public key distribution- cryptography and network security
DESCRIPTION
Fast and authenticated - vertical handovers in heterogeneous networks by 802.11rTRANSCRIPT
Public Key Distribution
CONTENTS
INTRODUCTIONIf BOB wants to send message to ALICE,
Bob needs only Alice public key .Public key is freely available to every oneAny one can have access to anybody’s key.In public key Cryptography , every one
shields private key and advertise public key.In other words, every one has access to everyone’s public key; public keys are available to public.
Public Announcement By this approach
announcement of public key is made publicly.
BOB can put public key on website or announce it on local newspaper.
When ALICE needs to communicate with BOB then Alice needs to obtain BOBs key from site/newspaper or send message to ask for key.
Drawback of Announcement
This approach is not secure, it is subject to forgery.Example- Eve could make such public announcement
and before Bob can react, Eve would hack Bob’s file.Eve can fool Alice into sending her message that is
intended for BobEve could sign a document with a corresponding
forged private key and make every one believe that it was signed by Bob.
Approach is vulnerable when Alice directly requests Bob’s public key, Eve can intercept Bob’s response and substitute his own forged public key instead of Bob’s.
Use of Trusted Center In this approach, there is trusted center
that retains directory of public keys.Directory like telephone system, is
dynamically updated.Each user can select a private and
public key, keep private key and deliver the public key for insertion into the directory.
The center have condition that each user register in the center and proves his/her identity.
The directory can publicly advertise by the trusted center. The center can also respond to any inquiry about public key.
.
...
Alice
Ka
.
...
BOb Kb
.
...
Controlled Trusted CenterA higher level of security can be achieved if there
are added controls on the distribution of public key.
The public key announcement includes timestamp and be signed by authority to prevent interception and modifications of response.
Example-Alice need Bobs public key, she requests to center including bobs name and timestamp.Center respond with Bobs public key and
timestamp signed with private key of center.Alice use public key of center, known by all, to
verify timestamp.If timestamp is verified , Alice extract bobs
public key.
.
...
Alice Ka
.
...
Bob Kb
.
...
Needs Bobs key, T
Needs Bob’s key,
Bobs public key T: timestamp
Directory
Trusted center
Controlled Trusted Center
Alice
Drawback of controlled trusted center
Controlled trusted center approach create heavy load on the center if number of requests are large.
To over come this – creation of certificates was done(public key certificates).
Certificate Authority (CA)Bob wants two things- he wants people to know his public
key and wants no one to accept a forged key as his.Bob would go to certificate authority/ federal/state
organisation that binds public key and issue an certificate.The CA has well known public key itself that cannot be
forged.The CA checks Bobs identification(proof), then ask for
public key and write it on the certificate. To prevent certificate for being forged , the CA signs the
certificate with its private key. Now Bob can upload the signed certificate and anyone can
download the cerifiacte and use the centers public key to extract Bobs public key.
Certificate Authority (CA)..
.
.
Alice
Ka
.
...
BOb Kb
.
...
Directory
CA
<-------------
-----
Bob’s Certificate
Applying
Issuing
Bobs public key
Bob’s
Recording
Signed with CA’s Private key
Distributing to public
Drawback of certificate AuthorityAlthough the use of CA has solved the problem of public key fraud,
it has created a side effect . Each certificate may have different format.
If Alice wants to use a program to automatically download different certificates and digest belonging to different people, tha program may not be able to do this.
One certificate may have the public key in one format and other in different format. The public key may be on the first line or third line on different certificate.
Anything that needs to be used universally must have a universal format.
To remove this side effect , ITU designed X.59. Accepted by the internet changes and use protocol called ASN.1(abstract syntax notation 1)
X.509 is a way to describe the certificate in a structured way.
X.509 certificate formatVersion number
Serial Number
Signature Algorithm ID
Issuer name
Validity period
Subject name
Subject public key
Issuer unique identifier
Extensions
Signature
Hash algorithm
Digest
Signature
Algorithm
Signed Digest
Signed with CA’s private key
Hash algorithm ID+ Cipher ID + Parameters
Revoked
Certificate Renewal and RevocationEach Certificate has a period of validity. If there
is no problem with the certificate, the CA issues a new certificate before the old one expires. The process like the renewal of credit cards by a credit card company.
Revocation means deleting & remaking.The user private key might have been comprised.The CA is no longer willing to certify the user.CA private key, which can verify certificates, may
have been compromised. Such cases CA revokes all certificates.
Revocation is done periodically issuing a certificate revocation list(CRL). List is checked when certificate is revoked.
Certificate Renewal and Revocation
Signature Algorithm ID
Issuer name
This Update Date
Next Update Date
Revoked Certificate
::
Revoked Certificate
Signature
Hash Algorithm
Digest
Signature
Algorithm
Signed Digest
Signed with CA’s private key
Hash algorithm ID+ Cipher ID + Parameters
Public key infrastructuresIt is model for creating, distributing and
revoking certificates based on X.509
Thank You