4Symmetric Key Cryptosystem Consider a key length = 4 Key = BAND Poly alphabetic CipherConsider a key length = 4Key = BANDA B C D E F G H I J K L M N O P Q R S T U V W X Y ZPlain Text M= E BUS INES SB AND BAND BCipher Text E(M)= G CIW KOSW U
5M C Symmetric-key Cryptosystems Es Ds Sender Receiver Secret Key OverviewSymmetric-key CryptosystemsEncryptionEsDecryptionDsSenderReceiverMCSecretKeySecure ChannelIntruder
6M C Symmetric-key Cryptosystems Es Ds Sender Receiver Secret Key OverviewSymmetric-key CryptosystemsEncryptionEsDecryptionDsSenderReceiverMCSecretKeySecure ChannelIntruder
7M C Asymmetric-key Cryptosystems EK DK Sender Receiver Public Key OverviewAsymmetric-key CryptosystemsEncryptionEKDecryptionDKSenderReceiverMCPublicKeyPrivateIntruder
8Overview of Digital Signature Signer’s Private KeyEncryptedDigestDigestSignedDocumentHashAlgorithmRemember, a digital signature involves services provided by Certificate Authority (CA)
9Verifying the Digital Signature for Authentication and Integrity Digest?Hash AlgorithmDigestSigner’sPublic KeyAnd so does the process of verifying the validity of a digital signature
12Digital Certificate X509 Standard Each certificate contains the public-key of a user and is signedwith the private-key of a trustedcertificate authority
13Certificate Authority In an uncontrolled system, anyone could publish a new public-key and assume a new identity.Any Participant can send his public-key to any other one broadcast the key
14Certificate Authority This would be like allowing anyone to issue his or her own passport or driving licensesThis is clearly unacceptable for any application that, like electronic commerce, requires authentication and non-repudiation.In order to assure a proper information exchange mechanism, an important entity should be involved in the process which is the Certificate Authority (CA).
15Certificate Authority Cont. Distribution of Public KeysPublic key Certificate
16Certificate Authority Requirements of setting up the CACompatibility with existing Internet based Certificate AuthoritiesIt should be possible to use the certificates in applications such as Netscape navigators, secure , and custom built business-to-business e-commerce applications.Certificates must be consistent with accepted standards; such the widely recognized X.509 certificate formats.
17Certificate Authority Effective Distribution mechanismsDirectory server support:-includes client certificates, and certificate validity status.Certificates accompanying signatures:-The certificate, being signed by the ECA, enables the receiving party to check the validity of both the certificate, and the accompanying signature.Support for certificate revocation:-
18Certificate Authority Revocation of CertificatesThe user’s private key is compromisedThe user is no longer certified by this CAThe CA’s certificate is compromised
19CA never sees the private key Certificate management cycleRequest certificatefor key linked with LIR IDProgramCertificateAuthorityCertificateRevocation requestCertificate is includedin the Certificate Revocation List (CRL)Request a certificateSend browser formSend public keyCertificateUserCA never sees the private keyCertificateSome time later the user wants to revoke the certificate…
20PKI Component Certificate Authority (CA). Issues Digital CertificatesAuthorization Authority (AA).Response for Digital Certificate (DC) requestRegistration Authority (RA).Contains a database for DC and Certificate Revocation ListCRL.Directory Services.Handles DC exchange.Applications.
21PKI Implementation Issuing the Certificate Practice Statement (CPS). A statement of Practices that CA employs in issuing DC.Building the PKI as according CPS.Training for users and administration Staff.Connections to secured systems that could circumvented the PKI must be ended.Integration with the different applications.
22Using Biometrics and Smart Token in Electronic signature
23How a citizen can apply for a Smart Token Step 1The citizen (Applicant A) provides his National Security Number Card (NSN) to one of the Service Provider (SP).Step 2SP sends the NSN information to the CA.Step 3CA checks for Applicant already has a DC or revoked with RA.Step 4If A is applying first time, CA asks for authorization from AA.Step 5AA responses for CA.Step 6CA asks A to generate his keys pair.Step 7The Two pairs are generated inside the applicant smart Token.Step 8The public Key is sent to the CA.Step 9The CA generates and sends the DC back to the applicant Token.Step 10The token is trained for the applicant finger print.
24Sender side Pre Session Stage CA Sender (S) Receiver (R) 2 check validitySender (S)Receiver (R)1 S wants to communicate with R3 SDC3 RDC
25Sender side Sender PC Sender Token Sender Data 1- Selecting the message M to be sent from the sender PC(SPC).2- According to the Hashing Algorithm (HA) stored in theSPC , M will be hashed and the message digest (MD)will be generated.3- The message digest MD is transferred from the SPC tothe sender Smart Token (SST).6- Using a random number generator (RNG), a sessionkey (SK) will be generated inside the SPC.7- Encrypting M+SDS+SDC using symmetric keyencryption algorithm SKEA and Sk as encryption keyand call it the encrypted signed message (ESM).8- Extracting the receiver public key (RPUK) from theRDC available in the SCL.9- Encrypt the SK with RPUK using PKUK to create DigitalEnvelop (DE) send ESM+DE.Sender TokenMD4- Using public key cryptographicalgorithm (PKCA) ,the MD isencrypted with the senderprivate key (SPRK) to get thesender digital signature (SDS).5- The SDS+ a copy from thesender digital certificate (SDC)are sent back to the SPC.Sender DataSDSSDCESM + DE
26Sender side Third Process Sender PC Receiver PC ESM + DE Encrypted Signed message (ESM)Encrypted session keyBy receiver public key (DE)Sender PCESM +Receiver PC
27Receiver side Receiver PC Receiver Token 2- Using PKEA the DE 1-DE is sent to the receiver smarttoken (RST).4- By the SK the message will be Decryptedusing the same SKEA Now we have :M+ SDS + SDC.5- The SDC received from CA is comparedwith SDC received from the sender toassure its validity. If its valid the procedurecontinue , aborted otherwise.6- Decrypt the SDS by the sender public keySPUK contained in the SDC to get MD. Callit MD1.8- Using M generate a message digest MDusing the same HA. Call it MD2.7- Compare the two digests MD1 and MD2. IfMD1 and MD2 are identical then messageaccepted otherwise the message isrejected.Receiver Token2- Using PKEA the DEis Decrypted by theRPRK to get thesession key SK.3- Send SK back to theRE PCDEReceived DataSKESM + DE
29Token Block Diagram Smart Token Block Biometric Device InterfaceBusUSB including power supply
30SMART TOKEN BLOCK RAM ROM RSA En /Dec Algorithm USB BUS BUS USB interfaceBUSBiometric InterfaceROMPrivate KeyCertificate contain Public KeyFinger print of the ownerRAMProcessing and result storageRSA En /Dec Algorithm& Key GenerationBiometric DeviceInterface BusPower supply from USBControl unitFeature extraction & recognitionImageprocessingUSBBUS
41Step (7) Smoothing procedure • The presence of undesired spikes and breaks present in a thinned ridge map may lead to many spurious minutiae being detected.• Therefore, before the minutiae detection, a smoothing procedure is applied to remove spikes and to join broken ridges.
45Minutiae MatchingAlignment of the input ridge and the template ridge
46Applying the matching algorithm to an input minutiae set and a template (a) input minutiae set(b) template minutiae set
47Applying the matching algorithm to an input minutiae set and a template (Cont.) (d) matching result where template minutiae and their correspondences are connected by green lines.(c) alignment result based on the minutiae marked with green circles
48PKI Assessments CPS CA AA RA CRL policies. Certificate Usage with applications.Auditing.Cryptographic devices and dataCryptographic AlgorithmsCritical Information Flow.Sensitive Software Applications.Key Managements.Network Devices Hosts, Routers, firewalls, switches).
49Examples for PKI applications .E-Gov services (Pension, ..).E-Election (voting).Group decision making.Multi signature.Notarizing.E-payment.Medical care.Note: It is up to the application to deploy the smart token.