
INFS 766

Internet Security Protocols

Lecture 6
Digital Certificates

Prof. Ravi Sandhu

PUBLIC-KEY CERTIFICATES

- reliable distribution of public keys
- public-key encryption
  - sender needs public key of receiver
- public-key digital signatures
  - receiver needs public key of sender
- public-key key agreement
  - both need each other's public keys

© Ravi Sandhu 2000-2004 2


THE CERTIFICATE TRIANGLE

[Figure: the certificate triangle. Its three vertices are user, public key and attribute. An X.509 identity certificate binds user to public key, an X.509 attribute certificate binds user to attribute, and an SPKI certificate binds attribute to public key.]

X.509 CERTIFICATE

VERSION
SERIAL NUMBER
SIGNATURE ALGORITHM
ISSUER
VALIDITY
SUBJECT
SUBJECT PUBLIC KEY INFO
SIGNATURE

X.509 CERTIFICATE

VERSION: 0
SERIAL NUMBER: 1234567891011121314
SIGNATURE ALGORITHM: RSA+MD5, 512
ISSUER: C=US, S=VA, O=GMU, OU=ISE
VALIDITY: 9/9/99-1/1/1
SUBJECT: C=US, S=VA, O=GMU, OU=ISSE, CN=Ravi Sandhu
SUBJECT PUBLIC KEY INFO: RSA, 1024, xxxxxxxxxxxxxxxxxxxxxxxxx
SIGNATURE

CERTIFICATE TRUST

- how to acquire the public key of the issuer to verify the signature
- whether or not to trust certificates signed by the issuer for this subject


PEM CERTIFICATION GRAPH

[Figure: PEM certification graph. At the root is the Internet Policy Registration Authority (IPRA). Below it are the Policy Certification Authorities (PCAs): High Assurance, Mid-Level Assurance, Residential and Persona. Below the PCAs are Certification Authorities (CAs) such as MITRE, GMU, Virginia and Anonymous. At the bottom are subjects such as Abrams, ISSE, Sandhu, Fairfax and LEO.]

CRL FORMAT

SIGNATURE ALGORITHM
ISSUER
LAST UPDATE
NEXT UPDATE
REVOKED CERTIFICATES
  SERIAL NUMBER
  REVOCATION DATE
SIGNATURE
PGP BOTTOM UP TRUST MODEL

- How does Alice get Bob's public key?
  - directly from Bob through some secure channel (e.g., post, phone, floppy)
  - from Chuck, who is known to both Alice and Bob and introduces Bob to Alice
  - from a trusted certifying authority
- PGP has mechanisms to support these, and related, alternatives

X.509 CERTIFICATES

- X.509v1
  - very basic
- X.509v2
  - adds unique identifiers to protect against reuse of X.500 names
- X.509v3
  - adds many extensions
  - can be further extended


SEPARATE KEYS FOR SEPARATE PURPOSES

- RSA is the only known public-key cryptosystem in which the same public-private key pair can be used for
  - digital signatures
  - encryption
- perceived as a major advantage

SIGNATURE KEYS

- private key: must be private for its entire life, may never leave the smart card
  - needs to be securely destroyed after its lifetime
  - no need for backup or archiving (would conflict with the above)
  - no need to weaken or escrow due to law
- public key: must be archived, possibly for a long time


ENCRYPTION KEY

- private key: backup or archive required for recovery
  - should not be destroyed after its lifetime
  - may be weakened/escrowed due to law
- public key:
  - no need to back up RSA or other encryption keys
  - need to back up Diffie-Hellman key agreement keys

X.509 INNOVATIONS

- distinguish various certificates
  - signature, encryption, key-agreement
- identification info in addition to X.500 name
- name other than X.500 name
  - email address
- issuer can state policy and usage
  - good enough for casual email but not good enough for signing checks
- limits on use of signature keys for further certification


X.509v3 EXTENSIONS

- X.509v3 is the same as X.509v2 but adds extensions
- provides a general extension mechanism
  - extension type: registered just like an algorithm is registered
  - standard extension types: needed for interoperability

X.509v3 EXTENSIONS: CRITICALITY

- non-critical: extension can be ignored by the certificate user
  - alternate name can be non-critical
- critical: extension should not be ignored by the certificate user
  - limit on use of signatures for further certification


X.509v3 EXTENSIONS: CRITICALITY

- criticality is flagged by the certificate issuer
  - certificate user may consider non-critical extensions more important than critical ones
  - certificate user may refuse to use a certificate if some extensions are missing
- critical extensions should be few and should be standard

X.509v3 NAMES

- internet email address
- internet domain name
- web URI (URLs are a subset of URIs)
- IP address
- X.400 email address
- X.500 directory name
- registered identifier
- other name


X.509v3 STANDARD EXTENSIONS

- Key and policy information
- Subject and issuer attributes
- Certification path constraints
- Extensions related to CRLs
  - will be discussed with CRLs

KEY AND POLICY INFORMATION

- key usage
  - critical: intended only for that purpose, limits liability of CA
  - non-critical: advisory to help find the correct key, no liability implication
- private-key usage period
  - certificate valid for 2 years for verifying signatures
  - key valid only for one year for signing
- certificate policies
  - for CAs


SUBJECT AND ISSUER ATTRIBUTES

- Subject alternative names
- Issuer alternative names
- Subject directory attributes
  - whatever you like
  - position, phone, address etc.

CERTIFICATION PATH CONSTRAINTS

- Basic Constraints
  - can or cannot act as CA
  - if it can act as CA, limit on certification path
    - limit=1 means cannot certify other CAs
- Name Constraints
  - limits names of subjects that this CA can issue certificates for
- Policy Constraints
  - concerned with CA policies
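The following is an added example, not code from the lecture: a small Python model of how a certificate user applies the extension rules from the slides on criticality, key usage and certification path constraints when walking a chain from a trust anchor down to an end entity. Certificates are plain objects with no signatures or ASN.1 (an assumption for readability); name constraints are modelled as DNS suffixes such as ".gmu.edu" (a constructed convention); and the path-length limit counts the number of further CA certificates allowed below a CA, so a pathLen of 0 plays the role of the slide's "limit=1". The CA names (GMU CA, ISSE CA) are constructed from the slide's example subject.

```python
"""Simplified X.509 certification-path checker.

Constructed teaching model, not an ASN.1/X.509 parser and not code from the
lecture: certificates are plain Python objects and no signatures are verified.
It applies the rules from the slides on extension criticality, key usage,
basic constraints (cA flag and path-length limit) and name constraints.
"""
from dataclasses import dataclass, field


@dataclass
class Extension:
    name: str        # extension type, e.g. "basicConstraints"
    critical: bool   # criticality flag set by the issuer
    value: object


@dataclass
class Cert:
    subject: str
    issuer: str
    san: list = field(default_factory=list)         # subject alternative names (DNS)
    extensions: list = field(default_factory=list)

    def ext(self, name):
        return next((e for e in self.extensions if e.name == name), None)


# Extension types this verifier understands.  A critical extension outside this
# set forces rejection; an unknown non-critical extension is simply ignored.
KNOWN_EXTENSIONS = {"basicConstraints", "keyUsage", "nameConstraints", "subjectAltName"}


def unknown_critical(cert):
    """Name of the first critical extension this verifier does not understand, or None."""
    for e in cert.extensions:
        if e.critical and e.name not in KNOWN_EXTENSIONS:
            return e.name
    return None


def name_permitted(name, permitted):
    """Permitted subtrees are DNS suffixes such as '.gmu.edu' (constructed convention)."""
    return any(name == p.lstrip(".") or name.endswith(p) for p in permitted)


def validate_path(chain, anchor):
    """chain[0] is the end-entity certificate; chain[-1] was issued by the anchor.

    Returns None when the path is acceptable, otherwise a string naming the
    first failing certificate and the rule it violates.
    """
    issuer = anchor
    remaining = None   # CA certificates still allowed below the current CA (pathLen budget)
    constraints = []   # permitted name subtrees imposed by the CAs above
    for depth, cert in enumerate(reversed(chain)):
        if cert.issuer != issuer.subject:
            return f"{cert.subject}: issuer mismatch"
        bad = unknown_critical(cert)
        if bad:
            return f"{cert.subject}: unknown critical extension {bad}"
        # a name constraint set by any CA above applies to every name below it
        for n in cert.san:
            if not all(name_permitted(n, p) for p in constraints):
                return f"{cert.subject}: name {n} outside permitted subtrees"
        if depth < len(chain) - 1:            # an intermediate CA certificate
            bc = cert.ext("basicConstraints")
            if bc is None or not bc.value.get("cA"):
                return f"{cert.subject}: not a CA"
            ku = cert.ext("keyUsage")
            if ku is not None and "keyCertSign" not in ku.value:
                return f"{cert.subject}: key not usable for certificate signing"
            if remaining == 0:
                return f"{cert.subject}: path length constraint exceeded"
            if remaining is not None:
                remaining -= 1                # this CA consumes one unit of the budget
            own = bc.value.get("pathLen")
            if own is not None and (remaining is None or own < remaining):
                remaining = own
            nc = cert.ext("nameConstraints")
            if nc is not None:
                constraints.append(nc.value["permitted"])
        issuer = cert
    return None


def sample_pki():
    """Constructed hierarchy using the slides' GMU/ISSE example names."""
    def ca(path_len=None):
        return Extension("basicConstraints", True, {"cA": True, "pathLen": path_len})

    root = Cert("Root", "Root", extensions=[ca()])
    gmu = Cert("GMU CA", "Root", extensions=[
        ca(path_len=1),   # may certify one more layer of CAs, not two
        Extension("nameConstraints", True, {"permitted": [".gmu.edu"]}),
    ])
    isse = Cert("ISSE CA", "GMU CA", extensions=[
        ca(), Extension("keyUsage", True, {"keyCertSign", "cRLSign"})])
    leaf = Cert("Ravi Sandhu", "ISSE CA", san=["sandhu.ise.gmu.edu"])
    return root, gmu, isse, leaf
```

With `root, gmu, isse, leaf = sample_pki()`, `validate_path([leaf, isse, gmu], root)` returns None. Adding a further CA below ISSE CA trips GMU CA's path-length budget, a leaf outside `.gmu.edu` trips the name constraint, and a certificate carrying an unrecognised critical extension is rejected while the same extension marked non-critical is ignored, which is exactly the behaviour the criticality slides prescribe.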


CERTIFICATE REVOCATION LISTS

- CRLs issued periodically as per CA policy
  - off-cycle CRLs may also be needed
  - blank CRLs can be issued

CERTIFICATE REVOCATION LISTS

- CRL distribution
  - pull method
  - push method
- DMS example
  - pull method with push for compromised key list (CKL), which is broadcast via secure email; single CKL for entire system


CERTIFICATE REVOCATION LISTS

- immediate or real-time revocation
  - needs query to CA on every certificate use
  - maybe ok for small closed communities

REVOCATION TIME-LINE

[Figure: revocation time-line. Events in order along the line: issue of CRL 1, compromise event, revocation request, revocation time, issue of CRL 2.]
OCSP: ON-LINE CERTIFICATE STATUS PROTOCOL

- consult authoritative server
- the server in turn can look up CRLs

SHORT-LIVED CERTIFICATES

- Authorization certificates can be short lived
  - minutes, hours, days instead of months, years


X.509 CRL EXTENSIONS

- General Extensions
- CRL distribution points
- Delta-CRLs
- Indirect-CRLs
- Certificate Suspension

GENERAL EXTENSIONS

- Reason Code
  - Key Compromise
  - CA Compromise
  - Affiliation changed
  - Superseded
  - Cessation of operation
  - Remove from CRL: defer till Delta-CRL
  - Certificate hold: defer
- Invalidity Date
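The following is an added example, not code from the lecture, that walks through the revocation time-line slide together with two extensions from the slides above: the private-key usage period (a two-year certificate whose key may sign for only one year) and the invalidity date CRL entry extension. Times are integers in days since certificate issue and the CRLs are constructed objects rather than parsed DER; the serial number, issuer name and the day numbers are all constructed. The point it makes visible is the window between the compromise event and the issue of CRL 2: a signature made by the compromised key during that window verifies as good against CRL 1, and only an invalidity date in CRL 2 lets a later verifier reject it retroactively.

```python
"""Revocation time-line check: does a signature survive a later CRL?

Added example, not from the lecture.  Times are integers (days since the
certificate was issued) and the CRLs are constructed objects, not DER.
It models the slide's time-line (CRL 1 issued, compromise event, revocation
request, revocation time, CRL 2 issued), the private-key usage period
extension, and the invalidity date CRL entry extension.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: int                    # when the CA recorded the revocation
    reason: str = "unspecified"
    invalidity_date: Optional[int] = None   # when the key is believed to have gone bad


@dataclass
class CRL:
    issuer: str
    this_update: int
    next_update: int
    entries: list = field(default_factory=list)

    def lookup(self, serial):
        return next((e for e in self.entries if e.serial == serial), None)


@dataclass
class Cert:
    serial: int
    issuer: str
    not_before: int
    not_after: int
    key_usage_period: Optional[tuple] = None   # privateKeyUsagePeriod: (start, end) for signing


def latest_crl(crls, issuer, at_time):
    """Freshest CRL from `issuer` that a verifier could have fetched by `at_time`."""
    published = [c for c in crls if c.issuer == issuer and c.this_update <= at_time]
    return max(published, key=lambda c: c.this_update, default=None)


def signature_status(cert, signing_time, verify_time, crls):
    """Classify a signature made at signing_time and checked at verify_time.

    "valid"                  no revocation known from the freshest CRL
    "stale-crl"              no CRL covering verify_time: refuse rather than guess
    "invalid-before-signing" the key was already bad when it signed
    "revoked-after-signing"  signed before the key went bad; local policy decides
    "outside-validity", "outside-key-usage-period"  certificate or key not usable then
    """
    if not (cert.not_before <= signing_time <= cert.not_after):
        return "outside-validity"
    if cert.key_usage_period is not None:
        start, end = cert.key_usage_period
        if not (start <= signing_time <= end):
            return "outside-key-usage-period"
    crl = latest_crl(crls, cert.issuer, verify_time)
    if crl is None or crl.next_update < verify_time:
        return "stale-crl"
    entry = crl.lookup(cert.serial)
    if entry is None:
        return "valid"
    # Without an invalidity date the verifier can only assume the key went bad
    # at the revocation date, which is later than the real compromise.
    bad_since = entry.invalidity_date if entry.invalidity_date is not None else entry.revocation_date
    return "invalid-before-signing" if signing_time >= bad_since else "revoked-after-signing"


def sample_timeline():
    """Constructed instance of the slide's time-line, in days from certificate issue."""
    cert = Cert(serial=1234, issuer="ISSE CA", not_before=0, not_after=730,
                key_usage_period=(0, 365))    # two-year certificate, one-year signing key
    crl1 = CRL("ISSE CA", this_update=100, next_update=130)   # issue of CRL 1
    compromise, revocation = 110, 118    # compromise event, then revocation time
    crl2 = CRL("ISSE CA", this_update=130, next_update=160, entries=[   # issue of CRL 2
        RevokedEntry(1234, revocation_date=revocation, reason="keyCompromise",
                     invalidity_date=compromise)])
    return cert, [crl1, crl2]
```

With `cert, crls = sample_timeline()`, a signature made on day 112 and checked on day 120 is reported "valid" because CRL 1 is still current and says nothing; checked on day 135 against CRL 2 it becomes "invalid-before-signing" thanks to the invalidity date of day 110. Dropping the invalidity date from the CRL 2 entry turns the same signature into "revoked-after-signing", since the verifier then only knows the revocation date of day 118, which is the case for recording the compromise time and not just the revocation time. A verifier on day 200 with no CRL covering that day gets "stale-crl" and should refuse rather than assume the certificate is good.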
CRL DISTRIBUTION POINTS

- CRLs can get very big
  - version 1 CRL (1988, 1993)
    - each CA has two CRLs: one for end users, one for CAs
    - end user CRL can still be very big
  - version 2 CRL
    - can partition certificates, each partition associated with one CRL
    - distribution point
    - also can have different distribution points for different revocation reasons

CRL DISTRIBUTION POINTS

- certificate extension field, says where to look
- CRL extension field
  - distribution point for this CRL and limits on scope and reason of revocation
  - protects against substitution of a CRL from one distribution point to another


DELTA-CRLs

- Delta CRL indicator
  - only carries changes from previous CRL
- Remove from CRL reason code causes purge from base CRL (stored at certificate user)
- removal due to expiry of validity period or restoration of suspension
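The following is an added example, not code from the lecture, covering the two CRL distribution point slides and the delta-CRL slide above: the CRL-side distribution point field that lets a certificate user refuse a CRL substituted from another distribution point, and the delta-CRL update in which Remove-from-CRL entries purge serials from the base CRL the user has stored while Certificate-hold entries keep a certificate suspended. CRLs are constructed Python objects rather than DER, CRL numbers are plain integers, and the distribution point URLs, issuer name, serial numbers and dates are all constructed.

```python
"""Delta-CRL merging and CRL distribution-point scope checks.

Added example, not code from the lecture.  CRLs are constructed Python
objects rather than DER; CRL numbers are plain integers and distribution
points are constructed URLs.  It models the issuing distribution point that
pins a CRL to one distribution point, a delta-CRL carrying only changes
since a base CRL (removeFromCRL purging entries from the stored base), and
certificateHold entries that suspend rather than revoke.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    serial: int
    revocation_date: int
    reason: str


@dataclass
class CRL:
    issuer: str
    number: int                            # cRLNumber, increases with every issue
    distribution_point: str                # issuingDistributionPoint: scope of this CRL
    entries: list = field(default_factory=list)
    delta_indicator: Optional[int] = None  # base CRL number this delta applies to


def crl_in_scope(cert_dp, crl):
    """A CRL fetched for one distribution point must not be accepted for another."""
    return crl.distribution_point == cert_dp


def delta_applies(base, delta):
    """A delta applies to any complete CRL numbered from its base number up to its own."""
    return (delta.delta_indicator is not None
            and delta.issuer == base.issuer
            and delta.distribution_point == base.distribution_point
            and delta.delta_indicator <= base.number < delta.number)


def apply_delta(base, delta):
    """Return a new complete CRL equal to `base` brought up to date by `delta`.

    removeFromCRL entries purge the serial from the stored base (the hold was
    lifted or the certificate expired); every other entry adds or replaces
    the serial's current status.
    """
    if not delta_applies(base, delta):
        raise ValueError("delta-CRL does not apply to this base CRL")
    current = {e.serial: e for e in base.entries}
    for e in delta.entries:
        if e.reason == "removeFromCRL":
            current.pop(e.serial, None)
        else:
            current[e.serial] = e
    return CRL(base.issuer, delta.number, base.distribution_point,
               sorted(current.values(), key=lambda e: e.serial))


def status(crl, serial):
    """'good', 'suspended' (certificateHold) or 'revoked' for a serial under this CRL."""
    e = next((x for x in crl.entries if x.serial == serial), None)
    if e is None:
        return "good"
    return "suspended" if e.reason == "certificateHold" else "revoked"


def sample_crls():
    """Constructed base and delta CRL for one end-user distribution point."""
    dp = "http://crl.example/isse-users.crl"   # constructed distribution point
    base = CRL("ISSE CA", number=7, distribution_point=dp, entries=[
        Entry(100, 50, "keyCompromise"),
        Entry(200, 60, "certificateHold"),     # suspended, may be restored later
        Entry(300, 40, "affiliationChanged"),
    ])
    delta = CRL("ISSE CA", number=9, distribution_point=dp, delta_indicator=7, entries=[
        Entry(200, 70, "removeFromCRL"),       # hold lifted: purge from the base
        Entry(400, 72, "superseded"),
        Entry(500, 75, "certificateHold"),
    ])
    return base, delta
```

With `base, delta = sample_crls()`, `apply_delta(base, delta)` yields a complete CRL numbered 9 listing serials 100, 300, 400 and 500: serial 200 was on hold in the base and is released by the delta's removeFromCRL entry, while serial 500 enters in the suspended state. `crl_in_scope` is what stops an attacker-substituted CRL for the CA partition being accepted for an end-user certificate, and `delta_applies` refuses a delta whose indicator names a newer base than the one the user has stored.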

INDIRECT-CRL

- CRL can be issued by a different CA than the issuer of the certificate
  - allows all compromise revocations to be on one list
  - allows all CA revocations to be on one list (simplifies certificate chasing)


CERTIFICATE SUSPENSION

- Certificate hold reason code in CRL
- Supporting CRL entry extension
  - Instruction code: instructions on what to do with held certificate
    - call CA, repossess token

GENERAL HIERARCHICAL STRUCTURE

[Figure: general hierarchical structure. Root Z; below it X and Y; below them Q, R, S and T; below them A, C, E, G, I, K, M and O; leaf subjects a through p.]
GENERAL HIERARCHICAL STRUCTURE WITH ADDED LINKS

[Figure: the same hierarchy (Z; X and Y; Q, R, S and T; A, C, E, G, I, K, M and O; leaf subjects a through p) with added links between nodes.]

TOP-DOWN HIERARCHICAL STRUCTURE

[Figure: top-down hierarchical structure. Root Z; below it X and Y; below them Q, R, S and T; below them A, C, E, G, I, K, M and O; leaf subjects a through p.]

SET CA HIERARCHY

[Figure: SET CA hierarchy. Root at the top; below it several Brand CAs; below them Geo-Political CAs; below them the Bank and the Acquirer; at the bottom the Customer (under the Bank) and the Merchant (under the Acquirer).]
FOREST OF HIERARCHIES

[Figure: forest of hierarchies.]
