Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS 5950/6030 – Computer Security and Information Assurance Section 2: Introduction to Cryptology (Part 2) Dr. Leszek Lilien Department of Computer Science.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CS 5950/6030 – Computer Security and Information Assurance Section 2: Introduction to Cryptology (Part 2) Dr. Leszek Lilien Department of Computer Science."— Presentation transcript:

1 CS 5950/6030 – Computer Security and Information Assurance Section 2: Introduction to Cryptology (Part 2) Dr. Leszek Lilien Department of Computer Science Western Michigan University Slides based on Security in Computing. Third Edition by Pfleeger and Pfleeger. Using some slides courtesy of: Prof. Aaron Striegel — course taught at U. of Notre Dame Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke (U. Idaho) — taught at U. Washington Prof. Jussipekka Leiwo — taught at Vrije Universiteit (Free U.), Amsterdam, The Netherlands Slides not created by the above authors are © 2006 by Leszek T. Lilien Requests to use original slides for non-profit purposes will be gladly granted upon a written request.

2 2 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Introduction to Cryptology – Part 1 Covered: 2A. Terminology and Background 2A.1. Threats to Messages 2A.2. Basic Terminology and Notation 2A.3. Requirements for Crypto Protocols 2A.4. Representing Characters 2B. Basic Types of Ciphers 2B.1. Substitution Ciphers a. The Ceasar Cipher b. Other Substitution Ciphers c. One-Time Pads 2B.2. Transposition Ciphers 2B.3. Product Ciphers 2C. Making „Good” Ciphers 2C.1. Criteria for „Good” Ciphers 2C.2. Stream and Block Ciphers 2C.3. Cryptanalysis 2C.4. Symmetric and Asymm. Cryptosystems

3 3 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 2D. The DES (Data Encryption Standard) Algorithm 2D.1. Background and History of DES 2D.2. Overview of DES 2D.3. Double and Triple DES 2D.4. Security of DES 2E. The Clipper Story 2F. AES (Advanced Encryption Standard) 2F.1. The AES Contest 2F.2. Overview of Rijndael 2F.3. Strength of AES 2F.4. Comparison of DES and AES... Part 1 of Section 2 Ended Here... Introduction to Cryptology – Part 1 Covered (cont.)

4 4 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Introduction to Cryptology – Part 2 Outline (1) 2G. Public Key Encryption (PKE) 2G.1. Motivation for PKE 2G.2. Characteristics of PKE 2G.3. RSA (Rivest-Shamir-Adelman) Encryption 2H. The Uses of Encryption 2H.1. Cryptographic Hash Functions 2H.2. Key Exchange 2H.3. Digital Signatures a. Problem Definition b. Properties of Electronic Signatures c. Using PKE for Digital Signatures d. Using Hash Fcns for Digital Signatures

5 5 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Introduction to Cryptology – Part 2 Outline (2) 2H. The Uses of Encryption – cont. 2H.4. Certificates a. Introduction b. Trust Through a Common Respected Individual c. Certificates for Identity Authentication d. Trust Without a Single Hierarchy

6 6 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 2G. Public Key Encryption (PKE) Recall: Two main types of cryptosystems: Classical (= symmetric) Public key (= asymmetric) Outline 2G.1. Motivation for PKE 2G.2. Characteristics of PKE 2G.3. RSA (Rivest-Shamir-Adelman) Encryption

7 7 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 2G.1. Motivation for PKE (1) So far - cryptosystems with secret keys Problems: A lot of keys o(n 2 ) keys for n users (n * (n-1) /2 keys) — if each must be able to communicate with each Distributing so many keys securely Secure storage for the keys User with n keys can’t just memorize them Can have a system with significantly fewer keys? Yes!

8 8 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Motivation for PKE (2) 1976 — Diffie and Hellman — new kind of cryptosystem: public key cryptosystem = asymmetric cryptosystem Key pairs: Each user owns one private key Each user shares the corresponding public key with n-1 remaining users => n users share each public key Only 2n keys for n users 2n = n * (1 + n * 1/n) Since public key is shared by n people: 1 „owner” + (n-1) others = n 1/n since each part „owns” 1/n of the public key Even if each communicates with each Reduction from o(n 2 ) to o(n) ! n key pairs are:,,...,

9 9 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 2G.2. Characteristics of PKE (1)  PKE requirements 1.It must be computationally easy to encipher or decipher a message given the appropriate key 2.It must be computationally infeasible to derive k PRIV from k PUB 3.It must be computationally infeasible to determine k PRIV from a chosen plaintext attack [cf. Barbara Endicott-Popovsky, U. Washington]

10 10 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Characteristics of PKE (2) Key pair characteristics One key is inverse of the other key of the pair i.e., it can undo encryption provided by the other: D(k PRIV, E(k PUB, P)) = P D(k PUB, E(k PRIV, P)) = P One of the keys can be public since each key does only half of E ”+” D As shown above – need both E and D to get P back

11 11 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Characteristics of PKE (3) Two E/D possibilities for key pair P = D(k PRIV, E(k PUB, P)) User encrypts msg with k PUB (k PUB” ”locks”) Recipient decrypts msg with k PRIV (k PRIV ”unlocks”) OR P = D(k PUB, E(k PRIV, P))(e.g., in RSA) User encrypts msg with k PRIV (k PRIV ”locks”) Recipient decrypts msg with key k PUB (k PUB ”unlocks”) Do we still need symmetric encryption (SE) systems? Yes, PKEs are 10,000+ times (!) slower than SEs PKEs use exponentiation – involves multiplication and division SEs use only bit operations (add, XOR< substitute, shift) – much faster

12 12 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 2G.3. RSA Encryption (1) RSA = Rivest, Shamir, and Adelman (MIT), 1978 Underlying hard problem: Number theory – determining prime factors of a given (large) number (ex. factoring of small #: 5  5, 6  2 *3) Arithmetic modulo n How secure is RSA? So far remains secure (after all these years...) Will sb propose a quick algorithm to factor large numbers? Will quantum computing break it? TBD

13 13 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 RSA Encryption (2) In RSA: P = E (D(P)) = D(E(P)) (order of D/E does not matter) More precisely: P = E(k E, D(k D, P)) = D(k D, E(k E, P)) Encryption:C = P e mod nK E = e Given C, it is very difficult to find P without knowing K D Decryption:P = C d mod nK D = d

14 14 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 2H. The Uses of Encryption PKE is much slower than SE (symmetric E) PKEs only for specialized, infrequent tasks SEs – a real workhorse Four applications of encryption (& outline)  Cryptographic Hash Functions (subsec. 2H.1)  Key Exchange (subsec. 2H.2)  Digital Signatures (subsec. 2H.3)  Certificates (subsec. 2H.4)

15 15 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 2H.1. Cryptographic Hash Functions (1) Integrity: How can you be sure that a recived msg/doc was not modified by an attacker or malfunction? Answer: use cryptography to ensure integrity Idea: Wax seals on letters in Middle Ages — easy to see if broken Cryptographic „seal” on doc/msg — so that any change to it will be readily detected

16 16 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Cryptographic Hash Fcns (2) A technique: compute a hash fcn / checksum / msg digest More formally: Problem: How to send n-bit msg so that R can easily verify that it is intact Solution: Send a msg of n+k bits n bits — original msg k bits — checksum = msg digest Generated based on the n bits

17 17 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Cryptographic Hash Fcns (3) Simple Parity for Error Detection (1) Simple (non-cryptographic) technique: parity Add a single parity bit to detect if a message is correct Example 1: odd parity Force the block of data to have an odd # of 1’s Data = 1011— n = 4 Sent block = 10110— n+k = 4+1 — looked at ‘1011’, added 0 to have odd # of 1’s Data = 0110 Sent block= 01101 — looked at ‘0110’, added 1 to have odd # of 1’s Example 2: ASCII parity bit ASCII has 7 bits for data, 8th bit is single parity bit Either odd or even parity used [cf. A. Striegel, U. Notre Dame]

18 18 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 How parity enhances msg integrity? Can detect error in 1 bit (or in odd # of bits) e,.g, if R gets 01001, R knows it’s wrong (S sent 01101) Cannot detect error in 2 bits (or in even # of bits) Bec. parity stays OK -> undetectable integrity violation e.g, if R gets 01011, R knows it’s wrong (S sent 01101) Cannot repair errors either E.g., R doesn’t know which bit in 01001 is wrong [cf. A. Striegel, U. Notre Dame] Cryptographic Hash Fcns (4) Simple Parity for Error Detection (2)

19 19 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Cryptographic Hash Fcns (5) Better Checksums against Errors & Attacks There are better checksums than simple odd/even parity Can detect multiple errors Can even repair multiple errors These checksums are to fix errors, not deal with attacks For attacks need cryptographic checksums / strong hash functions

20 20 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Cryptographic Hash Fcns (6) Strong Hash Function Formal definition: strong hash function (cryptographic checksum) is h: A -> B such that: 1)For any x  A, h(x) is easy to compute 2)For any y  B, it is computationally infeasible to find inverse of y, i.e., x  A such that h(x) = y 3)It is computationally infeasible to find a pair of colliding input values, i.e. x, x’  A such that x ≠ x’ and h(x) = h(x’) Alternate (stronger) form for (3): Given any x  A, it is computationally infeasible to find x’  A such that x ≠ x’ and h(x) = h(x’)  Due to (1) and (2), hash fcn is a one-way function [cf. A. Striegel, U. Notre Dame, Barbara Endicott-Popovsky, U. Washington]

21 21 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Cryptographic Hash Fcns (7) Collisions & Attacks on Msg Integrity (1) Note: n bits of msg (x) mapped into k bits of its checksum (y) k collisions must exist But it is computationally infeasible to find collisions for good hash fcns Goal of a successful attack on msg integrity: Change msg1 in such a way that checksum remains unchanged (so R doesn’t detect the forgery) I.e., find msg2 that collides with the original msg1 w.r.t. checksum value Finding msg2 is computationally infeasible (for good hash) => forging msg1 undetectably is computationally infeasible [cf. A. Striegel, U. Notre Dame]

22 22 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Pigeonhole principle n containers for n+1 objects (n pigeonholes for n+1 pigeons) => at least 1 container will hold two objects Example:  n = length(msg) = 5, k = length(hash)= 3  2 5 =32 possible msgs vs. 2 3 =8 possible hash values => at least 4 (= 32/8) different msgs hash into the same value (collisions!)  Real msgs and hash values are much longer than 5 or 3 bits! We know that collisions exist but: => much tougher to find collisions => much tougher to forge them [cf. A. Striegel, U. Notre Dame] Cryptographic Hash Fcns (8) Collisions & Attacks on Msg Integrity (2)

23 23 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Cryptographic Hash Fcns (9) File Checksum File checksum Calculated, a fcn defined on all bits of the file Result encrypted and stored with the file Each time file used by legitimate users, checksum recalculated, encrypted, stored with the file File sent to R When file received by R: R decrypts checksum c1 received in the file R independently calculates file checksum c2 If c1 = c2 => file integrity is OK Otherwise – file integrity violated

24 24 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Cryptographic Hash Fcns (10) Keyed vs. Keyless Crypto Checksum (1) Keyed crypto checksum Key needed to compute checksum Keyed hash fcns DES, AES Use it in chaining mode: link next msg block to value of the previous msg block Example chaining: E(current block) XOR E(previous block) => connects block to all previous blocks  If file sent, file’s checksum could be the last block  If chaining used, file checksum (=last block) depends on all previous blocks => depends on all bits of the file

25 25 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Cryptographic Hash Fcns (11) Keyed vs. Keyless Crypto Checksum (2) Keyed crypto checksum – CONT. Used for integrity + authentication Integrity: checksum makes msg modification difficult Authentication: only S and R know symmetric key R: if msg integrity is OK, it must have been sent by S

26 26 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Cryptographic Hash Fcns (12) Keyed vs. Keyless Crypto Checksum (3) Keyless crypto checksum No key required to compute checksum Keyless hash functions MD5/MD4: any msg  128-bit digest (hash, checksum) SHA/SHS: any msg  160-bit digest Other: MD2, HAVAL, Snefru,... Used for integrity (not authentication) Integrity: checksum makes msg modification difficult (with truly public key anybody can send msg, but nobody but S can easily modify this msg) No authentication: n (or all) people know public key – R can’t prove which one of them sent a given msg [cf. A. Striegel, U. Notre Dame, Barbara Endicott-Popovsky, U. Washington]

27 27 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 2H.2. Key Exchange (1) Motivation: X and Y don’t know each other X needs to send protected msg to Y E.g., shopping on a web site  can do it if can securely exchange K E This is the problem of key exchange Important Hard Circular (chicken-’n-egg) problem? „To establish secure session need secure channel” Circle can be broken – by public key cryptography Can send public key even on insecure channel

28 28 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Key Exchange (2) Deriving Symmetric Key via PKE (1) Given S and R / k PRIV-S, k PUB-S -- k PRIV-R, k PUB-R Solution 1: S determines secret key K S encrypts K with k PRIV-S : C = E(k PRIV-S, K) S sends C to R R decrypts C to get K: D(k PUB-S, C) = K S & R communicate using secret (symmetric) key K BUT: Solution 1 is not good!!! Question: Why?

29 29 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Key Exchange (3) Deriving Symmetric Key via PKE (2) Given S and R / k PRIV-S, k PUB-S -- k PRIV-R, k PUB-R Solution 1: S determines secret key K S encrypts K with k PRIV-S : C = E(k PRIV-S, K) S sends C to R R decrypts C to get K: D(k PUB-S, C) = K S & R communicate using secret (symmetric) key K BUT: Solution 1 is not good !!! Answer: Attacker who has k PUB-S can also perform decryption! The easier the more people know k PUB-S Trivial if k PUB-S is truly public

30 30 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Key Exchange (4) Deriving Symmetric Key via PKE (3) Solution 2: S determines secret key K S encrypts K with k PUB-R : C = E(k PUB-R, K) S sends C to R R decrypts C to get K: D(k PRIV-R, C) = K S & R communicate using secret (symmetric) key K Solution 2 is better Only R can decode K (only R knows k PRIV-R )...but Solution 2 still is not quite good Question: Why? Hint: what about msg authentication?

31 31 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Key Exchange (5) Deriving Symmetric Key via PKE (4) Solution 2: S determines secret key K S encrypts K with k PUB-R : C = E(k PUB-R, K) S send C to R R decrypts C to get K: D(k PRIV-R, C) = K S & R communicate using secret (symmetric) key K Solution 2 is better Only R can decode K (only R knows k PRIV-R )...but Solution 2 still is not quite good Answer: No msg authentication (R has no assurance that msg was sent by S – anybody could have encoded with k PUB-R )

32 32 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Key Exchange (6) Deriving Symmetric Key via PKE (5) Solution 3: S determines secret key K S encrypts K with both k PRIV-S & k PUB-R : C = E(k PUB-R, E(k PRIV-S, K)) S sends C to R R decrypts C to get K: D( k PUB-S, D(k PRIV-R, C) ) -- order important ! make sure you see this (see Fig. 2-11 p.78) Solution 3 is good! Only R can decode K (only R knows k PRIV-R ) Authentication: R is assured that S sent C Only S could have encoded K with k PRIV-S

33 33 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 2H.3. Digital Signatures (1) Outline: a. Problem Definition b. Properties of Electronic Signatures c. Using PKE for Digital Signatures d. Using Hash Fcns for Digital Signatures

34 34 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Digital Signatures (2) a. Problem Definition (1) Motivation: Need to sign and transmit electronic doc’s or msgs, incl. checks Analogous to signing & transmitting „paper” letters, doc’s, etc., incl. checks Roles of signatures (for both paper a& electronic) Proves unforgeability of doc/letter/check Authenticates person S who signed doc/letter/check Provides non-repudiation: S cannot say sb else signed it Facilitates proving integrity (e.g., 2 signed legal copies for 2 parties) Note: signature might not identify the signing person if not legible

35 35 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Digital Signatures (3) Problem Definition (2) Security requirements for digital signatures: Signature will not reveal signer’s private key Only owner of private key can produce a valid signature Verification of a correct signature succeeds Modification of a signed message can be detected [cf. J. Leiwo]

36 36 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Digital Signatures (4) b. Properties of Electronic Signatures (1) M – msg / Sg(S, M) – signature of S on M Note: M = C or M = P M = P – if authentication but no secrecy needed Required properties for electronic signatures: Unforgeable: Only S can produce the pair [M, Sg(S, M)] Authenticable (can verify authenticity)/ non-repudiable: R can verify that Sg(S,M) in [M, Sg(S, M)] comes from S  Only S could have produced M”+”Sg(S,M)  Sg(S, M) is firmly attached to M M Sg(S, M)

37 37 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Digital Signatures (5) Properties of Electronic Signatures (2) Desirable properties for electr. signatures: Not alterable (assures „integrity”) : Once sent, M”+”Sg(S,M) cannot be undetectably altered by S, R, or interceptor [I’d rather consider this a part of „unforgeability” above] Not reusable: If M is received again, S detects that M is „old” E.g., can’t deposit a copy of a check to „double-deposit” Digital signature is a protocol that mimics effect of signature on paper M Sg(S, M)

38 38 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Digital Signatures (6) c. Using PKE for Digital Signatures (1) Transmitting signed msgs with PKE Original message: Privacy transformation: C = E(P, K PUB-R ) Only R can decrypt it (with K PRIV-R ) Authenticity transformation = signing: Sg = Sg(S, C) = D(C, K PRIV-S ) Only S can produce Sg(S, C) (with K PRIV-S ) Sent message:  Note: Remember that for some PKE algorithms (incl RSA): D( E(M, _), _ ) = E( D(M, _), _ ) = M (commutativity of E-D) C Sg P

39 39 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Digital Signatures (7) Using PKE for Digital Signatures (2) Transmitting signed msgs with PKE - cont. Received msg: [ C = E(P, K PUB-R ) ] [Sg = Sg(S, C) = D(C, K PRIV-S )] R verifies Sg with S’s public key K PUB-S : If E( Sg, K PUB-S ) = C, then signature is valid bec. E( Sg, K PUB-S ) = E( D(C, K PRIV-S ), K PUB-S ) = C R decodes C with R’s private key K PRIV-R : P = D(C, K PRIV-R ) C Sg

40 40 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Digital Signatures (8) Using PKE for Digital Signatures (3) Properties: [ C = E(P, K PUB-R ) ] [Sg = Sg(S, C) = D(C, K PRIV-S )] Unforgeability: If C is forged, it will not „correspond” to Sg ( i.e., E( Sg, K PUB-S ) ≠ C ) Authenticity: If Sg is valid, S is authenticated (only S can produce valid S’s signature) Non-repudiation (undeniability): If Sg is valid, only S could have produced it, and have sent C”+”Sg C Sg

41 41 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Digital Signatures (9) d. Using Hash Fcns for Digital Signatures Using hash fcn H in digital signatures — signature over H(m), not over m length H(m) << length (m) Before: Now: [Fig — cf. J. Leiwo] s = Sg D A (x) = D(x, K PRIV-A ) E A (x) = E(x, K PUB-A ) Note: Any alteration of m is detected by B’s „Verify” step even if m is not encoded with K PUB-B —due to use of H(m) m Sg(S, H(m)) m Sg(S, m) m = P or m = C

42 42 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 2H.4. Certificates (1) Outline a. Introduction b. Trust Through a Common Respected Individual c. Certificates for Identity Authentication d. Trust Without a Single Hierarchy

43 43 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates (2) a. Introduction (1) Need for trust in human interactions Trust w.r.t.: Individuals Institutions (e.g., bank, hospital, car dealer) Artifacts (e.g., car, Internet browser, software house) Trust in small village vs. big city Small village: implicit trust Everybody knows everybody Mr. X „feels” how much to trust Ms. Y Big city: need to consider trust explicitly Ask around to find trusted entities Inquire friends, office mates, etc. about good car dealer, dentist, etc. Check „reputation databases” E.g., BBB=Better Business Bureau

44 44 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates (3) Introduction (2) Selected trust characteristics Trust comes in degrees of trust Vs. binary trust (with a single trust threshold) Ubiquity of trust in social and artificial systems Many users/computer systems err by trusting blindly (trust without evidence or verification!) E.g., OS trusts all application pgms – any allowed to run E.g., sers trust unknown web sites with personal data

45 45 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates (4) Introduction (3) Basic means of building trust toward person / institution / artifact X Familiarity with X Person: face, voice, handwriting, etc. Institution: company name, image, good will, etc Artifact: manufacturer name, perceived quality, etc First-hand experience wih X’s activities/performance Good or bad experience (trust or distrust grows) Reputation of X determined by evidence / credentials Reputation = second-hand knowledge of X’s actions/perf. Reputation databases (e.g., BBB, industry organizations, etc.) with „good” evidence or lack of „bad” evidence) Credentials: X’s driver license, library card, credit card Affiliation of X with person/institution/artifact Y Trust/distrust toward Y rubs off on X

46 46 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates (5) Introduction (4) Basic means of verifying trust toward person / institution / artifact X „Dovyeryay noh provyeryay” („Trust but verify”, a Russian proverb) — Ronald Reagan (at the start of historic negotiations with Gornachev) Verify one’s experience Check own notes about X’s activities/performance Verify reputation evidence / credentials Call back to verify phone number Check user feedback about quality of artifact (online) Check reputation DB (e.g., consumer reports, BBB) for data Verify affiliation Check with employer if X still employed Check reputation of Y with which X is affiliated

47 47 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates (6) Introduction (5) Often trust is based on appearance of authenticity, without careful verification E.g., business order from Company A sent to company B Order sent w/o careful verification of A by B Why? Verification is expensive Trust prevails in business Risk of fraud or swindle is low B might be „insured” against being cheated A trusted third-party intermediary assumes transaction risk E.g., buyer’s bank guarantees a transaction payment Appearance of authenticity can be used by fraudster

48 48 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates (7) Introduction (6) Need similarly common and efficient/effective trust mechanisms in the Cyber Space Need somebody or something to: assume risks OR vouch for the other party A trusted third party is a basis for trust When two interacting parties do not trust each other sufficiently

49 49 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 b. Trust Through Common Trusted Individual (1) Hierarchical structure of organizations CEO / Divisions/ Departments / Groups / Projects CEO doesn’t know engineers directly Still, CEO controls all via intermediate managers => hierarchy as basis for trust in an organization Example Ann meets Andy Andy claims he works for the same company Ann can verify via common trusted individual / trusted third party (TTP)  via Bill and Betty if Bill knows/trusts Betty  via Bill and Camilla, otherwise Camilla Betty Bill Ann Andy

50 50 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Trust Through Common Trusted Individual (2) Analogous approach for crypto key exchange Example Ann and Andy want to comm- unicate Ann gives K PUB-Ann to Bill Bill passes K PUB-Ann to Camilla (or to Betty if he trusts her) Camilla passes K PUB-Ann to Betty Betty passes K PUB-Ann to Andy Camilla is TTP (trusted third party) Camilla Betty Bill Ann Andy

51 51 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Trust Through Common Trusted Individual (3) In reality need to pass more than just K PUB-Ann Every sender attaches an evidence of identity Ann: Statement of Identity (SoI) Bill, Camilla Betty: Transmittal of Identity (ToI) Andy receives K PUB-Ann with: Ann’s proof of identity Proof of identity for all intermediaries Proof that each inter- mediary received K PUB-Ann from trusted sender E.g., Betty sends K PUB-Ann with the stmt: „I am Betty and I received this key, SoI, and 2 ToIs from a person I know to be Camilla” K PUB-Ann +SoI K PUB-Ann +SoI+ToI Camilla Betty Bill Ann Andy K PUB-Ann +SoI +2 ToIs K PUB-Ann +SoI +3 ToIs

52 52 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Trust Through Common Trusted Individual (4) In reality need to pass more than just K PUB-Ann – CONT. Andy can verify chain of evidence (SoI + ToI’s) This assures Andy that key was sent by Ann and not forged Public key authentication (delivered by trusted people) Binding of key to Ann Trustworthy Ann’s identification as sender of this key K PUB-Ann +SoI K PUB-Ann +SoI+ToI Camilla Betty Bill Ann Andy K PUB-Ann +SoI +2 ToIs K PUB-Ann +SoI +3 ToIs

53 53 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Trust Through Common Trusted Individual (5) Works pretty well within an org There’s always sb common & trusted for any 2 employees (at the top or below) Problems : 1)If Bill, Camilla, or Betty out of town, Ann & Andy have to wait for key exchange 2)Person at the top works too hard to exchange all keys quickly K PUB-Ann +SoI K PUB-Ann +SoI+ToI Camilla Betty Bill Ann Andy K PUB-Ann +SoI +2 ToIs K PUB-Ann +SoI +3 ToIs

54 54 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Camilla Betty Bill Ann Andy Trust Through Common Trusted Individual (6) Protocol Solving Problem 1 (TTP absence) :  Idea: preauthenticated public key for (single) future use  Ann asks Bill for complete chain from top down to her  Bill provides chain:  Ann requests for TOIs for her SOI ahead of time  Ann receives from Bill 2 TOIs:  TOI#637: “I, Bill, gave this TOI to Ann to confirm her identity for SOI#27” + Bill’s signature  TOI#5492: “I, Camilla, gave this TOI to Bill to confirm his identity for TOI#637” + Camilla’s signature  Ann can use SOI+TOIs any time  Think about full scenario Hint: Andy prepares his SOI+TOIs ahead of time

55 55 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Trust Through Common Trusted Individual (7) Protocol Solving Problem 2 (TTP’s heavy workload) :  Idea: preauthenticated public key for unlimited future use  Top TTP (e.g., a CEO) sends his TOIs to all Division Mgr  “I, Sushil, company CEO, attest to the identity of the Auto Division Mgr Diana, and I entrust Diana with attesting identities of her subordinates.”  Each Division Mgr sends TOIs to all Dept Mgrs  E.g., “I, Diana, Auto Division Mgr, attest to the identity of the Engine Dept Mgr Debbie, and I entrust Debbie with attesting identities of her subordinates.”  Note: Division Mgr is a TTP for all people working in her Division  …...

56 56 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Trust Through Common Trusted Individual (8) Protocol Solving Problem 2 (TTP’s heavy workload) :—CONT  …...  Each Group Leader sends TOIs to all Task Leaders  E.g., “I, Camille, Piston Group Leader, attest to the identity of the Piston Rings Task Leader Bill, and I entrust Bill with attesting identities of his subordinates.”  Note: Group Leader is a TTP for all people working in her Group  Each Task Leader sends TOIs to all his employees  E.g., “I, Bill, Piston Rings Task Leader, attest to the identity of Piston Rings Engineer Ann.”  Note: Task Leader is a TTP for all people working on his Task  Chain: Sushil—Diana—…—Camilla—Bill—Ann  Good exercise: Think about protocol details – work out full scenario

57 57 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 c. Certificates to Authenticate Identity (1) Certificate for X TTP’s signature certifies trustworthiness of binding K PUB-X with X’s identity I.e., states that K PUB-X is really X’s public key How are certificates created? Identifier of X K PUB-X TTP’s Signature

58 58 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates to Authenticate Identity (2) Creating certificates for the company example Sushil (CEO) (chain: Sushil—Diana—…—Camilla—Bill—Ann) Establishes Posts K PUB-Sushil for every Division Mgr to copy Receives request for certificate (encoded with K PUB-Sushil ) from Division Mgr X Creates M X = (knows K PUB-X ) E.g., M Diana = Signs M X with Sg Sushil Sg Sushil = D(M X, K PRIV-Sushil ) ‘Diana’ K PUB-Diana ‘Diana’ K PUB-Diana Sg Sushil

59 59 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates to Authenticate Identity (3) Creating certificates... example—CONT. Sushil encrypts M X and Sg Sushil with K PRIV-Sushil, producing certificate for Div.Mgr X: Cert X = E(, K PRIV-Sushil ) Note: Others can read certificate, but only its issuer can update it! E.g., produces certificate for Diana: Cert Diana = E(, K PRIV-Sushil ) Sends certificate to Div. Mgr X ‘Diana’ K PUB-Diana Sg Sushil Cert Diana (shading indicates encryption) ‘Diana’ K PUB-Diana Sg Sushil

60 60 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 DIGRESSION—Note and understand these distinctions:  Using asymmetric cryptosystems: encrypt msg / sign msg / encrypt certificate  Encrypt msg – S encrypts (E) with R’s public key  R decrypts msg with R’s private key  Sign msg – to sign a msg, S uses decryption algorithm D with S’s private key  R authenticates signature using encryption algorithm E with S’s public key  Encrypt certificate – after signing a (pre-)certificate, its issuer encrypts (E) the whole (pre-) certficate with his own private key  Anybody who receives certificate can verify it by using decryption alg. D with certificate issuers’ public keys  But only certificate issuer can update a certificate she issued!

61 61 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates to Authenticate Identity (4) Creating certificates... example – CONT. Diana (Div. Mgr) (chain: Sushil—Diana—…—Camilla—Bill—Ann) Establishes Posts K PUB-Diana for every subordinate to copy Sends request for certificate to her boss (Sushil) — as mentioned above (request encoded with K PUB-Sushil ) Receives certificate from her boss Cert Diana = E(, K PRIV-Sushil ) ‘Diana’ K PUB-Diana Sg Sushil

62 62 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates to Authenticate Identity (5) Creating certificates... example – CONT. Diana receives request for certificate from Y, one of her Dept Mgrs Creates M Y = (knows K PUB-Y ) E.g., M Debbie = Signs M Y with Sg Diana Encrypts M Y and signature with K PRIV-Diana, producing pre-certificate for Dept Mgr X: preCert Y = E(, K PRIV-Diana ) E.g., produces pre-certificate for Debbie: preCert Debbie = E(, K PRIV-Diana ) ‘Debbie’ Sg Diana K PUB-Debbie preCert Debbie

63 63 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates to Authenticate Identity (6) Creating certificates... example – CONT. Diana attaches to preCert Y her own certificate, producing certificate for Y: Cert Y = preCert Y || Cert Diana E.g., produces certificate for Debbie: Cert Debbie = preCert Debbie || Cert Diana Sends Y’s certificate to Y... <procedure repetead by all mgrs from the chain below Diana and above Bill>... ‘Debbie’ Sg Diana K PUB-Debbie ‘Diana’ Sg Sushil K PUB-Diana ‘Debbie’ Sg Diana K PUB-Debbie Cert Debbie —incl. Debbie’s preCert (top half encr. with K PRIV-Diana ) and Diana’s Cert (bootom half encr. with K PRIV-Sushil ) preCert Debbie

64 64 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates to Authenticate Identity (7) Creating certificates... example – CONT. Bill (Task Leader) (chain: Sushil—Diana—…—Camilla—Bill—Ann) Establishes Posts K PUB-Bill for every subordinate to copy Sends request for certificate to his boss (Camilla) (request encoded with K PUB-Camilla ) Receives certificate from his boss (Camilla) Cert Bill = E(, K PRIV-Camilla ) ‘Bill’ K PUB-Bill Sg Camilla

65 65 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates to Authenticate Identity (8) Certificates for the company example – CONT. Bill receives request for certificate from Z, one of his Engineers Creates M Z = (knows K PUB-Z ) E.g., M Ann = Signs M Z with Sg Bill Encrypts M Z and signature with K PRIV-Bill, producing pre-certificate for Engineer Z: preCert Z = E(, K PRIV-Bill ) E.g., produces pre-certificate for Ann: preCert Ann = E(, K PRIV-Bill ) ‘Ann’ K PUB-Ann Sg Bill preCert Ann

66 66 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates to Authenticate Identity (9) Certificates for the company example – CONT. Bill attaches his Cert Bill to preCert Z, producing certificate for Z: Cert Z = preCert Z || Cert Bill Can become loooong! Cert Bill = preCert Bill || Cert Camilla = preCert Bill || preCert Camilla || Cert... = preCert Bill || preCert Camilla ||... || Cert Debbie = preCert Bill || preCert Camilla ||... || preCert Debbie || Cert Diana (cont.) ‘Ann’ K PUB-Ann Sg Bill preCert Ann

67 67 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates to Authenticate Identity (10) Certificates for the company example – CONT. E.g., if the full certification chain is: Sushil—Diana—Debbie—Ahmet—Camilla—Bill—Ann then the certificate for Ann is: Cert Ann = preCert Ann || preCert Bill || preCert Camilla || preCert Ahmet || preCert Debbie || Cert Diana Notes: - Diana has Cert defined by CEO => no preCert Diana - Cert’s become longer closer to the bottom of hierrarchy After creating Cert Z, Bill sends it to Z E.g., sends Cert Ann to Ann ‘X’ K PUB-X Sg TTP_of_X preCert X

68 68 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates to Authenticate Identity (11) We don’t want such loooong certificates! Note:The taller hierarchy the longer certificates Solution: Flatten the certificate hierarchy The ultimate: 1-level „hierarchy: Everybody (in a given organization) gets certificates from a single trusted Certificate Authority (CA) Note: If there is only single CA (not a chain of certifiers), there are no pre-certificates, only (flat) certificates (signed by CA only)

69 69 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates to Authenticate Identity (12) Requirements for a certification scheme: 1)Any participant can read Cert to determine X and K PUB-X. 2)Any participant can verify that Cert originated from CA (Certificate Authority) and is not counterfeit. 3)Only CA can create and update Cert. 4)Any participant can verify the currency of Cert. To this end, each Cert must include a timestamp (not discussed by us). Q: Does our scheme satify these requirements? [cf. Stallings - „Cryptography and Network Security”

70 70 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Certificates to Authenticate Identity (13) Requirements for a certification scheme: 1)Any participant can read Cert to determine X and K PUB-X. 2)Any participant can verify that Cert originated from CA (Certificate Authority) and is not counterfeit. 3)Only CA can create and update Cert. 4)Any participant can verify the currency of Cert. A to the Q: „Does our scheme satify these requirements?” 1)Yes: Can decrypt with K PUB-CA. 2)Yes: If can be decrypted with K PUB-CA, must’ve been encrypted by CA. 3)Yes: Only CA can encrypt Cert with K PUB-CA. 4)No, but...: Our scheme included no timestamps – but can be extended. [cf. Stallings - „Cryptography and Network Security”

71 71 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 d. Trust Without a Single Hierarchy (1) Certificate structure relies on TTP at the top of certificate hierarchy TTP is not certified by anybody! Must be very trustworthy If a „natural” hierarchy exists, certificate infrastructure can be based on it E.g., in a company Q: What if there is no „natural” hierarchy to use? E.g., Web sites on the Internet A: Can designate a person/organization to vouch for authenticity of people or documents E.g., a notary public for legal documents E.g., Registrar’s Office for grades

72 72 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Trust Without a Single Hierarchy (2) Q: How to find a trusted entity on the Internet? Not hierarchical organization Despite hierarchy of naming No „top” entity A: Some entities that are widely trusted outside Cyberspace, create certification entities in the Cyberspace E.g., C&W HKT, SecureNet, Verisign, eTrust in US Each one is at the „top” Each one has its users who trust it Different people, applications, etc., can and do use different TTPs (CAs) for certification

73 73 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Trust Without a Single Hierarchy (3) Considerations for key distribution protocols (such as the ones involving TTP or CA) : What are the operational restrictions? E.g., need for 7/24 operation What are the trust requirements? How are failures dealt with? How efficient is the protocol? How easy to implement is the protocol?... [cf. J. Leiwo]

74 74 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Remember and understand these distinctions:  Symmetric vs. asymmetric crypto systems  Asymmetric used:  to provide secure channel for exchange of symmetric keys  to encrypt vs. sign vs. whole certificate encryption  Asymmetric crypto system: Encrypt msg vs. sign msg vs. encrypt (pre-)certificate  Encrypt msg – S encrypts (E) with R’s public key  R decrypts msg with R’s private key  Sign msg – to sign a msg, S uses decryption algorithm D with S’s private key  R authenticates signature using encryption algorithm E with S’s public key  Encrypt (pre-)certificate – after signing a (pre-)certificate, certificate issuer encrypts (E) the whole (pre-)certficate with his own private key  Anybody who receives certificate can verify it by using decryption alg. D with certificate issuers’ public keys  But only certificate issuer can update certificates she issued!

75 75 © 2006 by Leszek T. Lilien Section 2-1 – Computer Security and Information Assurance – Spring 2006 Exercise scenarios to see you understand this well  Symmetric/asymmetric crypto systems  Asymmetric used to exchange symmetric keys  Using asymmetric cryptosystems: encrypt msg vs. sign msg vs. encrypt (pre-)certificate

76 End of: Introduction to Cryptology

Download ppt "CS 5950/6030 – Computer Security and Information Assurance Section 2: Introduction to Cryptology (Part 2) Dr. Leszek Lilien Department of Computer Science."

Similar presentations

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Lecture4 – Introduction to Cryptography 2 Rice ELEC 528/ COMP 538 Farinaz Koushanfar Spring 2009.

Lecture4 – Introduction to Cryptography 2 Rice ELEC 528/ COMP 538 Farinaz Koushanfar Spring 2009.
CS 5700 Computer Security and Information Assurance Section 4: Introduction to Cryptology - Part 2 Dr. Leszek Lilien Department of Computer Science Western.

CS 5700 Computer Security and Information Assurance Section 4: Introduction to Cryptology - Part 2 Dr. Leszek Lilien Department of Computer Science Western.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.

Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Digital Signatures Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Digital.

Digital Signatures Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Digital.
CS 5950/6030 Network Security Class 11 (M, 9/26/05) Leszek Lilien Department of Computer Science Western Michigan University [Based on Security in Computing.

CS 5950/6030 Network Security Class 11 (M, 9/26/05) Leszek Lilien Department of Computer Science Western Michigan University [Based on Security in Computing.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
DIGITAL SIGNATURES Fred Piper & Mert Özarar Codes & Ciphers Ltd 12 Duncan Road Richmond Surrey TW9 2JD Information Security Group Royal Holloway, University.

DIGITAL SIGNATURES Fred Piper & Mert Özarar Codes & Ciphers Ltd 12 Duncan Road Richmond Surrey TW9 2JD Information Security Group Royal Holloway, University.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
Cryptographic Technologies

Cryptographic Technologies
CS 5950/6030 Network Security Class 12 (W, 9/28/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.

CS 5950/6030 Network Security Class 12 (W, 9/28/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.

Similar presentations

Ads by Google