310 likes | 326 Views
Learn about using public key cryptography for network security services like confidentiality, authentication, and non-repudiation with practical examples and case studies.
E N D
The Application of Public Key Cryptography to Network Security Ted Reinhardt
Learning Objectives • Understand how public key cryptography can be used to provide network security services such as: • Confidentiality • Non-repudiation • Authentication • Notarization
Crypto System a pair of data transformations: • one encrypts • the other decrypts Encrypt Decrypt cipher text plain text plain text key key
Encryption Ek(m) c m plain text message c cipher text k key Decryption Dk(c) m c ciphertext m message k key
Symmetric Key Crypto System • same key is used for both transformations A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y HAL IBM IBM plain text Encrypt Decrypt ciphertext plain text Key=1 Key=1
A word about symmetric key crypto systems • Keys must be protected at all times at least to the highest level of the information exchanged for the entire useful life of the message. • Key distribution is therefore expensive • Keys must be changed frequently • large symmetric crypto networks are a nightmare to manage
Rijndael RC6 Twofish Casear RC4 CAST DES Triple DES Symmetric Algorithms Rijndael
Public Key Crypto System a pair of data transformations: • one encrypts • the other decrypts 03422AFDS IBM IBM Encrypt Decrypt ciphertext plain text plain text = public key private key
An Engineering Love StoryOur Cast of Players Carl A spy for a tabloid newspaper Bob Alice Totally Clueless Hopelessly in love with Bob
Public Key Crypto System • complementary key pairs • one private key, and a corresponding public key Name Public Private Alice 7 13 Bob 11 23 Carl 71 53 Private !!!
Name Public Private Alice 7 13 Bob 11 23 Carl 71 53 Public Key Crypto System • Alice encrypts message for Bob’s eyes only. Bob’s Public Key 11 Bob’s Private Key 23 plain text Alice Encrypt Bob Decrypt cipher text plain text I LOVE YOU #$@deew I LOVE YOU Sender to Receiver Confidentiality
Name Public Private Alice 7 13 Bob 11 23 Carl 71 53 Public Key Crypto System • Bob encrypts message for Alice’s eyes only. Alice’s Public Key 7 Alice’s Private Key 13 plain text Bob Encrypt Alice Decrypt ciphertext plain text Sender to Receiver Confidentiality
Confidentiality - Objective 1 • Sender to Receiver Confidentiality • Encrypt with Public Key of the Addressee • Equivalent to sealing an envelope by encrypting • Only the Receiver can decode with his own Private Key (as long as the Private Key is kept Private).
Name Public Private Alice 7 13 Bob 11 23 Carl 71 53 Public Key Cryptosystem • Alice digitally signs message for Bob Alice’s Public Key 7 Alice’s Private Key 13 plain text Alice Encrypt Bob Decrypt cipher text plain text Authentication / Digital Signature
Authentication & Non-Repudiation Objective #2 • Sender encrypts message with own private key • Receiver decrypts message with senders public key. • Correct decryption indicates the message is authentic.
Name Public Private Alice 7 13 Bob 11 23 Carl 71 53 Public Key Crypto System • Alice signs and seals message for Bob Bob’s Public Key 11 Alice’s Private Key 13 Ciphered Ciphertext Alice Encrypt Alice Encrypt ciphertext plain text Seal Sign Combined Digital Signature and Encryption
Name Public Private Alice 7 13 Bob 11 23 Carl 71 53 Public Key Crypto System • Bob unseals message, and authenticates it Alice’s Public Key 7 Bob’s Private Key 23 clear text Bob Decrypt Bob Decrypts message+ signature Ciphered cipher text • Authenticates Opens Combined Decryption and Authentication
Blind Notarization • Alice encrypts and signs a message for Bob’s Eyes Only • Alice send’s the message to Carl who takes Alices encrypted and signed message, adds a date time stamp (11AM 20 Sep 2004), and then signs it. • Bob can decode it and check the date time if there is a dispute.
Blind Notarization Notary Services Date-time stamp + Notary’s Signature Alice Signed by Alice Sealed for Bob’s Eyes Only Bob
Vulnerability in Key Management • Certification of Public Keys is required otherwise subject to middle man attack. Name Public Private Alice 71 53 Bob 71 23 Carl 71 53 Carl can now masquerade as Alice Carl can now read the message and then re-encrypt for the intended receiver
Solution to VulnerabilityCertificate Authority • Certification of Public Keys is required otherwise subject to middle man attack. Digitally Signed by the CA Alice Public Key=13 Expiry=10-Aug-2004 Certificate Authority is recognized by all parties
Symmetric vs Asymmetric • Public Key Crypto • Simplifies Key Management • Slow • Provides Digital Signature • Symmetric Key Crypto • Black Bag Key Management • Fast
HybridBest of Both Worlds • Use Symmetric Key as session key to encrypt data using Symmetric Key Cryptography • it is faster • Use Public Key to Encrypt Session Key • fewer key management problems
Message Digest • A one way function that provides a unique hash based on a data stream input (very low incidence of collision). • MD5 (Deprecated) • SHA-2 • SHA-3
Message Digests using SHA-3 Pay John $10.00 051ab8f030f65d80b5d736f4bc64e92139b9a1fdd7e4385b5b202c00cdbdc6e48b180ecff9ce03937ecd400d85dc558bd7e0d6bbc963d5e2ca5310e7206e08d1 Different Pay John $1,000,000.00 120b13f10e9c523d0e046af0a0b648e257472a0cf1795c6b4c4850fa8b25cac612a3ed1293364d1848fd8f858c58d15fd28854eba78aef203af35691fd2412da
Signature and Integrity Implementation Plain text Message Digest Plain text Message Digest Digest Digest Digitally Sign Signed Digest Integrity COMPARE
Practicalities of Implementation Plain text Symmetric Encryption Cipher text Random Session Key Alice’s Pub Key Public Key Encryption Alice’s Session Key Bob’s Pub Key Public Key Encryption Bob’s Session Key
Layer 3Virtual Private Network Alice VPN Gateway Internet Directory Certificate Authority VPN Gateway Bob
Layer 4Secure Sockets LayerTransport Layer Security TLS Appliance Protected Web Server Firewall Tunnel Internet TLS Enabled Browser
Issues • Who is going to be the CA • How does a CA decide to trust another CA • If someone is no longer ok, how do you revoke their credentials and distribute the info • What is the basis for trust • Certificate Policies, Certificate Practice Statements
Issues • What is required to make a legally binding transaction? • Where do you store the private key? • Key Escrow --- can someone backup your key for you in the event of loss? • How do you authenticate people far away the first time? • What algorithms are ok to use?