Public Key Infrastructure Study
`
`Final Report
`
`April, 1994
`
`National Institute of Standards and Technology
`Gaithersburg, MD
`
`001
`
`

`

`Form SF298 Citation Data
`
`Report Date
`("DD MON HYY'j
`01041994
`
`Title and Subtitle
`Public Key Infrastructure Study
`
`Authors
`
`Report Type
`N/A
`
`Dates Covered (from .•• to)
`(''DD MON YYYY':J
`
`Contract or Grant Number
`
`J_~-~m~~r
`
`Project Number
`
`Task Number
`
`Work Unit Number
`
`Performing Organization Name(s) and Address(cs)
`National Institute of Standards and Technology Gaithersburg.
`~T1D
`
`Performing Organization
`Number(s)
`
`Sponsoring/Monitoring Agency Name(s) and Address(es)
`
`Monitoring Agency Acronym
`
`I Monitoring Agency Report
`i Number(s)
`j
`
`Distribution/ Availability Statement
`Approved for public release, distribution unlimited
`
`Supplementary Notes
`
`"""~
`
`Abstract
`
`Subject Terms
`"IAT AC COLLECTION"
`
`Document Classification
`unclassified
`
`Classification of Abstract
`unclassified
`
`Number of Pages
`192
`
`~~~"'-~--~m~-"'"
`
`---~-~-
`
`-·
`
`Classification of SF298
`unclassified
`
`Limitation of Abstract
`unlimited
`
`002
`
`

`

`oe&, gMhar!ng and
`information,
`.
`. VA
`
`4. TITLE AND SUBTITLE
`Public Key Infrastructure (Final Report)
`
`5. FUNDING NUMBERS
`
`6. AUTHOR($)
`Shimshon Berkovits, Santosh Chokhani, ,Judith Furlong, Jisoo
`Geiter, Jonathan Guild
`
`7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)
`
`8. PERFORMING ORGANIZATION
`REPORT NUMBER
`
`IATAC
`Information Assurance T cchnology Analysis
`Center
`3190 Fairview Park Drive
`
`Defense Technical lnfom1ation Center
`OTIC-lA
`8725 John J. Kingman Rd, Suite 944
`Ft. Belvoir, VA 22060
`11. SUPPLEMENTARY NOTES
`
`10. SPONSORING J MONITORING
`AGENCY REPORT NUMBER
`
`12a. DISTRIBUTION I AVAILABILITY STATEMENT
`
`12b. DISTRIBUTION COOE
`
`A
`
`13. ABSTRACT (Maximum 200 Words}
`The National lnsLi tute of Standar:ds and Technology (NIS'l') has tasked The MIT'RECorpoJ::ation
`to Gt.udy the alternatives for automated management of public keys and of t.heaGsociated
`publi.c koy cf:rtificates for the Federal Gover:r.mont. The public koys areenv.isioned to be
`used for secure electronic commerce. This Public Key Infrast.ructUJ:'e (PKI) study focuses on
`the United States Federal Government operations, but also addresses national and global
`issue£> in order to facil tate the interoperation of protected electronic co:rmnerce among
`the various levels of government. in the U.S., private citizens, commercial organizations,
`and :Lntenwtionn1 organi?J-ltions. Under the PKI study, policy and legal issues r:elated to
`the oper:ation and the management of the PKI are identified. Architectural and
`1mp1.ementati.on al.tenwt.ive£> for the PKI are developed.
`In addition, a methodology to
`determine the cost of the PEG is presented. The results of the PKI study are documented in
`this report. With the information and techniques presented in this report, federal
`agencies will be able to determine which infrastructure alternative is appropriate to
`their needs. In additi.on, agencies may use the costing methodology presented in tJ1e paper
`
`14. SUBJECT TERMS
`FKl
`
`17. SECURITY CLASSIFICATION
`OF REPORT
`Onclassifiod
`
`18. SECURITY ClASSIFICATION
`OF THIS PAGE
`UNCLASSIFIED
`
`19. SECURITY CLASSIFICATION
`OF ABSTRACT
`UNCLASSIFIED
`
`15. NUMBER OF PAGES
`
`16. PRICE CODE
`
`20. LIMiTATION OF ABSTRACT
`
`No no
`
`003
`
`

`

`Public Key Infrastructure Study
`Final Report
`
`MTRxxxxx
`
`Dr. Shimshon Berkovits
`Dr. Santosh Chokhani
`Judith A. Furlong
`Jisoo A. Geiter
`Jonathan C. Guild
`
`CONTRACT SPONSOR:
`CONTRACT NO.:
`PROJECT NO.:
`DEPT.:
`
`National Institute of Standards and Technology
`50SBNB I C6732
`3357B/Y
`G02i,J024
`
`MITRE
`McLean, Virginia
`
`II
`
`004
`
`

`

`ABSTRACT
`
`The National Institute of Standards and Technology (NIST) has tasked The MITRE
`Corporation to study the altematives for automated management of public keys and of the
`associated public key certificates for the Federal Government. The public keys are
`envisioned to be used for secure electronic commerce. This Public Key Infrastructure (PKI)
`study focuses on the United States Federal Government operations, but also addresses
`national and global issues in order to facilitate the interoperation of protected electronic
`commerce among the various levels of government in the U.S., private citizens, commercial
`organizations, and international organizations.
`
`Under the PKI study, policy and legal issues related to the operation and the management
`of the PKI are identified. Architectural and implementation alternatives for the PKI are
`developed. In addition, a methodology to determine the cost of the PKI is presented. The
`results of the PKI study are documented in this report. With the information and techniques
`presented in this report, federal agencies will be able to determine which infrastructure
`alternative is appropriate to their needs. In addition, agencies may use the costing
`methodology presented in the paper for planning and budgeting purposes.
`
`111
`
`005
`
`

`

`EXECUTIVE SUMMARY
`
`Use of electronic messaging and electronic commerce is becoming more widespread as
`information technology becomes cheaper and telecommunications become more advanced.
`However, increased user interconnectivity and reliance upon electronic communications
`means that more infonnation is being carried electronically so that more information is
`becoming vulnerable to attacks such as eavesdropping, modification, and masquerade.
`Public key cryptography, which includes digital signature technology, can play an integral
`role in countering these attacks by providing end-to-end security of infonnation in terms of
`confidentiality, integrity and proof of origin. The strength of these security services are
`dependent upon the security of the underlying cryptographic keys. Specifically, this requires
`protection of the confidentiality of the private keys and the integrity ofthe public keys in
`delivery and storage.
`
`ln a small community, the integrity of the public keys can be insured by manual delivery
`of the keys. However, manual delivery of keys is infeasible in a national or an international
`electronic messaging and commerce environment where thousands or millions of keys are
`involved. Therefore, in order to facilitate the use ofpublic key cryptography in such an
`environment, automatic key management is necessary. This study addresses the issues
`related to a Public Key Infrastructure (PKI), which will automatically manage public keys
`through the use of public key certificates. Each certificate certifies the association between a
`user's identity and his public key.
`
`The National Institute of Standards and Technology (NIST) has tasked The MITRE
`Corporation to study the alternatives for automated management of public keys and of the
`associated public key certificates in both a national and an international environment. This
`stu<iy J()9l1ses Qn the United States FederaLGovernment operations. It also addresses
`national and global issues in order to t~tcilitate the interoperation of protected electronic
`commerce among the various levels of government in the U.S., the states, private citizens,
`commercial organizations, and international organizations.
`
`Under the PKI study, user and technical requirements for the PKl have been developed
`using information obtained through the examination of relevant standards, through
`discussions held among project members, and through interviews with personnel at various
`federal agencies, standards committees, and commercial organizations. The identified
`requirements apply to the infrastrucntre as a whole as well as to specific components of the
`infrastructure. They include requirements that relate to the generation and distribution of
`keys, to the obtaining of public key certificates and to the distribution of "hot lists" of
`canceled certificates, commonly known as Certificate Revocation Lists (CRLs).
`
`The user and technical requirements form the basis for the architecture and the
`implementation recommendations for the PKI. A number of entities are integral to the
`
`006
`
`

`

`functioning of the PKI. Some have policy responsibilities; others provide certit1cation
`services; and a fhv do both. These entities are defined below.
`
`PAA: The PAA is the policy approving authority, which creates the overall
`guidelines for the entire PKL It may also certify public keys belonging to PCAs.
`
`PCA: The PCA is the policy certification authority. Each PCA establishes policy
`for all certification authorities and users within its domain. It certifies CA public
`keys.
`
`CA: The CA is the certification authority with minimal policy making
`responsibilities. The CAs are expected to certify the public keys of users in a manner
`consistent with the cognizant PCA's and the PAA's policies.
`
`ORA: The ORA is the organizational registration authority. The ORA is an entity
`which acts as an intermediary between a CA and a user. Its sole purpose is to vouch
`fbr the identity and affiliation of the user and register that user with its CA.
`
`These entities can be organized in either a hierarchical (tree) structure or a non(cid:173)
`hierarchical (network) structure. In the former, the PAA issues certificates for the PCAs
`while in the latter it approves the PCA policies. Each PCA issues certificates for the CAs
`within its domain. In the non-hierarchical structure, roots of smaller trees must issue
`certificates for each other (cross certification) as circumstances require. As cross
`certifications create uncertainties about and ambiguities between the applicable certification
`policies, the PKI does not follow this alternative.
`
`There are several approaches to how users are associated with PCAs and CAs within the
`PKI. At least three alternatives arc possible. The Communities oflnterest (COT) approach
`organizes users according to the tasks they perform most frequently. The organizational
`alternative parallels existing organizational hierarchy. The assurance level approach divides
`users according to the level of certification assurance they require. A small number of
`assurance levels, perhaps as few as three or four, may be sufficient.
`
`Any determination of which implementation approach is most appropriate for the
`national PKI must consider the following qualitative attributes: robustness, scalability,
`flexibility and case of usc, trust, intcroperation, implementation timeframe, management
`structure, and exposure to liability. These considerations lead to the following
`recommendation for the PKI:
`
`• P AA, a national body, be created to establish overall PKI policy, to approve
`individual PCA policies, and to act as a root for the national certitication
`infrastructure to be created.
`
`007
`
`

`

`• Each federal depa1iment implement its own PCA to establish its own policy.
`PC As be established for sets of independent commissions and independent
`agencies.
`
`• Each PCA be certified by the P AA.
`
`• CAs be established by offices and bureaus within large federal departments and
`independent agencies, as determined by the PCA. ORAs be placed near
`individual facility security offices, as needed.
`
`• Several assurance levels, with associated PCAs and CAs, be established tor use
`by private corporations and citizens. ORAs be placed near corporate personnel
`offices, as needed.
`
`• Each user caches (stores) all certificates he or she uses most fi·equently.
`
`The following organizations are recommended tor the various levels of the PKI:
`
`PAA. Poiicy setting be done by a committee consisting of representatives from some
`or all of the following: Defense Information Systems Agency (DISA), Federal
`Reserve Board (FRB), General Accounting Office (GAO), General Services
`Administration {GSA), NIST, National Security Agency (NSA), OHice of
`Management and Budget (OMB), United States Postal Service (USPS), and industry
`and trade organizations. The daily operation of the PAA's certification functions can
`be managed by GSA, the FRB or USPS.
`
`PCA. Executive departments or major independent agencies are recommended for
`the management of the PCAs for the Federal Government. USPS, banks, and
`telecommunications service providers are among the qualified organizations for
`fa~.ilitati}1gi}1ter()per<ttiQ11 .. 9f1h~ft!d~:mlinfrastructure .. withthe.restof.thenationa1
`infrastructure.
`
`CAs. Agencies below the executive department level are recommended for the CA
`management USPS, banks, and telecommunications service providers are among the
`qualified organizations for facilitating interoperation of the federal infrastructure with
`the rest of the national infrastructure.
`
`ORAs. For the federal agencies, local authorities such as badge-issuing offices or
`security oflices are recommended to run ORAs. For the non-federal segment, ORAs
`may be established by private corporations for their own convenience.
`
`Global interoperability is also of interest There are two principle ways for achieving
`interoperabiiity: ( l) the creation of a single global root for certifying various national and
`transitional roots (PAAs); or (2) the cross certification by such roots (PAAs). While the
`
`008
`
`

`

`former alternative may create a neater infrastructure, the politics of international agreement
`and the natural flow of events may make the latter altemative the de facto choice.
`
`The recommended PKI organization follows the lines of the existing Federal
`Government organization. The cost of the various PKI components will probably be divided
`along the same lines. Nonetheless, it is useful to estimate a PKl-wide price tag for
`deployment and for the annual operations budget. This effort requires the development of a
`cost model tor the PKI. Such a model should also aid implementors with their planning and
`budgeting activities for their segments of the PKL The model should include only
`quantitative impacts which can be specificalJy ascribed to the PKI as well as the cost of the
`additional demands that the PKI will place on the directory service and its supporting
`communications. Costs associated with developing and running an electronic transaction
`environment are specifically excluded. They are deemed prerequisites for the use of digital
`signatures.
`
`lt is not possible to estimate the cost of a large computer and communications system
`without some detailed concept of how that system will operate. A concept of operations for
`the PKl consists of thirteen distinct activities. Each of these PKI activities can be divided
`into multiple steps. The resources necessary to accomplish each step must be enumerated.
`These resources fall into four categories: storage, communications, processor and staff: The
`model consists of four modules, one for each of the four PKl entities: PCA, CA, ORA and
`key generator. There are additioru'll modules for the user and for the directory. Within each
`module, costs and frequencies for all needed resources are computed and a total cost is
`derived. From these totals and the numbers of each type ofPKl entities included in the
`costing, it is possible to estimate PKI costs. Start-up and the yearly running costs are
`estimated to be about $9.5M and $16.2M, respectively.
`
`Policy makers must consider their legal obligations in establishing a PAA, PCAs and
`CAs. Although there are questions that must be answered, there appears to be no legal
`impediment to delay continued development and ultimate implementation of the PKI. There
`seems to be a consensus that properly suppmted digital signatures on electronic documents
`can and do meet "signed" and "in writing" laws and regulations. What exceptions exist to
`this principle can be remedied by new legislation or further regulations. Electronically
`executed contract~, especially those that are covered by written trading partner agreements,
`are becoming legally accepted. The electronic filing of certifications, repotis and briefs, if
`supported by digital signatures, will be widely used and accepted. These considerations
`point to the recommendation that PKI prototype development and examination of PKllegal
`needs and implications should proceed in parallel.
`
`One impotiant legal consideration is the development of a structure for PKlliability. As
`an agency of the Federal Government, the PKI may be considered to have sovereign
`immunity. That would imply that the PKI and its managers cannot be sued for any losses
`resulting from their actions or from their inaction. While such status may be attractive, it
`undermines the usefulness of the PKl. Without reasonable assurances that potential losses
`due to malfeasance will be recoverable, a typical non-government user will shy away from
`
`009
`
`

`

`relying on the PKI. (Even many government users win balk at mandated PKI use unless
`some system is in place for fixing blame when the PKI fails in its mission.) Any set of laws
`and regulations must strike a balance between protection of the government from excessive
`claims and blocking users from any chance of reimbursement. The entities of the PKI
`should not be liable if they operate according to their established policies. Furthermore,
`their liability should be limited for losses caused by the entities not following the agreed
`policies and procedures. In addition, legal issues relating to personal privacy concerns must
`also be resolved.
`
`This summary has highlighted some of the issues that must be considered in defining the
`PKI. Based on the recommended infrastructure, work must begin on its implementation.
`The infrastructure should be implemented incrementally to gain practical experience with
`PKI policies, user acceptability, usage statistics, resource requirements, costs and liability
`issues. The practical experience obtained through implementation wiH help to refine and
`alter the infrastructure design and operation as well as the full scale implementation.
`
`The designers of the PKI should be aware that there are stiH issues that need resolution.
`They include some concerns that pertain to the PKI itself and others that are external to the
`PKI, iri paraiiei systems with which PKl may have to interface in the future. Examples of
`the latter include user authorizations, user attributes, time and date stamps, interoperation
`with other infrastructures and algorithms, and directory services. PKI issues involve
`archiving, a unique naming system, and confidentiality. This Jast issue is of utmost
`importance and demands immediate attention. The overall trust that users place on the .PKl
`derives, to a considerable extent, from the ready availability of CRLs. Questions of liability
`depend on the way in which the CRLs are handled. Yet, the frequent and extended
`distribution of CRLs creates a great financial drain on the system. CRLs are to be obtained
`from the appropriate directory elements as needed. The problem of liabilities associated
`with the use or non-use of the CRLs should be studied immediately and resolutions found
`quickly.
`
`010
`
`

`

`ACKNOWLEDGMENTS
`
`The authors would like to express their gratitude to Carolyn Barnes, Dennis Branstad,
`Shirley Kawamoto, Lynn McNulty, Judith Messing, Cyril Murphy, and Miles Smid for
`participating in discussions regarding the Public Key Infrastructure and/or for reviewing and
`commenting on this paper. We are especially grateful to David Gill and Shari Galitzer for
`their contributions to this project. For his advice and guidance on the legal issues, we are
`indebted to Michael Baum and we acknowledge Peter Weiss's comments and corrections on
`the draft of that section. We are also indebted to the following experts for their peer-review
`comments: Richard Ankney, Fisher International Systems Corp.; James Bidzos, RSA Data
`Security Inc.~ Stephen Crocker, Trusted Information Systems; Dorothy Denning,
`Georgetown University; M. Blake Greenlee, M. Blake Greenlee Associates, Ltd.; Stephen
`Kent, BBN Laboratories; Stuart Stubblebine, University of Southern California; and Frank
`Sudia, Bankers Trust. Finally, we must thank all who participated in the interview phase of
`this study and all who challenged and encouraged us at the periodic participating agency
`meetings.
`
`XI
`
`011
`
`

`

`TABLE OF CONTENTS
`
`SECTION
`
`Introduction
`
`l.l
`1.2
`1.3
`1.4
`1.5
`
`Background
`Purpose
`Scope
`Audience
`Overview of Report
`
`2 Overview
`
`2.1
`
`2.2
`
`Project Methodology
`2.1.1
`Developing Requirements
`2.1.2
`Analyzing Requirements
`2.1.3
`Developing Alternatives
`2.1.4
`Developing operational Concepts
`2.1.5
`Cost Model and Analysis
`Highlights of Key PKI Requirements
`
`3 Architectural Alternatives for the Infrastructure
`
`3.1
`
`3.2
`3.3
`
`Policy Management and Certificate Management
`3. i .l
`The Policy Approval Authority
`3. L2
`Policy Certification Authority
`3.1.3
`Certification Authorities
`Trees and Cross Certification
`Architectt~rt; A.Jt<:matives
`3.3.1 Cross Certified CAs
`3.3.2
`Cross Certified PCAs
`3.3.3
`A Root PAA
`
`4
`
`Implementation Alternatives for the Infrastructure
`
`4.1
`
`4.2
`
`Functions Perfonned by CA Entities
`4.1.1
`PAA Functions
`4.1.2
`PCA Functions
`4.1 .3
`CA Functions
`4.1.4
`ORA Functions
`The Implementation Altematives
`4.2. i
`COI Altemative
`Organizational Alternative
`4.2.2
`xiii
`
`PAGE
`
`1-l
`
`I-l
`1-2
`1-3
`1-3
`l-4
`
`2-J
`
`2~3
`2-3
`2-3
`2-3
`2-4
`2-4
`2-4
`
`3-J
`
`3-1
`3-I
`3-l
`3-2
`3-2
`3-6
`3-6
`3-6
`3-7
`
`4-l
`
`4-1
`4-l
`4-2
`4-3
`4-4
`4-5
`4-6
`4-7
`
`012
`
`

`

`SECTION
`
`PAGE
`
`4.3
`
`4.4
`
`4.5
`
`Assurance Level Alternative
`4.2.3
`Hybrid Alternative
`4.2.4
`Recommendation
`4.3.1
`Comparison of Implementation Altematives
`4.3.2
`The Recommended Federal Govemment Alternative
`4.3.3
`Beyond the Federal Government
`Management of the Recommended Infrastructure
`4.4.1
`Management ofthe PAA
`4.4.2 Management of the PC As
`4.4.3 Management of the CAs
`4.4.4 Management of the ORAs
`4.4.5
`Summary of Recommended Organizations for the Infrastructure
`Management
`Towards Global Interoperability
`4.5.1
`Cross Certification with All Roots
`4.5.2
`One Global Root
`
`5 Operational Concepts
`
`5.l
`5.2
`
`Introduction
`PKI Activities
`Key Generation, Certifying. and Distributing Keys
`5.2.1
`5.2.2
`Signature and Verification
`5.2.3
`Obtaining Certificates
`5.2.4
`Verifying Certificates
`Caching Certificates
`5.2.5
`5.2.6
`Obtaining Certificates from a Cache
`5.2.7
`Reporting Key Compromise or Severed Relations
`5.2.8
`Recovering from a Key Compromise
`5.2.9
`Obtaining CRLs
`5.2.1 0 Rekeying and Recertifying
`5.2.11 Auditing
`5.2.12 Archiving
`
`6
`
`Infrastmcturc Cost Analysis Results
`
`6.1
`
`6.2
`6.3
`
`Operational Concept Used in Cost Model
`6.l.l User Activities
`6.1.2 PKI Activities
`6. i .3 Directory Activities
`Scenarios
`Results
`
`xiv
`
`4-8
`4-9
`4-10
`4-10
`4-17
`4-18
`4-19
`4-19
`4-20
`4-20
`4-20
`
`4-20
`4-21
`4-21
`4-22
`
`5-l
`
`5-l
`5-1
`5-l
`5-2
`5-3
`5-3
`5-4
`5-4
`5-4
`5-5
`5-6
`5-6
`5-7
`5-7
`
`6-l
`
`6-l
`6-l
`6-2
`6-3
`6-3
`6-3
`
`013
`
`

`

`SECTION
`
`PAGE
`
`6.4
`
`Analysis
`6.4. 1 Analysis of Start-up Costs
`6.4.2
`Analysis of Yearly Running Costs
`Analysis of Cost per Message and Cost per User
`6.4.3
`
`7 Related Issues 7-1
`
`7.!
`7.2
`7.3
`7.4
`7.5
`
`Authorizations and Attributes
`Time and Date Stamps
`Archiving
`Confidentiality
`The Next Steps
`7.5.1
`General Planning
`Cryptography Awareness
`7.5.2
`Beyond the Executive Branch
`7.5.3
`Forge Ahead
`7.5.4
`Develop ~v1ultidiscip1i-nary Developn1e1it Group
`7~5.5
`7.5.6
`Liability
`
`Appendix A:
`
`Tem1s and Definitions
`
`Appendix B:
`
`Digital Signature Standard
`
`Appendix C:
`
`Applications of Digital Signatures
`
`Appendix D:
`
`Summary ofPKI Requirements
`
`Appendix E:
`
`Applicable Standards and Analysis
`
`Appe11diX F:
`
`ceriificiltc Formats
`
`Appendix 0:
`
`Certificate Revocation List Fonnat
`
`Appendix H:
`
`Sample Elements ofPCA Security Policy
`
`Appendix I:
`
`PKI Cost Analysis
`
`Appendix J:
`
`Legal Issues
`
`XV
`
`6-5
`6-5
`6-7
`6-lO
`
`7-1
`7-2
`7-2
`7-3
`7-3
`7-4
`7-8
`7-8
`7-8
`7-9
`7-10
`
`A-1
`
`B-l
`
`C-l
`
`D-1
`
`E-1
`
`F-1
`
`G-1
`
`H-1
`
`I-1
`
`J-1
`
`014
`
`

`

`LIST OF FIGURES
`
`FIGURE
`
`2-1 Typical Digital Signature Scheme
`
`3-1 Users with a Common CA
`
`3-2 Users with Different Cross Certified CAs
`
`3-3 Users with Different CAs under a Single PCA
`
`3-4 Users with Different Cross Certified PCAs
`
`3-5 Users with Different PCAs under a PAA
`
`4-1 Communities of Interest Alternative
`
`4-2 Organizational Alternative
`
`4-3 Assurance Level Alternative
`
`4-4 Sample Hybrid of Certificate Management Infrastructure
`
`4-5 Example of COT Alternative
`
`4-6 Example of Organizational Alternative
`
`4-7 Recommended National Certificate Management Organization
`
`4-8
`
`lnteroperability through One Global Root
`
`7 -I First Phase of Public Key Infrastructure
`
`B-l The DSS Signature Process
`
`B-2 The DSS Signature Verification Process
`
`E-l PEM Key Management Infrastructure
`
`F-1 Proposed 1992 CCITT X.509 Certificate Format
`
`F-2 1988 CCITT X.509 and PEM Certificate Fon11at
`
`G-1 PEM CRL Fonnat
`
`XV11
`
`PAGE
`
`2-2
`
`3-2
`
`3-3
`
`3-4
`
`3-5
`
`3-5
`
`4-7
`
`4-8
`
`4-9
`
`4-10
`
`4-ll
`
`4-12
`
`4-18
`
`4-23
`
`7-5
`
`B-2
`
`B-3
`
`E-3
`
`F-2
`
`F-4
`
`G-2
`
`015
`
`

`

`FIGURE
`
`G-2 CCITT X.509 CRL Fom1at
`
`G-3 ANSI X9.30 CRL Fom1at
`
`G-4 Recommended PKI CRL Format
`
`l-l Entity Spreadsheet Layout
`
`PAGE
`
`G-3
`
`G-4
`
`G-5
`
`1-26
`
`XVlll
`
`016
`
`

`

`LIST OF TABLES
`
`TABLE
`
`4-1 Summary of Policy-Setting Body and Users tor Each Alternative
`
`4-2
`
`Infrastructure Management
`
`6-l Total Start-Up Cost Estimates
`
`6-2 Total Yearly Cost Estimates
`
`6-3 Start-up Costs
`
`6-4 Yearly Costs
`
`6-4 PKI Yearly Costs (Concluded)
`
`6-5 Cost per Message and Yearly Cost per User
`
`J-1 Combined Translation Table
`
`PAGE
`
`4-5
`
`4-20
`
`6-4
`
`6-5
`
`6-6
`
`6-8
`
`6-9
`
`6-12
`
`1-30
`
`xix
`
`017
`
`

`

`SECTION 1
`
`INTRODUCTION
`
`l.lBACKGROUND
`
`As information technology becomes cheaper and proliferates further in both office and
`home environments, use of electronic messaging and electronic commerce is becoming
`widespread. The transaction of business electronically is further spurred by the National
`Information Infrastructure (Nil) and by the Defense Infonnation Infrastructure (DII)
`initiatives. Advances by telecommunications service providers and by the cable industry in
`establishing a national information highway also play a major role in the growth of
`electronic commerce. Together, the information technology revolution and the
`communications infrastructure initiatives are changing the way we do business. They are
`bringing about a new interconnection of individuals and organizations both nationwide and
`worldwide. But this interconnectivity and reliance on electronic communications makes the
`information being carried more vulnerable to attacks - attacks to information confidentiality
`in the form of eavesdropping, to data integrity through message modification or substitu.tion,
`to origin integrity by an impostor's submission of messages in another user's name, and to
`message dependability destroyed by the possible future repudiation of the message by its
`sender.
`
`Public key cryptography can play an integral role in providing end-to-end security of
`information in tenns of confidentiality, integrity, and proof-of-origin. This cryptography is
`based on asymmetric keys. Each user has two keys: one is called the public key and may be
`available to everyone, the other is called the private key and is known only to its owner.
`When two typical users, call them Alice and Bob, communicate, they can use their public
`key capability to keep their messages confidentiaL If Bob wishes to hide the contents of a
`message to Alice, he encrypts it using Alice's public key. Encryption, however, is not
`germane to this study, lf Bob wishes to sign adocument, he must use a key available onlyto
`him that is, his private key. When Alice receives a digitally signed message from Bob, she
`must verify his signature. She needs his public key for this verification. She should have
`high confidence in the integrity of that key. If she can be tricked into accepting an
`impostor's public key as Bob•s, then she will accept the impostor's signature on documents as
`Bob's also. Digital signature technology offers some of the desired infonnation security
`services, namely sender authentication, message integlity and sender non-repudiation,
`provided that private keys are kept secret and the integrity of public keys is preserved.
`
`In a small community, the integrity of keys can be guaranteed by the manual delivery of
`public keys. This is impossible in national or international electronic messaging and
`commerce environments. Anyone, anywhere, may send a message to anyone, anywhere.
`There is no way to exchange thousands or miHions of keys manually and their storage is also
`difficult. This study addresses the management ofpublic keys which will facilitate digital
`signatures for the worldwide electronic transactions of the Federal Govemment. lt is
`
`1-l
`
`018
`
`

`

`assumed that readers of this report are familiar with public key cryptography in general and
`with the Digital Signature Standard (DSS) in particular. For those who are not, appendix B
`contains a brief description of the standard.
`
`1.2 PURPOSE
`
`The following agencies in the United States Federal Govemment wish to explore the role
`of digital signatures in electronic commerce within in the Federal Govemment: Advanced
`Research Project Agency (ARPA), Department of State, Federal Bureau of Investigation
`(FBI), General Services Administration (GSA), Internal Revenue Service (IRS), National
`Aeronautics and Space Administration (NASA), National Security Agency (NSA), and
`United States Postal Service (USPS). These agencies have asked the (NIST) to study the
`technical, policy, and legal issues associated with establishing an automated system to
`manage keys electronically and distribute public keys and associated public key certificates.
`
`NIST has tasked The MITRE Corporation to study the altematives for automated
`management of public keys in a national and intemational environment. The focus of the
`study is the Federal Govemment operations. However, the study also needs to address the
`issues on a global basis, since the Federal Government conducts business with both national
`and intemational entities (governments at various levels, private citizens and business, and
`other organizations).
`
`The automated management of public keys is henceforth tetmed the Public Key
`Infrastructure (PKI). The purpose ofPKl is fourfold:
`
`l. Generate public key cettiticates that bind the identity of users and their public keys
`in a secure manner
`
`2.
`
`3.
`
`4.
`
`Provide users, directly or indirectly, with easy access to the certificates of other
`users
`
`Provide users with easy access to circumstances (security policy) under which the
`certificates were issued.
`
`Provide users, directly or indirectly, timely announcements of cettiticate
`revocations.
`
`The purpose ofthis study is fourfold:
`
`l.
`
`2.
`
`Identify policy and legal issues in the use of digital signatures in the Federal
`Govemment operations
`
`IdentifY policy, technical, and legal issues related to the operation and the
`management of the PKI
`
`l-l
`
`019
`
`

`

`3. Develop PKJ alternatives for federal agencies and techniques for selecting the most
`appropriate alternative based on an agency's needs
`
`4.
`
`Provide a PKI costing methodology to calculate costs for planning and budgeting
`purposes on an agency-by-agency basis
`
`1.3SCOPE
`
`The PKI \Vill provide a secure binding of public keys and users. In that sense, its scope
`is limited to providing strong authentication of the users. This report examines the issues
`involved in such an undertaking. It does not set any standards for an infrastructure. While
`this study focuses on the PKI needs of the Federal Government, it must consider other
`national and international entities such as individuals, businesses and other organizations. A
`considerable portion of the Federal Government's electronic commerce is expected to
`involve people outside the Federal Government Thus, the PKI needs to be flexible in terms
`of accommodating a wide variety of digital signature schemes (since different entities may
`use different digital signature algorithms), and the PKl must be flexible in allowing
`heterogeneous subsnuctures to intemperate. However, the final architectural
`recommendation is based on the needs of the Federal Government and not on those of the
`external agencies and entities.
`
`The United States is moving towards split-key, multiple trusted parties, key escrowing to
`allow law-enforcement agencies to decrypt court-authorized wiretaps. The multiple trusted
`parties, key-escrowing and associated key management is gem1ane to both the secret keys in
`symmetric encryption scheme