Internet.Security
.pdf
|
|
Y |
|
L |
|
|
F |
|
|
M |
|
A |
|
|
E |
|
|
T |
|
|
Team-Fly®
6
Public-key Infrastructure
This chapter presents the profiles related to public-key Infrastructure (PKI) for the Internet. The PKI manages public keys automatically through the use of public-key certificates. It provides a basis for accommodating interoperation between PKI entities. A large-scale PKI issues, revokes and manages digital signature public-key certificates to allow distant parties to reliably authenticate each other. A sound digital signature PKI should provide the basic foundation needed for issuing any kind of public-key certificate.
The PKI provides a secure binding of public keys and users. The objective is how to design an infrastructure that allows users to establish certification paths which contain more than one key. Creation of certification paths, commonly called chains of trust, is established by Certification Authorities (CAs). A certification path is a sequence of CAs. CAs issue, revoke and archive certificates. In the hierarchical model, trust is delegated by a CA when it certifies a subordinate CA. Trust delegation starts at a root CA that is trusted by every node in the infrastructure. Trust is also established between any two CAs in peer relationships (cross-certification).
The CAs will certify a PKI entity’s identity (a unique name) and that identity’s public key. A CA performs user authentication and is responsible for keeping the user’s name and the associated public key. Hence, each CA must be a trusted entity, at least to the extent described in the Policy Certification Authority (PCA) policies. The CAs will need to certify public keys, create certificates, distribute certificates, and generate and distribute Certificate Revocation Lists (CRLs). The PCA is a special purpose CA which creates a policy-setting responsibility: that is, how the CA’s and PCA’s functions and responsibilities are defined and how they interact to determine the nature of the infrastructure. Therefore, PKI tasks are centred on researching and developing these functions, responsibilities and interactions.
This chapter presents the interoperability functional specifications that are carried out by CA entities at all levels. It describes what the PAA, PCAs and CAs perform. It also describes the role of an Organisational Registration Authority (ORA) that acts an intermediary between the CA and a prospective certificate subject. In the long run, the
Internet Security. Edited by M.Y. Rhee
2003 John Wiley & Sons, Ltd ISBN 0-470-85285-2
202 |
INTERNET SECURITY |
goal of the Internet PKI is to satisfy the requirements of identification, authentication, access control and authorisation functions.
6.1 Internet Publications for Standards
The Internet Activities Board (IAB) is the body responsible for coordinating Internet design, engineering and management. The IAB has two subsidiary task forces:
•The Internet Engineering Task Force (IETF), which is responsible for short-term engineering issues including Internet standards.
•The Internet Research Task Force (IRTF), which is responsible for long-term research.
The IETF working groups meet three times annually at large conventions to discuss standards development, but the development process is conducted primarily via open e- mail exchanges. Participants of IETF are individual technical contributors, rather than formal organisational representatives.
The most important series of Internet publications for all standards specifications appear in the Internet Request for Comments (RFCs) document series. Anyone interested in learning more about current developments on Internet standards can readily track their progress via e-mail. Another important series of Internet publications are the Internet Drafts. These are working documents prepared by IETF, its working groups, or other groups or individuals working on Internet technical topics. Internet Drafts are valid for a maximum of six months and may be updated, replaced or rendered obsolete by other documents at any time. Specifications that are destined to become Internet standards evolve through a set of maturity level as the standards evolve, which has three recognised levels: Proposed Standard, Draft Standard and Refined Standard.
To review the complete listing of current Internet Drafts, Internet standards associated with PKI will be briefly summarised in the following.
A public directory service or repository that can distribute certificates is particularly attractive. The X.500 standard specifies the directory service. A comprehensive online directory service has been developed through the ISO/ITU standardisation processes. These directory standards provide the basis for constructing a multipurpose distributed directory service by interconnecting computer systems belonging to service providers, governments and private organisations. In this way, the X.500 directory can act as a source of information for private people, communications network components or computer applications. When the X.500 standards were first developed in 1984 – 1988, the use of X.500 directories for distributing public-key certificates was recognised. Therefore, the standards include full specifications of data items required for X.500 to fulfil this role. Since the X.500 technology is somewhat complex, adoption of X.500 was slower than expected until the mid-1990s. Nevertheless, deployment of X.500 within large enterprises is increasing and some organisations are finding this repository a useful means of public-key certificate distribution.
The Internet Lightweight Directory Access Protocol (LDAP) is a protocol which can access information stored in a directory, including access to stored public-key certificates.
PUBLIC-KEY INFRASTRUCTURE |
203 |
LDAP is an access protocol which is compatible with the X.500 directory standards. However, LDAP is much simpler and more effective than the standard X.500 protocols.
The X.509 certificate format describes the authentication service using the X.500 directory. The certificate format specified in the Privacy-Enhanced Mail (PEM) standards is the 1988 version of the X.509 certificate format. The certificate format specified in the American National Standards Institute (ANSI) X9.30 standards is based on the 1992 version of the X.509 certificate format. The ANSI X9.30 standard requires that the issuer unique identifier field be filled in. This field will contain information that allows the private key to sign the certificate and be uniquely identified.
The certificate format used with the Message Security Protocol (MSP) is also based on the 1988 X.509 certificate format, but it does not include the issuer unique identifier or the subject unique identifier fields that are found in the 1992 version of the X.509 format.
The ISO/IEC/ITU X.509 standard defines a standard CRL format. The X.509 CRL format has evolved somewhat since first appearing in 1988. When the extension fields were added to the X.509 v3 certificate format, the same type of mechanism was added to the CRL to create the X.509 v2 CRL format. Of the various CRL formats studied, the PEM CRL format best meets the requirements of the PKI CRL format. ITU-T X.509 (formerly CCITT X.509) and ANSI X9.30 CRL formats are compared with the PEM CRL format to show where they differ. For example, the ANSI X9.30 CRL format is based on the PEM format, but the former adds one reason code field to each certificate entry within the list of revoked certificates.
All CAs are assumed to generate CRLs. The CRLs may be generated on a periodic basis or every time a certificate revocation occurs. These CRLs will include certificates that have been revoked because of key compromises, changes in a user’s affiliation, etc. All entities are responsible for requesting the CRLs that they need from the directory, but to keep querying the directory is impractical. Any CA which generates a CRL is responsible for sending its latest CRL to the directory. However, CRL distribution is the biggest cost driver associated with the operation of the PKI. CAs certifying fewer users result in much smaller CRLs because each CRL requested carries far less unwanted information. The delta CRL indicator is a critical CRL extension that identifies a delta CRL. The use of delta CRLs can significantly improve processing time for applications that store revocation information in a format other than the CRL structure. This allows changes to be added to the local database while ignoring unchanged information that is already in the local database.
6.2 Digital Signing Techniques
Since user authentication is so important for the PKI environment, it is appropriate to discuss the concept of digital signature at an early stage in this chapter. Digital signing techniques are employed to provide sender authentication, message integrity and sender non-repudiation, provided that private keys are kept secret and the integrity of public keys is preserved. Provision of these services is furnished with the proper association between the users and their public/private key pairs.
When two users A and B communicate, they can use their public keys to keep their messages confidential. If A wishes to hide the contents of a message to B, A encrypts
204 |
INTERNET SECURITY |
A’s private key
User A |
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
Message digest |
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
One-way |
|
Signature |
||||||||
Message (M) |
|
|
|
|
|
|
|
|||||||
|
|
|
|
|
|
|
algorithm |
|||||||
|
|
|
hash function |
|
|
|
|
|||||||
|
|
|
|
|
|
|
||||||||
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
Digital signature (S) |
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
M |
|
S |
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Internet
User B
M S
|
|
|
Hash function |
|
|
|
Decryption |
|
|
|
|
A’s public key |
|||||
|
|
|
|
|
|
|
|
|
|
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Message digest |
|
|
|
|
|
|
|
|
|
Message digest |
|
||||||
computed at B |
|
|
Comparison |
|
|
|
|
||||||||||
|
|
|
|
|
|
|
|
|
|
|
|||||||
|
|
|
|
|
|
? |
|
|
|
|
|
|
|
|
|
||
|
|
|
= |
|
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
No |
|
|||||||||||
|
|
|
Yes |
|
|
|
|||||||||||
|
|
|
|
|
|
|
|
|
|
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Accept |
|
|
|
|
|
Reject |
|
|
|
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If the comparison is successful, It is authentic.
If the comparison fails, the message is tempered with.
Figure 6.1 Overall view of a typical digital signature scheme.
PUBLIC-KEY INFRASTRUCTURE |
205 |
A (client) |
Session |
|
key |
||
|
|
|
|
|
CA |
|
(Certification Authority) |
||||
|
|
|
|
|
|
|
(B’s public key) |
|||
|
|
|
|
|
eB |
|||||
|
K |
|
|
|
|
|
|
|
|
|
Session |
|
RSA |
|
|
KeB |
|
||||
key |
|
|
encryption |
|
|
|
||||
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
K
B (server)
dB (B′s private key)
RSA |
|
|
Session |
||
decryption |
|
|
key |
||
|
|
|
|
|
|
|
|
|
|
|
K |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Y = EK |
(m) |
|
|
|
|
|
|
|
|
Plaintext |
|
|
|
H (m) |
|||||||
|
DES |
|
|
|
Ciphertext |
|
|
|
|
DES |
|
H |
|
|||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
decryption |
m |
|
|
|
|
||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
|
|
m |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Hash |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
function |
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
Plaintext |
|
|
|
|
(A′s private key) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
dA |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
m |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
One-way |
|
|
|
h = H(m) |
|
|
|
|
|
C |
|
|
|
|
|
|
|
|
|
|
|
(hdA)eA |
|
h |
|||
|
function |
|
|
|
|
|
|
hdA |
|
|
|
|
|
C eA |
|
|
|
|
|
|
|
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
|
H |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
No |
|
|
|
|
|
Message |
|
|
RSA |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
MD5 |
|
|
|
|
|
|
|
|
|
|
eA (A′s public key) |
|
|||||||||||||||
|
|
|
|
digest |
encryption |
|
|
|
|
|
|
|
||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
h′ |
Message |
digest |
h′ |
= ? |
Yes |
|
CA |
|
Authentication |
Authentication |
|
|
|
|
is verified |
fails |
|
(Certification Authority) |
|||||
|
|
||||
Figure 6.2 Signature and authentication with DES/RSA/MD5 (compatible with PEM method).
it using B’s public key. If A wishes to sign a document, he or she must use the private key available only to him or her. When B receives a digitally signed message from A, B must verify its signature. B needs A’s public key for this verification. A should have high confidence in the integrity of that key.
The scenario of a typical signature scheme is described in Figure 6.1. The following example is presented to illustrate one practical system (Figure 6.2) applicable to the digital signature computation for user authentication. The combination of SHA-1 (or MD5) and RSA provides an effective digital signature scheme. As an alternative, signatures can also be generated using DSS/SHA-1.
For digital signatures, the content of a message m is reduced to a message digest with a hash function (such as MD5). An octet string containing the message digest is encrypted with the RSA private key of the signer. The message and the encrypted message digest are represented together to yield a digital signature. This application is compatible with the Privacy-Enhanced Mail (PEM) method. For digital envelopes, the message is first encrypted under a DES key with a DES algorithm and then the DES key (messageencryption key) is encrypted with the RSA public key of the recipients of the message. The encrypted message and the encrypted DES key are represented together to yield a digital envelope. This application is also compatible with PEM methods.
Example 6.1 Utilizing the practical signature/authentication scheme shown in Figure 6.2, the analytic solution is as follows:
206 |
INTERNET SECURITY |
Client A
1.DES encryption of message m: The 64-bit message m is
m = 785ac3a4bd0fe12d
The 56-bit DES session key K is
K = ba0c2b3c484ff9 (hexadecimal)
The 64-bit ciphertext Y (output of 16-round DES) is
Y = a78791c0c8f0b444
2.RSA encryption of K:
K = 52367725502681081 (decimal)
Split K into blocks of two digits:
K = 05 23 67 72 55 02 68 10 81
Obtain B’s public key eB = 79 from CA and choose public modulo n = 3337. Encrypt every two-bit block of K as follows:
579 (mod 3337) ≡ 270
2379 (mod 3337) ≡ 2524
.
.
.
8179 (mod 3337) ≡ 3198
Encrypted K = 0270 2524 1479 0285 1773 3139 2753 3269 3198 This encrypted symmetric key is called the digital envelope.
Send this encrypted key (digital envelope) K to B.
3.Computation of hash code using MD5: Compute the hash value h of m:
h= H (m) = H (785ac3a4bd0f e12d)
=6a26ee0ed9ce3963ec8b0f98ebda8476 (hexadecimal)
h= 141100303223912907143183747760118203510 (decimal)
Choose dA = 13 (A’s private key) and compute:
c = hdA
PUBLIC-KEY INFRASTRUCTURE |
207 |
Let us break the hash code into two decimal numbers as follows:
h = 1 |
41 |
10 |
03 |
03 |
22 |
39 |
12 |
90 |
71 |
43 |
18 |
37 |
47 |
76 |
01 |
18 |
20 |
35 |
10 |
Using dA = 13 and n = 851, compute the RSA signature:
113 (mod 851) ≡ 1 |
|
|
|
|
|
|
|
|
||
4113 |
(mod 851) ≡ 545 |
|
|
|
|
|
|
|
||
|
. |
|
|
|
|
|
|
|
|
|
|
. |
|
|
|
|
|
|
|
|
|
|
. |
|
|
|
|
|
|
|
|
|
1013 |
(mod 851) ≡ 333 |
|
|
|
|
|
|
|
||
c = hAd = 001 |
669 |
084 |
400 |
400 |
091 |
348 |
719 |
157 |
303 |
|
|
635 |
439 |
333 |
047 |
089 |
001 |
439 |
520 |
466 |
084 |
Send c to B.
A → B
Send (ciphertext Y , encrypted value of K and signed hash code c) to B.
Server B
1.Decryption of secret session key K: Received encryption key K:
K = 0270 2524 1479 0285 1773 3139 2753 3669 3198
Choose dB = 1019 (B’s private key) and decrypt K block by block:
2701019 (mod 3337) ≡ 5
25241019 (mod 3337) ≡ 23
.
.
.
31981019 (mod 3337) ≡ 81
K = 05 23 67 72 55 02 68 10 81
or
K = 52367725502681081 (decimal)
=ba0c2b3c484ff9 (hexadecimal)
2.Decryption of m using DES: Ciphertext Y = a78791c0c8f0b444
Restored DES key K = ba0c2b3c484ff9
208 |
INTERNET SECURITY |
Using Y and K, the message m can be recreated:
m= 785ac3a4bd0fe12d
3.Computation of hash code and verification of signature:
Apply MD5 algorithm to the restored message in order to compute the hash code: h = H (m) = H(785ac3a4bd0fe12d)
=6a26ee0ed9ce3963ec8b0f98ebda8476
Obtain A’s public key eA = 61 from CA and apply eA to the signed hash value c:
c = 001 |
669 |
084 |
400 |
400 |
091 |
348 |
719 |
157 |
303 |
|
635 |
439 |
333 |
047 |
089 |
001 |
439 |
520 |
466 |
084 |
|
Using eA, compute h = ceA as follows: |
|
|
|
|
||||||
161 (mod 851) ≡ 1 |
|
|
|
|
|
|
|
|
||
66961 (mod 851) ≡ 41 |
|
|
|
|
|
|
|
|
||
. |
|
|
|
|
|
|
|
|
|
|
. |
|
|
|
|
|
|
|
|
|
|
. |
|
|
|
|
|
|
|
|
|
|
08461 (mod 851) ≡ 10 |
|
|
|
|
|
|
|
|
||
Hence, |
h = 1 |
41 |
10 |
03 |
03 |
22 |
39 |
12 |
90 |
71 |
|
43 |
18 |
37 |
47 |
76 |
01 |
18 |
20 |
35 |
10 |
Convert it to the hexadecimal number:
h = 6a26ee0ed9ce3963ec8b0f98ebda8476
Thus, we can easily check h = h .
Digital signing techniques are used in a number of applications. Since digital signature technology has grown in demand, its explosive utilisation and development will be expected to continue in the future. Several applications are considered in the following.
•Electronic mail security: Electronic mail is needed to sign digitally, especially in cases where sensitive information is being transmitted and security services such as authentication, integrity and non-repudiation are desired. Signing an e-mail message assures all recipients that the sender of the information is the person who he or she claims to be, thus authenticating the sender. For example, the DSS is using MOSAIC to provide security services for e-mail messages. The DSA has been incorporated into MOSAIC and is used to digitally sign e-mails as well as public-key certificates. Pretty Good Privacy (PGP) provides security services as well as data integrity services for messages and data files by using digital signatures, encryption, compression (zip) and radix-64 conversion (ASCII Armor). MIME defines a format for text messages being
PUBLIC-KEY INFRASTRUCTURE |
209 |
sent using e-mail. MIME is actually intended to address some of the problems and limitations of the use of SMTP. S/MIME is a security enhancement to the MIME Internet e-mail format, based on technology from RSA Data Security. Although both PGP and S/MIME are on an IETF standards track, it appears likely that PGP will remain the choice for personal e-mail security for many users, while S/MIME will emerge as the industry standard for commercial and organisational use.
•Financial transactions: This encompasses a number of areas in which money is being transferred directly or in exchange for services and goods. One area of financial transactions which could benefit especially from the use of digital signatures is Electronic Funds Transfer (EFT). Digitally signing EFTs are a way of providing security services such as authentication, integrity and non-repudiation.
Secure Electronic Transaction (SET) is the most important protocol relating to e- commerce. SET introduced a new concept of digital signature called dual signatures. A dual signature is generated by creating the message digest of two messages: order digest and payment digest. The SET protocol for payment processing utilises cryptography to provide confidentiality of information, ensure payment integrity and identity authentication.
•Electronic filing: Contracting requirements expect certain mandated certificates to be submitted from contractors. This requirement is often filed through the submission of a written form and usually requires a handwritten signature. If filings are digitally signed and electronically filed, digital signatures may be used to replace written signatures and to provide authentication and integrity services.
One of the largest information submission processes is perhaps the payment of taxes and the request for tax-related information will require signatures. In fact, the IRS in the USA is converting many of these processes electronically and is considering use of digital signatures. The IRS has several prototype under development that utilise digital signatures generated by using DSA. At present, individuals send their tax forms to the IRS in bulk transactions. The IRS will require them to sign the bulk transactions digitally to provide added assurances. In future, the electronically generated tax returns may be digitally signed. The taxpayer may send the digitally signed electronic form to the IRS directly or through a tax accountant or adviser.
•Software protection: Digital signatures are also used to protect software. By signing the software, the integrity of the software is assured when it is distributed. The signature may be verified when the software is installed to ensure that it was not modified during the distribution process.
•Signing and authenticating: Signing is the process of using the sender’s private key to encrypt the message digest of a document. Anyone with the sender’s public key can decrypt it. A person who wants to sign the data has only to encrypt the message digest to ensure that the data originated from the sender. Authentication is provided when the sender encrypts the hash value with the sender’s private key. This assures the receiver that the message originated from the sender.
Digital signatures can be used in cryptography-based authentication schemes to sign either the message being authenticated or the authentication challenge used in the