The document discusses methods for secure public key distribution, including the use of a Controlled Trusted Center and Certification Authorities (CAs) to prevent public key fraud. It introduces the X.509 protocol for standardizing certificate formats and outlines the structure of a Public-Key Infrastructure (PKI) to manage public key queries hierarchically. Additionally, it summarizes key cryptographic concepts such as message confidentiality, integrity, authentication, nonrepudiation, and the role of digital signatures.
Controlled Trusted Center

A higher level of security can be achieved if there are added controls on the distribution of the public key. The public-key announcements can include a timestamp and be signed by an authority to prevent interception and modification of the response. If Alice needs to know Bob's public key, she can send a request to the center including Bob's name and a timestamp. The center responds with Bob's public key, the original request, and the timestamp, signed with the private key of the center. Alice uses the public key of the center, known by all, to decrypt the message and extract Bob's public key. Figure 31.25 shows one scenario.

988 CHAPTER 31 NETWORK SECURITY

[Figure 31.25 Controlled trusted center: Alice sends "Need Bob's key, Time" to the trusted center, which holds a directory of public keys (Alice: KA, Bob: KB) and replies with "Need Bob's key, Time, KB" signed with KCenter]

Certification Authority

The previous approach can create a heavy load on the center if the number of requests is large. The alternative is to create public-key certificates. Bob wants two things: he wants people to know his public key, and he wants no one to accept a public key forged as his. Bob can go to a certification authority (CA), a federal or state organization that binds a public key to an entity and issues a certificate. The CA has a well-known public key itself that cannot be forged. The CA checks Bob's identification (using a picture ID along with other proof). It then asks for Bob's public key and writes it on the certificate. To prevent the certificate itself from being forged, the CA signs the certificate with its private key. Now Bob can upload the signed certificate. Anyone who wants Bob's public key downloads the signed certificate and uses the public key of the center to extract Bob's public key. Figure 31.26 shows the concept.

[Figure 31.26 Certification authority: the CA keeps a directory of public keys (Alice: KA, Bob: KB), issues Bob a signed certificate, and Bob announces it to the public]

X.509

Although the use of a CA has solved the problem of public-key fraud, it has created a side effect. Each certificate may have a different format. If Alice wants to use a program to automatically download different certificates and digests belonging to different people, the program may not be able to do so. One certificate may have the public key in one format and another in another format. The public key may be on the first line in one certificate and on the third line in another. Anything that needs to be used universally must have a universal format. To remove this side effect, ITU has designed a protocol called X.509, which has been accepted by the Internet with some changes. X.509 is a way to describe the certificate in a structured way. It uses a well-known protocol called ASN.1 (Abstract Syntax Notation 1) that defines fields familiar to C programmers. The following lists the fields in a certificate.

- Version: This field defines the version of X.509 of the certificate. The version number started at 0; the current version is 2 (the third version).
- Serial number: This field defines a number assigned to each certificate. The value is unique for each certificate issued.
- Signature: This field, for which the name is inappropriate, identifies the algorithm used to sign the certificate. Any parameter that is needed for the signature is also defined in this field.
- Issuer: This field identifies the certification authority that issued the certificate. The name is normally a hierarchy of strings that defines a country, state, organization, department, and so on.
- Period of validity: This field defines the earliest and the latest times the certificate is valid.
- Subject: This field defines the entity to which the public key belongs. It is also a hierarchy of strings. Part of the field defines what is called the common name, which is the actual name of the holder of the key.
- Subject's public key: This field defines the subject's public key, the heart of the certificate. The field also defines the corresponding algorithm (RSA, for example) and its parameters.
- Issuer unique identifier: This optional field allows two issuers to have the same issuer field value, if the issuer unique identifiers are different.
- Subject unique identifier: This optional field allows two different subjects to have the same subject field value, if the subject unique identifiers are different.
- Extension: This field allows issuers to add more private information to the certificate.
- Encrypted: This field contains the algorithm identifier, a secure hash of the other fields, and a digital signature of that hash.

Public-Key Infrastructures (PKI)

When we want to use public keys universally, we have a problem similar to secret-key distribution. We found that we cannot have only one KDC to answer the queries. We need many servers. In addition, we found that the best solution is to put the servers in a hierarchical relationship with one another. Likewise, a solution to public-key queries is a hierarchical structure called a public-key infrastructure (PKI). Figure 31.27 shows an example of this hierarchy.

[Figure 31.27 PKI hierarchy: a root CA above level-1 CAs, each above level-2 CAs]

At the first level, we can have a root CA that can certify the performance of CAs in the second level; these level-1 CAs may operate in a large geographic or logical area. The level-2 CAs may operate in smaller geographic areas. In this hierarchy, everybody trusts the root. But people may or may not trust intermediate CAs. If Alice needs to get Bob's certificate, she may find a CA somewhere to issue the certificate. But Alice may not trust that CA. In a hierarchy Alice can ask the next-higher CA to certify the original CA. The inquiry may go all the way to the root.
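The following is an added example, not code from the textbook, that ties the CA, X.509 and PKI sections together: a CA signs a certificate carrying the X.509 fields listed above (version, serial, signature algorithm, issuer, validity period, subject, subject's public key), and a verifier walks the chain Bob -> level-1 CA -> root, checking each signature with the issuer's key, until it reaches a root it trusts. The RSA keys are built from fixed small primes, the names and dates are constructed placeholders, and JSON stands in for ASN.1 encoding; none of this is secure, it only shows the mechanics.

```python
import hashlib, json

def make_keypair(p, q, e=65537):
    # toy RSA from fixed primes (constructed for illustration; real keys use ~2048-bit random primes)
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def digest(tbs):
    # canonical serialisation of the to-be-signed fields (the role ASN.1 DER plays in X.509)
    return int(hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).hexdigest(), 16)

def issue(issuer, issuer_priv, subject, subject_pub, serial, not_before, not_after):
    # the CA writes the subject's public key into the certificate and signs the whole record
    tbs = {"version": 2, "serial": serial, "signature": "toy-rsa-with-sha256",
           "issuer": issuer, "validity": [not_before, not_after],
           "subject": subject, "subject_public_key": subject_pub}
    h = digest(tbs) % issuer_priv["n"]
    return {"tbs": tbs, "sig": pow(h, issuer_priv["d"], issuer_priv["n"])}

def verify_one(cert, issuer_pub, now):
    # validity window, then signature check with the issuer's (not the subject's) public key
    not_before, not_after = cert["tbs"]["validity"]
    if not (not_before <= now <= not_after):
        return False
    h = digest(cert["tbs"]) % issuer_pub["n"]
    return pow(cert["sig"], issuer_pub["e"], issuer_pub["n"]) == h

def verify_chain(chain, trusted_roots, now):
    # chain[0] is the end-entity certificate; each issuer must be the next certificate's
    # subject, and the last issuer must be a root the verifier trusts a priori
    for i, cert in enumerate(chain):
        issuer = cert["tbs"]["issuer"]
        if i + 1 < len(chain):
            if chain[i + 1]["tbs"]["subject"] != issuer:
                return False
            issuer_pub = chain[i + 1]["tbs"]["subject_public_key"]
        elif issuer in trusted_roots:
            issuer_pub = trusted_roots[issuer]
        else:
            return False
        if not verify_one(cert, issuer_pub, now):
            return False
    return True

# constructed sample hierarchy (root CA -> level-1 CA -> Bob); names and dates are placeholders
ROOT_PUB, ROOT_PRIV = make_keypair(1000000007, 998244353)
CA1_PUB, CA1_PRIV = make_keypair(1000000009, 754974721)
BOB_PUB = {"n": 3233, "e": 17}
TRUSTED_ROOTS = {"C=US/O=Root CA": ROOT_PUB}
CA1_CERT = issue("C=US/O=Root CA", ROOT_PRIV, "C=US/O=Level-1 CA", CA1_PUB, 1, "2024-01-01", "2034-01-01")
BOB_CERT = issue("C=US/O=Level-1 CA", CA1_PRIV, "CN=Bob", BOB_PUB, 2, "2024-01-01", "2026-01-01")
```

Changing any signed field (for instance swapping in a different public key for Bob) makes the digest differ from what the CA signed, so the chain check fails; a certificate presented without its issuer's certificate fails too, because the level-1 CA is not in the verifier's trusted-root set.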
31.8 RECOMMENDED READING

For more details about the subjects discussed in this chapter, we recommend the following books and sites. The items in brackets [...] refer to the reference list at the end of the text.

Books

Several books are dedicated to network security, such as [PHS02], [Bis03], and [Sal03].

31.9 KEY TERMS

authentication server (AS), certification authority (CA), challenge-response authentication, claimant, dictionary attack, digital signature, eavesdropping, entity authentication, fingerprint, fixed password, hash function, hashed message authentication code (HMAC), identification, integrity, Kerberos, key distribution center (KDC), message authentication, message authentication code (MAC), message confidentiality or privacy, message digest, message integrity, message nonrepudiation, modification detection code (MDC), nonce, nonrepudiation, one-time password, one-wayness, password, privacy, public-key infrastructure (PKI), salting, session key, SHA-1, signature scheme, signing algorithm, strong collision, ticket, ticket-granting server (TGS), verifier, verifying algorithm, weak collision, X.509

31.10 SUMMARY

- Cryptography can provide five services. Four of these are related to the message exchange between Alice and Bob. The fifth is related to the entity trying to access a system for using its resources.
- Message confidentiality means that the sender and the receiver expect privacy.
- Message integrity means that the data must arrive at the receiver exactly as sent.
- Message authentication means that the receiver is ensured that the message is coming from the intended sender, not an imposter.
- Nonrepudiation means that a sender must not be able to deny sending a message that he sent.
- Entity authentication means to prove the identity of the entity that tries to access the system's resources.
- A message digest can be used to preserve the integrity of a document or a message. A hash function creates a message digest out of a message.
- A hash function must meet three criteria: one-wayness, resistance to weak collision, and resistance to strong collision.
- A keyless message digest is used as a modification detection code (MDC). It guarantees the integrity of the message. To authenticate the data origin, one needs a message authentication code (MAC).
- MACs are keyed hash functions that create a compressed digest from the message combined with the key. The method has the same basis as encryption algorithms.
- A digital signature scheme can provide the same services provided by a conventional signature. A conventional signature is included in the document; a digital signature is a separate entity.
- A digital signature provides message integrity, authentication, and nonrepudiation. A digital signature cannot provide confidentiality for the message. If confidentiality is needed, a cryptosystem must be applied over the scheme.
- A digital signature needs an asymmetric-key system.
- In entity authentication, a claimant proves her identity to the verifier by using one of the three kinds of witnesses: something known, something possessed, or something inherent.
- In password-based authentication,