Kerberos X 509 Part2

  • 8/13/2019 Kerberos X 509 Part2

    System & Network Security

    Dr. Ashok Kumar Das

    Center for Security, Theory and Algorithmic Research

    International Institute of Information Technology, Hyderabad

    E-mail: [email protected]

    http://www.iiit.ac.in/people/faculty/ashokkdas

    Personal Home Page: http://sites.google.com/site/iitkgpakdas/

    Dr. Ashok Kumar Das (IIIT-H) System & Network Security 1 / 23

    Security at the Application Layer

    Authentication Applications:

    X.509 AUTHENTICATION SERVICE

    Characteristics of X.509

    ITU-T (International Telecommunication Union - Telecommunication Standardization Sector) recommendation X.509 is part of the X.500 series of recommendations that define a directory service.

    The directory is a server or a distributed set of servers that maintains a database of information about users.

    X.509 is an important standard because the certificate structure and authentication protocols defined in X.509 are used in a variety of contexts. For example, the X.509 certificate format is used in:

    S/MIME (Secure Multipurpose Internet Mail Extension) for providing e-mail security.

    IPSec (IP security) for providing network-layer security.

    SSL/TLS (Secure Socket Layer / Transport Layer Security) for providing security at the transport layer.

    SET (Secure Electronic Transaction) for providing application-layer security (for example, credit card/debit card transactions).

    Characteristics of X.509 (Continued...)

    X.509 is based on the use of public-key cryptography and digital signatures.

    The heart of the X.509 scheme is the public-key certificate associated with each user.

    Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority (CA).

    The user certificates are assumed to be created by some trusted certification authority (CA) and placed in the directory by the CA or by the user.

    General Format of a X.509 Certificate

    Table: X.509 Certificate Formats

    Version (1/2/3) (V)
    Certificate serial number (SN)
    Signature algorithm identifier (AI)
    Issuer name (CA)
    Period of validity (TA)
    Subject (user) name (A)
    Subject's public-key info (Ap)
    Issuer unique identifier (V2 and V3 only)
    Subject (user) unique identifier (V2 and V3 only)
    Extensions (V3 only)
    Signature on the above fields (all versions)

    General Format of a X.509 Certificate (Continued...)

    Version: Differentiates among successive versions of the certificate format; the default version is V1. If the issuer unique identifier or subject unique identifier is present, then it is V2. If one or more extensions are present, the version must be V3.

    Serial Number: An integer value, unique within the issuing CA.

    Signature algorithm identifier: The algorithm used to sign the certificate, together with associated parameters.

    Issuer Name: X.500 name of the CA that created and signed this certificate.

    Period of Validity: Consists of two dates: the first and last on which the certificate is valid.

    Subject Name: The name of the user to whom this certificate refers. That is, this certificate certifies the public key of the subject who holds the corresponding private key.

    General Format of a X.509 Certificate (Continued...)

    Issuer Unique Identifier: An optional bit string field used to identify uniquely the issuing CA in the event the X.500 name has been reused for different entities.

    Subject Unique Identifier: An optional bit string field used to identify uniquely the subject in the event the X.500 name has been reused for different entities.

    Extensions: A set of one or more extension fields. Extensions are added in V3.

    Signature: Covers all of the other fields of the certificate; it contains the hash code (H) of the other fields, encrypted with the CA's private key. This field includes the signature algorithm identifier.

    General Format of a X.509 Certificate (Continued...)

    The standard uses the following notation to define a certificate (for V1):

    CA<<A>> = CA{V, SN, AI, CA, TA, A, Ap}

    CA<<A>> = the certificate of user A issued by the certification authority CA.

    sgnData = signature of the information I = {V, SN, AI, CA, TA, A, Ap}.

    sgnData = E_KRca[H(V || SN || AI || CA || TA || A || Ap)].

    KRca: private key of CA; KUca: public key of CA.

    Thus, CA<<A>> = {V, SN, AI, CA, TA, A, Ap, sgnData} = {V, SN, AI, CA, TA, A, Ap, E_KRca[H(V || SN || AI || CA || TA || A || Ap)]}.

    Certificate Revocation

    Sometimes it may be desirable to revoke a certificate before it expires, for one of the following reasons:

    The user's private key (KR) is assumed to be compromised.

    The user is no longer certified by this CA.

    The CA's certificate is assumed to be compromised.

    Certificate Revocation (Continued...)

    Table: Certificate Revocation List (CRL)

    Signature Algorithm Identifier (AI)
    Issuer Name (CA)
    This update date
    Next update date
    Revoked User certificate Serial#
    Certificate Revocation date
    ...
    Revoked User certificate Serial#
    Certificate Revocation date
    Signature on the above fields

    Certificate Authentication

    [Figure: Forward certificates example (nodes U, V, X). Forward certificates are certificates of X generated by other CAs; they are useful for traversing down a hierarchy of CAs.]

    Certificate Authentication (Continued...)

    [Figure: Reverse certificates example (nodes X, Y, Z). Certificates generated by X are certificates of other CAs; they are useful for traversing up a hierarchy of CAs.]

    Certificate Authentication (Continued...)

    Problem: Suppose that user A has a digital certificate from certification authority X1 and user B has obtained a certificate from CA X2. We would like to present a hypothetical scenario where user A verifies the certificate of user B.

    Case I: If A does not securely know the public key of X2, then B's certificate issued by X2 is useless to A, because the certificate needs to be decrypted using KU_X2, the public key of X2. A can read the certificate, but cannot verify the signature.

    Certificate Authentication (Continued...)

    Case II: If the two CAs have securely exchanged their own public keys, then the following procedure will enable A to obtain B's public key:

    Step 1. A obtains the certificate of X2 signed by X1 from the directory. Because A securely knows X1's public key, A can obtain X2's public key from its certificate and verify it by means of X1's signature on the certificate.

    Step 2. A then goes back to the directory and obtains the certificate of B signed by X2. Because A now knows a trusted copy of X2's public key, A can verify the signature and securely obtain B's public key. Hence, A verifies the certificate of B.

    Note: Here, A has used a chain of certificates to obtain B's public key. In the notation of X.509, this chain is expressed as:

    X1<<X2>> X2<<B>>

    In a similar fashion, B can also obtain A's public key with the reverse chain:

    X2<<X1>> X1<<A>>

    Certificate Authentication (Continued...)

    Generalization of this scheme

    The above scheme need not be limited to a chain of two certificates.

    An arbitrarily long path of CAs can be followed to produce a chain.

    A chain with N elements could be expressed as:

    X1<<X2>> X2<<X3>> ... XN<<B>>

    A can use the chain to verify the certificate of B issued by CA XN.
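
    The Case II chain, generalized to N links and combined with the period-of-validity and CRL checks from the earlier slides, as an added example that is not part of the original slides. Textbook RSA over constructed toy keys stands in for a real signature scheme; the names keygen, issue and verify_chain, the label toy-rsa-sha256 and all sample values are assumptions made for illustration.

```python
# Added example: toy model of the slide notation, not a real X.509 parser.
# Textbook RSA (no padding) over constructed Mersenne-prime keys stands in
# for E_KR[H(...)]; it only illustrates the chain logic.
import hashlib

E = 65537

def keygen(p, q):
    """Return (KU, KR) = ((e, n), (d, n)) for distinct primes p, q."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)

def H(fields):
    """Hash of the signed fields V||SN||AI||CA||TA||A||Ap, as an integer."""
    return int.from_bytes(hashlib.sha256(repr(fields).encode()).digest(), "big")

def issue(ca, kr_ca, sn, subject, ku_subject, ta):
    """Build CA<<subject>> = {V, SN, AI, CA, TA, A, Ap, sgnData}."""
    tbs = (1, sn, "toy-rsa-sha256", ca, ta, subject, ku_subject)
    d, n = kr_ca
    return {"tbs": tbs, "sgnData": pow(H(tbs) % n, d, n)}

def verify_chain(chain, trusted_ku, now, crls):
    """Walk X1<<X2>> ... XN<<B>>; return B's public key, or None on failure."""
    ku = trusted_ku
    for cert in chain:
        _v, sn, _ai, ca, (first, last), _subject, ap = cert["tbs"]
        e, n = ku
        if pow(cert["sgnData"], e, n) != H(cert["tbs"]) % n:
            return None      # signature does not verify under the issuer's key
        if not first <= now <= last:
            return None      # outside the period of validity
        if sn in crls.get(ca, set()):
            return None      # serial number is on the issuer's CRL
        ku = ap              # trusted copy of the subject's key for the next link
    return ku

# Constructed sample data: A trusts X1; the directory holds X1<<X2>> and X2<<B>>.
M = lambda k: 2**k - 1       # Mersenne primes for k = 61, 89, 107, 127, 521, 607
KU_X1, KR_X1 = keygen(M(61), M(89))
KU_X2, KR_X2 = keygen(M(107), M(127))
KU_B, _KR_B = keygen(M(521), M(607))
TA = (20190101, 20191231)    # period of validity as YYYYMMDD integers
CHAIN = [issue("X1", KR_X1, 7, "X2", KU_X2, TA),
         issue("X2", KR_X2, 42, "B", KU_B, TA)]
```

    Passing only X2<<B>> with X1's key as the trust anchor reproduces Case I: the certificate can be read, but the signature check fails and no key is returned.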

    Certificate Authentication (Continued...)

    [Figure: X.509 Hierarchy: A Hypothetical Example]

    Authentication Procedures

    One-way Authentication

    It involves a single transfer of information from one user (A) to another (B), and establishes the following:

    1. The identity of A and that the message was generated by A.

    2. That the message was intended for B.

    3. The integrity and originality (it has not been sent multiple times) of the message.

    A → B: tA, rA, IDB, sgnData, E_KUb(Kab)

    tA: timestamp; prevents delayed delivery of messages.

    rA: random nonce used to detect replay attacks. B stores the nonce until it expires and rejects any new messages with the same nonce.

    IDB: identity of B.

    sgnData = E_KRa[tA || rA || IDB]: signature on data containing tA, rA, and IDB.

    Kab: secret symmetric session key between A and B.
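
    B's freshness checks on the one-way message, as an added example that is not part of the original slides: the recipient check on IDB, the timestamp window on tA, and the nonce store for rA. It assumes sgnData has already been verified with A's public key; the class name Receiver, the 60-second window and the sample messages are constructed for illustration.

```python
# Added example (not from the slides): B's checks on A -> B: tA, rA, IDB, ...
# Assumption: sgnData over tA||rA||IDB was already verified with A's public key.
class Receiver:
    def __init__(self, identity, max_skew=60):
        self.identity = identity     # B's own name, compared with IDB
        self.max_skew = max_skew     # seconds tA may differ from B's clock
        self.seen = {}               # nonce rA -> last time it must be remembered

    def accept(self, t_a, r_a, id_b, now):
        """Return 'ok' or the reason the message is rejected."""
        # Drop nonces whose messages would fail the timestamp check anyway.
        self.seen = {r: exp for r, exp in self.seen.items() if exp >= now}
        if id_b != self.identity:
            return "wrong recipient"     # message was intended for someone else
        if abs(now - t_a) > self.max_skew:
            return "stale timestamp"     # delayed delivery or unsynchronized clocks
        if r_a in self.seen:
            return "replayed nonce"      # same rA seen inside the window
        self.seen[r_a] = t_a + self.max_skew
        return "ok"

def demo():
    """Run constructed messages (tA, rA, IDB, B's clock) through B."""
    b = Receiver("B")
    msgs = [
        (1000, "n1", "B", 1005),   # fresh message
        (1000, "n1", "B", 1030),   # replay while the nonce is still stored
        (1000, "n1", "B", 1100),   # replay after the nonce expired
        (1000, "n2", "C", 1005),   # addressed to C, not B
    ]
    return [b.accept(*m) for m in msgs]
```

    The nonce is kept exactly as long as its timestamp would still be accepted, so the store stays bounded and a replay arriving after expiry is caught by the timestamp check instead.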

    Authentication Procedures (Continued...)

    One-way Authentication (Continued...)

    [Figure: Verification of signature by B. B decrypts the signature with KUa and compares the recovered tA, rA and IDB with the received values, decrypts E_KUb(Kab) with KRb, and stores Kab.]

    Authentication Procedures (Continued...)

    Two-way Authentication

    It involves the transfer of two messages between one user (A) and another (B), and establishes the following:

    1. The identity of A and that the message was generated by A.

    2. That the message was intended for B.

    3. The integrity and originality (it has not been sent multiple times) of the message.

    4. The identity of B and that the reply message was generated by B.

    5. That the message was intended for A.

    6. The integrity and originality of the reply.

    Authentication Procedures (Continued...)

    Two-way Authentication (Continued...)

    A → B: tA, rA, IDB, sgnData1, E_KUb[Kab]

    B → A: tB, rB, IDA, sgnData2, E_KUa[Kba]

    Kab = Kba

    sgnData1 = E_KRa[tA || rA || IDB]

    sgnData2 = E_KRb[tB || rB || IDA || rA]

    Authentication Procedures (Continued...)

    Three-way Authentication (X.509 Strong Authentication Procedure)

    Involves the exchange of three messages between A and B.

    A final message from A to B is included, which contains a signed copy of the nonce rB.

    A → B: tA, rA, IDB, sgnData1, E_KUb[Kab]

    B → A: tB, rB, IDA, rA, sgnData2, E_KUa[Kba]

    A → B: E_KRa(rB)

    Kab = Kba

    sgnData1 = E_KRa[tA || rA || IDB]

    sgnData2 = E_KRb[tB || rB || IDA || rA]

    This approach is needed when synchronized clocks are not available.
