4th Annual PKI R&D Workshop Summary
Ben Chinowsky, Internet2

Note: this summary is organized topically rather than chronologically. See http://middleware.internet2.edu/pki05/proceedings/ for the workshop program, with links to papers and presentations.

The overarching theme of this fourth iteration of the PKI R&D workshop was putting PKI to use. There was much experience to report from new and ongoing PKI deployments.

Deployments

One of the largest PKI projects is the ongoing Department of Defense deployment; Rebecca Nielsen brought the group up to date on DoD's experiences. Nielsen noted that PKI cycle times are around 72 months, while hardware cycle times are more like 24 months, so you end up running on obsolete hardware much of the time. Also, while "smartcards are good," reissuance is hard when you have 3.5 million users. Organizational issues loom larger than technical ones; getting buy-in from both users and management is particularly challenging. Secure web server access is the primary application, though signing and encrypting email are also done; user education is a particular challenge with the latter ("this PKI thing is a problem because I can't sign my boss's emails anymore.") Nielsen characterized the DoD rollout as "generally successful."

Rajashekar Kailar presented experiences with Securing the Public Health Information Network Messaging System (PHINMS), deployed by CDC and its partners. PHINMS uses certificates for SSL but does not require a specific source, and Kailar noted that other means of secure authenticated transport could also be acceptable. Kailar identified this as a key lesson learned: where multiple credentials and mechanisms for security are acceptable, permit them, rather than trying to impose just one.

The PHINMS presentation was followed by a panel on PKI In Healthcare. Richard Guida presented an overview of the sector, noting that it can be divided up into four categories: companies that supply medical devices, equipment and pharmaceuticals; "points of care" (e.g. hospitals and clinics); companies that handle payments and billings (e.g. insurers); and companies or institutions that support or perform medical research, including clinical trials. Guida noted that while the strong focus on patient care at the points of care tends to lead to less of a focus on security, there is lots of growth in this sector, and lots more the research community and vendor community can do to help ensure that privacy requirements set forth under the Health Insurance Portability and Accountability Act (HIPAA) are met. Reducing the burden of paperwork, especially the burden of storing paper and moving paper around, is a particularly great need; reducing the paperwork involved in clinical trials can save time without reducing the quality of the trials. Guida cited Acrobat 6 and 7 as "exemplars" of PKI growing up. Terry Zagar discussed the biopharmaceutical industry's Secure Access For Everyone initiative (SAFE; http://www.safe-biopharma.org/). Zagar noted that PKI is much harder to scale between enterprises than within them, hence the need for common standards such as those being developed by SAFE. Many companies already have PKIs and want them to interoperate so that certificates can be accepted by outside parties; minimizing the need for reinvention is a major consideration. SAFE has embraced the use of a bridge CA as a means to this end. SAFE plans to have tens of thousands of certificates issued to doctors and other healthcare professionals by the end of the year, and hundreds of thousands by next year.

John Landwehr offered details on the Acrobat signing technology cited by Guida and intended for use by SAFE to execute and validate legally binding digital signatures that comply with regulatory requirements (FDA 21 CFR Part 11). Documents let you apply signatures inline — applying the principle of making it as much like paper as possible — and can specify parameters for allowed signatures. The technology has passed the 250+ tests in the NIST PKI test suite and is JITC certified; a FIPS 201 evaluation is underway.

In the discussion, Ken Klingenstein pointed out that the communities that seem to have the most traction in implementing role-based access control are those that have regulatory mandates that lead to common definitions of roles — above all the securities industry. The panelists agreed on the need for RBAC in healthcare, though this is still some way off. Guida noted that there are recurring problems with large institutions failing to understand rapid technical changes and accompanying opportunities; having real-world success stories to tell helps a lot in this regard. Landwehr noted that the standardization of smartcards has the potential to make cert deployment a lot easier, and Zagar stressed the importance of avoiding US-centric standards.

Mike Just discussed Canada's Secure Delivery of E-Government Services, updating the group on work presented at PKI03. EPass is now a successfully established solution; the current issues are political and legal, e.g. privacy concerns leading to multiple and burdensome enrollments. Just also noted that Canadian law has recently changed to make electronic data acceptable as legal evidence.

A WIP session by Jeroen Van de Graaf provided an overview of PKI Projects in Brazil. As in the US, projects are underway at the national government and pan-Higher-Education levels. There is also a large project in the state of Minas Gerais, driven by the need to fix the presently fraud-prone process of publishing legal judgments in newspapers. The long-term goal is to issue smartcards and certs for all 15 million residents of the state. At all levels, there is a strong bias in favor of open-source solutions, for both financial and strategic reasons. Van de Graaf also noted that a 2001 federal directive gave digital signatures the same legal status as wet signatures.

There were also two sessions on bridge deployments and PKI interoperability. Peter Alterman surveyed International and Bridge-to-Bridge Interoperability, including pending cross-certifications between FBCA and Canada, FBCA and Australia, and the DoD PKI and trusted allies. Alterman noted that where PKI-PKI cross-certification is concerned primarily with policies, bridge-bridge cross-certification requires that business practices be commensurate as well. Scott Rea followed with an update on HEBCA and Phase 4 of the PKI Interoperability Project. HEBCA grew out of the NIH-EDUCAUSE PKI interoperability pilot, and has since been moved to Dartmouth; production FBCA/HEBCA cross-certification is expected in a few months. Form-signing is the principal application.

A perspective on Side-Effects of Cross-Certification was provided by James Fisher: "It is easy to structure unintended and difficult-to-detect consequences." This assertion is amply documented in Fisher's paper and slides. In the Q&A for this session, Fisher noted that the technical aspect of bridging is relatively straightforward; it's getting the trust path to reflect what was agreed on in human-to-human trust negotiations that introduces most of the complexity.

The deployment-experience portion of the workshop was rounded out by Ken Klingenstein's survey of Interfederation Interoperability, E-Authentication and Shibboleth. There are now production federations in several countries, and many campuses and other enterprises which are themselves federal in structure have been creating federations for themselves. Indemnification issues are the biggest obstacle in getting universities to participate in federations. Klingenstein noted that SAML 2.0, ratified by OASIS earlier this year, is likely to prove a high plateau; it's "a fusion product" with Liberty Alliance, which has incorporated most of its functionality into SAML and is moving off in new directions.

Addressing recurring deployment issues

Of the presentations not concerned with specific deployments, many considered developments aimed at solving problems that recur across deployments. Note that in addition to the presentations discussed below, the proceedings include papers in this area from two contributors — Tice DeYoung and Karl Scheibelhofer — who ended up not being able to attend the workshop.

One of the most important areas of cross-deployment development is, of course, standards. With respect to IETF, PKIX co-chair Tim Polk noted that no longer is everything happening in PKIX; there are also important developments in PKI4IPSEC and LTANS. Internationalizing domain names is a major focus, and a new version of RFC 3280 with expanded support for this is expected later this year. Overall, Polk characterized the core PKI specs as stable and the supplemental specs as ready for implementation, so standards obstacles to PKI deployment are diminishing. IETF Security Area Director Russ Housley noted the creation of the ENROLL working group; it's likely that considerable research will be needed to create an effective standard in this area.

Eric Norman asked if IETF is planning to issue standards for digital signatures, given that the courts are likely to decide what's acceptable here. There was general agreement that the technical community — primarily in IETF, but also in government bodies like NARA — still needs to take the lead in guiding implementations. Housley said that social-engineering attacks based on flaws in Unicode are likely to remain a problem for some time; several working groups are studying the complex tradeoffs in this area.

Polk also surveyed the FIPS 201 project at NIST. This is a Presidentially-mandated standard for both physical and electronic access to Federal facilities; public-key cryptography and contactless smartcards are the core technologies. FIPS 201 was published in February of this year. Biometrics introduce new vulnerabilities and can compromise privacy; fingerprint images are big and therefore slow to move on and off cards. Cards were chosen over other hardware such as dongles largely because they can function as old-fashioned photo IDs as well. See http://csrc.nist.gov/piv-project/ for more on FIPS 201.

David Engberg of CoreStreet presented work on Secure Access Control with Government Contactless Cards, for FIPS 201 in particular. Engberg noted a prosaic reason for contactless cards: the contact strips on swipe cards tend to wear out after a few months. On the other hand, there are privacy risks in allowing remote access to contactless cards. Engberg also noted that processing-power limitations on PKI are "starting to melt away."

Jon Callas discussed a hybrid approach to IBE with conventional PKI. IBE as first proposed by Shamir requires a master secret on a central server, creating Kerberos-like vulnerabilities. Callas's approach addresses this by removing offline key generation; this system has also been referred to as "attribute-based enrollment". Callas noted that when you have ubiquitous devices that are hard to turn off — as is increasingly the case just about everywhere — the advantages of offline operations are minimal anyway. Callas argued that his hybrid approach can bring the advantages of IBE to existing PKIs.

Marco "Kiko" Carnut presented an IBE-like approach to Taking Cryptography Out of the Browsers. This is accomplished by a proxy, called Kapanga, that takes over functions like certificate issuing and webform signing that are often handled badly by browsers. Carnut described his approach as similar to that of Callas's "Self-Assembling PKI" as presented at PKI03: make every application an opportunity for enrollment. Carnut further elaborated his ideas in a WIP session, offering an IBE-like idea for instantaneous enrollment. In this approach, certs are issued with no authentication, and trust depends on the client CA instead of the root.

Sang Seok Lim presented a method of improving access to cert repositories via LDAP component matching. He noted that while component matching is generally considered to be the approach of choice, it's complex; his work demonstrates that the complexity can be limited enough to ensure deployability.

There were two presentations on delegation of authority. David Chadwick described a Delegation Issuing Service for X.509. One advantage of this approach is that the managers doing the delegating do not need certificates of their own. Chadwick noted that the lack of standard terminology for roles is a big obstacle to any delegation scheme, including this one. Liang Fang presented XPOLA, which stands for eXtensible Principle Of Least Authority. XPOLA is motivated by the need to reduce the time needed to get access to Grid services and by the need to improve authorization scalability and granularity.

Kenji Imamoto offered One-time ID as a solution to DoS attacks on the SEM approach to revocation. One-time ID makes use of symmetric key authentication to provide low overhead.

Two talks explored proposed extensions to the Shibboleth federating software. David Chadwick discussed Adding Distributed Trust Management to Shibboleth by combining it with PERMIS (PrivilEge and Role Management Infrastructure Standards; see http://www.permis.org/). Chadwick's paper explores several different ways to combine the two. Von Welch described Integrating Shibboleth and Globus. The motivation for this work is to get virtual organizations of scientific researchers out of the business of IT support. Integration is based on replacing Shibboleth's handle-based authentication with X.509, offering stronger security while leveraging the X.509 installed base. Working code is expected this summer; see http://grid.ncsa.uiuc.edu/GridShib/.

In a WIP session, Carl Ellison discussed the need for ceremony analysis — formal analysis of the human-to-human, out-of-band elements of security processes. Ellison argued that these elements are just as much part of security protocols as are operations that take place inside computers, and need to be taken seriously as such.

BoF on Human-Computer Interaction

More generally, it is widely agreed that human-computer interaction (HCI) is one of the areas where much work is still needed if PKI deployments are to thrive. HCI was the main focus at PKI03; an HCI BoF at PKI05 reviewed recent developments in this area. BoF chair Eric Norman has been trying to identify the minimum set of things a PKI user should need to learn, and used a draft list to get discussion started. The consensus from his previous discussion on the HCISec list (see http://groups.yahoo.com/group/hcisec/) is that this list needs to be much, much shorter. The BoF participants concurred in this judgment; Paul Danik asked "How do you teach someone with rudimentary computer skills even one of the things on Eric's list?"

The group discussed Simson Garfinkel's work on HCI (see http://simson.net/). Sean Smith was a guinea pig for Garfinkel's prototype, which he found confusing — "why are these things changing colors?" — although as several people pointed out, Smith might not be the best test subject for a system aimed at the naive user. There was general agreement that it's well worth paying attention to Garfinkel's criticisms of existing PKI user interfaces.

Smith noted that it's only in the last couple of years that phishing and IDN attacks have created broad awareness that spoofing is really a problem, and recommended taking a look at the presentations from the DIMACS Workshop on Theft in E-Commerce: http://dimacs.rutgers.edu/Workshops/Intellectual/slides/slides.html. He also pointed the group to anti-spoofing work presented at Usenix: http://www.cs.dartmouth.edu/~sws/abstracts/ys02.shtml.

The BoF participants discussed several other factors involved in making PKI usable. Carl Ellison stressed the importance of giving the relying party control over what name is used for a trusted entity, as all other information the user learns about that entity is linked to the name; this is an entrenched human behavior that no amount of "user education" can or should try to change. Jon Callas observed that "one of the principles of real human factors is, the user is always right." Callas also related an experience with certs expiring mid-transaction; there was general agreement that "about to expire" warnings are needed. Several of those present spoke well of The Design of Everyday Things by Don Norman (no relation to Eric); though the book is more about doors and clock radios than computers, its principles apply to making anything more usable.
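The "about to expire" warning Callas and the BoF participants asked for is easy to state as a check that a relying party can run before starting work that depends on a certificate. The following is an added illustration, not code from the workshop or from any of the projects described above; the certificate chain, the timestamps, the 14-day warning window and the 5-minute clock-skew allowance are all constructed assumptions. It goes slightly beyond the single-certificate case in the text by checking every certificate in a chain against the expected duration of the transaction, so that a certificate which is valid now but will lapse before the transaction finishes is reported before the transaction begins rather than in the middle of it.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values for this example (not from the workshop).
WARN_WINDOW = timedelta(days=14)      # warn when less than this remains
CLOCK_SKEW = timedelta(minutes=5)     # tolerate small clock differences

# Statuses ordered from least to most severe; check_chain reports the worst.
SEVERITY = ["valid", "expiring_soon", "expires_during_transaction",
            "not_yet_valid", "expired"]


def classify_validity(not_before, not_after, now,
                      transaction_len=timedelta(0)):
    """Classify one certificate's validity period relative to 'now'.

    transaction_len is how long the work depending on this certificate is
    expected to take; a certificate that lapses inside that window is
    flagged up front instead of failing mid-transaction.
    """
    if now + CLOCK_SKEW < not_before:
        return "not_yet_valid"
    if now - CLOCK_SKEW >= not_after:
        return "expired"
    if now + transaction_len >= not_after:
        return "expires_during_transaction"
    if not_after - now <= WARN_WINDOW:
        return "expiring_soon"
    return "valid"


def check_chain(chain, now, transaction_len=timedelta(0)):
    """Return (worst_status, subject) across a list of certificate records.

    Each record is a dict with 'subject', 'not_before' and 'not_after'
    (timezone-aware datetimes); this is a constructed stand-in for fields a
    real X.509 parser would give you.
    """
    worst = ("valid", None)
    for cert in chain:
        status = classify_validity(cert["not_before"], cert["not_after"],
                                   now, transaction_len)
        if SEVERITY.index(status) > SEVERITY.index(worst[0]):
            worst = (status, cert["subject"])
    return worst


# Constructed sample chain: a long-lived root, an intermediate inside the
# warning window, and an end-entity certificate about to lapse.
SAMPLE_NOW = datetime(2005, 4, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_CHAIN = [
    {"subject": "Example Root CA",
     "not_before": datetime(2000, 1, 1, tzinfo=timezone.utc),
     "not_after": datetime(2020, 1, 1, tzinfo=timezone.utc)},
    {"subject": "Example Intermediate CA",
     "not_before": datetime(2003, 1, 1, tzinfo=timezone.utc),
     "not_after": datetime(2005, 5, 1, tzinfo=timezone.utc)},
    {"subject": "end-entity",
     "not_before": datetime(2005, 1, 1, tzinfo=timezone.utc),
     "not_after": datetime(2005, 4, 20, 12, 30, tzinfo=timezone.utc)},
]


if __name__ == "__main__":
    status, subject = check_chain(SAMPLE_CHAIN, SAMPLE_NOW,
                                  transaction_len=timedelta(hours=1))
    print(f"worst status in chain: {status} ({subject})")
```

The severity ordering is the design decision worth noting: a relying party acts on the single worst result, so a chain that is "valid" at the root but "expires_during_transaction" at the leaf is reported as the latter, with the offending subject named so the user knows which credential to renew.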

Farther out

There were also several talks aimed at solving broader problems with PKI, or at applying it in new ways. Of these, the one with the widest implications was Arjen Lenstra's discussion of Progress in Hashing Cryptanalysis. Lenstra discussed the implications of recent discoveries of weaknesses in commonly-used hash functions; his slides offer an overview of the mathematics involved, and of how these weaknesses might be exploited in real-world attacks. This February NIST announced that SHA1 should still be considered secure until it's phased out around 2010. Lenstra's assessment is somewhat more pessimistic; while there are currently no dangerous attacks based on these recent discoveries, research continues, and such attacks are likely to emerge soon. Lenstra suggests abandoning SHA1 for SHA256 and launching a competition for a replacement for the entire SHA family. On the other hand, Bill Burr noted that encouraging a move to SHA256 in the short term could make it a lot harder to move to the hoped-for SHA replacement in the medium term. NIST doesn't have the resources to develop that replacement. Burr agreed that a global competition is the best way to mobilize the resources needed.
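Burr's concern above is that a short-term move to SHA256 could make the later move to a replacement family harder. One way a deployment can keep that cost down is to label every stored digest with the algorithm that produced it and to keep a per-algorithm acceptance policy, so that deprecating SHA1 now and replacing SHA256 later are both configuration changes rather than data-format changes. The following is an added example written for this summary, not code from Lenstra, NIST or any project named on the page; the `POLICY` table, the `sha1:`/`sha256:` label format and the `PREFERRED` choice are this example's own assumptions.

```python
import hashlib
import hmac

# Assumed acceptance policy (constructed for this example): algorithms are
# named with hashlib names. "deprecated" means verify-but-report, which is
# what a migration period needs; an algorithm absent from the table is
# rejected outright.
POLICY = {
    "sha1": "deprecated",
    "sha256": "accepted",
    "sha512": "accepted",
}
PREFERRED = "sha256"   # algorithm used for new and refreshed digests


def labelled_digest(data: bytes, alg: str = PREFERRED) -> str:
    """Return 'alg:hexdigest' so the algorithm travels with the value."""
    if alg not in POLICY:
        raise ValueError(f"digest algorithm not permitted by policy: {alg}")
    return f"{alg}:{hashlib.new(alg, data).hexdigest()}"


def verify_labelled(data: bytes, stored: str) -> tuple[bool, str]:
    """Recompute the digest named in the label and compare it.

    Returns (matches, policy_status). An unknown or de-listed algorithm
    yields (False, "rejected") without computing anything.
    """
    alg, sep, expected = stored.partition(":")
    status = POLICY.get(alg)
    if not sep or status is None:
        return False, "rejected"
    recomputed = hashlib.new(alg, data).hexdigest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(recomputed, expected), status


def refresh_if_deprecated(data: bytes, stored: str) -> str:
    """Re-digest with PREFERRED when the stored label is deprecated.

    Only a digest that still verifies is refreshed; a mismatch is left
    alone so that the failure remains visible to whoever audits it.
    """
    ok, status = verify_labelled(data, stored)
    if ok and status == "deprecated":
        return labelled_digest(data, PREFERRED)
    return stored


if __name__ == "__main__":
    doc = b"constructed sample document"
    old = labelled_digest(doc, "sha1")
    print("stored:", old, "->", verify_labelled(doc, old))
    print("refreshed:", refresh_if_deprecated(doc, old))
```

Moving from SHA256 to a future replacement with this layout means adding the new name to `POLICY`, pointing `PREFERRED` at it, and letting `refresh_if_deprecated` rewrite labels as records are next touched; nothing already stored has to be reinterpreted.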

Cliff Neuman presented a WIP session on work by his student Ho Chung on a multidimensional approach to Modeling Strength of Security. This work is at an early stage.

A. Prasad Sistla described a scheme for Language-Based Policy Analysis in a SPKI Trust Management System, using modal logic to describe roles in SPKI. While citing related work, Sistla claims that this is the first general policy-analysis language, usable e.g. with Keynote or XACML. There is no implementation yet.

Terence Spies discussed Pairing Standards for Identity Based Encryption. "Pairings" are a new elliptic-curve crypto primitive. An IEEE study group on pairings and their application to IBE is just getting underway; see http://grouper.ieee.org/groups/1363/WorkingGroup/.

Finally, Meiyuan Zhao presented her simulations aimed at Evaluating the Performance Impact of PKI on BGP Security. Russ Housley stressed the importance of this work; he noted that securing BGP is one of his top priorities as an IETF Security Area Director. Housley also observed that memory requirements are a major obstacle to S-BGP deployment, and suggested focusing future research on approaches that require less memory, in particular by using elliptic-curve cryptography.

Conclusions

The PKI0x series has clearly matured, as demonstrated by its emulation in Europe and Asia (see "Related Workshops" at http://middleware.internet2.edu/pki05/), by this year's conference having the largest number of accepted papers yet, and by several of the sessions offering follow-ups on ongoing work presented in previous years.

PKI04 produced consensus on two main ideas: "Understanding and educating users is centrally important" and "The specifics of any particular PKI deployment should be driven by real needs, and should be only as heavyweight as necessary." PKI05 reaffirmed this consensus; it also demonstrated that we are much further along in applying the latter principle than the former.

There was strong general agreement on keeping the workshop's mix of research and deployment topics. Please join us for PKI06 (http://middleware.internet2.edu/pki06/), April 4-6, 2006.