Attribute Certificate
   HOME

TheInfoList



OR:

In
computer security Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, the ...
, an attribute certificate, or authorization certificate (AC) is a
digital document An electronic document is any electronic media content (other than computer programs or system files) that is intended to be used in either an electronic form or as printed output. Originally, any computer data were considered as something inter ...
containing attributes associated to the holder by the issuer. When the associated attributes are mainly used for the purpose of authorization, AC is called authorization certificate. AC is standardized in
X.509 In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secu ...
. RFC 5755 further specifies the usage for authorization purpose in the Internet. The authorization certificate works in conjunction with a
public key certificate In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the ...
(PKC). While the PKC is issued by a
certificate authority In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This ...
(CA) and is used as a proof of identity of its holder like a
passport A passport is an official travel document issued by a government that contains a person's identity. A person with a passport can travel to and from foreign countries more easily and access consular assistance. A passport certifies the personal ...
, the authorization certificate is issued by an
attribute authority Attribute may refer to: * Attribute (philosophy), an extrinsic property of an object * Attribute (research), a characteristic of an object * Grammatical modifier, in natural languages * Attribute (computing), a specification that defines a proper ...
(AA) and is used to characterize or entitle its holder like a
visa Visa most commonly refers to: *Visa Inc., a US multinational financial and payment cards company ** Visa Debit card issued by the above company ** Visa Electron, a debit card ** Visa Plus, an interbank network *Travel visa, a document that allows ...
. Because identity information seldom changes and has a long validity time while attribute information frequently changes or has a short validity time, separate certificates with different security rigours, validity times and issuers are necessary.


Comparison of attribute and public key certificates

An AC resembles a PKC but contains no
public key Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
because an AC verifier is under the control of the AC issuer, and therefore, trusts the issuer directly by having the public key of the issuer preinstalled. This means that once the AC issuer's
private key Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
is compromised, the issuer has to generate a new
key pair Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
and replaces the old public key in all verifiers under its control with the new one. The verification of an AC requires the presence of the PKC that is referred as the AC holder in the AC. As with a PKC, an AC can be chained to delegate attributions. For example, an authorization certificate issued for Alice authorizes her to use a particular service. Alice can delegate this privilege to her assistant Bob by issuing an AC for Bob's PKC. When Bob wants to use the service, he presents his PKC and a chain of ACs starting from his own AC issued by Alice and then Alice's AC issued by the issuer that the service trusts. In this way, the service can verify that Alice has delegated her privilege to Bob and that Alice has been authorized to use the service by the issuer that controls the service. RFC 3281, however, does not recommend the use of AC chains because of the complexity in administering and processing the chain and there is little use of AC in the Internet.


Usage

To use a service or a resource that the issuer of an AC controls, a user presents both the PKC and the AC to a part of the service or resource that functions as an AC verifier. The verifier will first check the identity of the user using the PKC, for example, by asking the user to decrypt a message encrypted by the user's public key in the PKC. If the authentication is successful, the verifier will use the preinstalled public key of the AC issuer to check the validity of the presented AC. If the AC is valid, the verifier will check whether or not the PKC specified in the AC matches the presented PKC. If it matches, the verifier will check the validity period of the AC. If the AC is still valid, the verifier can perform additional checks before offering the user a particular level of service or resource usage in accordance to the attributes contained in the AC. For example, a software developer that already has a PKC wants to deploy its software in a computing device employing
DRM DRM may refer to: Government, military and politics * Defense reform movement, U.S. campaign inspired by Col. John Boyd * Democratic Republic of Madagascar, a former socialist state (1975–1992) on Madagascar * Direction du renseignement militai ...
like
iPad The iPad is a brand of iOS and iPadOS-based tablet computers that are developed by Apple Inc. The iPad was conceived before the related iPhone but the iPhone was developed and released first. Speculation about the development, operating s ...
where software can only be run in the device after the software has been approved by the device manufacturer. The software developer signs the software with the
private key Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
of the PKC and sends the signed software to the device manufacturer for approval. After authenticating the developer using the PKC and reviewing the software, the manufacturer may decide to issue an AC granting the software the basic capability to install itself and be executed as well as an additional capability to use the Wi-Fi device following the
principle of least privilege In information security, computer science, and other fields, the principle of least privilege (PoLP), also known as the principle of minimal privilege (PoMP) or the principle of least authority (PoLA), requires that in a particular abstraction la ...
. In this example, the AC does not refer to the PKC of the developer as the holder but to the software, for example, by storing the developer's signature of the software in the holder field of the AC. When the software is put into the computing device, the device will verify the integrity of the software using the developer's PKC before checking the validity of the AC and granting the software access to the device functionalities. A user may also need to obtain several ACs from different issuers to use a particular service. For example, a company gives one of its employees a company-wide AC that specifies engineering department as the work area. To access engineering data, however, the employee also needs a security clearance AC from the head of the engineering department. In this example, the resource of engineering data needs to be preinstalled with the public keys of both the company-wide and the engineering department AC issuers.


Contents of a typical attribute certificate

Version: the version of the certificate. Holder: the holder of the certificate. Issuer: the issuer of the certificate. Signature algorithm: the algorithm by which the certificate is signed. Serial number: the unique issuance number given by the issuer. Validity period: the validity period of the certificate. Attributes: the attributes associated to the certificate holder. Signature value: the signature of the issuer over the whole data above.


Benefits

Using attribute certificate, the service or resource
host A host is a person responsible for guests at an event or for providing hospitality during it. Host may also refer to: Places * Host, Pennsylvania, a village in Berks County People *Jim Host (born 1937), American businessman * Michel Host ...
does not need to maintain an
access control list In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object). An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on giv ...
that can potentially be large or to always be connected to a network to access a central server like when using Kerberos. It is similar to the idea of capabilities in which the permission (or permissions) to use a service or resource is not stored in the service or resource itself but in the users using a
tamper resistance Tamperproofing, conceptually, is a methodology used to hinder, deter or detect unauthorised access to a device or circumvention of a security system. Since any device or system can be foiled by a person with sufficient knowledge, equipment, and ti ...
mechanism.


See also

*
Public key certificate In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the ...
*
Security Assertion Markup Language Security Assertion Markup Language (SAML, pronounced ''SAM-el'', ) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based m ...
*
Shibboleth A shibboleth (; hbo, , šībbōleṯ) is any custom or tradition, usually a choice of phrasing or even a single word, that distinguishes one group of people from another. Shibboleths have been used throughout history in many societies as passwor ...
* Voms


References

{{reflist


External links


SPKI/SDSI Certificate Documentation
Public-key cryptography