Chapter 2: CAs and PKIs

This chapter describes CAs and PKIs.

Two of the many well-known CAs on the Internet are VeriSign (http://www.verisign.com) and Thawte (http://www.thawte.com). You may find it useful to look at their Web sites from time to time while reading this chapter.

At this point we need to introduce the term "entity". A user of a network or intranet or the Internet might not be an individual person - it could be an organization, or even a machine. So we'll use the more general term "entity" from now on.

Trust

So far, we've assumed that you and the people you communicate with know and trust each other. In real life, this is unlikely to be the case. On the Internet, or a big organization's intranet, you are one of a great many people, all potentially communicating with each other, and unlikely ever to know each other personally.

In the previous chapter, we introduced certificates as a way of making an entity's public key available to anyone who wants it.

To prove that the entity is trustworthy, an entity's certificate is created and digitally signed by someone who knows the entity personally, or at least is able to check up on them personally, and who is in turn trusted by others. In this way the certificate also serves - like a traditional paper certificate - as a proof of the entity's trustworthiness. SSL software includes a function to display a certificate on the screen so a user can check the details of the owner and the signatory.

And the person who signed the certificate can in turn have a certificate signed by a third person, and that person can in turn have a certificate signed by a fourth, and so on. Each certificate includes a record of this chain of certificates.

This is called a "web-of-trust model", and in a small organization it may be sufficient, since it's fairly easy to ensure that anyone checking a certificate will find someone he or she knows and trusts in the chain of signatories on the certificate. But it's not scalable; that is, it won't work for a big organization consisting of thousands of people mostly unknown to each other - and certainly not for the Internet.

The solution to this is a PKI, which we describe later in this chapter.

What is a CA?

Since you yourself can't possibly check up on all your contacts, you need someone who can - someone who can investigate entities, perhaps meet them in person, and then provide a statement to other entities that they are trustworthy. A Certification Authority (CA) is a body that does this. For an intranet, the CA might be a department within your organization. For the Internet, there are well-known CAs that provide this service.

This raises several questions

How does the CA show it trusts an entity?

They issue certificates. Once they have satisfied themselves that an entity is genuine and trustworthy, they create a certificate as described above, containing the entity's public key, and the entity's identity details such as name, location, DNS host name, etc. They send this certificate to the entity to store, and keep a copy themselves.

The CA generally has a server dedicated to this function, and this machine is also known as the CA.

You can configure your SSL software to compare a received certificate to a list of known trusted CAs. As described above, you can also have your SSL software display a certificate on your screen for you to check the details.

How does the CA check on entities?

This is an important point, and a CA will have a Certificate Policy (or Practice) Statement (CPS) explaining how they do it. Typically this is available on the CA's Web site for anyone to read.

This check is what anchors electronic communications to the real world. Typically it involves the entity, or its representatives if it is an organization, actually presenting themselves in person to the CA, with proof of identity. If this is not practicable because entities wanting certification are geographically wide-spread, the CA will have Registration Authorities, local branches that carry out the in-person checks and then forward approval to the central CA.

Again, the RA uses a server which is itself known as the RA. The connection between the RA and CA is likely to be an electronic one - the RA notifies its approval to the CA, which then issues the certificate. At both levels, though, there are likely to be actual human beings making the decisions to recognize the proofs of identity, and to grant the certificates.

If the entities wanting certification are too widespread even for RAs to be within reach of them all, then the CA may use notaries - individuals authorized to check identification in person and forward the details to the CA or one of its RAs.

All these policies should be detailed in the CA's CPS - this document and the policies it describes are as important a part of a PKI as the SSL technology itself.

Why should you trust the CA?

The above all depends on the CA themselves being trustworthy. Who gave them the right to check identities and issue certificates pronouncing people trustworthy?

For the intranet of a company or other organization, the CA is likely to be a department set up at the management's direction. For the Internet, a number of privately run CAs have been established, which have become widely trusted simply because they have earned a world-wide reputation.

To maintain its reputation, a CA would be expected to keep its CA server extremely secure, not only from hackers, but also from physical on-site interference, to ensure that certificates cannot be created other than by the official route. If you read a CA's CPS, you should expect to find strict, detailed rules about physical access to the server by the CA's staff.

How do you know the certificate really came from the CA?

They sign it.

In addition to the data described earlier (the public key, name , etc of the certified entity), a certificate contains the CA's digital signature. As described earlier, this provides proof - in some countries, legal proof - that it came from the CA.

What is a PKI?

A PKI is the whole system described in the preceding sections - one or more CAs, their procedures (defined in their CPS's) for vetting applicants for certificates, and for handling and issuing certificates, and the SSL software used by entities to send, receive, and check certificates.

The Internet has, in effect, its own world-wide PKI, based around internationally known CAs such as Thawte, VeriSign and others. An organization, such as a company, can set up its own PKI for use within its intranet or network.

The same SSL software and world-wide standards (such as certificate formats) would normally be used in either case. The principal distinction between the world-wide PKI and a private one is that in a private one the organization would set up its own CAs, recognized within the organization.

Root and Subordinate CAs

If there were only a few CAs in the world, they would soon become overloaded. In fact, there are many. But how does a new CA show its trustworthiness? Usually, by applying for and being granted a certificate from one of the established CAs. A CA certified by another is called a subordinate CA.

A CA that is not certified by any other, but relies solely on its own reputation, is called a root CA. Even a root CA needs a certificate (we'll see below why), and the format of a certificate requires that it be signed, so they create and sign their own certificate. This is called a self-signed certificate or a root certificate.

Similarly, in a large organization, there might be subordinate CAs - for example, each department might run its own CA, each certified by the organization's root CA.

Also, a big CA such as those on the Internet might find that to cope with demand they need several CA machines. Each of these is a subordinate CA, with a certificate granted by one root CA machine.

A subordinate CA can itself certify subordinate CAs, so the standard format for a certificate includes a record of a chain of CAs, each certified by the next, back to a root CA. This chain of certificates is called the certification path. Thus a PKI is hierarchical. You trust the certificate if you know and trust any of the CAs on the certification path.

So in contrast to the web of trust described earlier, a PKI is a tree of trust, with one or more root CAs at the top, subordinate CAs below them and the actual users (client or server) at the bottom.

In a minor departure from this hierarchical nature, CAs can also cross-certify each other. For example, two government departments might each have its own PKI, with its own CA. Within each department, every member has been vetted and then certified by the relevant CA. They might then find that members of the two departments frequently need to communicate with each other. To establish trust between all the members of the two departments, effectively linking the two PKI's into one, all that is needed is for the two CAs to grant each other certificates.

How Do you Check a Certificate?

We said above that the SSL software compares a certificate to a list of known CAs. We'll describe more precisely what happens.

A CA itself has a certificate - a self-signed one in the case of a root CA. Your SSL software can store certificates (known as installing a certificate), and typically comes with the certificates of a number of well-known CAs already installed. You can install more, if you come across more CAs you wish to trust. Also, there may be periodic updates - for example, the automatic updates that Microsoft send out for Windows XP sometimes install additional CA certificates in Internet Explorer.

When your SSL software receives an entity's certificate as part of a handshake, it compares the hierarchy of CAs named in the certificate to the installed CA certificates. If any in the hierarchy matches any in the installed list, then the entity is considered to have been certified by a known and trusted CA.

Your SSL software also needs to check that the CA's digital signature in the entity's certificate is genuine. Remember that to check a digital signature your SSL software decrypts it using its owner's public key, and then compares the resulting decrypted hash with the hash that the SSL software has itself worked out from the message (in this case the entity's certificate). The SSL software obtains the CA's public key from the CA's certificate.

Certificate Validity Period and Revocation

Optionally, a certificate can contain start and end dates, when it starts and ceases to be valid. End dates are especially common, since most CAs consider it good policy to require a certificate to be renewed from time to time. Not only does it enable them to check that the holder is still genuine, but it enables them to charge for renewing the certificate.

It is sometimes necessary for a CA to revoke a certificate, for example if the holder's matching private key is lost or revealed, or if the CA ceases to consider the holder trustworthy. There are two ways a CA can do this. Both have shortcomings.

The first is to maintain a certificate revocation list (CRL), which it makes remotely accessible. A CRL can be installed in SSL software, for example in a browser, and when the SSL software is examining a certificate to see if it is trustworthy, part of the procedure is to see if the certificate is on any of the installed CRLs.

This approach has the problem that CA updates are issued periodically, so there is a delay between a CA deciding to revoke a certificate and the fact appearing in the latest issue of the CRL.

A more recent solution is for the CA to provide online certificate status - meaning that SSL software checking a certificate can contact the CA's server online and get a signed response saying whether the certificate has been revoked. The Online Certificate Status Protocol (OCSP) has been introduced for this.

This approach has the problem that it puts a high load on the CA's server.

Types of Certificates - Purpose

CAs issue different kinds of certificates, differing in what kind of checks the CA has made on the owner and consequently what purpose the certificate serves - in what roles it guarantees the owner as trustworthy. For example:

Exactly what the certificate certifies - in other words, its purpose - is stated in the certificate.

Authentication Modes

In a client/server scenario, it may be that only the server has a certificate, so that the clients can confirm the identity of the server; or it may be that clients too are required to have certificates, so that the server can identify their identities.

If only the server has a certificate, the online service is said to be operating in server-only authentication mode. If the clients too have certificates, the service is operating in full authentication mode.

If as a Web site owner you want the benefits of non-repudiation, that is, you want to be able to prove that data really was sent to you from a particular client, then you should use full authentication.

Typical Process

Here's a brief, simplified overview of what typically happens when you contact a secure Web site, that is, one using SSL. Let's say you are a Web user contacting your online bank.

In the following, remember that a symmetric algorithm is normally used to encrypt the data itself, while an asymmetric algorithm is used only to send the secret key for the symmetric algorithm.

In the following, we refer to "your browser" and "the bank's server". Of course we mean the SSL software in each.

  1. You enter the URL of the bank's login page.
  2. Your browser sends a list of symmetric algorithms it can support to the bank's server, and requests the bank's certificate.
  3. Their server replies saying which symmetric algorithm to use, and sends the requested certificate. It also sends a random number to be used in generating the secret key.
  4. Your browser checks the hierarchy of CAs shown in the bank's certificate against the CA certificates you've got installed. If there is no match, the browser flags a warning.
  5. If there is any match, the browser checks the bank's certificate against the CA that issued it, typically making the following checks and flagging a warning if any fail:
  6. Your browser generates a random number, encrypts it with the asymmetric algorithm using the bank's public key, and sends it to the bank's server.
  7. The bank's server uses the bank's private key to decrypt the random number the browser sent.
  8. Your browser and the bank's server now independently calculate the secret key from the two random numbers.
  9. As a final check, your browser and the bank's server send each other MACs of all the above messages, and check them to ensure no attacker has altered any of the messages.
  10. Your browser and the bank's server can now send each other your data confidentially, using the chosen symmetric algorithm.

Copyright © 2007 Micro Focus (IP) Ltd. All rights reserved.