Chapter 9ii: Public Key Infrastructure

Question 1

• X.509 is a ITU standard that …
• X.509 is part of the X.500 family of standards (ITU)
• X.500 vision: global directory to store and retrieve entity information
• All information stored in a tree → strict naming discipline
• X.509 is the certificate standard in X.500
• X.500 never saw much deployment
• The X.509 certificate standard was reused by the IETF to create a certification standard, in particular …
• CAs and subCAs responsible for …
• The concept of a tree was given up → any CA can…

Answer 1

defines the format of public key certificates

to link domain names to public keys

controlling access to sub-trees

issue certificates for any domain

Question 2

X.509

X.509 and SSL/TLS

SSL/TLS include certificate-based authentication
* Original design of SSL by Netscape (Mozilla!)
* Goal: …
* The attack model in mind was more a criminal, less a state-level attacker

Answer 2

protect sensitive information like cookies, user input (e.g., credit cards)

Question 3

Fill in the blanks.

Answer 3

Question 4

X.509: Multiple Domain Names and “Wildcards” in Certificates

• Often, a certificate includes only one domain name, called common name (CN), e.g., net.in.tum.de
• The CN is …
• Optionally, it is possible to …:

Answer 4

stated in the subject field of the certificate

create certificates that are valid for multiple (sub-)domains

• This means, the same certificate (and asymmetric key pair) can be used by a server to serve multiple web- sites/services
• E.g.: the server uses the same cert/key pair for net.in.tum.de and webmail.net.in.tum.de
• Such alternative (sub-)domain names are listed (usually including the CN) in subject alternative name (SAN)
  fields

Question 5

X.509: Multiple Domain Names and “Wildcards” in Certificates

Benefits and Drawbacks?

Answer 5

• Benefit: simplified configuration, reduced workload, and cost for certification
• Drawback: private key leaks → affects multiple (sub-)domains/services (central point of failure/error)

Question 6

R: Root certificates

Root stores: contains certificates of trusted Root CAs–> Explain.

Root store processes–> Explain.

Answer 6

Root stores: contains certificates of trusted Root CAs
* Root certificates are “self-signed”
* Every application that uses X.509 has to have a root store,
i.e. a set of certificates of “trusted” CA (trusted to issue certificates to the correct entities)
* Operating Systems have root stores: Windows, Apple, Linux
* Browsers use root stores: Mozilla ships their own, IE uses Windows’ root store, etc.

Root store processes
* Every root store vendor has their own process to determine if a CA is added or not
* A CA’s Certification Policy Statements (CPS) are assessed
* Mozilla: open discussion forum (but very few participants)
* Commercial vendors (Microsoft, Apple): little to no openness

Question 7

Intermediate Certificates

Why do we need intermediate certificates?

Answer 7

Intermediate certs: part of a certificate chain, but neither a root certificate nor an end-entity certificate.

• Protect your main root certificate:
• To delegate signing authority to another organization: sub-CA

Question 8

Hazards of Sub-CA/Intermediate Certificates

Answer 8

Sub-CA/intermediate certs have the same signing authority as Root CA/root certs:

SSL proxies

Cross Signing: A (Sub-)CA signs a root or signing certificate of another (Sub-)CA

Question 9

Hazards of Sub-CA/Intermediate Certificates

Sub-CA/intermediate certs have the same signing authority as Root CA/root certs: explain.

Answer 9

• Example: Russian Sub-CA might sign certificate of Ukrainian web site
• DNS restrictions (name spaces a CA is responsible for/allowed to sign) are in the standard
• The restriction must be supported on client-side
• This feature is little used

Question 10

Hazards of Sub-CA/Intermediate Certificates

SSL proxies

• SSL proxies allow …
• Using SSL proxies, …
• Used by companies in order to ….
• Requires that SSL Proxy can ….
• CAs have issued intermediate CA certificates for ….
• Worst: the holder of the sub-CA is …
• Since outing of first such CA, Mozilla requires …

Answer 10

the transparent rewriting of certificate chains – a classic Man-in-the-middle attack

end-to-end protected traffic can be monitored

avert industrial espionage, etc. (but also by state level attackers)

“on the fly” issue valid (but actually forged) certificates of visited websites

companies that operate a SSL proxy

suddenly as powerful as all CAs in the root store

practice to be disclosed, and stopped

Question 11

Hazards of Sub-CA/Intermediate Certificates

Cross Signing: A (Sub-)CA signs a root or signing certificate of another (Sub-)CA

• Cross signing is able to subvert control of the root store vendor: exemplify.
• In a business-to-business model, this makes sense:
  why?

• A special case of intermediate cert

Answer 11

• Example: Entrust (US CA) has signed CNNIC (Chinese CA) long before CNNIC became part of the root store in Mozilla
• CNNIC-issued certificates suddenly became valid
• For the WWW, it completely breaks the root store model
• Two businesses wishing to cooperate cross-sign each other
• Makes it easy to design business processes that access each others’ resources via SSL/TLS

Question 12

Answer 12

Browser (Client) Root Stores
Remember:
* Your browser or your OS chooses the ‘trusted CAs’. Not you.
* All CAs have equal signing authority (there are efforts to change this)
* Any CA may issue a certificate for any domain.
* DNS path restrictions are a possibility; must be set by the CA in their signing cert
* A globally operating CA cannot feasibly set such restrictions in their root cert

The weakest CA determines the strength of the whole PKI. This is also true if the CA is a sub-CA.