Public Key Infrastructure

ChesterRebeiroIITMadras

•  KeyEstablishment:“AliceandBobwanttouseablockcipherforencryption.Howdotheyagreeuponthesecretkey”

2

AliceandBobagreeuponaprimepandageneratorg.Thisispublicinformation

chooseasecretacomputeA=gamodp

chooseasecretbcomputeB=gbmodp

B A

ComputeK=Bamodp ComputeK=Abmodp

Abmodp=(ga)bmodp=(gb)amodp=Bamodp

Recollect Diffie-Hellman Key Exchange

Man in the Middle Attack

3

Alicesendshispublickey

Alicedecryptswithherprivatekey

Bobencrypts

withSally’spu

blickey

ManinthemiddleInterceptsmessages

Sallysendsherpublickey

Sallydecryptswithherprivatekeyandre-encryptsWithAlice’spublickey

Man in the Middle Attack

4

Alicesendshispublickey

Alicedecryptswithherprivatekey

Sallyencrypt

s

withMallory’

spublickey

ManinthemiddleInterceptsmessages

Sallysendsherpublickey

Sallydecryptswithherprivatekeyandre-encryptsWithAlice’spublickey

FundamentalProblem:WhoisAlice?Bob has no way to tell whether the public key he receivedbelongstoAliceornot.

5

chooseasecretacomputeA=gamodp

chooseasecretbcomputeB=gbmodp

DigitallycertificatePublickeyofBob(B)

ComputeK=Bamodp ComputeK=Abmodp

Certifying Authority

DigitallycertificatePublickeyofAlice(A)

X.509 Digital Certificates

Contains•  SerialNumber•  Issueràthecertifyingauthoritydetails•  Subjectàinformationabouttheowner(whoown’sthepublickeyforexampleAlice)•  PublicKeyàAlice’spublickey•  Validity•  SignatureàThesignatureofthecertificatesignedbythecertifyingauthority

6

7

A more practical Perspective

8

A more practical Perspective

VerifythesubjectEnsurethatthepersonapplyingforthecertificateeitherownsorrepresentstheidentityinthesubjectfield.

2,VerifyIdentityofAlice

9

A more practical Perspective

SigningdigitalcertificatesCAgeneratesadigitalsignatureforthecertificateusingitsprivatekey.Oncethesignatureisapplied,thecertificatecannotbemodified.SignaturescanbeverifiedbyanyonewiththeCA’spublickey.

2,VerifyIdentityofAlice3.DigitallySign

10

4.Alice’scertificateSignedbyCA

A more practical Perspective

Alicecanadvertisethecertificateonherwebsite

2,VerifyIdentityofAlice3.DigitallySign

11

chooseasecretacomputeA=gamodp chooseasecretb

computeB=gbmodp

Alice’scertificateSignedbyCA

ComputeK=Bamodp ComputeK=Abmodp

A more practical Perspective

Bob’scertificateSignedbyCA

Alice’scertificateBob’scertificate

Fetching certificates with openssl

12

Hostname:portheader

Certificate1

header

Certificate2

--BEGINCERTIFICATE----ENDCERTIFICATE--

Fetching certificates with openssl

13

Hostname:port

Cutandpasteinafilepaypal.pem(PEM:privacyenhancedmail)Toviewtextequivalentofthis,useopenssl x509 –in paypal.pem –text -noout

Example of X.509 Certificate (1st Part)

TheCA’sidentity(Symantec)

Theownerofthecertificate(paypal)

Example of X.509 Certificate (2nd Part)

Publickey

CA’ssignature

Who Certifies the CA?

16

TherearemanyCAsintherealworld,andtheyareorganizedinahierarchicalstructure.

Root CAs and Self-Signed Certificate

•  A root CA’s public key is also stored in an X.509 certificate. It is self-signed.

•  Self-signed:theentriesfortheissuerandthesubjectareidentical.•  Howcantheybetrusted?

•  PublickeysofrootCAsarepre-installedintheOS,browsersandothersoftware

Same

Root CAs in Mac OS

18

Intermediate CAs and Chain of Trust

Paypal’scertificate

IntermediateCA’scertificate

AisusedtoverifyB

B

A

SomethingelseisneedtoverifyA(certificatefromanotherintermediateCAorrootCA)

Fetching certificates with openssl

20

Hostname:portheader

Certificate1

header

Certificate2

--BEGINCERTIFICATE----ENDCERTIFICATE--

21

22

Manually Verifying a Certificate Chain

•  Paypal.pem:SavePaypal’scertificatetoafilecalled•  Symatec-g3.pem:Savecertificatefrom“SymantecClass3EVSSLCA–G3”•  VeriSign-G5.pem:SavetheVeriSign-G5’scertificatefromthebrowser

RootCA’scertificate

Chainofcertificates

The Entire Process

24

1.SetuptheCA

CA

25

1.SetuptheCA

CA’sselfsignedcertificate

CA’spublic-privatekey(passwordprotected)

26

1.SetuptheCA

modelCA’scertificate

Selfsigned

The Entire Process

27

1.SetuptheCA

1.GenerateKeys

CA

user

28

1.UserGenerateKeys

29

1.UserGenerateKeys

n=pxqn

Publickey(A)

Privatekey(a)

p

q

ap

aq

q-1

The Entire Process

30

1.SetuptheCA

1.GenerateKeys

CA

user

2.GenerateCSR(certisigningreq)

31

2.GenerateCSR(certisigningreq)

32

2.GenerateCSR(certisigningreq)

Signedwiththebank’sprivatekey(selfsigned)

The Entire Process

33

1.SetuptheCA

1.GenerateKeys

CA

user

2.GenerateCSR(certisigningreq) 2.CreateCertificateSendcsrfile

34

2.CreateCertificate

The Entire Process

35

1.SetuptheCA

1.GenerateKeys

CA

user

2.GenerateCSR(certisigningreq) 2.CreateCertificate

Sendcertificate

3.Deploy(httpsserver)

36

3.Deploy

The Entire Process

37

1.SetuptheCA

1.GenerateKeys

CA

user

2.GenerateCSR(certisigningreq) 2.CreateCertificate

3.Deploy(httpsserver)

client

38

clientAclientfailstoconnectbecauseitcannotverifythefirst(root)Certificate(modelCA)

39

client

AclientconnectsifthemodelCAscertificateisknown

40

https://localhost:44330

41

https://cse.iitm.ac.in:44330

42

RegistermodeCAinyoursystem(needtoselectthatyoutrustthisCA)

43

https://cse.iitm.ac.in:44330

Attacker forwards authentic certificate

44

3,VerifyIdentityofAlice4.DigitallySign

Bank.com

Attacker changes public key with her own

45

3,VerifyIdentityofAlice4.DigitallySign

RequestatCAisgoingtobefailBecausesignaturedoesnotmatchpublickey

Bank.com

Attacker sends her own public key + signature

46

3,VerifyIdentityofAlice4.DigitallySign

Verifyshouldfail

Bank.com

47

Alice’scertificateSignedbyCA

Consider this Situation

Bank.comCertificateSignedbyCA

Bank’scertificate

1.  Attackermodifiespublickeys2.  AttackerreplacesBob’scertificatewithhis/herown

48

Alice’scertificateSignedbyCA

Consider this Situation

Bank’scertificate

1.  Attackerforwardsfakecertificate2.  AttackerreplacesBob’scertificatewithhis/herown

(WhatistherequirementtohaveaMIMA?)

Bank.comCertificateSignedbyCA

Attacker Sends His/Her Own Certificate

•  Attacker’scertificateisvalid.•  BrowserchecksiftheidentityspecifiedinthesubjectfieldofthecertificatematchestheAlice’sintent.•  Thereisamismatch:attacker.com≠example.com

•  Browserterminateshandshakeprotocol:MITMfails

Emulating an MITM Attack •  DNSAttackisatypicalapproachtoachieveMITM

•  WeemulateanDNSattackbymanuallychangingthe/etc/hostsfileontheuser’smachinetomapexample.comtotheIPaddressoftheattacker’smachine.

•  Onattacker’smachinewehostawebsiteforexample.com.•  Weusetheattacker’sX.509certificatetosetuptheserver•  TheCommonnamefieldofthecertificatecontainsattacker32.com

•  Whenwevisitexample.com,wegetanerrormessage:

Attacks Surfaces on PKI

Attack on CA’s Verification Process

• CA’sjobhastwoparts:•  Verifytherelationshipbetweencertificateapplicantandthesubjectinformationinsidethecertificate

•  Putadigitalsignatureonthecertificate

•  Casestudy:ComodoBreach[March2011]•  PopularrootCA.•  TheapprovalprocessinSouthernEuropewascompromised.•  Ninecertificateswereissuedtosevendomainsandhencetheattackercouldprovidefalseattestation.

•  Oneoftheaffecteddomain(akeydomainfortheFirefoxbrowser):addons.mozilla.org

Attack on CA’s Signing Process

•  IftheCA’sprivatekeyiscompromised,attackerscansignacertificatewithanyarbitrarydatainthesubjectfield.

•  CaseStudy:theDigiNotarBreach[June-July2011]

•  AtopcommercialCA•  AttackergotDigiNotar’sprivatekey•  531roguecertificateswereissued.•  TrafficintendedforGooglesubdomainswasintercepted:MITMattack.

•  HowCAsProtectTheirPrivateKey•  HardwareSecurityModel(HSM)

Attacks on Algorithms

•  DigitalCertificatesdependontwotypesofalgorithms•  one-wayhashfunctionanddigitalsignature

•  CaseStudy:theCollision-ResistantPropertyofOne-WayHash•  AtCRYPTO2004,XiaoyunWangdemonstratedcollisionattackagainstMD5.•  InFebruary2017,GoogleResearchannouncedSHAtteredattack

•  Attackbrokethecollision-resistantpropertyofSHA-1•  TwodifferentPDFfileswiththesameSHA-1haswascreated.

• Countermeasures:usestrongeralgorithm,e.g.SHA256.

Attacks on User Confirmation

•  Afterverifyingthecertificatefromtheserver,clientsoftwareissurethatthecertificateisvalidandauthentic

•  Inaddition,thesoftwareneedstoconfirmthattheserveriswhattheuserintendstointeractwith.

•  Confirmationinvolvestwopiecesofinformation

•  Informationprovidedorapprovedbyuser•  Thecommonnamefieldinsidetheserver’scertificate•  Somesoftwaredoesnotcomparethesetwopiecesofinformation:securityflaw

Attacks on Confirmation: Case Study PhishingAttackonCommonNamewithUnicode

•  ZhengfoundoutseveralbrowsersdonotdisplaythedomainnamecorrectlyifnamecontainsUnicode.

•  xn—80ak6aa92e.comis encoded using Cyrillic characters. But domain name displayed by browser likes like apple.com

•  Attack:•  Getacertificateforxn—80ak6aa92e.com•  Getusertovisitxn—80ak6aa92e.com,sothecommonnameismatched•  User’sbrowsershowsthatthewebsiteisapple.com.Usercanbefooled.

•  Hadthebrowsertoldtheuserthattheactualdomainisnottherealapple.com,theuserwouldstop.