PKI Flashcards
What is the trust anchor?
A self signed certificate of a public key that is allowed to sign other certificates.
What can you do with a Root of Trust?
Establish trust in other entities. using cryptography to enable transfer of trust from one entity to another.
Sections of x509
Data and signature
Compelled certs
CA cert enabling law enforcement to sign other certs
Do trust roots scale? Models?
No, two models: oligarchy: weakest link security, not trusting one entity creates unverifiable entities. Monarchy: no one can agree who. Single rot, like bgpsec, dnssec.
HSTS
Http strict transport security: only https
HPKP
HTTP public key pinning. Https header with public keys and a report uri
CRL
Certificate revocation list. Updates come in the form of deltas.
CAP theorem
Consistency, availability, tolerance to partition, pick 2
OCSP (stapling)
Online certificate status protocol. Web server attaches OCSP report, response can become too large for intemrediate CA’s
DANE (+ constraints)
DNS-based authentication of named entities. Uses DNSSEC to bind cert, without CA. 3 constraints: CA constraints, cert constraints, or trust anchor assertion.
CT (+prove)
Certificate transparency, log append only. SCT’s. Prove log is append only using MHT, and prove cert is in log.
Advantages of CT;
Fully operational today, no change required to webserver
Disadvantages of CT
Mitm still possible, broeser still needs to check logs eventually, malicious log servers, no revocation. Management of list of log servers can introduce a kill-switch.
How does CT work + consequence?
Browser only accepts cert if it has SCT’s, verifies that cert was added. Consequence is that any attacks are public knowledge as cert has to be listed in the log
