Public Key Infrastructures: The Bane of Midterm 2CS 451: Operating Systems

Jason Bartlett

What are PKI’s?

Put simply, PKI’s are a way to manage public keys and/or trust in those keys.

Any PKI must handle three considerations: Availability of keys: How do I find a key? Validity of keys: How do I know this key is

correct? Provenance of keys: How do I know if this

key is the right key?

Outline

Self-certifying names Hierarchical PKI

X.509 DNSSEC

Distributed PKI SDSI PGP

Reputation Systems

Self-Certifying Names

One way to distribute keys is to cryptographically derive the name of the data from the data itself.

Ex:

A self-certifying pathname used by SFS, a location-independent secure file system.

Any change to the data will result in a different hashed name.

Self-Certifying Names, con’t

These names clearly satisfy key availability and key validity.

Recent proposals for next-generation Internet architectures use these ideas to secure data.

DONA CCN/NDN

DONA

DONA (Data-Oriented Network Architecture) uses self-certifying names to ensure data validity over the network.‒ You ask for some data P:L where P is the hash of the

publisher’s public key and L is a human-readable label

‒ You receive a triple < Data, Key, Signature > and can verify that the publisher’s key hashes to P, therefore the data is owned by a proper publisher.

NDN

NDN (Named Data Networking) uses some of these ideas, but not explicit self-certifying names‒ NDN cryptographically derives a signature for each

piece of data from the data, publisher, and the publisher’s key.

‒ This basically signs the binding between the name given to the data and the data itself.

Self-Certifying Names, con’t

But what about key provenance? Self-certifying names rely on a mapping from

user-friendly names to the self-certifying name

This provides an avenue of attack Ex: In SFS, a user can create symlinks to a server

so they don’t have to retype the hash. If the user’s system is vulnerable, those links can

be rewritten to point to attacker’s server.

Outline

Self-certifying names Hierarchical PKI

X.509 DNSSEC

Distributed PKI SDSI PGP

Reputation Systems

Hierarchical PKI

If self-certifying names are not used, a user must be able to establish the validity of keys.

This is commonly done by binding a name to a public key, creating an Identity Certificate

This binding is done by a trusted third-party called a Certification Authority.

Hierarchical PKI

The CA forms the root of a tree and can sign any other key below them.

These trees can be as small as a project group, or as big as the Internet.

X.509

One of the earlier examples of a hierarchical PKI is X.509 (version 3 defined in RFC 2459).

All certificates can be traced back to a single global root.

The early motivation here was to create an Internet-sized “phone book” of users and public keys.

X.509

X.509 certificates are still commonly used in SSL and TLS.

Check out your browser’s root list:– Firefox: Edit -> Preferences -> Advanced ->

Encryption -> View Certificates

– Chrome: [Wrench] -> Preferences -> Under The Hood -> Manage Certificates -> Authorities

X.509 Certificate

A sample X.509 Certificate.

http://publib.boulder.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=/com.ibm.ztpf-ztpfdf.doc_put.cur/gtps7/s7cont.html

DNSSEC

Another hierarchical PKI is the DNS Security Extensions (RFC 4033).

Ideally, keys for the DNS roots are preloaded into user systems.

Then the root keys certify the TLD keys, who certify domains under them, and so on.

DNSSEC is not 100% deployed yet Islands of Security exist though.

Example DNSSEC Query

yellowstone> dig com rrsig

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> com rrsig;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52737;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1

;; QUESTION SECTION:;com. IN RRSIG

;; ANSWER SECTION:com. 86348 IN RRSIG DS 8 1 86400 20110502000000 20110424230000 34525 .

HF+sUcMQMV5fOPCHLbtN9GpLKCZg/xKRQn8FNSXSoMOaznQAdSGu+wL4 L2rbxG6lxP91bwA3/+TMazCbAGDCaWanIAM+XLcrXxPK7fwfoYy6TQM9 ImqBw1FhEli043vYpo7CGq6Gwr5rmbIynNTOvrEWNBtQN+jwfDmA08rM vOI=

Hierarchical PKI

Key Availability? Of course, you know whose key you need.

Key Validity? Every key can be traced back through the

hierarchy until a trusted CA is found.

Key Provenance? Yeah, about that...

Key Provenance in Hierarchical PKI

Consider the scale of an Internet-wide PKI.

It is possible to obtain a valid key, but have no idea if the name attached to it is the person you really want to be certifying your data.

How many John Robinsons does VeriSign know?

This is called the “Walton’s Mountain Assumption”

Additional Risks

Any hierarchical PKI is vulnerable because of it relies on an implicitly-trusted hierarchy.

For example, if your system is left unsecured when you go to lunch and a disgruntled custodian adds an attacker’s key to your browser’s root list...

And what if you’re the head of the department?

Outline

Self-certifying names Hierarchical PKI

X.509 DNSSEC

Distributed PKI SDSI PGP

Reputation Systems

Distributed PKI

Instead of a hierarchy, why not base all authentication decisions on local trust?

Everybody’s signature is equally valid i.e. Everybody can act as a CA.

You probably either know the people you need a key from, or you know someone you can ask.

SDSI

In SDSI (Simple Distributed Security Infrastructure), each user creates a “little black book” of names and keys.

Users can then ask for and receive copies of these keys.

This creates chains of trust (think Six Degrees of Kevin Bacon).

SDSI Certificates

Example Identity Certificate:(cert (issuer (name (hash md5 |PWKULKycrQ/Pxu9qWBSY2Q==|) "Sam Washington")) (subject (hash md5 |Z4a6hysK/0qN0L5SFkcJFQ==|)))

Example Group Certificates:(cert (issuer (name (hash md5 |PWKULKycrQ/Pxu9qWBSY2Q==|) "poker buddies")) (subject (name "Sam Washington")))(cert (issuer (name (hash md5 |PWKULKycrQ/Pxu9qWBSY2Q==|) "poker buddies")) (subject (name "Frank Adams")))

Example Delegation Certificate:(cert (issuer (hash md5 |PWKULKycrQ/Pxu9qWBSY2Q==|)) (subject (name "poker buddies")) (tag (play super-poker at http://best-casino.com)))

Web Of Trust

Because each user acts as a CA, trust relationships become decentralized.

This can be expanded PGP allows for

explicit trust.

PGP

PGP is the current de-facto standard for e-mail encryption.

http://www.pgpi.org/doc/pgpintro/

Distributed PKI

Distributed PKI’s attempt to fix the provenance issue seen in hierarchical PKI’s

The scale of the system is smaller. A user usually won’t have to go far to find a key.

Availability is impacted. Some keys can still be preloaded, but a user that

deletes their root list can still go find them.

Outline

Self-certifying names Hierarchical PKI

X.509 DNSSEC

Distributed PKI SDSI PGP

Reputation Systems

Reputation Systems

Most security infrastructures attempt to model some sort of trust relationship

Company-department-employee Friends in a bowling league

These real-world relationships are grown through shared experiences.

Once enough people interact with the same person, the person gains a reputation.

Reputation Systems, con’t

With the proliferation of e-commerce, complete strangers are increasingly likely to do business.

How do we model trust here?

Any such system must have three criteria: Longevity Feedback must be collected Feedback determines interaction

Centralized Reputation Systems

One approach is to have some sort of centralized metric that measures trust.

Credit Score eBay

Future customers can see how trustworthy a particular seller is

And sellers can see if the customer is a jerk.

Issues With Feedback

Eliciting Feedback Sometimes users don’t want to be bothered Users could blackmail sellers with negative

feedback.

The Sybil Attack Where a small number of users create many

identities Still an active research area

More Feedback Issues

Distributing Feedback Feedback in one system is generally not valid in

another system. Amazon used to import eBay ratings

Users aren’t bound to a single online alias “Moving to a new town to escape justice”

Aggregating Feedback eBay ratings don’t capture aspects of transactions

that might be useful.

Distributed Reputation Systems

Instead of a centralized metric, allow users to attach trust values to other users directly.

PGP is the classic example A user can check the trust values on a key as well

as how much the user trusts the people that assigned the other trust values.

Don’t need to aggregate or distribute feedback.

• However, obtaining feedback is still tricky

• Sybil Attacks are even more of a problem

Reputation Systems

Reputation Systems provide a mechanism for strengthening trust in keys, i.e. increasing their provenance.

‒ As a result, reputation systems are better suited as an augmentation to existing models than as a standalone system.