Public Key Infrastructures: The Bane of Midterm 2
CS 451: Operating Systems
Jason Bartlett

What are PKIs?
– Put simply, PKIs are a way to manage public keys and/or trust in those keys.
– Any PKI must handle three considerations:
  – Availability of keys: How do I find a key?
  – Validity of keys: How do I know this key is correct?
  – Provenance of keys: How do I know if this key is the right key?

Outline
– Self-certifying names
– Hierarchical PKI
  – X.509
  – DNSSEC
– Distributed PKI
  – SDSI
  – PGP
– Reputation Systems

Self-Certifying Names
– One way to distribute keys is to cryptographically derive the name of the data from the data itself.
– Ex: A self-certifying pathname used by SFS, a location-independent secure file system.
– Any change to the data will result in a different hashed name.

Self-Certifying Names, cont’d
– These names clearly satisfy key availability and key validity.
– Recent proposals for next-generation Internet architectures use these ideas to secure data.
  – DONA
  – CCN/NDN

DONA
– DONA (Data-Oriented Network Architecture) uses self-certifying names to ensure data validity over the network.
  – You ask for some data P:L where P is the hash of the publisher’s public key and L is a human-readable label
  – You receive a triple <Data, Key, Signature> and can verify that the publisher’s key hashes to P, therefore the data is owned by a proper publisher.

NDN
– NDN (Named Data Networking) uses some of these ideas, but not explicit self-certifying names
  – NDN cryptographically derives a signature for each piece of data from the data, publisher, and the publisher’s key.
  – This basically signs the binding between the name given to the data and the data itself.

Self-Certifying Names, cont’d
– But what about key provenance?
– Self-certifying names rely on a mapping from user-friendly names to the self-certifying name
– This provides an avenue of attack
  – Ex: In SFS, a user can create symlinks to a server so they don’t have to retype the hash.
  – If the user’s system is vulnerable, those links can be rewritten to point to an attacker’s server.

Outline
– Self-certifying names
– Hierarchical PKI
  – X.509
  – DNSSEC
– Distributed PKI
  – SDSI
  – PGP
– Reputation Systems

Hierarchical PKI
– If self-certifying names are not used, a user must be able to establish the validity of keys.
– This is commonly done by binding a name to a public key, creating an Identity Certificate
– This binding is done by a trusted third party called a Certification Authority.

Hierarchical PKI
– The CA forms the root of a tree and can sign any other key below them.
– These trees can be as small as a project group, or as big as the Internet.

X.509
– One of the earlier examples of a hierarchical PKI is X.509 (version 3 defined in RFC 2459).
– All certificates can be traced back to a single global root.
– The early motivation here was to create an Internet-sized “phone book” of users and public keys.

X.509
– X.509 certificates are still commonly used in SSL and TLS.
– Check out your browser’s root list:
  – Firefox: Edit -> Preferences -> Advanced -> Encryption -> View Certificates
  – Chrome: [Wrench] -> Preferences -> Under The Hood -> Manage Certificates -> Authorities

X.509 Certificate
– A sample X.509 Certificate.
– http://publib.boulder.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=/com.ibm.ztpfztpfdf.doc_put.cur/gtps7/s7cont.html

DNSSEC
– Another hierarchical PKI is the DNS Security Extensions (RFC 4033).
– Ideally, keys for the DNS roots are preloaded into user systems.
– Then the root keys certify the TLD keys, who certify domains under them, and so on.
– DNSSEC is not 100% deployed yet
  – Islands of Security exist though.

Example DNSSEC Query

    yellowstone> dig com rrsig

    ; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> com rrsig
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52737
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;com.                   IN      RRSIG

    ;; ANSWER SECTION:
    com.    86348   IN      RRSIG   DS 8 1 86400 20110502000000 20110424230000 34525 .
            HF+sUcMQMV5fOPCHLbtN9GpLKCZg/xKRQn8FNSXSoMOaznQAdSGu+wL4
            L2rbxG6lxP91bwA3/+TMazCbAGDCaWanIAM+XLcrXxPK7fwfoYy6TQM9
            ImqBw1FhEli043vYpo7CGq6Gwr5rmbIynNTOvrEWNBtQN+jwfDmA08rM
            vOI=

Hierarchical PKI
– Key Availability?
  – Of course, you know whose key you need.
– Key Validity?
  – Every key can be traced back through the hierarchy until a trusted CA is found.
– Key Provenance?
  – Yeah, about that...

Key Provenance in Hierarchical PKI
– Consider the scale of an Internet-wide PKI.
– It is possible to obtain a valid key, but have no idea if the name attached to it is the person you really want to be certifying your data.
  – How many John Robinsons does VeriSign know?
– This is called the “Walton’s Mountain Assumption”

Additional Risks
– Any hierarchical PKI is vulnerable because it relies on an implicitly-trusted hierarchy.
– For example, if your system is left unsecured when you go to lunch and a disgruntled custodian adds an attacker’s key to your browser’s root list...
– And what if you’re the head of the department?

Outline
– Self-certifying names
– Hierarchical PKI
  – X.509
  – DNSSEC
– Distributed PKI
  – SDSI
  – PGP
– Reputation Systems

Distributed PKI
– Instead of a hierarchy, why not base all authentication decisions on local trust?
– Everybody’s signature is equally valid
  – i.e. Everybody can act as a CA.
– You probably either know the people you need a key from, or you know someone you can ask.

SDSI
– In SDSI (Simple Distributed Security Infrastructure), each user creates a “little black book” of names and keys.
– Users can then ask for and receive copies of these keys.
– This creates chains of trust (think Six Degrees of Kevin Bacon).
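The chains of trust described on the SDSI slide come from resolving linked local names through one black book after another. The resolver below is an added example, not part of the original slides; the key identifiers and book contents are constructed, and the name bindings are taken as already verified (in SDSI each binding is a certificate signed by the book's owner).

```python
# Constructed sample data: key identifiers are placeholders, not real hashes.
ALICE, SAM, FRANK, CAROL = "K_alice", "K_sam", "K_frank", "K_carol"

# One "little black book" per principal: local name -> list of subjects.
# A subject is ("key", k) or ("name", [n1, n2, ...]). A name subject is read
# relative to the book's owner; each further element is looked up in the
# book of whichever key the previous element resolved to.
BOOKS = {
    ALICE: {
        "Sam Washington": [("key", SAM)],
        "Frank Adams": [("key", FRANK)],
        "poker buddies": [("name", ["Sam Washington"]),
                          ("name", ["Frank Adams"])],
        "friends of Sam": [("name", ["Sam Washington", "friends"])],
    },
    # Sam's group refers to itself; the resolver must not loop on this.
    SAM: {"friends": [("key", CAROL), ("name", ["friends"])]},
}


def resolve(owner, names, books=BOOKS, active=frozenset()):
    """Return the set of keys denoted by owner's n1's n2's ... (a linked name)."""
    if not names:
        return {owner}
    head, rest = names[0], names[1:]
    if (owner, head) in active:
        return set()                      # cyclic definition adds nothing new
    inner = active | {(owner, head)}      # names currently being expanded
    keys = set()
    for kind, value in books.get(owner, {}).get(head, []):
        holders = {value} if kind == "key" else resolve(owner, value, books, inner)
        for holder in holders:            # hop into each holder's own book
            keys |= resolve(holder, rest, books, active)
    return keys


if __name__ == "__main__":
    print(resolve(ALICE, ["poker buddies"]))
    print(resolve(ALICE, ["Sam Washington", "friends"]))
```

The same name resolves differently, or not at all, from another principal's book, which is the sense in which every decision rests on local trust.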
SDSI Certificates

Example Identity Certificate:

    (cert
      (issuer (name (hash md5 |PWKULKycrQ/Pxu9qWBSY2Q==|) "Sam Washington"))
      (subject (hash md5 |Z4a6hysK/0qN0L5SFkcJFQ==|)))

Example Group Certificates:

    (cert
      (issuer (name (hash md5 |PWKULKycrQ/Pxu9qWBSY2Q==|) "poker buddies"))
      (subject (name "Sam Washington")))

    (cert
      (issuer (name (hash md5 |PWKULKycrQ/Pxu9qWBSY2Q==|) "poker buddies"))
      (subject (name "Frank Adams")))

Example Delegation Certificate:

    (cert
      (issuer (hash md5 |PWKULKycrQ/Pxu9qWBSY2Q==|))
      (subject (name "poker buddies"))
      (tag (play super-poker at http://best-casino.com)))

Web Of Trust
– Because each user acts as a CA, trust relationships become decentralized.
– This can be expanded
  – PGP allows for explicit trust.

PGP
– PGP is the current de facto standard for e-mail encryption.
– http://www.pgpi.org/doc/pgpintro/

Distributed PKI
– Distributed PKIs attempt to fix the provenance issue seen in hierarchical PKIs
  – The scale of the system is smaller.
  – A user usually won’t have to go far to find a key.
– Availability is impacted.
  – Some keys can still be preloaded, but a user that deletes their root list can still go find them.

Outline
– Self-certifying names
– Hierarchical PKI
  – X.509
  – DNSSEC
– Distributed PKI
  – SDSI
  – PGP
– Reputation Systems

Reputation Systems
– Most security infrastructures attempt to model some sort of trust relationship
  – Company-department-employee
  – Friends in a bowling league
– These real-world relationships are grown through shared experiences.
– Once enough people interact with the same person, the person gains a reputation.

Reputation Systems, cont’d
– With the proliferation of e-commerce, complete strangers are increasingly likely to do business.
– How do we model trust here?
– Any such system must have three criteria:
  – Longevity
  – Feedback must be collected
  – Feedback determines interaction

Centralized Reputation Systems
– One approach is to have some sort of centralized metric that measures trust.
  – Credit Score
  – eBay
– Future customers can see how trustworthy a particular seller is
– And sellers can see if the customer is a jerk.

Issues With Feedback
– Eliciting Feedback
  – Sometimes users don’t want to be bothered
  – Users could blackmail sellers with negative feedback.
– The Sybil Attack
  – Where a small number of users create many identities
  – Still an active research area

More Feedback Issues
– Distributing Feedback
  – Feedback in one system is generally not valid in another system.
  – Users aren’t bound to a single online alias
  – Amazon used to import eBay ratings
  – “Moving to a new town to escape justice”
– Aggregating Feedback
  – eBay ratings don’t capture aspects of transactions that might be useful.

Distributed Reputation Systems
– Instead of a centralized metric, allow users to attach trust values to other users directly.
– PGP is the classic example
  – A user can check the trust values on a key as well as how much the user trusts the people that assigned the other trust values.
– Don’t need to aggregate or distribute feedback.
– However, obtaining feedback is still tricky
– Sybil Attacks are even more of a problem

Reputation Systems
– Reputation Systems provide a mechanism for strengthening trust in keys, i.e. increasing their provenance.
– As a result, reputation systems are better suited as an augmentation to existing models than as a standalone system.
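Returning to the DONA slide: the check a client runs on a <Data, Key, Signature> triple received for a name P:L, as an added example that is not part of the original slides. Lamport one-time signatures over SHA-256 stand in for the publisher's signature scheme so the code needs only the standard library; the signed message layout (label, NUL byte, data) and all function names are assumptions.

```python
import hashlib
import secrets


def H(b):
    return hashlib.sha256(b).digest()


# Lamport one-time signatures: a stand-in for the publisher's real scheme.
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(256)] for _ in range(2)]
    pk = b"".join(H(s) for row in sk for s in row)
    return sk, pk


def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg):                         # each key pair may sign only once
    return b"".join(sk[bit][i] for i, bit in enumerate(_bits(msg)))


def sig_ok(pk, msg, sig):
    if len(pk) != 2 * 256 * 32 or len(sig) != 256 * 32:
        return False
    return all(H(sig[32 * i:32 * i + 32]) == pk[32 * (256 * bit + i):][:32]
               for i, bit in enumerate(_bits(msg)))


def dona_name(pk, label):                  # P:L with P = hash of publisher key
    return H(pk).hex() + ":" + label


def publish(sk, pk, label, data):          # builds <Data, Key, Signature>
    return data, pk, sign(sk, label.encode() + b"\0" + data)


def verify(name, data, key, sig):
    p, _, label = name.partition(":")
    if H(key).hex() != p:                  # validity: the key must hash to P
        return "key does not hash to P"
    if not sig_ok(key, label.encode() + b"\0" + data, sig):
        return "bad signature"
    return "ok"


def demo():
    sk, pk = keygen()
    name = dona_name(pk, "midterm2-notes")          # constructed label
    data, key, sig = publish(sk, pk, "midterm2-notes", b"original")
    sk2, pk2 = keygen()                              # an unrelated publisher
    other = publish(sk2, pk2, "midterm2-notes", b"substitute")
    remapped = dona_name(pk2, "midterm2-notes")      # friendly name -> new P
    return (verify(name, data, key, sig), verify(name, b"edited", key, sig),
            verify(name, *other), verify(remapped, *other))
```

The last result is "ok": once the mapping from the friendly name to P has been changed, every check still passes, so P itself has to be obtained or pinned through a channel the user already trusts.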