Mar 19, 2002, Mårten Trolin. This lecture: On the assignment; Certificates and key management; SSL/TLS (Introduction, Phases, Commands).


1 This lecture
On the assignment
Certificates and key management
SSL/TLS
–Introduction
–Phases
–Commands

2 Previous lecture
Diffie-Hellman key agreement
Authentication
Certificates
Certificate Authorities

3 Assignment
Completely solved assignment gives 4 points
Chaining not implemented gives 2 points
–Penalty for delay – one point per day
Common problems
–Static Initialization Vector (IV)
–Padding not bijectional
–Encryption algorithm used

4 Initialization Vector (IV)
In CBC mode, the IV is used for the first XOR.
Using a constant IV always gives the same ciphertext for a certain clear text.
A good system should generate the IV dynamically
–From some random generator
–From the system time, etc.
Since the IV is necessary for decryption, the IV must be given in clear in the output
–The IV itself is not secret, and giving it in clear does not create a security problem.

5 Padding
If the clear text is not a multiple of the block length, some padding must be used.
The padding must be bijectional, i.e., the extra characters added must be removed after decryption
–Padding by adding spaces to the clear text does not work, since you can’t know if the spaces were added during padding, or if they were in the clear text from the beginning
How to create a bijectional padding?

6 Bijectional padding schemes
A padding scheme is bijectional if depad(pad(s)) = s.
If there are certain characters that for some reason cannot appear in the clear text, they can be used for padding.
–In general, this is not a good solution, since such conditions may change.
Example: Let l be the length of the original clear text, and let b be the block length. Set l´ to the smallest multiple of b such that l´ > l. Create a string of length l´ whose first l bytes are the clear text. Set the last byte to l´ - l.
–This is reversible, since when decrypting, it is possible to read the last byte and remove the corresponding number of padding characters.
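The padding scheme from slide 6 combined with the CBC chaining and IV handling from slide 4, as an added example that is not part of the original lecture. It draws the IV from the operating system's random generator, since a CBC IV should be unpredictable as well as non-repeating, and writes it in clear as the first output block. Assumption: block_encrypt/block_decrypt are a hash-based Feistel stand-in for the raw DES block operation, used only so the example runs with the standard library.

```python
import hashlib
import os

BLOCK = 8  # DES block length in bytes

def pad(s: bytes, b: int = BLOCK) -> bytes:
    """Grow s to the smallest multiple of b strictly greater than len(s);
    the last byte holds the number of bytes added (1..b)."""
    n = b - len(s) % b
    return s + bytes(n - 1) + bytes([n])

def depad(p: bytes, b: int = BLOCK) -> bytes:
    n = p[-1] if p else 0
    if not p or len(p) % b or not 1 <= n <= b:
        raise ValueError("invalid padding")
    return p[:-n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """Stand-in 4-round Feistel permutation on one 8-byte block (not DES)."""
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, xor(l, round_f(key, i, r))
    return l + r

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:4], blk[4:]
    for i in reversed(range(4)):
        l, r = xor(r, round_f(key, i, l)), l
    return l + r

def cbc_encrypt(key: bytes, clear: bytes, iv: bytes = None) -> bytes:
    """Output is IV || ciphertext; a fresh random IV is drawn unless one is given."""
    iv = os.urandom(BLOCK) if iv is None else iv
    out, prev, data = [iv], iv, pad(clear)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    if len(ct) < 2 * BLOCK or len(ct) % BLOCK:
        raise ValueError("bad ciphertext length")
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    clear = b"".join(xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return depad(clear)
```

Passing a fixed iv reproduces the "static IV" problem from slide 3: the same clear text then always yields the same ciphertext.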

7 Encryption algorithm used
In the assignment, you need the “basic” DES encryption.
Since ECB (Electronic Code Book) provides encryption without any further processing, this is what we want.
–In Java, use “DES/ECB/NoPadding”
–In other libraries, either call DES directly, or ECB without padding

8 Key management
The applicant generates a key pair (public key and private key).
The public key is sent to the Certificate Authority (CA) together with identifying data.
The CA verifies the data and signs it with its private key (creating a certificate).
The signed certificate is sent back to the issuer.
Note: No secret information is ever transmitted!

9 Key management – getting a certificate
[Diagram: the Server generates a key pair (private key, public key) and sends the public key and request information to the Certificate Authority. The Certificate Authority verifies that the information in the request is correct and returns the certificate.]

10 Verifying a certificate
The user needs to know the public key of the CA
–Web browsers come with certain CA public keys installed.
To verify the validity of a certificate, the user must
–verify the digital signature in the certificate with the CA public key
–verify that the identifying information is what it should be.

11 Certificate chains
Certificates can be chained
–Each certificate in the chain is signed with the private key of the certificate above.
If the user knows the root certificate, he can verify that each step is valid.
Using chains, the CA can outsource signing to other organizations it trusts without giving away its private key.

12 Certificate chains
The end user certificates are verified by following the chain up to the root certificate authority (CA)
–If every step in the chain is valid, the end user certificate is considered valid.
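The issuing and chain-verification steps from slides 8 to 12, as an added example that is not part of the original lecture. Assumptions: certificates are plain dictionaries rather than X.509, signatures are unpadded textbook RSA over a SHA-256 hash, and all names and keys (Root CA, Sub CA, www.example.test) are constructed sample values.

```python
import hashlib

def keypair(p, q, e=65537):
    """Textbook RSA key from two primes; returns (public (n, e), private d)."""
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def digest(cert, n):
    """Hash of the signed fields, reduced into the signer's modulus n."""
    data = "|".join(map(str, (cert["subject"], cert["issuer"], *cert["pub"])))
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % n

def issue(subject, pub, issuer, issuer_pub, issuer_d):
    """CA side: sign the applicant's public key and identifying data.
    Only the public key is submitted; the applicant's private key stays put."""
    cert = {"subject": subject, "issuer": issuer, "pub": pub}
    cert["sig"] = pow(digest(cert, issuer_pub[0]), issuer_d, issuer_pub[0])
    return cert

def verify_chain(chain, trusted_roots, expected_subject):
    """chain[0] is the end-user certificate; each later entry signed the one
    before it. trusted_roots maps a root name to the public key the user
    already knows (e.g. installed with the browser)."""
    if not chain or chain[0]["subject"] != expected_subject:
        return False          # identifying information is not what it should be
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False  # chain is not linked
            signer_pub = chain[i + 1]["pub"]
        else:
            signer_pub = trusted_roots.get(cert["issuer"])
            if signer_pub is None:
                return False  # chain does not end at a known root
        n, e = signer_pub
        if pow(cert["sig"], e, n) != digest(cert, n):
            return False      # signature does not match the signed fields
    return True

# Constructed sample hierarchy: Root CA -> Sub CA -> www.example.test
ROOT_PUB, ROOT_D = keypair(2**61 - 1, 2**89 - 1)
SUB_PUB, SUB_D = keypair(2**107 - 1, 2**127 - 1)
SRV_PUB, _ = keypair(2**19 - 1, 2**31 - 1)
SUB_CERT = issue("Sub CA", SUB_PUB, "Root CA", ROOT_PUB, ROOT_D)
SRV_CERT = issue("www.example.test", SRV_PUB, "Sub CA", SUB_PUB, SUB_D)
ROOTS = {"Root CA": ROOT_PUB}
```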

13 SSL/TLS
SSL (Secure Socket Layer) and TLS (Transport Layer Security) are standards for how to secure TCP/IP communications
–As of the latest revision, TLS is the official name for what used to be called SSL. However, SSL is still the word most frequently used.
TLS is a layer on top of the TCP layer

14 TLS
[Diagram: two protocol stacks]
Not secure: HTTP on top of TCP on top of IP
Secure: HTTP on top of TLS on top of TCP on top of IP

15 TLS
Uses public keys and certificates for key negotiation
–Certificates in X.509 format
Symmetric cryptography for actual communication
–Exact cipher used decided during hand-shake.
TLS standard defines certain commands that can be used in communication

16 TLS roles
TLS defines two roles, the server and the client.
The client always initiates the communication.
–Example: Web browser
The server stands ready to respond to a request from the client
–Example: Web server

17 TLS messages
TLS defines several messages
The messages are used in different stages
–Handshake
  Key establishment
  Authentication
  Resuming a session
–Sending data
–Closing a transaction

18 Initiating a transaction without authentication
[Message sequence diagram between Client and Server]
Client → Server: ClientHello
Server → Client: ServerHello, ServerKeyExchange, ServerHelloDone
Client → Server: ClientKeyExchange, ChangeCipherSpec, Finished
Server → Client: ChangeCipherSpec, Finished

