Title: PKI and Secure Communication, Usable Privacy and Security, Ahren Studer, 4/28/08
1 PKI and Secure Communication
Usable Privacy and Security
Ahren Studer
4/28/08
2 Outline
- Definition: PKIs
- How they help security
- Why they aren't a cure all
- Where is the trust (MS or Firefox really)
- Why they aren't user friendly
- We don't always need to use PKIs (chapter)
- Why users don't understand them
- Thunderbird trouble as an exercise
3 Basics
- Asymmetric cryptography
- 2 keys (private and public keys)
- Can sign (decrypt) using private key
- Can verify (encrypt) using public key
- Need an authentic copy of the public key
- Multiple Ways to Acquire these
- PKI
- PGP Web of Trust
- Other
4 PKI Basics
Certificate Authority (CA)
books.amazon.com
motors.ebay.com
jill_at_ebay.com
monkey_wrench_at_motors.ebay.com
5 Ideal PKI
- Decades ago, the goal was a global PKI
- Not just server identification
- If you were online you'd have a certificate
- Convenient secure communication
- No spam (know your friends' public keys)
- Helps fight phishing (know your bank's keys)
6 Why this is great.
- Once we have we can authenticate any entity in the tree.
- No need to share a-priori information.
- Authority doesn't have to be online.
- CA can delegate work to others.
- E.g. CMU signs keys for each department, department signs professors' keys, professor signs students' keys
7 Why PKIs aren't so great.
- Security Weaknesses
- Implicit trust
- Usability Weaknesses
- Public key storage methods
- Removing invalid certificates
- Private key management
- Concept of asymmetric key
- Doesn't fulfill users' expectations
- Sometimes a better solution exists
Partially based on Don Davis, "Compliance Defects in Public-Key Cryptography"
8 Security Vulnerabilities in PKIs
- Simple question
- Who must you trust in a PKI?
- Certificate Authority
- Entities with Certifying Authority
- Your software??!
9 I need to trust my software?
- Your software can install new CAs.
- Your software can access the hosts files.
- hosts file translates URL to IP address
- URL is in the certificate not the IP address
10 A potential attack
11 A potential attack
12 A potential attack
- Computer is infected
- Malcode can change crucial files
- Add CAs to Thunderbird, IE, Safari, Opera,
- Add entries to the hosts file
- Translates URL to IP address (no DNS lookup)
- What happens the next time you type in/click eBay.com, amazon.com, www.pnc.com?
13 A potential attack
- Everything looks right
- Certificate is valid
- How can we fix this?
14 A potential attack
- How can we fix this? (software vulnerabilities will always exist)
- Verify the CA's public key each time it is used (usability headache)
- Store the key in non-writable memory
- Smart card
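
Added example, not from the original slides: a check for the two changes described in the attack above, comparing the trusted roots against a baseline kept on read-only media and listing hosts-file entries that pin watched names. The root names, byte strings, hosts content and watch list are constructed; real DER-encoded certificates would take the place of the byte strings.

```python
import hashlib
import ipaddress

# Constructed sample data: byte strings stand in for DER-encoded root certificates.
BASELINE_ROOTS = {"Example Root CA 1": b"constructed-der-root-1",
                  "Example Root CA 2": b"constructed-der-root-2"}
CURRENT_ROOTS = dict(BASELINE_ROOTS, **{"Unknown Root": b"constructed-der-unknown"})

SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1   localhost
::1         localhost
203.0.113.7 www.pnc.com ebay.com   # entry that bypasses DNS
192.0.2.10  fileserver.internal
"""

def fingerprints(roots):
    """Map SHA-256 fingerprint -> label for every trusted root."""
    return {hashlib.sha256(der).hexdigest(): name for name, der in roots.items()}

def unexpected_roots(baseline, current):
    """Labels of current roots whose fingerprint is absent from the baseline."""
    known = fingerprints(baseline)
    return sorted(n for fp, n in fingerprints(current).items() if fp not in known)

def hosts_overrides(text, watched):
    """(name, ip) pairs where a watched name is pinned to a non-loopback address."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, not a mapping
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            watched_hit = any(name == w or name.endswith("." + w) for w in watched)
            if watched_hit and not ip.is_loopback:
                hits.append((name, str(ip)))
    return hits

if __name__ == "__main__":
    print(unexpected_roots(BASELINE_ROOTS, CURRENT_ROOTS))
    print(hosts_overrides(SAMPLE_HOSTS, {"pnc.com", "ebay.com", "amazon.com"}))
```

Comparing fingerprints rather than names means a root replaced under a familiar label is still reported.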
15 How else is trust involved?
- Trust the CA to identify the correct entities
16 Why should you trust the CA?
17 Who can we trust (in a PKI)?
- Need to trust the CA, without it no PKI
- Once the CA makes a mistake, we need a mechanism to address the mistake
- How do we address CA mistakes?
- Certificate Revocation Lists (CRLs)
18 Certificate Revocation Lists
- Indicates which certificates are no longer valid
- Wrong entity received a certificate
- Server is compromised and private key is leaked
- Anything else?
- All are valid reasons to revoke a certificate
19 Drawbacks to a CRL
- CRL needs checked before any verification
- CRL database and user must be online
- Central point of failure (focus of attack)
- Shut down the CRL database
- That private key you stole is valid again
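
Added example, not from the original slides: the availability drawback above expressed as client policy, where a soft-fail client accepts a revoked certificate once the CRL cannot be fetched and a hard-fail client rejects everything instead. The CRL structure, serial numbers and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

class CRLUnavailable(Exception):
    """Raised when the CRL distribution point cannot be reached."""

def revocation_status(serial, fetch_crl, now):
    """Return 'revoked', 'good' or 'unknown' for a certificate serial number."""
    try:
        crl = fetch_crl()
    except CRLUnavailable:
        return "unknown"
    if now > crl["next_update"]:
        return "unknown"          # a stale list says nothing about recent revocations
    return "revoked" if serial in crl["revoked"] else "good"

def accept_certificate(serial, fetch_crl, now, hard_fail):
    """Soft-fail treats 'unknown' as acceptable; hard-fail rejects it."""
    status = revocation_status(serial, fetch_crl, now)
    if status == "unknown":
        return not hard_fail
    return status == "good"

# Constructed sample data.
NOW = datetime(2008, 4, 28, 12, 0, tzinfo=timezone.utc)
AFTER_EXPIRY = NOW + timedelta(days=8)
STOLEN_SERIAL, HONEST_SERIAL = 0x1A2B, 0x9999
SAMPLE_CRL = {"next_update": NOW + timedelta(days=7), "revoked": {STOLEN_SERIAL}}

def crl_online():
    return SAMPLE_CRL

def crl_offline():
    raise CRLUnavailable("distribution point unreachable")

if __name__ == "__main__":
    for label, fetch in (("online", crl_online), ("offline", crl_offline)):
        for hard in (False, True):
            ok = accept_certificate(STOLEN_SERIAL, fetch, NOW, hard_fail=hard)
            print(f"CRL {label}, hard_fail={hard}: stolen key accepted = {ok}")
```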
20 Revocation in Reality
- How are bad certificates identified in reality?
- Answer: Not CRLs
- Microsoft uses automatic update
- Majority of cases utilize time
- Certificates just expire after X years
21 Why PKIs aren't so great.
- Security Weaknesses
- Implicit trust: trust CA system
- Usability Weaknesses
- Public key storage methods
- Removing invalid certificates
- Private key management
- Concept of asymmetric key
- Doesn't fulfill users' expectations
- Sometimes a better solution exists
22 Managing your private key
- Imagine you have a private key to
- Sign emails
- Perform transactions
- Whatever you can imagine
- This is your online identifier
23 Managing your private key
- You want to protect your digital identity
- If this is stolen, the thief can act as you
- What about 2 factor authentication?
- Who would waste the time typing in passwords if
you had a key to perform authentication
automatically?
24 Managing your private key
- A password (authentication) is still needed, why?
- You personally can't remember the key.
- Who can remember a 1024-bit number?
- Proves to the system you are the owner of the key.
25 Managing your private key
- Private key is needed to sign/decrypt messages
- Where should this key be stored?
- On local machine
- Security implications
- Mobility implications
- On mail server
- Security implications
- Mobility implications
26 Managing your private key
- Once you prove to the system you're the owner, how long should the private key be present in memory?
- Just long enough to generate the signature
- Strong security
- Annoying (bad usability)
- The entire session
- More chance to be leaked
27 Why PKIs aren't so great.
- Security Weaknesses
- Implicit trust
- Usability Weaknesses
- Public key storage methods
- Removing invalid certificates
- Private key management
- Users' concepts
- Doesn't fulfill users' expectations
- Sometimes a better solution exists
Partially based on Don Davis, "Compliance Defects in Public-Key Cryptography"
28 Real users and PKIs
- Concepts are hard to follow
- Non-intuitive
- Users expect too much from PKIs
29 Non-intuitive concepts
- Asymmetric crypto is strange
- How many physical systems use two keys: one to lock, one to unlock?
- Called trap doors to help people understand
30 What do trapdoors have to do with my online bank account?
- A PKI doesn't really make sense with the current task
- Why do I need to know the CA to talk to my bank?
- Why should I ask the CA if my bank is still valid? My bank is my bank.
- How is my communication secure if I don't share a key with the bank?
- Why is my money a series of 1s and 0s on the Internet?
31 Johnny 2 proves otherwise
- Repeated Why Johnny Can't Encrypt with new techniques
- More description later when covering different secure communication methods
- it was clear that users generally understood signing a message allowed a recipient to verify
S. Garfinkel, R. Miller, "Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook Express"
32 Johnny 2 proves otherwise
- Main goal was secure communication
- Will users understand why PKIs are needed when they just want to ?
- When attacked, users leveraged email based identification and authentication
- Roughly the same properties that VeriSign requires
33 Why PKIs don't fix everything
- If everyone had a certificate
- Would phishing still be a problem?
- No real change (the wrong page is used, not the wrong user)
- Helps if it is part of a two-token system
- Depends on the backup mechanism
34 PKIs aren't always the best solution
- PKIs aren't the only mechanism to allow entities that trust a third party to communicate securely
- Symmetric Alternatives
- Key Distribution Center (KDC)
- Asymmetric Alternatives
- PGP web of trust
- Leap-of-faith
- Location-limited channels
35 Key Distribution Center
[Diagram: Key Distribution Center; key labels KAT, KBT, KCT, KAB]
36 KDCs vs. PKIs
- Both require work to register users
- What needs to be online
- KDC needs to be online (easy revocation)
- CRL database needs to be online
- What needs protected
- KDC
- CA, client, CRL
37 KDC model seems better than some iPKIs
- Examine the applications and ask
- What PKI advantage still applies?
- What portion requires asymmetric cryptography?
- Why not just use a KDC and symmetric cryptography?
D. Balfanz, G. Durfee, D.K. Smetters, "Making the Impossible Easy: Usable PKI"
38 Example Scenarios
- Network in a Box
- Casca (collaboration application)
- Both use infrared to securely exchange data
- Both use a CA which is online as part of the task
- How can you use an AP that is offline or collaborate without your collaborator?
39 PKI Advantages
- Public key allows communication with anyone in the PKI.
- Authority doesn't have to be online.
- CA can delegate work to others.
- None still hold.
- Only real benefit is storage
- In a PKI, client stores key and certificate
- In a KDC, server stores per client info
40 Other mechanisms for secure communication
- PGP web of trust
- Use trusted parties to identify public keys
- Trusted parties are friends, coworkers,
- Leap-of-faith authentication
- Assume an attack isn't present
- Alert the user when the key changes
- Location-limited channels
- Securely get the key from the user
41 PGP Communication
- Should remember from Why Johnny Can't Encrypt
- Friends sign each other's keys
- Advantages versus a PKI
- Everyone can have a key for free, just need trustworthy friends
- Disadvantages versus a PKI
- You need to deal with revocation yourself
- Privacy invasive to find a key
- Your friends are CAs
42 PGP Communication
http://www.xkcd.com/364
43 Leap-of-Faith/Key Continuity
- Majority of the time an attack is not a threat
- Just proceed as though the key is correct
- Currently the model used in SSH
44 Leap-of-Faith
- User is told when a new key is used
- Keys are associated with identities
45 Leap-of-Faith
- If the server's key changes, the user is alerted
- Disadvantages
- Key might have legitimately changed
- No revocation mechanism
- Doesn't provide an alternative solution
- Advantages
- No need for authorities
- Simple for users
46 Johnny 2
- A repeat of the experiment in Why Johnny Can't Encrypt
- Looked at Outlook Express with built in asymmetric crypto support
- Investigated Key Continuity Management
- Yellow border: new key for a new user
- Green border: key matches record
- Red border: key differs from record
- Gray border: no key used, but one on record
47 Johnny 2
- Investigated whether users could detect attacks
- Sent an email signed with the wrong key
- Sent an email using a new identity (email address)
- Sent an email that was unsigned
48 Johnny 2
- With KCM users didn't fall for attacks that used different keys
- When given a short briefing
- Users still sent messages to new emails for a recognized user
- Social attack: I'm at home
- User was less likely to accept an unsigned message
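
Added example, not from the original slides or the study's software: the four Key Continuity Management border colours as a first-seen key store, replayed against the three test messages listed above. The class name, addresses and key bytes are constructed, and the "none" result for unsigned mail from an address with no record is an assumption the slides do not cover.

```python
import hashlib
import hmac

class KeyContinuityStore:
    """Remembers the first key seen for each e-mail address (leap of faith)."""

    def __init__(self):
        self._record = {}   # lower-cased address -> SHA-256 fingerprint of the key

    def classify(self, sender, public_key=None):
        """Return the border colour for a message and record first-seen keys."""
        addr = sender.strip().lower()
        known = self._record.get(addr)
        if public_key is None:
            # Unsigned mail: gray only if this address has signed before.
            return "gray" if known else "none"   # "none" is an assumption
        fp = hashlib.sha256(public_key).hexdigest()
        if known is None:
            self._record[addr] = fp              # trust on first use
            return "yellow"
        # A mismatch never overwrites the record, so the alert repeats.
        return "green" if hmac.compare_digest(known, fp) else "red"

# Constructed keys and addresses.
ALICE_KEY = b"constructed-public-key-alice"
OTHER_KEY = b"constructed-public-key-other"

def replay_study_messages():
    """Classify a normal exchange followed by the three test messages."""
    store = KeyContinuityStore()
    return {
        "first contact": store.classify("alice@example.org", ALICE_KEY),
        "later mail": store.classify("Alice@Example.org", ALICE_KEY),
        "wrong key": store.classify("alice@example.org", OTHER_KEY),
        "new identity": store.classify("alice@mail.example.net", OTHER_KEY),
        "unsigned": store.classify("alice@example.org"),
        "after wrong key": store.classify("alice@example.org", ALICE_KEY),
    }

if __name__ == "__main__":
    for label, colour in replay_study_messages().items():
        print(f"{label:16} {colour}")
```

The new-identity message receives the same yellow border as a legitimate first contact, so the store alone cannot tell the two apart.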
49 Johnny 2
- A simple integrated visible mechanism can improve security
- However, it is not a panacea
- New identities are a problem
- (I feel) However, the solution does help compared to a PKI
- At least you notice a new identity is being used
50 Location-limited key exchange
- Exchange or verify keys using a physically-limited mechanism
- Numerous mechanisms
- Infrared
- Wired connections (Stajano et al.)
- Pictures (McCune et al.)
- Shaking (Bichler et al.)
- Pressing Buttons Simultaneously (Soriente et al.)
51 Location-limited key exchange
- Advantages
- Leverage physical trust, know the key corresponds to the right entity
- Often a simple user-friendly mechanism
- The focus of lots of research
- Disadvantages
- Need to physically interact with other entity
52 Usability
- Key exchange is not always the hard part
- Using those keys with current software is a
challenge
53 Usability in Thunderbird
- Using asymmetric crypto in email is fairly simple
- Generate a key pair using OpenSSL
- Register your private key in Thunderbird
- System fails
- Register your certificate as a CA
- Click sign
54 Usability in Thunderbird
- Other users need your key to verify the signature
- All of the mentioned techniques allow you to exchange Thunderbird compatible certificates
- However, your certificate is a self-signed certificate
55 Using Self-Signed Certificates in Thunderbird
- Thunderbird is conservative and considers any self-signed certificate as invalid
- Why is this acceptable as a default?
- It doesn't know you securely acquired it from that specific user.
56 Using Self-Signed Certificates in Thunderbird
- How can you get Thunderbird to accept self-signed certificates?
- Register that certificate as a CA
- Now that user can generate new identities your system automatically accepts
- Hint: you are a registered CA
- Just sign that certificate using your own private key
57 Conclusions
- PKIs provide useful functionality
- Offline authority, ability to delegate
- PKIs have some vulnerabilities
- Need to protect public and private keys
- Have to trust signing authorities
- Revocation information is needed
- PKIs aren't always the best solution
58 Conclusions
- Symmetric and asymmetric key management systems exist
- Each system has different advantages and disadvantages