Presentation is loading. Please wait.

Presentation is loading. Please wait.

Digital Signatures. Public Key Cryptography Public Key Cryptography Requirements 1.It must be computationally easy to encipher or decipher a message.

Published byOscar Dennis Modified over 8 years ago

Similar presentations

Presentation on theme: "Digital Signatures. Public Key Cryptography Public Key Cryptography Requirements 1.It must be computationally easy to encipher or decipher a message."— Presentation transcript:

1 Digital Signatures

2 Public Key Cryptography

3 Public Key Cryptography Requirements 1.It must be computationally easy to encipher or decipher a message given the appropriate key 2.It must be computationally infeasible to derive the private key from the public key 3.It must be computationally infeasible to determine the private key from a chosen plaintext attack

4 RSA Exponentiation cipher Relies on the difficulty of determining the number of numbers relatively prime to a large integer n

5 Background Totient function  (n) –Number of positive integers less than n and relatively prime to n Relatively prime means with no factors in common with n Example:  (10) = 4 –1, 3, 7, 9 are relatively prime to 10 Example:  (21) = 12 –1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are relatively prime to 21

6 Algorithm Choose two large prime numbers p, q –Let n = pq; then  (n) = (p–1)(q–1) –Choose e < n such that e is relatively prime to  (n). –Compute d such that ed mod  (n) = 1 Public key: (e, n); private key: d Encipher: c = m e mod n Decipher: m = c d mod n

7 Example: Confidentiality Take p = 7, q = 11, so n = 77 and  (n) = 60 Alice chooses e = 17, making d = 53 Bob wants to send Alice secret message HELLO (07 04 11 11 14) –07 17 mod 77 = 28 –04 17 mod 77 = 16 –11 17 mod 77 = 44 –14 17 mod 77 = 42 Bob sends 28 16 44 44 42

8 Example Alice receives 28 16 44 44 42 Alice uses private key, d = 53, to decrypt message: –28 53 mod 77 = 07 –16 53 mod 77 = 04 –44 53 mod 77 = 11 –42 53 mod 77 = 14 Alice translates message to letters to read HELLO –No one else could read it, as only Alice knows her private key and that is needed for decryption

9 Example: Integrity/Authentication Take p = 7, q = 11, so n = 77 and  (n) = 60 Alice chooses e = 17, making d = 53 Alice wants to send Bob message HELLO (07 04 11 11 14) so Bob knows it is what Alice sent (no changes in transit, and authenticated) –07 53 mod 77 = 35 –04 53 mod 77 = 09 –11 53 mod 77 = 44 –14 53 mod 77 = 49 Alice sends 35 09 44 44 49

10 Example Bob receives 35 09 44 44 49 Bob uses Alice’s public key, e = 17, n = 77, to decrypt message: –35 17 mod 77 = 07 –09 17 mod 77 = 04 –44 17 mod 77 = 11 –49 17 mod 77 = 14 Bob translates message to letters to read HELLO –Alice sent it as only she knows her private key, so no one else could have enciphered it –If (enciphered) message’s blocks (letters) altered in transit, would not decrypt properly

11 Example: Both Alice wants to send Bob message HELLO both enciphered and authenticated (integrity-checked) –Alice’s keys: public (17, 77); private: 53 –Bob’s keys: public: (37, 77); private: 13 Alice enciphers HELLO (07 04 11 11 14): –(07 53 mod 77) 37 mod 77 = 07 –(04 53 mod 77) 37 mod 77 = 37 –(11 53 mod 77) 37 mod 77 = 44 –(14 53 mod 77) 37 mod 77 = 14 Alice sends 07 37 44 44 14

12 Security Services Confidentiality –Only the owner of the private key knows it, so text enciphered with public key cannot be read by anyone except the owner of the private key Authentication –Only the owner of the private key knows it, so text enciphered with private key must have been generated by the owner

13 More Security Services Integrity –Enciphered letters cannot be changed undetectably without knowing private key Non-Repudiation –Message enciphered with private key came from someone who knew it

14 Warnings Encipher message in blocks considerably larger than the examples here –If 1 character per block, RSA can be broken using statistical attacks (just like classical cryptosystems) –Attacker cannot alter letters, but can rearrange them and alter message meaning Example: reverse enciphered message of text ON to get NO

15 Cryptographic Checksums

16 Mathematical function to generate a set of k bits from a set of n bits (where k ≤ n). –k is smaller then n except in unusual circumstances Example: ASCII parity bit –ASCII has 7 bits; 8th bit is “parity” –Even parity: even number of 1 bits –Odd parity: odd number of 1 bits

17 Hashing

18 Definition Cryptographic checksum h: A  B: 1.For any x  A, h(x) is easy to compute 2.For any y  B, it is computationally infeasible to find x  A such that h(x) = y 3.It is computationally infeasible to find two inputs x, x  A such that x ≠ x and h(x) = h(x) –Alternate form (stronger): Given any x  A, it is computationally infeasible to find a different x  A such that h(x) = h(x).

19 Collisions If x ≠ x and h(x) = h(x), x and x are a collision –Pigeonhole principle: if there are n containers for n+1 objects, then at least one container will have 2 objects in it. –Application: if there are 32 files and 8 possible cryptographic checksum values, at least one value corresponds to at least 4 files

20 Keys Keyed cryptographic checksum: requires cryptographic key –DES in chaining mode: encipher message, use last n bits. Requires a key to encipher, so it is a keyed cryptographic checksum. Keyless cryptographic checksum: requires no cryptographic key –MD5 and SHA-1 are best known; others include MD4, HAVAL, and Snefru

21 Public Key Infrastructure

22 Key exchange –Session vs. interchange keys –Classical, public key methods Cryptographic key infrastructure –Certificates

23 Notation X  Y : { Z || W } k X,Y –X sends Y the message produced by concatenating Z and W enciphered by key k X,Y, which is shared by users X and Y A  T : { Z } k A || { W } k A,T –A sends T a message consisting of the concatenation of Z enciphered using k A, A’s key, and W enciphered using k A,T, the key shared by A and T r 1, r 2 nonces (nonrepeating random numbers)

24 Session, Interchange Keys Alice wants to send a message m to Bob –Assume public key encryption –Alice generates a random cryptographic key k s and uses it to encipher m To be used for this message only Called a session key –She enciphers k s with Bob;s public key k B k B enciphers all session keys Alice uses to communicate with Bob Called an interchange key –Alice sends { m } k s { k s } k B

25 Secret-key systems structure

26 Benefits Limits amount of traffic enciphered with single key –Standard practice, to decrease the amount of traffic an attacker can obtain Prevents some attacks –Example: Alice will send Bob message that is either “BUY” or “SELL”. Eve computes possible ciphertexts { “BUY” } k B and { “SELL” } k B. Eve intercepts enciphered message, compares, and gets plaintext at once

27 Key Exchange Algorithms Goal: Alice, Bob get shared key –Key cannot be sent in clear Attacker can listen in Key can be sent enciphered, or derived from exchanged data plus data not known to an eavesdropper –Alice, Bob may trust third party –All cryptosystems, protocols publicly known Only secret data is the keys, ancillary information known only to Alice and Bob needed to derive keys Anything transmitted is assumed known to attacker

28 Classical Key Exchange Bootstrap problem: how do Alice, Bob begin? –Alice can’t send it to Bob in the clear! Assume trusted third party, Cathy –Alice and Cathy share secret key k A –Bob and Cathy share secret key k B Use this to exchange shared key k s

29 Simple Protocol Alice Cathy { request for session key to Bob } k A Alice Cathy { k s } k A || { k s } k B Alice Bob { k s } k B

30 Problems How does Bob know he is talking to Alice? –Replay attack: Eve records message from Alice to Bob, later replays it; Bob may think he’s talking to Alice, but he isn’t –Session key reuse: Eve replays message from Alice to Bob, so Bob re-uses session key Protocols must provide authentication and defense against replay

31 Needham-Schroeder AliceCathy Alice || Bob || r 1 AliceCathy { Alice || Bob || r 1 || k s || { Alice || k s } k B } k A AliceBob { Alice || k s } k B AliceBob { r 2 } k s AliceBob { r 2 – 1 } k s

32 Public Key Key Exchange Here interchange keys known –e A, e B Alice and Bob’s public keys known to all –d A, d B Alice and Bob’s private keys known only to owner Simple protocol –k s is desired session key Alice Bob { k s } e B

33 Problem and Solution Vulnerable to forgery or replay –Because e B known to anyone, Bob has no assurance that Alice sent message Simple fix uses Alice’s private key –k s is desired session key Alice Bob { { k s } d A } e B

34 Notes Can include message enciphered with k s Assumes Bob has Alice’s public key, and vice versa –If not, each must get it from public server –If keys not bound to identity of owner, attacker Eve can launch a man-in-the-middle attack (next slide; Cathy is public server providing public keys) Solution to this (binding identity to keys) discussed later as public key infrastructure (PKI)

35 Man-in-the-Middle Attack AliceCathy send Bob’s public key Eve Cathy send Bob’s public key Eve Cathy eBeB Alice eEeE Eve Alice Bob { k s } e E Eve Bob { k s } e B Eve intercepts request Eve intercepts message

36 Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as all keys are shared –Use protocols to agree on a shared key (see earlier) Public key: bind identity to public key –Crucial as people will use key to communicate with principal whose identity is bound to key –Erroneous binding means no secrecy between principals –Assume principal identified by an acceptable name

37 Certificates Create token (message) containing –Identity of principal (here, Alice) –Corresponding public key –Timestamp (when issued) –Other information (perhaps identity of signer) signed by trusted authority (here, Cathy) C A = { e A || Alice || T } d C

38 Use Bob gets Alice’s certificate –If he knows Cathy’s public key, he can decipher the certificate When was certificate issued? Is the principal Alice? –Now Bob has Alice’s public key Problem: Bob needs Cathy’s public key to validate certificate –Problem pushed “up” a level –Two approaches: Merkle’s tree, signature chains

39 The Problem Create certificate –Generate hash of certificate –Encipher hash with issuer’s private key Validate –Obtain issuer’s public key –Decipher enciphered hash –Recompute hash from certificate and compare Problem: getting issuer’s public key

40 PKI basic entities and operations

41 X.509 Certificate Some certificate components in X.509v3: –Version –Serial number –Signature algorithm identifier: hash algorithm –Issuer’s name; uniquely identifies issuer –Interval of validity –Subject’s name; uniquely identifies subject –Subject’s public key –Signature: enciphered hash

42 X.509 Certificate Validation Obtain issuer’s public key –The one for the particular signature algorithm Decipher signature –Gives hash of certificate Recompute hash from certificate and compare –If they differ, there’s a problem Check interval of validity –This confirms that certificate is current

43 Issuers Certification Authority (CA): entity that issues certificates

44 Multiple Issuers Multiple issuers pose validation problem Alice’s CA is Cathy; Bob’s CA is Don; how can Alice validate Bob’s certificate? Have Cathy and Don cross-certify –Each issues certificate for the other

45 Cross certificates

46 Validation and Cross-Certifying Certificates: –Cathy > –Dan –Cathy > –Dan > Alice validates Bob’s certificate –Alice obtains Cathy > –Alice uses (known) public key of Cathy to validate Cathy > –Alice uses Cathy > to validate Dan >

47 Certification Path Validation process

48 X.509 in Practice In the X.509 system, a CA issues a certificate binding a public key to a particular Distinguished Name in the X.500 tradition, or to an Alternative Name such as an e-mail address or a DNS-entry. An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system. Browsers such as Internet Explorer, Netscape/Mozilla, Opera and Safari come with root certificates pre-installed, so SSL certificates from larger vendors who have paid for the privilege of being pre- installed will work instantly. In effect the browsers' owners determine which CAs are trusted third parties for the browsers' users. –Although these root certificates can be removed or disabled, users rarely do so. –If pre-installed root certificates are removed on the Microsoft-platform, the operating-system re-installs them as soon as a web-site using the certificate is visited.

49 X.509 in Practice X.509 also includes standards for certificate revocation list (CRL) implementations, an often neglected aspect of PKI systems. The IETF-approved way of checking a certificate's validity is the Online Certificate Status Protocol (OCSP). Popular browsers like Internet Explorer and Firefox don't check for certificate revocation by default. The time lag for performing the checking could be one of the reasons.

50 A Sample X.509 certificate

51 This is an example of a decoded X.509 certificate for www.freesoft.org, generated with OpenSSL -- the actual certificate is about 1KB in size. It was issued by Thawte (since acquired by VeriSign), as stated in the Issuer field. Its subject contains many personal details, but the most important part is usually the common name (CN), as this is the part that must match the host being authenticated. Also included is an RSA public key (modulus and public exponent), followed by the signature, computed by taking a MD5 hash of the first part of the certificate and encrypting it with Thawte's RSA private key.

52 Certificate Validation To validate this certificate, one needs the certificate that matches the Issuer (Thawte Server CA) of the first certificate. First one verifies that the second certificate is of a CA kind; that is, that it can be used to issue other certificates. –This is done by inspecting a value of the CA attribute in the X509x3 extension section. Then the RSA public key from the CA certificate is used to decode the signature on the first certificate to obtain a MD5 hash, which must match an actual MD5 hash computed over the rest of the certificate.

53 An example CA certificate

54 This is an example of a self-signed certificate, as the issuer and subject are the same. There's no way to verify this certificate except by checking it against itself; instead, these top-level certificates are manually stored by web browsers. –Thawte is one of the root certificate authorities recognized by both Microsoft and Netscape. –This certificate comes with the web browser and is trusted by default. –As a long-lived, globally trusted certificate that can sign anything (as there are no constraints in the X509v3 Basic Constraints section), its matching private key has to be closely guarded.

55 Digital Signature

56 Construct that authenticated origin, contents of message in a manner provable to a disinterested third party (“judge”) Sender cannot deny having sent message (service is “nonrepudiation”) –Limited to technical proofs Inability to deny one’s cryptographic key was used to sign –One could claim the cryptographic key was stolen or compromised Legal proofs, etc., probably required; not dealt with here

57 Common Error Classical: Alice, Bob share key k –Alice sends m || { m } k to Bob This is a digital signatureWRONG This is not a digital signature –Why? Third party cannot determine whether Alice or Bob generated message

58 Classical Digital Signatures Require trusted third party –Alice, Bob each share keys with trusted party Cathy To resolve dispute, judge gets { m } k Alice, { m } k Bob, and has Cathy decipher them; if messages matched, contract was signed Alice Bob Cathy Bob Cathy Bob { m }k Alice { m }k Bob

59 Public Key Digital Signatures Alice’s keys are d Alice, e Alice Alice sends Bob m || { m } d Alice In case of dispute, judge computes { { m } d Alice } e Alice and if it is m, Alice signed message –She’s the only one who knows d Alice !

60

61 Digital signature with message encryption and decryption

62

63 RSA Digital Signatures Use private key to encipher message –Protocol for use is critical Key points: –Never sign random documents, and when signing, always sign hash and never document Mathematical properties can be turned against signer –Sign message first, then encipher Changing public keys causes forgery

64 Key Points Key management critical to effective use of cryptosystems –Different levels of keys (session vs. interchange) Keys need infrastructure to identify holders, allow revoking –Key escrowing complicates infrastructure Digital signatures provide integrity of origin and content Much easier with public key cryptosystems than with classical cryptosystems

Download ppt "Digital Signatures. Public Key Cryptography Public Key Cryptography Requirements 1.It must be computationally easy to encipher or decipher a message."

Similar presentations

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Digital Signatures Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Digital.

Digital Signatures Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Digital.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Computer Security Key Management

Computer Security Key Management
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.

1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.
Chapter 9: Key Management

Chapter 9: Key Management
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
1 Key Management CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 1, 2004.

1 Key Management CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 1, 2004.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

Similar presentations

Ads by Google