# Lecture 5 Key Management and Public- Key Cryptography Stefan Dziembowski www.dziembowski.net MIM UW 9.11.12 ver 1.1.

## Presentation on theme: "Lecture 5 Key Management and Public- Key Cryptography Stefan Dziembowski www.dziembowski.net MIM UW 9.11.12 ver 1.1."— Presentation transcript:

Lecture 5 Key Management and Public- Key Cryptography Stefan Dziembowski www.dziembowski.net MIM UW 9.11.12 ver 1.1

Plan 1.The problem of key distribution 2.The idea of Merkle, Diffie and Hellman 3.The solution of Rivest, Shamir and Adleman 4.Public-Key Infrastructures 5.Identity-based encryption

How to distribute the cryptographic keys? If the users can meet in person beforehand – it’s simple. But what to do if they cannot meet? (a typical example: on-line shopping)

A naive solution: P5P5 P1P1 P3P3 P2P2 P4P4 K 13 K 12 K 14 K 15 give to every user P i a separate key K ij to communicate with every P j

P5P5 P1P1 P3P3 P2P2 P4P4 In general: a quadratic number of keys is needed

Key Distribution Centers Some server (a Key Distribution Center, KDC) “gives the keys” to the users – feasible if the users are e.g. working in one company – infeasible on the internet – relies on the honesty of KDC – KDC needs to be permanently available –...

How to establish a key with a trusted server? Not so trivial as it may seem! AB key shared by Alice and the server: K AS key shared by Bob and the server: K BS server S want to establish a fresh session key

Notation {M} K – a message M encrypted and authenticated with K Formally: K=(K 0,K 1 ) {M} K = Tag K 0 (Enc K 1 (M)),Enc K 1 (M))

An idea (1) A B server S key shared by Alice and the server: K AS key shared by Bob and the server: K BS (A,B) {K AB } K AS {K AB } K BS {K AB } K BS, A selects a random K AB

An attack AB server S key shared by Alice and the server: K AS key shared by Bob and the server: K BS (A,B) {K AB } K AS {K AB } K BS {K AB } K BS, A selects a random K AB {K AB } K BS, D I’m talking to D

An idea (2) A B server S key shared by Alice and the server: K AS key shared by Bob and the server: K BS (A,B) {K AB, B} K AS {K AB, A} K BS selects a random K AB

A replay attack AB (A,B) {K AB, B} K AS {K AB, A} K BS the adversary stores the values that the server sent in the previous session and replays them. So, the key is not fresh...

How to protect against the replay attacks? Nonce – “number used once”. Nonce is a random number generated by one party and returned to that party to show that a message is newly generated.

An idea (3): Needham Schreoder 1972. AB server S key shared by Alice and the server: K AS key shared by Bob and the server: K BS A,B,N A {K AB, B, N A, {K AB, A} K BS } K AS {K AB, A} K BS selects a random K AB {N B - 1} K AB {N B } K AB

An attack on Needham Schroeder Bob {X AB, A} K BS {N B - 1} X AB {N B } X AB Assume that an old session key X AB is known to the adversary. If e.g. X AB is used as one-time pad this may happen...

The final solution AB server S key shared by Alice and the server: K AS key shared by Bob and the server: K BS (A,B,N A,N B ) {K AB, B, N A } K AS {K AB, A, N B } K BS selects a random K AB {K AB, A, N B } K BS (B,N B )

Plan 1.The problem of key distribution 2.The idea of Merkle, Diffie and Hellman 3.The solution of Rivest, Shamir and Adleman 4.Public-Key Infrastructure 5.Identity-based encryption

The solution without KDC Public-Key Cryptography Whitfield Diffie and Martin Hellman (1976)Ralph Merkle (1974)

A little bit of history Diffie and Hellman were the first to publish a paper containing the idea of the public-key cryptography: W.Diffie and M.E.Hellman, New directions in cryptography IEEE Trans. Inform. Theory, IT-22, 6, 1976, pp.644-654. A similar idea was described by Ralph Merkle: – in 1974 he described it in a project proposal for a Computer Security course at UC Berkeley (it was rejected) – in 1975 he submitted it to the CACM journal (it was rejected) (see http://www.merkle.com/1974/ )http://www.merkle.com/1974/ It 1997 the GCHQ (the British equivalent of the NSA) revealed that they new it already in 1973.

The idea Alice Bob k k m m c := Enc(k,m) Dec(k,c) c := Enc(pk,m) Dec(sk,c) pk sk Instead of using one key k, use 2 keys (pk,sk), where pk is used for encryption, sk is used for decryption. pk can be public, and only sk has to be kept secret! That’s why it’s called: public-key cryptography pk can be public, and only sk has to be kept secret! That’s why it’s called: public-key cryptography

The same thing works for authentication sk is used for computing a tag, pk is used for verifying correctness of the tag. Alice Bob k k m m (m,t := Tag(k,m)) Vrfy(k,m,t) (m,t := Sign(sk,m)) Vrfy(pk,m,t) pksk this will be called “signatures” Sign – the signing algorithm this will be called “signatures” Sign – the signing algorithm

Anyone can send encrypted messages to anyone else P5P5 P1P1 P3P3 P2P2 P4P4 pk 1 pk 2 pk 3 pk 4 pk 5 2. reads pk 3 1. P 1 wants to send m to P 3 3. sends Enc(pk 3,m) public register: sk 3 4. P 3 computes Dec(sk 3,m)

Anyone can verify the signatures P5P5 P1P1 P2P2 P4P4 pk 1 pk 2 pk 3 pk 4 pk 5 1. Sign(sk 3,m) public register: Sign(sk 3,m) 2. reads pk 3 sk 3 3. computes Vrfy(pk 3,m) P3P3

Advantages of the signature schemes Digital signatures are: 1.publicly verifiable 2.transferable 3.provide non-repudiation (we explain it on the next slides)

Look at the MACs... Alice Bob (m, t=Tag k (m)) k k m є {0,1}* Carol Look, I got (m,t) from Alice Why shall I trust you? 1.You could have created t yourself (because you know k) 2.I don’t know k, so how can I verify the tag? Why shall I trust you? 1.You could have created t yourself (because you know k) 2.I don’t know k, so how can I verify the tag?

Signatures are publicly-verifiable! Alice Bob (m, σ =Sign sk (m)) sk A pk A m є {0,1}* Carol I can calculate Vrfy(pk A,m,σ) and check. I can calculate Vrfy(pk A,m,σ) and check. Look, I got (m,σ) from Alice

So, the signatures are transferable P2P2 P3P3 Alice P4P4 P1P1 σ = Sign(sk 3,m) sk A (m,σ) “Alice signed m” pk A “Alice signed m” I believe it!

Non-repudiation Alice Bob (m, σ =Sign sk (m)) sk A pk A m є {0,1}* Judge “I’ve got (m,σ) from Alice” It’s not true! I never signed m! Vrfy(pk,m,σ) = yes so you cannot repudiate signing m...

Things that need to be discussed Who maintains “the register”? How to contact it securely? How to revoke the key (if it is lost)?... We will discuss these things later (when we will be talking about the Public-Key Infrastructure)

anyone can lock it But is it possible? In “physical world”: yes! Examples: 1.“normal” signatures 2.padlocks: the key is needed to unlock

Diffie and Hellman (1976) Diffie and Hellman proposed the public key cryptography in 1976. They just proposed the concept, not the implementation. They have also shown a protocol for key- exchange.

The observation of Diffie and Hellman: plaintexts ciphertexts (pk, sk) – the key pair Enc(pk,x) Dec(sk,y) easy only if one knows sk tags (“signatures”) messages Vrfy(pk,x) Sign(sk,y) easy only if one knows sk public-key encryption: signature schemes: Looks similar...

Trapdoor permutations (informal definition) X X X X easy easy: one can compute Enc pk -1 if one knows a trapdoor sk hard (otherwise) easy: one can compute Enc pk -1 if one knows a trapdoor sk hard (otherwise) Enc pk this is denoted Dec sk A family of permutations indexed by pk є keys : { Enc pk : X → X } pk є keys such that for every key pk there exists a key sk, and:

How to encrypt a message m messages plaintexts m := Dec sk (c) c := Enc pk (m) one can compute it only if one knows sk encryption: decryption : Warning: In general it’s not that simple. We will explain it later.

How to sign a message m signatures messages Dec sk (m) Enc pk (m) one can compute it only if one knows sk signing: verifying: Warning: In general it’s not that simple. We will explain it later.

Plan 1.The problem of key distribution 2.The idea of Merkle, Diffie and Hellman 3.The solution of Rivest, Shamir and Adleman 4.Public-Key Infrastructure 5.Identity-based encryption

Do such functions exist? Ron Rivest, Adi Shamir, and Leonard Adleman (1977) Yes: exponentiation modulo N, where N is a product of two large primes. RSA function is (conjectured to be) a trapdoor permutation!

The RSA function N = pq, such that p and q are random primes, and |p| = |q| e – random such that gcd(e, (p-1)(q-1)) = 1 d – random such that ed = 1 (mod (p-1)(q-1)) pk := (N,e) sk := (N,d) Enc pk : Z N → Z N is defined as: Enc pk (m) = m e mod N. Dec sk : Z N → Z N is defined as: Dec sk (c) = c d mod N.

Questions and doubts N = pq, such that p and q are random primes, and |p| = |q| e – random such that gcd(e, (p-1)(q-1)) = 1 d – such that ed = 1 (mod (p-1)(q-1)) pk := (N,e) sk := (N,d) Enc pk : Z N → Z N is defined as: Enc pk (m) = m e mod N. Dec sk : Z N → Z N is defined as: Dec sk (c) = c d mod N. How large these primes need to be? How to sample them? Can exponentiation be done efficiently? looks a bit strange... Enc pk (1) = 1 e mod N = 1 Oops... Enc pk (1) = 1 e mod N = 1 Oops... encryption is deterministic... We will address it later...

Is RSA secure? Is RSA secure: 1.as an encryption scheme? 2.as a signature scheme? The answer is not that simple. First, we would need to define security! We will do it on the next lectures. Is RSA secure: 1.as an encryption scheme? 2.as a signature scheme? The answer is not that simple. First, we would need to define security! We will do it on the next lectures.

P5P5 P1P1 P3P3 P2P2 P4P4 pk 1 pk 2 pk 3 pk 4 pk 5 public register: sk 3 sk 5 sk 4 sk 1 sk 2 Remember this slide?

Question: How to maintain the public register? 1.We start with the case when the public keys are used for signing that is legally binding. 2.Then we consider other cases.

A problem Alice Bob (m, σ =Sign sk (m)) sk A pk A m є {0,1}* Judge I got (m,σ) from Alice It’s not true! I never signed m! Vrfy(pk,m,σ) = yes so you cannot repudiate signing m... But pk is not my public key!

Solution: certification authorities A simplified view: comes with her ID and pk Alice (pk Cert,sk Cert ) checks the ID of Alice and issues a certificate: Sign sk Cert (“pk Alice is a public key of Alice”) checks the ID of Alice and issues a certificate: Sign sk Cert (“pk Alice is a public key of Alice”) Alice Now, everyone can verify that pk Alice is a public key of Alice. So Alice can attach it to every signature Certification Authority really everyone?

What is needed to verify the certificate To verify the certificate coming from Cert one needs: 1.to know the public key of the Cert 2.to trust Cert. It is better if Cert also keeps a document: “I, Alice certify that pk Alice is my public key” with a written signature of Alice.

Ustawa o podpisie elektronicznymUstawa o podpisie elektronicznym, z dnia 18 września 2001 r. (Dz.U.01.130.1450) 28 str. (ISIP), na podst. dyrektywy EU 1999/93/ECISIP1999/93/EC Ustawa o podpisie elektronicznymUstawa o podpisie elektronicznym, z dnia 18 września 2001 r. (Dz.U.01.130.1450) 28 str. (ISIP), na podst. dyrektywy EU 1999/93/ECISIP1999/93/EC How does it look from the legal point of view? What matters at the end is if you can convince the judge. Many countries have now a special law regulating these things. In Poland:

The qualified signature is equivalent to the written one! A signature obtained this way is called a qualified digital signature. A certificate issued by such an authority is called a qualified certificate. This law defines the conditions to become an official certification authority

Polish Certificate Authorities: Krajowa Izba Rozliczeniowa, Polska Wytwórnia Papierów Wartościowych Unizeto Technologies MobiCert Enigma S.O.I. This list is maintained by Narodowe Centrum Certyfikacji NCCERT

So, what to do if you want to issue the qualified signatures? You have to go to one of this companies and get a qualified certificate (it costs!). The certificate is valid just for some given period.

What if the secret key is lost? 1.In this case you have to revoke the certificate. Every authority maintains a list of revoked certificates. 2.The certificates come with some insurance.

Plan 1.The problem of key distribution 2.The idea of Merkle, Diffie and Hellman 3.The solution of Rivest, Shamir and Adleman 4.Public-Key Infrastructure 5.Identity-based encryption

In many case one doesn’t want to use the qualified signatures 1.The certificates cost. 2.It’s risky to use them: How do you know what your computer is really signing? Computers have viruses, Trojan horses, etc. You can use external (trusted) hardware but it should have a display (so you can see what is signed). Remember: qualified signatures are equivalent to the written ones!

In many cases the qualified signatures are an overkill. The certificates are distributed using a public-key infrastructure (PKI). Instead, people use non-qualified signatures. Practical solution

Users can certify keys of the other users P1P1 P3P3 P2P2 pk 3 pk 1 pk 2 knows pk 2 knows pk 3 “trusts” P 2 P 2 certifies that pk 3 is a public key of P 3 signature of P 2 P 1 believes that pk 3 is a public key of P3 this should be done only if P 2 really met P 3 in person and verified his identity

P1P1 P3P3 P2P2 pk 3 pk 1 pk 2 knows pk 2 knows pk 3 “trusts” P 2 P4P4 pk 4 knows pk 4 “trusts” P 3 P 2 certifies that pk 3 is a public key of P 3 signature of P 2 P 3 certifies that pk 4 is a public key of P 4 signature of P 3 P 1 believes that pk 4 is a public key of P 4

P1P1 P3P3 P2P2 pk 3 pk 1 pk 2 knows pk 2 knows pk 3 “trusts” P 2 P4P4 pk 4 P 2 certifies that pk 3 is a public key of P 3 signature of P 2 P 3 certifies that pk 4 is a public key of P 4 signature of P 3 P 1 believes that pk 5 is a public key of P 5 “trusts” P 3 knows pk 4 P5P5 pk 4 “trusts” P 4 P 4 certifies that pk 5 is a public key of P 5 signature of P 4 This is called a certificate chain knows pk 5

A problem What if P 1 does not know P 3 ? How can he trust him? Answer: P 2 can recommend P 3 to P 1. P1P1 P3P3 P2P2 pk 3 pk 1 pk 2 knows pk 2 knows pk 3 “trusts” P 2 P4P4 pk 4 “trusts” P 3 knows pk 4

A question: is trust transitive? P1P1 P3P3 P2P2 pk 3 pk 1 pk 2 “trusts” P 2 “trusts” P 3 P1P1 P3P3 P2P2 pk 3 pk 1 pk 2 “trusts” P 3 Does: imply: ?

Example P1P1 P3P3 P2P2 pk 3 pk 1 pk 2 trusts that P 2 is a very honest person P1P1 P3P3 P2P2 pk 3 pk 1 pk 2 doesn’t trust that P 3 is honest, because he thinks that P 2 is honest but naive doesn’t trust that P 3 is honest, because he thinks that P 2 is honest but naive trusts that P 3 is a very honest person I can recommend P 3

Moral Trust is not transitive: “P 1 trusts in the certificates issued by P 2 ” is not the same as saying: “P 1 trusts that if P 2 says you can trust the certificates issued by P 3 then one can trust the certificates issued by P 3 ”

level 1 recommendation: A: ”you can trusts in all the certificates issued by B” level 2 recommendation: A : “you can trust that all the level 1 recommendations issued by B” level 3 recommendation: B : “you can trust that all the level 2 recommendations issued by B” and so on... level 1 recommendation: A: ”you can trusts in all the certificates issued by B” level 2 recommendation: A : “you can trust that all the level 1 recommendations issued by B” level 3 recommendation: B : “you can trust that all the level 2 recommendations issued by B” and so on... Recommendation levels Recursively: level i+1 recommendation: A : “you can trust that all the level i recommendations issued by B”

P1P1 P3P3 P2P2 P4P4 P1P1 P3P3 P2P2 P4P4 trusts the certificates issued by P 4 Now, if: then Of course the recommendations also need to be signed. Starts to look complicated... P 2 issues a recommendation of level 2 for P 3 P 2 issues a recommendation of level 2 for P 3 P 3 issues a recommendation of level 1 for P 4 P 3 issues a recommendation of level 1 for P 4 P 1 trusts in all the recommendations of level 2 issued by P 2 P 1 trusts in all the recommendations of level 2 issued by P 2

How is it solved in practice? In popular standard is X.509 the recommendation is included into a certificate. Here the level of recommendations is bounded using a field called basic constraints. X.509 is used for example in SSL. SSL is implemented is implemented in every popular web- browser. So, let’s look at it.

this field limits the recommendation depth (here it’s unlimited)

Concrete example Let’s go to the Banca Di Roma website

a certificate chain

the second certificate was signed by ”Verisign Primary Authority” for “Verisign Inc”. (it’s not strange, we will discuss it)

Look here

The third certificate was issued by Verisign Inc. for Banca di Roma

The typical picture web browser knows these certificates VerisignDigiCert Entrust... Verisign Europe Verisign USA Verisign Italy Banca di Roma a certificate path Implicit assumptions: the author of the browser is honest, the author of the browser is competent nobody manipulated the browser is it always true?

CA 1 CA 2 CA 3 CA n client cert 1 cert 2 cert 3 cert n-1 cert n Moreover: each cert i has a number d i denoting a maximal depth of certificate chain from this point (this limits the recommendation depth) That is, we need to have: d i ≥ n - i Moreover: each cert i has a number d i denoting a maximal depth of certificate chain from this point (this limits the recommendation depth) That is, we need to have: d i ≥ n - i All these certificates have to have a flag “Is a Certification Authority” switched on. d1d1 d2d2 d3d3 dndn

Is it so important to check it? Yes! For example: the last element in the chain can be anybody (who paid to Verising for a certificate). For sure we do not want to trust the certificates issued by anyone.

So, what happens when a user contacts the bank? Alice sends (cert 1,..., cert n ) If Alice’s browser knows cert 1 it can verify the chain and read the public key of the bank from cert n Bank

What happens if the certification path is invalid? For example if the first certificate in the path is not known to the user. Experiment: let’s delete the Verisign certificate for the configuration of the browser...

What happens?

Other information that the certificats contain information about the signature algorithm validity (dates) adress of the certificate revocation list

Another popular PKI Pretty Good Privacy (PGP) – every user can act as a certification authority. Hence the name: Web of Trust

Plan 1.The problem of key distribution 2.The idea of Merkle, Diffie and Hellman 3.The solution of Rivest, Shamir and Adleman 4.Public-Key Infrastructures 5.Identity-based encryption

Identity based cryptography Main idea: the identifier ID of the user is it’s public key. (e.g. ID = user’s email address). ID: luigi@gmail.com C = Enc(ID,M) message M question: What is the private key?

Solution luigi@gmail.com sergio@yahoo.com gianni@gmail.com holds a master secret key SK central authority secret key SK gianni@gmail.com : Extract(SK, gianni@gmail.com) secret key of SK sergio@yahoo.com : Extract(SK, sergio@yahoo.com) secret key of SK luigi@gmail.com : Extract(SK, sergio@yahoo.com) sent over a secure link

How to decrypt luigi@gmail.com C = Enc(luigi@gmail.com, M) message M knows SK luigi@gmail.com calculates M=Dec(Sk luigi, C) calculates M=Dec(Sk luigi, C)

ID-based encryption Main advantage: no need for PKI Drawbacks: users need to trust an authority, and they need to have a secure link to it, key revocation?

ID-based encrypion Proposed by Adi Shamir in 1984. (he only implemented the identity-based signatures) First schemes were proposed by Boneh and Franklin (2001) and, independently Cocks (2001). In 2002 Boneh started a company Voltage Security that produces solutions based on his ID-based scheme.

© 2012 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.

Download ppt "Lecture 5 Key Management and Public- Key Cryptography Stefan Dziembowski www.dziembowski.net MIM UW 9.11.12 ver 1.1."

Similar presentations