CNS - 25 - Asymmetric Cryptography IV
Lecture Info
Date:
Lecturer: Marco Bonola
Slides:
Introduction:
1 Public Key Infrastructure
A public key infrastructure (pki) consists of the protocols, the policies and the cryptographic mechanism used to manage the management of public key certificate.
A pki requires the definition of.
The certificate format
The relationship among CAs
Mechanisms and policies for issuing and revoking certificates
SAtorage services
In this lecture we start with the typical format for the public key certificate: X.509. Its important to note however that to define a pki there are many other things. In particular there are a set of standards which are called the PKCS family which standardize many pki related aspects.
2 X.509 Certificate
The de-factor standard format for public key certificate is the X.509 format.
2.1 High-Level Format
The high level structure of this format is shown below
As we can see, there are \(5\) main sections, which are discussed below:
Version and other data
CA identity
User identity
User public key
CA digital signature
2.1.1 Version and other Data
In this area we find the following info:
X.509 version: which can be either \(1\), \(2\) or \(3\).
Validity period: each certificate has a limited validity period, after which the certificate is no longer valid.
Serial number: used to identify in a unique way to certificate released by a CA. The \((\text{CA}, \text{serial-n})\) pair must be uniquelly identified.
Other extensions: you can insert inside the certificate other parameters and attributes.
2.1.2 CA and User Indentity
Both the CA and the user identity are expressed using the same format, which is composed of an hierarchicaly series of attributes.
Issuer, which is the identity of the CA
C=IT, ST=RM, L=Rome, O=UniRm2, OU=DIE, CN=Test CA
Subhect, which is the actual server we're trying to identify
C=IT, ST=RM, L=Rome, O=UniRm2, OU=DIE, CN=netgroup.uniroma2.it
Note that CN stands for Common Name, and it is the primary identificator. In the issuer field it is the name of the CA, while in the subject field it is the name of the entity which is crypto binded to the public key.
2.1.3 User Public Key
The most important field inside a public key certificate is the public key of the subject of the certificate.
The format of this field depends on the particular public key algorithm being used. To give a few examples:
If we use RSA, then in the certificate we find:
The modulus \(N\)
A field length in bit
The public exponent
If we use DH, we find the specific public parameters used in DH.
2.1.4 CA Digital Signature
All the data previously mentioned is then signed by the CA and the obtaiend signature is put in this last field of the certificate.
Whenever a user wants to verify the authenticity of the certificate he/she simply needs to decrypt the signature with the public key of the certificate, compute the hash of the rest of the certificate and compare the two results obtained: if they match then the certificate is valid, otherwise it was tampered.
2.2 Real Example
Here is reported a real certificate taken from wikipedia
2.3 Wildcard Certificates
A wildcard certificate is a public key certificate which can be used with multiple (all possible) sub-domains of a particular domain.
Such certificate has a * simbol in the CN field.
3 Certificate Signing Request
Suppose you have to buy a certificate, how can you do that? How can we request a certificate? To solve this problem there are two possible approaches:
A totally centralized approach in which the CA generates both the public and private key, signs the certificate and gives you everything. While this approach is ok for, example, using VPNs, it is not ideal for all possible scenarios. We thus need another way.
The other approach is called the certificate signing request, and it consists in sending a particular message (called CSR or certification request) form an applicant to a certificate authority which is used to ask for the generation of a new certificate.
The certificate signing request process is described as follows:
The applicant first generates a key pair, keeping the private key secret;
The applicant generates a CSR which contains information identify the applicant itself (X.509 subject field), optional x.509 extensions and the public key choosen by the applicant. The CSR is also signed with the private key of the applicant to guarantee that the request is a legit request.
The CA needs to verify that the applicannt actually owns the identity declared in the CSR. This particular process is not standardized, but there are various ways to do this.
3.1 X.509V3 Extensions
When a CA emits a X.509 certificate following a valid CSR, it can add to the certificate various extensions.
Certificate extensions provide a way of adding information such as alternative subject names and usage restrictions to certificates. Some well known extensions are the following.
Authority Key Identifier: provides a means of identifying the public key corresponding to the private key used to sign a certificate.
Subject Key Identifier: provides a means of identfying certificates that contain a particular public key.
Key Usage: defines the purpose (encipherment, signature, certificate signing) of the key contained in the certificate.
Subject Alternative Name:
Extended Key Usage:
Basic Contraint Extension: describes whether the certificate is a CA certificate or an end entity certification.
For the complete list check the standard.
3.2 Root Certificates
How do we verify a certification authority? This is done by creating a hierarchy of certification authorities, where each CA is certified by another CA at a layer above. The CAs which stand on the top of this hierarhcy are called root CAs and they are certified by the so-called root certificates.
The main different bewteen a root CAs and a non-root CAs is that, by definition, a root CA is a certification authority that necessarily certifies its own identity.
Root certificates are thus self-signed certificates. These certificates have the following properties:
The subject is the same as the issuer
The private key with which the certificate is signed is the one associated with the public key inserted in the certificate. That is, the authority key identifier is the same as the subject key identifier.
Once again the problem shifts: how can we now trust a root certificate? Root certificates have to be securely distributed and stored. They are built-in in the OS and cannot be added/removed by unprivileged users.
3.3 Certificate Chains
In many real world application scenarios the end user certificate is not issued by a root certificate. There are many reasons for this, but we can just say that it is done for the sake of scalability.
The idea is that we can have one (or more) intermediate certification authorities which are involved in the end user certification process.
Root CAs and intermediate CAs are not necesarily administrated by the same entity.
To allow this behavior certificate chains are used. A certificate chain is a list of certificates followed by one or emroe CA certificates with the following properties:
The issuer of the each certificate (expect the last one) matches the subject of the next certificate in the list.
Each certificate is supposed to be signed by the secret key corresponding to the next certificate in the chain.
The last certificate in the list is a root certificate.
The usage of certificate chain simplifies the key management and certificate monitoring by "grouping" CAs into a tree-like structure. When your browser connect to a site and sets up a TLS connection you thus not only check the server's certificate, but rather the entire chain of certificates.
3.3.1 Is chaining dangerous?
Notice that, in theroy, once we have obtained a real certificate we can think of creating fake certificates for real domains and sign them with the private key associated to the public one in our certificate
In pratice this attack is not possible, because we can use X.509 extensions to make sure that a private key cannot be used for signing new certificates.
3.4 Certificate Revocation
A pki must include mechanisms for handling compromised certificates, such as when the private key associated to the public key has been disclosed, or lost, or simply not used anymore.
The two major approaches used for this are:
Validity period for a certificate
Explicit revocation
3.4.1 Certificate Revocation List (CRL)
The basic idea is that every CA must regularly publish a list of certificates that the CA has revoked.
Such list must include:
The issuer
Last update date
Next update date
List of serial numbers revoked, along with revocation date
CA digital signature
To actually find the particular server which exposes such information you can look inside the extended field of a X.509 certificate.
4 OpenSSL: Creating a Certificate Chain
OpenSSL is a cryptographic toolkit implementing SSL/TLS and related cryptography standards required by them.
The main components of OpenSSL are:
libcrypto, a cryptography C library
libssl, SSL/TLS protocol library
openssl program
The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for:
Creation and management of private/public keys
Public key crypto operations
Creation of X.509 certificates, CSRs and CRLs
Calculation of Message Digests
Encryption and Decryption with ciphers
SSL/TLS client and server tests
Handling of S/Mime signed or encrypted mail
In this example we will create a CA and sign certificate request with it. In particular we will implement the following workflow:
Generate the RSA key pair ofr our root CA
Create a self-sigend certificate for our root CA
Generate the RSA key pair for our intermediate CA
Generate a CSR for the intermediate CA
Sign the CSR with the root CA private key
Generate the RSA key pair for the web server
Generate a CSR for the web server
Sign the CSR with the intermediate CA private key
4.1 Create CA keys
Prepare our CA folder and the serial number file
mkdir CA cd /CA echo -e "01\n" > serial
Create the CA key pair
openssl genrsa -out root.key
When we run this command openssl generates a public/private key pair and encodes them in base64. To actually read them you can do the following
openssl rsa -in root.key -text
Observation 1: When using RSA typically the public key is the number \(65537\). Using this and some other numbers does not weaken the security at all of the system.
Observation 2: Openssl uses the CRT-RSA variant, as defined in the standard PKCS1. This variant uses the Chinese Remainder Theorem to speed up the computation.
4.2 Generate the root certificate
To generate the root certificate, which will be self-signed with the key we have just created, we can do the following.
openssl req -new -x509 -days 1460 -key root.key -out root.crt
Note that in this case we need both the public key as well as the private one, since we are self-signing the certificate. Both of these keys are contained in root.key.
When we execute this code the program will asks us for:
The Country name
The State (or province name)
The Locality name
The Organization name
The Organizational Unit name
The Common Name
The Email address
When it ends it will have generated the root certificate in the file root.crt. Once again if we want to read the decoded version of the certificate we can execute
openssl x509 -in root.crt -text
4.3 Certificate profiles
Openssl automatically applies the root CA profile to all self-signed certificates.
For the intermediate and user certificates we need to explicitly specify a certificate profile. Profiles are (usually) specified in the openssl configuration file. In ubuntu distros this is in /etc/ssl/openssl.cnf.
4.4 Intermadiate CA keys and CSR
We are now acting as the intermediate authority.
To generate a public/private key pair we do as we did before
openssl genrsa -out intermediate.key
Then instead of creating a self-signed certificate we will create a CSR, which will later be signed be signed by the CA private key
openssl req -new -key intermediate.key -out intermediate.csr
When we execute this commands a series of information will be asked like before. We might also get asked for a challenge password. This password is asked to you by the CA when you want to revoke a certificate. In pratice however this is never used.
To read our CSR we can do
openssl req -in intermediate.csr -text
The intermediate then sends this to the CA to transform the CSR into an actual X.509 certificate. To do this in pratice however we first have to add the following profile extension in the config file /etc/ssl/openssl.cnf.
[ v3_intermediate_ca ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true, pathlen:0 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
The signing then is done as follows
openssl x509 -req -in intermediate.csr -out intermediate.crt -CA root.crt -CAkey root.key -Caserial serial -days 365 -extfile /etc/ssl/openssl.cnf -extensions v3_intermediate_ca
To check the newley generated certificate
openssl x509 -in intermediate.crt -text
4.5 Web Server keys and CSR
Finally, let us now impersonate the web server owner.
We generate our keys as usual
openssl genrsa -out server.key
We then issue a new CSR. In this case only the public key is inserted in the certificate, while the private key is used to sign it.
openssl req -new -key server.key -out server.csr
Note that during the issuing of a new CSR, the Common Name has to be the URL of the website we want to protect with SSL/TLS.
4.6 Server's CSR Signing
Finally, we use the intermediate CA to sign the CSR generated by the web server.
openssl x509 -req -in server.csr -out server.crt -CA intermediate.crt -CAkey intermediate.key -CAserial serial -days 365 -extfile /etc/ssl/openssl.cnf -extensions usr_cert
To check the newly created certificate we can do the following
openssl x509 -in server.crt -text
4.7 Create the Certificate Chain
Some applications such as apache2 may require a sinngle file containing the CA certificate bundle, which is the chain root->intermediate.
To create the chain we simply need to concatenate the certificates one after the other
cat root.crt intermediate.crt > chain.crt