Public Key Infrastructures: The Bane of Midterm 2
CS 451: Operating Systems
Jason Bartlett
What are PKIs?
Put simply, PKIs are a way to manage public
keys and/or trust in those keys.


Any PKI must handle three considerations:

Availability of keys: How do I find a key?

Validity of keys: How do I know this key is
correct?

Provenance of keys: How do I know if this
key is the right key?
Outline

Self-certifying names
Hierarchical PKI
    X.509
    DNSSEC
Distributed PKI
    SDSI
    PGP
Reputation Systems
Self-Certifying Names


One way to distribute keys is to
cryptographically derive the name of the data
from the data itself.
Ex:
A self-certifying pathname used by SFS, a location-independent secure file system.

Any change to the data will result in a different
hashed name.
Self-Certifying Names, cont’d


These names clearly satisfy key availability and
key validity.
Recent proposals for next-generation Internet
architectures use these ideas to secure data.

DONA

CCN/NDN
DONA

DONA (Data-Oriented Network Architecture)
uses self-certifying names to ensure data
validity over the network.
‒ You ask for some data P:L, where P is the hash of the publisher’s public key and L is a human-readable label.
‒ You receive a triple <Data, Key, Signature> and can verify that the publisher’s key hashes to P, therefore the data is owned by a proper publisher.
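The P:L check described above, as an added example that is not part of the original slides. Assumptions: SHA-256 as the hash, a Lamport one-time signature standing in for the publisher's signature scheme (it needs only a hash function), and a signature that covers the label and the data.

```python
import hashlib, secrets

def H(b):
    return hashlib.sha256(b).digest()

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature (stand-in scheme): one key pair signs ONE message.
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, b"".join(H(s) for pair in sk for s in pair)

def sign(sk, msg):
    # Reveal one of the two secrets per bit of the message digest.
    return b"".join(sk[i][b] for i, b in enumerate(_bits(msg)))

def sig_ok(pk, msg, sig):
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    return all(H(sig[32 * i:32 * i + 32]) == pk[64 * i + 32 * b:64 * i + 32 * b + 32]
               for i, b in enumerate(_bits(msg)))

def publish(sk, pk, label, data):
    """Publisher side: the name is P:L, the reply is <Data, Key, Signature>."""
    name = H(pk).hex() + ":" + label
    return name, (data, pk, sign(sk, label.encode() + b"\0" + data))

def verify(name, triple):
    """Client side: Key must hash to P, then Signature must cover L and Data."""
    data, key, sig = triple
    p, _, label = name.partition(":")
    if H(key).hex() != p:
        return "key does not hash to P"
    if not sig_ok(key, label.encode() + b"\0" + data, sig):
        return "bad signature"
    return "ok"

if __name__ == "__main__":
    sk, pk = keygen()                                   # constructed sample publisher
    name, triple = publish(sk, pk, "slides", b"PKI lecture")
    print(name[:16] + "...", verify(name, triple))
```

Both checks matter: the hash check alone accepts altered data sent with the real key, and the signature check alone accepts a reply signed by someone else's key.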
NDN

NDN (Named Data Networking) uses some of
these ideas, but not explicit self-certifying
names
‒ NDN cryptographically derives a signature for each piece of data from the data, publisher, and the publisher’s key.
‒ This basically signs the binding between the name given to the data and the data itself.
Self-Certifying Names, cont’d

But what about key provenance?


Self-certifying names rely on a mapping from
user-friendly names to the self-certifying name
This provides an avenue of attack

Ex: In SFS, a user can create symlinks to a server
so they don’t have to retype the hash.

If the user’s system is vulnerable, those links can
be rewritten to point to an attacker’s server.
Hierarchical PKI


If self-certifying names are not used, a user
must be able to establish the validity of keys.
This is commonly done by binding a name to a
public key, creating an Identity Certificate

This binding is done by a trusted third-party called
a Certification Authority.
Hierarchical PKI


The CA forms the root of a tree and can sign any other key below it.
These trees can be as small as a project group, or as big as the Internet.
X.509

One of the earlier examples of a hierarchical
PKI is X.509 (version 3 defined in RFC 2459).


All certificates can be traced back to a single
global root.
The early motivation here was to create an
Internet-sized “phone book” of users and public
keys.
X.509


X.509 certificates are still commonly used in
SSL and TLS.
Check out your browser’s root list:
– Firefox: Edit -> Preferences -> Advanced -> Encryption -> View Certificates
– Chrome: [Wrench] -> Preferences -> Under The Hood -> Manage Certificates -> Authorities
X.509 Certificate
A sample X.509 Certificate.
http://publib.boulder.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=/com.ibm.ztpfztpfdf.doc_put.cur/gtps7/s7cont.html
DNSSEC


Another hierarchical PKI is the DNS Security
Extensions (RFC 4033).
Ideally, keys for the DNS roots are preloaded
into user systems.


Then the root keys certify the TLD keys, who
certify domains under them, and so on.
DNSSEC is not 100% deployed yet

Islands of Security exist though.
Example DNSSEC Query
yellowstone> dig com rrsig
; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> com rrsig
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52737
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1
;; QUESTION SECTION:
;com.                           IN      RRSIG

;; ANSWER SECTION:
com.                    86348   IN      RRSIG   DS 8 1 86400 20110502000000 20110424230000
34525 . HF+sUcMQMV5fOPCHLbtN9GpLKCZg/xKRQn8FNSXSoMOaznQAdSGu+wL4
L2rbxG6lxP91bwA3/+TMazCbAGDCaWanIAM+XLcrXxPK7fwfoYy6TQM9
ImqBw1FhEli043vYpo7CGq6Gwr5rmbIynNTOvrEWNBtQN+jwfDmA08rM vOI=
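Reading the RRSIG fields in the answer above, as an added example that is not part of the original slides. It parses the record and checks the metadata only (validity window, algorithm number, labels count, signer name); it does not verify the signature itself, and the signature in the sample is a constructed placeholder.

```python
from datetime import datetime, timezone

# IANA DNSSEC algorithm numbers that rely on MD5 or SHA-1.
WEAK_ALGS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}

def _ts(s):
    """RRSIG timestamps are UTC, in YYYYMMDDHHmmSS presentation form."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(record):
    """Split one answer-section line from dig into the RRSIG RDATA fields."""
    f = record.split()
    i = f.index("RRSIG")
    covered, alg, labels, orig_ttl, expires, inception, key_tag, signer = f[i + 1:i + 9]
    return {"owner": f[0], "covered": covered, "alg": int(alg), "labels": int(labels),
            "orig_ttl": int(orig_ttl), "expires": _ts(expires), "inception": _ts(inception),
            "key_tag": int(key_tag), "signer": signer, "signature": "".join(f[i + 9:])}

def audit_rrsig(r, now):
    """Return the problems found in the RRSIG metadata at time `now`."""
    problems = []
    if now < r["inception"]:
        problems.append("not yet valid")
    if now > r["expires"]:
        problems.append("expired")
    if r["alg"] in WEAK_ALGS:
        problems.append("weak algorithm " + WEAK_ALGS[r["alg"]])
    owner = r["owner"].rstrip(".").lower()
    if r["labels"] > len([l for l in owner.split(".") if l]):
        problems.append("labels field exceeds owner name")
    zone = r["signer"].rstrip(".").lower()       # "" means the root zone
    if zone and owner != zone and not owner.endswith("." + zone):
        problems.append("signer is not an ancestor of owner")
    return problems

# Fields copied from the dig answer above; the signature is a constructed placeholder.
SAMPLE = "com. 86348 IN RRSIG DS 8 1 86400 20110502000000 20110424230000 34525 . c2lnbmF0dXJl"

if __name__ == "__main__":
    rec = parse_rrsig(SAMPLE)
    print(rec["covered"], rec["signer"], audit_rrsig(rec, datetime.now(timezone.utc)))
```

The signer name "." on a DS record for com shows the hierarchy at work: the root zone's key vouches for the key that com uses.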
Hierarchical PKI

Key Availability?
    Of course, you know whose key you need.
Key Validity?
    Every key can be traced back through the hierarchy until a trusted CA is found.
Key Provenance?
    Yeah, about that...
Key Provenance in Hierarchical PKI


Consider the scale of an Internet-wide PKI.
It is possible to obtain a valid key, but have no
idea if the name attached to it is the person you
really want to be certifying your data.


How many John Robinsons does VeriSign know?
This is called the “Walton’s Mountain
Assumption”
Additional Risks


Any hierarchical PKI is vulnerable because it
relies on an implicitly-trusted hierarchy.
For example, if your system is left unsecured
when you go to lunch and a disgruntled
custodian adds an attacker’s key to your
browser’s root list...

And what if you’re the head of the department?
Distributed PKI


Instead of a hierarchy, why not base all
authentication decisions on local trust?
Everybody’s signature is equally valid


i.e. Everybody can act as a CA.
You probably either know the people you need
a key from, or you know someone you can ask.
SDSI


In SDSI (Simple Distributed Security
Infrastructure), each user creates a “little black
book” of names and keys.
Users can then ask for and receive copies of
these keys.

This creates chains of trust (think Six Degrees of
Kevin Bacon).
SDSI Certificates
Example Identity Certificate:
(cert
(issuer (name (hash md5 |PWKULKycrQ/Pxu9qWBSY2Q==|) "Sam Washington"))
(subject (hash md5 |Z4a6hysK/0qN0L5SFkcJFQ==|)))
Example Group Certificates:
(cert
(issuer (name (hash md5 |PWKULKycrQ/Pxu9qWBSY2Q==|) "poker buddies"))
(subject (name "Sam Washington")))
(cert
(issuer (name (hash md5 |PWKULKycrQ/Pxu9qWBSY2Q==|) "poker buddies"))
(subject (name "Frank Adams")))
Example Delegation Certificate:
(cert
(issuer (hash md5 |PWKULKycrQ/Pxu9qWBSY2Q==|))
(subject (name "poker buddies"))
(tag (play super-poker at http://best-casino.com)))
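How the four certificates above chain together, as an added example that is not part of the original slides. The function names are hypothetical, and the code assumes that a bare `(name "...")` subject is local to the issuer's key and that only a bare-key issuer can delegate a tag.

```python
import re

TOKEN = re.compile(r'\(|\)|\|[^|]*\||"[^"]*"|[^\s()]+')

def parse(text):
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok.strip('|"'))  # drop |..| and ".." delimiters
    return stack[0]

def who(cert, part, default_key=None):
    """(key_hash, local_name) for a cert's issuer or subject; name is None for a bare key."""
    body = next(x[1] for x in cert[1:] if x[0] == part)
    if body[0] == "hash":                # (hash md5 |h|)
        return body[2], None
    if isinstance(body[1], list):        # (name (hash md5 |h|) "n")
        return body[1][2], body[2]
    return default_key, body[1]          # (name "n"): local to the issuer's key

def keys_for(certs, key, name, seen=frozenset()):
    """Keys that `name` denotes in `key`'s namespace, following name certs."""
    if name is None:
        return {key}
    if (key, name) in seen:              # cycle guard
        return set()
    nxt = seen | {(key, name)}
    hits = [keys_for(certs, *who(c, "subject", key), nxt)
            for c in certs if who(c, "issuer") == (key, name)]
    return set().union(*hits)

def authorized(certs, key, action):
    """True if a bare-key issuer grants `action` to a subject that resolves to `key`."""
    for c in certs:
        tag = next((" ".join(x[1]) for x in c[1:] if x[0] == "tag"), None)
        ikey, iname = who(c, "issuer")
        if tag == action and iname is None and key in keys_for(certs, *who(c, "subject", ikey)):
            return True
    return False

K, S = "PWKULKycrQ/Pxu9qWBSY2Q==", "Z4a6hysK/0qN0L5SFkcJFQ=="  # hashes from the slide
CERTS = parse(f'''
(cert (issuer (name (hash md5 |{K}|) "Sam Washington")) (subject (hash md5 |{S}|)))
(cert (issuer (name (hash md5 |{K}|) "poker buddies")) (subject (name "Sam Washington")))
(cert (issuer (name (hash md5 |{K}|) "poker buddies")) (subject (name "Frank Adams")))
(cert (issuer (hash md5 |{K}|)) (subject (name "poker buddies")) (tag (play super-poker at http://best-casino.com)))''')
```

"Frank Adams" is a member of the group by name but resolves to no key, because no identity certificate binds that name; a verifier has nothing to check his signature against.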
Web Of Trust


Because each user acts as a CA, trust relationships become decentralized.
This can be expanded

PGP allows for
explicit trust.
PGP

PGP is the current de-facto standard for e-mail
encryption.
http://www.pgpi.org/doc/pgpintro/
Distributed PKI


Distributed PKIs attempt to fix the provenance
issue seen in hierarchical PKIs.

The scale of the system is smaller.

A user usually won’t have to go far to find a key.
Availability is impacted.

Some keys can still be preloaded, but a user that
deletes their root list can still go find them.
Reputation Systems


Most security infrastructures attempt to model
some sort of trust relationship

Company-department-employee

Friends in a bowling league
These real-world relationships are grown
through shared experiences.

Once enough people interact with the same
person, the person gains a reputation.
Reputation Systems, cont’d

With the proliferation of e-commerce, complete
strangers are increasingly likely to do business.


How do we model trust here?
Any such system must have three criteria:

Longevity

Feedback must be collected

Feedback determines interaction
Centralized Reputation Systems


One approach is to have some sort of
centralized metric that measures trust.

Credit Score

eBay
Future customers can see how trustworthy a
particular seller is

And sellers can see if the customer is a jerk.
Issues With Feedback


Eliciting Feedback

Sometimes users don’t want to be bothered

Users could blackmail sellers with negative
feedback.
The Sybil Attack

Where a small number of users create many
identities

Still an active research area
More Feedback Issues

Distributing Feedback

Feedback in one system is generally not valid in
another system.


Users aren’t bound to a single online alias


Amazon used to import eBay ratings
“Moving to a new town to escape justice”
Aggregating Feedback

eBay ratings don’t capture aspects of transactions
that might be useful.
Distributed Reputation Systems

Instead of a centralized metric, allow users to
attach trust values to other users directly.

PGP is the classic example

A user can check the trust values on a key as well
as how much the user trusts the people that
assigned the other trust values.

Don’t need to aggregate or distribute feedback.
• However, obtaining feedback is still tricky
• Sybil Attacks are even more of a problem
Reputation Systems

Reputation Systems provide a mechanism for
strengthening trust in keys, i.e. increasing their
provenance.
‒ As a result, reputation systems are better suited as an augmentation to existing models than as a standalone system.