|Elements for PKI|
PKI certifies identity. Using the PKI infrastructure, should, ideally, prove beyond reasonable doubt that, in the digital world, you are who you say you are.
To be able to prove your own identity, someone has to vouch for you. This happens by someone or something writing out a digital certificate for you. The someone or something is called a certificate authority (CA). What (s)he writes out is called a digital certificate. The latter can be used to prove your identity and you can use it to sign someone else's digital certificate.
This creates a chain, which of course, has to end somewhere. It usually ends in a public CA: well-known companies, like RSA and VeriSign tend to act as so-called Cas. Their certificates are called "root certificates" .PKI vs. asymmetric cryptography
Although asymmetric cryptography is extremely helpful when establishing a CA, it is actually not really necessary. The keys can be generated using algorithms that are not related to asymmetric cryptographic systems: it does not make any difference to the validity of the certificate whether it has been produced by symmetric or asymmetric cryptographic algorithms.Identity validation by other means
We don't have to use a CA hierarchy to be able to exchange keys. We can also be part of something called a "Web of Trust" , something implemented by GnuGPG. In principle it is quite simple and works according to the following steps:1. The user creates a public-private key pair and then makes his public key pair available.
2. If two or more key-owners meet (so called key-signing parties), they exchange their "real" identity information, to confirm their identities and then sign each other's digital certificates.
3. Once a large number of people have done this, it is likely that they both know people who can vouch for their identities. The path of signatures becomes a secure communication link.
4. To be sure that each person can be identified securely, multiple signature chains are a good idea.
There are other systems to ensure key authenticity and user identity, but they tend to rely to some extent on both or just variations of the PKI system.Variations of PKI
Digital certificates contain quite a lot of information: Basically, they show all the information necessary to identify a person or organization uniquely. Addresses, names and other items are added to the certificate.
But more importantly, the owner's public key and the CA's digital signature created by the CA. All elements make up the coveted digital certificate. The standard currently being used by most CA is the X 509v3 standard. Other varieties include the PGP protocol (in its free and open source implementations), but they have much less impact globally.Becoming your own CA
We will get to know the process of setting up a CA. It is perfectly possible to act as your own CA: the purposes can be manifold; first of all it is extremely useful to set up your own CA and know the process involved. It also helps you to understand how to get SSL to work and how to set up client certificates using PKI. Self-certification is not, however, particularly useful to authenticate yourself to someone else.Internal CA
An organization might want to be its own CA and distribute digital certificates to its employees. This can be useful as an alternative to the LDAP or Apache network access control. (Chapter xx)PKI procedures
We are getting close to actually building a CA and setting up SSL to work with Apache.
The basic procedure to find out whether you are communicating with the correspondent actually holding the correct certificate is this: first encrypt the digital certificate using your public key and wait for the respondent to send you the corresponding
The certificates usually consist of the following items:
All certificates need a subject that contains personal or company information. The next item that often confuses the user is the common name, abbreviated as CN. It is little else but the domain name of the host being authenticated. Then we get the public key, followed by the signature. The signature is computed using a one-way hash (MD5 or SHA-1) of the information provided by the user "subject and CN" and then encrypted using the CA's private key.
If you send the certificate in encoded form, it is called a challenge. The challenge has been satisfied if the corresponding private key has been used to decode the certificate. The private key is provided by the CA and thus acts as the guarantee that the name appearing in the certificate is the name of the person the certificate was issued to by the CA.
You can then continue communicating using private key encryption with the trusted user.SSL: the Theory
First of all, some nomenclature:
If you look up the Secure Socket Layer Standard in any context, you will always be redirected to TLS (Transport Layer Security). Owing to past naming issues, and Netscape's role in creating SSL, TLS is the official name of SSLv3.1, but no one uses the TLS moniker.
TLS has been codified in RFC 2246, but it is complex and most ssl commandline configuration utilities are difficult to figure out. We will help out, though.
SSL adds security to the transport layer protocol: it secures other protocols as well, like SMTP, FTP etc. but we are going to deal with http here.
SSL has one distinct disadvantage: it cannot use virtual hosting to recycle Internet Protocol addresses. The reason is that the HTTP HOST request header is part of the encrypted packet sent through the channel. To decrypt the header and indeed, the whole packet (or the channel in question), the web server needs the correct key. It cannot find the right key, however, to decrypt the packet/channel if it doesn't know where the packet is heading. Thus the only information accessible to the web server to id the right key is the IP address. It follows that name-based virtual hosting cannot be used for SSL.
Once the server has an idea who is talking to, further authentication is needed: the server sends his digital certificate and the client will decrypt it using its private key. Only now can both sides agree on encryption protocols and private keys to keep each exchange secret.Data Transfers
Once both sides have a pair of keys to authenticate each other's identity, both parties can switch to symmetric encryption. They use (or rather, you can determine during configuration) a set of symmetric encryption protocols until both sides terminate the secure channel.Versions
Please be aware of the TLS v. 1.1: it is the currently approved version, but so far only very few clients seem to be able to cope with it.SSL Security
We need to address several issues before installing and configuring the SSL stack for use with mod_ssl. The first and most important issue is to determine whether the protocol is secure enough for production use.
It is still possible to use symmetric ciphers using RC 4 with 256 bit key length, and authentication should be attempted using 2048-bit key RSA. Please have no illusions about the security of RC4, however: it has been broken quite a while ago, even though for some purposes it is still considered fairly secure.
There are a fair number of protocols that should not be used with SSL v3. Low key strengths are a dead give-away, and so is the presence of DES or SHA 0/1.The Man in the Middle
All literature and documentation on SSL contains ample warnings about Man in the Middle (MITM) attacks. As the phrase tells us, it is possible for an attacker to intercept all or part of communications between two parties.
At the beginning of client-server SSL communication, the client needs to send the intended domain name and the associated IP address. But first, the client needs to find the IP address (see above). The client therefore needs to send a DNS query, which is fairly trivial to intercept using a tool called dsniff.
The Man in the Middle will not only intercept the request, but he will also reply with a fake IP address and thus interpose himself between client and server. During the handshake, the MITM has to supply a digital certificate as well, which poses some problems for the attacker.
The classical list of possible MITM attacks on a SSL client goes like this:
1. The attacker might be using a self-signed (!) or a CA-supplied certificate procured from another website. The warning message that this produces on the client's browser is probably something the user will ignore.
2. The attacker can just send his own root certificate. The browser then might just import the root certificate in question. As a result the attacker will find it a lot easier to get his certificates accepted by other websites.
3. It is possible to get a root certificate by conducting some ingenious social engineering. Disgruntled employees might be inclined to use their powers to let an attacker have a root certificate. It would enable an attacker to provide a valid certificate for the target website.
Further SSL Problems
There are issues that concern all users of SSL and they will recur on several occasions in this course.
- As we already know, SSL is not an end-to-end solution. As we have seen during the discussion of the SSL handshake, it cannot start an encrypted channel by encrypting all information used during the handshake. E.g. There is a common mistake using form-to-email scripts that enable a user to send confidential information to the SSL-enabled webserver. Needless to say that form-to-email scripts should never be used for any confidential information, let alone to initiate an SSL session.
- Certificates that are self-signed, invalid or expired lead to browser warnings. These warnings should be treated with some degree of respect. MITM attacks are often executed in this fashion (s.a.). This is still a user issue, although browser writers should be able to deal with this issue in the course of time. For the time being, all self-signed certificates should be rejected out of hand. Expired certificates from sites that you used to visit regularly should be treated as opportunities to write a polite email reminding the web administrator to renew the digital certificate.
- Invalid certificates are a different matter. If you want to be safe, don't proceed to the website. If you are asked for confidential information, do not provide it. It is possible that invalid certificates are provided due to a
- some browsers do not compare certificates to this day. When an MITM has been executed and DNS information has been stolen, it is a simple matter of building an identical website to redirect the web traffic and collect confidential information.
Phishing attacks have similar intent and often lead to redirecting traffic and misleading unsuspecting users into providing confidential information of all kinds.Conclusion
We have now the basics to understand setup of the OpenSSL library and to use mod_ssl on Apache. We will also set up our own Certificate Authority, but you should not be tempted to compete with VeriSign just yet. For internal use, however, you should be able to implement an Intranet with Certificate-based Server authentication in place.
We left out Client-side authentication: it is possible to do use that, but given time constraints, we have to leave it as the proverbial exercise for the reader.