COEN 250 Cryptography, Certificates, PKI, X509 Standard
Cryptography • Scrambles plain text into cipher text (encryption). • Enables the intended receiver to descramble it back into plain text (decryption). • Originally used to provide confidentiality of information. • Now also used for • authentication (of a person, of a message, …) • integrity • validity • non-repudiation • …
Cryptography and the Federal Agency • Federal standards are documented in Federal Information Processing Standards (FIPS) Publications. • NIST recommendations and guidelines are documented in NIST Special Publications (SPs). • Cryptographic modules and algorithms are validated against these specifications (NIST's CMVP and CAVP programs).
Cryptography and the Federal Agency • FIPS: • Mandatory standard • Adopted via a signature by the Secretary of Commerce • NIST Recommendation: • Similar to FIPS • Not signed by the SoC • Example: • A federal agency requires the use of encryption to protect its data. • An approved algorithm shall be used. • AES and TDEA were the only algorithms approved for data encryption when these slides were written. • When AES is used, it shall be used as specified in FIPS 197. • When TDEA is used, it shall be used as specified in SP 800-67, the Triple DEA recommendation (SP 800-16 is the IT security training guideline, not a cipher specification). • Caveat: NIST has since deprecated TDEA; SP 800-131A Rev. 2 disallows it for encryption after 2023.
Cryptography and the Federal Agency • Other Standards: • American National Standards Institute (ANSI) • X9 standards committee working in security, crypto • www.x9.org • Institute of Electrical and Electronics Engineers (IEEE) • Internet Engineering Task Force (IETF)
Symmetric Cryptography • Uses the same key for encryption, decryption
Symmetric Cryptography • Current Standards • Data Encryption Standard (DES), 1977 • Broken: its 56-bit key was brute-forced in days by 1998 • Withdrawn in 2005 • Triple Data Encryption Algorithm (TDEA) • Uses DES as a component (three DES operations; 168 key bits, about 112 bits of effective security) • Not broken outright, but its 64-bit block size limits how much data one key may protect; originally scheduled to be phased out by 2030, later moved forward by NIST to 2023 (SP 800-131A Rev. 2) • Advanced Encryption Standard (AES), FIPS 197: 128-bit block, 128/192/256-bit keys
Asymmetric Cryptography • Uses different key for encryption, decryption
Message Authentication Codes • A cryptographic hash condenses a message into a short, fixed-size digest. • MD5 and SHA-1 were listed as suitable when these slides were written; both have practical collision attacks today and should not be used. SHA-2 (e.g. SHA-256) or SHA-3 are the current choices. • A hash alone provides no authentication: anyone who alters the message can recompute the digest. • A MAC binds the digest to a secret key known only to sender and receiver, for example by encrypting the digest under that key. • FIPS 198: The Keyed-Hash Message Authentication Code (HMAC)
Message Authentication Code • Alternatively, feed the secret key into the hash computation itself (a keyed hash such as HMAC). • This also provides authentication of the sender, since only holders of the key can produce a valid tag. • It does not provide non-repudiation: both parties hold the same key, so either could have produced the tag.
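The difference between a bare hash and a keyed MAC, as an added example that is not part of the lecture. The messages, the key and the attacker's rewrite are constructed for the demo; the known-answer vector is test case 1 of RFC 4231, the HMAC-SHA-256 vectors that accompany FIPS 198. The check also uses a constant-time comparison, which is how a receiver should compare tags in practice.

```python
"""HMAC (FIPS 198) versus an unkeyed hash. Added example, not the lecture's code."""
import hashlib
import hmac


def unkeyed_tag(msg: bytes) -> str:
    """Integrity check without a key: detects accidental corruption only."""
    return hashlib.sha256(msg).hexdigest()


def keyed_tag(key: bytes, msg: bytes) -> str:
    """HMAC over SHA-256: only holders of `key` can compute it."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, msg: bytes, tag: str) -> bool:
    """Constant-time comparison; a plain `==` on tags leaks a timing oracle."""
    return hmac.compare_digest(keyed_tag(key, msg), tag)


def receiver_accepts_unkeyed(msg: bytes, tag: str) -> bool:
    """What a receiver relying on a bare hash can check."""
    return unkeyed_tag(msg) == tag


def attacker_rewrites(msg: bytes) -> bytes:
    """Constructed attacker: changes the amount in a transfer order."""
    return msg.replace(b"amount=100", b"amount=900")


def attack_unkeyed(msg: bytes) -> bool:
    """True if the attacker's forged (message, tag) pair is accepted."""
    forged = attacker_rewrites(msg)
    forged_tag = unkeyed_tag(forged)           # no key needed: anyone can recompute
    return receiver_accepts_unkeyed(forged, forged_tag)


def attack_keyed(key: bytes, msg: bytes) -> bool:
    """Attacker alters the message but cannot recompute HMAC without the key.
    Best effort: reuse the original tag, or substitute an unkeyed hash."""
    original_tag = keyed_tag(key, msg)
    forged = attacker_rewrites(msg)
    return (verify_tag(key, forged, original_tag)
            or verify_tag(key, forged, unkeyed_tag(forged)))


def rfc4231_test_case_1() -> bool:
    """Known-answer test: sanity-check the primitive before trusting it."""
    key, data = b"\x0b" * 20, b"Hi There"
    expected = ("b0344c61d8db38535ca8afceaf0bf12b"
                "881dc200c9833da726e9376c2e32cff7")
    return keyed_tag(key, data) == expected


if __name__ == "__main__":
    key = b"shared-secret-from-key-establishment"   # constructed demo key
    order = b"from=alice;to=bob;amount=100"
    print("bare hash, forgery accepted:", attack_unkeyed(order))
    print("HMAC, forgery accepted:", attack_keyed(key, order))
    print("RFC 4231 vector ok:", rfc4231_test_case_1())
```

The unkeyed variant is accepted every time because the "tag" carries no secret; the keyed variant fails because producing a valid HMAC for the rewritten order requires the key. The key itself must come from a key-establishment step, which is the subject of the key management slides that follow.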
Use of Asymmetric Cryptography • Generic idea: Make one key public. • How? • Website • Website can be spoofed. • On your business card • Works for individuals, requires recipient to type in several lines of gibberish correctly. • From a trusted source • Going back and back: Where does the trust stem from?
Use of Asymmetric Cryptography • Notation: • E – public key, D – private (secret) key • E_C(M) – encryption of M using key C • D_C(M) – decryption of M using key C • Asymmetric cryptography key identities: • D_D(E_E(M)) = M (encrypt with the public key, decrypt with the private key) • D_E(E_D(M)) = M (apply the private key, undo with the public key) • The second identity holds for RSA, which is what the signing slides below rely on; not every asymmetric scheme has it.
Use of Asymmetric Cryptography • Secret transmission of messages • Alice uses Bob's public key to encrypt her messages to him: E_{E(Bob)}(M). • Bob uses his private key to decrypt the message: D_{D(Bob)}(E_{E(Bob)}(M)) = M.
Use of Asymmetric Cryptography • Signing a message I: • Alice encrypts the message with her private key: E_{D(Alice)}(M). • Bob decrypts with her public key and obtains M = D_{E(Alice)}(E_{D(Alice)}(M)). • If M makes sense, Bob knows that someone holding Alice's private key sent the message.
Use of Asymmetric Cryptography • Signing a message II • This method avoids encrypting the whole message. • Asymmetric cryptography is very compute intensive. • Alice computes a hash of her message, H(M) (the original slide calls it a MAC, but no key is involved in this step). • She sends Bob M and E_{D(Alice)}(H(M)). • Bob calculates D_{E(Alice)}(E_{D(Alice)}(H(M))) = H(M). • Bob hashes the received M himself and verifies that the two values match. • Bob concludes that the message was sent by someone knowing Alice's private key. • In practice the hash is padded before the private-key operation (PKCS #1 v1.5 or PSS); raw "textbook" RSA on a bare hash is not how deployed signatures work.
Key Management • Generic rules: • Use symmetric cryptography as much as possible, for performance. • Use each key for one function only (never the same key for encryption and for authentication), and limit how long and for how much data a key is used. • Use key wrapping (encrypting keys under other keys) to move keys around. • Key management therefore becomes an issue of its own.
Key Management • Key Management Life Cycles: • Key establishment • Key generation • Key distribution • Key backup / recovery, key escrow • Key replacement / update (rekeying) • Key revocation • Key expiration / Key termination / Key destruction
Key Management • Keys have limited lifetimes: • Cryptanalysis is easier with more material. • Breaking WEP involves harvesting a large number of packets. • Once found, a compromised key continues to do damage.
Key Management • Key generation • No federal standard for symmetric key generation existed when these slides were written (NIST SP 800-133 now covers it) • Not all pseudo-random number generators and implementations are created equal • Key transport • Distribution of keying material from one party to another • Key agreement • Protocols that create shared keying material • NIST SP 800-56 • Key management guidelines • NIST SP 800-57
Key Management • Key generation • Uses random number generation • Pseudo-random generation derived from a seed • WEP: seed based on user key word. Not as random as appeared. • Hardware random number generation • Combined methods
Key Management • Key distribution • Has issues of authentication and confidentiality. • Diffie-Hellman protocol solves confidentiality: • Allows two parties to agree on a common secret. • Subject to the man-in-the-middle attack • Alice thinks that she shares a secret with Bob. • In reality, she communicates with M, and shares the secret with him. • M shares another secret with Bob.
Key Management • Key backup / recovery • Accidental loss of key • hardware failure, forgotten password … • Control of encrypted information • Employer cannot entrust enterprise-critical data to complete control of a single / group of employees. • Key escrow • To preserve possibility of access by law enforcement agencies. • In the UK, it is a crime to withhold a key to encrypted data under subpoena. • In the US, such a law is seen to contradict 5th amendment protection.
Key Management • Key destruction • Secure key destruction is far easier than secure file erasure. • Key destruction destroys accessibility to encrypted data. • Key archiving • Necessary for validation of old signatures, of integrity of old messages, …
Key Management • Symmetric key transport: • Send the symmetric key along with the message, wrapped under the recipient's public key (hybrid encryption). • Saves processing time: only the short key goes through the asymmetric operation.
Diffie-Hellman • Uses calculation modulo p, p a large prime. • Chooses a generator g. • Ideally g^x, x = 0, …, p-2, runs through all the numbers 1, …, p-1. • Uses the fact that calculating powers g^x mod p is computationally feasible (square-and-multiply). • But the discrete logarithm (given g^x mod p, find x) is not.
Diffie-Hellman • Alice generates a random exponent a (1 < a < p-1). • Bob generates a random exponent b. • Alice sends Bob g^a mod p. • Bob sends Alice g^b mod p. • Alice calculates (g^b)^a mod p. • Bob calculates (g^a)^b mod p. • These numbers are identical, g^(ab) mod p, and form the shared key.
Diffie-Hellman • Man-in-the-middle attack (diagram: Alice – Man in the Middle – Bob)
Diffie-Hellman • Alice sends Bob g^a mod p. • But the message goes to the attacker, who sends Bob g^c mod p instead. • Bob sends Alice g^b mod p. • But the message goes to the attacker, who sends Alice g^d mod p instead. • Alice calculates (g^d)^a mod p. • Bob calculates (g^c)^b mod p. • This sets up one secure channel between the attacker and Alice and another between the attacker and Bob; the attacker decrypts, reads or modifies, and re-encrypts everything passing between them, and neither Alice nor Bob notices.
Diffie-Hellman • Secure against eavesdroppers. • Can be secured against the man-in-the-middle by authenticating g^b mod p (e.g. Bob signs it) or by using a published, previously known value of g^b mod p.
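The exchange, the man-in-the-middle of the previous slides, and the "published value" fix, as an added example that is not the lecture's own code. The group parameters are an assumption made for the demo: P = 2^127 - 1 (a Mersenne prime) and G = 3 are small enough to run instantly but are not a standardized group; real deployments use the RFC 7919 finite-field groups or an elliptic-curve group. The example also shows two checks the slides do not mention: rejecting degenerate public values and running the shared secret through a hash before using it as a key.

```python
"""Diffie-Hellman, MITM and the pinned-value fix. Added example, not the lecture's code."""
import hashlib
import secrets

P = (1 << 127) - 1   # assumption: Mersenne prime M127, demo-sized, not a standard group
G = 3                # not 2: 2**127 = 1 mod P, so 2 would generate only 127 elements


def keypair(p: int = P, g: int = G):
    """Private exponent x from a CSPRNG, public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2            # x in [2, p-2]
    return x, pow(g, x, p)


def check_public(y: int, p: int = P) -> bool:
    """Reject 0, 1 and p-1: they force the shared secret to a value the sender knows."""
    return 2 <= y <= p - 2


def shared_key(my_priv: int, their_pub: int, p: int = P) -> bytes:
    """(g^b)^a mod p followed by a KDF step: never use the raw group element as a key."""
    if not check_public(their_pub, p):
        raise ValueError("bad public value")
    secret = pow(their_pub, my_priv, p)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def honest_exchange() -> bool:
    """Alice and Bob compute the same key: (g^b)^a = (g^a)^b = g^(ab)."""
    a, A = keypair()
    b, B = keypair()
    return shared_key(a, B) == shared_key(b, A)


def mitm_exchange():
    """Mallory (the 'alien' of the slides) swaps both public values.
    Returns (alice_key == bob_key, Alice shares with Mallory, Bob shares with Mallory)."""
    a, A = keypair()
    b, B = keypair()
    c, C = keypair()                            # Mallory's value sent on to Bob
    d, D = keypair()                            # Mallory's value sent on to Alice
    k_alice = shared_key(a, D)                  # Alice believes D came from Bob
    k_bob = shared_key(b, C)                    # Bob believes C came from Alice
    k_mallory_alice = shared_key(d, A)
    k_mallory_bob = shared_key(c, B)
    return (k_alice == k_bob,
            k_alice == k_mallory_alice,
            k_bob == k_mallory_bob)


def pinned_exchange():
    """'Published value' fix: Alice uses the long-term g^b she already trusts
    and ignores whatever arrives on the wire.
    Returns (alice_key == bob_key, Mallory can compute alice_key)."""
    b, B = keypair()                            # Bob's published value
    a, A = keypair()
    d, D = keypair()                            # Mallory tries to substitute D
    k_alice = shared_key(a, B)                  # pinned B; D is never used
    k_bob = shared_key(b, A)
    k_mallory = shared_key(d, A)                # without b this is unrelated to k_alice
    return k_alice == k_bob, k_alice == k_mallory


if __name__ == "__main__":
    print("honest:", honest_exchange())
    print("MITM (alice==bob, alice==mallory, bob==mallory):", mitm_exchange())
    print("pinned (alice==bob, mallory knows key):", pinned_exchange())
```

Pinning Bob's value authenticates only Bob: Mallory can no longer read Alice's traffic, but Bob still has no way to tell Alice's g^a from Mallory's, which is exactly the one-sided authentication a server certificate gives and why the certificate slides that follow matter.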
Diffie Hellman and all other schemes • The problem is one of authentication and trust.
Certificates • THE authentication mechanism for E-commerce. • Allows customers to authenticate the e-merchant. • Misrepresentation of e-merchants is the goal of phishing.
Certificates • Working Mechanism • Certificate is a signed message containing an (e-merchants) public key. • Signer needs to be trusted. • Signer public key needs to be loaded at user workstation. • User needs to be able to trust that key.
Certificates • (diagram) • The OS or browser vendor preinstalls the CA's public key E_CA in the browser. • The user browses to the website (Ms. Li). • The site presents its certificate, (Ms. Li, E_Li) signed by the CA, written E_CA(Ms. Li, E_Li) in the diagram. • The browser checks the signature with E_CA, then a session key is exchanged encrypted under E_Li. • The site authenticates itself by using the session key, which only the holder of D_Li could have recovered.
Certificates • Key distribution • Crucial for authentication, privacy, signing, … • Public key technology can use certificates • A Certificate Authority (CA) generates certificates: • Certificate = (Name, Public Key) signed by the CA • All nodes need to be preconfigured with the CA's public key.
Certificate Authority vs. Key Distribution Center • CA in contrast to KDC: • The CA does not need to be online. • The CA is not a distributed computing entity. • Simpler, hence more secure. • A CA crash merely prevents setting up new users. • Certificates are not security sensitive: they can be stored anywhere with universal read privileges. • Deleting a certificate would only disable the use of that public key (an availability problem, not a confidentiality one). • A compromised CA cannot read past conversations; it holds no session keys. • However, it can issue bogus certificates, which lets an attacker impersonate any subject and so mount a man-in-the-middle on new conversations. • Overall a CA is more secure and more convenient than a KDC.
Certificate Revocation • A certificate vouches for a public key. • But a public key becomes unusable if the corresponding private key is stolen. • Certificates should not be eternal: • they need an expiration date, • and the CA needs to be able to revoke a certificate before it expires.
Certificate Structure • Certificate includes: • User’s name • User’s public key • Expiration time • Serial number of certificate • CA name • Issuing CA’s signature on the entire contents of the certificate.
Certificate Revocation • Certificate Revocation List (CRL) • Published periodically by each CA. • Lists serial numbers of certificates that should not be honored. • CRLs have issue time.
Certificate Revocation • Push or Pull model • Pull: Users access CRL remotely. • Push: Broadcast CRL. • Needs reliable distribution mechanism. • Needs small CRL. • US DoD Multi-level Information System Security Initiative (MISSI) developed a PKI for the Defense Messaging System. • Used CRL broadcasting only for revocation caused by key compromises. • Reliable access to all participants.
Certificate Revocation • Make certificate revocation unnecessary by handing out only short-lived certificates.
Certificate Revocation Lists • CRLs • CRLs can be very large. • Publish mostly only a Δ-list (delta CRL: the changes since the last full list). • A Δ-list can be very short, often empty. • Users update their private copy of the CRL. • From time to time, publish a full list, or give one only to new users.
Certificate Revocation Lists • First Valid Certificate • Goal: allow CRLs to be compressed. • Certificates carry no expiration date. • The CRL contains a first-valid-certificate field. • All certificates with a serial number lower than that field are invalid (assumes serial numbers are issued in increasing order, so all old certificates can be cut off at once).
Certificate Revocation Lists • On-Line Revocation Service (OLRS) • A system that can be queried over the net whether a certificate is invalid (the deployed form of this idea is OCSP, RFC 6960). • If the service is unavailable, Alice can choose to accept certificates on trust; an attacker who can block the service then defeats revocation ("soft fail"). • OLRS certificates • The OLRS can issue a signed, time-stamped statement: • "Bob's certificate is valid as of 6:05 GMT, January 20, 2005."
Certificate Revocation Lists • Good lists vs. bad lists • Good lists are much bigger. • A good list publishes all valid certificates. • Hence, a good list contains hashes of certificates rather than full copies. • Good lists solve one security problem: • A CA employee can issue a bogus certificate off the books, possibly reusing a valid serial number. • The bogus certificate cannot be put on the bad list (nobody knows it exists), but the good list can be audited: a certificate missing from it is not to be honored.
Certification Paths • Alice wants to communicate with Bob: • Bob has a certificate from Crystal. • Alice does not know Crystal. • Therefore, Alice needs a certificate for Crystal's public key. • Crystal has a certificate from Dan. • Alice does not know Dan. • Therefore Alice needs a certificate for Dan's public key. • …
Trust Anchors • (diagram: certification path Alice – Bob – Crystal – Dan – Eve – Fred – Microsoft) • Alice needs to trust someone in the certificate chain.
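Hash-then-sign from the "Signing a message II" slide, the certificate fields from "Certificate Structure", a CRL check, and a certification path walked back to a trust anchor, combined in one added example that is not the lecture's code. The names Dan, Crystal and Bob follow the slides; the keys, serial numbers and dates are constructed. Assumptions: textbook RSA with roughly 40-bit moduli and no padding, so that the E_D / D_E identities of the notation slide are visible in two lines of code; this is insecure by design, and real code uses 2048-bit or larger keys with PKCS #1 padding and a real X.509 library. A JSON encoding with sorted keys stands in for DER as the canonical to-be-signed form.

```python
"""Toy RSA signatures, certificates, CRL and chain validation. Added example."""
import hashlib
import json
import math
import time

E = 65537   # public exponent shared by all toy keys


def next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (fine for the ~10**6 range used here)."""
    while not (n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))):
        n += 1
    return n


def keygen(seed: int):
    """Deterministic toy RSA keypair ((E, n), (d, n)); `seed` only picks the primes."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    while math.gcd(E, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)


def digest(data: bytes, n: int) -> int:
    """Hash the message, not the raw message, and reduce it into the group."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    d, n = private
    return pow(digest(data, n), d, n)             # E_{D(Alice)}(H(M))


def verify(public, data: bytes, sig: int) -> bool:
    e, n = public
    return pow(sig, e, n) == digest(data, n)      # D_{E(Alice)}(sig) == H(M)?


def tbs_bytes(fields: dict) -> bytes:
    """Canonical encoding of the to-be-signed part (DER plays this role in X.509)."""
    return json.dumps(fields, sort_keys=True).encode()


def issue(issuer, issuer_priv, subject, subject_pub, serial, not_after):
    """The CA signs (subject name, public key, expiry, serial, issuer name)."""
    tbs = {"subject": subject, "public_key": list(subject_pub),
           "not_after": not_after, "serial": serial, "issuer": issuer}
    return {"tbs": tbs, "sig": sign(issuer_priv, tbs_bytes(tbs))}


def verify_chain(chain, trust_anchors, crl, now):
    """chain = [leaf, its issuer, ...]; the last cert's issuer must be a trust
    anchor (name -> public key). crl = set of (issuer, serial). Returns (ok, why)."""
    for i, cert in enumerate(chain):
        tbs = cert["tbs"]
        if now > tbs["not_after"]:
            return False, f"{tbs['subject']}: expired"
        if (tbs["issuer"], tbs["serial"]) in crl:
            return False, f"{tbs['subject']}: revoked"
        if i + 1 < len(chain):                     # issuer is the next cert in the path
            issuer_tbs = chain[i + 1]["tbs"]
            if issuer_tbs["subject"] != tbs["issuer"]:
                return False, f"{tbs['subject']}: issuer name mismatch"
            issuer_pub = tuple(issuer_tbs["public_key"])
        elif tbs["issuer"] in trust_anchors:       # reached a preconfigured CA key
            issuer_pub = trust_anchors[tbs["issuer"]]
        else:
            return False, f"{tbs['subject']}: issuer {tbs['issuer']} not trusted"
        if not verify(issuer_pub, tbs_bytes(tbs), cert["sig"]):
            return False, f"{tbs['subject']}: bad signature"
    return True, "ok"


def demo(now: int = None) -> dict:
    """Builds Dan (trust anchor) -> Crystal -> Bob and exercises every check."""
    now = int(time.time()) if now is None else now
    year = 365 * 86400
    dan_pub, dan_priv = keygen(900_001)            # Dan's key is preinstalled with Alice
    crystal_pub, crystal_priv = keygen(910_001)
    bob_pub, bob_priv = keygen(920_001)
    anchors = {"Dan": dan_pub}
    crystal = issue("Dan", dan_priv, "Crystal", crystal_pub, 1, now + 5 * year)
    bob = issue("Crystal", crystal_priv, "Bob", bob_pub, 2, now + year)
    forged = {"tbs": dict(bob["tbs"], subject="Mallory"), "sig": bob["sig"]}
    msg = b"pay Alice 100"
    return {
        "valid": verify_chain([bob, crystal], anchors, set(), now),
        "expired": verify_chain([bob, crystal], anchors, set(), now + 2 * year),
        "revoked": verify_chain([bob, crystal], anchors, {("Dan", 1)}, now),
        "no_anchor": verify_chain([bob], anchors, set(), now),
        "forged": verify_chain([forged, crystal], anchors, set(), now),
        "message_ok": verify(bob_pub, msg, sign(bob_priv, msg)),
        "message_tampered": verify(bob_pub, msg + b"0", sign(bob_priv, msg)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17} {result}")
```

Revoking Crystal's certificate (serial 1 under Dan) invalidates Bob's otherwise good certificate as well, which is why a CRL entry for an intermediate CA is so disruptive; and the chain with no path to Dan fails even though every signature in it is correct, which is the trust-anchor point of the slide above.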
Certificate Authorities • Organization might have its own Certificate Authority. • Independent Certificate Authorities are like notaries: • Trusted. • Disinterested. • Attesting to designated facts.
Public Key Infrastructure • A PKI consists of the components necessary to securely distribute public keys: • Certification Authorities • A repository for retrieving certificates • A method of revoking certificates • A method of evaluating a chain of certificates
Public Key Infrastructure • Issuer: signs certificate with name and key. • Subject: name contained in a certificate. • Target: The name in the name-key association that someone wants to trust. • Verifier / Relying Party: Evaluator of a chain of certificates. • Principal: Anyone with a public key. • Trust Anchor: public key that someone has decided to always trust.
PKI Trust Models • Monopoly: • There is one single CA in the world. • Vatican, US government, UN, Microsoft, Sun, Verisign, Chief rabbinate, … • The key of the universal trust anchor could never be changed without causing mayhem. • CA needs to verify every-one.