PKI: State of the Art

1
PKI State of the Art Future Trends

• Dr. Stephen Kent
• Co-chair PKIX WG - IETF
• Chief Scientist - Information Security

2
PKI A Brief History

• Public key crypto invented in 1976
• First mention of a public key certificate in 1978
• First certificate standards (X.509) issued in
  1988
• First IETF certificate standard issued in 1993
• Later half of 1990s were full of hope, and hype
• emergence of the World Wide Web
• .com boom
• VeriSign founded (1995)
• SSL invented deployed in browsers
• Expiration of Diffie-Hellman RSA patents

3
PKI Bad News, Good News

• No global PKI ala X.509 X.500 model
• Little use of S/MIME for e-mail security
• PKI complexity cited as impediment to IPsec
• Some very large PKIs have not been successful
• Some ask Is biometrics the next wave, the
  successor to PKI?

• VeriSign very successful as dominant TTP CA
• Very widespread use of SSL server certificates
• PKI often used with IPsec in enterprise
  environments
• Asia progressing with several national PKI plans
• No, but a hash of some types of biometric data in
  a certificate is OK

4
Measures of PKI Progress

• Number of PKI-enabled applications available?
• Number of certificates issued?
• Number of individuals who make regular use of
  certificates?
• Number of commercial, government, or private
  (closed system) CAs?
• Value of transactions protected by PKI-enabled
  applications?
• Number of countries where digital signatures are
  approved for legally binding transactions?

5
PKI Status Mixed Results

• The number of certificates issued is small, on a
  worldwide basis, compared to populations
• Many standard applications are PKI-enabled, but
  few are employed, other than SSL
• Few users regularly employ personal certificates
• There are some closed system PKIs, but not a lot
• SSL is used to protect hundreds of millions of
  credit card transactions, over the web
• Many countries now recognize digitally signed
  transactions as legally binding

6
Impediments to PKI Proliferation?

• Do we need more or just better
• PKI standards?
• Crypto hardware or software?
• PKI utility software
• PKI-enabled applications?
• Operational costs are a concern
• Privacy is a concern for enterprise PKIs the
  directory problem!
• Is the problem our expectations of what problems
  are best addressed via use of a PKI?

7
State of the Art PKI Standards

• Critical base standards X.509, PKIX, ETSI, etc.
• PKIX created standards for
• Certificate and CRL syntax and processing
• Certificate management protocols
• OCSP
• Time stamping
• CA policies procedures
• Qualified certificates
• Delegated path/certificate validation (in
  progress)
• See also the ETSI work in some of these areas and
  in additional areas

8
IETF PKI Users Security Protocols

• IP layer VPNs (IPsec)
• Secure web access (TLS)
• Secure E-mail (S/MIME)
• IPv6 Mobility
• IPv6 Secure Neighbor Discovery (SEND WG)
• BGP security (RPSEG WG and a new WG to be formed)
• VoIP security (SIP, MSEC, other WGs)
• Note that none of these protocols make use of
  PKI
• for legally binding digital signatures!

9
State of the Art PKI Software

• Infrastructure software
• Certification authority systems
• Time stamping servers
• OCSP servers
• SCVP servers (coming soon)
• Trusted archives for signed documents
• Client software
• PKI toolkits
• PKI-enabled applications
• S/MIME, IPsec, SSL/TLS, VoIP (SIP),

10
We Could Use Better Software!

• Many CAs issue certificates that syntactically
  violate X.509 and/or RFC 3280
• Many toolkits have poor path building
  algorithms, and some products dont precisely
  follow path validation standards (e.g.,
  Microsoft)
• Some applications, even if they use certificates,
  dont do the right thing
• MS Outlook indicates that the signature on a
  received message is valid, but does not indicate
  that the certificate contains NO name that
  matches the FROM field in the e-mail!
• IPsec product use of certificates has been
  haphazard

11
State of the Art Crypto Hardware

• CA crypto modules
• Very few have been designed to support CAs
• Some offer high assurance (FIPS 140 level 3/4)
• Some offer high performance
• But only one processed certificates and CRLs (vs.
  hashes)
• CA systems are very vulnerable to a wide range of
  attacks
• User crypto modules
• Smart cards are getting more powerful, more
  secure
• Other formats possible too (e.g., USB tokens)
• Signature generation devices face the what did I
  just sign? problem, a serious problem for
  applications supporting legally binding digital
  signatures

12
State of the Art CAs

• We have a number of large scale CAs
• VeriSign has a commanding position in the web
  server certificate space, and significantly
  influences public notions of PKI
• The EU promotes liaise fare private sector CAs,
  hoping to spur competition, and has created a
  level playing field for them
• In Asia, we see more of a government-influenced,
  national-level PKI orientation, for citizens and
  organizations
• The first two of these models emphasizes trust
  over authority
• We are missing a very obvious, big CA system
  opportunity the Internet Domain Name System
  (DNS)
• We can make use of closed CAs for most
  applications, and organizations are doing this
  today

13
PKI Cost Privacy Issues

• Costs
• CA technology can be expensive, or free
  (commercial products vs. open source)
• Recurring costs for certificates are an issue
• Credential issuance is fundamentally expensive,
  hardware tokens can make it even more expensive
• Privacy
• Names in certificates may be sensitive, e.g., if
  they include organization chart data
• Companies are reluctant to put certificates in
  directories, due to concerns over spam and
  employee poaching

14
Future Trends in PKI?

• More government-issued certificates
• More focus on authorization vs. authentication
• Many certificates vs. one certificate per user
  the naming problem
• Better understanding of the role of trust in PKI
• One proposed PKI illustrates several of these
  trends
• An IP address space allocation PKI

15
Passports Visas

• New standards for passports agreed to by
  international community
• Will be phased in over several years, as existing
  passports need to be renewed
• Passports will contain a chip, RF readable
• Chip stores electronic format of passport text
  and biometric data, e.g., photo, fingerprint,
• Data is digitally signed by issuing country,
  verifiable by other using issuers public key
• Privacy concerns forcing additional safeguards
  against covert reading of passport chips

16
Identification vs. Authorization

• Most PKIs focus on identifying entities (users,
  devices, etc.) as a basis for machine-enforced
  authorization or for human value judgments (do I
  trust e-mail from him?)
• Thus CAs emphasize the procedures they use to
  verify the identity of certificate subjects
• For many big CAs, there is an assumption that a
  single certificate is all a user should need
• This assumes that one identity is sufficient for
  all applications, which contradicts experience
• For personal privacy, multiple, independent
  certificates for each user are preferable

17
The One Certificate Fallacy

• Individuals have multiple identities, each
  appropriate and meaningful in a different, often
  limited context
• Unless these identities are embedded in
  certificates, it will be necessary to map from a
  certificate subject name to the locally
  meaningful ID for authorization
• This mapping requires another registration
  activity, which is what a CA/RA does
• The mapping database also represents an
  opportunity to introduce additional errors into
  the authorization process
• So, if each relying party has to execute this
  activity for each user, what is the point of a
  user having a single identity certificate?

18
Names in a PKI

• Names in a PKI must be unique relative to a
  well-defined context, but may not be globally
  unique
• A CA issuing a certificate must ensure uniqueness
  among subject names in the certificates it issues
• Its easy to make a name globally unique just
  add a qualifier (a number)
• However, most names that are globally unique are
  not globally meaningful!
• Relying parties need meaningful names for
  authorization decisions or value judgments, and
  thus users need different certificates to
  interact with different relying parties, in
  context

19
Names for Me

• Frequent traveler names
• Postal name
• E-mail names
• Government system (e.g., tax) names
• Public utility (e.g., electricity) names
• Credit card names
• Professional society names
• Merchant-issued names (video rental store, LL
  Bean, Lands End, MacMall, )

20
Whats Trust got to do with PKI?

• The term trust is almost always used when
  discussing PKIs, yet explicit trust is separable
• Trust is not transitive, yet certificate paths
  are graphs representing transitive relationships!
• Trust is not quantitative, yet certificate path
  validation usually yields a yes/no answer
  (relative to an application context)
• PKIs can be created that do not require explicit
  trust, by moving extant user credentials from the
  physical world to cyberspace
• This too argues for multiple certificates per
  user and against most TTP CA systems

21
A PKI for Internet Addresses

• Today, it is not easy to demonstrate to an ISP
  that an organization holds a block of IP
  addresses (a prefix)
• Internet routing security requires an ability to
  verify that a given ISP is a authorized to
  advertise a route for a prefix
• A security infrastructure for routing could be
  built using a PKI for address holders, plus route
  origination authorizations
• A PKI of this sort illustrates some of the trends
  I noted
• The PKI is about authorization vs. authentication
• The CAs are authorized vs. trusted
• Subject names in certificates are largely
  irrelevant
• RFC 3779 defines an X.509 extension for address
  blocks

22
IP Address Space PKI
IANA (CA)
APNIC
RIPE NCC
LACNIC
ARIN
AFRINIC
APNIC Repository
ISPX
ISPY
ISPZ
SUBL
SUBK
SUBL
SUBL
23
Conclusions

• PKI has made important progress in the last
  decade, but is not so successful as some hoped
• We have enough basic standards, crypto
  technology, PKI-enabled applications, although
  each could be better!
• Impediments to more widespread use are varied
  unrealistic expectations, privacy issues, poor
  user interfaces, operational costs,
• Future PKI trends may include
• More authoritative vs. trusted CAs, e.g.,
  Governments
• More emphasis on authorization vs. authentication
• Use of certificates in a wider range of contexts

24
Thank You