Lecture 5 PKI
Lecture 5 PKI
• Certificate Revocation
• Certificate Transparency
0 Admin
Midterm Exam
• Scope:
o Lecture 1 to 5
o Tutorial 1 to 5
o Assignment 1
potentially being
Accept Reject
modified
Alice Verification
• If the user obtains a wrong public key from an attacker, the attacker could trick
the user to accept the wrong file.
Accept!!!
Alice Verification
• Distribution of public key: Need a secure way for user to obtain VLC’s public key.
• Hard coded:
o Some apps/software have the public key hardcoded in the programs. src
o For e.g., a game might have the developer’s public key hardcoded.
o The public key is to be used to verify data sent by the developer.
Public Announcement / Hardcoded: Limitations
• Not standardized
o Use different methods or formats for such announcements
Alice Bob
• Types PKI:
o “Public PKI” refer to the PKI we adopted in Internet for domain name, emails address etc.
o “Private PKI” are systems for other applications, and it has its own set of “CA”.
− For e.g. it is possible for a company to set up a PKI for its own usage only.
2 PKI Components: Certificate and CA
PKI
• A framework that encompasses the software, policies, procedures, and standards
to required for secure key distribution
• Key features
o Key pair generation: public/private key pair
o Digital certificate: bind public key to identity; signed by trusted third party (TTP)
called Certificate Authority (CA)
o Certificate revocation: invalidating a certificate before its expiration
Digital Certificate
• Certificate binds an entity to some public key
• Correctness of this binding is asserted via a signature by a certificate authority
(CA)
• Certificate Verification:
o Alice→ Bob: (KA, certC→A)
o Bob verifies certC→A
o If Bob knows Charlie’s key KCA and trusts Charlie (i.e., his word ‘Alice’s key is KA), then Bob
can believe that KA is indeed Alice’s key
Digital Certificate Issuance
[email protected] asd3123411
2. Verifies depending on the [email protected] 2s3dasdf233
type of certificate request Certificate Authority [email protected] a323fasdfas
(KCA , K-1CA ) ......
[email protected] x1s34adf39
[email protected]
x1s34adf39 3. Issues the certificate signed by the CA,
certCA→A = {[email protected], x1s34adf39, 1 Sep 2025}KCA-1
Alice
• Minimally messages to be signed will
1. Alice request for a certificate from the CA have entity identify, public key, validity
for ([email protected], x1s34adf39 ) • CA can hash the message and then sign
Verification by Client
Mail, certCA→A
Alice Bob
Alice: This is an email from [email protected]
The email is “signed” using my private key.
This is my certificate. KCA
From: [email protected] certCA→A
Subject: Hello Bob name : [email protected]
Meeting 3pm at the “old” place public key: x1s34adf39 No need to contact
today. Valid until: 1 Sep 2025 the CA.
signature: xsdewsdesd signature of the CA
• Bob verifies that the signature in the certificate is indeed signed by the CA.
• No one except the CA can produce the valid signature.
• The authenticity of the certificate is as good as coming directly from the CA.
Why Digital Certificate?
• Consider the situation where Bob wants to obtain Alice’s public key.
• Bob can directly send a query to the CA.
• Certificate is a “smart” work around to get the public key in an offline manner.
How about the CA's public key?
• Advantages
o Easy to build and maintain
o Consistent approach to certificate issuance
o Users trust only a single CA
• Disadvantages
o Single point of failure
o Does not scale particularly well
Different PKI Models: Multiple CAs
• Commonly used in browser
• System has many trusted CAs in the form of a list, certificate issued by any of them is accepted
o E.g., Alice can obtain certCA1→A, certCA2→A, …
• Advantages
o Redundancy
o Geographically distributed
• Disadvantages
o Complexity
CA Chain of Trust
Pre-installed,
Self-signed!
DBS Chain of Trust
The field “Basic Constraint” indicates whether the “name” can take the role of CA
X.509 Format
• How it works:
o Suppose a user wants to include a binding of name & public key of an entity, say D, but D doesn’t
have a certificate signed by CA.
o To handle this, D can “self-sign” a certificate and pass to the user.
o Next, the user manually accepts the certificate.
• By accepting the self-signed certificate, the user instructs the machine to accept the
binding takes the responsibility in ensuring that info in the certificate is correct.
Certificate Issuance: Self-Signed Certificate
• Advantage
o Fast and easy to issue
o Not dependent on others for certificate issuance
• Disadvantage
o Not via trusted CA, if compromised, security risk
o Not recommended for public-facing websites
• Advantages
o Highest level of trust
o Rigours identify verification
• Disadvantages
o Cost ($300-$1700)
o Time-consuming
DV vs EV
4 Security Issues with PKI
Number of Trusted CAs
CA
• As of August 2020 [link]
o 147 root certificates, representing 52 organizations, are trusted in the Firefox web
browser
o 168 root certificates, representing 60 organizations, are trusted by macOS
o 255 root certificates, representing 101 organizations, are trusted by Windows
o Android currently contains over 100 CAs that are updated with each release.
• Issue?
CA Single Point of Failure
Trusted CAs
Equifax Gmail Equifax
BAD CA
…
Alice’s
browser BAD CA
Fake Gmail
Well-Know Incident
src src
Compelled Certificates
Trusted CAs
Verisign Compelled certificate by CA1 Authentic certificate
CA1
…
(1) Hello (2) Hello Equifax
• Advantage
o Risk associated with a compromised certificate is minimized
• Disadvantage
o Too much overhead to CAs and domain owners
3. OCSP Extension
• Online Certificate Status Protocol (OCSP): Client query to get revocation status
1. Client connect to site
2. Server sends certificate to client
Alice’s
browser Gmail Equifax
4. Return good, revoked or
valid
3. Client send OCSP
request to OCSP responder
to check status
CA
Certificate Revocation Server
• Disadvantages
o Traffic overhead to CAs for querying
o Privacy: CA learns user’s activity
• Better method?
3. OCSP Stapling
2. Client connect to site
3. Server sends certificate + OCSP to client
Alice’s OCSP
browser Gmail Equifax response
1. Periodically refreshed
CA
Certificate Revocation
Server
Certificate
Log
How to build a public, verifiable, and append-only
log?
• One obvious approach
o One global log maintained as a lists
o Each client continuously downloads the entire log and verify
• Better approach:
o Merkle Tree
A better Approach: Merkle tree
• Proof of inclusion
o E.g., to verify d3, server shares node hashes of c,i,n with
the client
src
Availability vs. Consistency
• What about latency (e.g., time to register a new certificate and get the proof of
inclusion)?
CT’s Design choice: SCT and MMD
• SCT list can be embedded directly within the X.509 certificate itself as an extension.
A Good Ecosystem
• Any interested parties (e.g., CAs, domain owners, clients) can monitor logs to
ensure:
o CAs do not register improper certificates
o Logs do not misbehave; for example,
− violating append-only property
− presenting different logs to different clients
• PKC requires a “secure broadcast channel” to distribute the public keys: PKI.
• PKI: infrastructure to broadcast the key. Comprise of
o Certificate issued by Certificate Authority (CA)
o CA issues, verifies, and revokes certificates
• CA chain-of-trust
o A root CA can certificate other CA. Root CA’s public keys are pre-installed or “manually”
installed.