Forms the certificate and calculates the user certificate hash UCH
116
Preserving Public Key Hierarchy
Geoffrey C. Grabow, CISSP
It is the intention of this chapter to propose a system in which this single point of failure is removed.
Cryptographically secure digital timestamps (CSDTs) have been used for a wide variety of purposes, including document archiving and digital notary services. By adding a CSDT to every digital certificate issued within a PKI, one now has a method for ensuring not only that the certificate is valid, but also at what point in time that validity was declared.
Sender:
DATA + KPUB(Recipient) + Encryption algorithm = EKPUB(Recipient)[Data]
The reverse of this process is also true. If the recipient encrypts data with KPRI(Recipient), it can be decrypted with KPUB(Recipient). This means that anyone can decrypt the information and confidentiality has not been achieved; but if it can be decrypted using KPUB(Recipient), then only KPRI(Recipient) could have encrypted it, thereby identifying the individual who sent the data. This is the principle behind a digital signature. However, in a true digital signature scheme, only a hash of the data is encrypted/decrypted to save processing time.
Standard PKI Hierarchical Construction
The Impact of a Root Key Compromise
The problem with this hierarchical construction is the total reliance on the security of the Root private key. If the KPRI(Root) is compromised by an attacker, that attacker can create a fraudulent CA#3, and then fraudulent
[EXHIBIT 116.1: hierarchy diagram. Recoverable labels: CA #1 (KPRI(CA#1), KPUB(CA#1)), CA #2, Alice (KPRI(Alice), KPUB(Alice)), Bob.]
If one cannot determine which CAs are to be trusted, then there is no way to determine which users' certificates are to be trusted. This causes the complete collapse of the entire hierarchy, from the top down.
Constructing Cryptographically Secure Digital Timestamps
Hash of the Certificate
For a CSDT to be bound to a particular certificate, some data must be included to tie it to the certificate in question. A hash generated by a known and trusted algorithm, such as SHA-1 or MD5, is used to provide this connection. This is the same hash that is calculated and encrypted during the Certificate Authority signing process.
Digital Signature of the Time Authority
To prevent tampering, the CSDT must be cryptographically sealed using a standard digital signature. Because the total amount of data in a CSDT is small, this can be accomplished by simply encrypting the data fields
[EXHIBIT 116.2: hierarchy diagram. Recoverable labels: Root#1 (KPRI(Root#1), KPUB(Root#1)); CA #1 (KPRI(CA#1), KPUB(CA#1)); CA #2 (KPRI(CA#2), KPUB(CA#2)); TA #2 (KPRI(TA#1), KPUB(TA#1)); Alice (KPRI(Alice), KPUB(Alice)); Bob (KPRI(Bob), KPUB(Bob)).]
Separation of Hierarchies
Of course, the X.509 standard already includes a timestamp, so it can be determined at what date and time a certificate was signed by its CA. However, if the root private key were compromised and a fraudulent CA created, that CA could simply set the time to any value desired prior to signing the certificate.
The sequence of events to add a CSDT to a public key certificate is as follows:
1. User generates the public/private key pair.
6. TA receives the request and validates the CA’s signature on the request using the CA’s public key certificate.
7. TA gets the current time from its secure time source.
12. TA returns CSDT to the CA.
13. CA validates the TA’s signature on the CSDT using the TA’s public key certificate.
14. CA verifies UCH in the CSDT against the UCH sent to the TA.
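The CA/TA exchange in the steps above, sketched as an added example (not code from the chapter). Assumptions: all function names and the JSON layout of the CSDT are hypothetical, SHA-256 stands in for the SHA-1/MD5 hashes the chapter names, and signatures are textbook RSA over Mersenne primes, a toy used only so the example runs with the standard library.

```python
import hashlib
import json
import time

def toy_keypair(a, b, e=65537):
    """Textbook RSA key from Mersenne primes 2**a-1, 2**b-1. Demo only, not secure."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, data):
    # Signature as the chapter describes it: the hash "encrypted" with KPRI.
    return pow(_h(data), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _h(data)

def ca_request(ca_key, cert):
    """CA computes the user certificate hash (UCH) and signs the request."""
    uch = hashlib.sha256(cert).hexdigest()
    return {"uch": uch, "sig": sign(ca_key, uch.encode())}

def ta_issue(ta_key, ca_pub, req, clock=time.time):
    """TA checks the CA's signature, reads its own clock, and seals UCH + time."""
    if not verify(ca_pub, req["uch"].encode(), req["sig"]):
        raise ValueError("CA signature on timestamp request is invalid")
    body = json.dumps({"time": int(clock()), "uch": req["uch"]}, sort_keys=True)
    return {"body": body, "sig": sign(ta_key, body.encode())}

def ca_accept(ta_pub, csdt, uch_sent):
    """CA checks the TA's signature, then that the CSDT covers the UCH it sent."""
    if not verify(ta_pub, csdt["body"].encode(), csdt["sig"]):
        return False
    return json.loads(csdt["body"])["uch"] == uch_sent

if __name__ == "__main__":
    ca, ta = toy_keypair(521, 607), toy_keypair(1279, 2203)
    req = ca_request(ca, b"constructed certificate: CN=Alice")  # constructed input
    csdt = ta_issue(ta, public(ca), req)
    print("accepted:", ca_accept(public(ta), csdt, req["uch"]))
    altered = dict(csdt, body=csdt["body"].replace('"time": ', '"time": 1'))
    print("altered time accepted:", ca_accept(public(ta), altered, req["uch"]))
```

Because the time value is supplied and sealed by the TA, a CSDT whose time field is changed after issuance, or one presented for a different certificate, fails the CA's checks.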
With any system providing assurance, it is necessary to have a plan of action in the event of some problem. The following outlines the minimum necessary steps if a CA is compromised.
Given:
Immediately upon determining that a compromise has occurred, the CA must:
• Inform the TA not to accept any further requests under the compromised key
• Inform its users
• Generate a new set of keys
• Issue no further certificates under the compromised key
One of the primary responsibilities of a CA is to ensure that everyone who wishes to rely on its signature has access to its public key certificate. This is also true for the TA, which must use similar methods to establish trust in its public keys. This may cause some extra effort on the part of the CA and its users.


