1b.
Trust Models
� Overview
• Trust models
– PGP Web of Trust
– Kerberos
– Public Key Certificates and Certificate Authorities
� Trust Models
• Secure use of cryptography requires trust.
• While secret key cryptography can ensure message
confidentiality and hash codes can ensure integrity,
none of this works without trust.
• In SKC, Alice and Bob had to share a secret key.
• PKC solved the secret distribution problem, but how
does Alice really know that Bob is who he says he is?
Just because Bob has a public and private key, and
purports to be "Bob," how does Alice know that a
malicious person (Mallory) is not pretending to be Bob?
� Trust Models
• There are a number of trust models employed by various
cryptographic schemes. This section will explore three of
them:
1. The web of trust employed by Pretty Good Privacy (PGP)
users, who hold their own set of trusted public keys.
2. Kerberos, a secret key distribution scheme using a trusted
third party.
3. Certificates, which allow a set of trusted third parties to
authenticate each other and, by implication, each other's
users.
• Each of these trust models differs in complexity, general
applicability, scope, and scalability.
� PGP Web of Trust
• Pretty Good Privacy is a widely used private e-mail scheme based on
public key methods.
• A PGP user maintains a local keyring of all their known and trusted
public keys.
• The user makes their own determination about the trustworthiness of a
key using what is called a "web of trust."
• If Alice needs Bob's public key, Alice can ask Bob for it in another e-mail
or, in many cases, download the public key from an advertised server.
– This server might a well-known PGP key repository or a site that Bob
maintains himself.
– Bob's public key might be stored or listed in many places.
• Alice is prepared to believe that Bob's public key, as stored at these
locations, is valid.
� PGP Web of Trust
• Suppose Carol claims to hold Bob's public key and offers to
give the key to Alice.
– How does Alice know that Carol's version of Bob's key is valid or if
Carol is actually giving Alice a key that will allow Mallory access to
messages?
• The answer is, "It depends."
– If Alice trusts Carol and Carol says that she thinks that her version of
Bob's key is valid, then Alice may — at her option — trust that key.
• Trust is not necessarily transitive
– If Dave has a copy of Bob's key and Carol trusts Dave, it does not
necessarily follow that Alice trusts Dave even if she does trust Carol.
� PGP Web of Trust
• The point here is that who Alice trusts and
how she makes that determination is strictly
up to Alice.
• PGP makes no statement and has no protocol
about how one user determines whether they
trust another user or not.
– In any case, encryption and signatures based on
public keys can only be used when the
appropriate public key is on the user's keyring.
� Kerberos
• Kerberos is a commonly used authentication scheme on
the Internet.
• Developed by MIT's Project Athena
– Kerberos is named for the three-headed dog who, according
to Greek mythology, guards the entrance of Hades.
• It employs a client/server architecture.
– Provides user-to-server authentication rather than host-to-host
authentication.
• Security and authentication will be based on secret key
technology.
– Every host on the network has its own secret key.
� Kerberos
• It would be unmanageable if every host had to know
the keys of all other hosts.
• A secure, trusted host somewhere on the network,
known as a Key Distribution Center (KDC), knows the
keys for all of the hosts
– (or at least some of the hosts within a portion of the
network, called a realm).
– When a new node is brought online, only the KDC and the
new node need to be configured with the node's key.
• Keys can be distributed physically or by some other
secure means.
�Kerberos architecture.
� Kerberos
• The Kerberos Server/KDC has two main functions:
Authentication Server (AS) and Ticket-Granting Server (TGS).
• The steps in establishing an authenticated session between
an application client and the application server are:
1. The Kerberos client software establishes a connection with
the Kerberos server's AS function.
– The AS first authenticates that the client is who it purports to be.
– The AS then provides the client with a secret key for this login
session (the TGS session key) and a ticket-granting ticket (TGT),
which gives the client permission to talk to the TGS.
– The ticket has a finite lifetime so that the authentication process
is repeated periodically.
� Kerberos
2. The client now communicates with the TGS to
obtain the Application Server's key so that it (the
client) can establish a connection to the service it
wants.
– The client supplies the TGS with the TGS session key
and TGT.
– The TGS responds with an application session key
(ASK) and an encrypted form of the Application
Server's secret key.
• This secret key is never sent on the network in any other
form.
� Kerberos
3. The client has now authenticated itself and can
prove its identity to the Application Server by
supplying the Kerberos ticket, application session
key, and encrypted Application Server secret key.
– The Application Server responds with similarly
encrypted information to authenticate itself to the
client.
– At this point, the client can initiate the intended
service requests (e.g., Telnet, FTP, HTTP, or e-
commerce transaction session establishment).
� Kerberos
• The current shipping version of this protocol is
Kerberos V5 (described in RFC 1510), although
Kerberos V4 still exists and is seeing some use.
– While the details of their operation, functional
capabilities, and message formats are different, the
conceptual overview above pretty much holds for
both.
– One primary difference is that Kerberos V4 uses only
DES to generate keys and encrypt messages, while V5
allows other schemes to be employed (although DES
is still the most widely algorithm used).
� Public Key Certificates and Certificate
Authorities
• Certificates and Certificate Authorities (CA) are necessary
for widespread use of cryptography for e-commerce
applications.
• While a combination of secret and public key cryptography
can solve the business issues discussed above, crypto cannot
alone address the trust issues that must exist between a
customer and vendor
– How does one site obtain another party's public key? How does a
recipient determine if a public key really belongs to the sender?
– How does the recipient know that the sender is using their public
key for a legitimate purpose for which they are authorized?
– When does a public key expire? How can a key be revoked in case
of compromise or loss?
� Public Key Certificates and Certificate
Authorities
• The concept of a certificate is one that is familiar to all of
us.
– A driver's license identify us to others, indicate something that
we are authorized to do, has an expiration date, and identify the
authority that granted the certificate.
• Certificates allow key exchange without real-time access to
public-key authority.
– A certificate binds identity to public key, and other info such as
period of validity, rights of use, etc.
• All contents are signed by a trusted Public-Key or
Certificate Authority (CA).
– It be verified by anyone who knows the CA’s public key.
� Public Key Certificates and Certificate
Authorities
• For purposes of electronic transactions,
certificates are digital documents.
• The specific functions of the certificate include:
– Establish identity: Associate, or bind, a public key to
an individual, organization, corporate position, or
other entity.
– Assign authority: Establish what actions the holder
may or may not take based upon this certificate.
– Secure confidential information (e.g., encrypting the
session's symmetric key for data confidentiality).
� Public Key Certificates and Certificate
Authorities
• Typically, a certificate contains:
– a public key
– a name
– an expiration date
– the name of the authority that issued the certificate (and,
therefore, is vouching for the identity of the user)
– a serial number
– any pertinent policies describing how the certificate was
issued and/or how the certificate may be used
– the digital signature of the certificate issuer
– and perhaps other information.
� Public Key Certificates and Certificate
Authorities
• When the browser makes a connection to a
secure Web site, the Web server sends its
public key certificate to the browser.
• The browser then checks the certificate's
signature against the public key that it has
stored; if there is a match, the certificate is
taken as valid and the Web site verified by this
certificate is considered to be "trusted."
�GTE Cybertrust Global Root-issued certificate as viewed
by Netscape Navigator V4.
� Public Key Certificates and
Certificate Authorities
• The most widely accepted
certificate format is the one
defined in International
Telecommunication Union
Telecommunication
Standardization Sector (ITU-
T) Recommendation X.509.
• Rec. X.509 is a specification
used around the world and
any applications complying
with X.509 can share
certificates
� Summary
• PGP's web of trust is easy to maintain and very much based on the
reality of users as people.
– The model, however, is limited; just how many public keys can a single user
reliably store and maintain?
• Kerberos overcomes many of the problems of PGP's web of trust, in
that it is scalable and its scope can be very large.
– However, it also requires that the Kerberos server have a priori knowledge of
all client systems prior to any transactions, which makes it unfeasible for "hit-
and-run" client/server relationships as seen in e-commerce.
• While certificates and the benefits of a PKI are most often associated
with electronic commerce, the applications for PKI are much broader
and include secure electronic mail, payments and electronic checks,
Electronic Data Interchange (EDI), secure transfer of Domain Name
System (DNS) and routing information, electronic forms, and digitally
signed documents.
– A single "global PKI" is still many years away.
