ISA 562 Information Systems Theory and Practice
10. Digital Certificates
PUBLIC-KEY CERTIFICATES-1
• What is a certificate?
  • A statement claiming some binding of attribute values
• Why do we need them?
  • Identifying entities outside of domain
  • Distributed access control
• What do they do?
  • Propagate claims:
    • Certifier makes a claim that can be checked for authenticity and accepted if the recipient believes the claimant to be truthful
  • Manage trust – distributed trust management
X.509v1 CERTIFICATE
VERSION: 1
SERIAL NUMBER: 1234567891011121314
SIGNATURE ALGORITHM: RSA+MD5, 512
ISSUER: C=US, S=VA, O=GMU, OU=ISE
VALIDITY: 9/9/99-1/1/1
SUBJECT: C=US, S=VA, O=GMU, OU=ISE, CN=Alice
SUBJECT PUB KEY INFO: RSA, 1024, xxxxxx
SIGNATURE: SIGNATURE
PUBLIC-KEY CERTIFICATES
• For public-key based encryption
  • sender needs public key of receiver
• For public-key digital signatures
  • receiver needs public key of sender
• To establish an agreement
  • both need each other’s public keys
CERTIFICATE TRUST
• Acquisition of the public key of the issuer to verify the signature
  • Go through a certificate chain
• Whether or not to trust certificates signed by the issuer for this subject
PEM CERTIFICATION GRAPH
[Figure: certification hierarchy. Levels: Internet Policy Registration Authority (IPRA); Policy Certification Authorities (PCAs): PERSONA, RESIDENTIAL, MID-LEVEL ASSURANCE, HIGH ASSURANCE; Certification Authorities (CAs); Subjects. Node labels: Anonymous, MITRE, GMU, Virginia, Abrams, LEO, Fairfax, CS, Grover, Grover.]
SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY
[Figure: CA hierarchy. Node labels: Root, Brand (three), Geo-Political, Bank, Acquirer, Customer, Merchant.]
Certificate Revocation
• Sometimes, the issuer needs to recant a certificate
  • The subject’s attributes have changed
  • The subject misused the certificate
  • There are forged certificates
• Published in a certificate revocation list
CRL FORMAT
• SIGNATURE ALGORITHM
• ISSUER
• LAST UPDATE
• NEXT UPDATE
• REVOKED CERTIFICATES
  • SERIAL NUMBER
  • REVOCATION DATE
• SIGNATURE
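The chain walk from the CERTIFICATE TRUST slide combined with the CRL lookup from the revocation slides, as an added example that is not part of the original deck. It assumes textbook RSA on fixed toy primes and a Python tuple in place of the real encoding; the function names, dates, serial numbers and the O=GMU, OU=ISE, CN=Alice chain are constructed for illustration.

```python
import hashlib
from datetime import date

def keypair(p, q, e=65537):
    # Textbook RSA on fixed Mersenne primes: toy keys, no padding, illustration only.
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(tbs, n):
    return int.from_bytes(hashlib.sha256(repr(tbs).encode()).digest(), "big") % n

def sign(tbs, priv):
    return {"tbs": tbs, "sig": pow(digest(tbs, priv[0]), priv[1], priv[0])}

def authentic(obj, pub):
    return pow(obj["sig"], pub[1], pub[0]) == digest(obj["tbs"], pub[0])

def validate_chain(chain, anchors, crls, today):
    """chain runs from the certificate issued by a trust anchor down to the subject's."""
    trusted = dict(anchors)                  # issuer name -> public key we accept
    for cert in chain:
        serial, issuer, subject, not_before, not_after, subject_pub = cert["tbs"]
        issuer_pub = trusted.get(issuer)
        if issuer_pub is None:
            return f"no trusted key for issuer {issuer}"
        if not authentic(cert, issuer_pub):
            return f"bad signature on {subject}"
        if not not_before <= today <= not_after:
            return f"{subject} outside validity period"
        crl = crls.get(issuer)
        if crl is None or not authentic(crl, issuer_pub):
            return f"no authentic CRL from {issuer}"
        _, _, next_update, revoked = crl["tbs"]
        if today > next_update:
            return f"stale CRL from {issuer}"
        if serial in dict(revoked):
            return f"{subject} revoked"
        trusted = {subject: subject_pub}     # only this key may sign the next link
    return "valid"

# Constructed sample PKI (names borrowed from the slides): O=GMU -> OU=ISE -> CN=Alice.
GMU_PUB, GMU_PRIV = keypair(2**61 - 1, 2**89 - 1)
ISE_PUB, ISE_PRIV = keypair(2**107 - 1, 2**127 - 1)
D0, D1 = date(2024, 1, 1), date(2025, 1, 1)
ISE_CERT = sign((7, "O=GMU", "OU=ISE", D0, D1, ISE_PUB), GMU_PRIV)
ALICE_CERT = sign((42, "OU=ISE", "CN=Alice", D0, D1, (77, 65537)), ISE_PRIV)

def make_crl(issuer, priv, revoked):         # revoked: {serial: revocation date}
    return sign((issuer, date(2024, 6, 1), date(2024, 7, 1), tuple(revoked.items())), priv)
```

A missing or expired CRL is treated as a failure here, so an attacker who blocks CRL delivery cannot keep a revoked certificate alive.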
X.509 CERTIFICATES
• X.509v1
  • basic
• X.509v2
  • adds unique identifiers to protect against reuse of X.500 names
• X.509v3
  • adds many extensions
  • can be further extended
X.509v3 CERTIFICATE INNOVATIONS
• distinguish various certificates
  • signature, encryption, key-agreement
• identification info in addition to X.500 name
  • internet names: email addresses, host names, URLs
• issuer can state policy and usage
  • good enough for casual email but not for signing checks
• limits on use of signature keys for further certification
• extensible
  • proprietary extensions can be defined and registered
• attribute certificates
  • ongoing work
X.509v2 CRL INNOVATIONS
• CRL distribution points
• indirect CRLs
• delta CRLs
• revocation reason
• push CRLs
HIERARCHICAL STRUCTURE
[Figure: hierarchy diagram. Node labels: Z, X, Y, Q, R, S, T, A, C, E, G, I, K, M, O and a through p.]
HIERARCHICAL STRUCTURE WITH ADDED LINKS
[Figure: hierarchy diagram. Node labels: Z, X, Y, Q, R, S, T, A, C, E, G, I, K, M, O and a through p.]
TOP-DOWN HIERARCHICAL STRUCTURE
[Figure: hierarchy diagram. Node labels: Z, X, Y, Q, R, S, T, A, C, E, G, I, K, M, O and a through p.]
MULTIPLE ROOT CA’s + INTERMEDIATE CA’s MODEL
[Figure: hierarchy diagram. Node labels: X, S, T, Q, R, A, C, E, G, I, K, M, O and a through p.]
THE CERTIFICATE TRIANGLE
[Figure: triangle relating user, attribute and public-key. Labels: X.509 attribute certificate, X.509 identity certificate, SPKI certificate.]
2-WAY SSL HANDSHAKE WITH RSA
[Figure: message diagram. Labels: Handshake Protocol, Record Protocol.]
SINGLE ROOT CA MODEL
[Figure: labels Root CA, User, and a through p.]
SINGLE ROOT CA MULTIPLE RA’s MODEL
[Figure: labels Root CA, three User/RA pairs, and a through p.]
MULTIPLE ROOT CA’s MODEL
[Figure: labels three Root CAs, three Root CA/User pairs, and a through p.]
ROOT CA + INTERMEDIATE CA’s MODEL
[Figure: hierarchy diagram. Node labels: Z, X, Y, Q, R, S, T, A, C, E, G, I, K, M, O and a through p.]
MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL
[Figure: hierarchy diagram. Node labels: X, S, T, Q, R, A, C, E, G, I, K, M, O and a through p.]
MULTIPLE ROOT CA’s + INTERMEDIATE CA’s MODEL
• Essentially the model on the web today
• Deployed in server-side SSL mode
• Client-side SSL mode yet to happen
SERVER-SIDE MASQUERADING
[Figure: Bob's Web browser connects to the www.host.com Web server over server-side SSL. Labels: Bob, Web browser, www.host.com, Web server, Server-side SSL, Ultratrust Security Services.]
SERVER-SIDE MASQUERADING
[Figure: two server-side SSL connections with Mallory's Web server between Bob and www.host.com. Labels: Bob, Web browser, www.host.com, Web server, Ultratrust Security Services, Server-side SSL (twice), Mallory’s Web server, BIMM Corporation.]
SERVER-SIDE MASQUERADING
[Figure: two server-side SSL connections with Mallory's Web server between Bob and www.host.com. Labels: Bob, Web browser, www.host.com, Web server, Ultratrust Security Services (twice), Server-side SSL (twice), BIMM Corporation, Mallory’s Web server.]
MAN IN THE MIDDLE MASQUERADING PREVENTED
[Figure: client-side SSL end-to-end. Labels: Bob, Web browser, www.host.com, Web server, Client-side SSL (twice), Ultratrust Security Services, BIMM Corporation, Mallory’s Web server.]
ATTRIBUTE-BASED CLIENT SIDE MASQUERADING
[Figure: Joe@anywhere's Web browser connects to the BIMM.com Web server over client-side SSL. Labels: Joe@anywhere, Web browser, BIMM.com, Web server, Client-side SSL, Ultratrust Security Services.]
ATTRIBUTE-BASED CLIENT SIDE MASQUERADING
[Figure: Alice@SRPC's Web browser connects to the BIMM.com Web server over client-side SSL. Labels: Alice@SRPC, Web browser, BIMM.com, Web server, Client-side SSL, SRPC, Ultratrust Security Services.]
ATTRIBUTE-BASED CLIENT SIDE MASQUERADING
[Figure: Bob@PPC's Web browser connects to the BIMM.com Web server over client-side SSL. Labels: Bob@PPC, Web browser, BIMM.com, Web server, Client-side SSL, PPC, Ultratrust Security Services.]
ATTRIBUTE-BASED CLIENT SIDE MASQUERADING
[Figure: Alice@SRPC's Web browser connects to the BIMM.com Web server over client-side SSL. Labels: Alice@SRPC, Web browser, BIMM.com, Web server, Client-side SSL, SRPC, Ultratrust Security Services, PPC, Bob@PPC.]