Password Enabled Public-Key Infrastructure (PKI): Virtual Smartcards vs. Virtual Soft Tokens Ravi Sandhu Chief Scientist Single. Sign. On. Net & Professor, George Mason University Mihir Bellare Chief Cryptographer Single. Sign. On. Net & Professor, Univ. of California--San Diego Ravi Ganesan Chief Executive Officer Single. Sign. On. Net 11417 Sunset Hills Rd. , Reston, VA 20190
Why Password. Enabled PKI • Smartcards have not happened – It’s the smartcard readers stupid! – Roaming capability is critical – Even Do. D is stretched in large-scale deployment • Trends are not in favor of smartcards – Deployment scale of 10’s or even 100’s of millions of users – Computing devices are proliferating – Large installed base of reader-less computers Smartcards are likely to remain a highassurance niche application 2
Solve PKI Gap and Silo Problem Result • Phased migration path • No “quantum jump” • PKI integral, not silo’d Strong PKI Systems PKI with Password Convenience Password Usability PKI Hardened Passwords PKI Capability No change for users No change for issuer Weak Password Systems Eliminate weaknesses 3
A Common Misperception • Fact: Password based systems are often vulnerable to attacks • Myth: Passwords are inherently insecure. • Fact: It is completely possible to design a sufficiently secure password system. Designing sufficiently secure password-based systems is non-trivial but it is possible. 4
Another Common Misperception • Fact: Users hate current password systems that require – too many passwords and – force too many changes • Myth: Users inherently hate passwords. • Fact: It is completely possible to design a user friendly password system with PKIenabled Single Sign On. Designing user-friendly and sufficiently secure password-enabled PKI systems is non-trivial but it is possible. 5
Password Vulnerabilities and Counter-Measures • Bad password selection – enforce complexity rules • On-line guessing attack – throttling mechanism • Off-line guessing (dictionary attacks) – don’t reveal required information (we know how to design such protocols) • Undetected theft and sharing – online intrusion detection to discover – deter sharing, e. g. , sharing reveals sensitive user information • Use of same password at strong and weak servers – user awareness and education • Password reuse – don’t force unnecessary password changes • Server spoofing – use secure protocols to prove knowledge of password w/o sending it – limit password exposure to trusted servers • Server compromise – use hardened servers or multiple servers 6
Password Benefits • Instant roaming capability • Proven user acceptance – 100’s of millions of passwords usages per day in cyberspace • Cheap • Self-maintained – Password resets – Password change 7
Traditional Public-Key Infrastructure (PKI) • How to distribute public-keys – Digital Certificates – Certificate Revocation Lists • How to distribute private-keys (long-term) – Smartcards • The private key never leaves the smartcard • Often called a hard token • How to distribute private-keys (short-term) – Password protected on the hard disk • Not very mobile – Password protected on a floppy disk • Often called a soft token 8
“Modern” Public-Key Infrastructure (PKI) • How to distribute public-keys – Digital Certificates – Certificate Revocation Lists – On-line servers for certificate validation • How to distribute private-keys (long-term) – Smartcards • The private key never leaves the smartcard • Often called a hard token • How to distribute private-keys (short-term) – Password protected on the hard disk • Not very mobile – Password protected on a floppy disk • Often called a soft token – On-line servers for password-enabled mobility 9
Approaches How to marry PKI and Passwords? • Approach 1: Virtual Soft Token Use password to encrypt private key and store it on remote server(s). Need password to RETREIVE private key. • Approach 2: Virtual Smartcard The password is part of the composite private key. Need password to USE private key. 10
Trivial Insecure Virtual Soft Token • Private key encrypted with user’s password is stored on an on-line server Epwd(private-key) • Anyone is allowed to retrieve the encrypted private key • Only the user can decrypt it using the password • Unacceptable risk due to dictionary attack 11
Cryptographic Camouflage, Hoover and Kausik • Epwd(private-key) • Dictionary attack – Knowledge of public key allows attacker to obtain known plaintext – So prohibit knowledge of public key resulting in closed public-key system 12
EKE Roaming, Bellovin -Merritt et al • Store Epwd(private-key) on server • Transmit EK(Epwd(private-key)) where K is a strong symmetric key • K is established using passwordbased authenticated key exchange protocol (such as EKE or SPEKE) – Immune to off-line dictionary attack 13
Hardened Password Roaming, Kaliski-Ford • User’s “hardened password” is retrieved at any computer from two on-line servers – Compromise of both servers is required to compromise “hardened password” – Successful retrieval of “hardened password” requires knowledge of user’s password • User’s private key is retrieved by means of “hardened password” • Once retrieved the user’s private key can be freely used on this computer 14
Step Credential Servers 1 & 2 als Alice knows Password, Pa 1: A lice send s p Ste Pa sk : A 5 for ti den Cre Long term private key is locked with ‘hardened password’ H. Need duplicate credentials server for redundancy. Client Computer Step 2: Client Computer starts process e ep St Ste p 4: Security Servers 1 & 2 Security server with partial knowledge of ‘H’ (H 1). Need duplicate server for redundancy. r Ce n tur R 7: 2 : Ge t. H 3 tep S n ta H ) Step 6: Check if Cert is revoked 1 t. H Ge d Step 8: Use H to decrypt private key D (D Step 9: Finally get around to logon or sign operation! Revocation Servers 1 & 2 Security Servers 3 & 4 OCSP server to check for revocation Security server with remaining knowledge of ‘H’ (H 2). Need duplicate server for redundancy. 15
Approaches How to marry PKI and Passwords? • Approach 1: Virtual Soft Token Use password to encrypt private key and store it on remote server(s). Need password to RETREIVE private key. • Approach 2: Virtual Smartcard The password is part of the composite private key. Need password to USE private key. 16
Trivial Insecure Virtual Smart Card • Keep the private key on an on-line server • Use the password as authentication to enable use of the private key on the server • Lose non-repudiation 17
We want: 1. Appliance takes A ID: Castle Corp FN: Castle C LN: Corp. C. C A And creates A 2. Alice takes A And creates A A 3. But (presto!) A A A 18
The Practical PKITM Approach Password CA A • A Alice has password P which ONLY she knows. Password P expands to key d 1 on computer. A A Secure Identity Appliance has • key d 2 for Alice which ONLY it knows. • As before, Alice has public cert, with public key e, signed by a CA. Process Alice authenticates to appliance, sets up secure channel and sends M. Appliance performs partial signature on M with its key for Alice d 2. Alice completes signature with her key d 1. ID: Castle Corp FN: Castle C LN: Corp. C. 1. Secure Identity Appliance A 2. 3. C A 19
Comparison Traditional PKI Keys: a) Alice Public = e b) Alice Private = d c) Alice Cert = C Practical PKITM Send [S, C] to Bob Keys: a) Alice Public = e b) Alice PKCS 5(password, salt, iteration count) = d 1 c) Alice Cert = C d) Alice appliance key = d 2 Signing: a) Alice logs on to appliance using d 1 and creates secure channel a) Spartial = Sign(M, d 2) b) S = Sign(Spartial, d 1) Send [S, C] to Bob: Gets e from C Does Verify(S, e) = M? Signing: a) S = Sign (M, d) 20
Comparison Traditional PKI Difference #1: Alice has short convenient password Practical PKITM Keys: a) Keys: Alice Public = e a) Alice Public = e b) Alice Private = d b) Alice PKCS 5(password, salt, iteration count) = d 1 c) Alice Cert = C d) Alice appliance key = d 2 Signing: a) S = Sign (M, d) a) Alice logs on to appliance using d 1 and creates secure channel Difference #2: Alice has to a) Spartial = Sign(M, d 2) interact with appliance to sign. b) S = Sign(Spartial, d 1) Send [S, C] to Bob Bob: Gets e from C Does Verify(S, e) = M? 21
Comparison Traditional PKI Keys: a) Alice Public = e b) Alice Private = d c) Alice Cert = C Practical PKITM Send [S, C] to Bob Keys: a) Alice Public = e b) Alice PKCS 5(password, salt, iteration count) = d 1 c) Alice Cert = C d) Alice appliance key = d 2 Signing: a) Alice logs on to appliance using d 1 and creates secure channel a) Spartial = Sign(M, d 2) b) S = Sign(Spartial, d 1) Send [S, C] to Bob: Gets e from C Does Verify(S, e) = M? NOTHING ELSE Signing: a) S = Sign (M, d) CHANGES!!!! 22
Strong Fraud Management Velocity Checking Easy to report ID CANNOT BE USED ANY FURTHER! INSTANT, COMPLETE, REVOCATION ID: Alice FN: Alice LN: Smith Email: alice@cc. com. . A C A ID stolen Theft detected Theft reported CA revokes ID Recipient (we hope) stops accepting ID 23
Every signature requires appliance interaction. So appliance logs can be used for velocity checking. Velocity Checking Strong signature requires Every Fraud appliance interaction. Once revoked key cannot Management be used further! Instant, Consumer or CSR can use password to revoke instantly! complete revocation! Easy to report ID CANNOT BE USED ANY FURTHER! INSTANT, COMPLETE, REVOCATION ID: Alice FN: Alice LN: Smith Email: alice@cc. com. . A C A ID stolen Theft detected Theft reported CA revokes ID Recipient (we hope) stops accepting ID 24
Single. Sign. On. Net • Practical PKITM solution – Ease of use: password based – Quick to deploy – Simple to manage with least privilege – Velocity checking and instant revocation – Reusable for multiple applications • Web, Wireless, VPN, email, etc. – Use existing standards and widely deployed technologies 25
Summary • Password enabled solutions are poised to jump start the stalled PKI car. • Major vendors jumping into password enabled solutions using on-line servers is a good sign. • “Many servers” are not all good, and have quality/security downside. • Making password a part of the composite private key (virtual smartcards) provides substantial advantages over using password to retrieve private key (virtual soft tokens). 26
Скачать презентацию Password Enabled Public-Key Infrastructure PKI Virtual Smartcards vs
f23922838be11a6fc916f6a4b8fe3210.ppt