ALMA MATER STUDIORUM – UNIVERSITA’ DI BOLOGNA
Certificates,
Certification Authorities and
Public-Key Infrastructures
Ozalp Babaoglu
© Babaoglu 2001-2015 Sicurezza
Certificati digitali
■ La chiave pubblica con la quale stiamo cifrando deve
appartenere realmente al destinatario del messaggio
■ Si pone il problema dello scambio delle chiavi
(man-in-the-middle attack)
■ I certificati digitali vengono usati per evitare che qualcuno
tenti di “spacciarsi” per un’altra persona sostituendone la chiave pubblica
2
Certificates in the physical world
Personal data Photograph
Seals + Signature “I certify that the data
correspond to the person in the photo”
Digital Certificates
■ In asymmetric cryptography, a digital certificate is the form
in which public keys are communicated
■ It is a binding between a public key and identity
information about a subject
■ It is signed by a certificate issuer
■ Functions much like a physical certificate ■ Avoids man-in-the-middle attacks
© Babaoglu 2001-2015 Sicurezza
X.509 Certificates
X.509 is a standard that specifies digital certificates with the following fields:
Subject: Distinguished Name, Public Key Issuer: Distinguished Name, Signature Validity: Not Before Date, Not After Date Administrative Info: Version, Serial Number
Extended Info: …
5 © Babaoglu 2001-2015 Sicurezza
X.509 Certificates
■ Distinguished Name Fields as defined by X.509 StandardCommon Name CN=Calisto Tanzi Organization or Company O=Parmalat
Organizational Unit OU=Management
City/Locality L=Parma
State/Province ST=Emilia Romagna Country (ISO Code) C=IT
6
Distribuzione dei certificati
■ Distribuzione manuale o di persona: passaporto, carta
d’identità
■ Certificati sono generati e distribuiti da entità fidate
■ Certificate servers
■ Public Key Infrastructures (PKI)
Certificate servers
■ Database centralizzate disponibili su rete ■ Possono essere replicate
■ Permettono agli utenti di
● richiedere l’inserimento del proprio certificato nel database ● richiedere il certificato di qualcuno
© Babaoglu 2001-2015 Sicurezza
Certification Authority
■ Certification Authority (CA) is responsible for certification,
validation and revocation of certificates
■ Many different types of CAs exist: commercial, government,
free, etc.
■ Examples of CAs: VeriSign, Symantec, Thawte, Geotrust,
Comodo, Visa, Actalis
9 © Babaoglu 2001-2015 Sicurezza
Public Key Infrastructure
■ Collection of CAs and protocols for invoking their services
by clients constitutes a Public Key Infrastructure (PKI)
10
PKI – Certification
■ When a subject requests a certificate for the first time, thesubject must be authenticated
■ In-band authentication:
● performed using the PKI itself
● possible only for certain types of identity information (e.g. email
addresses)
■ Out-of-band authentication:
● performed using more traditional methods, such as mail, fax, over
the telephone or physical meeting
PKI – Certification Authorities
■ The certification process is based on trust■ Users trust the issuing authority to issue only certificates that
correctly associate subjects to their public keys ■ Only one CA for the entire world?
■ No — would be impractical
■ Instead:
■ Most PKI enable one CA to certify other CA’s
■ One CA is telling its users that they can trust what a second CA
© Babaoglu 2001-2015 Sicurezza
PKI – Certificate Chains
13 DN Bob PubK Bob Sig CA Z DN CA Y PubK CA Y Sig CA X DN CA Z PubK CA Z Sig CA Y DN CA X Sig CA X PubK CA X © Babaoglu 2001-2015 Sicurezza
PKI – Certificate Chains
■ Certificate chains can be of arbitrary length
■ Each certificate in the chain validated by the preceding one ■ Different certificates:
■ “Leaf” certificates (end-user) ■ “Intermediate” certificates ■ “Root” certificates
14
PKI – CA Hierarchies
■ CAs can be organized● as a rooted tree (X.509) ● as a general graph (PGP) CA CA CA CA CA CA CA
Hierarchical Trust (X.509)
■ Based on chains of trust forming a rooted tree among
entities that are reputed to be CAs
■ The (blind) trust we place on root-level CAs must be
acquired through reputation, experience, operational competence and other non-technical aspects
■ Anyone claiming to be a CA must be a trusted entity and we
© Babaoglu 2001-2015 Sicurezza
Web of Trust (PGP)
■ In PGP, any user can act as a CA and sign the public key of
another user
■ A public key is considered valid only if a sufficient number of
trusted users have signed it
■ As the system evolves, complex trust relations emerge as
dynamic “web”
■ Trust need not be symmetric or transitive ■ (more on PGP later)
17 © Babaoglu 2001-2015 Sicurezza
PKI – Validation
■ Validation — need to control that the certificate
■ Is current — within “not before” and “not after” dates, ■ Is valid — signed by a chain of CAs ending in a root CA, ■ Has not been revoked
■ Checking currency and validity can be done locally and
off-line by the certificate user
■ Checking if the certificate has been revoked is more
complicated
18
PKI – Revocation
■ Revocation — the process of breaking the binding betweena public key and a subject for various reasons ■ subject’s private key becomes compromised
■ subject identifier information changes (e.g., name, email address)
■ On-line
■ revocation problem becomes trivial
■ Online Certificate Status Protocol (OCSP) of X.509 describes how
to check validity and revoke certificates ■ Off-line
■ While the certificate is current, the revocation method is critical
PKI – Revocation
■ Certificate Revocation List (CRL)
■ a list of revoked certificates id constructed, signed and periodically
distributed by th CA
■ user must check the latest CRL during validation to make sure that
a certificate has not been revoked
■ X.509 includes a CRL profile, describing the format of CRLs
■ CRL Problems
■ CRL time-granularity problem — how often to issue CRLs? ■ CRL size — incremental versus bulk
© Babaoglu 2001-2015 Sicurezza
Certificates in Practice: Firefox
21 © Babaoglu 2001-2015 Sicurezza
Certificates in Practice: Firefox
22