public key infrastructures - eindhoven university of ... · public key infrastructures … a public...
TRANSCRIPT
![Page 1: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/1.jpg)
Public Key
Infrastructures
Andreas Hülsing
![Page 2: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/2.jpg)
Public Key Infrastructures
… a public key infrastructure (PKI) is designed to
facilitate the use of public key cryptography.
Source: Housley, R. and Polk, T.: Planning for PKI; Wiley 2001
PAGE 1 19-5-2014
![Page 3: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/3.jpg)
Tasks of a PKI
• Assure that the public key is available
• Assure that the public key is authentic
• Assure that the public key is valid
• Enforce security and interoperability
PAGE 2 19-5-2014
![Page 4: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/4.jpg)
Authenticate Public Keys
• Bind public key to electronic identity
• Seal the binding
• Answer for the binding
Public key certificates
PAGE 3 19-5-2014
![Page 5: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/5.jpg)
Public Key Certificate
Public key certificates are data structures that bind
public key values to subjects. The binding is
asserted by having a trusted CA digitally sign each
certificate …
[From RFC 5280]
PAGE 4 19-5-2014
![Page 6: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/6.jpg)
Public Key Certificate
PAGE 5 19-5-2014
![Page 7: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/7.jpg)
Public Key Certificate
PAGE 6 19-5-2014
Digital Signature
Subject (Name)
Public-key Binding eID public key
protection of authenticity
![Page 8: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/8.jpg)
Certificate Properties
• Protected binding of a key to the key holder
• Its authenticity is independent of the means of
transportation
• It can be used online and offline
• It is a proof of the binding
• It can be used for key servers
PAGE 7 19-5-2014
![Page 9: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/9.jpg)
Certificate Standards
PAGE 8 19-5-2014
• X.509 • X.509 (ITU-T)
• PKIX (RFC 5280)
• Pretty Good Privacy (PGP) • OpenPGP (RFC 4880)
• GNU Privacy Guard (GnuPG or GPG)
• WAP certificates • Like X.509 certificates but smaller
• Card Verifiable Certificates (CVC) • Even smaller than WAP certificates
• Simple PKI / Simple Distributed Security Infrastructure • SPKI, pronounced spoo-key
• SDSI, pronounced sudsy
![Page 10: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/10.jpg)
Validity of Public Keys
• Monitor binding public key electronic identity
key owner
• Establish time constraints
• Provide means to revoke binding
Certificate revocation
PAGE 9 19-5-2014
![Page 11: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/11.jpg)
Certificate Revocation
PAGE 10 19-5-2014
• Abortive ending of the binding between
• subject and key (public key certificate)
OR
• subject and attributes (attribute certificate)
• The revocation is initiated by
• the subject
OR
• the issuer
• Typical frequency (assumption):
• 10% of the issued certificates will be revoked (See: “Selecting
Revocation Solutions for PKI” by Årnes, Just, Knapskog, Lloyd and Meijer)
![Page 12: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/12.jpg)
Certificate Revocation List
PAGE 11 19-5-2014
![Page 13: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/13.jpg)
Publish Public Key Information
PAGE 12 19-5-2014
• Directories • (L)DAP
• Active Directory
• Web pages • HTTP
• File transfer • FTP
• Services
• OCSP
• SCVP
![Page 14: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/14.jpg)
LDAP
PAGE 13 19-5-2014
![Page 15: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/15.jpg)
Security of Key Pairs
Select suitable algorithms and key sizes
Monitor possible security threads and react adequately
Provide suitable means to generate key pairs
Provide suitable formats and media to store private keys
Provide suitable means of delivering private keys
Personal security environments
PAGE 14 19-5-2014
![Page 16: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/16.jpg)
PSE: Smartcard
PAGE 15 19-5-2014
![Page 17: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/17.jpg)
Interoperability
• Comply to accepted (international) standards
• Certificates / revocations
− X.509, PGP, SPKI/SDSI, …
• Directory services
− (L)DAP, Active Directory, …
• Cryptographic algorithms / protocols / formats
− PKCS, RFC, …
• Constraints on content and processing
− PKIX, ISIS-MTT, …
PAGE 16 19-5-2014
![Page 18: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/18.jpg)
Policy Enforcement
• Certificate policy (CP)
• States what to comply to
• Certificate practice statement (CPS)
• States how to comply
• Policies are enforced by the PKI through:
• Selecting standards, parameters, hardware, …
• Monitor behavior of involved parties
• Reacting on infringement of the policy
PAGE 17 19-5-2014
![Page 19: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/19.jpg)
Trust Models
PAGE 18 19-5-2014
![Page 20: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/20.jpg)
Trust
The perhaps most important part of a PKI is to
establish trust in the binding between an entity and a
certificate
PAGE 19 19-5-2014
![Page 21: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/21.jpg)
Direct Trust
PAGE 20 19-5-2014
• User receives public key directly from owner
OR
• User verifies public key directly with owner
![Page 22: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/22.jpg)
Most Common: Fingerprint comparison
PAGE 21 19-5-2014
Fingerprint = hash value of the certificate (incl. Signature) (e.g. SHA1)
![Page 23: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/23.jpg)
Face-to-Face Verification
PAGE 22 19-5-2014
![Page 24: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/24.jpg)
Phone Verification
PAGE 23 19-5-2014
![Page 25: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/25.jpg)
Web Page Verification
PAGE 24 19-5-2014
http://www.cacert.org/index.php?id=3
![Page 26: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/26.jpg)
Printed Media Verification
PAGE 25 19-5-2014
BNetzA publishes the public key
![Page 27: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/27.jpg)
…and more
PAGE 26 19-5-2014
~# gpg --list-public-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
sub 2048g/8495160C 2000-10-19 [expires: 2006-02-12]
e.g. public keys on software CD/DVD
![Page 28: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/28.jpg)
Summary: Direct Trust
• Establishes • Which keys are authentic
• Why they are considered authentic
• Bad scalability • n * (n-1) = O(n2) verifications
• Worse complexity than secret key exchange!
• Basis for all other trust models • To be seen
PAGE 27 19-5-2014
![Page 29: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/29.jpg)
PGP (Pretty Good Privacy)
PAGE 28 19-5-2014
![Page 30: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/30.jpg)
Web of Trust
PAGE 29 19-5-2014
[From PGP-Pretty Good Privacy by Simon Garfinkel]
![Page 31: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/31.jpg)
Web of Trust
PAGE 30 19-5-2014
A web of trust is a concept used in PGP, GnuPG, and
other OpenPGP-compatible systems to establish the
authenticity of the binding between a public key and a
user.
Its decentralized trust model is an alternative to the
centralized trust model of a public key infrastructure
(PKI), which relies exclusively on a certificate authority
(or a hierarchy of such).
Source: http://en.wikipedia.org/wiki/Web_of_trust
![Page 32: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/32.jpg)
Key Validity
PAGE 31 19-5-2014
• Alice computes key validity using Bob’s signatures
Carl
Dorian
Bob Alice
![Page 33: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/33.jpg)
Chaining Key Validity
PAGE 32 19-5-2014
• Alice computes key validity using Bob’s and Carl’s
signatures
Alice Bob Carl
Dorian
Eve
![Page 34: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/34.jpg)
Public Keyring
PAGE 33 19-5-2014
![Page 35: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/35.jpg)
Public Keyring
PAGE 34 19-5-2014
Alice’s public keyring
![Page 36: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/36.jpg)
Key Validity vs. Owner Trust
PAGE 35 19-5-2014
• Key Validity:
• Is the key owner who he claims to be?
• Levels: no answer; unknown; marginal; complete;
ultimate
• Owner trust:
• Is the key owner reliable? (in respect to signing keys of others)
• Levels: unknown; none; marginal; complete; ultimate
![Page 37: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/37.jpg)
Key Validity: Levels
PAGE 36 19-5-2014
• no answer
• Nothing is said about this key.
• unknown
• Nothing is known about this key.
• marginal
• The key probably belongs to the name.
• complete
• The key definitely belongs to the name.
• (ultimate)
• (Own keys).
![Page 38: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/38.jpg)
Owner Trust: Levels
PAGE 37 19-5-2014
• unknown
• Nothing can be said about the owner's judgment in key signing.
• none
• The owner is known to improperly sign keys.
• marginal
• The owner is known to properly sign keys.
• complete
• The owner is known to put great care in key signing.
• ultimate
• The owner is known to put great care in key signing, and is allowed to make trust decisions for you.
![Page 39: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/39.jpg)
Assigning Key Validity
• Manually (Key Signing)
OR
• computed from the trust in the corresponding
signers, only considering signers with key validity
“complete” (or better).
PAGE 38 19-5-2014
![Page 40: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/40.jpg)
Assigning Key Validity
PAGE 39 19-5-2014
Alice signs the public key of other users.
![Page 41: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/41.jpg)
Key Signing: Direct Trust
PAGE 40 19-5-2014
Bob’s key validity is complete for Alice because she decided it when signing the key after verifying the fingerprint.
![Page 42: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/42.jpg)
Key Validity Computation: “complete” (1)
PAGE 41 19-5-2014
If the key is signed by at least one user with owner trust complete.
![Page 43: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/43.jpg)
Key Validity Computation: “complete” (2)
PAGE 42 19-5-2014
If the key is signed by at least x (here x=2) names with owner trust marginal.
![Page 44: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/44.jpg)
Key Validity Computation: “marginal”
PAGE 43 19-5-2014
If the key is signed by less than x (here x=2) names with owner trust marginal.
![Page 45: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/45.jpg)
Key Validity Computation: “unknown”
PAGE 44 19-5-2014
If the key is signed by no name with at least owner trust marginal
![Page 46: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/46.jpg)
Assigning Owner Trust
• Manually (Trust Setting)
OR
• computed from the owner trust of signers only using
“ultimate” valid keys.
PAGE 45 19-5-2014
![Page 47: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/47.jpg)
Trust Anchor: Owner Trust
PAGE 46 19-5-2014
Alice assigns owner trust to users.
![Page 48: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/48.jpg)
“Simple” PGP
PAGE 47 19-5-2014
Alice signs Bob’s key (level 0) and trusts him. Alice uses Bob’s signatures on Dorian’s and Frank’s
keys.
![Page 49: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/49.jpg)
Trusted Introducers
PAGE 48 19-5-2014
Alice signs Bob’s key (level 1) and trusts him. Bob signs Carl’s key (level 0) and trusts him. Alice uses Carl’s signatures on Dorian’s and Frank’s
keys. Bob = Trusted Introducer
By allowing more intermediate signers (level >1), Bob becomes a Meta Introducer
![Page 50: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/50.jpg)
PGP Certificates
PAGE 49 19-5-2014
![Page 51: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/51.jpg)
PGP Certificates: Content
PAGE 50 19-5-2014
[From http://www.ece.cmu.edu/~adrian/630-f04/PGP-intro.html]
![Page 52: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/52.jpg)
A Simple PGP Certificate - Example
PAGE 51 19-5-2014
One UserID with one signature
Legend
Public Key Packet
User ID Packet
Signature Packet
![Page 53: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/53.jpg)
Example, cont’d
PAGE 52 19-5-2014
Legend
Public Key Packet
User ID Packet
Signature Packet
One UserID with one signature and
a second UserID without signature
![Page 54: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/54.jpg)
Example, cont’d
PAGE 53 19-5-2014
One UserID with four signatures
Legend
Public Key Packet
User ID Packet
Signature Packet
![Page 55: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/55.jpg)
A More Complicated Example
PAGE 54 19-5-2014
One UserID with one signature and
a second UserID with one signature and
a second key (subkey) with one signature
Legend
Public Key Packet
User ID Packet
Signature Packet
![Page 56: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/56.jpg)
Public Key Packet
PAGE 55 19-5-2014
Creation Time Version
Public Key Algorithm
Public Key
(RSA case)
![Page 57: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/57.jpg)
User ID Packet
PAGE 56 19-5-2014
A User ID packet consists of UTF-8 text that is intended to
represent the name and email address of the key holder. By
convention, it includes an RFC 2822 mail name-addr, but
there are no restrictions on its content. The packet length in
the header specifies the length of the User ID.
[From RFC 4880]
Example:
Andreas Hülsing <[email protected]>
![Page 58: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/58.jpg)
Signature Package
PAGE 57 19-5-2014
…
…
Version Signature Type Public Key Algorithm Hash Algorithm Counter
Hashed Subpackets Unhashed Subpackets 16 bits of signed hash value Signature (RSA Case)
![Page 59: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/59.jpg)
Subpacket Content
PAGE 58 19-5-2014
• signature creation time
• signature expiration time
• exportable certification
• trust signature
• regular expression
• revocable
• key expiration time
• placeholder for backward compatibility
• preferred symmetric algorithms
• revocation key
• issuer key ID
• notation data
• preferred hash algorithms
• preferred compression algorithms
• key server preferences
• preferred key server
• primary user id
• policy URL
• key flags
• signer's user id
• reason for revocation
![Page 61: Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography](https://reader036.vdocuments.mx/reader036/viewer/2022063001/5f1550b285154506835ce7e9/html5/thumbnails/61.jpg)
PGP Revocation
• Uses Key Revocation Certificate
• generated during KeyGen using private key
• Uploading Key Revocation Certificate to one of the
public key servers revokes key pair.
• Key Revocation Certificate can contain new UserID
PAGE 60 19-5-2014