Public Key Infrastructure

Similar documents
Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Introduction to Cryptography

CS 392/681 - Computer Security

Computer and Network Security. Outline

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Overview of Public-Key Cryptography

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

CRYPTOGRAPHY IN NETWORK SECURITY

Overview. SSL Cryptography Overview CHAPTER 1

Notes on Network Security Prof. Hemant K. Soni

Module 7 Security CS655! 7-1!

SECURITY IN NETWORKS

Secure Sockets Layer

CS 758: Cryptography / Network Security

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Key Management and Distribution

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Computer Security: Principles and Practice

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

CSCE 465 Computer & Network Security

Lukasz Pater CMMS Administrator and Developer

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

SSL/TLS: The Ugly Truth

SSL Protect your users, start with yourself

Websense Content Gateway HTTPS Configuration

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Public Key Infrastructure

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

IT Networks & Security CERT Luncheon Series: Cryptography

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Strong Encryption for Public Key Management through SSL

The Mathematics of the RSA Public-Key Cryptosystem

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Lecture 9: Application of Cryptography

Chapter 8. Network Security

Chapter 9 Key Management 9.1 Distribution of Public Keys Public Announcement of Public Keys Publicly Available Directory

Internet Programming. Security

Key Management and Distribution

Network Security Protocols

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Authenticity of Public Keys

Public Key Infrastructure (PKI)

Public Key Cryptography: RSA and Lots of Number Theory

What is network security?

Chapter 7: Network security

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Cryptography and Network Security Chapter 14

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Lightweight Security using Identity-Based Encryption Guido Appenzeller

Chapter 10. Network Security

Network Security. HIT Shimrit Tzur-David

Chapter 14. Key management and Distribution. Symmetric Key Distribution Using Symmetric Encryption

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

CS Computer Security Third topic: Crypto Support Sys

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

SSL A discussion of the Secure Socket Layer

Public Key Cryptography and RSA. Review: Number Theory Basics

Overview Keys. Overview

CS 356 Lecture 28 Internet Authentication. Spring 2013

Security Digital Certificate Manager

Security Policy Revision Date: 23 April 2009

Security Digital Certificate Manager

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Three attacks in SSL protocol and their solutions

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood

CSCI-E46: Applied Network Security. Class 1: Introduction Cryptography Primer 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING

RSA Encryption. Tom Davis October 10, 2003

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

, ) I Transport Layer Security

An Introduction to the RSA Encryption Method

IBM i Version 7.3. Security Digital Certificate Manager IBM

Expert Reference Series of White Papers. Fundamentals of the PKI Infrastructure

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

Communication Systems SSL

Lecture 17: Re-encryption

Authentication Types. Password-based Authentication. Off-Line Password Guessing

VoteID 2011 Internet Voting System with Cast as Intended Verification

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

The science of encryption: prime numbers and mod n arithmetic

Web Security: Encryption & Authentication

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室


Key Management (Distribution and Certification) (1)

SBClient SSL. Ehab AbuShmais

CSE543 - Introduction to Computer and Network Security. Module: Public Key Infrastructure

Public Key Cryptography in Practice. c Eli Biham - May 3, Public Key Cryptography in Practice (13)

An Introduction to Cryptography and Digital Signatures

Modeling and verification of security protocols

Transcription:

Public Key Infrastructure Yan Huang Credit: David Evans (UVA)

Using RSA to Encrypt Use 2048-bit modulus (recommended) Encrypt 1MB file 4096 2048-bit messages Each M e requires log 2 (e) 1024-bit number modular multiplications (unless e is fixed to some small numbers) Why does not one use RSA like this? About 100-1000 times slower than DES Need to be careful not to encrypt particular Ms Can speed up encryption by choosing e that is an easy number to multiply by (e.g., 3 or 2 16 + 1) But, decryption must use non-easy d (~2048 bits) 2

Hybrid Encryption Use RSA to establish a shared secret key for symmetric cipher (e.g., AES) Encrypt the secret key with OAEP padding Sign (encrypt with private key) a hash of the message A short block that is associated with the message 3

RSA Paper The need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public file manager when the user joins the system. 4

Key Management Public keys only useful if you know: 1. The public key matches the entity you think it does (and no one else). 2. The entity is trustworthy. 5

Approach 1: Public Announcement Publish public keys in a public forum USENET groups Append to email messages New York Time classifieds Easy for rogue to pretend to be someone else 6

Approach 2: Public Directory Trusted authority maintains directory mapping names to public keys Entities register public keys with authority in some secure way Authority publishes directory Print using watermarked paper, special fonts, etc. Allow secure electronic access 7

Can we avoid needing an on-line directory? 8

Certificates Loren Kohnfelder, MIT 4 th year thesis project, 1978: Towards a Practical Public-key Cryptosystem Public-key communication works best when the encryption functions can reliably be shared among the communicants (by direct contact if possible). Yet when such a reliable exchange of functions is impossible the next best thing is to trust a third party. Diffie and Hellman introduce a central authority known as the Public File Each individual has a name in the system by which he is referenced in the Public File. Once two communicants have gotten each other s keys from the Public File then can securely communicate. The Public File digitally signs all of its transmission so that enemy impersonation of the Public File is precluded. 9

Certificates { alice@alice.org, KU A } TrustMe.com { bob@bob.com, KU B } C A = E KRTrustMe [ alice@alice.org, KU A ] C B = E KRTrustMe [ bob@bob.com, KU B ] C A Alice Bob C B KU Public Key KR Private Key 10

Data encrypted using secret key exchanged using some public key associated with some certificate.

12

SSL (Secure Sockets Layer) Simplified TLS Handshake Protocol Client Hello Server Check Certificate using KU CA Pick random K KR CA [Server Identity, KU S ] KU S [K] Find K using KR S Secure channel using K 13

Certificates { alice@alice.org, KU A } VarySign { bob@bob.com, KU B } C A = E KRTrustMe [ alice@alice.org, KU A ] C B = E KRTrustMe [ bob@bob.com, KU B ] C A Alice Bob C B How does TrustMe.com decide whether to provide Certificate?

Verifying Identities $$$$ { alice@alice.org, KU A } VarySign { bob@bob.com, KU B } C A = E KRTrustMe [ alice@alice.org, KU A ] C B = E KRTrustMe [ bob@bob.com, KU B ] C A Alice Bob C B CS588 Spring 2005 15

With over half a million businesses authenticated, VeriSign follows a rigorous and independently audited authentication process. All involved VeriSign employees pass stringent background checks, and each authentication is split between multiple individuals. We maintain physically secure facilities, including biometric screening on entry. CS588 Spring 2005 16

VeriSign s Certificate Classes Secure Site SSL Certificate Supports 40-bit session key Proves: you are communicating with someone willing to pay VeriSign $598 (or with ~$1000 to break a 40-bit key) Except they have a free 14-day trial (but it uses a different Trial CA key) 17

18

Secure Site Pro Certificate $995 per year true 128-bit key 128-bit encryption offers 2 88 times as many possible combinations as 40-bit encryption. That s over a trillion times a trillion times stronger. trillion = 10 12 trillion * trillion = 10 24 Verisign s marketing claim could be: trillion times a trillion times a trillion times a trillion times a trillion times a trillion times a trillion times ten thousand (in Britain it is a trillions time a trillion times a trillion times a trillion times a billion times a thousand) times stronger (but that would sound even sillier!) Businesses authentication: out-of-band communication, records 19

20

Limiting The Damage { alice@alice.org, KU A } VarySign.com C A = E KRTrustMe [ alice@alice.org, cert id, expiration time, KU A ] C A Alice Bob Checks expiration time > now

22

Revoking Certificates { alice@alice.org, KU A } VarySign.com C A E KRTrustMe [CRL] Send me the CRL C A Alice <certid, Date Revoked> <certid, Date Revoked> <certid, Date Revoked> Bob 23

Certificate Questions How do participants acquire the authority s public key? If authority s private key is compromised, everything is vulnerable! Keep the key locked up well 24

Problems with Certificates Depends on a certificate authority Needs to be a big, trusted entity Needs to make money (or be publicly funded) Need to acquire a certificate Makes anonymity difficult Requires handshaking 25

PGP (Pretty Good Privacy) Keyring: list of public keys, signed by owner s private key Alice s keyring: E KR Alice (< bob@bob.com, KU Bob >, < cathy@sharky.com, KU Cathy >) Exchanging Keyrings (Web of Trust) Complete Trust: I trust Alice s keyring (add the public key pairings to my own keyring) Partial Trust: I sort of trust Alice, but require confirmation from someone else too (I need to get E KR Cathy (< bob@bob.com, KU Bob >) before trusting KU Bob 26

Charge Look at the certificate chains when you browse the web Find a certificate with a trust chain more than two levels deep Update your browser CRLs: when were they last updated? 27

Avoiding Certificates What if your identity (e.g., your email address) is your public key? Is it possible to do this with RSA? Do you want your email address to be a 200-digit random number? 28

Identity Based Encryption [Shamir 1984], [Boneh & Franklin 2003] public-key = identity private-key = F(master-key, identity) The owner of the master-key is the new authority. Must be careful who it gives private keys to. 29

Key-Generating Service Holds master-key Participants request private keys from KGS Sends s to KGS, requests corresponding private key KGS authenticates requestor If valid, computes F(master-key, s) and sends over secure channel How does the trust given to the KGS compare to that given to CA in SSL? KGS can decrypt all messages! With certificates, certificate owner still has her own private key. But, CA can impersonate anyone by generating a certificate with a choosen public-key. 30

Shamir s IBE Signature Scheme Setup: done by KGS Select p, q large primes N = pq Choose e relatively prime to ϕ (N) = (p-1)(q-1) Choose d satisfying ed 1 mod ϕ (N) Choose h a cryptographic hash function Publish N, e and h to all participants Keep d secret master-key 31

Shamir s Signatures Generating a private key privatekey(id) = ID d mod N Can only be done by KGS (d is master secret) Signing a message M with identity ID Obtain g = privatekey(id) from KGS Choose random r less than N Compute signature (s, t): t = r e mod N s = g r h(t M) mod N Warning: book typesetting is off and wrong range for h! 32

Verifying a Signature KGS produced g = ID d mod N Recipient knows ID and M, system parameters e and N t = r e mod N s = g r h(t M) mod N Verify (ID, s, t, M) s e = ID t h(t M) mod N (ID d r h(t M) ) e mod N ID de r h(t M)e mod N ID r eh(t M) mod N ID t h(t M) mod N What does non-forgibility of a Shamir IBE signature rely on? 33

Identity-Based Encryption Shamir s scheme signatures only, not encryption Boneh & Franklin, 2001 First practical, provably secure IBE scheme Builds on elliptic curves 34

Issues in IBE Complete trust in KGS With Boneh & Franklin s system can use secret sharing techniques to divide this trust among multiple entities Could you do this with Shamir s IBE signatures? Revocation Can include expiration times in identities But no way to revoke granted private keys 35

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information