
Security

Security: Keys, Signatures, Encryption. Slides by Jyrki Nummenmaa. Keys are the basis for encryption. They can be used for identification, encryption, signatures, and certificates. We will skip the mathematics and only explain how the keys can be used.


Presentation Transcript


  1. Security Keys, Signatures, Encryption

  2. Slides by Jyrki Nummenmaa

  3. Keys • Keys are the basis for encryption. • They can be used for identification, encryption, signatures, and certificates. • We will skip the mathematics and only explain how the keys can be used.

  4. Using a secret key - General • Messages are encrypted using a secret key known to both parties. • The algorithms are usually faster than with public/private key pairs. • Problem: How can both parties get to know the secret key whilst keeping it secret?

  5. Using a secret key - Encryption • The sender encrypts the message using an algorithm (which may be publicly well known) and the secret key (which is secret, as the name implies). • The recipient decrypts the message using a well-known algorithm and the secret key (of course, the algorithms must match).

  6. Using a private/public key pair - General • Each communicating agent has a private key, only known to herself, and a public key, known to all. • Principle: both keys are needed for certain operations (next slides will explain more). • Slower algorithms than with the single secret key.

  7. Using a private/public key pair - Generating a key pair • The key pair is generated using a random number algorithm in such a way that the keys match. • The private key can be protected with a passphrase, which you must know to be able to use the private key (the “real” private key is created from the passphrase and the permanently stored private key).

  8. Using a private/public key pair - Encryption • A sender encrypts a document using the recipient’s public key (known to everyone) and a well-known algorithm. • Decryption is in practice only possible with the recipient’s private key (known to the recipient only), so no one else can read the encrypted document.

  9. Encryption in practice for communicating secure processes • As secret key algorithms are faster, it is practical to use the public keys to agree on a one-time session secret key. • For this, both parties can create one-time session key pairs (private and public). • The secret session key is used for communication. • This is what e.g. SSL does.
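The session-key idea from slide 9, as an added example using the `java.security` and `javax.crypto` APIs (not code from the slides). The choice of ECDH, SHA-256 and AES-GCM is an assumption made for illustration; the slide names no algorithms.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class SessionKeyDemo {
    // Combine our one-time private key with the peer's one-time public key (ECDH is an assumption).
    static SecretKeySpec sessionKey(PrivateKey own, PublicKey peer) throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(own);
        ka.doPhase(peer, true);
        // Simplified derivation: hash the shared secret into a 256-bit AES key.
        byte[] k = MessageDigest.getInstance("SHA-256").digest(ka.generateSecret());
        return new SecretKeySpec(k, "AES");
    }

    // The fast secret-key algorithm that carries the actual traffic.
    static byte[] aesGcm(int mode, SecretKeySpec key, byte[] iv, byte[] data)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair client = kpg.generateKeyPair(); // one-time pairs, discarded after the session
        KeyPair server = kpg.generateKeyPair();

        // Only the public halves are exchanged; both sides derive the same secret key.
        SecretKeySpec clientKey = sessionKey(client.getPrivate(), server.getPublic());
        SecretKeySpec serverKey = sessionKey(server.getPrivate(), client.getPublic());

        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh per message, sent alongside the ciphertext
        byte[] sent = aesGcm(Cipher.ENCRYPT_MODE, clientKey, iv,
                "constructed sample message".getBytes(StandardCharsets.UTF_8));
        byte[] received = aesGcm(Cipher.DECRYPT_MODE, serverKey, iv, sent);
        System.out.println(new String(received, StandardCharsets.UTF_8));
    }
}
```

The one-time public keys in this sketch are exchanged without any proof of who sent them. Tying them to a known identity is the job of the signatures and certificates covered in the later slides.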

  10. Using a private/public key pair - Message integrity/1 • Message integrity = the message has not been changed or corrupted. • Tentative solution: calculate a code from the document and send it along. On receipt, a new code is calculated and compared with the code that was sent. If they match, the message has not changed.

  11. Using a private/public key pair - Message integrity/2 • The tentative solution works against corruption (a checksum). • However, if someone wants to change the message, then she could also change the code (checksum).

  12. Using a private/public key pair - Message integrity/3 • Improved solution: compute the code using the sender’s private key and the message (encrypt the code using the private key). This creates a signature, i.e. electronically signs the document. • The recipient can use the sender’s public key to decrypt the code. Then it is possible to check message integrity.

  13. Using a private/public key pair - Message integrity/4 • Q: What’s the difference between this and encryption? • A: The information the sender is giving out can be public and non-encrypted. It is only if you want to verify that the message has not been changed that you use the sender’s public key to check this.
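The checksum and signature approaches from slides 10 to 13 side by side, as an added example written against `java.security` (not code from the slides). SHA-256 and RSA are assumed algorithm choices, and the messages are constructed samples.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class IntegrityDemo {
    static byte[] code(byte[] msg) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(msg);
    }

    // Slide 10: the receiver recomputes the code and compares it with the one that was sent.
    static boolean checksumOk(byte[] msg, byte[] sentCode) throws GeneralSecurityException {
        return MessageDigest.isEqual(code(msg), sentCode);
    }

    // Slide 12: the code is bound to the sender's private key.
    static byte[] sign(PrivateKey key, byte[] msg) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(msg);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] msg, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(msg);
        return s.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sender = kpg.generateKeyPair();
        KeyPair other = kpg.generateKeyPair(); // anyone without the sender's private key
        byte[] original = "Meeting at 10:00".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] changed = "Meeting at 16:00".getBytes(StandardCharsets.UTF_8);

        // Slide 11: a stale checksum exposes the change, a replaced checksum hides it.
        System.out.println("old checksum, changed text: " + checksumOk(changed, code(original)));
        System.out.println("new checksum, changed text: " + checksumOk(changed, code(changed)));

        byte[] sig = sign(sender.getPrivate(), original);
        PublicKey pub = sender.getPublic();
        System.out.println("signature, original text:   " + verify(pub, original, sig));
        System.out.println("signature, changed text:    " + verify(pub, changed, sig));
        // Re-signing with any other key does not help: it fails against the sender's public key.
        System.out.println("re-signed with other key:   "
                + verify(pub, changed, sign(other.getPrivate(), changed)));
    }
}
```

Of the five checks, only the replaced checksum and the untouched signed message are accepted. The message text itself is never encrypted, which is the point of slide 13.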

  14. Authentication/1 • Suppose you receive mail from Elvis.Presley@heaven.com and you also get Elvis’ public key. • You receive messages which open with the public key -> you conclude that they have been sent using a matching private key. • How can you be sure who the sender is?

  15. Authentication/2 • Several possibilities: • It is Elvis himself, it is really his e-mail address, it is really his public key. • It is Elvis’s e-mail address, but someone is misusing it somehow, and he has generated a public/private key pair and sent you the public key (public part). • It is not even Elvis’ e-mail address.

  16. Authentication/3 • The real question is: How can you be sure of a sender’s identity in the Internet world? • Quite often, you are convinced that such a person or company exists. • Then, you need to know if the e-mail and the identity match.

  17. Authentication/4 - Certificates • A certificate is a document where someone states that a public key really belongs to the right person/company. • A certificate must be digitally signed by someone. • That someone may be a person, but more generally, it is a Certificate Authority (CA).

  18. Authentication/5 - Certificate Authorities • A Certificate Authority (CA) is a generally trusted, generally known enterprise. • The CA makes its public key (or a message digest of it) publicly available so widely that it is not practical for anyone else to claim to be that CA. • The CA (like VeriSign, see www.verisign.com) usually charges money for its services.

  19. Authentication/6 - Certification • The CA digitally signs public keys. (Or gives digital identities with private keys and matching digitally signed public keys.) • Anyone can check the certificate against the CA’s public key, thus making sure that the CA certifies the public key.

  20. Authentication/7 - Levels of certification • There are different levels of certification, along the following lines: • Certifying that a public key and an e-mail address belong together. • Certifying that a public key and a person’s identity belong together (for this you need to visit the CA in person). • Certifying that a company’s name and a public key belong together… • Read more from VeriSign.

  21. Authentication/8 - Certification chains • A certified person or company can give a certificate to another. • For example, if a CA (A) gives a certificate to Netscape (B), and Netscape gives a certificate to some Java applet programming company (C), then you can verify B’s public key using A’s and C’s public key using B’s.

  22. Authentication/9 - Certification risks • It all comes back to a CA, either directly or via a certificate chain. • In fact, it all comes back to the CA’s private key. • If someone guesses or steals or is able to compute (shouldn’t be possible) the CA’s private key, everything collapses.
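The A, B, C chain from slide 21 checked link by link, as an added example written against `java.security` (not code from the slides). The `Cert` class is a hypothetical stand-in that leaves out X.509 encoding, validity periods and revocation; RSA with SHA-256 is an assumed algorithm choice.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class ChainDemo {
    // Stand-in for a certificate: a name, a public key, and the issuer's signature over both.
    static final class Cert {
        final String subject; final PublicKey key; final byte[] issuerSig;
        Cert(String subject, PublicKey key, byte[] issuerSig) {
            this.subject = subject; this.key = key; this.issuerSig = issuerSig;
        }
    }
    // Feed the signed fields into a Signature object (simplified encoding, not X.509).
    static Signature feed(Signature s, String subject, PublicKey key) throws SignatureException {
        s.update(subject.getBytes(StandardCharsets.UTF_8));
        s.update(key.getEncoded());
        return s;
    }

    static Cert issue(PrivateKey issuer, String subject, PublicKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(issuer);
        return new Cert(subject, key, feed(s, subject, key).sign());
    }

    // Start from the trusted key; every certificate that verifies supplies the key for the next one.
    static boolean chainOk(PublicKey trusted, Cert... chain) throws GeneralSecurityException {
        PublicKey issuerKey = trusted;
        for (Cert c : chain) {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(issuerKey);
            if (!feed(s, c.subject, c.key).verify(c.issuerSig)) return false;
            issuerKey = c.key;
        }
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair a = kpg.generateKeyPair(), b = kpg.generateKeyPair();
        KeyPair c = kpg.generateKeyPair(), outsider = kpg.generateKeyPair();
        Cert certB = issue(a.getPrivate(), "B", b.getPublic());
        Cert certC = issue(b.getPrivate(), "C", c.getPublic());
        System.out.println("A -> B -> C: " + chainOk(a.getPublic(), certB, certC));
        // A "B" certificate that A never signed fails at the first link.
        Cert fakeB = issue(outsider.getPrivate(), "B", outsider.getPublic());
        System.out.println("outsider as B: " + chainOk(a.getPublic(), fakeB, certC));
    }
}
```

Everything `chainOk` accepts rests on A's private key staying secret, which is the risk slide 22 describes.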

  23. Available implementations • Java offers a java.security package, which comes with Java2 (jdk1.2.2), and a java.cryptix package, which is only available in the US; however, there are other implementations, like the one on www.cryptix.org. • SSL can be used through shttp. • However, we will start with PGP, which does not require programming.

  24. PGP (Pretty Good Privacy) • PGP is a public/private key pair system. • PGP is publicly available on e.g. kielo.uta.fi - start with pgp -h • PGP can be used for encryption and signatures. • You will need to create a key pair for yourself, after which you can start operating with it.
