250 likes | 405 Views
P ublic K ey I nfrastructure. Alex Bardas. What is Cryptography ?. Cryptography is a mathematical method of protecting information Cryptography is part of, but not equal to, security In modern computing, crypto is used to remediate deficiencies in the cyber space.
E N D
Public Key Infrastructure Alex Bardas
What is Cryptography ? • Cryptography is a mathematical method of protecting information • Cryptography is part of, but not equal to, security • In modern computing, crypto is used to remediate deficiencies in the cyber space
Cryptographic Primitives • Four Cryptographic Primitives: • Cryptographic Hash • Symmetric Encryption • Asymmetric Encryption • Digital Signatures
Cryptographic Hash • If the message content is changed, the hash will be different (provides integrity guarantee) • Knowing the hash does not reveal the input message Hashing is NOT encryption! Examples: SHA-1 “Unique” Fixed-length String (Hash or Digest) Text Message (variable length) Cryptographic Hash Function
Cryptographic Hash Example Image source: http://en.wikipedia.org/wiki/File:Cryptographic_Hash_Function.svg
Encryption vs. Hashing Image source: http://www.unixwiz.net/techtips/iguide-crypto-hashes.html
Symmetric Encryption (Secret-key Encryption) • Encryption and decryption use the same key • Examples: AES Encrypted Message Clear Text Message Clear Text Message Encrypted Message Encryption Algorithm Decryption Algorithm 1. Shared Key Shared Key 2.
Asymmetric Encryption (Public-key Encryption) • Every party has a pair of keys: <Kpub , Kpriv> • Encryption and decryption use different keys • It is hard to infer private key from the public key Examples: RSA, El-Gamal Public Key: announced to everyone Private Key: known to the owner only
Asymmetric Encryption (Public-key Encryption) 1. Encrypted Message Clear Text Message Clear Text Message Encrypted Message Encryption Algorithm Decryption Algorithm Public Key Private Key 2.
Digital Signature • Based on asymmetric crypto - Examples: RSA, DSA, El-Gamal • Properties of a Digital Signature: • Verification of the validity of a digital signature needs only the public key • Only the owner of the corresponding private key can produce a valid signature • There is also MAC (Message Authentication Code) – signing using a shared key (based on symmetric cryptography)
Digital Signature 1. Signed Message Signature is valid Message Signed Message Signing Algorithm Verification Algorithm Private Key Public Key 2.
A digitally signed Email Message Image source: http://www.wintellect.com/cs/blogs/pmehner/archive/2009/10/10/howto-obtain-and-configure-a-free-certificate-for-digitally-signing-your-outlook-2007-email.aspx
Public Crypto Challenge Alice has Bob’s Public Key Bob has Alice’s Public Key I am out of luck today • What if Alice and Bob cannot meet and exchange public keys ? • What if Alice and Bob don’t know each other ? • How to do they know that the public key that they are using belongs to the other legitimate party and not to a malicious third party ?
Man-In-The-Middle Alice thinks she has Bob’s Public Key Bob thinks he has Alice’s Public Key Eve has Bob’s and Alice legitimate public keys “Somehow” Alice and Bob have Eve’s public keys It’s Eve’s lucky day
How to Distribute Public Keys ? • Ad-Hoc public key distribution (distribute at will) • Alice and Bob exchange public keys in a reliable way • Public directory (similar to the telephone directory) • Use a read-only directory (hard to modify/forge in a large scale) • Published on paper
Public Key Distribution • We want to distribute public keys in electronic form, NOT on paper • How to verify the authenticity of the digital directory? Use digital signature
Certification Authority (CA) • Alice and Bob don’t know each other but they both trust Cindy (Certification Authority) • Alice and Bob have Cindy’s public key • Cindy certifies Alice and Bob’s public keys => Digital Certificates
Digital Certificates Cindy’s (CA) Digital Signature • What does the certificate tell us? • This public key belongs to Alice. • Alice is not a CA (Certification Authority)
Public Key Infrastructure • What if Alice and Bob do not have a common friend? • Cindy cannot be everywhere, Bob knows her but Alice doesn’t • We have to find a trustworthy person that knows Cindy and Alice • Carl knows Cindy but doesn’t know Alice directly • Carl knows John and John knows Alice • Certification chain
Multiple Certification Authorities (CAs) Carl R L11 L12 CA hierarchy John Cindy L23 L21 L22 L24 L31 L32 L33 L35 L34 L36 L37 L38 Alice Bob
How are we getting the CA keys? • Web Browsers are coming with an important number of root CA keys • Other CA’s or single digital certificates can be added by the user (can be risky)
Sources of Information • CIS751 Basic Crypto & PKI slide sets by Xinming (Simon) Ou – Kansas State University