Cryptography Lecture 27
Public-key infrastructure (PKI)
Use signatures for secure key distribution! Alice asks the CA to sign the binding (Alice, pk) certCAAlice = SignskCA(Alice, pk) (CA must verify Alice’s identity out of band)
PKI models We saw two models last time: Roots of trust Web of trust
Public repository Store certificates in a central repository E.g., MIT PGP keyserver To find Alice’s public key Get all public keys for “Alice,” along with certificates on those keys Look for a certificate signed by someone you trust whose public key you already have
PKI in practice… Does not work quite as well as in theory… Proliferation of root CAs Compromises of CAs Revocation Users/browsers may not verify certificates
SSL/TLS How can you securely send your credit card number to Amazon? Secure Socket Layer (Netscape, mid-’90s) Transport Layer Security TLS 1.0 (1999) TLS 1.2 (2008) TLS 1.3 (2018) Used by every web browser for https connections
SSL/TLS Goals Not goals Understand (at a high level) a real-world crypto protocol Pull together everything learned in this course Not goals Understanding low-level details/implementation Defining or proving security
SSL/TLS Two phases Handshake protocol Record-layer protocol Establish a shared key between two entities Record-layer protocol Use the shared key for secure communication
Handshake protocol https://bank.com, NC pk, cert, NB Verify! c =Encpk(pmk) pkCA sk, pk, certCABank mk = H(pmk, NC, NB) kC, k’C, kS, k’S = G(mk) Macmk(transcript) pmk = Decsk(c) mk = H(pmk, NC, NB) kC, k’C, kS, k’S = G(mk) Verify! Macmk(transcript’) Verify!
Record-layer protocol Parties now share kC, k’C, kS, k’S Client uses kC, k’C to encrypt/authenticate all messages it sends Server uses kS, k’S to encrypt/authenticate all messages it sends Prevents reflection attacks Sequence numbers prevent replay attacks
Final review
Exam details Open book/notes Covers material from the entire semester No electronic devices Covers material from the entire semester Focus will be on material since the midterm Practice exam posted
Topics we covered Defining security E.g., for private-key encryption: perfect secrecy, EAV-security, CPA-security, CCA-security Security definitions will be tested Must be able to write pseudocode and give analysis showing that some scheme is insecure because it does not satisfy a given definition Assumptions Primitives (PRGs, stream ciphers, PRFs, block ciphers, hash functions) and instantiations (AES, SHA-256, …) Number-theoretic assumptions Proofs
Topics we covered Private-key encryption Message authentication codes Hash functions and applications Constructions of: Stream ciphers (LFSRs) Block ciphers (SPNs, Feistel networks) Hash functions (Davies-Meyer, Merkle-Damgard) Generic attacks on hash functions, block ciphers, etc.
Topics we covered Number theory/group theory RSA assumption, dlog assumption, DH assumptions Diffie-Hellman key exchange Public-key encryption Digital signatures
Goals Understand real-world crypto Almost everything we have covered in class is used in practice, or is the basis for something used in practice Know when to use different schemes Understand the formal guarantees that different schemes provide To make sure you understand a scheme, ask yourself if you could implement it