Certificates, Certification Authorities and Public-Key Infrastructures
Ozalp Babaoglu

ALMA MATER STUDIORUM UNIVERSITÀ DI BOLOGNA

Digital certificates

The public key with which we are encrypting must really belong to the recipient of the message
This raises the problem of key exchange (man-in-the-middle attack)
Digital certificates are used to prevent someone from passing themselves off as another person by substituting that person's public key

Babaoglu 2001-2014

Sicurezza

Physical Certificates
Photograph + Personal data
Seals = "I certify that the photo corresponds to the personal data"


PKI Certificates

A certificate is the form in which a PKI communicates public key information
It is a binding between a public key and identity
information about a subject
Signed by a certificate issuer
Functions much like a physical certificate
Avoids man-in-the-middle attacks


PKI X.509 Certificates

X.509 Certificate Information


Subject: Distinguished Name, Public Key
Issuer: Distinguished Name, Signature
Validity: Not Before Date, Not After Date
Administrative Info: Version, Serial Number
Extended Info:


Distinguished Name Information

Defined by X.509 Standard

Common Name              CN=Calisto Tanzi
Organization or Company  O=Parmalat
Organizational Unit      OU=Management
City/Locality            L=Parma
State/Province           ST=Emilia Romagna
Country (ISO Code)       C=IT


Certificate distribution

Manual or in-person distribution: passport, identity card
Certificates generated, stored and distributed by trusted entities
  Certificate servers
  Public Key Infrastructures (PKI)


Certificate servers

Databases available over the network
They allow users to
  request that their own certificate be added to the database
  request someone else's certificate


Public Key Infrastructure

PKI is a collection of services and protocols for

Registering
Certifying (issuing)
Validating
Revoking certificates

Public-key infrastructure (PKI)


Registration Authority (RA): usually a physical person
Certification Authority (CA): usually software


PKI Registration Authority


Invoked when a subject requests a certificate for the first time
Subject requesting the certificate must be authenticated
In-band authentication:
  performed using the PKI itself
  possible only for certain types of identity information (e.g. email address)
Out-of-band authentication:
  performed using more traditional methods, such as mail, fax, over the telephone or physically meeting someone


PKI Certification Authority

Certification Authorities (CAs) are responsible for issuing, validating and revoking certificates
Many different types of CAs exist: commercial, government, free, etc.
Examples of CAs: VeriSign, Symantec, Thawte, Geotrust, Comodo, Visa


Public Key Infrastructure

Is there an Internet PKI?
  Several proposals for an Internet PKI exist: PGP, PEM, PKIX, Secure DNS, SPKI and SDSI
  No single one has gained widespread use

In the future:
  Several PKIs operating and inter-operating in the Internet


Public Key Infrastructure

There are two basic operations common to all PKIs:
  Certification: process of binding a public-key value to a subject: an individual, organization or other entity
  Validation: process of verifying that a certification is still valid


PKI Certification Authorities

The certification process is based on trust
  users trust the issuing authority to issue only certificates that correctly associate subjects to their public keys

Only one CA for the entire world?
  Impractical

Instead:
  most PKIs enable one CA to certify other CAs
  one CA is telling its users that they can trust what a second CA says in its certificates


PKI Certificate Chains


DN CA X     DN CA Y     DN CA Z     DN Bob
PK CA X     PK CA Y     PK CA Z     PK Bob
Sig CA X    Sig CA X    Sig CA Y    Sig CA Z

PKI Certificate Chains

Certificate chains can be of arbitrary length
Each certificate in the chain validated by the one preceding it
Different certificates:
  Leaf certificates (end-user)
  Intermediate certificates
  Root certificates


PKI CA Hierarchies
CAs can be organized
as a rooted tree (X.509)
as a general graph (PGP)
[Figure: diagram of CA nodes]

Hierarchical Trust (X.509)

Based on chains of trust forming a rooted tree among entities that are reputed to be CAs
The (blind) trust we place on root-level CAs must be acquired through reputation, experience, operational competence and other non-technical aspects
Anyone claiming to be a CA must be a trusted entity and we must believe that it is secure and correct


Web of Trust (PGP)

In PGP, any user can act as a CA and sign the public key of another user
A public key is considered valid only if a sufficient number of trusted users have signed it
As the system evolves, complex trust relations emerge as a dynamic web
Trust need not be symmetric or transitive
(more on PGP later)


PKI Validation
Validation
  The information in a certificate can change over time
  Need to be sure that the information in the certificate is current and that the certificate is authentic

Two basic methods of certificate validation:
  Off-line validation
    The CA can include a validity period in the certificate: a range during which the information in the certificate can be considered valid
  On-line validation
    The user can ask the CA directly about a certificate's validity every time it is used

PKI Revocation
Revocation
  the process of informing users when the information in a certificate becomes unexpectedly invalid
    subject's private key becomes compromised
    user information changes (e.g., email address, domain name of a server)

On-line
  revocation problem becomes trivial
  Online Certificate Status Protocol (OCSP) of X.509 describes how to check validity and revoke certificates

Off-line
  Within the validity period, the certificate revocation method is critical
  Clients check locally if a certificate has been revoked

PKI Revocation
Certificate Revocation List (CRL)
  a list of revoked certificates that is signed and periodically issued by a CA
  user must check the latest CRL during validation to make sure that a certificate has not been revoked
  X.509 includes a CRL profile, describing the format of CRLs

CRL Problems
  CRL time-granularity problem
    how often must CRLs be issued?
  CRL size
    incremental CRL
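
Added example (not part of the original slides): off-line validation of the chain CA X -> CA Y -> CA Z -> Bob, combining the signature check along the chain, the validity period and a CRL lookup. Signatures use toy textbook RSA built from the standard library purely for illustration; the Cert fields, function names, keys, dates and serial numbers are all constructed assumptions.

```python
import hashlib
from dataclasses import astuple, dataclass
from datetime import date

def make_key(p, q, e=65537):   # toy textbook RSA (teaching only): (public, private)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

@dataclass
class Cert:
    subject: str               # DN of the key holder
    issuer: str                # DN of the signing CA
    pubkey: tuple              # (n, e)
    serial: int
    validity: tuple            # (not before, not after)
    sig: int = 0

    def digest(self, n):       # hash of every field except sig, reduced mod signer's n
        tbs = repr(astuple(self)[:5]).encode()
        return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

    def signed_by(self, pub):
        return pow(self.sig, pub[1], pub[0]) == self.digest(pub[0])

def issue(issuer, priv, subject, pubkey, serial):
    cert = Cert(subject, issuer, pubkey, serial, (date(2014, 1, 1), date(2014, 12, 31)))
    cert.sig = pow(cert.digest(priv[0]), priv[1], priv[0])
    return cert

def validate_chain(chain, trusted_roots, today, crls):
    """chain runs root -> leaf; crls maps an issuer DN to its revoked serials."""
    if trusted_roots.get(chain[0].subject) != chain[0].pubkey:
        return "untrusted root"
    signer = chain[0]          # the root certificate is self-signed
    for cert in chain:
        if cert.issuer != signer.subject or not cert.signed_by(signer.pubkey):
            return f"{cert.subject}: not signed by {signer.subject}"
        if not cert.validity[0] <= today <= cert.validity[1]:
            return f"{cert.subject}: outside validity period"
        if cert.serial in crls.get(cert.issuer, set()):
            return f"{cert.subject}: revoked"
        signer = cert
    return "valid"

# Constructed sample data: toy keys from Mersenne primes, serials 1..4
KEYS = {dn: make_key(2**a - 1, 2**b - 1) for dn, a, b in
        [("CA X", 107, 127), ("CA Y", 61, 89), ("CA Z", 19, 31), ("Bob", 13, 17)]}
LINKS = [("CA X", "CA X"), ("CA X", "CA Y"), ("CA Y", "CA Z"), ("CA Z", "Bob")]
CHAIN = [issue(i, KEYS[i][1], s, KEYS[s][0], n) for n, (i, s) in enumerate(LINKS, 1)]
ROOTS = {"CA X": KEYS["CA X"][0]}
```

Calling validate_chain(CHAIN, ROOTS, date(2014, 6, 1), {"CA Z": {4}}) reports Bob's certificate as revoked even though its signature and validity period are fine, which is why the latest CRL has to be consulted within the validity period.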


Certificates in Practice: Firefox
