Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33


Background
18/04/2007

Slides Sources: Karl Quinn, Donal O'Mahoney, Henric Johnson, Charlie Kaufman, Wikipedia, Google, Brian Raiter.

Recommended Reading:
Stallings, W. Cryptography and Network Security: Principles and Practice, 2nd edition. Prentice Hall, 1999.
Schneier, B. Applied Cryptography. New York: Wiley, 1996.
Pfleeger, C. Security in Computing. Prentice Hall, 1997.
Mel, H.X., Baker, D. Cryptography Decrypted. Addison Wesley, 2001.
Wikipedia

Digital Signatures
Digital signatures verify to a 3rd party that a msg is an unaltered copy of the msg a signer produces.
Digital signatures are, by use of cryptography:
(1) Authentic: works in a similar manner to a handwritten signature.
(2) Unforgeable: or at least extremely difficult to forge.
(3) Non-repudiable, or are they?? A human can always say it wasn't him/her!

Based on an irreversible binding to a msg of a secret known only to the signer.
Achieved by encrypting a msg, or a digest, using a key only known to the signer.
The encrypted digest is the signature.
The digest is a fixed length value computed via a secure digest function.
A secure digest function is similar to a checksum but it is very unlikely that a similar digest will be produced for two different msg.

Hashing
Takes arbitrary sized input, generates fixed size output.
Cryptographic hash:
  one-way (computationally infeasible to find input for a particular hash value)
  collision-resistant (can't find two inputs that yield same hash)
  output should look random

Hashes and Randomness
Want it to be irreversible: infeasible to find a message with a particular hash.
  e.g., with passwords, be able to verify hash of a pwd without being able to discover the pwd from the hash
Each hash value seen in practice should have about 1/2 the bits set.
Changing one bit of input should change about 1/2 the bits (unpredictable which).
Two outputs should be uncorrelated, regardless of how closely related the inputs.

Digital signatures can be implemented using:
(1) Public Key Cryptography, i.e. RSA algorithm.
(2) Secret Key Cryptography. Actually, Message Authentication Codes (MACs).

Public Key
Public key cryptography is generally used.
Originator creates the signature using their private key.
A recipient can decrypt the signature by using the originator's corresponding public key.
Note that the receiver has to be sure that the public key really does belong to the originator.

Alice wants to digitally sign a document, M, so that Bob, the recipient, can verify that she is M's originator.

Signing
(1) Alice computes a digest of M, Digest(M).
(2) Alice encrypts the digest with her private key, and appends it to M:
    M, {Digest(M)}K_Apriv

Verifying
Bob obtains the document, extracts M and computes Digest(M).
Bob decrypts {Digest(M)}K_Apriv using Alice's public key, K_Apub, and compares the result with his own Digest(M) computation.
If they match then the signature has been verified.

NOTE: the whole thing, M, {Digest(M)}K_Apriv, can also be encrypted to give
    {M, {Digest(M)}K_Apriv}K_Bpub
so that only Bob can read M, and know that M is from Alice.

Shared Key
Note that the key must be disclosed for verification.
Also referred to as Message Authentication Codes (MACs) to reflect their more limited purpose.
Very low cost signing technique.
Alice generates a random key K for signing and distributes it over secure channels.

Signing
(1) Alice concatenates M with the shared secret key K.
(2) Then she computes the digest of the result, h = H(M+K).
(3) She now sends the signed document, [M]_K = M, h, where the digest h is a MAC.

Verifying
(1) Bob already has K.
(2) Bob concatenates the shared secret key K with M.
(3) Then computes the digest h' = H(M+K).
(4) The signature is verified if h = h'.

Summary
[Figures: Shared Key; Public / Private Key]

Secure Digest Functions
A secure digest function should have the following properties:
(1) Given M, it is easy to compute h.
(2) Given h, it is hard to compute M.
(3) Given M, it is hard to find another message M', such that H(M) = H(M').
Note that (1) & (2) characterise one-way functions.

Secure Digest Function Examples
MD5
  Fifth in a sequence of Message Digest algorithms developed by Rivest (MD5).
  128-bit digest.
  Efficient algorithm.
SHA-7
  Secure Hash Algorithm (SHA).
  160-bit digest.
  Slower than MD5.
  Offers greater security than MD5 against brute-force and birthday attacks.
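The shared-key signing and verifying steps above, as an added example that is not part of the original slides. It uses SHA-256 as the digest function H, shows the slide's h = H(M+K) next to HMAC (the standardised keyed-digest construction), and shows why a MAC has a "more limited purpose": Bob holds K as well, so a valid tag proves nothing to a third party. The function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import os

def page_mac(message: bytes, key: bytes) -> bytes:
    """The slide's construction: h = H(M + K), with SHA-256 as H."""
    return hashlib.sha256(message + key).digest()

def standard_mac(message: bytes, key: bytes) -> bytes:
    """HMAC-SHA256, the standardised way to key a digest function."""
    return hmac.new(key, message, hashlib.sha256).digest()

def sign(message: bytes, key: bytes, mac=page_mac):
    """Alice: return the signed document [M]_K = (M, h)."""
    return message, mac(message, key)

def verify(signed, key: bytes, mac=page_mac) -> bool:
    """Bob: recompute h' over the received M and compare it with h."""
    message, h = signed
    h_prime = mac(message, key)
    return hmac.compare_digest(h, h_prime)  # constant-time comparison

def demo():
    key = os.urandom(32)                     # random K, shared over a secure channel
    doc = sign(b"Pay Carol 10 euro", key)    # constructed sample message
    tampered = (b"Pay Carol 1000 euro", doc[1])
    # Bob holds K too, so he can create a tag that Alice never produced:
    bob_made = sign(b"Pay Bob 500 euro", key)
    hmac_doc = sign(b"Pay Carol 10 euro", key, standard_mac)
    return {
        "genuine": verify(doc, key),
        "tampered": verify(tampered, key),
        "wrong_key": verify(doc, os.urandom(32)),
        "bob_made_verifies": verify(bob_made, key),
        "hmac_genuine": verify(hmac_doc, key, standard_mac),
        "mixed_schemes": verify(hmac_doc, key, page_mac),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```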

Certificates
Certificates are documents that contain some message, M, that is signed by the author.
Used to bind additional information, e.g. a public key, to an identity.
Consider Alice and Bob the Banker.
Alice needs to be sure that it is indeed Bob she is talking to, and conversely Bob needs to authenticate Alice as being Alice.
Below is Alice's bank account certificate:
1. Certificate Type: Account Number
2. Name: Alice
3. Account: 123456
4. Cert Authority: Bob's Bank
5. Signature: {Digest(Field 2 + Field 3)}K_Bpriv

Certificates
Alice's bank account certificate allows her to certify to a vendor, Carol, that she has a bank account with Bob the bank and the number is xxxxx and the name of the account is Alice's name.
Carol can accept this cert and charge items to the bank account number if the signature can be validated.
This is done by finding and using Bob's public key to verify that Alice's certificate was actually signed by Bob the bank.
Note: Bob's key might not be trustworthy, cos Alice could have created K_Bpriv(fake) and K_Bpub(fake) and then created a forged certificate from Bob's bank!
Carol therefore needs a certificate that contains Bob's public key, signed by a trusted authority.
Trusted Authority = Banker Federation = Fred.

Certificates
Fred's public key authenticity could also be questioned, so the problem becomes recursive.
This recursion can be broken by ensuring Carol gets Fred's public key with a certain degree of confidence; this is a certificate chain. (Someone else verifies Fred's key.)
This can be achieved by personal transfer or via a trusted third party.
Public Key certificate for Bob's bank:
1. Certificate Type: Account Number
2. Name: Alice
3. Account: 123456
4. Cert Authority: Bob's Bank
5. Signature: {Digest(Field 2 + Field 3)}K_Bpriv

Certificate Standards
X.509
Most widely used standard for certificates.
Part of the X.500 standard for the construction of global directories of names and attributes.
X.509 is used in cryptography as a format definition for free standing certificates.
Public key is bound to a named entity called a subject.
Binding is in the signature, which is issued by an Issuer.
Single certificate may have multiple signatures.

X.509 Certificate Format
Subject: Distinguished Name, Public Key
Issuer: Distinguished Name, Signature
Validity Period: Not Before, Not After
Admin Info: Version, Serial
Extended Info:
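The public-key signing scheme ({Digest(M)}K_priv) and the Alice / Bob's Bank / Carol / Fred certificate chain described above, as an added example that is not part of the original slides. It assumes textbook RSA over fixed Mersenne primes (trivially factorable, for demonstration only) and a simplified certificate of name, value, issuer and signature; all function and field names are hypothetical.

```python
import hashlib

E = 65537  # public exponent used by every toy key below

def toy_keypair(a, b):
    """Textbook RSA from Mersenne primes 2**a-1 and 2**b-1 (insecure, demo only)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(fields):
    # NUL separator so ("ab", "c") and ("a", "bc") give different digests
    data = "\x00".join(fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(fields, priv):
    """{Digest(fields)}K_priv: 'encrypt' the digest with the private key."""
    return pow(digest(fields), priv["d"], priv["n"])

def verify(fields, sig, pub_n):
    """'Decrypt' sig with the public key and compare with a fresh digest."""
    return pow(sig, E, pub_n) == digest(fields)

def make_cert(name, value, issuer, issuer_priv):
    return {"name": name, "value": value, "issuer": issuer,
            "sig": sign((name, value), issuer_priv)}

def carol_accepts(account, bank_key_cert, roots):
    """Chain check: trusted root -> bank's public key -> account certificate."""
    root_n = roots.get(bank_key_cert["issuer"])
    bank_fields = (bank_key_cert["name"], bank_key_cert["value"])
    if root_n is None or not verify(bank_fields, bank_key_cert["sig"], root_n):
        return False   # bank key is not vouched for by a root Carol already holds
    if account["issuer"] != bank_key_cert["name"]:
        return False
    return verify((account["name"], account["value"]), account["sig"],
                  int(bank_key_cert["value"]))

def demo():
    fred, bob, fake = toy_keypair(127, 521), toy_keypair(107, 607), toy_keypair(89, 1279)
    roots = {"Fred": fred["n"]}   # Carol obtained Fred's key by personal transfer
    bank = make_cert("Bob's Bank", str(bob["n"]), "Fred", fred)
    alice = make_cert("Alice", "123456", "Bob's Bank", bob)
    # The forgery from the slides: a made-up "Bob" key pair signs both certificates
    forged = make_cert("Alice", "999999", "Bob's Bank", fake)
    forged_bank = make_cert("Bob's Bank", str(fake["n"]), "Fred", fake)
    altered = dict(alice, value="654321")   # genuine signature, edited field
    return {
        "genuine_chain": carol_accepts(alice, bank, roots),
        "naive_check_of_forgery": verify(("Alice", "999999"), forged["sig"], fake["n"]),
        "forged_chain": carol_accepts(forged, forged_bank, roots),
        "altered_account": carol_accepts(altered, bank, roots),
    }
```

The forged account certificate verifies against the key that came with it, which is why Carol checks the bank's key against a root she already trusts before using it.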

Certificate Standards
X.500 global directory service
Service that stores collections of bindings between names and attributes and that looks up entities that match attribute-based specifications.
I.e. What is the name of the user with Telephone number = 016081335?
So for our purposes: what is the public key of the user with Name = X, and Attributes = Y, Z?

Certificates Infrastructure
Certificates need some infrastructure in place to allow users to verify a given certificate.
This can be done centrally or via a distributed system.
So how are certificates, and their certificate chains, verified and disseminated?
(1) Trusted Third Party (TTP)
(2) Certificate Authority (CA)
(3) Simple Public Key Infrastructure (SPKI)

Certificates Infrastructure 1: A Trusted Third Party (TTP)
Alice wants to carry out some transaction with Bob.
Alice wants to be sure that Bob is who he says he is, and Bob vice versa.
Carol, who is trusted by both Alice and Bob, offers to undertake this authentication process.

Certificates Infrastructure 2: A Certificate Authority (CA)
Well known organisations establish themselves to act as certificate authorities: Verisign, CREN, etc.
One can then obtain an X.509 public key certificate from them by submitting satisfactory evidence of one's identity.
Therefore, a 2 step verification process:
1a: Bob obtains a public key cert for Alice from a CA, or
1b: Alice sends Bob a cert containing her public key signed by a trustworthy CA.
2: If Bob trusts the CA, he can trust Alice's cert and public key.

Certificate Infrastructure 3: Simple Public Key Infrastructure (SPKI)
X.509 relies on global uniqueness, which can cause long chains of certification that must be validated to someone who is trusted, and is deployed primarily in closed solutions.
SPKI is a scheme for the creation and management of sets of public certificates.
A standard form for digital certificates whose main purpose is authorisation rather than authentication.
Certs are about authorised actions and subjects, rather than identity.
Credentials can directly authorise actions; there is less need to authenticate a user.
One authorised action can be the delegation of trustedness.
Chains of certificates can be processed using logical inference to produce derived certificates. E.g.
  Bob believes Alice's key is K_Apub and Bob is authorised to delegate trust.
  Carol trusts Bob on Alice's public key.
  Therefore, Carol believes that Alice's public key is K_Apub.

Key Revocation
Certificates invalidated before expiration:
  The user's secret key is assumed to be compromised.
  The user is no longer certified by this CA.
  The CA's certificate is assumed to be compromised.
  May be due to change in circumstance (e.g., someone leaving company).
Problems:
  Entity revoking certificate authorized to do so
  Revocation information circulates to everyone fast enough
  Network delays, infrastructure problems may delay information

Certificate Revocation
If a user's private key is compromised, then they must report this to the CA.
CA periodically issues a BLACK LIST called a Certificate Revocation List (CRL).
Each certificate SHOULD contain a CRL Distribution Point.
Clients should periodically download CRLs for checking.
CRL management can be difficult.
Always a time-lag between compromise, revocation and CRL checking.
[Figure: Certificate Revocation List. Fields: Date of This Update; Date of Next Update; Issuer Name; Issuer Signature; repeated entries of Certificate Number, Revocation Date]

Certificate Revocation Lists
Only issued by the CA which issues the corresponding certificates.
All CRLs have a (often short) lifetime in which they are valid.
To prevent spoofing or denial-of-service attacks, CRLs are usually signed by the issuing CA and therefore carry a digital signature.
CRLs must be checked whenever one wants to rely on a certificate, to ensure the cert is still valid.
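A relying party's CRL check built from the fields listed above (this update, next update, issuer, revoked certificate numbers with revocation dates), as an added example that is not part of the original slides. It assumes the CRL's signature was already verified and recorded in a hypothetical `signature_ok` flag; the CA name, serial number and timeline are constructed. The demo shows the time-lag: a cached list still answers "good" after the key was compromised.

```python
from datetime import datetime, timedelta

def check_revocation(cert, crl, now):
    """Return 'good' or 'revoked', or the reason this CRL cannot be relied on."""
    if crl["issuer"] != cert["issuer"]:
        return "wrong-issuer"       # only the issuing CA's list applies
    if not crl["signature_ok"]:
        return "bad-signature"      # unsigned or spoofed lists are ignored
    if not (crl["this_update"] <= now < crl["next_update"]):
        return "crl-out-of-date"    # fail closed: fetch a fresh CRL first
    return "revoked" if cert["serial"] in crl["revoked"] else "good"

def worst_case_lag(compromised_at, cached_crl):
    """How long a client holding this cached CRL can keep accepting the cert."""
    return cached_crl["next_update"] - compromised_at

def demo():
    t0 = datetime(2007, 4, 18, 9, 0)      # constructed timeline
    day = timedelta(days=1)
    cert = {"serial": 1042, "issuer": "Example CA"}
    old = {"issuer": "Example CA", "signature_ok": True,
           "this_update": t0, "next_update": t0 + day, "revoked": {}}
    new = {"issuer": "Example CA", "signature_ok": True,
           "this_update": t0 + day, "next_update": t0 + 2 * day,
           "revoked": {1042: t0 + timedelta(hours=5)}}  # number -> revocation date
    other = dict(new, issuer="Other CA")
    compromised = t0 + timedelta(hours=3)
    later = t0 + day + timedelta(hours=1)
    return {
        "cached_list_after_compromise":
            check_revocation(cert, old, t0 + timedelta(hours=12)),
        "cached_list_expired": check_revocation(cert, old, later),
        "fresh_list": check_revocation(cert, new, later),
        "other_ca_list": check_revocation(cert, other, later),
        "lag": worst_case_lag(compromised, old),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```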

Key Escrow
Key escrow system allows authorized third party to recover key.
Useful when keys belong to roles, such as system operator, rather than individuals.
Business: recovery of backup keys.
Law enforcement: recovery of keys that authorized parties require access to.
Goal: provide this without weakening cryptosystem.
Very controversial.

Authentication vs Authorisation
All access control is based on identity.
  Identity may have multiple representations.
  Identities are bound to principals.
  Continuum of trust levels.
Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide answers to the questions:
  Who is the user?
  Is the user really who he/she represents himself to be?
Authorisation, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. Authorisation systems provide answers to the questions:
  Is authenticated user X authorised to access resource R?
  Is authenticated user X authorised to perform operation P?
  Is authenticated user X authorised to perform operation P on resource R?