CIS3360: Chapter 8: Cryptography Application of Public Cryptography Cliff Zou Spring 2012

1. CIS3360: Chapter 8: CryptographyApplication of Public CryptographyCliff ZouSpring 2012 Network Security TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAA

2. Acknowledgement • Some slides are modified from the slides provided by textbook: • Computer Networking: A Top Down Approach Featuring the Internet, J. Kurose & K. Ross, Addison Wesley, 4rd ed., 2007 Network Security

3. Cryptographic technique analogous to hand-written signatures. sender (Bob) digitally signs document, establishing he is document owner/creator. verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document Digital Signatures Network Security

4. Simple digital signature for message m: Bob signs m by encrypting with his private key KB, creating “signed” message, KB(m) - K B Digital Signatures - - Bob’s private key Bob’s message, P Dear Alice Oh, how I have missed you. I think of you all the time! …(blah blah blah) Bob Bob’s message, P, signed (encrypted) with his private key Public key encryption algorithm Network Security

5. Suppose Alice receives: msg P’, and its digital signature Alice verifies P’ signed by Bob by applying Bob’s public key to checks if Alice thus verifies that: Bob signed P. No one else signed P. Bob signed P and not a different P’. Non-repudiation: Alice can take P, and its signature to court and prove that Bob signed P. Digital Signatures (more) Network Security

6. Computationally expensive to public-key-encrypt long messages Goal: fixed-length, easy- to-compute digital “fingerprint” apply hash function H to m, get fixed size message digest, H(m). Hash function properties: many-to-1 produces fixed-size msg digest (fingerprint) given message digest x, computationally infeasible to find m such that x = H(m) Message Digests large message P H: Hash Function H(m) Network Security

7. MD5 hash function widely used (RFC 1321) computes 128-bit message digest in 4-step process. arbitrary 128-bit string x, appears difficult to construct msg m whose MD5 hash is equal to x. SHA-1 is also used. US standard [NIST, FIPS PUB 180-1] 160-bit message digest Hash Function Algorithms Network Security

8. Digital signature = signed message digest H: Hash function H: Hash function large message m large message m + - digital signature (decrypt) digital signature (encrypt) K K B B + H(m) H(m) Bob sends digitally signed message: Alice verifies signature and integrity of digitally signed message: encrypted msg digest H(m) Bob’s private key Bob’s public key encrypted msg digest equal ? No confidentiality ! Network Security

9. Public key problem: When Alice obtains Bob’s public key (from web site, e-mail, diskette), how does she know it is Bob’s public key, not Trudy’s? Solution: trusted certification authority (CA) Trusted Intermediaries Network Security

10. + + digital signature (encrypt) K K B B K CA Certification Authorities • Certification authority (CA): binds public key to particular entity, E. • E (person, router) registers its public key with CA. • E provides “proof of identity” to CA. • CA creates certificate binding E to its public key. • certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key” Bob’s public key CA private key certificate for Bob’s public key, signed by CA - Bob’s identifying information Network Security

11. + + digital signature (decrypt) K K B B K CA Certification Authorities • When Alice wants Bob’s public key: • gets Bob’s certificate (Bob or elsewhere). • apply CA’s public key to Bob’s certificate, get Bob’s public key Bob’s public key CA public key + Network Security

12. A certificate contains: • Serial number (unique to issuer) • info about certificate owner, including algorithm and key value itself (not shown) • info about certificate issuer • valid dates • digital signature by issuer Network Security

13. Internet Web Security Architecture Web Server B CA K+B Client A Cert Request EK+B(KAB, R) EKAB(R) EKAB(m) Network Security

14. Internet Web Security Conditions • Clients’ web browsers have built-in CAs. • CAs are trustable • Web servers have certificates in CAs. • Q: What if a server has no certificate? • Example: SSH servers Network Security

15. SSH Example Web Server B Client A • Initial setup: • Trust the first-time connection • Save the server’s public key EK+B(KAB, R) EKAB(R) EKAB(m) Network Security

16. . KS( ) + KB + . + KB( ) Secure e-mail • Assumption: Public keys are pre-distributed securely • E.g: through CA, or pre-established like SSH • Alice wants to send confidential e-mail, m, to Bob. KS KS(m ) m Internet KS • Alice: • generates random symmetric private key, KS. • encrypts message with KS (for efficiency) • also encrypts KS with Bob’s public key. • sends both KS(m) and K+B(KS) to Bob. Network Security

17. D() E() + - KB KB + - D() E() Secure e-mail • Alice wants to send confidential e-mail, m, to Bob. KS EKS(m ) EKS(m ) m m KS Internet KS • Bob: • uses his private key to decrypt and recover KS • uses KS to decrypt EKS(m) to recover m Network Security

18. + - KA KA - + . . + - KA( ) KA( ) . . H(m ) m H( ) H( ) compare Internet m H(m ) m Secure e-mail (continued) • Alice wants to provide sender authentication message integrity. • Alice digitally signs message. • sends both message (in the clear) and digital signature. Network Security

19. . KS( ) + - KA KB + + KS m . - KA( ) . H( ) m Internet KS . + KB( ) Secure e-mail (continued) • Alice wants to provide secrecy, sender authentication, message integrity. Alice uses three keys: her private key, Bob’s public key, newly created symmetric key Network Security