PKIs and Secure Communication
April 24, 2007
Usable Privacy and Security • Carnegie Mellon University • Spring 2007 • Cranor/Hong • http://cups.cs.cmu.edu/courses/ups-sp07/
Basic Problem
[Figure: Bob and Alice, connected across Intranet, Extranet and Internet]
Bob and Alice want to exchange data in a digital world.
There are Confidence and Trust Issues …
Trusted E-Services Laboratory - HP Labs - Bristol
Confidence and Trust Issues
• In the Identity of an Individual or Application: AUTHENTICATION
• That the information will be kept Private: CONFIDENTIALITY
• That information cannot be Manipulated: INTEGRITY
• That information cannot be Disowned: NON-REPUDIATION
Cryptography
It is the science of making the cost of acquiring or altering data
greater than the potential value gained
Cryptosystem
It is a system that provides techniques for mangling a message into
an apparently unintelligible form and then recovering it from the
mangled form
[Figure: Plaintext “Hello World” → Encryption → Ciphertext “&$*£(“!273” → Decryption → Plaintext “Hello World”]
Cryptographic Algorithms based on Private Key
[Figure: Plaintext → Encryption with the Private Key → Ciphertext → Decryption with the same Private Key → Plaintext]
Pros
• Efficient and fast Algorithm
• Simple model
• Provides Integrity, Confidentiality
Cons
• The same secret key must be shared by all the entities involved in the data exchange
• High risk
• It doesn’t scale (proliferation of secrets)
• No Authentication, Non-Repudiation
Cryptographic Algorithms based on Public Key
[Figure: Bob encrypts the Plaintext with Alice’s Public Key; the Ciphertext crosses the Intranet/Extranet/Internet; Alice decrypts it with Alice’s Private Key]
Pros
• Private key is only known by the owner: less risk
• The algorithm ensures Integrity and Confidentiality by encrypting with the Receiver’s Public key
Cryptographic Algorithms based on Public Key
Pros
• The algorithm ensures Non-Repudiation by encrypting with the Sender’s Private key
[Figure: Bob encrypts the Plaintext with Bob’s Private Key; Alice decrypts the Ciphertext with Bob’s Public Key]
Cryptographic Algorithms based on Public Key
Cons
• Algorithms are 100 – 1000 times slower than secret key ones
They are used only in an initial phase of communication, and then secret keys are generated to deal with the encryption
• How are Public keys made available to the other people?
• There is still a problem of Authentication!!!
Who ensures that the owner of a key pair is really the person whose real life name is “Alice”?
Moving towards PKI …
Digital Signature
A Digital Signature is a data item that vouches for the origin and the integrity of a Message
• The originator of a message uses a signing key (Private Key) to sign the message and sends the message and its digital signature to a recipient
• The recipient uses a verification key (Public Key) to verify the origin of the message and that it has not been tampered with while in transit
Digital Signature
There is still a problem linked to the “Real Identity” of the Signer.
Why should I trust what the Sender claims to be?
Moving towards PKI …
Digital Certificate
A Digital Certificate is a binding between an entity’s Public Key and one or more Attributes relating to its Identity.
• The entity can be a Person, a Hardware Component, a Service, etc.
• A Digital Certificate is issued (and signed) by someone
- Usually the issuer is a Trusted Third Party
• A self-signed certificate usually is not very trustworthy
Digital Certificate
[Figure: CERTIFICATE containing Issuer, Subject, Subject Public Key, and the Issuer’s Digital Signature over those fields]
Public Key Infrastructure (PKI)
“A PKI is a set of agreed-upon standards, Certification
Authorities (CA), structure between multiple CAs,
methods to discover and validate Certification Paths,
Operational Protocols, Management Protocols,
Interoperable Tools and supporting Legislation”
“Digital Certificates” book – Jalal Feghhi, Jalil Feghhi, Peter Williams
Public Key Infrastructure (PKI)
A Public Key Infrastructure is an Infrastructure to support and manage Public Key-based Digital Certificates
PKI services
A public-key security system comprises three infrastructural services
• The Certification Authority (CA) signs users’ public keys
• The directory is a public-access database of valid certificates
• The Certificate Revocation List (CRL) is a public-access database of invalid certificates
X509 PKI
• Current ITU-T standard for PKI
• Hierarchical Structure of CAs
[Figure: certificate hierarchy from the Trusted Root CA down to Alice and Bob]
Alice trusts the root CA
Bob sends a message to Alice
Alice needs Bob’s certificate, the certificate of the CA that signed Bob’s certificate, and so on up to the root CA’s self-signed certificate.
Alice also needs each CRL for each CA.
Only then can Alice verify that Bob’s certificate is valid and trusted and so verify Bob’s signature.
Example of X509
Life Cycle of user’s public key certificate
Key generation
• The user creates a new key-pair
• The user provides his identity to the CA (not electronically)
• The CA signs a certificate that names the user as the bearer of his new public key
• The user also receives the Root CA’s public key, for later use
• The user chooses a secret passphrase, and uses it to encrypt his asymmetric private key
Life Cycle of user’s public key certificate
Single-Sign-on
• At login, the user types his passphrase, so as to decrypt his private key
• With his private key, the user participates in public-key protocols
Life Cycle of user’s public key certificate
Authenticating Others
• To communicate securely with other users and with networked services, the user refers to other parties’ public key certificates
• The user exchanges certificates either directly or from the Directory service
• Certificates need to be checked against the CRL for revocation
• Validate the CA’s signature recursively.
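The recursive check described on the X509 PKI slide and in the last bullet above, as an added Go example that is not part of the lecture: it builds a constructed hierarchy (a self-signed Trusted Root, an Intermediate CA, and Bob's end-entity certificate) with the standard library's crypto/x509, verifies Bob's certificate up to the root, and shows that the check fails when the intermediate CA's certificate is missing. The CRL lookup from the slide is not included; names, key types and lifetimes are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and a certificate for it (constructed demo data); ku with CertSign marks a CA, parent == nil means self-signed.
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root: issuer == subject
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyChain is the slide's check: Bob's certificate, the certificates of the CAs that signed it, up to the root Alice already trusts.
func VerifyChain(leaf *x509.Certificate, inters []*x509.Certificate, root *x509.Certificate) error {
	ipool, rpool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range inters {
		ipool.AddCert(c)
	}
	rpool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rpool, Intermediates: ipool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Demo: Trusted Root -> Intermediate CA -> Bob verifies; without the intermediate's certificate Alice cannot link Bob to the root and must reject.
func Demo() (chainOK, missingInterRejected bool) {
	root, rootKey := issue("Trusted Root", x509.KeyUsageCertSign, nil, nil)
	inter, interKey := issue("Intermediate CA", x509.KeyUsageCertSign, root, rootKey)
	bob, _ := issue("Bob", x509.KeyUsageDigitalSignature, inter, interKey)
	chainOK = VerifyChain(bob, []*x509.Certificate{inter}, root) == nil
	missingInterRejected = VerifyChain(bob, nil, root) != nil
	return
}

func main() { fmt.Println(Demo()) }
```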
Life Cycle of user’s public key certificate
Password Change
• The user should regularly change the passphrase for the private key
Key-Revocation
• Certificates are timestamped to expire after a few months or years
• If the user’s private key is compromised, the user must have the corresponding public key revoked via the CRL
• The user should check the CRL every time a certificate is used because the CRL may have been updated
Problems of X509
Complicated structures of CAs
• What if there are multiple root CAs?
• Centralized certification entity
Burden is on End-User!
• Authenticating the User
• Authenticating the CA
• Certificate Revocation Lists
• Private Key Management
• Pass phrase Quality
IBM Lotus Notes & Domino Solution
• Client/server infrastructure for collaborative applications
• Usage of PKI
- Authentication of Notes client to Domino Server
- Signing and encrypting mail messages
- Administrative accountability
• Implementation
- Notes keys are created by the Notes administrator and distributed to the user in an “identity file”
- Most of key management is hidden from the user
- Suitable for enterprise setting
Alternative: Web of Trust
X509 requires a centralized certification entity
• Certificates can be signed only by a CA
• Root CAs have to be available to lower levels
• Root certificate companies may collapse
- Dot-com bubble burst
Web of Trust uses self-signed certificates and 3rd party attestations of those certificates
• PGP, GnuPG, OpenPGP
• Requires more individual attention
• “Why Johnny Can’t Encrypt”
Alternative: Key Continuity Management
Idea:
• Make key generation, management, and signing automatic
• Ignore the X509 certification chain
• Public key is sent to a CA and returned with a Digital ID
• Applications are directly aware of public key certificates
• User would be notified only when a server’s key suddenly changes
• Implemented in email clients
- Outlook, Eudora
KCM: email example
• Mail client creates a self-signed key when the user configures a new From: address
• Public key is attached to outgoing email
• Public key gets stored in the address book
• Subsequent outgoing mail is sealed
• Subsequent incoming mail is unsealed and the signature is verified
• User is notified when the public key changes
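The signing step from the Digital Signature slide and the key-continuity check above, as an added Go example that is not from the lecture or from any mail client: Ed25519 for the self-signed key, the address strings and the in-memory address book are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Mail is a constructed signed message: From: address, attached public key, body and signature.
type Mail struct {
	From string
	Key  ed25519.PublicKey
	Body []byte
	Sig  []byte
}

// Sign is the sending client's side: sign the body with the key generated when the
// From: address was configured and attach the matching public key.
func Sign(from string, priv ed25519.PrivateKey, body []byte) Mail {
	return Mail{From: from, Key: priv.Public().(ed25519.PublicKey), Body: body, Sig: ed25519.Sign(priv, body)}
}

// AddressBook remembers the first public key seen for each From: address.
type AddressBook map[string]ed25519.PublicKey

// Receive is the receiving client's side: alert only if the address's key has
// changed since first contact, otherwise verify the signature and keep the key.
func (ab AddressBook) Receive(m Mail) string {
	if known, seen := ab[m.From]; seen && !known.Equal(m.Key) {
		return "KEY CHANGED: notify user" // the "new key" impersonation case
	}
	if !ed25519.Verify(m.Key, m.Body, m.Sig) {
		return "bad signature" // body or signature altered in transit
	}
	ab[m.From] = m.Key // first contact stores the key; later mail stores the same one
	return "verified"
}

// Demo replays first contact, a normal follow-up, a tampered body, and mail
// from a different key that claims Bob's address.
func Demo() []string {
	ab := AddressBook{}
	_, bobKey, _ := ed25519.GenerateKey(rand.Reader)
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader)
	tampered := Sign("bob@example.com", bobKey, []byte("send $100"))
	tampered.Body = []byte("send $900") // altered after signing
	return []string{
		ab.Receive(Sign("bob@example.com", bobKey, []byte("hello Alice"))),
		ab.Receive(Sign("bob@example.com", bobKey, []byte("second mail"))),
		ab.Receive(tampered),
		ab.Receive(Sign("bob@example.com", otherKey, []byte("hi, new key"))),
	}
}

func main() { fmt.Println(Demo()) }
```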
Johnny 2
Study conducted on KCM
• Closely followed the setting of the Johnny Study
• Used the same scenario
• Added additional attacks that are close to Phishing
• New Key Attack
- Participants are able to detect the impersonation
• New Identity Attack
- No significant Result
• Unsigned Message
- No significant Result
Alternative: iPKI
An iPKI is a lightweight PKI centered around a standalone CA
• Application specific, lightweight CA
• Automated PKI and CA setup
• Simple, intuitive enrollment mechanism
• A simple, intuitive trust model
• Secure bootstrapping
• Certificates as capabilities
• No need for direct user interactions with certificates
Network-in-a-Box: Problem
• Secure systems are unusable
• Network configuration - scanning, IP config, DNS location - is all automated
• Network security configuration is mostly manual
- Home: Users specify passwords, manage PKI (install certificates, configure security)
- Enterprise: Administrators install software encoded with static security information (AP/authentication server certificate) on each mobile user device
Idea
• Establishing trust requires trust
• Need secure communication w/o a priori infrastructure
• Bootstrap using Location-limited Channels
- Example: Infra-red port, passive USB, audio channels, touching two devices simultaneously
• Gesture-based Automatic Configuration
- Laptop and AP exchange public keys
- Use it to perform full-fledged security auto-configuration
Details: Individual Steps
1. Key pair generation: Client s/w generates key pair
2. Device Enrollment: NiaB AP & client exchange digests of their public keys over location-limited IR channel
3. Authentication: NiaB AP & client exchange their full public keys and prove possession of the corresponding private keys over 802.11. Public keys are checked against the digests.
4. Issuing Certificate: Certificate authority generates and issues a certificate to the client over a TLS tunnel
5. Configuration: Client installs the certificate and configures the laptop’s 802.1x security s/w to use it
6. 802.1x operation: Normal authentication and key exchange with individual APs
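Steps 1 to 3 of this enrollment as an added Go example, not code from NiaB: SHA-256 for the public-key digest sent over the IR channel and Ed25519 for the proof of possession over 802.11 are assumptions, since the slides do not name NiaB's algorithms, and the IR and Wi-Fi channels are simulated by plain function calls. The rogue device at the end shows why the digest must come from the location-limited channel: a key that was never seen in person is rejected even though its signature is valid.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Party is a NiaB participant (the AP or a client) holding its own key pair (step 1).
type Party struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty() Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Party{pub, priv}
}

// Digest is what crosses the location-limited IR channel in step 2.
func (p Party) Digest() [32]byte { return sha256.Sum256(p.Pub) }

// Prove signs the peer's challenge to show possession of the private key (step 3).
func (p Party) Prove(challenge []byte) []byte { return ed25519.Sign(p.priv, challenge) }

// Authenticate is the receiving side of step 3 over 802.11: accept the full key
// only if it hashes to the digest seen over IR and the proof verifies under it.
func Authenticate(irDigest [32]byte, challenge []byte, wifiPub ed25519.PublicKey, proof []byte) bool {
	d := sha256.Sum256(wifiPub)
	if subtle.ConstantTimeCompare(d[:], irDigest[:]) != 1 {
		return false // this key is not the one whose digest was exchanged in person
	}
	return ed25519.Verify(wifiPub, challenge, proof)
}

// Demo enrolls a client with the AP in both directions, then shows that a
// device absent from the IR exchange cannot pass the Wi-Fi authentication.
func Demo() (clientAccepted, apAccepted, rogueRejected bool) {
	ap, client, rogue := NewParty(), NewParty(), NewParty()
	apSaw, clientSaw := client.Digest(), ap.Digest() // step 2: IR exchange of digests
	chA, chC := make([]byte, 16), make([]byte, 16)   // constructed challenges
	rand.Read(chA)
	rand.Read(chC)
	clientAccepted = Authenticate(apSaw, chA, client.Pub, client.Prove(chA))
	apAccepted = Authenticate(clientSaw, chC, ap.Pub, ap.Prove(chC))
	rogueRejected = !Authenticate(apSaw, chA, rogue.Pub, rogue.Prove(chA))
	return
}

func main() { fmt.Println(Demo()) }
```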
NiaB Architecture
User Studies
• Methodology – Different sets of users asked to connect a laptop to a secure wireless network
• Different skill-sets, different experimental ordering, 2 iterations: 5+ subjects in the first iteration to find usability errors and refine the interface
• Results – [Figure: results for Home Users and Enterprise Users]
Discussion
Examples of PKI
• X509 - Standard
• Web of trust - PGP
• KCM - email
• iPKI – NiaB, Casca
In what setting will each PKI be useful?
• Advantage & Disadvantage
• Any new PKI?