Public Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13)



Similar documents
Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

CSCE 465 Computer & Network Security

CS 392/681 - Computer Security

Fighting product clones through digital signatures

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

SSL A discussion of the Secure Socket Layer

7 Key Management and PKIs

Introduction to Cryptography CS 355

Computer Security: Principles and Practice

CRYPTOGRAPHY IN NETWORK SECURITY

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

The Mathematics of the RSA Public-Key Cryptosystem

Key Management and Distribution

CS 758: Cryptography / Network Security

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

Overview. SSL Cryptography Overview CHAPTER 1

Cryptography and Network Security Chapter 14

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

HMRC Secure Electronic Transfer (SET)

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

Modeling and verification of security protocols

Seminar report Digital Signature Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

to hide away details from prying eyes. Pretty Good Privacy (PGP) utilizes many

An Introduction to Digital Signature Schemes

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Neutralus Certification Practices Statement

Authentication requirement Authentication function MAC Hash function Security of

Number of relevant issues

IT Networks & Security CERT Luncheon Series: Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Lecture 9: Application of Cryptography

[SMO-SFO-ICO-PE-046-GU-

Introduction to Cryptography

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer. February 3, 1999

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Lecture VII : Public Key Infrastructure (PKI)

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

A Security Flaw in the X.509 Standard Santosh Chokhani CygnaCom Solutions, Inc. Abstract

Understanding digital certificates

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Cryptography & Digital Signatures

Authentication Types. Password-based Authentication. Off-Line Password Guessing

A Factoring and Discrete Logarithm based Cryptosystem

EXAM questions for the course TTM Information Security May Part 1

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Expert Reference Series of White Papers. Fundamentals of the PKI Infrastructure

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

CS Computer Security Third topic: Crypto Support Sys

Cryptography and Network Security

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Operating a CSP in Switzerland or Playing in the champions league of IT Security

Introduction to Security and PIX Firewall

Message authentication and. digital signatures

Authenticity of Public Keys

Danske Bank Group Certificate Policy

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

Concept of Electronic Approvals

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Chapter 7: Network security

Public Key Infrastructure (PKI)

Reducing Certificate Revocation Cost using NPKI

GlobalSign Subscriber Agreement for DocumentSign Digital ID for Adobe Certified Document Services (CDS)

National Certification Authority Framework in Sri Lanka

SBClient SSL. Ehab AbuShmais

Digital signatures. Informal properties

Digital Signatures. What are Signature Schemes?

Cornerstones of Security

National Security Agency Perspective on Key Management

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Minnesota State Colleges and Universities System Guideline Chapter 5 Administration

GlobalSign Subscriber Agreement for DomainSSL Certificates

CSE/EE 461 Lecture 23

Cryptography and Network Security: Summary

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Adobe Digital Signatures in Adobe Acrobat X Pro

How To Make A Trustless Certificate Authority Secure

Key Management and Distribution

1 Signatures vs. MACs

Lukasz Pater CMMS Administrator and Developer

Practice Questions. CS161 Computer Security, Fall 2008

Signature Schemes. CSG 252 Fall Riccardo Pucella

Capture Resilient ElGamal Signature Protocols

WiMAX Public Key Infrastructure (PKI) Users Overview

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Table of Contents. Bibliografische Informationen digitalisiert durch

GlobalSign Subscriber Agreement for PersonalSign and DocumentSign for Adobe CDS Certificates Combined Agreement for epki (US)

Digital Signature. Raj Jain. Washington University in St. Louis

Transcription:

Public Key Cryptography in Practice c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13)

How Cryptography is Used in Applications The main drawback of public key cryptography is the inherent slow speed of the public key schemes. There are only a few schemes which are relatively faster, but they require use of huge keys, and are thus impractical. Therefore, public key schemes are not used directly for encryption. Instead, public key schemes are used in conjunction with secret key schemes where encryption is performed by the secret key schemes (e.g., Triple-DES) and the agreement on the keys is performed by public key distribution schemes (e.g., using RSA or Diffie-Hellman). This is similar to the case described in the public key signature schemes, where the signature scheme does not sign the original message, but rather signs the result of a fast hash function. Moreover, in many application even the single public key signature on a message is too cumbersome. In such cases, MACs are used, and their key is distributed in advance by a public key distribution scheme. c Eli Biham - May 3, 2005 373 Public Key Cryptography in Practice (13)

Recommended Key Sizes In secret key schemes the trend changes from keys of 56 64 to keys of 128 bits. Keys of 128 bits are large enough to thwart any practical attack, as long as the cipher does not have weakness due to its design. Paranoids can use even longer keys, which are supported by various ciphers. The situation is different in public key schemes, where considerably longer keys are required, as the keys are not uniformly selected from all the possible keys with the same length. Therefore, the number of keys is (slightly) smaller than the number of values of the same length as the keys. However, the main reason that requires longer keys is the information inherited in the key due to the properties of the cipher. c Eli Biham - May 3, 2005 374 Public Key Cryptography in Practice (13)

Recommended Key Sizes (cont.) In RSA, the public key is a product of two primes. The best known factoring algorithms are the quadratic sieve and the number field sieve whose complexities are about Complexity(QS) = e c ln n ln ln n ; Complexity(NFS) = e c(ln n)1/3 (ln ln n) 2/3 Due to the different constant factors (and other smaller terms) the quadratic sieve is faster when factoring up to about 129 decimal digits. The quadratic sieve algorithm was used to factor the number RSA-129, proposed by the designers of RSA in 1978 as an example of a number whose factoring will take about 40 quadrillion years. This factorization took a few months on several thousands computers over the Internet. Over a similar computer network the NFS can factor numbers up to about 140 digits. It is expected that within a decade numbers of up to 154 digits (512 bits) will be factorable. Therefore, all new applications should use public keys of 1024 bits. Long-term keys should have at least 2048 bits. Paranoids can use longer keys. c Eli Biham - May 3, 2005 375 Public Key Cryptography in Practice (13)

Recommended Key Sizes (cont.) Breaking DLOG-based schemes requires computation of discrete logarithms. Advances in designing algorithms for computing DLOG were performed in parallel to the design of algorithms for factoring, and actually the best known algorithms for computing DLOG are variants of those used for factoring. Nowadays, 400-bit primes moduli are still secure for DLOG-based schemes. However, it would better be that new applications use longer keys (e.g., 512 bits). c Eli Biham - May 3, 2005 376 Public Key Cryptography in Practice (13)

Public Key Infrastructure Public key cryptography provide a tool for secure communication between parties by letting them trust messages encrypted or signed by the already known public keys of the other parties. However, no algorithmic scheme can solve the original trust problem of accepting the identity of a party that you never met. The usual face-to-face identification is by a trusted third party (a friend) who presents the two parties to each other. Such a presentation protocol is also required for cryptographic protocols. The presenting party in the cryptographic environment is called a certification authority ( ), or briefly a CA. The management of the CA s requires a public key infrastructure (PKI). c Eli Biham - May 3, 2005 377 Public Key Cryptography in Practice (13)

Certificates During face-to-face presentation, the presenter gives the relation between the name and the face of the presented party, together with some side information (e.g., he is a friend of the presenter). For cryptographic use the certification authority should give the relation between the public key and the identity of his owner. This information should be transmitted authenticated from the CA to the receiver, e.g., signed under the widely known public key of the certification authority. Note that it is not necessary that the receiver communicate directly with the CA. Instead, the CA signs all the required information, and gives the key owner, who can then give it to anybody he wishes to communicate with, or publish widely. This, the receiver should only verify the signature of the CA, rather than to communicate with him for verifying every new key. Such a signed information is called a certificate ( ). c Eli Biham - May 3, 2005 378 Public Key Cryptography in Practice (13)

Certificates (cont.) A certificate includes 1. The CA name 2. Sequential number of the certificate 3. The public key of the user 4. The identity of the user 5. Date 6. Last validation date 7. signature of the CA on all the above c Eli Biham - May 3, 2005 379 Public Key Cryptography in Practice (13)

Certificates (cont.) It might happen that the secret key of some user become known to other, due to theft, factoring, or other reasons. Therefore, certification authorities maintain Certificate Revocation Lists (CRLs, blacklists) of canceled certificates which must not be trusted. Users can ask to add their old certificates to the blacklists if they suspect that their secret keys became known. The last validation date field in the certificate ensures that the blacklists will not have to keep such certificates for more than a selected time, as after the last validation date, the certificates become invalid anyway, and the user should select another key instead. c Eli Biham - May 3, 2005 380 Public Key Cryptography in Practice (13)

The Legal Status of Digital Signatures Several countries, including Israel, made special law to approve digital signatures for legal purposes. Under the Israeli law, there are three kinds of digital signatures: 1. Digital signature ( ): Any kind of electronic data that is added to a document to show the identity if the signer (e.g., a scanned hand-written signature at the bottom of a document). This kind has no legal status. 2. Protected digital signature ( ): A digital signature that allows verification of the identity of the signer, and ensures that the signed message is original and was not modified after the signature generation. 3. Certified digital signature ( ): A protected digital signature, whose key is certified by a certificate (signed by a CA). c Eli Biham - May 3, 2005 381 Public Key Cryptography in Practice (13)

The Legal Status of Digital Signatures (cont.) A CA should be approved by the CA registrar ( ), sign the certificates with a long key (at least 2048 bits in case of RSA), and satisfy many other security and financial requirements. Certified digital signatures can be used whenever a signature is required by law (a few exceptions apply, e.g., wills), and courts accept certified digital signatures (and with the proper evidence also protected digital signatures) as valid signatures. c Eli Biham - May 3, 2005 382 Public Key Cryptography in Practice (13)

The X.509 Public Key Hierarchy The X.509 standard defines a tree hierarchy of CA s. Each CA has some parent, who signs the certifies the CA s public key. The only required widely known public key is the key of the root CA. All other public keys of CA can be verifies using certificates. Then, a receiver verifies a certificate of another user by verifying the certificate of the CA first, and then verifying the signature of the CA on the certificate of the user. In turn, verification of the certificate of the CA is performed by verifying the certificate of his parent CA and the signature of the parent CA, and so on. Only the public key of the root CA should not be verified, as it is widely known. c Eli Biham - May 3, 2005 383 Public Key Cryptography in Practice (13)

The PGP Hierarchy The drawback of the X.509 hierarchy is that every user must trust all the CA s. If a user does not trust even one CA, he cannot trust the system at all. That like If you do not trust the government, you cannot trust your brother. In the PGP hierarchy every user is also a CA, and users can select which CA s they trust, and which they do not trust. As a CA a user signs certificates to his friends. His signature ensure that he recognizes the friend, and checked his identity. It does not mean that the friend is trustworthy. Each user then asks for certificates from many other users, and collects as many as he wishes. c Eli Biham - May 3, 2005 384 Public Key Cryptography in Practice (13)

The PGP Hierarchy (cont.) When a user need to prove his identity, he publishes (or sends) the certificates he collected to the other user, and the other user verify them. The receiver can select his own trust scheme. He can decide to trust certificates signed by some CA s unconditionally, and not trust certificates signed by some other CA s. He can also decide to trust some CA with some medium trust, i.e., a certificate is only trusted if he got one (or more) additional certificates for the same key from medium trust CA s. c Eli Biham - May 3, 2005 385 Public Key Cryptography in Practice (13)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information