air traffic management systems public key ...public key infrastructure for air traffic management...
TRANSCRIPT
PUBLIC KEY INFRASTRUCTUREFOR
AIR TRAFFIC MANAGEMENT SYSTEMS
609-485-5046
PUBLIC KEY INFRASTRUCTUREPUBLIC KEY INFRASTRUCTUREFOR FOR
AIR TRAFFIC MANAGEMENT SYSTEMSAIR TRAFFIC MANAGEMENT SYSTEMS
Vic PatelVic [email protected]@tc.faa.gov
609609--485485--50465046
Federal Aviation Administration (FAA) William J. Hughes TechnicaFederal Aviation Administration (FAA) William J. Hughes Technical Center (WJHTC)l Center (WJHTC)
Basic Cryptography DefinitionsBasic Cryptography Definitions
CRYTOGRAPHY: It allows two parties to exchange sensitive information in a secure manner via mathematical techniques
AUTHENTICATION: Assures the information owner that he/she knows with whom thehe/she is doing business with
CONFIDENTIALITY: Assures the information owner that his/her information is protected
INTEGRITY: Assures the information owner that the information is not being modified or substituted,
NON-REPUDIATION: Assures the information owner that the originator cannot deny originating a message or business transaction
BASIC CRYPTOGRAPHIC TECHNIQUEBASIC CRYPTOGRAPHIC TECHNIQUE
Symmetric Cryptography: It relies on a symmetric encipherment algorithmIt is also called secret key cryptographySingle secret key to encipher and decipherUsed for Encryption or Authentication
Asymmetric Cryptography:It is also called public key cryptographyKeys comes in pairs – public and privatePublic key is available to anyone – like phone number in the phone bookPrivate key is kept secret by the owner
HASH function:A mapping from an arbitrarily long input message to short (fixed-length) outputNot feasible to guess an input message that results in a given outputUsed for Data Integrity
ADDITIONAL DESCRIPTIONSADDITIONAL DESCRIPTIONS
Certificate: A digitally signed data structure defined in the X.509 standard that binds the identity of a certificate holder (or subject) to a public key.
Certificate Authority (CA): A trusted entity that issues certificates to end entities and other CAs. CA issues CRLs periodically, and post certificate and CRLs to a repository
Certificate Revocation List (CRL): A list of revoked but unexpired certificates by a CA.
Registration Authority: A set of technical and administrative functions(e.g., enrollment) performed by a component of a CA.
CRYPTOGRAPHIC TECHNIQUE AS APPLIED TO ATNCRYPTOGRAPHIC TECHNIQUE AS APPLIED TO ATN
Encryption Scheme:A cryptographic scheme for confidentialityIt has an encryption and decryption operationMay use Asymmetric Encipherment (under public key)Or alternatively may use Symmetric Encipherment
Digital Signature Scheme:It is used for data origin authentication and data integrityIt has a signing and verification operationsA receiver must be able to validate the sender’s signatureThe sender of a signed message must not be able to repudiate it latterAsymmetric Encipherment (under private key)Hash Function
CRYPTOGRAPHIC TECHNIQUE AS APPLIED TO ATNCRYPTOGRAPHIC TECHNIQUE AS APPLIED TO ATN
(cont’d)(cont’d)
Message Authentication Code (MAC) Scheme:A key-dependent one-way hash function is called a MACMAC is useful to protect authenticity without providing secrecyUse of hash also provides integrityOnly someone with the identical key can verify the hash
Key Agreement Scheme:Used for key establishment between two entitiesIt creates a shared key for two entitiesAsymmetric Encipherment (under private key)
DigitalSignatureScheme
KEYESTABLISHMENT
KeyAgreement
Scheme
MessageAuthentication
CodeScheme
SymmetricEncipherment
AsymmetricEncipherment
(under public key)
OR
Cryptographic Building Blocks
Cryptographic Schemes
HashFunction
AsymmetricEncipherment(under private key)
AND
EncryptionScheme
(Keyed)Hash
Function
AsymmetricEncipherment(under private key)
AUTHENTICATION,INTEGRITY
AUTHENTICATION,INTEGRITY,
NON-REPUDIATION
CONFIDENTIALITY
SECURITY SERVICES
SECURITY MECHANISMS
SECURITYSECURITY SERVICE AND MECHANISMSERVICE AND MECHANISM
Alice Bob
Internet
Encryption DecryptionClear Message Clear Message
Secret Key Secret Key
Symmetric CryptographySymmetric Cryptography
DATA CONFIDENTIALITY
Ciphertext Cipher text
Alice Bob
Internet
Encryption
ConfidentialMessage
Decryption
ConfidentialMessage
A = DB = EC = FD = G
E = HF = IG = JH = K
I = LJ = MK = NL = O
M = PN = QO = RP = S
Q = TR = US = VT = W
U = XV = YW = ZX = A
E = HF = IG = JH = K
EncryptedMessage
“Wklv lv d vhfuw phvvdjh”
EncryptedMessage
“Wklv lv d vhfuw phvvdjh”
“This isa secretmessage”
“This isa secretmessage”
Symmetric CryptographySymmetric Cryptography
SYMMETRIC CRYPTOGRAPHYSYMMETRIC CRYPTOGRAPHY
• Shared Symmetric key or PRIVATE KEY used• Provides data confidentiality (or authentication)• Fast, easy to implement in hardware, widely used• Works well for a small group of authorized parties, where
keys may be pre-distributed and challenge for a large scale environment secure distribution
• E.g., DES, AES, 3DES, IDEA
SYMMETRIC CYPTOGRAPHYSYMMETRIC CYPTOGRAPHY
• Pro:– Fast, easy to implement in hardware, Widely used
• Cons:– Key management very difficult– Key must be exchanged via a trusted channel– Fixed length– Can be stolen– Difficult to administer
Public
Public Public
Private Private
1 1
Public
2
1 Create public / private key pairs
2 Exchange only public keys
Bob Alice
Asymmetric CryptographyAsymmetric Cryptography
Alice Bob
Encryption
Bob’sPublic Key3
Decryption
Bob’sPrivate Key4
Bob’sReply
Bob’sReply
Internet
Internet
Alice’sPublic Key
Bob’sPublic Key2 2
Decryption
6Alice’sPrivate Key
Encryption
5Alice’sPublic Key
OriginalMessage
OriginalMessage
Public PublicPrivate Private
1 Public / privatekey pair 1Public / private
key pairAsymmetric KeyAsymmetric Key
CONFIDENTIALITY
Alice’sPublic Key
Bob’sPublic Key2Alice Bob
Encryption DecryptionInternetOriginalMessage
OriginalMessage
Alice’sPublic Key
Alice’sPrivate Key3 4
Decryption EncryptionBob’sReply
Bob’sReply
6 5Internet
2
Bob’sPublic Key
Bob’sPrivate Key
Public PublicPrivate Private
1 Public / privatekey pair 1Public / private
key pairAsymmetric KeyAsymmetric Key
AUTHENTICATION
ASYMMETRIC CRYPTOGRAPHYASYMMETRIC CRYPTOGRAPHY
• Use of two distinct but related keys• Provides data confidentiality and authentication• Works well for a small group of authorized parties, where
keys may be pre-distributed and challenge for a large scale environment secure distribution
• For example RSA
ASYMMETRIC CRYPTOGRAPHYASYMMETRIC CRYPTOGRAPHY
• Pros:– Scales easily and easy key management is possible– Provides authentication of sender– Variable key sizes– Can be used for both encryption and digital signature
• Cons:– Relatively slow – Inefficient for encrypting lots of data– Authentication of public keys
Public Public
Private Private
1 1
1 Create public / private key pairs
2 Exchange only public keys Eve intercepted and substituted Bob’s Public Key
Bob Alice
Asymmetric CryptographyAsymmetric Cryptography
2Public
Eve
OneOne--Way HASH FunctionWay HASH Function
Alice Bob
Message
21 3
4
Fingerprint
Fingerprint
Fingerprint
Fingerprint
DATA INTEGRITY
Public Key2Sender Receiver
Message
1 Create public / private key pair
2 Sender sends its public key to receiver
Creating DIGITAL SIGNATURECreating DIGITAL SIGNATURE
PublicPrivate
1 Public / privatekey pair
006FBBC95
Output is the hash of the message
Signature
Digital signature is the encrypted hash
Hash is encrypted with sender’s private key
Encryption
Private
Original message is input to a one-way
hash function
Message
Signature
Message
006FBBC95
Result is hash of message
Receiver separates message & signature
006FBBC95
Result is decrypted hash
Public KeyEncryption
Decrypt signature using sender’s public key
Message
Signature
Original message is input to a one-way
hash function
Receiver
Is HASH equal?
Yes No
Message NOT altered
Message altered
Verifying DIGITAL SIGNATUREVerifying DIGITAL SIGNATURE
Digital Certificate Through a Certificate AuthorityDigital Certificate Through a Certificate Authority
Bob
CAPublic
Key
1 Request Alice’s Certificate
VerifySignature
3
4
CA Fingerprint CA Fingerprint
Decryption
Alice’sPublic
Key
Alice’sCertificate
CA Fingerprint
Alice’sCertificate
Bob’sCertificate
2
CA Signature
Alice’s Certificate
CertificateAuthority