Presentation on theme: "Public Key Infrastructure Alex Bardas. What is Cryptography ? Cryptography is a mathematical method of protecting information –Cryptography is part of,"— Presentation transcript:
Public Key Infrastructure Alex Bardas
What is Cryptography ? Cryptography is a mathematical method of protecting information –Cryptography is part of, but not equal to, security In modern computing, crypto is used to remediate deficiencies in the cyber space
Cryptographic Hash If the message content is changed, the hash will be different (provides integrity guarantee) Knowing the hash does not reveal the input message Hashing is NOT encryption! Examples: SHA-1 Text Message (variable length) Cryptographic Hash Function “Unique” Fixed-length String (Hash or Digest)
Image source: Cryptographic Hash Example
Encryption vs. Hashing Image source:
Symmetric Encryption (Secret-key Encryption) Encryption and decryption use the same key Examples: AES Clear Text MessageEncryption Algorithm Encrypted Message Shared Key Encrypted MessageDecryption Algorithm Clear Text Message Shared Key 1. 2.
Asymmetric Encryption (Public-key Encryption) Every party has a pair of keys: Encryption and decryption use different keys It is hard to infer private key from the public key Examples: RSA, El-Gamal Public Key: announced to everyone Private Key: known to the owner only
Asymmetric Encryption (Public-key Encryption) Clear Text MessageEncryption Algorithm Encrypted Message Public Key Encrypted MessageDecryption Algorithm Clear Text Message Private Key 1. 2.
Digital Signature Based on asymmetric crypto - Examples: RSA, DSA, El-Gamal Properties of a Digital Signature: 1.Verification of the validity of a digital signature needs only the public key 2.Only the owner of the corresponding private key can produce a valid signature There is also MAC (Message Authentication Code) – signing using a shared key (based on symmetric cryptography)
Digital Signature MessageSigning Algorithm Signed Message Private Key Signed MessageVerification Algorithm Signature is valid Public Key 1. 2.
A digitally signed Message Image source:
Public Crypto Challenge Alice has Bob’s Public Key Bob has Alice’s Public Key I am out of luck today -What if Alice and Bob cannot meet and exchange public keys ? -What if Alice and Bob don’t know each other ? -How to do they know that the public key that they are using belongs to the other legitimate party and not to a malicious third party ?
Man-In-The-Middle Alice thinks she has Bob’s Public Key Bob thinks he has Alice’s Public Key 1.Eve has Bob’s and Alice legitimate public keys 2.“Somehow” Alice and Bob have Eve’s public keys 3.It’s Eve’s lucky day
How to Distribute Public Keys ? Ad-Hoc public key distribution (distribute at will) – Alice and Bob exchange public keys in a reliable way Public directory (similar to the telephone directory) – Use a read-only directory (hard to modify/forge in a large scale) Published on paper
Public Key Distribution We want to distribute public keys in electronic form, NOT on paper How to verify the authenticity of the digital directory? Use digital signature
Certification Authority (CA) Alice and Bob don’t know each other but they both trust Cindy (Certification Authority) Alice and Bob have Cindy’s public key Cindy certifies Alice and Bob’s public keys => Digital Certificates
Digital Certificates Cindy’s (CA) Digital Signature What does the certificate tell us? This public key belongs to Alice. Alice is not a CA (Certification Authority)
Public Key Infrastructure What if Alice and Bob do not have a common friend? – Cindy cannot be everywhere, Bob knows her but Alice doesn’t We have to find a trustworthy person that knows Cindy and Alice – Carl knows Cindy but doesn’t know Alice directly – Carl knows John and John knows Alice Certification chain
Multiple Certification Authorities (CAs) R R L 11 L 12 L 21 L 22 L 23 L 24 L 31 L 32 L 33 L 34 L 35 L 36 L 37 L 38 CA hierarchy Alice Bob John Carl Cindy
How are we getting the CA keys? Web Browsers are coming with an important number of root CA keys Other CA’s or single digital certificates can be added by the user (can be risky)
Valid Certificate (signed by VeriSign)
Valid Certificate Example
Certificates Warnings in Different Web Browsers
Sources of Information CIS751 Basic Crypto & PKI slide sets by Xinming (Simon) Ou – Kansas State University