PKI Flashcards
Definition of PKC. Which security properties can it achieve?
A PKC is a data structure to securely bind (with the signature by an authority) a public key to some attributes (being employed in the transaction that is protected by the PKC).
It is important to achieve non-repudiation of a digital signature which normally has only data integrity and authN.
How can the key pair of a PKC be generated/stored?
The key pair has to be protected both when stored and when used.
The key pair could be generated:
* in a SW application -> needed trust in the platform
* in a. dedicated. HW -> difficult to update and to do vulnerability patching
* in SW and then injected in trusted device -> good for encryption key recovery
PKI actors
- Certification Authority: generates, revokes and suspends certificates + publishes PKCs and infos about their status
- Registration Authority: helps the CA to verify claimed identity and attributes and to authorize the CA to issue or revoke a certificate
- Validation Authority
- (unofficial) Revocation authority: can be RA or CA and must be up 24/7 to timely revoke a compromised certificate
Certificate generation
There are multiple possibilities after the key pair generation:
* the secret key is stored in a secure way by the user and the public key is sent to the CA with some claimed attributes -> the user is redirected to the RA to which it identifies itself -> the RA confirms to the CA and takes responsibilities in case of mistakes -> the CA issues the PKC, publishes it in a repository while the user stores it together with the secret key (like in a smart card)
* the RA generates the key pair, obtains a PKC and distributes the key pair + PKC on a secure device
* the user first visits the RA and gets a code = MAC (K, ID) where K is a shared key between CA and RA, then it uses it to get a PKC from the CA
How many attributes can be bound to a PKC?
A PKC is bound to a single public key but it can be bound to multiple attributes.
Versions of X.509 PKC
v1 and v2
Invented to protect OSI networks and make them more usable.
v3
Extensions were added together with attribute certificates which are used to assign attributes and not idenitties allowing to not disclose personal informations.
Context of X.509 PKC
X.509 PKC is part of the X.500 standard, which provides the foundation for directory services used to hierarchically store and reteieve infos about entities in a distributed network.
Each entry in the hierarchical tree has a DN that is the result of the concatenation of the Relative DNs along the path to reach it.
The organization from top to bottom is:
* root
* country
* organization
* organization unit
* individual/resource
This standard defines the Directory Access Protocol which i used to query, modify, manage entries of the tree.
The issues are:
- lack of CA policies
- lack of a proper X.500 infrastructure
- difficult to establish the certification path among entities
X.509: CP and CPS
CA liability may be limited in specific applications or purposes, as specified in the CA policies.
We have:
* Certificate Policy (CP): a. set of rules that indicate the applicability of the PKC to a particular application; it defines minimum requirements and can be followed by different CAs
* Certification Practice Statement (CPS): it is about the practices of a specific CA so it is about one particular CA only and about its implementation details. For example it contains the internal processing time to know when the next CRL will be published.
Who is the TTP in the X.509 context?
CA
RFC-1422: what is it about, what does it define and which issues does it have?
RFC-1422 envisioned a single hierarchical certification infrastructure for the entire world. This hierarchy was rooted at the Internet Policy Registration Authority (IPRA), which was the sole root CA. Below IPRA, there were special Certification Authorities (CAs) called Policy Certification Authorities (PCAs), which established the policies for issuing certificates. The actual CAs were positioned below the PCAs, and each CA was required to conform to a naming convention known as name subordination.
IPRA certified PCAs, which in turn issued certificates following predefined policies. The primary policies defined by RFC-1422 were:
- high assurance: to get a PKC under this policy 2-photo ID docs and a DNA test are needed
- mid-level assurance: one documment needed
- residential: PKCs issued base on the residence of the requestor
- persona: Derived from the Latin word persona (mask), this policy allowed for anonymous certificates. Such certificates did not contain personal identifiers (e.g., name or address). Instead, they included a pseudonym (e.g., Anon#37), ensuring the user’s actions were traceable to the same pseudonymous identity without revealing their real identity
The RFC-1422 hierarchy ultimately failed due to political and operational challenges:
* The single root CA (IPRA) created a single point of failure and immense political controversy over which entity (e.g., USA, China, India, Russia) should manage it. Control over IPRA allowed the creation of fake certificates for any entity, undermining trust in the entire system.
* The hierarchical structure was too rigid, limiting the flexibility of certificate management.
X.509v3: extensions types and what is a certificate profile
- public: defined by the standard and public to anyone -> anyone can understan them
- private: belonging to a closed community
- critical: unrecognized critical extensions MUST be rejected
- non-critical: MAY be rejected if not understood.
Profile = set of extensions for a specific purpose
X.509v3: base syntax of a PKC
A X.509 Certificate is a data structure that contains a SEQUENCE of data:
~~~
Certificate ::= SEQUENCE {
signatureAlgorithm AlgorithmIdentifier,
tbsCertificate TBSCertificate,
signatureValue BIT STRING
}
~~~
The TBSCertificate data type represents a data structure that contains a SEQUENCE of data as well:
* version: by default it starts from 0, so, if it’s 2 it corresponds to X.509v3;
* serialNumber: unique number for the certificate issuer;
* signature: the algorithm used to sign the certificate;
* issuer: the entity that issued the certificate;
* validity: the period of time for which the certificate is valid;
* subject: whoever is in control of the private key associated to the public key in the certificate;
* subjectPublicKeyInfo: information on the public key of the certificate;
* issuerUniqueID: nowadays deprecated (that’s why it’s OPTIONAL), unique world wide identifier for the certificate issuer;
* subjectUniqueID: same as issuerUniqueID but for the subject instead;
* extensions: if any extension is present (optional), the certificate version must be v3
Why is the AlgorithmIdentifier present in both the Certificate and the TBSCertificate? This re-dundancy ensures that the algorithm used for certification matches the externally declared algorithm. If they differ, the certificate is deemed invalid. This acts as a security measure to prevent attacks such as the “signature substitution attack.”
Both issuer and subject fields can only be Distinguished Names (DNs).
X.509v3: list of public extensions classes
Public extensions are those defined in the standard that everyone should understand. These extensions are divided into four classes:
* Key and policy information: This includes details about the key and the policies that the certificate follows.
* Certificate subject and certificate issuer attributes: These provide more information about the subject and issuer of the certificate.
* Certificate path constraints: This defines the sequence of certificates from the root to the certificate in question.
* CRL distribution point: These extensions identify where the Certificate Revocation List (CRL) can be obtained.
In many cases, the term EE (End Entity) is used to refer to the entity at the end of the certification hierarchy, which possesses both the public and private keys.
What is a DN?
Hierarchical sequence going from the top down to the level of the entity that controls the key.
X.509v3: alternative names
– rfc822Name: it’s just an email address; useful if you want to use the certificate to protect your email;
– dNSName: it’s a Fully Qualified Domain Name (FQDN);
– iPAddress: important for routing security to certify that a specific node, controlling a private key, has that specific IP address;
– uniformResourceIdentifier (URI): grants the possibility to assign different keys to different (active) web pages hosted on the same server.
– directoryName: useful if you’re using a directory with a different syntax
– X400Address: it was the old OSI email
– ediPartyName: EDI (Electronic Data Interchange) is a way in which companies transfer from each other electronic data that are relevant for their business. The purpose of EDI is to send a message which can be understood and processed directly by computers. EDI parties interact with EDI and they’re identified by ediPartyName;
– registeredID: any other kind of official registry name, e.g., VAT number (which uniquely identifies a com-
pany);
– otherName
IETF-PKIX extensions
While the use of private extensions is generally discouraged due to a lack of interoperability, there is one notable exception: the IETF-PKIX has defined three extensions for the Internet user community.These extensions are now considered public because they adhere to widely known Internet standards.
The following PKIX private extensions are defined:
* Subject Information Access (SIA)
* Authority Information Access (AIA)
* CA Information Access (CAIA)
RFC-2459
RFC-2459 defines the profile of X.509v3 certificates as suggested by PKIX for use in Internet applications (e.g., IPsec, TLS, S/MIME). This document provides guidelines for ensuring interoperability when using X.509 certificates with standard Internet mechanisms.
The extensions are defined using an OID having as base the PKIX OID.
RFC-2459 also provides implementation suggestions to ensure consistency and compatibility across systems, for example a Validity Period: Certificates must include a validity period (from-to) specifying their active time frame using UTC time (Universal Time Coordinated).
-
UTCtime avoids issues with time zones when validating certificates.
– Seconds must always be included.
– Certificates must use Zulu time (GMT, denoted by the suffix Z) to ensure global compatibility.
– When the year is written with two digits, it is assumed to be in the range 1950-2049.
RFC-3279 and additions
RFC-3279 specifies the algorithms that MUST be supported by applications using the RFC-3280 profile. It includes both modern and older algorithms.
RFC-3280 and RFC-5280
The RFC-3280 and its successor RFC-5280 define the PKIX profile. This profile specifies not only the values and fields but also the algorithms and procedures to ensure that certificates are processed consistently worldwide.
- Path Validation Algorithm: algorithm for validating a certificate chain. When an End-Entity (EE) certificate is issued, it is signed by a Certification Authority (CA). This CA may itself have a certificate issued by another CA, continuing up to the root CA. The RFC specifies how to construct and verify this chain.
- Certificate Status Verification: Specifies the algorithms for verifying the status of a certificate by using a basic or full Certificate Revocation List (CRL) or by using a Delta-CRL, which contains only the differences with the last full CRL.
- Extended Key Usage: Adds the OCSPSigning purpose for certificates used in Online Certificate Status Protocol (OCSP) responses.
- Extensions for Certificates: Inhibit Any-Policy (ensures that the CA explicitly specifies its policy), Freshest CRL: Provides a pointer to a Delta-CRL, which contains only the differences compared to the basic CRL, Subject Information Access
- Freshest CRL in CRL Context: The Freshest CRL extension applies not only to certificates but also to CRLs. This allows the retrieval of differences from the last full CRL when a Delta-CRL is available.
- Delta CRL Distribution Point: Specifies a distribution point for Delta-CRLs. This extension follows the same syntax as CRL Distribution Point and can be included either in a certificate or in a CRL. However, it must not be present in a Delta-CRL itself, ensuring that a Delta-CRL always represents the difference between a base CRL and its updates (i.e., no “delta of delta”). This extension is always marked as non-critical, as multiple methods for verifying the status of a certificate are available (e.g., full CRL, Delta-CRL, OCSP), and no single method can be universally mandated.
PKC revocation: when does it happen and how is it performed?
A certificate may be revoked before its natural expiration for several reasons:
* Upon request of the certificate owner: Key compromise or Key loss
* Upon request of the certificate sponsor: The sponsor (e.g., an organization) may request re- vocation.
* Autonomous action by the issuer (CA): The issuer may revoke a certificate due to an error, such as issuing a wrong certificate by mistake, or a fraud, where the certificate was obtained under false pretenses.
X.509 CRL: generalities
The Certificate Revocation List (CRL) is a list of revoked certificates, where each entry includes the revocation date and the reason for revocation.
CRLs are issued periodically and maintained by the certificate issuers. This process requires re-issuing a CRL even when no changes have occurred, to assure the relying party of its freshness.
This periodic reissuance is necessary to prevent replay attacks, where an attacker could present an old signed CRL as if it were a new one. To mitigate this risk, the security policy of each CA specifies the lifetime of a CRL.
CRLs are digitally signed by the CA that issued the certificate or by a delegated revocation authority (RA). In cases where the CRL is not directly issued by the CA, it is referred to as an indirect CRL (iCRL). This means that the CRL is neither created nor signed by the issuer itself, but rather by its delegate.
For an RA to sign an iCRL, it requires a certificate with the Key Usage (KU) field set to CRLSign. This field certifies that the RA has been authorized by the issuer to sign the CRL. Without this authorization, anyone with the appropriate signing capabilities could sign a CRL, compromising its integrity. In this context, the CRLSign field also functions as an authorization mechanism.
X.509 CRL: structure
- tbsCertList
- signatureAlgorithm: The algorithm used to sign the CRL.
- signatureValue: The signature of the CRL.
Inside the tbsCertList we have:
* version (optional)
* signature: the signature algorithm is repeated inside TBSCertList to avoid attacks;
* issuer: the entity (usually a CA) that issued the CRL;
* thisUpdate: date and time when the CRL was created;
* nextUpdate: a promise from the CA that the next CRL will be published before this date;
* revokedCertificates: A sequence where each entry contains the serial number of the revoked certificate and the revocation date;
– userCertificate: Identifies the revoked certificate (CertificateSerialNumber).
– revocationDate: The date and time the certificate was revoked.
– crlEntryExtensions: Extensions for the individual revoked certificate entry.
* crlExtensions: extensions for the whole CRL;
X.509 CRL: extensions
crlEntryExtensions
– reasonCode: A code that specifies the reason why the certificate has been revoked (e.g., keyCompromise).
– Hold Instruction Code: The PKIX group suggests not using this extension, but military organizations use it to “block” a certificate when its subject is not operative. To achieve this, the certificate is added to the CRL as if it were revoked but marked as “on hold”. When the subject becomes operative again, another CRL is published where the certificate is marked as “off hold”. If someone needs to verify whether the certificate was valid during a specific period, they must download all CRLs published in that period to check its “hold on/hold off” status.
– InvalidityDate: Specifies the date on which the private key is known or suspected to have been compromised, or when the certificate otherwise became invalid. This date may be earlier than the revocationDate in the CRL entry, which represents the date the CA processed the revocation.
– CertificateIssuer: Identifies the certificate issuer associated with an entry in an indirect CRL. This extension includes one or more names from the issuer field and/or the IssuerAlternative Name (IAN) extension of the certificate corresponding to the CRL entry. It binds the certificate serial number to the CA.
crlExtensions
- Authority Key Identifier: Points to the public key corresponding to the private key used to sign the CRL.
– Issuer Alternative Name: Allows additional identities to be associated with the issuer of the CRL.
– CRL Number: Conveys a monotonically increasing sequence number for a given CRL scope and issuer. This extension helps users determine when one CRL supersedes another and supports iden- tifying complementary complete CRLs and delta CRLs.
– Delta CRL Indicator: A critical CRL extension that identifies a CRL as a delta CRL.
– Issuing Distribution Point: A pointer to the location where the latest update of the CRL can be downloaded.
X.509 CRL: certificate revocation timeline
- The certificate is valid and it’s not included in the last CRL (CRL n);
- Key compromise event: the subject loses control over the private key;
- Cert revocation request: the subject asks for the certificate to be revoked and identifies himself to the CA.
The time when the key compromise event occurred corresponds to the invalidityDate field (CRL entry extension). The subject must demonstrate, in case of legal dispute, that he lost control over the key at that time; - Cert revocation time: the certificate is officially revoked by the CA but it will take some time before this change
is made public, i.e., before a new CRL containing that certificate is issued. This time depends from the processing time of the CA (time spent to create the new CRL and publish it).
The certificate revocation time corresponds to the revocationDate field of revokedCertificates of TBSCertList. The CA will proof that it identified the subject and it followed all necessary procedures to perform the revocation;
Attacks:
* If an attack is performed during the red period, it will be successfull since the relying party (RP) will have no way to check if the certificate’s private key has been compromised (because CRL n + 1 hasn’t been published yet);
* If an attack is performed during the yellow period, it could be successful…unless the RP is cautious enough. As a matter of fact, since the internal processing time of the CA should be specified in the Certificate Practice Statement (CPS), e.g., “the CA guarantees that, as soon as it receives and validates the revocation request, CRL n + 1 will be published within 15min”, the RP could wait that specific amount of time, to see whether a new CRL is published or not and, if so, if that CRL contains the received certificate;
* If the certificate was valid at the Time of Signature (ToS), it doesn’t matter if, at the Time of Verification (ToV), it appears as “revoked”! Note that (IMPORTANT):
– If Time of Signature < Time of Verification
∗ CRL is useless unless you can demonstrate and tell with precision when was the ToS;
∗ the ToS cannot be self-declared;
– If ToS = ToV
∗ e.g., the key’s being used to perform an asymmetric challenge-response NOW;
∗ no problem…just download the newest CRL and check if it contains the certificate;
X.509 CRL: maintainance issues
Certificate Revocation Lists (CRLs) can grow very large, as they include all certificates revoked up to a certain date. This size increase makes them costly to download and examine. Several strategies exist to manage this efficiently:
-
Eliminating revocations after the certificate’s expiration date: this approach involves removing the revoked certificate entry in the first CRL issued after the certificate expires. However, this method has significant drawbacks: let’s say a certificate was valid until 12/31, but it was revoked on 10/5. If the CRL is updated after the certificate’s expiration date, the revocation entry for this certificate will be included only in that specific CRL (after the certificate has expired). Once the certificate expires, it will be removed from future CRLs, even though it was revoked before its expiration. This means that subsequent CRLs will not show its revocation, which creates problems for validating past signatures or transactions.
Consider a scenario where a student, John, receives a grade on a specific date, and a signature is created for it. This signature needs verification during graduation, which occurs at a later time. If the revocation entry has been deleted, there is no way to confirm its validity unless past CRLs are archived. -
Publishing a complete CRL followed by deltas: a Certificate Authority (CA) generates a base CRL (e.g., CRL number N) and subsequent delta CRLs that contain only the differences from N. To verify a certificate, one must download the base CRL and all subsequent deltas until the next
base CRL. While this approach speeds up downloads, it requires additional processing to reconstruct the full CRL. - Partitioning the CRL into groups using CRLDP: the CRL Distribution Point (CRLDP) extension in certificates allows partitioning CRLs into smaller subsets. This method enables a CA to manage multiple smaller CRLs instead of a single large CRL. However, to obtain all revoked certificates for a CA, all CRLDP partitions must be downloaded. The implementation of CRLDP varies across CAs, guided by their Certificate Policies (theoretical principles) and Certificate Practice Statements (practical implementations).
