Public Key Management Brent Waters

Last Time
• Saw multiple one-way function candidates for sigs.
  • OWP (AES)
  • Discrete Log
  • Trapdoor Permutation (RSA)
• Went over RSA-based signatures in detail

DSA (Digital Signature Algorithm)
• Discrete log based signature scheme
• Similar to El Gamal Signatures
• 1991 NIST proposed
• Became first govt. adopted signature scheme
• Short signatures
  • 2 160-bit components
• Slow signing and verification
  • Exponentiation
• Awkward description
• Security reduces to funny assumption

Why DSA standard?
• RSA
  • Patent (until 2000)
  • Longer sigs ~200 bytes
  • Encryption (Export Controls)
• DSA
  • Patent Free
  • Short Signatures ~40 bytes
  • No encryption

Public Key Management
• How does Alice obtain Bob’s public key?
• Answer: Certificate Authority signs other keys
[Diagram labels: "I am bob@stanford.edu", Public Key, Certificate, CA master-key, Encrypted Message]

Certificates
• X.509 Standard
• cert = name, org, address | public key | expiration | ... + signature of certificate by C.A.
• Extensions (Version 3)
  • Sign certs only...
• Bob obtains certificate offline

How do we validate Certificate Auth?
• Alice must have public key of certificate authority
• Publish in N.Y. Times
  • Everyone sees it, adversary cannot forge all
  • Make sure Jayson Blair not on staff
  • Not realistic
• Ships with Browser or Operating System
  • Done in practice

Trust in CA
• C.A. is trusted
• If compromised can forge a cert for Bob
• Attack might be detected
• CA key should be strongly guarded
  • BBN SafeKeeper: tempest attacks

Public Key Generation Algorithm
• 1) Alice generates pub/priv. key pair, sends pub to CA
• 2) CA verifies Alice knows private key
  • Challenge/response
  • Self-signed certificate
• 3) CA generates cert and sends to Alice
• CA doesn’t know Alice’s key

Trust models (Symmetric vs Public)
[Diagram labels: Symmetric: A1, A2, A3, A4, KDC; Public Key: A1, A2, CA, Pub/cert]

Trust models (Symmetric vs Public)
• Symmetric
  • Online KDC
  • Knows my key
  • If compromised past+future gone (forward security helps—guesses?)
• Public
  • Offline
  • Knows only public key
  • Harder to do attack
  • Only future messages exposed

Cross Domain Certification
• Many domains, can’t load them all
• How does Bob verify if he doesn’t even have the CA key?
[Diagram labels: A, A, CA1, CA2]

Hierarchical solution
• Cert chain: Check cert all the way to root
• Hierarchies are pretty flat in practice
[Diagram labels: root, Stanford, Amazon, cs]

Web of Trust
• No authority: I trust A who trusts B....
• Which model do you like better?
[Diagram labels: A, B, C]

Certificate Revocation
• Revoke Bob’s certificate
  • Private key is stolen
  • Leaves company, doesn’t own ID
• Expiration Date in Cert (1 year)
• CRL
  • Periodically send lists to everyone
  • Long lists, hard to manage
• OCSP (Online Certificate Status Protocol)
  • Online authority to answer queries
  • Signing key at risk if distribute authorities

Certificate Revocation
• Order revoked certs and build hash tree
• Secure VA signs root
• Either show path of revoked or prove by neighbors
[Diagram labels: A, "Is B revoked", "Proof of Y/N", VA1, VA2, Secure VA]
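
The hash-tree scheme on this slide, as an added example that is not code from the lecture: the secure VA sorts the revoked serials into a hash tree, an untrusted VA answers with one path (revoked) or two adjacent leaves (not revoked), and the client checks the answer against the root. Assumptions: SHA-256, 64-bit serial numbers, the sentinel values LO and HI, a root whose VA signature the client has already verified, and all names, which are hypothetical.

```python
import hashlib
from bisect import bisect_left

LO, HI = 0, 2**64 - 1  # assumed sentinels; real serials lie strictly between
SAMPLE_REVOKED = [1007, 2044, 3120, 5555, 9001]  # constructed serial numbers

def H(tag, data):  # tag 0x00 = leaf, 0x01 = inner node (domain separation)
    return hashlib.sha256(tag + data).digest()

def leaf(serial):
    return H(b"\x00", serial.to_bytes(8, "big"))

class RevocationTree:
    """Built by the secure VA, which signs .root; untrusted VAs hold a copy."""
    def __init__(self, revoked):
        self.serials = [LO] + sorted(set(revoked)) + [HI]
        while len(self.serials) & (len(self.serials) - 1):  # pad to power of two
            self.serials.append(HI)
        self.levels = [[leaf(s) for s in self.serials]]
        while len(self.levels[-1]) > 1:
            cur = self.levels[-1]
            self.levels.append([H(b"\x01", a + b) for a, b in zip(cur[::2], cur[1::2])])
        self.root = self.levels[-1][0]

    def path(self, idx):  # sibling hashes from leaf idx up to the root
        return [lvl[(idx >> d) ^ 1] for d, lvl in enumerate(self.levels[:-1])]

    def prove(self, serial):
        """One leaf if revoked, otherwise its two sorted neighbours."""
        i = bisect_left(self.serials, serial)
        idxs = [i] if self.serials[i] == serial else [i - 1, i]
        return [(j, self.serials[j], self.path(j)) for j in idxs]

def root_from(idx, serial, path):
    h = leaf(serial)
    for sib in path:
        h = H(b"\x01", sib + h) if idx & 1 else H(b"\x01", h + sib)
        idx >>= 1
    return h if idx == 0 else None  # reject indices outside the tree

def check(root, serial, proof):
    """Client: 'revoked' or 'good'; ValueError if the proof does not verify."""
    if any(root_from(j, s, p) != root for j, s, p in proof):
        raise ValueError("path does not hash to the signed root")
    if len(proof) == 1 and proof[0][1] == serial:
        return "revoked"
    if (len(proof) == 2 and proof[1][0] == proof[0][0] + 1
            and proof[0][1] < serial < proof[1][1]):
        return "good"
    raise ValueError("proof does not cover this serial")
```

The adjacency test on the two leaf indices is what stops an untrusted VA from hiding a revoked serial by presenting neighbours that skip over it.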

A bit disappointing ...
• , but now have an on-line party again

Price of Security
• How much for 1 year certificate?
  • $349
    • 40 bit security on some browsers
  • $995 (Pro Version)

How many “root” certs on your browser?
• I Counted 105