Network Security Notes

Published on June 2016


digital envelope
When using secret-key cryptosystems, users must first agree on a session key, that is, a secret key to be used for the duration of one message or communication session. In completing this task there is a risk the key will be intercepted during transmission. This is part of the key management problem (see Section 4. ). Public-key cryptography offers an attractive solution to this problem within a framework called a digital envelope.

The digital envelope consists of a message encrypted using secret-key cryptography and an encrypted secret key. While digital envelopes usually use public-key cryptography to encrypt the secret key, this is not necessary. If Alice and Bob have an established secret key, they could use this to encrypt the secret key in the digital envelope.

Suppose Alice wants to send a message to Bob using secret-key cryptography for message encryption and public-key cryptography to transfer the message encryption key. Alice chooses a secret key and encrypts the message with it, then encrypts the secret key using Bob's public key. She sends Bob both the encrypted secret key and the encrypted message. When Bob wants to read the message he decrypts the secret key, using his private key, and then decrypts the message, using the secret key. In a multi-addressed communications environment such as e-mail, this can be extended directly and usefully. If Alice's message is intended for both Bob and Carol, the message encryption key can be represented concisely in encrypted forms for Bob and for Carol, along with a single copy of the message's content encrypted under that message encryption key.

Alice and Bob may use this key to encrypt just one message or they may use it for an extended communication. One of the nice features about this technique is they may switch secret keys as frequently as they would like. Switching keys often is beneficial because it is more difficult for an adversary to find a key that is only used for a short period of time (see Question 4. .-.. for more information on the life cycle of a key).

Not only do digital envelopes help solve the key management problem, they increase performance (relative to using a public-key system for direct encryption of message data) without sacrificing security. The increase in performance is obtained by using a secret-key cryptosystem to encrypt the large and variably sized amount of message data, reserving public-key cryptography for encryption of short-length keys. In general, secret-key cryptosystems are much faster than public-key cryptosystems. The digital envelope technique is a method of key exchange, but not all key exchange protocols use digital envelopes (see Question -.-..).

How PGP works

The following text is taken from chapter 1 of the document Introduction to Cryptography in the PGP 6.5.1 documentation. Copyright 1990-1999 Network Associates, Inc. and its Affiliated Companies. All Rights Reserved. Converted from PDF to HTML at http://access.adobe.com/ and then manually edited by hand.

• The Basics of Cryptography
  o Encryption and decryption
  o What is cryptography?
  o Strong cryptography
  o How does cryptography work?
  o Conventional cryptography
    - Caesar's Cipher
    - Key management and conventional encryption
  o Public key cryptography
  o How PGP works
  o Keys
  o Digital signatures
    - Hash functions
  o Digital certificates
    - Certificate distribution
    - Certificate formats
  o Validity and trust
    - Checking validity
    - Establishing trust
    - Trust models
  o Certificate Revocation
    - Communicating that a certificate has been revoked
  o What is a passphrase?
  o Key splitting

The Basics of Cryptography

When Julius Caesar sent messages to his generals, he didn't trust his messengers. So he replaced every A in his messages with a D, every B with an E, and so on through the alphabet. Only someone who knew the "shift by 3" rule could decipher his messages. And so we begin.

Encryption and decryption
Data that can be read and understood without any special measures is called plaintext or cleartext. The method of disguising plaintext in such a way as to hide its substance is called encryption. Encrypting plaintext results in unreadable gibberish called ciphertext. You use encryption to ensure that information is hidden from anyone for whom it is not intended, even those who can see the encrypted data. The process of reverting ciphertext to its original plaintext is called decryption. Figure 1-1 illustrates this process.

Figure 1-1. Encryption and decryption

What is cryptography?
Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables you to store sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient. While cryptography is the science of securing data, cryptanalysis is the science of analyzing and breaking secure communication. Classical cryptanalysis involves an interesting combination of analytical reasoning, application of mathematical tools, pattern finding, patience, determination, and luck. Cryptanalysts are also called attackers. Cryptology embraces both cryptography and cryptanalysis.

Strong cryptography
"There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter." --Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C.

PGP is also about the latter sort of cryptography. Cryptography can be strong or weak, as explained above. Cryptographic strength is measured in the time and resources it would require to recover the plaintext. The result of strong cryptography is ciphertext that is very difficult to decipher without possession of the appropriate decoding tool. How difficult? Given all of today's computing power and available time – even a billion computers doing a billion checks a second – it is not possible to decipher the result of strong cryptography before the end of the universe.

One would think, then, that strong cryptography would hold up rather well against even an extremely determined cryptanalyst. Who's really to say? No one has proven that the strongest encryption obtainable today will hold up under tomorrow's computing power. However, the strong cryptography employed by PGP is the best available today. Vigilance and conservatism will protect you better, however, than claims of impenetrability.

How does cryptography work?
A cryptographic algorithm, or cipher, is a mathematical function used in the encryption and decryption process. A cryptographic algorithm works in combination with a key – a word, number, or phrase – to encrypt the plaintext. The same plaintext encrypts to different ciphertext with different keys. The security of encrypted data is entirely dependent on two things: the strength of the cryptographic algorithm and the secrecy of the key. A cryptographic algorithm, plus all possible keys and all the protocols that make it work comprise a cryptosystem. PGP is a cryptosystem.

Conventional cryptography
In conventional cryptography, also called secret-key or symmetric-key encryption, one key is used both for encryption and decryption. The Data Encryption Standard (DES) is an example of a conventional cryptosystem that is widely employed by the Federal Government. Figure 1-2 is an illustration of the conventional encryption process.

Figure 1-2. Conventional encryption

Caesar's Cipher
An extremely simple example of conventional cryptography is a substitution cipher. A substitution cipher substitutes one piece of information for another. This is most frequently done by offsetting letters of the alphabet. Two examples are Captain Midnight's Secret Decoder Ring, which you may have owned when you were a kid, and Julius Caesar's cipher. In both cases, the algorithm is to offset the alphabet and the key is the number of characters to offset it. For example, if we encode the word "SECRET" using Caesar's key value of 3, we offset the alphabet so that the 3rd letter down (D) begins the alphabet. So starting with ABCDEFGHIJKLMNOPQRSTUVWXYZ and sliding everything up by 3, you get DEFGHIJKLMNOPQRSTUVWXYZABC where D=A, E=B, F=C, and so on. Using this scheme, the plaintext, "SECRET" encrypts as "VHFUHW." To allow someone else to read the ciphertext, you tell them that the key is 3. Obviously, this is exceedingly weak cryptography by today's standards, but hey, it worked for Caesar, and it illustrates how conventional cryptography works.
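The SECRET example above as runnable Go, added here as an illustration (it is not part of the PGP documentation). The function names are chosen for this example; FindKey walks all 25 possible offsets to show how small the keyspace is.

```go
package main

import (
	"fmt"
	"strings"
)

// shift rotates each letter A-Z by k positions (mod 26). Other characters
// pass through unchanged. Input is upper-cased first, as in the page's example.
func shift(text string, k int) string {
	k = ((k % 26) + 26) % 26 // normalise the negative offsets used for decryption
	var b strings.Builder
	for _, r := range strings.ToUpper(text) {
		if r >= 'A' && r <= 'Z' {
			r = 'A' + (r-'A'+rune(k))%26
		}
		b.WriteRune(r)
	}
	return b.String()
}

// Encrypt and Decrypt are the same algorithm; the key is the offset.
func Encrypt(plaintext string, key int) string  { return shift(plaintext, key) }
func Decrypt(ciphertext string, key int) string { return shift(ciphertext, -key) }

// Candidates decrypts the ciphertext under every non-zero key. The whole
// keyspace is 25 values, so the complete list fits on one screen.
func Candidates(ciphertext string) map[int]string {
	out := make(map[int]string, 25)
	for k := 1; k <= 25; k++ {
		out[k] = Decrypt(ciphertext, k)
	}
	return out
}

// FindKey returns the first key whose decryption contains one of the expected
// words. No secret is needed: the algorithm is known and the key is tiny.
func FindKey(ciphertext string, expected []string) (int, bool) {
	for k := 1; k <= 25; k++ {
		candidate := Decrypt(ciphertext, k)
		for _, w := range expected {
			if strings.Contains(candidate, strings.ToUpper(w)) {
				return k, true
			}
		}
	}
	return 0, false
}

func main() {
	c := Encrypt("SECRET", 3)
	fmt.Println(c, "decrypts to", Decrypt(c, 3))
	k, ok := FindKey(c, []string{"secret", "attack", "key"}) // constructed word list
	fmt.Println("key recovered by trying every offset:", k, ok)
}
```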

Key management and conventional encryption
Conventional encryption has benefits. It is very fast. It is especially useful for encrypting data that is not going anywhere. However, conventional encryption alone as a means for transmitting secure data can be quite expensive simply due to the difficulty of secure key distribution.

Recall a character from your favorite spy movie: the person with a locked briefcase handcuffed to his or her wrist. What is in the briefcase, anyway? It's probably not the missile launch code/biotoxin formula/invasion plan itself. It's the key that will decrypt the secret data.

For a sender and recipient to communicate securely using conventional encryption, they must agree upon a key and keep it secret between themselves. If they are in different physical locations, they must trust a courier, the Bat Phone, or some other secure communication medium to prevent the disclosure of the secret key during transmission. Anyone who overhears or intercepts the key in transit can later read, modify, and forge all information encrypted or authenticated with that key. From DES to Captain Midnight's Secret Decoder Ring, the persistent problem with conventional encryption is key distribution: how do you get the key to the recipient without someone intercepting it?

Public key cryptography
The problems of key distribution are solved by public key cryptography, the concept of which was introduced by Whitfield Diffie and Martin Hellman in 1975. (There is now evidence that the British Secret Service invented it a few years before Diffie and Hellman, but kept it a military secret – and did nothing with it. [J H Ellis: The Possibility of Secure Non-Secret Digital Encryption, CESG Report, January 1970])

Public key cryptography is an asymmetric scheme that uses a pair of keys for encryption: a public key, which encrypts data, and a corresponding private, or secret key for decryption. You publish your public key to the world while keeping your private key secret. Anyone with a copy of your public key can then encrypt information that only you can read. Even people you have never met. It is computationally infeasible to deduce the private key from the public key. Anyone who has a public key can encrypt information but cannot decrypt it. Only the person who has the corresponding private key can decrypt the information.

Figure 1-3. Public key encryption

The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely. The need for sender and receiver to share secret keys via some secure channel is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared. Some examples of public-key cryptosystems are Elgamal (named for its inventor, Taher Elgamal), RSA (named for its inventors, Ron Rivest, Adi Shamir, and Leonard Adleman), Diffie-Hellman (named, you guessed it, for its inventors), and DSA, the Digital Signature Algorithm (invented by David Kravitz).

Because conventional cryptography was once the only available means for relaying secret information, the expense of secure channels and key distribution relegated its use only to those who could afford it, such as governments and large banks (or small children with secret decoder rings). Public key encryption is the technological revolution that provides strong cryptography to the adult masses. Remember the courier with the locked briefcase handcuffed to his wrist? Public-key encryption puts him out of business (probably to his relief).

How PGP works
PGP combines some of the best features of both conventional and public key cryptography. PGP is a hybrid cryptosystem. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security. Most cryptanalysis techniques exploit patterns found in the plaintext to crack the cipher. Compression reduces these patterns in the plaintext, thereby greatly enhancing resistance to cryptanalysis. (Files that are too short to compress or which don't compress well aren't compressed.)

PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.

Figure 1-4. How PGP encryption works

Decryption works in the reverse. The recipient's copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally-encrypted ciphertext.

Figure 1-5. How PGP decryption works

The combination of the two encryption methods combines the convenience of public key encryption with the speed of conventional encryption. Conventional encryption is about 1,000 times faster than public key encryption. Public key encryption in turn provides a solution to key distribution and data transmission issues. Used together, performance and key distribution are improved without any sacrifice in security.
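A sketch in Go of the hybrid scheme just described, which is also the digital envelope from the start of these notes with two recipients (Bob and Carol). It is an added example, not PGP's code or message format: AES-256-GCM, RSA-OAEP, DEFLATE, the operating system's random generator and the Envelope layout are assumptions standing in for PGP's own algorithms, mouse and keystroke entropy, and packet format.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

const SampleMessage = "Constructed sample: staging keys rotate on Friday. Staging keys rotate on Friday."

type Recipients map[string]*rsa.PublicKey // recipient name to public key

// Envelope holds one encrypted copy of the message plus one wrapped copy of
// the session key per recipient (layout assumed for this example).
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM over the compressed plaintext
	WrappedKeys map[string][]byte // recipient name to RSA-OAEP(session key)
}

func NewKeyPair() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // no usable system randomness
	}
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal compresses the message, encrypts it once under a fresh session key, then wraps that key per recipient.
func Seal(plaintext []byte, to Recipients) (*Envelope, error) {
	var z bytes.Buffer
	w, _ := flate.NewWriter(&z, flate.BestCompression) // constant, valid level
	w.Write(plaintext)                                 // writes to a bytes.Buffer do not fail
	w.Close()
	buf := make([]byte, 32+12) // one-time session key and GCM nonce from the OS CSPRNG
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, WrappedKeys: map[string][]byte{}}
	env.Ciphertext = gcm.Seal(nil, nonce, z.Bytes(), nil)
	for name, pub := range to {
		// The recipient name is the OAEP label, so a wrapped key cannot be relabelled.
		k, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, []byte(name))
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = k
	}
	return env, nil
}

// Open reverses Seal: private key recovers the session key, which decrypts and then decompresses the message.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[name]
	if !ok {
		return nil, fmt.Errorf("no wrapped session key for %q", name)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(name))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	compressed, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err // wrong session key or modified ciphertext
	}
	return io.ReadAll(flate.NewReader(bytes.NewReader(compressed)))
}

func main() {
	bob, carol := NewKeyPair(), NewKeyPair()
	env, err := Seal([]byte(SampleMessage), Recipients{"bob": &bob.PublicKey, "carol": &carol.PublicKey})
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, "carol", carol)
	fmt.Println(len(env.WrappedKeys), "wrapped keys, 1 ciphertext; carol reads:", string(pt), err)
}
```

Only the 32-byte session key goes through the slow public-key operation, once per recipient; the message body is encrypted a single time regardless of how many recipients there are.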

Keys
A key is a value that works with a cryptographic algorithm to produce a specific ciphertext. Keys are basically really, really, really big numbers. Key size is measured in bits; the number representing a 1024-bit key is darn huge. In public key cryptography, the bigger the key, the more secure the ciphertext.

However, public key size and conventional cryptography's secret key size are totally unrelated. A conventional 80-bit key has the equivalent strength of a 1024-bit public key. A conventional 128-bit key is equivalent to a 3000-bit public key. Again, the bigger the key, the more secure, but the algorithms used for each type of cryptography are very different and thus comparison is like that of apples to oranges.

While the public and private keys are mathematically related, it's very difficult to derive the private key given only the public key; however, deriving the private key is always possible given enough time and computing power. This makes it very important to pick keys of the right size; large enough to be secure, but small enough to be applied fairly quickly. Additionally, you need to consider who might be trying to read your files, how determined they are, how much time they have, and what their resources might be.

Larger keys will be cryptographically secure for a longer period of time. If what you want to encrypt needs to be hidden for many years, you might want to use a very large key. Of course, who knows how long it will take to determine your key using tomorrow's faster, more efficient computers? There was a time when a 56-bit symmetric key was considered extremely safe.

Keys are stored in encrypted form. PGP stores the keys in two files on your hard disk; one for public keys and one for private keys. These files are called keyrings. As you use PGP, you will typically add the public keys of your recipients to your public keyring. Your private keys are stored on your private keyring. If you lose your private keyring, you will be unable to decrypt any information encrypted to keys on that ring.

Digital signatures
A major benefit of public key cryptography is that it provides a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact. Thus, public key digital signatures provide authentication and data integrity. A digital signature also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information. These features are every bit as fundamental to cryptography as privacy, if not more.

A digital signature serves the same purpose as a handwritten signature. However, a handwritten signature is easy to counterfeit. A digital signature is superior to a handwritten signature in that it is nearly impossible to counterfeit, plus it attests to the contents of the information as well as to the identity of the signer.

Some people tend to use signatures more than they use encryption. For example, you may not care if anyone knows that you just deposited $1000 in your account, but you do want to be darn sure it was the bank teller you were dealing with.

The basic manner in which digital signatures are created is illustrated in Figure 1-6. Instead of encrypting information using someone else's public key, you encrypt it with your private key. If the information can be decrypted with your public key, then it must have originated with you.

Figure 1-6. Simple digital signatures

Hash functions
The system described above has some problems. It is slow, and it produces an enormous volume of data – at least double the size of the original information. An improvement on the above scheme is the addition of a one-way hash function in the process. A one-way hash function takes variable-length input – in this case, a message of any length, even thousands or millions of bits – and produces a fixed-length output; say, 160-bits. The hash function ensures that, if the information is changed in any way – even by just one bit – an entirely different output value is produced.

PGP uses a cryptographically strong hash function on the plaintext the user is signing. This generates a fixed-length data item known as a message digest. (Again, any change to the information results in a totally different digest.)

Then PGP uses the digest and the private key to create the "signature." PGP transmits the signature and the plaintext together. Upon receipt of the message, the recipient uses PGP to recompute the digest, thus verifying the signature. PGP can encrypt the plaintext or not; signing plaintext is useful if some of the recipients are not interested in or capable of verifying the signature.

As long as a secure hash function is used, there is no way to take someone's signature from one document and attach it to another, or to alter a signed message in any way. The slightest change in a signed document will cause the digital signature verification process to fail.

Figure 1-7. Secure digital signatures

Digital signatures play a major role in authenticating and validating other PGP users' keys.
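The hash-then-sign flow above, as an added Go example (not code from PGP or its documentation). It assumes SHA-256 and ECDSA P-256 in place of the 160-bit hash and the RSA or DSA keys PGP used; the sample message and the function names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/bits"
)

// SampleMessage is constructed for this example.
const SampleMessage = "Deposit $1000 to account 12-3456 (constructed sample)"

// NewSigner generates a P-256 key pair.
func NewSigner() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable system randomness
	}
	return key
}

// Sign hashes the message to a fixed-length digest and signs only the digest,
// so the signature size does not grow with the message.
func Sign(priv *ecdsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest from the message as received and checks the
// signature over that digest with the signer's public key.
func Verify(pub *ecdsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return ecdsa.VerifyASN1(pub, digest[:], signature)
}

// FlipBit returns a copy of msg with a single bit inverted.
func FlipBit(msg []byte, bit int) []byte {
	out := append([]byte(nil), msg...)
	out[bit/8] ^= 1 << (bit % 8)
	return out
}

// DigestBitsChanged counts how many of the 256 digest bits differ between
// the digests of a and b.
func DigestBitsChanged(a, b []byte) int {
	da, db := sha256.Sum256(a), sha256.Sum256(b)
	n := 0
	for i := range da {
		n += bits.OnesCount8(da[i] ^ db[i])
	}
	return n
}

func main() {
	bank, other := NewSigner(), NewSigner()
	msg := []byte(SampleMessage)
	sig, err := Sign(bank, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature bytes:", len(sig), "for a", len(msg), "byte message")
	fmt.Println("genuine message:", Verify(&bank.PublicKey, msg, sig))
	fmt.Println("one bit flipped:", Verify(&bank.PublicKey, FlipBit(msg, 0), sig))
	fmt.Println("moved to another document:", Verify(&bank.PublicKey, []byte("Withdraw $1000"), sig))
	fmt.Println("checked with the wrong key:", Verify(&other.PublicKey, msg, sig))
	fmt.Println("digest bits changed by one flipped bit:", DigestBitsChanged(msg, FlipBit(msg, 0)), "of 256")
}
```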

Digital certificates
One issue with public key cryptosystems is that users must be constantly vigilant to ensure that they are encrypting to the correct person's key. In an environment where it is safe to freely exchange keys via public servers, man-in-the-middle attacks are a potential threat. In this type of attack, someone posts a phony key with the name and user ID of the user's intended recipient. Data encrypted to – and intercepted by – the true owner of this bogus key is now in the wrong hands.

In a public key environment, it is vital that you are assured that the public key to which you are encrypting data is in fact the public key of the intended recipient and not a forgery. You could simply encrypt only to those keys which have been physically handed to you. But suppose you need to exchange information with people you have never met; how can you tell that you have the correct key?

Digital certificates, or certs, simplify the task of establishing whether a public key truly belongs to the purported owner.

A certificate is a form of credential. Examples might be your driver's license, your social security card, or your birth certificate. Each of these has some information on it identifying you and some authorization stating that someone else has confirmed your identity. Some certificates, such as your passport, are important enough confirmation of your identity that you would not want to lose them, lest someone use them to impersonate you.

A digital certificate is data that functions much like a physical certificate. A digital certificate is information included with a person's public key that helps others verify that a key is genuine or valid. Digital certificates are used to thwart attempts to substitute one person's key for another.

A digital certificate consists of three things:
• A public key.
• Certificate information. ("Identity" information about the user, such as name, user ID, and so on.)
• One or more digital signatures.

The purpose of the digital signature on a certificate is to state that the certificate information has been attested to by some other person or entity. The digital signature does not attest to the authenticity of the certificate as a whole; it vouches only that the signed identity information goes along with, or is bound to, the public key. Thus, a certificate is basically a public key with one or two forms of ID attached, plus a hearty stamp of approval from some other trusted individual.

Figure 1-8. Anatomy of a PGP certificate

Certificate distribution
Certificates are utilized when it's necessary to exchange public keys with someone else. For small groups of people who wish to communicate securely, it is easy to manually exchange diskettes or emails containing each owner's public key. This is manual public key distribution, and it is practical only to a certain point. Beyond that point, it is necessary to put systems into place that can provide the necessary security, storage, and exchange mechanisms so coworkers, business partners, or strangers could communicate if need be. These can come in the form of storage-only repositories called Certificate Servers, or more structured systems that provide additional key management features and are called Public Key Infrastructures (PKIs).

Certificate servers
A certificate server, also called a cert server or a key server, is a database that allows users to submit and retrieve digital certificates. A cert server usually provides some administrative features that enable a company to maintain its security policies – for example, allowing only those keys that meet certain requirements to be stored.

Public Key Infrastructures
A PKI contains the certificate storage facilities of a certificate server, but also provides certificate management facilities (the ability to issue, revoke, store, retrieve, and trust certificates). The main feature of a PKI is the introduction of what is known as a Certification Authority, or CA, which is a human entity – a person, group, department, company, or other association – that an organization has authorized to issue certificates to its computer users. (A CA's role is analogous to a country's government's Passport Office.) A CA creates certificates and digitally signs them using the CA's private key. Because of its role in creating certificates, the CA is the central component of a PKI. Using the CA's public key, anyone wanting to verify a certificate's authenticity verifies the issuing CA's digital signature, and hence, the integrity of the contents of the certificate (most importantly, the public key and the identity of the certificate holder).

Certificate formats
A digital certificate is basically a collection of identifying information bound together with a public key and signed by a trusted third party to prove its authenticity. A digital certificate can be one of a number of different formats. PGP recognizes two different certificate formats:
• PGP certificates
• X.509 certificates

PGP certificate format
A PGP certificate includes (but is not limited to) the following information:
• The PGP version number – this identifies which version of PGP was used to create the key associated with the certificate.
• The certificate holder's public key – the public portion of your key pair, together with the algorithm of the key: RSA, DH (Diffie-Hellman), or DSA (Digital Signature Algorithm).
• The certificate holder's information – this consists of "identity" information about the user, such as his or her name, user ID, photograph, and so on.
• The digital signature of the certificate owner – also called a self-signature, this is the signature using the corresponding private key of the public key associated with the certificate.
• The certificate's validity period – the certificate's start date/time and expiration date/time; indicates when the certificate will expire.
• The preferred symmetric encryption algorithm for the key – indicates the encryption algorithm to which the certificate owner prefers to have information encrypted. The supported algorithms are CAST, IDEA or Triple-DES.

You might think of a PGP certificate as a public key with one or more labels tied to it (see Figure 1-9). On these 'labels' you'll find information identifying the owner of the key and a signature of the key's owner, which states that the key and the identification go together. (This particular signature is called a self-signature; every PGP certificate contains a self-signature.)

One unique aspect of the PGP certificate format is that a single certificate can contain multiple signatures. Several or many people may sign the key/identification pair to attest to their own assurance that the public key definitely belongs to the specified owner. If you look on a public certificate server, you may notice that certain certificates, such as that of PGP's creator, Phil Zimmermann, contain many signatures.

Some PGP certificates consist of a public key with several labels, each of which contains a different means of identifying the key's owner (for example, the owner's name and corporate email account, the owner's nickname and home email account, a photograph of the owner – all in one certificate). The list of signatures of each of those identities may differ; signatures attest to the authenticity that one of the labels belongs to the public key, not that all the labels on the key are authentic. (Note that 'authentic' is in the eye of its beholder – signatures are opinions, and different people devote different levels of due diligence in checking authenticity before signing a key.)

Figure 1-9. A PGP certificate

X.509 certificate format
X.509 is another very common certificate format. All X.509 certificates comply with the ITU-T X.509 international standard; thus (theoretically) X.509 certificates created for one application can be used by any application complying with X.509. In practice, however, different companies have created their own extensions to X.509 certificates, not all of which work together.

A certificate requires someone to validate that a public key and the name of the key's owner go together. With PGP certificates, anyone can play the role of validator. With X.509 certificates, the validator is always a Certification Authority or someone designated by a CA. (Bear in mind that PGP certificates also fully support a hierarchical structure using a CA to validate certificates.)

An X.509 certificate is a collection of a standard set of fields containing information about a user or device and their corresponding public key. The X.509 standard defines what information goes into the certificate, and describes how to encode it (the data format). All X.509 certificates have the following data:
• The X.509 version number – this identifies which version of the X.509 standard applies to this certificate, which affects what information can be specified in it. The most current is version 3.
• The certificate holder's public key – the public key of the certificate holder, together with an algorithm identifier which specifies which cryptosystem the key belongs to and any associated key parameters.
• The serial number of the certificate – the entity (application or person) that created the certificate is responsible for assigning it a unique serial number to distinguish it from other certificates it issues. This information is used in numerous ways; for example when a certificate is revoked, its serial number is placed in a Certificate Revocation List or CRL.
• The certificate holder's unique identifier – (or DN - distinguished name). This name is intended to be unique across the Internet. A DN consists of multiple subsections and may look something like this: CN=Bob Allen, OU=Total Network Security Division, O=Network Associates, Inc., C=US (These refer to the subject's Common Name, Organizational Unit, Organization, and Country.)
• The certificate's validity period – the certificate's start date/time and expiration date/time; indicates when the certificate will expire.
• The unique name of the certificate issuer – the unique name of the entity that signed the certificate. This is normally a CA. Using the certificate implies trusting the entity that signed this certificate. (Note that in some cases, such as root or top-level CA certificates, the issuer signs its own certificate.)
• The digital signature of the issuer – the signature using the private key of the entity that issued the certificate.
• The signature algorithm identifier – identifies the algorithm used by the CA to sign the certificate.

There are many differences between an X.509 certificate and a PGP certificate, but the most salient are as follows:
• you can create your own PGP certificate; you must request and be issued an X.509 certificate from a Certification Authority
• X.509 certificates natively support only a single name for the key's owner
• X.509 certificates support only a single digital signature to attest to the key's validity

To obtain an X.509 certificate, you must ask a CA to issue you a certificate. You provide your public key, proof that you possess the corresponding private key, and some specific information about yourself. You then digitally sign the information and send the whole package - the certificate request - to the CA. The CA then performs some due diligence in verifying that the information you provided is correct, and if so, generates the certificate and returns it.

You might think of an X.509 certificate as looking like a standard paper certificate (similar to one you might have received for completing a class in basic First Aid) with a public key taped to it. It has your name and some information about you on it, plus the signature of the person who issued it to you.

Figure 1-10. An X.509 certificate

Probably the most widely visible use of X.509 certificates today is in web browsers.

Validity and trust
Every user in a public key system is vulnerable to mistaking a phony key (certificate) for a real one. Validity is confidence that a public key certificate belongs to its purported owner. Validity is essential in a public key environment where you must constantly establish whether or not a particular certificate is authentic.

When you've assured yourself that a certificate belonging to someone else is valid, you can sign the copy on your keyring to attest to the fact that you've checked the certificate and that it's an authentic one. If you want others to know that you gave the certificate your stamp of approval, you can export the signature to a certificate server so that others can see it.

As described in the section Public Key Infrastructures, some companies designate one or more Certification Authorities (CAs) to indicate certificate validity. In an organization using a PKI with X.509 certificates, it is the job of the CA to issue certificates to users - a process which generally entails responding to a user's request for a certificate. In an organization using PGP certificates without a PKI, it is the job of the CA to check the authenticity of all PGP certificates and then sign the good ones.

Basically, the main purpose of a CA is to bind a public key to the identification information contained in the certificate and thus assure third parties that some measure of care was taken to ensure that this binding of the identification information and key is valid. The CA is the Grand Pooh-bah of validation in an organization; someone whom everyone trusts, and in some organizations, like those using a PKI, no certificate is considered valid unless it has been signed by a trusted CA.

Checking validity
One way to establish validity is to go through some manual process. There are several ways to accomplish this. You could require your intended recipient to physically hand you a copy of his or her public key. But this is often inconvenient and inefficient.

Another way is to manually check the certificate's fingerprint. Just as every human's fingerprints are unique, every PGP certificate's fingerprint is unique. The fingerprint is a hash of the user's certificate and appears as one of the certificate's properties. In PGP, the fingerprint can appear as a hexadecimal number or a series of so-called biometric words, which are phonetically distinct and are used to make the fingerprint identification process a little easier.

You can check that a certificate is valid by calling the key's owner (so that you originate the transaction) and asking the owner to read his or her key's fingerprint to you and verifying that fingerprint against the one you believe to be the real one. This works if you know the owner's voice, but how do you manually verify the identity of someone you don't know? Some people put the fingerprint of their key on their business cards for this very reason.

Another way to establish validity of someone's certificate is to trust that a third individual has gone through the process of validating it. A CA, for example, is responsible for ensuring that prior to issuing a certificate, he or she carefully checks it to be sure the public key portion really belongs to the purported owner. Anyone who trusts the CA will automatically consider any certificates signed by the CA to be valid.

Another aspect of checking validity is to ensure that the certificate has not been revoked. For more information, see the section Certificate Revocation.

Establishing trust
You validate certificates. You trust people. More specifically, you trust people to validate other people's certificates. Typically, unless the owner hands you the certificate, you have to go by someone else's word that it is valid.

Meta and trusted introducers
In most situations, people completely trust the CA to establish certificates' validity. This means that everyone else relies upon the CA to go through the whole manual validation process for them. This is fine up to a certain number of users or number of work sites, and then it is not possible for the CA to maintain the same level of quality validation. In that case, adding other validators to the system is necessary.

A CA can also be a meta-introducer. A meta-introducer bestows not only validity on keys, but bestows the ability to trust keys upon others. Similar to the king who hands his seal to his trusted advisors so they can act on his authority, the meta-introducer enables others to act as trusted introducers. These trusted introducers can validate keys to the same effect as that of the meta-introducer. They cannot, however, create new trusted introducers.

Meta-introducer and trusted introducer are PGP terms. In an X.509 environment, the meta-introducer is called the root Certification Authority (root CA) and trusted introducers subordinate Certification Authorities.

The root CA uses the private key associated with a special certificate type called a root CA certificate to sign certificates. Any certificate signed by the root CA certificate is viewed as valid by any other certificate signed by the root. This validation process works even for certificates signed by other CAs in the system - as long as the root CA certificate signed the subordinate CA's certificate, any certificate signed by the CA is considered valid to others within the hierarchy. This process of checking back up through the system to see who signed whose certificate is called tracing a certification path or certification chain.

Trust models
In relatively closed systems, such as within a small company, it is easy to trace a certification path back to the root CA. However, users must often communicate with people outside of their corporate environment, including some whom they have never met, such as vendors, customers, clients, associates, and so on. Establishing a line of trust to those who have not been explicitly trusted by your CA is difficult.

Companies follow one or another trust model, which dictates how users will go about establishing certificate validity. There are three different models:
• Direct Trust
• Hierarchical Trust
• A Web of Trust

Direct Trust
Direct trust is the simplest trust model. In this model, a user trusts that a key is valid because he or she knows where it came from. All cryptosystems use this form of trust in some way. For example, in web browsers, the root Certification Authority keys are directly trusted because they were shipped by the manufacturer. If there is any form of hierarchy, it extends from these directly trusted certificates. In PGP, a user who validates keys herself and never sets another certificate to be a trusted introducer is using direct trust.

Figure 1-11. Direct trust

Hierarchical Trust
In a hierarchical system, there are a number of "root" certificates from which trust extends. These certificates may certify certificates themselves, or they may certify certificates that certify still other certificates down some chain. Consider it as a big trust "tree." The "leaf" certificate's validity is verified by tracing backward from its certifier, to other certifiers, until a directly trusted root certificate is found.

Figure 1-15. Hierarchical trust

Web of Trust
A web of trust encompasses both of the other models, but also adds the notion that trust is in the eye of the beholder (which is the real-world view) and the idea that more information is better. It is thus a cumulative trust model. A certificate might be trusted directly, or trusted in some chain going back to a directly trusted root certificate (the meta-introducer), or by some group of introducers.

Perhaps you've heard of the term six degrees of separation, which suggests that any person in the world can determine some link to any other person in the world using six or fewer other people as intermediaries. This is a web of introducers.

It is also the PGP view of trust. PGP uses digital signatures as its form of introduction. When any user signs another's key, he or she becomes an introducer of that key. As this process goes on, it establishes a web of trust.

In a PGP environment, any user can act as a certifying authority. Any PGP user can validate another PGP user's public key certificate. However, such a certificate is only valid to another user if the relying party recognizes the validator as a trusted introducer. (That is, you trust my opinion that others' keys are valid only if you consider me to be a trusted introducer. Otherwise, my opinion on other keys' validity is moot.)

Stored on each user's public keyring are indicators of
• whether or not the user considers a particular key to be valid
• the level of trust the user places on the key that the key's owner can serve as certifier of others' keys

You indicate, on your copy of my key, whether you think my judgement counts. It's really a reputation system: certain people are reputed to give good signatures, and people trust them to attest to other keys' validity.

Levels of trust in PGP
The highest level of trust in a key, implicit trust, is trust in your own key pair. PGP assumes that if you own the private key, you must trust the actions of its related public key. Any keys signed by your implicitly trusted key are valid.

There are three levels of trust you can assign to someone else's public key:
• Complete trust
• Marginal trust
• Notrust (or Untrusted)

To make things confusing, there are also three levels of validity:
• Valid
• Marginally valid
• Invalid

To define another's key as a trusted introducer, you
1. Start with a valid key, one that is either
   o signed by you or
   o signed by another trusted introducer
and then
2. Set the level of trust you feel the key's owner is entitled.

For example, suppose your key ring contains Alice's key. You have validated Alice's key and you indicate this by signing it. You know that Alice is a real stickler for validating others' keys. You therefore assign her key with Complete trust. This makes Alice a Certification Authority. If Alice signs another's key, it appears as Valid on your keyring.

PGP requires one Completely trusted signature or two Marginally trusted signatures to establish a key as valid. PGP's method of considering two Marginals equal to one Complete is similar to a merchant asking for two forms of ID. You might consider Alice fairly trustworthy and also consider Bob fairly trustworthy. Either one alone runs the risk of accidentally signing a counterfeit key, so you might not place complete trust in either one. However, the odds that both individuals signed the same phony key are probably small.
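
The keyring rule above, worked through as an added example (not PGP's own code): an introducer's signature counts only when the introducer's key is itself valid, and one Complete or two Marginal signatures make a key valid. The key names, the data layout, and the choice to report a single Marginal signature as "marginally valid" are assumptions made for this illustration.

```python
# Added example: the keyring rule from this section as a small calculation.
# Key names and the data layout are constructed for illustration.
COMPLETE, MARGINAL = "complete", "marginal"

def compute_validity(own_key, signatures, trust):
    """signatures maps each key to the set of keys that signed it;
    trust maps a key to the trust level you assigned to its owner.
    Returns {key: "valid" | "marginally valid" | "invalid"}."""
    keys = set(signatures) | {own_key}
    for signers in signatures.values():
        keys |= set(signers)
    validity = {key: "invalid" for key in keys}
    validity[own_key] = "valid"           # implicit trust in your own key pair

    changed = True
    while changed:                        # repeat until no key's status moves
        changed = False
        for key in sorted(keys - {own_key}):
            complete = marginal = 0
            for signer in signatures.get(key, ()):
                if signer == own_key:
                    complete += 1         # signed by your implicitly trusted key
                elif validity[signer] == "valid":
                    # An introducer's signature counts only if the introducer's
                    # own key is already valid on your keyring.
                    level = trust.get(signer)
                    complete += level == COMPLETE
                    marginal += level == MARGINAL
            if complete >= 1 or marginal >= 2:
                status = "valid"
            elif marginal == 1:
                status = "marginally valid"   # assumption of this example
            else:
                status = "invalid"
            if status != validity[key]:
                validity[key] = status
                changed = True
    return validity

# Constructed keyring: you signed Alice's, Bob's and Frank's keys yourself.
SIGNATURES = {
    "alice": {"you"}, "bob": {"you"}, "frank": {"you"},
    "carol": {"alice"},            # one Completely trusted signature
    "dave": {"bob"},               # one Marginally trusted signature
    "erin": {"bob", "frank"},      # two Marginally trusted signatures
    "mallory": {"carol"},          # Carol's key is valid, but she is not trusted
    "trudy": {"zed"},              # Zed is trusted, but his key is not valid
}
TRUST = {"alice": COMPLETE, "bob": MARGINAL, "frank": MARGINAL, "zed": COMPLETE}

RESULT = compute_validity("you", SIGNATURES, TRUST)
```

The last two entries show why validity and trust are separate settings: a valid key whose owner you have not trusted introduces nobody, and trust assigned to a key that is not valid has no effect.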

Certificate Revocation
Certificates are only useful while they are valid. It is unsafe to simply assume that a certificate is valid forever. In most organizations and in all PKIs, certificates have a restricted lifetime. This constrains the period in which a system is vulnerable should a certificate compromise occur.

Certificates are thus created with a scheduled validity period: a start date/time and an expiration date/time. The certificate is expected to be usable for its entire validity period (its lifetime). When the certificate expires, it will no longer be valid, as the authenticity of its key/identification pair are no longer assured. (The certificate can still be safely used to reconfirm information that was encrypted or signed within the validity period - it should not be trusted for cryptographic tasks moving forward, however.)

There are also situations where it is necessary to invalidate a certificate prior to its expiration date, such as when the certificate holder terminates employment with the company or suspects that the certificate's corresponding private key has been compromised. This is called revocation. A revoked certificate is much more suspect than an expired certificate. Expired certificates are unusable, but do not carry the same threat of compromise as a revoked certificate.

Anyone who has signed a certificate can revoke his or her signature on the certificate (provided he or she uses the same private key that created the signature). A revoked signature indicates that the signer no longer believes the public key and identification information belong together, or that the certificate's public key (or corresponding private key) has been compromised. A revoked signature should carry nearly as much weight as a revoked certificate.

With X.509 certificates, a revoked signature is practically the same as a revoked certificate given that the only signature on the certificate is the one that made it valid in the first place - the signature of the CA. PGP certificates provide the added feature that you can revoke your entire certificate (not just the signatures on it) if you yourself feel that the certificate has been compromised.

Only the certificate's owner (the holder of its corresponding private key) or someone whom the certificate's owner has designated as a revoker can revoke a PGP certificate. (Designating a revoker is a useful practice, as it's often the loss of the passphrase for the certificate's corresponding private key that leads a PGP user to revoke his or her certificate - a task that is only possible if one has access to the private key.) Only the certificate's issuer can revoke an X.509 certificate.

Communicating that a certificate has been revoked
When a certificate is revoked, it is important to make potential users of the certificate aware that it is no longer valid. With PGP certificates, the most common way to communicate that a certificate has been revoked is to post it on a certificate server so others who may wish to communicate with you are warned not to use that public key.

In a PKI environment, communication of revoked certificates is most commonly achieved via a data structure called a Certificate Revocation List, or CRL, which is published by the CA. The CRL contains a time-stamped, validated list of all revoked, unexpired certificates in the system. Revoked certificates remain on the list only until they expire, then they are removed from the list - this keeps the list from getting too long.

The CA distributes the CRL to users at some regularly scheduled interval (and potentially off-cycle, whenever a certificate is revoked). Theoretically, this will prevent users from unwittingly using a compromised certificate. It is possible, though, that there may be a time period between CRLs in which a newly compromised certificate is used.
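
The CRL behaviour described above, as an added example (not taken from the original notes): the relying party's check against the newest CRL it holds, the CA's removal of entries once the certificate has expired, and the window between two CRLs. The dictionary layout, the issuer name and all dates are constructed; the next-update time is an assumption modelled on the field real CRLs carry.

```python
from datetime import datetime, timedelta

def prune_crl(revoked, expiry_by_serial, now):
    """CA side: keep a revoked serial on the list only until that certificate expires."""
    return {serial: when for serial, when in revoked.items()
            if expiry_by_serial[serial] > now}

def check_certificate(cert, crl, now):
    """Relying-party side: classify a certificate against the newest CRL held."""
    if now < cert["not_before"]:
        return "not yet valid"
    if now >= cert["not_after"]:
        return "expired"
    if crl["issuer"] != cert["issuer"]:
        return "unknown: CRL is from a different issuer"
    if cert["serial"] in crl["revoked"]:
        return "revoked"          # a listing counts even if the CRL is old
    if now >= crl["next_update"]:
        return "unknown: CRL is stale"
    return "not revoked as of CRL"

def day(n):
    """Constructed timeline: day n counted from an arbitrary start date."""
    return datetime(2024, 1, 1) + timedelta(days=n)

# Constructed sample data.
ISSUER = "CN=Example CA"
CERT = {"serial": 1001, "issuer": ISSUER,
        "not_before": day(0), "not_after": day(365)}
REVOKED_AT = day(12)              # key compromise reported on day 12
OLD_CRL = {"issuer": ISSUER, "this_update": day(10),
           "next_update": day(17), "revoked": {}}
NEW_CRL = {"issuer": ISSUER, "this_update": day(17),
           "next_update": day(24), "revoked": {1001: REVOKED_AT}}

def demo():
    return {
        # Day 13: revoked already, but the CRL in hand predates the revocation.
        "window": check_certificate(CERT, OLD_CRL, day(13)),
        "after_new_crl": check_certificate(CERT, NEW_CRL, day(18)),
        "old_crl_kept_too_long": check_certificate(CERT, OLD_CRL, day(20)),
        "after_expiry": check_certificate(CERT, NEW_CRL, day(400)),
    }
```

The "window" result is the gap the text warns about; refusing a CRL past its next-update time bounds how long that gap can last for a relying party.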

What is a passphrase?
Most people are familiar with restricting access to computer systems via a password, which is a unique string of characters that a user types in as an identification code.

A passphrase is a longer version of a password, and in theory, a more secure one. Typically composed of multiple words, a passphrase is more secure against standard dictionary attacks, wherein the attacker tries all the words in the dictionary in an attempt to determine your password. The best passphrases are relatively long and complex and contain a combination of upper and lowercase letters, numeric and punctuation characters.

PGP uses a passphrase to encrypt your private key on your machine. Your private key is encrypted on your disk using a hash of your passphrase as the secret key. You use the passphrase to decrypt and use your private key. A passphrase should be hard for you to forget and difficult for others to guess. It should be something already firmly embedded in your long-term memory, rather than something you make up from scratch. Why? Because if you forget your passphrase, you are out of luck. Your private key is totally and absolutely useless without your passphrase and nothing can be done about it. Remember the quote earlier in this chapter? PGP is cryptography that will keep major governments out of your files. It will certainly keep you out of your files, too. Keep that in mind when you decide to change your passphrase to the punchline of that joke you can never quite remember.

Key splitting
They say that a secret is not a secret if it is known to more than one person. Sharing a private key pair poses such a problem. While it is not a recommended practice, sharing a private key pair is necessary at times. Corporate Signing Keys, for example, are private keys used by a company to sign - for example - legal documents, sensitive personnel information, or press releases to authenticate their origin. In such a case, it is worthwhile for multiple members of the company to have access to the private key. However, this means that any single individual can act fully on behalf of the company.

In such a case it is wise to split the key among multiple people in such a way that more than one or two people must present a piece of the key in order to reconstitute it to a usable condition. If too few pieces of the key are available, then the key is unusable.

Some examples are to split a key into three pieces and require two of them to reconstitute the key, or split it into two pieces and require both pieces. If a secure network connection is used during the reconstitution process, the key's shareholders need not be physically present in order to rejoin the key.
