Public Key Management

1
Public Key Management

• Brent Waters

2
Last Time

• Saw multiple one-way function candidates for
  sigs.
• OWP (AES)
• Discrete Log
• Trapdoor Permutation (RSA)
• Went over RSA-based signatures in detail

3
DSA (Digital Signature Algorithm)

• Discrete log based signature scheme
• Similar to El Gamal Signatures
• 1991 NIST proposed
• Became first govt. adopted signature scheme
• Short signatures
• 2 160-bit components
• Slow signing and verification
• Exponentiation
• Awkward description
• Security reduces to funny assumption

4
Why DSA standard?

• RSA
• Patent (until 2000)
• Longer sigs 200 bytes
• Encryption (Export Controls)

• DSA
• Patent Free
• Short Signatures 40bytes
• No encryption

5
Public Key Management

• How does Alice obtain Bobs public key
• Answer Certificate Authority signs other keys

6
Certificates

• X.509 Standard

cert name, org, address public key expiration
... signature of certificate by C.A.
Extensions (Version 3) Sign certs only... Bob
obtains certificate offline
7
How do we validate Certificate Auth?

• Alice must have public key of certificate
  authority
• Publish in N.Y. Times
• Everyone see, adversary cannot forge all
• Make sure Jayson Blair not on staff
• Not realistic
• Ships with Browser or Operating System
• Done in practice

8
Trust in CA

• C.A. is trusted
• If compromised can forge a cert for Bob
• Attack might be detected
• CA key should be strongly guarded
• BBN SafeKeeper tempest attacks

9
Public Key Generation Algorithm

• 1) Alice generates pub/priv. key pair sends pub
  to CA
• 2) CA verifies Alice knows private key
• Challenge/response
• Self-signed certificate
• 3) CA generates cert and sends to Alice
• CA doesnt know Alices key

10
Trust models (Symmetric vs Public)
Symmetric
Public Key
Pub/cert
KDC
Pub/cert
11
Trust models (Symmetric vs Public)

• Symmetric
• Online KDC
• Knows my key
• If compromised pastfuture gone (forward security
  helpsguesses?)

• Public
• Offline
• Knows only public key
• Harder to do attack
• Only future messages exposed

12
Cross Domain Certification
Many domains, cant load them all How does Bob
verify if doesnt even have CA key?
13
Hierarchical solution
root
Stanford
Amazon
Cert chain Check cert all way to
root Hierarchies are pretty flat in practice
cs
14
Web of Trust
No authority I trust A who trusts B.... Which
model do you like better?
15
Certificate Revocation

• Revoke Bobs certificate
• Private key is stolen
• Leaves company, doesnt own ID
• Expiration Date in Cert (1 year)
• CRL Periodically send lists to everyone
• Long lists, hard to manage
• OSCP (Online Certificate status protocol)
• Online authority to answer queries
• Signing key at risk if distribute authorities

16
Certificate Revocation
Is B revoked
A
VA1
Proof of Y/N
Secure VA
VA2
Order revoked certs and build hash tree Secure VA
signs root Either show path of revoked or prove
by neighbors
17
A bit disappointing ...

• , but now have an on-line party again

18
Price of Security

• How much for 1 year certificate?
• 349
• 40 bit security on some browsers
• 995 (Pro Version)

19
Certificates in Practice
20
Certificates in Practice
21
Certificates in Practice
22
How many root certs on your browser?