PKI: State of the Art

1
PKI: State of the Art & Future Trends
  • Dr. Stephen Kent
  • Co-chair PKIX WG - IETF
  • Chief Scientist - Information Security

2
PKI: A Brief History
  • Public key crypto invented in 1976
  • First mention of a public key certificate in 1978
  • First certificate standards (X.509) issued in
    1988
  • First IETF certificate standard issued in 1993
  • Latter half of the 1990s was full of hope, and hype
    • emergence of the World Wide Web
    • .com boom
    • VeriSign founded (1995)
    • SSL invented & deployed in browsers
    • Expiration of Diffie-Hellman & RSA patents

3
PKI: Bad News, Good News
  • Bad news
    • No global PKI à la X.509 & X.500 model
    • Little use of S/MIME for e-mail security
    • PKI complexity cited as impediment to IPsec
    • Some very large PKIs have not been successful
    • Some ask: is biometrics the next wave, the
      successor to PKI?
  • Good news
    • VeriSign very successful as dominant TTP CA
    • Very widespread use of SSL server certificates
    • PKI often used with IPsec in enterprise
      environments
    • Asia progressing with several national PKI plans
    • No, but a hash of some types of biometric data in
      a certificate is OK

4
Measures of PKI Progress
  • Number of PKI-enabled applications available?
  • Number of certificates issued?
  • Number of individuals who make regular use of
    certificates?
  • Number of commercial, government, or private
    (closed system) CAs?
  • Value of transactions protected by PKI-enabled
    applications?
  • Number of countries where digital signatures are
    approved for legally binding transactions?

5
PKI Status: Mixed Results
  • The number of certificates issued is small, on a
    worldwide basis, compared to populations
  • Many standard applications are PKI-enabled, but
    few are employed, other than SSL
  • Few users regularly employ personal certificates
  • There are some closed system PKIs, but not a lot
  • SSL is used to protect hundreds of millions of
    credit card transactions, over the web
  • Many countries now recognize digitally signed
    transactions as legally binding

6
Impediments to PKI Proliferation?
  • Do we need more or just better
    • PKI standards?
    • Crypto hardware or software?
    • PKI utility software?
    • PKI-enabled applications?
  • Operational costs are a concern
  • Privacy is a concern for enterprise PKIs: the
    directory problem!
  • Is the problem our expectations of what problems
    are best addressed via use of a PKI?

7
State of the Art: PKI Standards
  • Critical base standards: X.509, PKIX, ETSI, etc.
  • PKIX created standards for
    • Certificate and CRL syntax and processing
    • Certificate management protocols
    • OCSP
    • Time stamping
    • CA policies & procedures
    • Qualified certificates
    • Delegated path/certificate validation (in
      progress)
  • See also the ETSI work in some of these areas and
    in additional areas

8
IETF PKI Users: Security Protocols
  • IP layer VPNs (IPsec)
  • Secure web access (TLS)
  • Secure E-mail (S/MIME)
  • IPv6 Mobility
  • IPv6 Secure Neighbor Discovery (SEND WG)
  • BGP security (RPSEC WG and a new WG to be formed)
  • VoIP security (SIP, MSEC, other WGs)
  • Note that none of these protocols makes use of
    PKI for legally binding digital signatures!

9
State of the Art: PKI Software
  • Infrastructure software
    • Certification authority systems
    • Time stamping servers
    • OCSP servers
    • SCVP servers (coming soon)
    • Trusted archives for signed documents
  • Client software
    • PKI toolkits
    • PKI-enabled applications
      • S/MIME, IPsec, SSL/TLS, VoIP (SIP), …

10
We Could Use Better Software!
  • Many CAs issue certificates that syntactically
    violate X.509 and/or RFC 3280
  • Many toolkits have poor path building
    algorithms, and some products don't precisely
    follow path validation standards (e.g.,
    Microsoft)
  • Some applications, even if they use certificates,
    don't do the right thing
    • MS Outlook indicates that the signature on a
      received message is valid, but does not indicate
      that the certificate contains NO name that
      matches the FROM field in the e-mail!
  • IPsec product use of certificates has been
    haphazard
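
The check the Outlook bullet says is missing, as an added example (not from the original slides): a valid signature is reported separately from whether the From address matches an e-mail name in the signer's certificate. The function name, status strings and addresses are hypothetical, and the certificate's e-mail names are assumed to have been extracted already.

```python
from email.utils import parseaddr

def _normalize(addr):
    """Return local@domain with the domain lower-cased, or None if malformed.
    The local part is compared exactly; only the domain is case-insensitive."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return f"{local}@{domain.lower()}"

def signer_status(signature_valid, from_header, cert_email_names):
    """Status a mail client should display for a signed message.

    cert_email_names: rfc822Name / emailAddress values taken from the
    signer's certificate (assumed to be extracted by the caller).
    """
    if not signature_valid:
        return "INVALID_SIGNATURE"
    # Only the addr-spec of the From header is compared; the display
    # name is ignored even if it looks like an address.
    sender = _normalize(parseaddr(from_header)[1])
    names = {n for n in map(_normalize, cert_email_names) if n}
    if sender is None:
        return "VALID_SIGNATURE_UNPARSEABLE_FROM"
    if not names:
        return "VALID_SIGNATURE_NO_EMAIL_IN_CERT"
    if sender in names:
        return "VALID_SIGNATURE_SENDER_MATCH"
    return "VALID_SIGNATURE_SENDER_MISMATCH"

if __name__ == "__main__":
    # Constructed sample inputs.
    print(signer_status(True, "Alice <alice@example.com>", ["alice@example.com"]))
    print(signer_status(True, "Alice <alice@example.com>", ["bob@example.net"]))
```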

11
State of the Art: Crypto Hardware
  • CA crypto modules
    • Very few have been designed to support CAs
    • Some offer high assurance (FIPS 140 level 3/4)
    • Some offer high performance
    • But only one processed certificates and CRLs (vs.
      hashes)
    • CA systems are very vulnerable to a wide range of
      attacks
  • User crypto modules
    • Smart cards are getting more powerful, more
      secure
    • Other formats possible too (e.g., USB tokens)
    • Signature generation devices face the "what did I
      just sign?" problem, a serious problem for
      applications supporting legally binding digital
      signatures

12
State of the Art: CAs
  • We have a number of large scale CAs
  • VeriSign has a commanding position in the web
    server certificate space, and significantly
    influences public notions of PKI
  • The EU promotes laissez-faire private sector CAs,
    hoping to spur competition, and has created a
    level playing field for them
  • In Asia, we see more of a government-influenced,
    national-level PKI orientation, for citizens and
    organizations
  • The first two of these models emphasize trust
    over authority
  • We are missing a very obvious, big CA system
    opportunity: the Internet Domain Name System
    (DNS)
  • We can make use of closed CAs for most
    applications, and organizations are doing this
    today

13
PKI Cost & Privacy Issues
  • Costs
    • CA technology can be expensive, or free
      (commercial products vs. open source)
    • Recurring costs for certificates are an issue
    • Credential issuance is fundamentally expensive,
      hardware tokens can make it even more expensive
  • Privacy
    • Names in certificates may be sensitive, e.g., if
      they include organization chart data
    • Companies are reluctant to put certificates in
      directories, due to concerns over spam and
      employee poaching

14
Future Trends in PKI?
  • More government-issued certificates
  • More focus on authorization vs. authentication
  • Many certificates vs. one certificate per user:
    the naming problem
  • Better understanding of the role of trust in PKI
  • One proposed PKI illustrates several of these
    trends
    • An IP address space allocation PKI

15
Passports & Visas
  • New standards for passports agreed to by
    international community
  • Will be phased in over several years, as existing
    passports need to be renewed
  • Passports will contain a chip, RF readable
  • Chip stores electronic format of passport text
    and biometric data, e.g., photo, fingerprint, …
  • Data is digitally signed by issuing country,
    verifiable by others using the issuer's public key
  • Privacy concerns forcing additional safeguards
    against covert reading of passport chips

16
Identification vs. Authorization
  • Most PKIs focus on identifying entities (users,
    devices, etc.) as a basis for machine-enforced
    authorization or for human value judgments (do I
    trust e-mail from him?)
  • Thus CAs emphasize the procedures they use to
    verify the identity of certificate subjects
  • For many big CAs, there is an assumption that a
    single certificate is all a user should need
  • This assumes that one identity is sufficient for
    all applications, which contradicts experience
  • For personal privacy, multiple, independent
    certificates for each user are preferable

17
The One Certificate Fallacy
  • Individuals have multiple identities, each
    appropriate and meaningful in a different, often
    limited context
  • Unless these identities are embedded in
    certificates, it will be necessary to map from a
    certificate subject name to the locally
    meaningful ID for authorization
  • This mapping requires another registration
    activity, which is what a CA/RA does
  • The mapping database also represents an
    opportunity to introduce additional errors into
    the authorization process
  • So, if each relying party has to execute this
    activity for each user, what is the point of a
    user having a single identity certificate?

18
Names in a PKI
  • Names in a PKI must be unique relative to a
    well-defined context, but may not be globally
    unique
  • A CA issuing a certificate must ensure uniqueness
    among subject names in the certificates it issues
  • It's easy to make a name globally unique: just
    add a qualifier (a number)
  • However, most names that are globally unique are
    not globally meaningful!
  • Relying parties need meaningful names for
    authorization decisions or value judgments, and
    thus users need different certificates to
    interact with different relying parties, in
    context

19
Names for Me
  • Frequent traveler names
  • Postal name
  • E-mail names
  • Government system (e.g., tax) names
  • Public utility (e.g., electricity) names
  • Credit card names
  • Professional society names
  • Merchant-issued names (video rental store, LL
    Bean, Lands' End, MacMall, …)

20
What's Trust got to do with PKI?
  • The term "trust" is almost always used when
    discussing PKIs, yet explicit trust is separable
  • Trust is not transitive, yet certificate paths
    are graphs representing transitive relationships!
  • Trust is not quantitative, yet certificate path
    validation usually yields a yes/no answer
    (relative to an application context)
  • PKIs can be created that do not require explicit
    trust, by moving extant user credentials from the
    physical world to cyberspace
  • This too argues for multiple certificates per
    user and against most TTP CA systems

21
A PKI for Internet Addresses
  • Today, it is not easy to demonstrate to an ISP
    that an organization holds a block of IP
    addresses (a prefix)
  • Internet routing security requires an ability to
    verify that a given ISP is authorized to
    advertise a route for a prefix
  • A security infrastructure for routing could be
    built using a PKI for address holders, plus route
    origination authorizations
  • A PKI of this sort illustrates some of the trends
    I noted
    • The PKI is about authorization vs. authentication
    • The CAs are authorized vs. trusted
    • Subject names in certificates are largely
      irrelevant
  • RFC 3779 defines an X.509 extension for address
    blocks
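
How an address-holder PKI turns into an authorization check, as an added example (not from the original slides): each certificate's address blocks must lie inside its issuer's blocks, and a route is accepted only if the holder at the end of a valid chain authorized that origin AS. The data model, function names and sample data are assumptions; real certificates carry the blocks in the RFC 3779 extension and signatures are not modelled here.

```python
from ipaddress import ip_network

def covered(prefix, blocks):
    """True if prefix lies inside one of the address blocks (same IP version)."""
    p = ip_network(prefix)
    return any(p.version == b.version and p.subnet_of(b)
               for b in map(ip_network, blocks))

def validate_chain(chain):
    """chain: [(subject, [prefixes]), ...] from the root CA down to the holder.
    Each certificate's blocks must be encompassed by its issuer's blocks."""
    for (issuer, parent), (subject, child) in zip(chain, chain[1:]):
        for prefix in child:
            if not covered(prefix, parent):
                return False, f"{subject}: {prefix} not held by {issuer}"
    return True, "ok"

def route_authorized(route, origin_as, chain, authorizations):
    """authorizations: [(prefix, asn), ...] issued by the last subject in chain.
    Simplification: the route must equal an authorized prefix exactly."""
    ok, why = validate_chain(chain)
    if not ok:
        return False, why
    holder_blocks = chain[-1][1]
    for prefix, asn in authorizations:
        if (asn == origin_as and covered(prefix, holder_blocks)
                and ip_network(route) == ip_network(prefix)):
            return True, "ok"
    return False, "no matching authorization"

# Constructed sample data (documentation prefixes and AS numbers).
# Subject names are labels only; the decision depends on the blocks.
CHAIN = [
    ("IANA", ["0.0.0.0/0", "::/0"]),
    ("RIR", ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]),
    ("ISPX", ["192.0.2.0/24"]),
    ("SUBK", ["192.0.2.128/25"]),
]
AUTHORIZATIONS = [("192.0.2.128/25", 64500)]

if __name__ == "__main__":
    print(route_authorized("192.0.2.128/25", 64500, CHAIN, AUTHORIZATIONS))
    print(route_authorized("192.0.2.128/25", 64501, CHAIN, AUTHORIZATIONS))
```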

22
IP Address Space PKI
[Diagram: IANA (CA); APNIC, RIPE NCC, LACNIC, ARIN, AFRINIC; APNIC Repository; ISPX, ISPY, ISPZ; SUBK, SUBL]

23
Conclusions
  • PKI has made important progress in the last
    decade, but is not so successful as some hoped
  • We have enough basic standards, crypto
    technology, PKI-enabled applications, although
    each could be better!
  • Impediments to more widespread use are varied:
    unrealistic expectations, privacy issues, poor
    user interfaces, operational costs, …
  • Future PKI trends may include
    • More authoritative vs. trusted CAs, e.g.,
      Governments
    • More emphasis on authorization vs. authentication
    • Use of certificates in a wider range of contexts

24
Thank You