Signature Validity States


Danny De Cock
Danny.DeCock@esat.kuleuven.be
Katholieke Universiteit Leuven/Dept. Elektrotechniek (ESAT)
Computer Security and Industrial Cryptography (COSIC)
Kasteelpark Arenberg 10, bus 2452, B-3001 Heverlee, Belgium
Slide 1

Slide 3: Signature Validity

[Figure: time axis with points A to K. Labelled events: signature verification, signature generation, start using key pair, publish public key, key pair generation, public key expires, private key expires.]

- [CJ]: New valid signatures may be generated
- [AC], [K, ∞[: All signature verifications fail
- [J, ∞[: Illegal to generate new signatures
- [C, ∞[: Signatures can be legally binding if verified in [CJ[

Slide 4: Signature Validity with Revocation

[Figure: time axis with points A to K. Labelled events: key pair generation, signature verification, signature generation, revoked certificate, suspended certificate, incident, last valid signature before the incident, public key expires, private key expires.]

- [GH]: Signatures created in [GI] should be invalid; H may be equal to I
- [I, ∞[: Illegal to generate new signatures
- [CG[: New valid signatures may be generated
- [AC], [H, ∞[: Signature verification returns invalid
- [CF]: Signatures validated before F may be valid forever

Slide 5: Long Term Signatures

Alice produces a digital signature on data D that will resist time:

- Alice collects a time stamp ts_1 from a trusted third party (TTP)
- Alice produces a digital signature DigSig_Alice(D, ts_1) on the time stamp ts_1 and the data D
- TTP validates a digital signature DigSig_Alice(D, ts_1) at time ts_2
- TTP computes a digital signature DigSig_TTP(DigSig_Alice(D, ts_1), ts_2) if and only if the TTP
  - has validated Alice's digital signature, and
  - confirms that the signature and Alice's full certificate chain were valid at time ts_2
- Alice can now indefinitely rely on DigSig_TTP(DigSig_Alice(D, ts_1), ts_2), even if her public key must be revoked, e.g., at time ts_3 (after ts_2), or if her public key expires

[Figure: time axis showing ts_1 with DigSig_Alice(D, ts_1), ts_2 with DigSig_TTP(DigSig_Alice(D, ts_1), ts_2), and ts_3.]

Note: This procedure assumes that no cryptographic weaknesses are discovered in the signature generation and validation algorithms and procedures.

Slide 6: Archiving Signed Data

Digital signatures remain valid forever if one stores:

- The digitally signed data
- The digital signature on the data
- The signer's certificate
- A proof of validity of the signer's certificate
- The verification timestamp of the signature

Bottom line:

- The integrity of this data should be protected!
- There is no need to retrieve the status of a certificate in the past!
- Protect your proofs in a digital vault
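The long-term signature procedure and the archived proof bundle described above, as an added Python example that is not part of the original slides. It swaps in toy textbook RSA with small constructed keys for a real signature scheme; the Cert record, the integer timestamps and all function names are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def make_key(p, q, e=65537):  # toy textbook RSA, no padding: (public, private)
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(n, *parts):
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % n

def sign(priv, *parts):
    return pow(digest(priv[0], *parts), priv[1], priv[0])

def verify(pub, sig, *parts):
    return pow(sig, pub[1], pub[0]) == digest(pub[0], *parts)

@dataclass
class Cert:  # hypothetical minimal certificate: public key plus validity data
    pub: tuple
    not_after: int
    revoked_at: Optional[int] = None
    def valid_at(self, t):
        return t <= self.not_after and (self.revoked_at is None or t < self.revoked_at)

def ttp_countersign(ttp_priv, cert, data, ts1, alice_sig, ts2):
    # TTP signs (alice_sig, ts2) only if signature and certificate are valid at ts2
    if verify(cert.pub, alice_sig, data, ts1) and cert.valid_at(ts2):
        return sign(ttp_priv, alice_sig, ts2)
    return None

def verify_live(cert, data, ts1, alice_sig, now):
    # ordinary verification: depends on the certificate status at 'now'
    return cert.valid_at(now) and verify(cert.pub, alice_sig, data, ts1)

def verify_archive(ttp_pub, b):
    # archived bundle: no certificate status lookup is needed
    return (verify(ttp_pub, b["ttp_sig"], b["alice_sig"], b["ts2"])
            and verify(b["cert"].pub, b["alice_sig"], b["data"], b["ts1"]))

def demo():
    alice_pub, alice_priv = make_key(2**61 - 1, 2**89 - 1)   # constructed toy keys
    ttp_pub, ttp_priv = make_key(2**107 - 1, 2**127 - 1)
    cert = Cert(alice_pub, not_after=1000)
    data, ts1, ts2, ts3 = b"contract v1", 100, 110, 200      # constructed sample values
    alice_sig = sign(alice_priv, data, ts1)
    ttp_sig = ttp_countersign(ttp_priv, cert, data, ts1, alice_sig, ts2)
    bundle = dict(data=data, alice_sig=alice_sig, ts1=ts1, cert=cert, ttp_sig=ttp_sig, ts2=ts2)
    cert.revoked_at = ts3                                    # revocation after ts2
    return verify_live(cert, data, ts1, alice_sig, ts3 + 1), verify_archive(ttp_pub, bundle)
```

After the revocation at ts_3, ordinary verification of Alice's signature fails while the archived bundle still verifies, which is why the integrity of the bundle itself has to be protected.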

Slide 7: Signature Generation/Verification

[Figure: Alice's signature creation engine (PIN, hash; steps 1 to 5) and Bob's signature verification engine (hash, OCSP, CRL; steps 6 to 12).]

1. Compute hash of message
2. Prepare signature
3. Present user PIN
4. SCD generates digital signature
5. Collect digital signature
6. Retrieve signer certificate
7. Verify the certificate's revocation status
8. Retrieve public key from signer certificate
9. Retrieve digital signature on the message
10. Compute hash on received message
11. Verify digital signature
12. SVD outputs valid signature or invalid signature

Beware: Bob should validate Alice's certificate

Belgian eID Card, Technical Aspects

Slide 8: Signature Generation Steps

[Figure: Alice's signature creation engine (PIN, hash; steps 1 to 5).]

Alice's application

1. Calculates the cryptographic hash on the data to be signed
2. Prepares her eID card to generate an authentication signature or to generate a non-repudiation signature
3. Alice presents her PIN to her eID card
4. Her card generates the digital signature on the cryptographic hash
5. The application collects the digital signature from her eID card

Bob receives an envelope with a digitally signed message and a certificate

Slide 9: Signature Verification Steps

[Figure: Bob's signature verification engine (hash, OCSP, CRL; steps 6 to 12).]

Bob

6. Retrieves the potential sender's certificate
7. Verifies the certificate's revocation status
8. Extracts Alice's public key from her certificate
9. Retrieves the signature from the message
10. Calculates the hash on the received message
11. Verifies the digital signature with the public key and the hash
12. If the verification succeeds, Bob knows that the eID card of Alice was used to produce the digital signature

"The message comes from Alice" is a business decision