PKI and Secure Communication: Usable Privacy and Security, Ahren Studer, 4/28/08

Slides: 58
Provided by: Cyn45
Learn more at: http://cups.cs.cmu.edu


1
PKI and Secure Communication
Usable Privacy and Security
Ahren Studer
4/28/08
2
Outline
  • Definition of PKIs
  • How they help security
  • Why they aren't a cure-all
  • Where is the trust (MS or Firefox really)
  • Why they aren't user friendly
  • We don't always need to use PKIs (chapter)
  • Why users don't understand them
  • Thunderbird trouble as an exercise

3
Basics
  • Asymmetric cryptography
  • 2 keys (private and public keys)
  • Can sign (decrypt) using private key
  • Can verify (encrypt) using public key
  • Need an authentic copy of the public key
  • Multiple Ways to Acquire these
  • PKI
  • PGP Web of Trust
  • Other

4
PKI Basics
Certificate Authority (CA)
books.amazon.com
motors.ebay.com
jill@ebay.com
monkey_wrench@motors.ebay.com
5
Ideal PKI
  • Decades ago, the goal was a global PKI
  • Not just server identification
  • If you were online you'd have a certificate
  • Convenient secure communication
  • No spam (know your friends' public keys)
  • Helps fight phishing (know your bank's keys)

6
Why this is great.
  • Once we have we can authenticate any entity
    in the tree.
  • No need to share a-priori information.
  • Authority doesn't have to be online.
  • CA can delegate work to others.
  • E.g. CMU signs keys for each department,
    department signs professors' keys, professor
    signs students' keys

7
Why PKIs aren't so great.
  • Security Weaknesses
  • Implicit trust
  • Usability Weaknesses
  • Public key storage methods
  • Removing invalid certificates
  • Private key management
  • Concept of asymmetric key
  • Doesn't fulfill users' expectations
  • Sometimes a better solution exists

Partially based on Don Davis, "Compliance Defects
in Public-Key Cryptography"
8
Security Vulnerabilities in PKIs
  • Simple question
  • Who must you trust in a PKI?
  • Certificate Authority
  • Entities with Certifying Authority
  • Your software??!

9
I need to trust my software?
  • Your software can install new CAs.
  • Your software can access the hosts files.
  • hosts file translates URL to IP address
  • URL is in the certificate not the IP address

10
A potential attack
11
A potential attack
12
A potential attack
  • Computer is infected
  • Malcode can change crucial files
  • Add CAs to Thunderbird, IE, Safari, Opera,
  • Add entries to the hosts file
  • Translates URL to IP address (no DNS lookup)
  • What happens the next time you type in/click
    eBay.com, amazon.com, www.pnc.com ?

13
A potential attack
  • Everything looks right
  • Certificate is valid
  • How can we fix this?

14
A potential attack
  • How can we fix this? (software vulnerabilities
    will always exist)
  • Verify the CA's public key each time it is used
    (usability headache)
  • Store the key in non-writable memory
  • Smart card
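
A defender-side check for the two changes described on slides 12 to 14, added here as an example and not part of the original slides: it lists hosts-file entries that bypass DNS for the named sites and reports trusted roots that are missing from a baseline. The baseline set, the function names, and the sample data are assumptions; the baseline is assumed to live on read-only media, as the slide suggests.

```python
import hashlib

WATCHED = ("ebay.com", "amazon.com", "pnc.com")  # sites named on slide 12

# Constructed hosts-file content; the addresses are documentation ranges.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# constructed entries below
203.0.113.7 www.pnc.com motors.ebay.com
192.0.2.10  intranet.example   # unrelated local override
"""

def parse_hosts(text):
    """Yield (ip, hostname) for every name on every non-comment line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")

def hosts_overrides(text, watched=WATCHED):
    """Return hosts-file entries that bypass DNS for a watched domain."""
    return [(name, ip) for ip, name in parse_hosts(text)
            if any(name == d or name.endswith("." + d) for d in watched)]

def fingerprint(cert_der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()

def unexpected_cas(trust_store, baseline):
    """Return labels of trusted roots whose fingerprint is not in the baseline.

    trust_store: {label: DER bytes} exported from the browser or mail client.
    baseline: set of fingerprints recorded earlier and kept read-only.
    """
    return sorted(label for label, der in trust_store.items()
                  if fingerprint(der) not in baseline)

# Constructed stand-ins for DER certificates (not real certificates).
KNOWN_ROOT = b"constructed-root-certificate-A"
ADDED_ROOT = b"constructed-root-certificate-B"
BASELINE = {fingerprint(KNOWN_ROOT)}

if __name__ == "__main__":
    print(hosts_overrides(SAMPLE_HOSTS))
    store = {"Known Root": KNOWN_ROOT, "New Root": ADDED_ROOT}
    print(unexpected_cas(store, BASELINE))
```

The check is only as trustworthy as the baseline and the machine running it, which is the slide's point about non-writable storage.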

15
How else is trust involved?
  • Trust the CA to identify the correct entities

16
Why should you trust the CA?
17
Who can we trust (in a PKI)?
  • Need to trust the CA, without it no PKI
  • Once the CA makes a mistake, we need a mechanism
    to address the mistake
  • How do we address CA mistakes?
  • Certificate Revocation Lists (CRLs)

18
Certificate Revocation Lists
  • Indicates which certificates are no longer valid
  • Wrong entity received a certificate
  • Server is compromised and private key is leaked
  • Anything else?
  • All are valid reasons to revoke a certificate

19
Drawbacks to a CRL
  • CRL needs to be checked before any verification
  • CRL database and user must be online
  • Central point of failure (focus of attack)
  • Shut down the CRL database
  • That private key you stole is valid again
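
The availability problem on this slide, shown as an added example (not from the original slides): a verifier that accepts certificates when the CRL is unreachable or stale ("soft-fail") treats a revoked certificate as valid again, while a "hard-fail" verifier rejects it. The CRL class, the policy flag, and the sample serial number are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class CRL:
    revoked_serials: frozenset
    next_update: datetime  # the issuer promises a newer list by this time

def check_revocation(serial: int, crl: Optional[CRL], now: datetime,
                     hard_fail: bool) -> tuple:
    """Return (accept, reason). crl is None when the list could not be fetched."""
    # A listed serial is rejected even if the list is old.
    if crl is not None and serial in crl.revoked_serials:
        return False, "revoked: serial is on the CRL"
    if crl is None or now > crl.next_update:
        state = "CRL unreachable" if crl is None else "CRL stale"
        if hard_fail:
            return False, state + ", rejected (hard-fail)"
        return True, state + ", accepted unchecked (soft-fail)"
    return True, "serial is not on a current CRL"

# Constructed sample data: one leaked key's certificate and three CRL states.
NOW = datetime(2008, 4, 28, 12, 0, tzinfo=timezone.utc)
LEAKED_SERIAL = 0x1001
CURRENT = CRL(frozenset({LEAKED_SERIAL}), NOW + timedelta(days=1))
PRE_REVOCATION = CRL(frozenset(), NOW - timedelta(days=1))  # cached, expired

def compare_policies():
    """Decision for the leaked certificate under each CRL state and policy."""
    states = {"current": CURRENT, "stale": PRE_REVOCATION, "unreachable": None}
    return {(name, "hard" if hard else "soft"):
            check_revocation(LEAKED_SERIAL, crl, NOW, hard)[0]
            for name, crl in states.items() for hard in (True, False)}

if __name__ == "__main__":
    for case, accepted in compare_policies().items():
        print(case, "accept" if accepted else "reject")
```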

20
Revocation in Reality
  • How are bad certificates identified in reality?
  • Answer: Not CRLs
  • Microsoft uses automatic update
  • Majority of cases utilize time
  • Certificates just expire after X years

21
Why PKIs aren't so great.
  • Security Weaknesses
  • Implicit trust: trust CA system
  • Usability Weaknesses
  • Public key storage methods
  • Removing invalid certificates
  • Private key management
  • Concept of asymmetric key
  • Doesn't fulfill users' expectations
  • Sometimes a better solution exists

22
Managing your private key
  • Imagine you have a private key to
  • Sign emails
  • Perform transactions
  • Whatever you can imagine
  • This is your online identifier

23
Managing your private key
  • You want to protect your digital identity
  • If this is stolen, the thief can act as you
  • What about 2 factor authentication?
  • Who would waste the time typing in passwords if
    you had a key to perform authentication
    automatically?

24
Managing your private key
  • A password (authentication) is still needed, why?
  • You personally can't remember the key.
  • Who can remember a 1024-bit number?
  • Proves to the system you are the owner of the key.

25
Managing your private key
  • Private key is needed to sign/decrypt messages
  • Where should this key be stored?
  • On local machine
  • Security implications
  • Mobility implications
  • On mail server
  • Security implications
  • Mobility implications

26
Managing your private key
  • Once you prove to the system you're the owner,
    how long should the private key be present in
    memory?
  • Just long enough to generate the signature
  • Strong security
  • Annoying (bad usability)
  • The entire session
  • More chance to be leaked

27
Why PKIs aren't so great.
  • Security Weaknesses
  • Implicit trust
  • Usability Weaknesses
  • Public key storage methods
  • Removing invalid certificates
  • Private key management
  • Users' concepts
  • Doesn't fulfill users' expectations
  • Sometimes a better solution exists

Partially based on Don Davis, "Compliance Defects
in Public-Key Cryptography"
28
Real users and PKIs
  • Concepts are hard to follow
  • Non-intuitive
  • Users expect too much from PKIs

29
Non-intuitive concepts
  • Asymmetric crypto is strange
  • How many physical systems use two keys, one to
    lock, one to unlock?
  • Called trapdoors to help people understand

30
What do trapdoors have to do with my online bank
account?
  • A PKI doesn't really make sense with the current
    task
  • Why do I need to know the CA to talk to my
    bank?
  • Why should I ask the CA if my bank is still
    valid? My bank is my bank.
  • How is my communication secure if I don't share
    a key with the bank?
  • Why is my money a series of 1s and 0s on the
    Internet?

31
Johnny 2 proves otherwise
  • Repeated "Why Johnny Can't Encrypt" with new
    techniques
  • More description later when covering different
    secure communication methods
  • it was clear that users generally understood
    signing a message allowed a recipient to verify

S. Garfinkel and R. Miller, "Johnny 2: A User Test
of Key Continuity Management with S/MIME and
Outlook Express"
32
Johnny 2 proves otherwise
  • Main goal was secure communication
  • Will users understand why PKIs are needed when
    they just want to ?
  • When attacked, users leveraged email based
    identification and authentication
  • Roughly the same properties that VeriSign
    requires

33
Why PKIs don't fix everything
  • If everyone had a certificate
  • Would phishing still be a problem?
  • No real change (the wrong page is used, not the
    wrong user)
  • Helps if it is part of a two-token system
  • Depends on the backup mechanism

34
PKIs aren't always the best solution
  • PKIs aren't the only mechanism to allow entities
    that trust a third party to communicate securely
  • Symmetric Alternatives
  • Key Distribution Center (KDC)
  • Asymmetric Alternatives
  • PGP web of trust
  • Leap-of-faith
  • Location-limited channels

35
Key Distribution Center
[Diagram: key labels KAT, KBT, KCT, KAB]
36
KDCs vs. PKIs
  • Both require work to register users
  • What needs to be online
  • KDC needs to be online (easy revocation)
  • CRL database needs to be online
  • What needs to be protected
  • KDC
  • CA, client, CRL

37
KDC model seems better than some iPKIs
  • Examine the applications and ask
  • What PKI advantage still applies?
  • What portion requires asymmetric cryptography?
  • Why not just use a KDC and symmetric cryptography?

D. Balfanz, G. Durfee, D.K. Smetters, "Making
the Impossible Easy: Usable PKI"
38
Example Scenarios
  • Network in a Box
  • Casca (collaboration application)
  • Both use infrared to securely exchange data
  • Both use a CA which is online as part of the
    task
  • How can you use an AP that is offline or
    collaborate without your collaborator?

39
PKI Advantages
  • Public key allows communication with anyone in
    the PKI.
  • Authority doesn't have to be online.
  • CA can delegate work to others.
  • None still hold.
  • Only real benefit is storage
  • In a PKI, client stores key and certificate
  • In a KDC, server stores per client info

40
Other mechanisms for secure communication
  • PGP web of trust
  • Use trusted parties to identify public keys
  • Trusted parties are friends, coworkers,
  • Leap-of-faith authentication
  • Assume an attack isn't present
  • Alert the user when the key changes
  • Location-limited channels
  • Securely get the key from the user

41
PGP Communication
  • Should remember from "Why Johnny Can't Encrypt"
  • Friends sign each other's keys
  • Advantages versus a PKI
  • Everyone can have a key for free, just need
    trustworthy friends
  • Disadvantages versus a PKI
  • You need to deal with revocation yourself
  • Privacy invasive to find a key
  • Your friends are CAs

42
PGP Communication
http://www.xkcd.com/364
43
Leap-of-Faith/Key Continuity
  • Majority of the time an attack is not a threat
  • Just proceed as though the key is correct
  • Currently the model used in SSH

44
Leap-of-Faith
  • User is told when a new key is used
  • Keys are associated with identities

45
Leap-of-Faith
  • If the server's key changes, the user is alerted
  • Disadvantages
  • Key might have legitimately changed
  • No revocation mechanism
  • Doesn't provide an alternative solution
  • Advantages
  • No need for authorities
  • Simple for users

46
Johnny 2
  • A repeat of the experiment in "Why Johnny Can't
    Encrypt"
  • Looked at Outlook Express with built-in
    asymmetric crypto support
  • Investigated Key Continuity Management
  • Yellow border: new key for a new user
  • Green border: key matches record
  • Red border: key differs from record
  • Gray border: no key used, but one on record

47
Johnny 2
  • Investigated whether users could detect attacks
  • Sent an email signed with the wrong key
  • Sent an email using a new identity (email
    address)
  • Sent an email that was unsigned

48
Johnny 2
  • With KCM users didn't fall for attacks that used
    different keys
  • When given a short briefing
  • Users still sent messages to new emails for a
    recognized user
  • Social attack: "I'm at home"
  • User was less likely to accept an unsigned
    message

49
Johnny 2
  • A simple integrated visible mechanism can improve
    security
  • However, it is not a panacea
  • New identities are a problem
  • (I feel) However, the solution does help compared
    to a PKI
  • At least you notice a new identity is being used
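
The leap-of-faith model and the four Key Continuity Management borders from the Johnny 2 slides, as an added example (not code from the study or from Outlook Express): the first key seen for an address is recorded and later messages are compared against it. The class and function names, the NONE case, and the sample keys and addresses are assumptions; signature verification against the presented key is assumed to have already succeeded.

```python
import hashlib
from enum import Enum

class Border(Enum):
    YELLOW = "new key for a new user"
    GREEN = "key matches record"
    RED = "key differs from record"
    GRAY = "no key used, but one on record"
    NONE = "unsigned and nothing on record"  # assumption: not on the slide

class KeyContinuityStore:
    def __init__(self):
        self._record = {}  # email address -> SHA-256 of the first key seen

    def classify(self, sender, signing_key=None):
        """Return the border for one message; signing_key is None if unsigned."""
        addr = sender.strip().lower()
        recorded = self._record.get(addr)
        if signing_key is None:
            return Border.GRAY if recorded else Border.NONE
        seen = hashlib.sha256(signing_key).hexdigest()
        if recorded is None:
            self._record[addr] = seen  # leap of faith: trust on first use
            return Border.YELLOW
        # A mismatch never overwrites the record, so the alert repeats
        # until the user deliberately accepts the new key.
        return Border.GREEN if seen == recorded else Border.RED

def replay_study_messages():
    """Classify a constructed inbox modelled on the three attacks in the slides."""
    store = KeyContinuityStore()
    key_a = b"constructed-public-key-A"  # the correspondent's key
    key_x = b"constructed-public-key-X"  # a different key
    inbox = [
        ("alice@example.com", key_a),  # first contact
        ("alice@example.com", key_a),  # same key again
        ("alice@example.com", key_x),  # signed with the wrong key
        ("alice@example.net", key_x),  # new identity (new email address)
        ("alice@example.com", None),   # unsigned message
    ]
    return [store.classify(sender, key).name for sender, key in inbox]

if __name__ == "__main__":
    print(replay_study_messages())
```

The fourth message is classified YELLOW, the same as a genuine first contact, which is the "new identities are a problem" result on slide 49.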

50
Location-limited key exchange
  • Exchange or verify keys using a
    physically-limited mechanism
  • Numerous mechanisms
  • Infrared
  • Wired connections (Stajano et al.)
  • Pictures (McCune et al.)
  • Shaking (Bichler et al.)
  • Pressing Buttons Simultaneously (Soriente et al.)

51
Location-limited key exchange
  • Advantages
  • Leverage physical trust, know the key corresponds
    to the right entity
  • Often a simple user-friendly mechanism
  • The focus of lots of research
  • Disadvantages
  • Need to physically interact with other entity

52
Usability
  • Key exchange is not always the hard part
  • Using those keys with current software is a
    challenge

53
Usability in Thunderbird
  • Using asymmetric crypto in email is fairly simple
  • Generate a key pair using OpenSSL
  • Register your private key in Thunderbird
  • System fails
  • Register your certificate as a CA
  • Click sign

54
Usability in Thunderbird
  • Other users need your key to verify the signature
  • All of the mentioned techniques allow you to
    exchange Thunderbird compatible certificates
  • However, your certificate is a self-signed
    certificate

55
Using Self-Signed Certificates in Thunderbird
  • Thunderbird is conservative and considers any
    self-signed certificate as invalid
  • Why is this acceptable as a default?
  • It doesn't know you securely acquired it from
    that specific user.

56
Using Self-Signed Certificates in Thunderbird
  • How can you get Thunderbird to accept self-signed
    certificates?
  • Register that certificate as a CA
  • Now that user can generate new identities your
    system automatically accepts
  • Hint: you are a registered CA
  • Just sign that certificate using your own private
    key

57
Conclusions
  • PKIs provide useful functionality
  • Offline authority, ability to delegate
  • PKIs have some vulnerabilities
  • Need to protect public and private keys
  • Have to trust signing authorities
  • Revocation information is needed
  • PKIs aren't always the best solution

58
Conclusions
  • Symmetric and asymmetric key management systems
    exist
  • Each system has different advantages and
    disadvantages