Cryptography, Lecture 10. Stefan Dziembowski, www.dziembowski.net, stefan@dziembowski.net
Plan • Qualified signatures • PKI and trust management • Introduction to key establishment protocols
Remember the slide from the previous lectures? [Figure: parties P1, ..., P5, each holding its own secret key sk1, ..., sk5, and a public register listing their public keys.]
Question: How to maintain the public register? • We start with the case when the public keys are used for signing that is legally binding. • Then we consider other cases.
A problem. Alice holds (skA, pkA) and sends Bob a message m ∈ {0,1}* together with σ = Sign_sk(m). Later, in front of a judge: Bob: "I got (m, σ) from Alice." Alice: "It's not true! I never signed m!" Judge: "Vrfy(pk, m, σ) = yes, so you cannot repudiate signing m..." Alice: "But pk is not my public key!"
Solution: certification authorities. A simplified view: the Certification Authority holds a key pair (pkCert, skCert). Alice comes with her ID and pkAlice. The authority checks the ID of Alice and issues a certificate: Sign_skCert("pkAlice is a public key of Alice"). Now everyone can verify that pkAlice is a public key of Alice, so Alice can attach the certificate to every signature. (Really everyone? See the next slide.)
What is needed to verify the certificate. To verify a certificate issued by Cert one needs: • to know the public key of Cert, • to trust Cert. It is better if Cert also keeps a document "I, Alice, certify that pkAlice is my public key" with a handwritten signature of Alice.
How does it look from the legal point of view? What matters in the end is whether you can convince the judge. Many countries now have a special law regulating these things. In Italy it is: Decreto Legislativo 7 marzo 2005, n. 82 "Codice dell'amministrazione digitale", published in Gazzetta Ufficiale n. 112 of 16 May 2005, Supplemento Ordinario n. 93.
This law defines the conditions to become an official certification authority (in Italian: certificatore). A certificate issued by such an authority is called a qualified certificate (in Italian: certificato qualificato). A signature obtained this way is called a qualified digital signature (in Italian: firma elettronica qualificata). A qualified signature is legally equivalent to a handwritten one!
Some of the Italian Certificate Authorities: • Banca Monte dei Paschi di Siena S.p.A. (since 03/08/2004) • Lombardia Integrata S.p.A. (since 17/08/2004) • Banca Intesa S.p.A. (since 09/09/2004; the company has since changed its name and is now Intesa Sanpaolo S.p.A.) • Banca di Roma S.p.A. (since 09/09/2004; activity ceased on 13/02/2008; replacement certifier: none) • CNIPA (since 15/03/2001) • I.T. Telecom S.r.l. (since 13/01/2005) • Comando Trasmissioni e Informazioni Esercito (since 10/04/2003; formerly Comando C4 - IEW; activity ceased on 21/09/2007; replacement certifier: none) • Consorzio Certicomm (since 23/06/2005) • . . .
So, what do you do if you want to issue qualified signatures? You have to go to one of these companies and get a qualified certificate (it costs!). The certificate is valid only for a given period.
What if the secret key is lost? • In this case you have to revoke the certificate.Every authority maintains a list of revoked certificates. • The certificates come with some insurance.
In many cases one doesn't want to use qualified signatures: • The certificates cost money. • Using them is risky: how do you know what your computer is really signing? Computers have viruses, Trojan horses, etc. You can use external (trusted) hardware, but it should have a display (so you can see what is being signed). Remember: qualified signatures are equivalent to handwritten ones!
Practical solution. In many cases qualified signatures are overkill. Instead, people use non-qualified signatures. Here the certificates are distributed using a public-key infrastructure (PKI).
Users can certify keys of other users. [Figure: P1 knows pk2 and "trusts" P2; P2 knows pk3.] P2 certifies that pk3 is a public key of P3 (signature of P2). Since P1 trusts P2, P1 believes that pk3 is a public key of P3. This should be done only if P2 really met P3 in person and verified his identity.
[Figure: the same picture extended by one step: P1 "trusts" P2, P2 "trusts" P3, P3 knows pk4.] P2 certifies that pk3 is a public key of P3 (signature of P2). P3 certifies that pk4 is a public key of P4 (signature of P3). P1 believes that pk3 is a public key of P3.
[Figure: P1 "trusts" P2, P2 "trusts" P3, P3 "trusts" P4, P4 knows pk5.] P2 certifies that pk3 is a public key of P3 (signature of P2). P3 certifies that pk4 is a public key of P4 (signature of P3). P4 certifies that pk5 is a public key of P5 (signature of P4). This is called a certificate chain. P1 believes that pk3 is a public key of P3.
A problem. [Figure: P1 knows pk2, P2 knows pk3, P3 knows pk4; P1 "trusts" P2, P2 "trusts" P3.] What if P1 does not know P3? How can he trust him? Answer: P2 can recommend P3 to P1.
A question: is trust transitive? Does "P1 trusts P2 and P2 trusts P3" imply "P1 trusts P3"?
Example. P2 tells P1: "I can recommend P3." P1 trusts that P2 is a very honest person, and P2 trusts that P3 is a very honest person. Still, P1 doesn't trust that P3 is honest, because he thinks that P2 is honest but naive.
Moral: trust is not transitive. "P1 trusts the certificates issued by P2" is not the same as saying: "P1 trusts that if P2 says you can trust the certificates issued by P3, then one can trust the certificates issued by P3."
Recommendation levels. Level 1 recommendation, A: "you can trust all the certificates issued by B". Level 2 recommendation, A: "you can trust all the level 1 recommendations issued by B". Level 3 recommendation, A: "you can trust all the level 2 recommendations issued by B", and so on. Recursively, a level i+1 recommendation, A: "you can trust all the level i recommendations issued by B".
Now, if P1 trusts all the recommendations issued by P2, P2 issues a recommendation of level 2 for P3, and P3 issues a recommendation of level 1 for P4, then P1 trusts the certificates issued by P4. Of course the recommendations also need to be signed. This starts to look complicated...
How is it solved in practice? In the popular standard X.509 the recommendation is included in the certificate. The depth of recommendations is bounded using a field called basic constraints. X.509 is used for example in SSL, and SSL is implemented in every popular web browser. So let's look at it.
[Screenshot of a certificate as shown by the browser: the basic constraints field limits the recommendation depth (here it's unlimited).]
Concrete example Let’s go to the Banca Di Roma website
[Screenshots of the certificate chain shown by the browser.] The second certificate was signed by "Verisign Primary Authority" for "Verisign Inc" (this is not strange; we will discuss it).
The third certificate was issued by Verisign Inc. for Banca di Roma.
The typical picture: the web browser knows a set of root certificates (Verisign, DigiCert, Entrust, ...). Below Verisign sit VerisignEurope, VerisignUSA and VerisignItaly, and below one of them Banca di Roma: this is a certificate path. Implicit assumptions: • the author of the browser is honest, • nobody manipulated the browser.
[Figure: a chain CA1 → CA2 → CA3 → ... → CAn → client, where CAi holds certi with a depth value di.] All these certificates have to have the flag "is a Certification Authority" switched on. Moreover, each certi carries a number di denoting the maximal depth of a certificate chain below this point (this limits the recommendation depth). That is, we need to have di ≥ n − i.
Is it so important to check it? Yes! For example, the last element in the chain can be anybody (who paid Verisign for a certificate). We certainly do not want to trust certificates issued by just anyone.
So, what happens when a user contacts the bank? The bank sends (cert1, ..., certn) to Alice. If Alice's browser knows cert1 it can verify the chain and read the public key of the bank from certn.
What happens if the certification path is invalid? For example, if the first certificate in the path is not known to the user. Experiment: let's delete the Verisign certificate from the configuration of the browser...
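The chain check described on the last few slides (every issuer must carry the CA flag, and the depth limit di must cover the certificates below it, which is how X.509 basic constraints bound the recommendation levels), written out as an added example; this is not code from the lecture. Real X.509 uses public-key signatures, so the verifier needs only the issuer's public key; to keep this runnable with the standard library alone, signatures are replaced by an HMAC-SHA256 stand-in in which a certificate's `pubkey` string doubles as the signing key. All names, keys and the chain itself are constructed for the example. The last case reproduces the slide's experiment: a chain whose first certificate the browser does not know.

```python
"""Certificate-path validation with the CA flag and path-length limit.
Added example (not the lecture's code). Signature = HMAC-SHA256 stand-in."""
import hashlib
import hmac
import json

SIGNED_FIELDS = ("subject", "issuer", "pubkey", "is_ca", "path_len")


def _tbs(cert):
    """Canonical 'to-be-signed' encoding of the certificate body."""
    return json.dumps({k: cert[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()


def _sign(key, cert):
    """Stand-in signature: HMAC-SHA256 under the issuer's key (string)."""
    return hmac.new(key.encode(), _tbs(cert), hashlib.sha256).hexdigest()


def make_cert(subject, issuer, issuer_key, pubkey, is_ca, path_len=None):
    """path_len = max number of CA certificates allowed below this one
    (the slide's d_i); None means unlimited. Only meaningful when is_ca."""
    cert = {"subject": subject, "issuer": issuer, "pubkey": pubkey,
            "is_ca": is_ca, "path_len": path_len}
    cert["sig"] = _sign(issuer_key, cert)
    return cert


def validate_chain(chain, trust_store):
    """chain = [cert1 (root), ..., CA certs ..., end-entity cert].
    Returns (True, end_entity_pubkey) or (False, reason)."""
    n = len(chain)
    if n == 0 or chain[0] not in trust_store:
        return False, "first certificate is not a trust anchor"
    # Every certificate that issued another one must be a CA.
    for i in range(n - 1):
        if not chain[i]["is_ca"]:
            return False, f"cert {i + 1} is not a CA but issued cert {i + 2}"
    for i in range(n - 1):
        issuer, subject = chain[i], chain[i + 1]
        if subject["issuer"] != issuer["subject"]:
            return False, f"cert {i + 2} was not issued by cert {i + 1}"
        if not hmac.compare_digest(_sign(issuer["pubkey"], subject), subject["sig"]):
            return False, f"bad signature on cert {i + 2}"
        # CA certificates below cert i+1 are cert i+2 .. cert n-1; the end
        # entity at position n is not a CA and is not counted.
        below = n - i - 2
        if issuer["path_len"] is not None and issuer["path_len"] < below:
            return False, (f"cert {i + 1} allows {issuer['path_len']} CA(s) "
                           f"below it, but the chain has {below}")
    return True, chain[-1]["pubkey"]


# Constructed chain: root CA -> issuing CA (path_len 0) -> bank (end entity).
ROOT = make_cert("Example Root CA", "Example Root CA", "root-key", "root-key", True)
ISSUING = make_cert("Example Issuing CA", "Example Root CA", "root-key", "issuing-key", True, 0)
BANK = make_cert("bank.example", "Example Issuing CA", "issuing-key", "bank-key", False)
TRUST_STORE = [ROOT]  # what "the browser knows"


def demo():
    """Validates one honest chain and four bad ones; returns all verdicts."""
    # The bank's (non-CA) certificate is used to certify somebody else.
    victim = make_cert("victim.example", "bank.example", "bank-key", "victim-key", False)
    # The issuing CA, limited to path_len 0, tries to create a sub-CA.
    sub_ca = make_cert("Example Sub CA", "Example Issuing CA", "issuing-key", "sub-key", True)
    other = make_cert("other.example", "Example Sub CA", "sub-key", "other-key", False)
    # A certificate body altered after signing (the key was swapped).
    forged = dict(BANK, pubkey="attacker-key")
    return {
        "honest": validate_chain([ROOT, ISSUING, BANK], TRUST_STORE),
        "leaf_as_issuer": validate_chain([ROOT, ISSUING, BANK, victim], TRUST_STORE),
        "path_len_exceeded": validate_chain([ROOT, ISSUING, sub_ca, other], TRUST_STORE),
        "forged_key": validate_chain([ROOT, ISSUING, forged], TRUST_STORE),
        "unknown_root": validate_chain([ISSUING, BANK], TRUST_STORE),  # slide's experiment
    }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:18} {'accepted' if ok else 'rejected'}: {detail}")
```

Only the honest chain is accepted. The second loop is where the slide's condition di ≥ n − i lives: with the end entity at position n, the CAs below certi are certi+1, ..., certn−1, and that count must not exceed di. Dropping the CA-flag pass is exactly the mistake the slide warns about, since it would let any paying customer's certificate act as an issuer.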
Suppose Alice and Bob want to authenticate to each other over the internet. Observation: authentication by itself is not very useful. More useful: key establishment.
Protocols for key establishment. Suppose Alice and Bob want to establish a fresh session key in an authentic way. When is it possible? • Using symmetric cryptography: Alice and Bob can use some trusted server S. • Using asymmetric cryptography: e.g. using a PKI.
Symmetric cryptography. Alice and the server S share a private key KAS; Bob and S share a private key KBS. The server can help Alice and Bob establish a session key. (In reality it is not so trivial to design a secure protocol.)
Public-key cryptography. Alice sends (cert1, ..., certn) to Bob and Bob sends (cert'1, ..., cert'n) to Alice. • If they accept each other's certificate paths they can establish a session key: • Alice selects a random key K. • Alice encrypts K with Bob's public key, signs it with her private key, and sends it to Bob. • Bob verifies the signature and decrypts K. • Again: in reality it's not that simple...
What if one of the parties doesn't have a certificate? This is the typical situation in real life. E.g. a bank can verify the authenticity of Alice by asking her for a secret password. This password is provided to her (in a physical way) when she opens an account. How to prevent dictionary attacks? Not so trivial...
Designing the key establishment protocols It is an active area of research. It’s more complicated than one may think... On the next slides we show some common errors.
An idea (1). Alice and the server share KAS; Bob and the server share KBS. • Alice → S: (A, B). • S selects a random KAB and replies to Alice with EncKAS(KAB), EncKBS(KAB). • Alice → Bob: (EncKBS(KAB), A).
An attack. Whoever delivers the last message can change the name next to the ticket: • Alice → Bob: (EncKBS(KAB), D). Bob decrypts KAB and concludes "I'm talking to D", while the key is in fact shared with Alice: nothing inside EncKBS(KAB) binds KAB to A.
An idea (2). The server puts the identities inside the ciphertexts: • Alice → S: (A, B). • S selects a random KAB and replies with EncKAS(KAB, B), EncKBS(KAB, A). • Alice → Bob: EncKBS(KAB, A). Now Bob reads from the decrypted ticket that KAB is shared with A.
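Idea (1), the attack on it, and the fix of idea (2), run end to end as an added example (not code from the lecture). The symmetric encryption is a stand-in built from the standard library (a SHA-256 keystream under one subkey plus an HMAC-SHA256 tag under another), so that it runs offline; in practice one would use an AEAD such as AES-GCM. The long-term keys KAS, KBS, KDS and the party names are constructed. The dishonest sender is Alice herself, as in the slide.

```python
"""Server-based key distribution: idea (1), its attack, and idea (2).
Added example; the cipher is a standard-library stand-in, not a real AEAD."""
import hashlib
import hmac
import os

KEY_LEN = 16


def _subkey(key, label):
    return hashlib.sha256(label + key).digest()


def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag; tag uses a separate MAC subkey."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext rejected: bad tag")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Long-term keys shared with the server S (constructed values).
K_AS = hashlib.sha256(b"key shared by Alice and S").digest()
K_BS = hashlib.sha256(b"key shared by Bob and S").digest()
K_DS = hashlib.sha256(b"key shared by D and S").digest()
SERVER_KEYS = {"A": K_AS, "B": K_BS, "D": K_DS}


# --- idea (1): the ticket for Bob carries only K_AB ----------------------
def server_v1(a, b):
    k_ab = os.urandom(KEY_LEN)
    return encrypt(SERVER_KEYS[a], k_ab), encrypt(SERVER_KEYS[b], k_ab)


def bob_v1(ticket, claimed_peer):
    """Bob has nothing to check the cleartext name against."""
    return claimed_peer, decrypt(K_BS, ticket)


# --- idea (2): the server binds the peer's identity inside the ticket ----
def server_v2(a, b):
    k_ab = os.urandom(KEY_LEN)
    return (encrypt(SERVER_KEYS[a], k_ab + b.encode()),
            encrypt(SERVER_KEYS[b], k_ab + a.encode()))


def bob_v2(ticket, claimed_peer):
    pt = decrypt(K_BS, ticket)
    k_ab, peer = pt[:KEY_LEN], pt[KEY_LEN:].decode()
    if peer != claimed_peer:
        raise ValueError(f"ticket binds the key to {peer}, not {claimed_peer}")
    return peer, k_ab


def attack_v1():
    """Alice obtains a key for (A, B), then tells Bob it belongs to D.
    Returns (who Bob thinks he shares the key with, whether Alice holds it)."""
    for_alice, for_bob = server_v1("A", "B")
    k_alice = decrypt(K_AS, for_alice)
    peer, k_bob = bob_v1(for_bob, "D")
    return peer, k_bob == k_alice


def attack_v2():
    """The same lie against idea (2); Bob's identity check catches it."""
    _, for_bob = server_v2("A", "B")
    try:
        bob_v2(for_bob, "D")
    except ValueError:
        return "rejected"
    return "accepted"


def honest_v2():
    for_alice, for_bob = server_v2("A", "B")
    pt = decrypt(K_AS, for_alice)
    peer, k_bob = bob_v2(for_bob, "A")
    return pt[KEY_LEN:].decode() == "B" and peer == "A" and pt[:KEY_LEN] == k_bob


if __name__ == "__main__":
    print("idea (1):", attack_v1())   # ('D', True): Bob is misled
    print("idea (2):", attack_v2())   # rejected
```

The whole difference between the two ideas is the one comparison in `bob_v2`: the name Bob acts on must come from inside the authenticated ciphertext, never from the cleartext next to it. Note that idea (2) only fixes this particular misbinding; the ticket still carries no nonce or timestamp, so an old ticket can be replayed, which is one reason the slide says real protocols are not that simple.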