5.1 Preliminaries

We begin by outlining the underlying mechanisms, formats, and assumptions of the security architecture.

5.1.1 Static Key Infrastructure

A small number of public key pairs and certificates must be created and distributed among various infrastructure components to establish the basic authentication framework. Two requirements must be satisfied:

  • There must be a well-known set of public keys, which we refer to as root keys, that can be used to authenticate top-level certificates. This set can include well-known keys for commercial certificate authorities (e.g., VeriSign, Thawte) or well-known keys specific to PlanetLab (i.e., either the global PlanetLab or private instances).

  • Every authority—management authority (MA) or slice authority (SA)—that provides an interface for access by services (e.g., management services running in their own slice) must have a public-private key pair, and a certificate signed by one of the certificate authorities (CA) that can be authenticated using the corresponding well-known key.
In certain small-scale environments (e.g., testing and development), it may instead be desirable to add the public keys for every authority to the set of well-known keys, thus eliminating one level of signed certificates. However, this sacrifices some of the benefits of using a root key to sign the authority’s certificate, such as the ability to change a particular authority’s certificate without updating the global list of root keys.

5.1.2 Certificates

The certificate format is a simple XML document as defined by the XML-SEC standard. The document contains three elements:

  • subject: Identifies the certificate subject and includes a PEM representation of the subject’s public key. The certificate indicates to the recipient that the binding between subject identity and public key was verified by the certificate issuer using out-of-band methods (e.g., some feature of the underlying OS).

  • issuer: Data used to authenticate the certificate, either an identifier for a well-known public key—indicating that this certificate is a top-level certificate (i.e., was signed with a root key)—or a certificate that includes the public key for the authority that signed this certificate.

  • signature: An element in XML-SEC format that specifies a number of signature parameters and includes the cryptographic signature value for this certificate. An authority uses information in the authenticator element—either a public key contained in an embedded cert or a named well-known key—to verify this signature.

Note that because the issuer is verified by either a well-known public key or another certificate, certificates are a recursive data structure.

Implementation Note: The current implementation uses a simple Python script, mkcert, to generate or verify XML certificates, hiding the details of recursive certificates from the end-user. The actual signing and verification are performed using the xmlsec1 utility, which in turn uses the OpenSSL cryptographic primitives.
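The recursive verification described above, as an added example (it is not mkcert and not code from the original document). It assumes a simplified element layout rather than real XML-SEC, substitutes toy textbook RSA for the xmlsec1/OpenSSL signature so it runs offline, and uses constructed names (plc-root, ma.example, svc.example).

```python
import hashlib
import xml.etree.ElementTree as ET

E = 65537

def make_key(p, q):
    # Toy textbook RSA (no padding): a stand-in for xmlsec1/OpenSSL. Not secure.
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(cert, n):
    # Assumed signed content: the serialized subject and issuer elements.
    data = ET.tostring(cert.find("subject")) + ET.tostring(cert.find("issuer"))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def make_cert(name, pub, issuer_child, signer):
    cert = ET.Element("certificate")
    subj = ET.SubElement(cert, "subject", name=name)
    subj.text = f"{pub['n']:x}:{pub['e']:x}"      # toy key encoding, not PEM
    ET.SubElement(cert, "issuer").append(issuer_child)
    sig = pow(_digest(cert, signer["n"]), signer["d"], signer["n"])
    ET.SubElement(cert, "signature").text = f"{sig:x}"
    return cert

def verify(cert, root_keys, max_depth=8):
    """Return the subject name if the chain ends at a well-known root key."""
    if max_depth == 0:
        raise ValueError("certificate chain too deep")
    issuer = cert.find("issuer")[0]
    if issuer.tag == "root":                      # top-level certificate
        if issuer.get("name") not in root_keys:
            raise ValueError("unknown root key")
        n, e = root_keys[issuer.get("name")]
    elif issuer.tag == "certificate":             # authenticate the issuer first
        verify(issuer, root_keys, max_depth - 1)
        n, e = (int(x, 16) for x in issuer.find("subject").text.split(":"))
    else:
        raise ValueError("malformed issuer element")
    name = cert.find("subject").get("name")
    if pow(int(cert.find("signature").text, 16), e, n) != _digest(cert, n):
        raise ValueError("bad signature on " + name)
    return name

# Constructed sample chain: root key -> authority certificate -> service certificate.
ROOT = make_key(2**61 - 1, 2**89 - 1)
MA = make_key(2**107 - 1, 2**127 - 1)
SVC = make_key(2**521 - 1, 2**607 - 1)
ROOT_KEYS = {"plc-root": (ROOT["n"], ROOT["e"])}
ma_cert = make_cert("ma.example", MA, ET.Element("root", name="plc-root"), ROOT)
svc_cert = make_cert("svc.example", SVC, ma_cert, MA)
```

A certificate is accepted only when every embedded issuer certificate verifies and the innermost issuer names a key in the well-known set; the depth limit bounds recursion on deeply nested input.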