tokens
    – quality of encryption
    – copyable
  • hardware tokens
    – expensive
  • site storages
    – only authentication keys (no non-repudiation)
  • short-lived certificates
SLIDE 33

X.509 Certificate as Identity Assertion

  • all required content
  • cryptographically strong
  • compact, small
  • ubiquitous tools to handle
  • rich “historical experience”
SLIDE 34

References

RFC 3280. Certificate and Certificate Revocation List (CRL) Profile
RFC 2560. Online Certificate Status Protocol - OCSP
RFC 3647. Certificate Policy and Certification Practices Framework
RFC 2247. Using Domains in LDAP/X.500

SLIDE 35

References

X.501. Information Technology - Open Systems Interconnection - The Directory: Models, 1993.
X.509. Information Technology - Open Systems Interconnection - The Directory: Authentication Framework
X.520. Information Technology - Open Systems Interconnection - The Directory: Selected Attribute Types