640 likes | 1.13k Views
Digital Signature and PKI Technology. Computer Networks and Internet Engineering Division Centre for Development of Advanced Computing (C-DAC) Electronics City, Bangalore. Agenda. Introduction to Cryptography Hash Functions Asymmetric key Cryptography PKI Components Digital Certificate
E N D
Digital Signature and PKI Technology Computer Networks and Internet Engineering Division Centre for Development of Advanced Computing (C-DAC)Electronics City, Bangalore.
Agenda • Introduction to Cryptography • Hash Functions • Asymmetric key Cryptography • PKI Components • Digital Certificate • Digital Signature • Trust Model
For trust worthiness in e-Transactions The application should provide the appropriate levels of assurances of : Privacy (Confidentiality): Ensuring that Data/Message/Document is kept confidential so that it is not read by unauthorized person Authenticity: Ensuring that Data/Message/Documentare genuine Integrity : Ensuring that Data/Message/Document is kept protected so that it is not modified by unauthorized person Non-Repudiation: Ensuring that one party of a transaction cannot deny having sent/received a transaction
Cryptography The study & practice of hiding, encrypting or secret writing; It uses mathematical & logical principles to secure information Plaintext: The message which has to be sent to other party. Encryption / Decryption: The process of transforming plain text input to an un-interpretable form is called Encryption. Decryption is reverse of Encryption. Therefore, this is a two-way function. 4
Cryptography… Cipher text: The message after it is encoded Key. This is a unique value (bit pattern, alphabetical sequence) that is used by the cipher for encryption/decryption The Cryptosystems are broadly classified into two: Symmetric Key Cryptography Asymmetric Key Cryptography 5
------- ------- ------- ------- ------- ------- ++++++ ++++++ ++++++ ++++++ ++++++ ++++++ ------- ------- ------- ------- ------- ------- “The quick brown fox jumps over the lazy dog” “The quick brown fox jumps over the lazy dog” “AxCv;5bmEseTfid3)fGsmWe#4^,sdgfMwir3:dkJeTsY8R\s@!q3%” Encryption / Decryption Decryption Encryption
Cryptographic Components • Major cryptographic components are: • Hash Functions • Symmetric Key Cryptography • Asymmetric Key Cryptography
Hash Function • A hash function is a cryptographic mechanism that operates as one-way function • Creates a digital representation or "fingerprint“ (Message Digest) • Fixed size output • Change to a message produces different digest Examples : MD5 , Secure Hashing Algorithm (SHA) 8
Hash - Example Hi Jai, I will be in the park at 3 pm Veeru Message Hi Jai, I will be in the park at 8 pm Veeru Hash Algorithm Message Digest d4216ytf6b9385fe502b165dfe8cec17 cfa2ce53017030315fde705b9382d9f4 Digests are Different
Hash - Consistency Aug 29, 2010 Dec 21, 2011 Hi Jai, I will be in the park at 3 pm Veeru Message Hi Jai, I will be in the park at 3 pm Veeru Hash Algorithm Message Digest cfa2ce53017030315fde705b9382d9f4 cfa2ce53017030315fde705b9382d9f4 Digests are Same
Hash - Uniqueness Hi Jai, I will be in the park at 3 pm Veeru Message Hello World, We are Launching new product soon. abcxyz Hash Algorithm Message Digest cfa2ce53017030315fde705b9382d9f4 cfa2ce53017030315fde705b9382d9f4 Digests are Same!! ?
Hash – One-way cfa2ce53017030315fde705b9382d9f4 X Hi Jai, I will be in the park at 3 pm Veeru
MD5 and SHA Message Hi Jai, I will be in the park at 3 pm Veeru Hi Jai, I will be in the park at 3 pm Veeru Hi Jai, I will be in the park at 3 pm Veeru SHA-2 SHA-1 MD5 Message Digest cfa2ce53017030315fde705b9382d9f4 2g5487f56r4etert654trc5d5e8d5ex5gttahy55e 1f695127f210144329ef98e6da4f4adb92c5f182 128 Bits 160 Bits 224/256/384/512
Symmetric Key Cryptography • Also called as Secret Key Cryptography or Single Key Cryptography. • Uses one key shared by both sender and receiver. • This key is used for both encryption and decryption. • Both parties have to agree on the key before start of the communication • Encryption and Decryption is extremely fast comparing to asymmetric cryptography Issues: • Jai and Veeru must agree on the secret key without anyone else finding out • Compromise of shared key leads to compromise of communication • Secure Key Distribution and Scaling
Encryption / Decryption Common key Message Message Encrypt Encrypted Message A B Decrypt Eavesdropper
Asymmetric Key Cryptography • Also called as Public Key Cryptography • Uses a related key pair wherein one is Private key and another is Public key • One for encryption, another for decryption • Knowledge of the encryption key doesn’t give you knowledge of the decryption key • A tool generates a related key pair (public & private key) • Publish the public key in a directory X Public Key Private Key KnJGdDzGSIHDZuOE iWLI+4jxMqmqVfAKr2E X Computationally Infeasible
Asymmetric Key Encryption Message Public key Private key Message Encrypted Message A B Encrypt Decrypt Eavesdropper
Confidentiality Encryption with Shared Key Encryption with Shared Key Jai Shared Key Shared Key Veeru Gabbar Message Message Encrypted Message Encryptor Hi Veeru I am Jai Decryptor Hi Veeru I am Jai #$23R*7&#e Encryption with Public Key of Receiver Encryption with Public Key of Receiver Jai Veeru Veeru’s Public Key Private Key Gabbar Message Message Encrypted Message Encryptor Hi Veeru I am Jai Decryptor Hi Veeru I am Jai TG8O&*%$6vk
Authenticity Encryption with Shared Key Shared Key Shared Key Veeru Gabbar Message Message Encrypted Message Encryptor Hi Veeru I am Jai Decryptor Hi Veeru I am Jai #$23R*7&#e Encryption with Private Key of Sender Jai Veeru Jai’s Private Key Jai’s Public Key Gabbar Message Message Encrypted Message Encryptor Hi Veeru I am Jai Decryptor Hi Veeru I am Jai #$23R*7&#e
Integrity using Symmetric Key Integrity Jai Veeru Shared Key Shared Key Gabbar Enc.Digest Enc.Digest Message Dec. Digest Message Enc. Digest Enc. Digest Digest Hi Veeru I am Jai %*t% Hi Veeru I am Jai Message Comp. Digest Confidentiality & Integrity Veeru Shared Key - 2 Shared Key - 2 Gabbar Enc. Digest Message Encrypted Message %*t% Hi Veeru I am Jai #$23R*7&#e Enc. Digest #$23R*7&#e Message
Integrity using Asymmetric Key Integrity Jai Veeru Jai’s Private Key Jai’s Public Key Gabbar Signature Computed Digest Message Dec. Digest Message Signature Digest Hi Veeru I am Jai %*t% Hi Veeru I am Jai Message Comp. Digest Confidentiality & Integrity Veeru’s Public Key Veeru Private Key Gabbar Signature Message Encrypted Message %*t% Hi Veeru I am Jai #$23R*7&#e #$23R*7&#e Signature Message
Symmetric Key Pros and Cons What can be achieved using Symmetric Key ? • Confidentiality • Integrity • Authentication What about Non-repudiation ?
Asymmetric Key Pros and Cons Weakness • Extremely slow Strength • Solves problem of passing the key Key Aspects • Public key encryption; RSA Misconceptions • More secure • Has made Symmetric encryption obsolete
Objective of the Indian IT Act 2000 • To grant legal recognition to records maintained in electronic form • To prescribe methods for authenticating electronic records • To define computer system and computer network misuse and make it legally actionable
Authentication Method Prescribed by the Indian IT Act 2000 • The Act specifies that authentication must be by Digital Signatures based upon Asymmetric Key Cryptography and Hash Functions. • The National Root CA uses a 2048 bit RSA key pair • Other CA and end entities use 1024 bit RSA key pairs
Regulation of Certifying Authorities • The IT Act provides the Controller for Certifying Authorities (CCA) to license and regulate the working of CA. • The CCA operates RCAI for certifying the public keys of CA’s using it private key
Certifying Authority (CA) • Certifying authority is an entity which issues Digital Certificate • It is a Trusted third party • CA’s are the important characteristics of Public Key Infrastructure (PKI) Responsibilities of CA • Verify the credentials of the person requesting for the certificate (RA’s responsibility) • Issue certificates • Revoke certificate • Generate and upload CRL
Hierarchical Trust Model • The IT Act mandates a hierarchical Trust Model • For a Digital Signature to have legal validity, it must derive its trust from the Root CA certificate National Root CA Licensed CA Licensed CA Licensed CA Subscribers Subscribers Subscribers
Licensed CA’s in India • National Root CA • Only issues CA certificates for licensed CAs • 7 CAs licensed under the National Root CA • SafeScrypt (www.safescrypt.com) • TCS (www.tcs-ca.tcs.co.in) • MTNL (www.mtnltrustline.com) • nCode (www.ncodesolutions.com) • National Informatics Centre (https://nicca.nic.in) • IDRBT (idbrtca.org.in) • 3i Infotech • As of now approx. 23,00,000 (2.3 Million) certificates have been issued.
Digital Certificate • A digital certificate binds the owners public key, name email and other necessary information together Veeru Info: Name: Veeru Department: AMD Certificate Info: Serial No: 93939 Exp Date: Veeru’s Public Key Digital Certificate Sign
Structure of Digital Certificate • The structure of a X.509 v3 digital certificate is as follows: • Certificate • Version • Serial Number • Algorithm ID • Issuer • Validity • Not Before • Not After • Subject • Subject Public Key Info • Public Key Algorithm • Subject Public Key • Issuer Unique Identifier (Optional) • Subject Unique Identifier (Optional) • Extensions (Optional) • ... • Certificate Signature Algorithm • Certificate Signature
Hand Signature vs Digital Signature • A Hand Signature on a document is • a unique pattern dependant on some secret known only to the signer and • additionally on the content of the message being signed • A Digital signature of a message is • a number dependent on some secret known only to the signer and • additionally on the content of the message being signed • Signatures must be verifiable • Applications • Authentication, • Data Integrity • Non-repudiation
Digital Signature • Key pairs of every individual • Public key : known to everyone • Private key: known only to the owner • To digitally sign an electronic document the signer uses his/her Private key • To verify a digital signature the verifier uses the signer’s Public key
Digital Signing – Step 1 This is an example of how to create a message digest and how to digitally sign a document using Public Key cryptography Hash Message Digest
Digital Signing – Step 2 Encrypt with private key Message Digest Digital Signature
Digital Signing – Step 3 This is an example of how to create a message digest and how to digitally sign a document using Public Key cryptography Append Digital Signature Digital Signature
Digital Signature verification This is an example of how to create a message digest and how to digitally sign a document using Public Key cryptography Hash Message Digest Decrypt with public key Message Digest Digital Signature
SHA-1 PRIV Digital Signature Algorithm (Eg: RSA) Hash Signing a Document Electronic documents of any type and any length can be digitally signed as follows... An electronic document is fed into a one-way hash algorithm (SHA-1) to produce a fixed-length “hash value” The “hash value” is a fixed number that is extremely sensitive to any changes in the document—even a single bit changed will result in a different hash value The resulting hash value is next fed into the Digital Signature Algorithm (DSA) using the signer’s private key The output of the Digital Signature Algorithm is the actual digital signature that can be attached to the original document to form a signed document Signed Document Private Key Hash
SHA-1 PUB YES Digital Signature Algorithm (Eg: RSA) =? NO Validating a Digital Signature The signature is fed into the Digital Signature Algorithm using the public key of the signer (from their certificate) and producing what should be the same hash value Finally, the two hash values are compared to see if they are equal If the hash values are equal, then the signature is valid—i.e., the source is authenticated and the document has not been modified The original document is used to re-compute the one-way hash value If the hash values are not equal, then the signature is invalid—i.e., either the source is not who they claim to be or the document has been modified Signed Document Public Key Hash Hash
Case 1: E-Procurement Digital Signature Certificates used by Vendors and Issuers of a Tender Process of e-Procurement for Indian Railways
Process flow chart Attach corrigendum Create tender notice Time stamp Time stamp E-TENDER BOX E-TENDER BOX Attach tender document Upload Tender Upload Tender Upload Tender encrypt HTML receipt SUBMIT BID SUBMIT BID Digital signature Digital signature Digital signature Digital signature Digital signature Free download Free download Free download Free download Vender Registration Vender Registration Digital Certificate Digital Certificate Digital Certificate Digital Certificate Digital Certificate
Post tender opening work flow E-TENDER BOX Time lock Contracts requests Decrypt With PK Decrypt and Open Upload Generate Tabulation View online Store archive CONTRACT Rate-wise technical commercial
PKI-enabled Applications • Passport Seva Project (PSP) • PKI-enabled Internet Banking Transactions • Currently implemented and used by corporate customers • Mobile PKI • PKI-enabled SMS for Internet Banking
PKI-enabled Applications by C-DAC • PKI based Workflow • PKI based Secure Messaging System • PKI based Authentication for Web based services • Mobile PKI Solutions for m-Commerce website authentication
References • Cryptography and Network security – principles and practice William Stallings • Applied Cryptography, Second Edition: Bruce Schneier • http://campustechnology.com/articles/39190_2 • http://csrc.nist.gov/ • Handbook of Applied Cryptography, by Menezes • http://en.wikipedia.org • Cryptographic Techniques for N/w Security