digital signatures. public key cryptography public key cryptography requirements 1.it must be...
Post on 31-Dec-2015
223 Views
Preview:
TRANSCRIPT
Digital Signatures
Public Key Cryptography
Public Key Cryptography Requirements
1. It must be computationally easy to encipher or decipher a message given the appropriate key
2. It must be computationally infeasible to derive the private key from the public key
3. It must be computationally infeasible to determine the private key from a chosen plaintext attack
RSA
• Exponentiation cipher
• Relies on the difficulty of determining the number of numbers relatively prime to a large integer n
Background
• Totient function (n)– Number of positive integers less than n and relatively
prime to n• Relatively prime means with no factors in common with n
• Example: (10) = 4– 1, 3, 7, 9 are relatively prime to 10
• Example: (21) = 12– 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are relatively
prime to 21
Algorithm
• Choose two large prime numbers p, q– Let n = pq; then (n) = (p–1)(q–1)– Choose e < n such that e is relatively prime to
(n).– Compute d such that ed mod (n) = 1
• Public key: (e, n); private key: d• Encipher: c = me mod n• Decipher: m = cd mod n
Example: Confidentiality
• Take p = 7, q = 11, so n = 77 and (n) = 60• Alice chooses e = 17, making d = 53• Bob wants to send Alice secret message HELLO
(07 04 11 11 14)– 0717 mod 77 = 28– 0417 mod 77 = 16– 1117 mod 77 = 44– 1117 mod 77 = 44– 1417 mod 77 = 42
• Bob sends 28 16 44 44 42
Example
• Alice receives 28 16 44 44 42• Alice uses private key, d = 53, to decrypt message:
– 2853 mod 77 = 07– 1653 mod 77 = 04– 4453 mod 77 = 11– 4453 mod 77 = 11– 4253 mod 77 = 14
• Alice translates message to letters to read HELLO– No one else could read it, as only Alice knows her
private key and that is needed for decryption
Example: Integrity/Authentication
• Take p = 7, q = 11, so n = 77 and (n) = 60• Alice chooses e = 17, making d = 53• Alice wants to send Bob message HELLO (07 04 11 11
14) so Bob knows it is what Alice sent (no changes in transit, and authenticated)– 0753 mod 77 = 35– 0453 mod 77 = 09– 1153 mod 77 = 44– 1153 mod 77 = 44– 1453 mod 77 = 49
• Alice sends 35 09 44 44 49
Example
• Bob receives 35 09 44 44 49
• Bob uses Alice’s public key, e = 17, n = 77, to decrypt message:– 3517 mod 77 = 07
– 0917 mod 77 = 04
– 4417 mod 77 = 11
– 4417 mod 77 = 11
– 4917 mod 77 = 14
• Bob translates message to letters to read HELLO– Alice sent it as only she knows her private key, so no one else could have
enciphered it
– If (enciphered) message’s blocks (letters) altered in transit, would not decrypt properly
Example: Both
• Alice wants to send Bob message HELLO both enciphered and authenticated (integrity-checked)– Alice’s keys: public (17, 77); private: 53– Bob’s keys: public: (37, 77); private: 13
• Alice enciphers HELLO (07 04 11 11 14):– (0753 mod 77)37 mod 77 = 07– (0453 mod 77)37 mod 77 = 37– (1153 mod 77)37 mod 77 = 44– (1153 mod 77)37 mod 77 = 44– (1453 mod 77)37 mod 77 = 14
• Alice sends 07 37 44 44 14
Security Services
• Confidentiality– Only the owner of the private key knows it, so
text enciphered with public key cannot be read by anyone except the owner of the private key
• Authentication– Only the owner of the private key knows it, so
text enciphered with private key must have been generated by the owner
More Security Services
• Integrity– Enciphered letters cannot be changed
undetectably without knowing private key
• Non-Repudiation– Message enciphered with private key came
from someone who knew it
Warnings
• Encipher message in blocks considerably larger than the examples here– If 1 character per block, RSA can be broken
using statistical attacks (just like classical cryptosystems)
– Attacker cannot alter letters, but can rearrange them and alter message meaning
• Example: reverse enciphered message of text ON to get NO
Cryptographic Checksums
Cryptographic Checksums
• Mathematical function to generate a set of k bits from a set of n bits (where k ≤ n).– k is smaller then n except in unusual
circumstances
• Example: ASCII parity bit– ASCII has 7 bits; 8th bit is “parity”– Even parity: even number of 1 bits– Odd parity: odd number of 1 bits
Hashing
Definition
• Cryptographic checksum h: AB:1. For any x A, h(x) is easy to compute2. For any y B, it is computationally infeasible to
find x A such that h(x) = y3. It is computationally infeasible to find two inputs
x, x A such that x ≠ x and h(x) = h(x)– Alternate form (stronger): Given any x A, it is
computationally infeasible to find a different x A such that h(x) = h(x).
Collisions
• If x ≠ x and h(x) = h(x), x and x are a collision– Pigeonhole principle: if there are n containers
for n+1 objects, then at least one container will have 2 objects in it.
– Application: if there are 32 files and 8 possible cryptographic checksum values, at least one value corresponds to at least 4 files
Keys
• Keyed cryptographic checksum: requires cryptographic key– DES in chaining mode: encipher message, use
last n bits. Requires a key to encipher, so it is a keyed cryptographic checksum.
• Keyless cryptographic checksum: requires no cryptographic key– MD5 and SHA-1 are best known; others
include MD4, HAVAL, and Snefru
Public Key Infrastructure
Public Key Infrastructure
• Key exchange– Session vs. interchange keys– Classical, public key methods
• Cryptographic key infrastructure– Certificates
Notation
• X Y : { Z || W } kX,Y
– X sends Y the message produced by concatenating Z and W enciphered by key kX,Y, which is shared by users X and Y
• A T : { Z } kA || { W } kA,T
– A sends T a message consisting of the concatenation of Z enciphered using kA, A’s key, and W enciphered using kA,T, the key shared by A and T
• r1, r2 nonces (nonrepeating random numbers)
Session, Interchange Keys
• Alice wants to send a message m to Bob– Assume public key encryption– Alice generates a random cryptographic key ks and uses
it to encipher m• To be used for this message only• Called a session key
– She enciphers ks with Bob;s public key kB
• kB enciphers all session keys Alice uses to communicate with Bob
• Called an interchange key
– Alice sends { m } ks { ks } kB
Secret-key systems structure
Benefits
• Limits amount of traffic enciphered with single key– Standard practice, to decrease the amount of traffic an
attacker can obtain
• Prevents some attacks– Example: Alice will send Bob message that is either
“BUY” or “SELL”. Eve computes possible ciphertexts { “BUY” } kB and { “SELL” } kB. Eve intercepts enciphered message, compares, and gets plaintext at once
Key Exchange Algorithms
• Goal: Alice, Bob get shared key– Key cannot be sent in clear
• Attacker can listen in
• Key can be sent enciphered, or derived from exchanged data plus data not known to an eavesdropper
– Alice, Bob may trust third party
– All cryptosystems, protocols publicly known• Only secret data is the keys, ancillary information known only
to Alice and Bob needed to derive keys
• Anything transmitted is assumed known to attacker
Classical Key Exchange
• Bootstrap problem: how do Alice, Bob begin?– Alice can’t send it to Bob in the clear!
• Assume trusted third party, Cathy– Alice and Cathy share secret key kA
– Bob and Cathy share secret key kB
• Use this to exchange shared key ks
Simple Protocol
Alice Cathy{ request for session key to Bob } kA
Alice Cathy{ ks } kA || { ks } kB
Alice Bob{ ks } kB
Problems
• How does Bob know he is talking to Alice?– Replay attack: Eve records message from Alice
to Bob, later replays it; Bob may think he’s talking to Alice, but he isn’t
– Session key reuse: Eve replays message from Alice to Bob, so Bob re-uses session key
• Protocols must provide authentication and defense against replay
Needham-Schroeder
Alice CathyAlice || Bob || r1
Alice Cathy{ Alice || Bob || r1 || ks || { Alice || ks } kB } kA
Alice Bob{ Alice || ks } kB
Alice Bob{ r2 } ks
Alice Bob{ r2 – 1 } ks
Public Key Key Exchange
• Here interchange keys known– eA, eB Alice and Bob’s public keys known to all
– dA, dB Alice and Bob’s private keys known only to owner
• Simple protocol– ks is desired session key
Alice Bob{ ks } eB
Problem and Solution
• Vulnerable to forgery or replay– Because eB known to anyone, Bob has no assurance that
Alice sent message
• Simple fix uses Alice’s private key– ks is desired session key
Alice Bob{ { ks } dA } eB
Notes
• Can include message enciphered with ks
• Assumes Bob has Alice’s public key, and vice versa– If not, each must get it from public server
– If keys not bound to identity of owner, attacker Eve can launch a man-in-the-middle attack (next slide; Cathy is public server providing public keys)
• Solution to this (binding identity to keys) discussed later as public key infrastructure (PKI)
Man-in-the-Middle Attack
Alice Cathysend Bob’s public key
Eve Cathysend Bob’s public key
Eve CathyeB
AliceeE Eve
Alice Bob{ ks } eE
Eve Bob{ ks } eB
Eve intercepts request
Eve intercepts message
Cryptographic Key Infrastructure
• Goal: bind identity to key• Classical: not possible as all keys are shared
– Use protocols to agree on a shared key (see earlier)
• Public key: bind identity to public key– Crucial as people will use key to communicate with
principal whose identity is bound to key
– Erroneous binding means no secrecy between principals
– Assume principal identified by an acceptable name
Certificates
• Create token (message) containing– Identity of principal (here, Alice)– Corresponding public key– Timestamp (when issued)– Other information (perhaps identity of signer)
signed by trusted authority (here, Cathy)
CA = { eA || Alice || T } dC
Use
• Bob gets Alice’s certificate– If he knows Cathy’s public key, he can decipher the
certificate• When was certificate issued?• Is the principal Alice?
– Now Bob has Alice’s public key
• Problem: Bob needs Cathy’s public key to validate certificate– Problem pushed “up” a level– Two approaches: Merkle’s tree, signature chains
The Problem
• Create certificate– Generate hash of certificate– Encipher hash with issuer’s private key
• Validate– Obtain issuer’s public key– Decipher enciphered hash– Recompute hash from certificate and compare
• Problem: getting issuer’s public key
PKI basic entities and operations
X.509 Certificate
• Some certificate components in X.509v3:– Version
– Serial number
– Signature algorithm identifier: hash algorithm
– Issuer’s name; uniquely identifies issuer
– Interval of validity
– Subject’s name; uniquely identifies subject
– Subject’s public key
– Signature: enciphered hash
X.509 Certificate Validation
• Obtain issuer’s public key– The one for the particular signature algorithm
• Decipher signature– Gives hash of certificate
• Recompute hash from certificate and compare– If they differ, there’s a problem
• Check interval of validity– This confirms that certificate is current
Issuers
• Certification Authority (CA): entity that issues certificates
Multiple Issuers
• Multiple issuers pose validation problem• Alice’s CA is Cathy; Bob’s CA is Don; how can
Alice validate Bob’s certificate?• Have Cathy and Don cross-certify
– Each issues certificate for the other
Cross certificates
Validation and Cross-Certifying
• Certificates:– Cathy<<Alice>>– Dan<<Bob>– Cathy<<Dan>>– Dan<<Cathy>>
• Alice validates Bob’s certificate– Alice obtains Cathy<<Dan>>– Alice uses (known) public key of Cathy to validate
Cathy<<Dan>>– Alice uses Cathy<<Dan>> to validate Dan<<Bob>>
Certification Path Validation process
X.509 in Practice
• In the X.509 system, a CA issues a certificate binding a public key to a particular Distinguished Name in the X.500 tradition, or to an Alternative Name such as an e-mail address or a DNS-entry.
• An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system.
• Browsers such as Internet Explorer, Netscape/Mozilla, Opera and Safari come with root certificates pre-installed, so SSL certificates from larger vendors who have paid for the privilege of being pre-installed will work instantly.
• In effect the browsers' owners determine which CAs are trusted third parties for the browsers' users. – Although these root certificates can be removed or disabled, users rarely
do so. – If pre-installed root certificates are removed on the Microsoft-platform,
the operating-system re-installs them as soon as a web-site using the certificate is visited.
X.509 in Practice
• X.509 also includes standards for certificate revocation list (CRL) implementations, an often neglected aspect of PKI systems.
• The IETF-approved way of checking a certificate's validity is the Online Certificate Status Protocol (OCSP).
• Popular browsers like Internet Explorer and Firefox don't check for certificate revocation by default.
• The time lag for performing the checking could be one of the reasons.
A Sample X.509 certificate
A Sample X.509 certificate
• This is an example of a decoded X.509 certificate for www.freesoft.org, generated with OpenSSL -- the actual certificate is about 1KB in size.
• It was issued by Thawte (since acquired by VeriSign), as stated in the Issuer field.
• Its subject contains many personal details, but the most important part is usually the common name (CN), as this is the part that must match the host being authenticated.
• Also included is an RSA public key (modulus and public exponent), followed by the signature, computed by taking a MD5 hash of the first part of the certificate and encrypting it with Thawte's RSA private key.
Certificate Validation
• To validate this certificate, one needs the certificate that matches the Issuer (Thawte Server CA) of the first certificate.
• First one verifies that the second certificate is of a CA kind; that is, that it can be used to issue other certificates.– This is done by inspecting a value of the CA attribute in the
X509x3 extension section.
• Then the RSA public key from the CA certificate is used to decode the signature on the first certificate to obtain a MD5 hash, which must match an actual MD5 hash computed over the rest of the certificate.
An example CA certificate
An example CA certificate
• This is an example of a self-signed certificate, as the issuer and subject are the same.
• There's no way to verify this certificate except by checking it against itself; instead, these top-level certificates are manually stored by web browsers. – Thawte is one of the root certificate authorities recognized by both
Microsoft and Netscape. – This certificate comes with the web browser and is trusted by
default. – As a long-lived, globally trusted certificate that can sign anything
(as there are no constraints in the X509v3 Basic Constraints section), its matching private key has to be closely guarded.
Digital Signature
Digital Signature
• Construct that authenticated origin, contents of message in a manner provable to a disinterested third party (“judge”)
• Sender cannot deny having sent message (service is “nonrepudiation”)– Limited to technical proofs
• Inability to deny one’s cryptographic key was used to sign
– One could claim the cryptographic key was stolen or compromised
• Legal proofs, etc., probably required; not dealt with here
Common Error
• Classical: Alice, Bob share key k– Alice sends m || { m } k to Bob
This is a digital signature
WRONGWRONG
This is not a digital signature– Why? Third party cannot determine whether
Alice or Bob generated message
Classical Digital Signatures
• Require trusted third party– Alice, Bob each share keys with trusted party Cathy
• To resolve dispute, judge gets { m } kAlice, { m } kBob, and has Cathy decipher them; if messages matched, contract was signed
Alice Bob
Cathy Bob
Cathy Bob
{ m }kAlice
{ m }kAlice
{ m }kBob
Public Key Digital Signatures
• Alice’s keys are dAlice, eAlice
• Alice sends Bobm || { m } dAlice
• In case of dispute, judge computes{ { m } dAlice } eAlice
• and if it is m, Alice signed message– She’s the only one who knows dAlice!
Digital signature with message encryption and decryption
RSA Digital Signatures
• Use private key to encipher message– Protocol for use is critical
• Key points:– Never sign random documents, and when
signing, always sign hash and never document• Mathematical properties can be turned against signer
– Sign message first, then encipher• Changing public keys causes forgery
Key Points
• Key management critical to effective use of cryptosystems– Different levels of keys (session vs. interchange)
• Keys need infrastructure to identify holders, allow revoking– Key escrowing complicates infrastructure
• Digital signatures provide integrity of origin and contentMuch easier with public key cryptosystems than with
classical cryptosystems
top related