Certificates, Certification
Authorities and
Public-Key Infrastructures
Ozalp Babaoglu
ALMA MATER STUDIORUM – UNIVERSITA’ DI BOLOGNA
Certificati digitali
■ La chiave pubblica con la quale stiamo cifrando deve
appartenere realmente al destinatario del messaggio
■ Si pone il problema dello scambio delle chiavi (man-in-themiddle attack)
■ I certificati digitali vengono usati per evitare che qualcuno
tenti di “spacciarsi” per un’altra persona sostituendone la
chiave pubblica
© Babaoglu 2001-2014
Sicurezza
2
Physical Certificates
Photograph
+
Personal data
Seals
=
I certify that
the photo
corresponds to
the personal data
© Babaoglu 2001-2014
Sicurezza
3
PKI – Certificates
■ A certificate is the form in which a PKI communicates
public key information
■ It is a binding between a public key and identity
information about a subject
■ Signed by a certificate issuer
■ Functions much like a physical certificate
■ Avoids man-in-the-middle attacks
© Babaoglu 2001-2014
Sicurezza
4
PKI – X.509 Certificates
X.509 Certificate Information
Subject: Distinguished Name, Public Key
Issuer: Distinguished Name, Signature
Validity: Not Before Date, Not After Date
Administrative Info: Version, Serial Number
Extended Info:
© Babaoglu 2001-2014
…
Sicurezza
5
Distinguished Name Information
Defined by X.509 Standard
Common Name
CN=Calisto Tanzi
Organization or Company O=Parmalat
Organizational Unit
OU=Management
City/Locality
L=Parma
State/Province
ST=Emilia Romagna
Country (ISO Code)
C=IT
© Babaoglu 2001-2014
Sicurezza
6
Distribuzione dei certificati
■ Distribuzione manuale o di persona: passaporto, carta
d’identità
■ Certificati generati, custoditi e distribuiti da entità fidate
● Certificate servers
● Public Key Infrastructures (PKI)
© Babaoglu 2001-2014
Sicurezza
7
Certificate servers
■ Database disponibili su rete
■ Permettono agli utenti di
● richiedere l’inserimento del proprio certificato nel database
● richiedere il certificato di qualcuno
© Babaoglu 2001-2014
Sicurezza
8
Public Key Infrastructure
■ PKI is a collection of services and protocols for
●
●
●
●
Registering
Certifying (issuing)
Validating
Revoking certificates
■ Public-key infrastructure (PKI)
● Registration Authority (RA) usually a physical person
● Certification Authority (CA) usually software
© Babaoglu 2001-2014
Sicurezza
9
PKI – Registration Authority
■ Invoked when a subject requests a certificate for the first
time
■ Subject requesting the certificate must be authenticated
■ In-band authentication:
● performed using the PKI itself
● possible only for certain types of identity information (e.g. email
address)
■ Out-of-band authentication:
● performed using more traditional methods, such as mail, fax,
over the telephone or physically meeting someone
© Babaoglu 2001-2014
Sicurezza
10
PKI – Certification Authority
■ Certification Authorities (CAs) are responsible for issuing,
validating and revoking certificates
■ Many different types of CAs exist: commercial,
government, free, etc.
■ Examples of CAs: VeriSign, Symantec, Thawte, Geotrust,
Comodo, Visa
© Babaoglu 2001-2014
Sicurezza
11
Public Key Infrastructure
■ Is there an “Internet PKI”?
● Several proposal for an Internet PKI exist: PGP, PEM, PKIX,
Secure DNS, SPKI and SDSI
● No single one has gained widespread use
■ In the future:
● Several PKI operating and inter-operating in the Internet
© Babaoglu 2001-2014
Sicurezza
12
Public Key Infrastructure
■ There are two basic operations common to all PKIs:
● Certification: process of binding a public-key value to subject:
an individual, organization or other entity
● Validation: process of verifying that a certification is still valid
© Babaoglu 2001-2014
Sicurezza
13
PKI – Certification Authorities
■ The certification process is based on trust
● users trust the issuing authority to issue only certificates that
correctly associate subjects to their public keys
■ Only one CA for the entire world?
● Impractical
■ Instead:
● most PKI enable one CA to certify other CA’s
● one CA is telling its users that they can trust what a second CA
says in its certificates
© Babaoglu 2001-2014
Sicurezza
14
PKI – Certificate Chains
DN CA X
PK CA X
Sig CA X
DN CA Y
PK CA Y
Sig CA X
© Babaoglu 2001-2014
DN CA Z
PK CA Z
Sig CA Y
Sicurezza
DN Bob
PK Bob
Sig CA Z
15
PKI – Certificate Chains
■ Certificate chains can be of arbitrary length
■ Each certificate in the chain validated by the one
preceding it
■ Different certificates:
● “Leaf” certificates (end-user)
● “Intermediate” certificates
● “Root” certificates
© Babaoglu 2001-2014
Sicurezza
16
PKI – CA Hierarchies
■ CAs can be organized
● as a rooted tree (X.509)
● as a general graph (PGP)
CA
CA
CA
© Babaoglu 2001-2014
CA
CA
Sicurezza
CA
CA
17
Hierarchical Trust (X.509)
■ Based on chains of trust forming a rooted tree among
entities that are reputed to be CAs
■ The (blind) trust we place on root-level CAs must be
acquired through reputation, experience, operational
competence and other non-technical aspects
■ Anyone claiming to be a CA must be a trusted entity and
we must believe that it is secure and correct
© Babaoglu 2001-2014
Sicurezza
18
Web of Trust (PGP)
■ In PGP, any user can act as a CA and sign the public key
of another user
■ A public key is considered valid only if a sufficient number
of trusted users have signed it
■ As the system evolves, complex trust relations emerge as
dynamic “web”
■ Trust need not be symmetric or transitive
■ (more on PGP later)
© Babaoglu 2001-2014
Sicurezza
19
PKI – Validation
■ Validation
● The information in a certificate can change over time
● Need to be sure that the information in the certificate is current
and that the certificate is authentic
■ Two basic methods of certificate validation:
● Off-line validation
The CA can include a validity period in the certificate — a range
during which the information in the certificate can be considered
valid
● On-line validation
The user can ask the CA directly about a certificate’s validity
every time it is used
© Babaoglu 2001-2014
Sicurezza
20
PKI – Revocation
■ Revocation
● the process of informing users when the information in a
certificate becomes unexpectedly invalid
▴ subject’s private key becomes compromised
▴ user information changes (e.g., email address, domain name of a server)
■ On-line
● revocation problem becomes trivial
● Online Certificate Status Protocol (OCSP) of X.509 describes
how to check validity and revoke certificates
■ Off-line
● Within the validity periods, certificate revocation method is critical
● Clients check “locally” if a certificate has been revoked
© Babaoglu 2001-2014
Sicurezza
21
PKI – Revocation
■ Certificate Revocation List (CRL)
● a list of revoked certificates that is signed and periodically issued
by a CA
● user must check the latest CRL during validation to make sure
that a certificate has not been revoked
● X.509 includes a CRL profile, describing the format of CRLs
■ CRL Problems
● CRL time-granularity problem
▴ how often CRLs must be issued?
● CRL size
▴ incremental CRL
© Babaoglu 2001-2014
Sicurezza
22
Certificates in Practice: Firefox
© Babaoglu 2001-2014
Sicurezza
23
Certificates in Practice: Firefox
© Babaoglu 2001-2014
Sicurezza
24
Certificates in Practice: Firefox
© Babaoglu 2001-2014
Sicurezza
25