ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Similar documents
Lecture 16 Public Key Certification and Revocation

Lecture 14. Public Key Certification and Revocation

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Lecture 2 Applied Cryptography (Part 2)

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

1. Diffie-Hellman Key Exchange

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Spring 2010: CS419 Computer Security

Public Key Algorithms

Diffie-Hellman. Part 1 Cryptography 136

PROVING WHO YOU ARE TLS & THE PKI

Public-Key Infrastructure NETS E2008

Lecture Notes 14 : Public-Key Infrastructure

Chapter 9: Key Management

Authentication in Distributed Systems

Data Security and Privacy. Topic 14: Authentication and Key Establishment

CT30A8800 Secured communications

Public-key Cryptography: Theory and Practice

CS 425 / ECE 428 Distributed Systems Fall 2017

Key Management and Distribution

Fall 2010/Lecture 32 1

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Digital Certificates Demystified

Cryptography and Network Security Chapter 14

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Certificateless Public Key Cryptography

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

CSE 565 Computer Security Fall 2018

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Kurose & Ross, Chapters (5 th ed.)

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CS Computer Networks 1: Authentication

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Using Cryptography CMSC 414. October 16, 2017

Cryptography and Network Security

Session key establishment protocols

Session key establishment protocols

Introduction to Cryptography Lecture 11

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Understanding HTTPS CRL and OCSP

Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution

ECE 646 Lecture 3. Key management

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

Lecture 15 Public Key Distribution (certification)

Chapter 9 Public Key Cryptography. WANG YANG

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Cryptography (Overview)

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

CSC 774 Network Security

Chapter 9. Public Key Cryptography, RSA And Key Management

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Identification Schemes

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Encryption. INST 346, Section 0201 April 3, 2018

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Cryptographic Protocols 1

CSC/ECE 774 Advanced Network Security

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

(2½ hours) Total Marks: 75

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Information Security CS 526

T Cryptography and Data Security

Introduction to Cryptography Lecture 10

Crypto meets Web Security: Certificates and SSL/TLS

Public Key Cryptography, OpenPGP, and Enigmail. 31/5/ Geek Girls Carrffots GVA

UNIT - IV Cryptographic Hash Function 31.1

Overview. SSL Cryptography Overview CHAPTER 1

Computer Security 3e. Dieter Gollmann. Chapter 15: 1

Key management. Pretty Good Privacy

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Public Key Establishment

IBM i Version 7.2. Security Digital Certificate Manager IBM

Real-time protocol. Chapter 16: Real-Time Communication Security

Lecture 4: Cryptography III; Security. Course Administration

Datasäkerhetsmetoder föreläsning 7

Grenzen der Kryptographie

Configuring SSL. SSL Overview CHAPTER

Efficient Quantum-Immune Keyless Signatures with Identity

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Key Agreement Schemes

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

IBM. Security Digital Certificate Manager. IBM i 7.1

Public Key Infrastructures

Course Administration

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

Cryptography and Network Security

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Key management. Required Reading. Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E

Key Management and Distribution

Transcription:

ICS 180 May 4th, 2004 Guest Lecturer: Einar Mykletun 1

Symmetric Key Crypto 2

Symmetric Key Two users who wish to communicate share a secret key Properties High encryption speed Limited applications: encryption Based on permutations and substitutions No mathematical assumptions Candidates: DES, 3-DES, AES, Blowfish Problem: Key Distribution 3

Public Key Crypto Solves Key Distribution problem but 4

Public-Key Cryptography Each user has a unique public-private key pair Alice - K Apriv, K Apub Bob - K Bpriv, K Bpub The public key can be given to anyone The private key is not shared with anyone, including a trusted third party (authentication server) The public key is a one-way function of the privatekey (hard to compute private key from public one) Used for key distribution/agreement, message encryption, and digital signatures 5

Origins of Public Key Concept credited to Diffie and Hellman, 1976 New Directions in Cryptography Motivation - wanted a scheme whereby Alice could send a message to Bob without the need for Alice and Bob to share a secret or for a Trusted Third Party -- called public-key because Alice & Bob need only exchange public keys to set up a secret channel Invented earlier by British at CESG http://www.cesg.gov.uk/about/nsecret.htm 6

Public-Key Agreement Method whereby Alice and Bob can agree on a secret key to use with DES, AES, or some other symmetric encryption algorithm Need a shared secret They do this after exchanging only public keys They each compute a secret session key K derived from their own private key and the other s public key. They both arrive at the same K independently 7

Diffie-Hellman Method 1) Shared prime p and generator g Alice: private x a and public y a = g Xa mod p Bob: private x b and public y b = g Xb mod p x a = log g y a mod p (hard to compute) 2) They swap public keys Alice computes: K = y b Xa mod p = g Xb Xa mod p Bob computes: K = y a Xb mod p = g Xa Xb mod p What can K be used for? 8

Math Strength Depends on difficulty of computing the discrete logarithm The best known methods are exponentially hard - same as factoring e.g., given n, find p, q where n = p * q Need to use numbers on the order of 768 bits (230 digits) or bigger Implementations typically use 512 (155), 1024 (310) or 2048 (621) bits (digits). 9

Sending Messages To send message M to Bob, only Bob s key is used Alice Bob: C = E Bpub (M) Bob decrypts: M = D Bpriv (C) In practice, use to distribute symmetric key K Alice Bob: C K = E Bpub (K), C M = E K (M) Bob decrypts: K = D Bpriv (C K ), M = D K (C M ) Alice and Bob then use K to encrypt/decrypt messages SSL: www.amazon.com 10

Public Key Cryptography solved the Key Distribution Problem but introduces another one 11

Certificate Revocation 12

Who is Alice? Bob? Certificates How do we tie Alice to her public key? Certificates are issued by Certificate Authorities States that owner of this certificate has the following public key Certificate is signed How about the signer of the certificate? 13

CA CA checks that requesting user is who he claims to be (in the certificate request) CA s own certificate is signed by a higherlevel CA. Root CA s certificate is selfsigned and his identity/name is wellknown CA is a critical part of the system and must operate in a secure and predictable way according to some policy 14

Who needs them? Certificates checked by verifiers to find out correct public key of the target entity A verifier must: know the public key of the CA (CAs?) trust all CAs involved Certificate checking is verification of the signature and validity of certificate 15

Verifying a PKC How can one verify a PKC? Need a PKI Otherwise, if PKC is self-signed (as in PGP) and must be trusted directly Prinicipal (P) Verifier CA Certificate (P) CA Certificate (P) CA Revocation Information Revocation Information 16

PKI and Revocation CA s PKC must itself be validated Need CA PKC s issuer s PKC, etc. Every PKC has own validity period What if a certificate must be invalidated before the expiration date? (e.g., private key compromise) 17

Requirements for revocation Timeliness Must check most recent revocation status Efficiency Computation Bandwidth and storage Availability Security 18

Verifying a certificate (assuming common CA) 19

Revocation methods CRL (Certificate Revocation List) CRL-DP, indirect CRL, dynamic CRL-DP, delta-crl, windowed CRL, etc. OCSP explicit CRS implicit CRT Authenticated Data Structures E.g., Certificate Update Scheme, skiplists 20

CRLs Off-line mechanism CRL = list of revoked certificates (e.g., SNs) signed by a revocation authority (RA) RA not always CA that issued the revoked PKC Periodically issued: daily, weekly, monthly, etc. 21

Pros & Cons of CRLs Pros Simple Don t need secure channels for CRL distribution Cons Timeliness: window of vulnerability CRLs can be huge How to distribute CRLs reliably? 22

X.509 CRL Format 23

Variation: Indirect CRL CRL issuer is a distinct entity: revocation authority (TTP) Can aggregate multiple CRLs from different CAs verifier can avoid requesting different CRLs from different sources problem: trust in the TTP 24

PKI and Revocation On January 29 and 30, 2001, VeriSign, Inc. issued two certificates for Authenticode Signing to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates appears to be legitimately signed by Microsoft. Users who try to run code signed with these certificates will generally be presented with a warning dialog, but who wouldn't trust a valid certificate issued by VeriSign, and claimed to be for Microsoft? Certificates were very soon placed onto a CRL, but: the code that checks the signatures for ActiveX controls, Office Macros, and so on, doesn't do any CRL processing. According to Microsoft: since the certificates don't have a CRL Distribution Point (DP), it's impossible to find and use the CRL! 25

Delta CRL simple variation starting point: a base CRL (infrequent) distribution of delta CRL which contains the changes occurred delta CRLs are smaller can be issued more frequently 26

Certificate Revocation Tree (CRT) proposed by Kocher (1998) based on hash trees hash trees first proposed by Merkle in another context in 1979 (one-time signatures) improvement to Lamport-Diffie OTS scheme based on the following idea: A wants to sign a bit of information. A gives B the image (y) produced as y=f(x) Eventually A reveals the pre-image: x B checks that: y=f(x) 27

CRT contd. express ranges of SN of PKC s as tree leaf labels: E.g., (5 -- 12) means: 5 and 12 are revoked, the others larger than 5 and smaller than 12 are okay Place the hash of the range in the leaf response includes the corresponding tree leaf, the necessary hash values along the path to the root, the signed root the CA periodically updates the structure and distributes to un-trusted servers called Confirmation Issuers 28

query: Is 67 revoked? Signed root (N 3,0 ) SHA Example of CRT N 2,0 N 2,1 SHA SHA N 1,0 N 1,1 N 1,2 N 1,3 SHA SHA SHA SHA SHA N 0,0 N 0,1 N 0,2 N 0,3 N 0,4 N 0,5 N 0,6 N 0,7 SHA SHA SHA SHA SHA SHA SHA (- to 7) (7 to 23) (23 to 27) (27 to 37) (37 to 49) (49 to 54) (54 to 88) (88 to + ) 29

Characteristics of CRT response represents a proof length of proof is O(log n) only one real signature for tree root (could be done off-line) 30

Explicit Revocation: OCSP OCSP = On-line Certificate Status Protocol (RFC 2560) - June 1999 In place of or, as a supplement to, checking CRLs Obtain instantaneous status of a PKC OCSP may be used for sensitive, volatile settings (e.g., stock trades, electronic funds transfer) 31

OCSP players 1. Cert request End entity ( seller ) 2. CA OCSP responder 6. Transaction response 5. OCSP response / Error message 3. Transaction + request End entity ( buyer ) 4. OCSP request 32

OCSP definitive response all definitive responses have to be signed: either by issuing CA or by a Trusted Responder (OCSP client trusts the TR s PKC) or by a CA Authorized Responder which has a special PKC (issued by the CA) saying that it can issue OCSP responses on CA s behalf 33

Responses for each certificate Response format: target PKC SN PKC status: good - positive answer revoked - permanently/temporarily (on-hold) unknown - responder doesn t know about the certificate being requested response validity interval optional extensions 34

Security Considerations on-line method DoS vulnerability flood of queries + generating signatures! unsigned responses false responses pre-computing responses offers some protection against DoS pre-computing responses allows replay attacks (as no nonce included) but OCSP signing key can be kept offline 35

Open questions Consistency between CRL and OCSP responses possible to have a certificate with two different statuses. How is handled such a thing? If OCSP is more timely and provides the same information as CRLs do we still need CRLs? Which method should come first - priority to OCSP or to CRL? 36

Implicit Revocation: Certificate Revocation System (CRS) proposed by Micali (1996) aimed to improve CRL communication costs basic idea: signing a message for every certificate stating its status use of off-line/on-line signature scheme to reduce update cost 37

CRS: creation of a certificate Two new parameters in PKC: Y MAX and N Y MAX =f MAX (Y 0 ) N=f(N 0 ) Y 0,N 0 per PKC secrets stored by CA f is a public one-way function 38

How CRS works CA daily update U k for each certificate C k Directory -if still valid U k =Y 365-i =f 365-i (Y 0 ) -if revoked U k =N 0 NOTE: i=0 at the issuance date Q: Is Ck v alid? A: U k Verifier 39

What is cryptography? Some terminology Cryptography Cryptanalysis Cryptology What is cryptography used for? 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback