CS 513 - System Security
Lecture 12

Lecturer: Professor Fred B. Schneider
Notes by: Vicky Weissman
Lecture Date: 3/7/00


Today's Topics

Multiple CAs

Public key cryptography relies on a CA to distribute public keys. By using multiple CAs, the cryptosystem can perform well in large networks and can accommodate principals with different trust requirements.

Multiple CAs - Chaining

Let Kx refer to x's public key.

Given:

2 principals, P and Q, and n certification authorities, CA1, CA2, ..., CAn
where P knows KCA1, CAn has KQ, and each CA has the public key for the next CA in the sequence

An algorithm for P to get KQ is:

for i = 1 to (n-1) { use CAi to get KCA(i+1) }
use CAn to get KQ

Example: Given the public key of the CA responsible for edu/*, get the public key for edu/cornell/fbs.
Use the given key to get the public key for cornell/*. Use the public key for cornell/* to get fbs's public key.

Multiple CAs - Trust Management

The Internet Policy Registration Authority (IPRA) rates CAs according to 3 policy certificate authority (PCA) classes. The classes are:
  1. high assurance
    • all reachable CAs use strict tests to verify identity before issuing certificates
    • designed for military use
  2. discretionary assurance
    • the CA is well-managed, but may be used to access insecure services
    • designed for corporate America
  3. no assurance
    • the CA does not issue 2 certificates for the same principal
The level of confidence that a public key is correct corresponds to the least secure rating of any CA used to obtain the key.

Another way to do trust management is called a 'web of trust'. It is implemented by Pretty Good Privacy (PGP). In this approach, each user maintains a set of principals that are trusted to supply correct bindings. (The trusted set can be obtained through personal contact such as key parties.) A binding is valid if it is signed by a trusted principal or by multiple, partially trusted principals.

Reasoning about Statements

Given a statement, S, and 2 principals, P and Q, the following inference rules can be used to reason about a statement's validity:
1.   (P controls S)    (P said S)
     ____________________________

                  S


2.                   {S}P
     ______________________________________________

     (KP said S) where KP is the key used to sign S


3.   (P speaks for Q)    (P said S)
     ______________________________

               (Q said S)

Example:

Given {x, Kx}CA and {m}x, deduce that x said m

{x, Kx}CA -> (KCA said 'Kx speaks for x') by Rule 2 (and the definition of a binding)
Assuming KCA speaks for CA, CA said 'Kx speaks for x' by Rule 3
Assuming CA controls the binding, 'Kx speaks for x' by Rule 1

{m}x -> (Kx said 'm') by Rule 2
Since Kx speaks for x, x said 'm' by Rule 3

Note: In the above example, -> is a meta-logical operator used to separate the hypotheses from the conclusion of an inference rule.
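
The derivation above can be checked mechanically. The following is an added example, not part of the original lecture notes: a small forward-chaining engine that applies Rules 1-3 until nothing new follows. The tuple encoding of statements and the names key, derive, BINDING, SIGNED and ASSUMED are assumptions of this sketch.

```python
# Added example: forward chaining over the three inference rules above.
# Statements are tuples: ("signed", S, P) is {S}P, ("said", P, S),
# ("controls", P, S), ("speaks_for", P, Q). Encoding is an assumption.

def key(p):
    """K_p: the public key of principal p."""
    return ("K", p)

def derive(hypotheses):
    """Return (closure, proof) of the hypotheses under Rules 1-3."""
    facts, proof = set(hypotheses), []
    changed = True
    while changed:
        changed = False
        new = []
        for f in facts:
            if not isinstance(f, tuple):
                continue
            if f[0] == "signed":                 # Rule 2: {S}P => K_P said S
                _, s, p = f
                new.append(("Rule 2", ("said", key(p), s)))
            elif f[0] == "said":
                _, p, s = f
                if ("controls", p, s) in facts:  # Rule 1: P controls S, P said S => S
                    new.append(("Rule 1", s))
                for g in facts:                  # Rule 3: P speaks for Q, P said S => Q said S
                    if isinstance(g, tuple) and g[0] == "speaks_for" and g[1] == p:
                        new.append(("Rule 3", ("said", g[2], s)))
        for rule, concl in new:
            if concl not in facts:
                facts.add(concl)
                proof.append((rule, concl))
                changed = True
    return facts, proof

# The lecture's example. BINDING is the content of {x, Kx}CA: 'Kx speaks for x'.
BINDING = ("speaks_for", key("x"), "x")
SIGNED = [("signed", BINDING, "CA"),             # {x, Kx}CA
          ("signed", "m", "x")]                  # {m}x
ASSUMED = [("speaks_for", key("CA"), "CA"),      # assumption: KCA speaks for CA
           ("controls", "CA", BINDING)]          # assumption: CA controls the binding

if __name__ == "__main__":
    facts, proof = derive(SIGNED + ASSUMED)
    for rule, concl in proof:
        print(rule, "=>", concl)
    print("x said m:", ("said", "x", "m") in facts)
```

Dropping either entry of ASSUMED leaves (x said m) underivable, which shows that the two signed messages alone prove nothing without the trust assumptions about the CA.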