Hash Function, Digital Signature & Public Key Infrastructure
Review: Security Requirements
In the context of communications across a network, the following attacks can be identified:
1. Disclosure
2. Traffic analysis
3. Masquerade
4. Content modification
5. Sequence modification
6. Timing modification
7. Source repudiation
8. Destination repudiation
Attacks 1 and 2 are countered by symmetric/asymmetric cryptography (message confidentiality).
Measures against attacks 3 to 6 are generally regarded as message authentication.
Mechanisms against attack 7 come under the heading of digital signature.
Attack 8 requires a combination of the use of digital signature and protocol design.
Review: Security Services
Authentication: Provides the assurance of someone's identity
Confidentiality: Protects against disclosure to unauthorized identities
Non-Repudiation: Protects against the originator of a communication later denying it
Integrity: Protects from unauthorized data alteration
Review: Services, Mechanisms, Algorithms
A typical security protocol provides one or more services.
Services are built from mechanisms; mechanisms are implemented using algorithms:
Services: SSL, IPSEC, TLS, SSH, etc.
Mechanisms: Signatures, Encryption, Hashing
Algorithms: DSA, RSA (signatures); RSA, DES (encryption); SHA, MD5 (hashing)
Review: Message Authentication
Message authentication can be provided by a hash function, a message authentication code (MAC), or message encryption.

Message Authentication: Hash functions
Hash Functions
Can be used for encryption, authentication and digital signatures.
A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M).
A cryptographic hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length, for example 160 bits, as depicted in the figure.
[Figure: a long message (... 0 1 1 0 1 1 0 1 1 ... 1 0 ... 1 0) is mapped to a 160-bit message digest]
Defining Hashing
If you were to give someone the number 1,765,335 and ask them to determine your original number, it would be virtually impossible for them to "work backwards" and derive the original number, 12,345.
If you give them the multiplier (143), they could easily determine the original number.
Input Value | Multiplier | Formula            | Result
12,345      | 143        | Value * Multiplier | 1,765,335
Plaintext   | Key        | Algorithm          | Ciphertext
A Practical Use of Hash Algorithm
[Figure: a DRJ Independent Bank card]
PIN entered on keypad: 123456
Hashed value stored on card: 459384502392 (= 123456 hashed)
Use a hashing algorithm: the hash value is based on an algorithm such as Haval, MD2, MD4, MD5 or the SHA hash functions (SHA-1, SHA-2).

One-way HASH function
Hash Functions
Hash code does not use a key.
Hash code is a function only of the input message.
Hash code is also referred to as a message digest or hash value.
The hash code is a function of all the bits of the message and provides an error-detection capability.
A change to any bit or bits in the message results in a change to the hash code.
Hash Function Properties
A hash function produces a fingerprint of some file/message/data: h = H(M)
It condenses a variable-length message M to a fixed-size fingerprint.
The hash function is assumed to be public.
Requirements for Hash Functions
The purpose of the hash function is to produce a "fingerprint". Properties of a hash function H:
1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is easy to compute for any given x.
4. For any given code h, it is computationally infeasible to find x such that H(x) = h (one-way property).
5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x) (weak collision resistance).
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) (strong collision resistance).
Simple Hash Functions
There are several proposals for simple hash functions based on the XOR of message blocks.
These are not secure: an attacker can manipulate any message and either leave the hash unchanged or change the hash to match as well.
A stronger cryptographic function is needed.
Hash Function Operations (in terms of hashing, signing, and applications)
One useful application of hash functions is to make signature schemes more efficient.
The hash function is made public.
Starting with a message m, Alice calculates the hash h(m). This output h(m) is significantly smaller, and hence signing the hash may be done more quickly than signing the entire message.
Alice calculates the signed message sig(h(m)) for the hash function and uses it as the signature of the message.
The pair (m, sig(h(m))) now conveys basically the same knowledge as the original signature scheme did.
It has the advantages that it is faster to create (under the reasonable assumption that the hash operation is quick) and requires less resources for transmission or storage.
In Terms of Security
Suppose Eve has possession of Alice's signed message (m, sig(h(m))).
She has another message m' to which she wants to add Alice's signature.
This means that she needs sig(h(m')) = sig(h(m)); in particular, she needs h(m') = h(m).
If the hash function is one-way, Eve will find it hard to find any such m'.
The chance that her desired m' will work is very small. Moreover, since we require our hash function to be strongly collision-free, it is unlikely that Eve can find two messages m1 ≠ m2 with the same signatures.
Of course, if she did, she could have Alice sign m1, then transfer her signature to m2. But Alice would get suspicious, since m1 (and m2) would very likely be meaningless messages.
Check on Data Integrity
A hash function can also be employed as a check on data integrity.
The question of data integrity comes up in basically two scenarios. First: when the data (encrypted or not) are being transmitted to another person and a noisy communication channel introduces errors into the data. Second: an observer rearranges the transmission in some manner before it gets to the receiver. Either way, the data have become corrupted.
Example: Suppose Alice sends Bob long messages about financial transactions with Eve and encrypts them in blocks. Perhaps Eve deduces that the tenth block of each message lists the amount of money that is to be deposited to Eve's account. She could easily substitute the tenth block from one message into another and increase the deposit.
Integrity: the assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, or deletion).
Check on Data Integrity
Another situation:
Alice might send Bob a message consisting of several blocks of data, but one of the blocks is lost during transmission. Bob might not ever realize that the block is missing.
Here is how a hash function can be used. Say we send (m, h(m)) over the communications channel and it is received as (M, H). To check whether errors might have occurred, the recipient computes h(M) and sees whether it equals H. If any errors occurred, it is likely that h(M) ≠ H, because of the collision-free properties of h.
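The (m, h(m)) check above, run with the block-XOR "simple hash function" from the earlier slide beside SHA-256, as an added example that is not part of the original slides. The 4-byte block size, the sample message and the swap of blocks 3 and 10 are constructed for the demonstration; the point is that the XOR hash still catches a random bit error but not a deliberate rearrangement of the transmission.

```python
import hashlib

BLOCK = 4  # bytes per block (toy size chosen for this example)

def xor_block_hash(data: bytes) -> bytes:
    """Simple hash from the 'Simple Hash Functions' slide: XOR of all message blocks."""
    padded = data + b"\x00" * (-len(data) % BLOCK)   # zero-pad the last block
    acc = bytearray(BLOCK)
    for i in range(0, len(padded), BLOCK):
        for j in range(BLOCK):
            acc[j] ^= padded[i + j]
    return bytes(acc)

def sha256_hash(data: bytes) -> bytes:
    """A real cryptographic hash, for comparison."""
    return hashlib.sha256(data).digest()

def integrity_check(received_m: bytes, received_h: bytes, h) -> bool:
    """Receiver side of the slide: got (M, H); recompute h(M) and compare with H.
    True means 'no corruption detected'."""
    return h(received_m) == received_h

def swap_blocks(m: bytes, i: int, j: int) -> bytes:
    """An observer rearranging the transmission: blocks i and j change places."""
    blocks = [m[k:k + BLOCK] for k in range(0, len(m), BLOCK)]
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)

def flip_bit(m: bytes, index: int) -> bytes:
    """A noisy channel flipping a single bit."""
    out = bytearray(m)
    out[index] ^= 0x01
    return bytes(out)

def detection_report() -> dict:
    """For each hash, report whether the receiver detects (a) a single bit error
    and (b) a deliberate swap of blocks 3 and 10 (indices 2 and 9)."""
    # Constructed sample message: twelve 4-byte blocks "b01 ", "b02 ", ..., "b12 "
    m = b"".join(f"b{k:02d} ".encode() for k in range(1, 13))
    report = {}
    for name, h in (("xor", xor_block_hash), ("sha256", sha256_hash)):
        tag = h(m)                                   # sender transmits (m, h(m))
        report[name] = {
            "bit_error_detected": not integrity_check(flip_bit(m, 5), tag, h),
            "block_swap_detected": not integrity_check(swap_blocks(m, 2, 9), tag, h),
        }
    return report

if __name__ == "__main__":
    for name, result in detection_report().items():
        print(name, result)
```

XOR is commutative, so reordering blocks leaves the XOR hash unchanged and the receiver accepts the corrupted message; SHA-256 changes on any modification.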
List of Cryptographic Hash Functions
Haval
MD2
MD4
MD5
N-Hash
RIPEMD-160
SHA Hash Functions (SHA-0, SHA-1, SHA-2)
Snefru
Tiger
Whirlpool
Other Secure Hash Functions
                          SHA-1                  MD5                    RIPEMD-160
Digest length             160 bits               128 bits               160 bits
Basic unit of processing  512 bits               512 bits               512 bits
Number of steps           80 (4 rounds of 20)    64 (4 rounds of 16)    160 (5 paired rounds of 16)
Maximum message size      2^64 - 1 bits          unlimited              2^64 - 1 bits
Digital Signature / Signature Schemes

Signature schemes
Digital signature schemes ≈ MACs in the public-key setting.

Problem: Authentication
Scenario
[The slides titled "Problem: Authentication" and "Scenario" contained only illustrations.]
Digital Signatures
• we have looked at message authentication, but it does not address issues of lack of trust, e.g. in scenarios such as transferring funds or sending a mail message
• digital signatures provide the ability to (properties):
  – verify the author, date and time of the signature
  – authenticate the message contents
  – be verified by third parties to resolve disputes
• hence they include the authentication function with additional capabilities
Digital Signature Properties
• must depend on the message signed
• must use information unique to the sender
  – to prevent both forgery and denial
• must be relatively easy to produce
• must be relatively easy to recognize and verify
• must be computationally infeasible to forge
  – with a new message for an existing digital signature
  – with a fraudulent digital signature for a given message
• must be practical to save the digital signature in storage
Digital Signature Categories
Digital signatures are either direct or arbitrated.
Direct Digital Signatures
• involve only the sender and receiver
• assume the receiver has the sender's public key
• the digital signature is made by the sender signing the entire message, or its hash, with the private key
• can encrypt using the receiver's public key
• it is important to sign first, then encrypt the message and signature
• security depends on the sender's private key
Arbitrated Digital Signatures
• involve the use of an arbiter A
  – who validates any signed message
  – which is then dated and sent to the recipient
• require a suitable level of trust in the arbiter
• can be implemented with either private-key or public-key algorithms
• the arbiter may or may not see the message
Authentication Protocols
• used to convince parties of each other's identity and to exchange session keys
• may be one-way or mutual
• key issues are:
  – confidentiality, to protect session keys
  – timeliness, to prevent replay attacks
Replay Attacks
• a valid signed message is copied and later resent:
  – simple replay
  – repetition that can be logged
  – repetition that cannot be detected
  – backward replay without modification
• countermeasures include:
  – use of sequence numbers (generally impractical)
  – timestamps (need synchronized clocks)
  – challenge/response (using a unique nonce)
Using Symmetric Encryption
• as discussed previously, can use a two-level hierarchy of keys
• usually with a trusted Key Distribution Center (KDC):
  – each party shares its own master key with the KDC
  – the KDC generates the session keys used for connections between parties
  – master keys are used to distribute these to them
Needham-Schroeder Protocol
• the original third-party key distribution protocol
• for a session between A and B mediated by the KDC
• protocol overview:
1. A→KDC: IDA || IDB || N1
2. KDC→A: E_Ka[Ks || IDB || N1 || E_Kb[Ks || IDA]]
3. A→B: E_Kb[Ks || IDA]
4. B→A: E_Ks[N2]
5. A→B: E_Ks[f(N2)]
Needham-Schroeder Protocol
• used to securely distribute a new session key for communications between A and B
• but is vulnerable to a replay attack if an old session key has been compromised:
  – then message 3 can be resent, convincing B that it is communicating with A
• modifications to address this require:
  – timestamps (Denning 81)
  – using an extra nonce (Neuman 93)
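A simulation of the five Needham-Schroeder messages with the Denning 81 timestamp T carried inside message 2 and the ticket of message 3, so that B refuses a ticket that is no longer fresh. This is an added example, not code from the slides: E_K[...] is modelled by a toy SHA-256/HMAC authenticated encryption, f(N2) = N2 + 1 and the 60-second freshness window are assumed choices, and the master keys are constructed.

```python
import hashlib
import hmac
import json
import os
import time

WINDOW = 60.0   # seconds a ticket stays acceptable (assumed local policy value)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, obj) -> bytes:
    """E_K[...] from the slides as a toy authenticated encryption: SHA-256 counter
    keystream plus an HMAC tag. Illustration only; use a vetted AEAD in real code."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(plain.decode())

class Party:
    def __init__(self, ident: str, master_key: bytes):
        self.id, self.master = ident, master_key

class KDC:
    def __init__(self, master_keys: dict):
        self.master = master_keys       # {ID: master key shared with that party}

    def message2(self, ida: str, idb: str, n1: str) -> bytes:
        """Message 2: E_Ka[Ks || IDB || N1 || T || E_Kb[Ks || IDA || T]].
        T is the timestamp added by Denning 81 (absent from the original protocol)."""
        ks, t = os.urandom(16).hex(), time.time()
        ticket = encrypt(self.master[idb], {"Ks": ks, "IDA": ida, "T": t})
        return encrypt(self.master[ida],
                       {"Ks": ks, "IDB": idb, "N1": n1, "T": t, "ticket": ticket.hex()})

def accept_ticket(b: Party, ticket: bytes, now: float):
    """B's handling of message 3: the ticket must authenticate under Kb and carry
    a fresh T; an old ticket (e.g. one replayed after Ks leaked) is refused."""
    content = decrypt(b.master, ticket)
    if abs(now - content["T"]) > WINDOW:
        raise ValueError("stale ticket: possible replay of message 3")
    return bytes.fromhex(content["Ks"]), content["IDA"]

def run_protocol(kdc: KDC, a: Party, b: Party) -> bool:
    """Messages 1-5 from the slide; True when both sides end up convinced."""
    n1 = os.urandom(8).hex()
    msg2 = kdc.message2(a.id, b.id, n1)                # 1. A -> KDC: IDA || IDB || N1
    c = decrypt(a.master, msg2)                        # 2. KDC -> A
    if c["N1"] != n1 or c["IDB"] != b.id:              # A: reply matches my request?
        return False
    ks_a = bytes.fromhex(c["Ks"])
    ticket = bytes.fromhex(c["ticket"])                # 3. A -> B: E_Kb[Ks || IDA || T]
    ks_b, peer = accept_ticket(b, ticket, time.time())
    if peer != a.id:
        return False
    n2 = int.from_bytes(os.urandom(4), "big")
    msg4 = encrypt(ks_b, {"N2": n2})                   # 4. B -> A: E_Ks[N2]
    f_n2 = decrypt(ks_a, msg4)["N2"] + 1               # f(N2) = N2 + 1 (assumed transform)
    msg5 = encrypt(ks_a, {"fN2": f_n2})                # 5. A -> B: E_Ks[f(N2)]
    return decrypt(ks_b, msg5)["fN2"] == n2 + 1        # B: A proved it knows Ks

def stale_ticket_rejected(kdc: KDC, a: Party, b: Party) -> bool:
    """A ticket issued now but presented to B an hour later fails the freshness check."""
    ticket = bytes.fromhex(decrypt(a.master, kdc.message2(a.id, b.id, "n1"))["ticket"])
    try:
        accept_ticket(b, ticket, time.time() + 3600)
        return False
    except ValueError:
        return True

def setup():
    """Constructed master keys: Ka shared by A and the KDC, Kb shared by B and the KDC."""
    ka, kb = os.urandom(32), os.urandom(32)
    return KDC({"A": ka, "B": kb}), Party("A", ka), Party("B", kb)

if __name__ == "__main__":
    kdc, a, b = setup()
    print("session established:", run_protocol(kdc, a, b))
    print("stale ticket rejected:", stale_ticket_rejected(kdc, a, b))
```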
Using Public-Key Encryption
• there is a range of approaches based on the use of public-key encryption
• need to ensure we have the correct public keys for other parties
• using a central Authentication Server (AS)
• various protocols exist using timestamps or nonces
Denning AS Protocol
• Denning 81 presented the following:
1. A→AS: IDA || IDB
2. AS→A: E_KRas[IDA || KUa || T] || E_KRas[IDB || KUb || T]
3. A→B: E_KRas[IDA || KUa || T] || E_KRas[IDB || KUb || T] || E_KUb[E_KRas[Ks || T]]
• note the session key is chosen by A, hence the AS need not be trusted to protect it
• timestamps prevent replay but require synchronized clocks
One-Way Authentication
• required when sender and receiver are not in communication at the same time (e.g. email)
• have the header in clear so it can be delivered by the email system
• may want the contents of the body protected and the sender authenticated
Using Symmetric Encryption
• can refine the use of the KDC, but can't have a final exchange of nonces, viz:
1. A→KDC: IDA || IDB || N1
2. KDC→A: E_Ka[Ks || IDB || N1 || E_Kb[Ks || IDA]]
3. A→B: E_Kb[Ks || IDA] || E_Ks[M]
• does not protect against replays
  – could rely on a timestamp in the message, though email delays make this problematic
Public-Key Approaches
• have seen some public-key approaches
• if confidentiality is the major concern, can use:
  A→B: E_KUb[Ks] || E_Ks[M]
  – has an encrypted session key and an encrypted message
• if authentication is needed, use a digital signature with a digital certificate:
  A→B: M || E_KRa[H(M)] || E_KRas[T || IDA || KUa]
  – with message, signature, and certificate
Digital Signature Standard (DSS)
• US Govt approved signature scheme, FIPS 186
• uses the SHA hash algorithm
• designed by NIST & NSA in the early 90's
• DSS is the standard, DSA is the algorithm
• a variant on the ElGamal and Schnorr schemes
• creates a 320-bit signature, but with 512-1024 bit security
• security depends on the difficulty of computing discrete logarithms
DSA Key Generation
• have shared global public key values (p, q, g):
  – a large prime p with 2^(L-1) < p < 2^L
    • where L = 512 to 1024 bits and is a multiple of 64
  – choose q, a 160-bit prime factor of p-1
  – choose g = h^((p-1)/q) (mod p)
    • where 1 < h < p-1 and h^((p-1)/q) (mod p) > 1
• users choose a private key and compute the public key:
  – choose x < q
  – compute y = g^x (mod p)
DSA Signature Creation
• to sign a message M the sender:
  – generates a random signature key k, k < q
  – nb. k must be random, be destroyed after use, and never be reused
• then computes the signature pair:
  r = (g^k (mod p)) (mod q)
  s = (k^-1 . (SHA(M) + x.r)) (mod q)
• sends signature (r, s) with message M
DSA Signature Verification
• having received M and signature (r, s)
• to verify the signature, the recipient computes:
  w = s^-1 (mod q)
  u1 = (SHA(M) . w) (mod q)
  u2 = (r . w) (mod q)
  v = (g^u1 . y^u2 (mod p)) (mod q)
• if v = r then the signature is verified
• see the book web site for details of the proof why
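The three DSA slides (parameter and key generation, signature creation, verification) carried through in working code, as an added example that is not part of the original slides. It assumes toy parameter sizes (a 256-bit p and 64-bit q instead of the slide's 512-1024 and 160 bits) so generation is quick in pure Python, and uses SHA-256 truncated to the bit length of q in place of SHA-1; the sample message is constructed.

```python
import hashlib
import random

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (trial division first for speed)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_parameters(L: int = 256, N: int = 64):
    """Global values (p, q, g) from the key-generation slide: q an N-bit prime,
    p an L-bit prime with q | p-1, g = h^((p-1)/q) mod p with g > 1.
    Toy sizes; the slide's L = 512..1024 with a 160-bit q is too slow here."""
    while True:
        q = random.getrandbits(N) | (1 << (N - 1)) | 1            # odd, exactly N bits
        if is_probable_prime(q):
            break
    while True:
        k = (random.getrandbits(L - N) | (1 << (L - N - 1))) & ~1  # even cofactor
        p = k * q + 1
        if p.bit_length() == L and is_probable_prime(p):
            break
    while True:
        h = random.randrange(2, p - 1)
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g

def generate_keypair(p: int, q: int, g: int):
    x = random.randrange(1, q)      # private key x < q
    y = pow(g, x, p)                # public key y = g^x mod p
    return x, y

def hash_to_int(message: bytes, q: int) -> int:
    """SHA(M) as an integer: SHA-256, keeping the leftmost bits up to the bit
    length of q, as FIPS 186 prescribes when the digest is longer than q."""
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return z >> max(0, 256 - q.bit_length())

def sign(params, x: int, message: bytes):
    """r = (g^k mod p) mod q, s = k^-1 (SHA(M) + x r) mod q."""
    p, q, g = params
    z = hash_to_int(message, q)
    while True:
        k = random.randrange(1, q)  # fresh random per signature; never reused
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (z + x * r)) % q
        if r != 0 and s != 0:       # the standard requires both to be non-zero
            return r, s

def verify(params, y: int, message: bytes, signature) -> bool:
    """w = s^-1, u1 = SHA(M) w, u2 = r w, v = (g^u1 y^u2 mod p) mod q; accept iff v = r."""
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (hash_to_int(message, q) * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r

def demo() -> dict:
    params = generate_parameters()
    x, y = generate_keypair(*params)
    msg = b"transfer 100 to Bob"            # constructed sample message
    sig = sign(params, x, msg)
    _, other_y = generate_keypair(*params)
    return {
        "valid": verify(params, y, msg, sig),
        "tampered_rejected": not verify(params, y, b"transfer 900 to Bob", sig),
        "wrong_key_rejected": not verify(params, other_y, msg, sig),
    }

if __name__ == "__main__":
    print(demo())
```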
Summary
• have considered:
  – digital signatures
  – authentication protocols (mutual & one-way)
  – digital signature standard
Message Authentication Codes – the idea
[Figure: Alice and Bob share a key k, chosen randomly from some set K. Alice sends (m, t = Tag_k(m)) with m є {0,1}*; Bob computes Vrfy_k(m, t) є {yes, no}.]
Signature Schemes
[Figure: Alice runs (pk, sk) := Gen(1^n), keeps sk and makes pk available to Bob. Alice sends (m, σ = Sign_sk(m)) with m є {0,1}*; Bob computes Vrfy_pk(m, σ) є {yes, no}.]
Advantages of the signature schemes
Digital signatures are:
1. publicly verifiable
2. transferable
3. provide non-repudiation
Anyone can verify the signatures
[Figure: parties P1 to P5 with public keys pk1 to pk5 held in a public register. 1. P3 computes Sign(sk3, m) and publishes it; 2. any other party reads pk3 from the register; 3. that party computes Vrfy(pk3, m).]
Look at the MACs...
[Figure: Alice and Bob share key k. Alice sends (m, t = Tag_k(m)), m є {0,1}*, to Bob. Bob tells Carol: "Look, I got (m, t) from Alice."]
Carol: Why shall I trust you?
1. You could have created t yourself (because you know k).
2. I don't know k, so how can I verify the tag?
Signatures are publicly verifiable!
[Figure: Alice holds skA, Bob holds pkA. Alice sends (m, σ = Sign_sk(m)), m є {0,1}*, to Bob. Bob tells Carol: "Look, I got (m, σ) from Alice."]
Carol: I can calculate Vrfy(pkA, m, σ) and check.
So, the signatures are transferable
[Figure: Alice computes σ = Sign(skA, m). The pair (m, σ) is passed on from P1 to P2 to P3 to P4; each holds pkA, each says "Alice signed m" and "I believe it!"]
Non-repudiation
[Figure: Alice (skA) sends (m, σ = Sign_sk(m)), m є {0,1}*, to Bob (pkA).]
Bob, to the Judge: "I've got (m, σ) from Alice."
Alice: "It's not true! I never signed m!"
Judge: Vrfy(pk, m, σ) = yes, so you cannot repudiate signing m...
Digital Signature Schemes
A digital signature scheme is a tuple (Gen, Sign, Vrfy) of poly-time algorithms, such that:
• the key-generation algorithm Gen takes as input a security parameter 1^n and outputs a pair (pk, sk),
• the signing algorithm Sign takes as input a key sk and a message m є {0,1}* and outputs a signature σ,
• the verification algorithm Vrfy takes as input a key pk, a message m and a signature σ, and outputs a bit b є {yes, no}.
If Vrfy_pk(m, σ) = yes then we say that σ is a valid signature on the message m.
Correctness
We require that it always holds that:
Vrfy_pk(m, Sign_sk(m)) = yes
What remains is to define security of a MAC.
Other popular signature schemes
Based on discrete log:
• ElGamal signatures
• Digital Signature Standard (DSS)
(also based on other groups – elliptic curves)
Public Key Infrastructure
Overview
1. Simple fundamentals
2. Qualified signatures
3. PKI and trust management
4. Introduction to the key establishment protocols
Public Key Infrastructures
[Figure: the cast: Alice (sender), Bob (receiver), Charlie (Certification Authority), Reggie (Registration Authority) and Eve (hacker).]
Alice and Bob want to be able to communicate securely by sending messages to each other.
They want to be able to use trustworthy digital signature technology to protect the integrity of their messages, and they may also want to use encryption to keep the contents of their messages secret. To achieve all this, they've decided to use a PKI (Public Key Infrastructure) system and digital certificates.
Alice and Bob want to enroll in a PKI system.
Charlie runs a Certification Authority (CA), and will be issuing certificates to Alice and Bob.
To make Charlie's job easier, he relies on his twin brother Reggie, a Registration Authority (RA), who interacts with Alice and Bob on Charlie's behalf.
Alice and Bob want to enroll in a PKI system, and have decided to purchase certificates from Charlie, a Certification Authority.
To do this, they'll first need to contact Reggie, a Registration Authority who has an agreement with Charlie, to prove their identities. (Having Reggie conduct part of the enrolment proceedings makes Charlie's job a little easier.) But before they do that, they'll each have to generate a signing key for themselves.
Let's see the procedure Alice goes through to enroll in the PKI. Bob will have to go through the exact same process.
First Alice asks her computer to generate a private signing key and a public key. Her private key is for her use only, and she must never share it with anyone. Her public key can be available to the world (in fact it will be included in the certificate issued by Charlie), and anyone can use it to verify her digital signature on a message.
Next, she goes to visit Reggie, a Registration Authority, at his office. It is Reggie's duty to verify Alice's identity, so that he can say to Charlie that he has made sure that Alice is Alice. Since Charlie will be issuing a certificate to her, and the certificate conveys a high level of assurance that Alice is who she says she is, and people will be trusting that, Charlie needs Reggie to be very careful about this.
Alice shows Reggie proof of government-issued photo identification.
[Figure: Alice presents her identity card to the RA.]
Since Reggie trusts the government that issued these identification cards, he is extremely certain that Alice is who she says she is: he has authenticated Alice's identity. Next, he must transfer this knowledge to Charlie.
Reggie has a secure encrypted computer link to his twin brother Charlie, the CA, so it is easy for him to notify Charlie of Alice's enrolment, and to let him know that he has authenticated her identity.
He makes up a reference number for Alice's account, gives it to her, and also uses this number to enroll her with Charlie over the encrypted link. In return, over the same encrypted link, Charlie sends Reggie an authorization code that Alice will use later.
[Figure: the RA sends Alice's enrolment information to the CA; the CA returns an authorization code for Alice.]
Instead of giving Alice the authorization code, he sends it to her office voicemail box. This is an extra check to make sure that Alice has supplied appropriate contact information.
Alice can now return to her office. She uses her computer to create a certificate-request form. This form includes the following:
• her enrolment information, as given to Reggie earlier (name, address, etc.)
• the authorization code that Charlie made, which Reggie left in her voicemail
• her public key
Then, she digitally signs her certificate-request form, using her private key. This is very important, because she needs to prove that she possesses the private key that corresponds to the certificate that Charlie will be issuing her. If she can't prove she has the private key, Charlie won't issue the certificate.
Alice logs into Charlie's web site using her reference number and submits her certificate-request form.
After receiving Alice's certificate request, he has to do some checking to make sure it's OK.
First, he checks to make sure the reference number and authorization code match what they are supposed to. The authorization code inside Alice's certificate request must be the same as what Charlie has on file.
Charlie can check her signature using her public key.
Since Reggie had verified Alice's identity when the authorization code was given to her, Charlie knows that the certificate request came from Alice, and not somebody else pretending to be Alice.
Next, he takes the public key from the certificate request, and uses it to verify the digital signature on the request. If the signature is correct, then he knows Alice does possess her private key.
Having authenticated her identity, and verified that she has the right private key, Charlie issues the certificate in Alice's name and sends it back to her.
[Figure: Certification approved. Subject: Alice, Name: Alice, Issuer: Charlie, Issued: 21-08-2008]
Charlie also publishes the certificate in his public repository, so that anybody receiving a message from Alice can check her certificate.
After Bob has his certificate too, Alice and Bob can use digital signatures to ensure the integrity and sender's identity of their messages.
If Alice and Bob want to use encryption to keep the contents of their messages secret, then they will also need a separate set of encryption keys and certificates for that purpose.
They can obtain these certificates at the same time as they obtain their signing certificates.
Overview
1. Simple fundamentals
2. Qualified signatures
3. PKI and trust management
4. Introduction to the key establishment protocols
Question: How to maintain the public register?
1. We start with the case when the public keys are used for signing that is legally binding.
2. Then we consider other cases.
A problem
[Figure: Alice (skA) sends (m, σ = Sign_sk(m)), m є {0,1}*, to Bob (pkA).]
Bob, to the Judge: "I got (m, σ) from Alice."
Alice: "It's not true! I never signed m!"
Judge: Vrfy(pk, m, σ) = yes, so you cannot repudiate signing m...
Alice: "But pk is not my public key!"
Solution: certification authorities
A simplified view:
Alice comes to the Certification Authority with her ID and pkAlice.
The Certification Authority holds a key pair (pkCert, skCert), checks the ID of Alice and issues a certificate:
  Sign_skCert("pkAlice is a public key of Alice")
Now, everyone can verify that pkAlice is a public key of Alice. So Alice can attach it to every signature.
Really everyone?
What is needed to verify the certificate
To verify the certificate coming from Cert one needs:
1. to know the public key of Cert
2. to trust Cert.
It is better if Cert also keeps a document: "I, Alice, certify that pkAlice is my public key" with a written signature of Alice.
How does it look from the legal point of view?
What matters at the end is if you can convince the judge.
Many countries now have a special law regulating these things.
In Malaysia it is: MCMC
Malaysian Certificate Authorities: Digicert
So, what to do if you want to issue qualified signatures?
You have to go to one of these companies and get a qualified certificate (it costs!).
The certificate is valid just for some given period.
What if the secret key is lost?
1. In this case you have to revoke the certificate. Every authority maintains a list of revoked certificates.
2. The certificates come with some insurance.
Plan
1. Qualified signatures
2. PKI and trust management
3. Introduction to the key establishment protocols
In many cases one doesn't want to use the qualified signatures
1. The certificates cost.
2. It's risky to use them: how do you know what your computer is really signing? Computers have viruses, Trojan horses, etc.
You can use external (trusted) hardware, but it should have a display (so you can see what is signed).
Remember: qualified signatures are equivalent to the written ones!
Practical solution
In many cases the qualified signatures are an overkill.
Instead, people use non-qualified signatures.
The certificates are distributed using a public-key infrastructure (PKI).
Users can certify keys of the other users
[Figure 1: P1 knows pk2 and "trusts" P2; P2 knows pk3. P2 certifies that pk3 is a public key of P3 (signature of P2). So P1 believes that pk3 is a public key of P3.]
This should be done only if P2 really met P3 in person and verified his identity.
[Figure 2: P3 knows pk4 and certifies that pk4 is a public key of P4 (signature of P3); P1, believing that pk3 is a public key of P3, "trusts" P3.]
[Figure 3: P4 knows pk5 and certifies that pk5 is a public key of P5 (signature of P4); P1 "trusts" P4. This is called a certificate chain.]
A problem
What if P1 does not know P3? How can he trust him?
Answer: P2 can recommend P3 to P1.
[Figure: P1 knows pk2 and "trusts" P2; P2 knows pk3; P3 knows pk4; P1 "trusts" P3 on P2's recommendation.]
A question: is trust transitive?
Does: P1 “trusts” P2 and P2 “trusts” P3
imply: P1 “trusts” P3?
93
Example
P1 trusts that P2 is a very honest person.
P2 trusts that P3 is a very honest person and tells P1: “I can recommend P3”.
Still, P1 doesn’t trust that P3 is honest, because he thinks that P2 is honest but naive.
94
Moral
Trust is not transitive:
“P1 trusts in the certificates issued by P2”
is not the same as saying:
“P1 trusts that if P2 says you can trust the certificates issued by P3, then one can trust the certificates issued by P3”
95
Recommendation levels
level 1 recommendation:
A: “you can trust in all the certificates issued by B”
level 2 recommendation:
A: “you can trust all the level 1 recommendations issued by B”
level 3 recommendation:
A: “you can trust all the level 2 recommendations issued by B”
and so on...
Recursively, a level i+1 recommendation is:
A: “you can trust all the level i recommendations issued by B”
96
Now, if:
P1 trusts in all the recommendations issued by P2,
P2 issues a recommendation of level 2 for P3,
P3 issues a recommendation of level 1 for P4,
then P1 trusts the certificates issued by P4.
Of course the recommendations also need to be signed. Starts to look complicated...
97
How is it solved in practice?
In the popular standard X.509 the recommendation is included in the certificate.
Here the level of recommendations is bounded using a field called basic constraints.
X.509 is used for example in SSL.
SSL is implemented in every popular web browser.
So, let’s look at it.
98
99
100
101
102
(annotation on the certificate screenshot) this field limits the recommendation depth (here it’s unlimited)
103
Concrete example
Let’s go to the Banca Di Roma website
104
a certificate chain
105
the second certificate was signed by “Verisign Primary Authority” for “Verisign Inc”.
(it’s not strange, we will discuss it)
106
Look here
107
The third certificate was issued by Verisign Inc. for Banca di Roma
108
The typical picture
The web browser knows these certificates: Verisign, DigiCert, Entrust, ...
A certificate path: Verisign → Verisign Europe → Verisign Italy → Banca di Roma (other branches, such as Verisign USA, hang below Verisign as well).
Implicit assumptions:
• the author of the browser is honest,
• the author of the browser is competent,
• nobody manipulated the browser.
Is it always true?
109
(diagram) CA1 → CA2 → CA3 → ... → CAn → client, with certificates cert1, cert2, cert3, ..., cert(n-1), certn and depth values d1, d2, d3, ..., dn.
Moreover: each cert_i has a number d_i denoting a maximal depth of the certificate chain from this point (this limits the recommendation depth).
That is, we need to have: d_i ≥ n − i.
All these certificates have to have a flag “Is a Certification Authority” switched on.
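As an added example (not from the slides), the bounded-depth idea of the recommendation levels (slides 95 and 96) and of this slide's d_i check, done with Go's standard library: a constructed root → intermediate → leaf chain is built in memory and crypto/x509 enforces the CA flag on every issuer and the pathLenConstraint on every CA. One caveat a verifier implementer needs: X.509's pathLenConstraint counts only the CA certificates allowed below the constrained CA, not the end-entity certificate, so a root with pathLen 0 may issue a leaf directly but not through an intermediate. All names, serials and keys are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for name with parentKey (self-signed when parent is nil); pathLen is the X.509 pathLenConstraint, the slide's d_i: -1 = unlimited, 0 = no CA may sit below this one.
func issue(name string, isCA bool, pathLen int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial, demo only
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // the "basic constraints" field and its "Is a CA" flag
		MaxPathLen: pathLen, MaxPathLenZero: isCA && pathLen == 0, // bounds the recommendation depth
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainValid asks Go's verifier whether leaf chains to root through inters; it rejects an issuer without the CA flag and a chain deeper than any CA's pathLen allows.
func ChainValid(root *x509.Certificate, inters []*x509.Certificate, leaf *x509.Certificate) bool {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters { pool.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool})
	return err == nil
}

// BuildAndVerify builds the slide's CA1 -> CA2 -> client chain with the root's pathLen set to rootPathLen and the intermediate's CA flag set to interIsCA, then validates it.
func BuildAndVerify(rootPathLen int, interIsCA bool) bool {
	root, rootKey := issue("Root CA", true, rootPathLen, nil, nil)
	inter, interKey := issue("Intermediate CA", interIsCA, -1, root, rootKey)
	leaf, _ := issue("bank.example", false, -1, inter, interKey)
	return ChainValid(root, []*x509.Certificate{inter}, leaf)
}
```

BuildAndVerify(1, true) succeeds, while BuildAndVerify(0, true) fails with too many intermediates and BuildAndVerify(-1, false) fails because the intermediate is not authorized to sign.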
110
Is it so important to check it?
Yes!
For example: the last element in the chain can be anybody (who paid Verisign for a certificate).
For sure we do not want to trust the certificates issued by anyone.
111
So, what happens when a user contacts the bank?
(diagram) Bank → Alice: sends (cert1, ..., certn)
If Alice’s browser knows cert1 it can verify the chain and read the public key of the bank from certn.
112
What happens if the certification path is invalid?
For example if the first certificate in the path is not known to the user.
Experiment: let’s delete the Verisign certificate from the configuration of the browser...
113
114
What happens?
115
Another popular PKI
Pretty Good Privacy (PGP) – every user can act as a certification authority.
Hence the name: Web of Trust
116
Introduction to the key establishment protocols
117
Suppose Alice and Bob want to authenticate to each other... (diagram: Alice and Bob connected over the internet)
Observation: authentication itself is not very useful. More useful: key establishment.
118
Protocols for key establishment
Suppose Alice and Bob want to establish a fresh session key in an authentic way.
When is it possible?
• Using symmetric cryptography: Alice and Bob can use some trusted server S.
• Using asymmetric cryptography: e.g. using PKI.
119
Symmetric cryptography
The server can help Alice and Bob to establish a session key (in reality it’s not so trivial to design a secure protocol).
(diagram) Alice and server S share a private key K_AS; Bob and S share a private key K_BS.
120
The public-key cryptography
(diagram) Alice → Bob: sends (cert1, ..., certn); Bob → Alice: sends (cert’1, ..., cert’n).
If they accepted the certificate paths they can establish a session key:
1. Alice selects a random key K.
2. Alice encrypts K with Bob’s public key, signs it with her private key, and sends it to Bob.
3. Bob verifies the signature and decrypts K.
Again: in reality it’s not that simple...
121
What if one of the parties doesn’t have a certificate?
Typical situation in real life...
E.g. a bank can verify authenticity of Alice by asking her for a secret password.
This password is provided to her (in a physical way) when she opened an account.
How to prevent dictionary attacks?
Not so trivial...
122
Designing the key establishment protocols
It is an active area of research.
It’s more complicated than one may think...
On the next slides we show some common errors.
123
An idea (1)
(diagram) key shared by Alice and the server: K_AS; key shared by Bob and the server: K_BS.
1. Alice → S: (“A,B”)
2. S selects a random K_AB and sends to Alice: Enc_KAS(K_AB), Enc_KBS(K_AB)
3. Alice → Bob: (Enc_KBS(K_AB), ”A”)
124
An attack
(diagram) key shared by Alice and the server: K_AS; key shared by Bob and the server: K_BS.
1. Alice → S: (A,B)
2. S selects a random K_AB and sends to Alice: Enc_KAS(K_AB), Enc_KBS(K_AB)
3. Alice → Bob: (Enc_KBS(K_AB), ”A”)
Eve intercepts the third message and replaces it with (Enc_KBS(K_AB), ”D”); Bob now thinks: “I’m talking to D”.
125
An idea (2)
(diagram) key shared by Alice and the server: K_AS; key shared by Bob and the server: K_BS.
1. Alice → S: (A,B)
2. S selects a random K_AB and sends to Alice: Enc_KAS(K_AB, ”B”), Enc_KBS(K_AB, ”A”)
3. Alice → Bob: Enc_KBS(K_AB, ”A”)
126
A replay attack
(diagram) Alice → (Eve, playing the server): (A,B); Eve → Alice: Enc_KAS(K’AB, ”B”), Enc_KBS(K’AB, ”A”); Alice → Bob: Enc_KBS(K’AB, ”A”).
The adversary stores the values that the server sent in the previous session and replays them.
So, the key is not fresh...
127
How to protect against the replay attacks?
Nonce: “number used once”.
A nonce is a random number generated by one party and returned to that party to show that a message is newly generated.
128
An idea (3): Needham-Schroeder 1972.
(diagram) key shared by Alice and the server: K_AS; key shared by Bob and the server: K_BS.
1. Alice → S: (“A,B”, N_A)
2. S selects a random K_AB and sends to Alice: Enc_KAS(K_AB, “B”, N_A, Enc_KBS(K_AB, ”A”))
3. Alice → Bob: Enc_KBS(K_AB, ”A”)
4. Bob → Alice: Enc_KAB(N_B)
5. Alice → Bob: Enc_KAB(N_B − 1)
129
An attack on Needham Schroeder
Assume that an old session key K’AB is known to the adversary.
(diagram) Eve → Bob: Enc_KBS(K’AB, ”A”) (replayed); Bob → Eve: Enc_K’AB(N_B); Eve → Bob: Enc_K’AB(N_B − 1).
130
The final solution
(diagram) key shared by Alice and the server: K_AS; key shared by Bob and the server: K_BS.
1. Bob → Alice: (“B”, N_B)
2. Alice → S: (“A,B”, N_A, N_B)
3. S selects a random K_AB and sends to Alice: Enc_KAS(K_AB, “B”, N_A), Enc_KBS(K_AB, “A”, N_B)
4. Alice → Bob: Enc_KBS(K_AB, “A”, N_B)
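An added example (not the lecture's code) of the final protocol above in Go, with AES-GCM standing in for Enc_K: the server binds the session key to both the peer's name and the receiver's nonce, and the receiver's accept check is what makes the replayed ticket of slide 126 and the re-addressed ticket of slide 124 fail. The keys, the nonces and the byte layout of the ticket are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Long-term keys K_AS and K_BS, constructed for the demo (in practice provisioned out of band).
var kAS, kBS = randomBytes(16), randomBytes(16)

func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// Enc_K of the slides, realised as AES-GCM with a 12-byte IV prefix (authenticated, so tampering is detected too).
func aead(key []byte) cipher.AEAD { c, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(c); return g }
func seal(key, pt []byte) []byte {
	g, iv := aead(key), randomBytes(12)
	return append(iv, g.Seal(nil, iv, pt, nil)...)
}
func open(key, ct []byte) ([]byte, bool) {
	if len(ct) < 12 {
		return nil, false
	}
	pt, err := aead(key).Open(nil, ct[:12], ct[12:], nil)
	return pt, err == nil
}

// ticket packs (K_AB, nonce, peer name) as 16-byte key || 16-byte nonce || name (constructed layout).
func ticket(kAB, nonce []byte, peer string) []byte {
	return append(append(append([]byte{}, kAB...), nonce...), peer...)
}

// server is S: from ("A,B", N_A, N_B) it returns Enc_KAS(K_AB,"B",N_A), Enc_KBS(K_AB,"A",N_B).
func server(nA, nB []byte) (forAlice, forBob []byte) {
	kAB := randomBytes(16) // fresh session key, chosen by S
	return seal(kAS, ticket(kAB, nA, "B")), seal(kBS, ticket(kAB, nB, "A"))
}

// accept is the receiver's check: decrypt, then require the peer name and the nonce to be exactly
// the ones this party expects. A replayed (old nonce) or re-addressed (wrong name) ticket fails here.
func accept(key, ct []byte, wantPeer string, wantNonce []byte) ([]byte, bool) {
	pt, ok := open(key, ct)
	if !ok || len(pt) < 32 || string(pt[32:]) != wantPeer || !bytes.Equal(pt[16:32], wantNonce) {
		return nil, false
	}
	return pt[:16], true
}

// RunSession plays one honest run, then lets Eve replay the old Bob-ticket into a new run.
func RunSession() (agreed bool, replayRejected bool) {
	nB := randomBytes(16)                     // 1. Bob -> Alice: ("B", N_B)
	nA := randomBytes(16)                     // 2. Alice -> S: ("A,B", N_A, N_B)
	forAlice, forBob := server(nA, nB)        // 3. S -> Alice: both tickets
	kA, okA := accept(kAS, forAlice, "B", nA) // Alice checks her ticket against N_A
	kB, okB := accept(kBS, forBob, "A", nB)   // 4. Alice -> Bob: Enc_KBS(K_AB,"A",N_B); Bob checks N_B
	agreed = okA && okB && bytes.Equal(kA, kB)
	_, okReplay := accept(kBS, forBob, "A", randomBytes(16)) // new run, new N_B, old ticket replayed
	return agreed, !okReplay
}
```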
131
Other desirable features
1. Forward security: if an adversary breaks into the machine at some time t, the previous session keys remain secret.
2. Deniability: a user can always deny that he sent some message.
3. Resistance to denial-of-service attacks (don’t put too much work on the server!).
132
Another (real-life) problem
Alice and Bob may use different versions of the protocol.
Therefore at the beginning of the protocol they have to agree on the ciphers that they will use.
How to agree in a secure way?
(diagram, with Eve in the middle) Alice: “I prefer to use AES, but I can also use DES”; Eve forwards to Bob: “I can only use DES”. Bob: “I prefer to use AES, but I can also use DES”; Eve forwards to Alice: “I can only use DES”.
They’ll end up using DES!
133
Protocols used in practice
• Symmetric: Kerberos
• Asymmetric: SSL, SSH, IPSec...
134
How Do You Want to Protect Your Network System
Thank You. See You Next Week.
Have A Nice Weekend