apr 22, 2003mårten trolin1 agenda course high-lights – symmetric and asymmetric cryptography –...

Apr 22, 2003 Mårten Trolin 1

AgendaAgenda

Course high-lights– Symmetric and asymmetric cryptography– Digital signatures and MACs– Certificates– Protocols

Interactive Non-interactive

– Smart-cards


Symmetric vs. asymmetric Symmetric vs. asymmetric cryptographycryptography

Symmetric ciphers – sender and recipient use the same key– Dkey(Ekey(m)) = m

Substitution cipher is an example of a symmetric cipher Impractical for big systems – number of keys is quadratic

in the number of users The solution – asymmtric algorithms. Think of a locked

mailbox! Different keys for encryption and decryption– Dprivate key(Epublic key(m)) = m


Hash functionsHash functions

A hash function computes a fixed length value from a variable length source– Example: Check sums in communication protocols– Indices in databases

More convenient to handle a hash of a document instead of the document itself

We will consider cryptographically secure hash functions.


Properties of good hash Properties of good hash functionsfunctions

Let H be a hash functionOne-way

– Given v, unfeasible to compute an x such that H(x) = v

Collision-free– Infeasible to find x1 and x2 such that H(x1) =

H(x2) and x1 x2


Digital signaturesDigital signatures

Used to ensure authenticity.A digital signatures binds a document to a

person.In a public key infrastructure (PKI), a

person produces a digital signature using his private key

The signature can be verified using the public key.


Use of a digital signatureUse of a digital signature

Signature generation

Private key

Document

Signature Signature verification

Public key

Document

OK / not OK

Signer Verifier


Message Authentication Message Authentication CodesCodes

Digital signatures requires public/private keys The same functionality can be achieved with

symmetric keys– Called MAC – Message Authentication Code– Signer and verifier uses the same key

Question: What are the advantages compared to digital signatures? What are the disadvantages?


Two simple MACsTwo simple MACs

Let Ekey, Dkey be a symmetric cipher, and let H be a hash function. Let m be the message to MAC and let k be the symmetric key.

First proposition: Compute a hash of the document and encrypt it– Ek(H(m))

Second proposition: Concatinate the message and the key and compute the hash– H(m k)


Interactive ProtocolInteractive Protocol

TCP/IP

User(pu, su)

Web serverUser’s public key pu

Symmetric key k encrypted under pu

Communication encrypted under k

Generates symmetric key k

Decrypts k using su


User(pu, su)

Web server

User’s public key pu

Symmetric key k encrypted under pm

Communication encrypted under k

Generates symmetric key k

Decrypts k using su

Replaces pu with his own pm

Man in the middle(pm, sm)

pm

Decrypts k using sm and reencrypts using pu

Symmetric key k encrypted under pu


Public key certificatesPublic key certificates

A public key certificate consists of– A public key– Information on the owner

Name, address, photograph, finger-print, credit card number, etc.

– A signature on the above data by a trusted party Trusted party could be the government, a bank, etc.

User’s public key

Identification data

Digital signature by CA

User’s Private key

Public information

Private information


Certificate chainsCertificate chains

Certificates can be chained– Each certificate in the chain

is signed with the private key of the certificate above.

If the user knows the root certificate, he can verify that each step is valid.

Using chains, the CA can outsource signing to other organizations it trusts without giving away its private key.

E n d ce rtif ica te

In te rm e d ia te ce rt if ica te

R o o t ce rtf ica te


Certificate chainsCertificate chains

E n d u se r 1 E n d u se r 2

In te rm e d ia te C A 1

E n d u se r 3 E n d u se r 4


E n d u se r 5


R o o t C A

The end user certificates are verified by following the chain up to the root certificate authority (CA)– If every step in the chain is valid, the end user certificate is

considered valid.


SSL/TLSSSL/TLS

SSL (Secure Socket Layer) and TLS (Transport Layer Security) are standards for how to secure TCP/IP communications

TLS is a layer on top of the TCP layer


TLSTLS

IP

TCP

HTTP TLS

IP

TCP

HTTP

Not secure Secure


TLS HandshakeTLS Handshake

Client Server

ClientHello

ServerHello

ServerKeyExchange

ClientKeyExchange

ChangeCipherSpec

Finished

ChangeCipherSpec

Finished

ServerHelloDone

Certificate


Non-interactive protocolsNon-interactive protocols

For interactive protocols, the symmetric key is decided in the handshake. For non-interactive protocols, this must be solved in another way.– The key cannot be negotiated.– Encrypt a session key using the recipients

public key.


Session key in non-interactive Session key in non-interactive protocolsprotocols

For non-interactive protocols, the sender generates a session key.

The session key is encrypted using the recipient’s public key.– Recipient’s public key must be known in advance.

The message is encrypted with the (symmetric) session key. The encrypted message consists of the encrypted session key and the cipher text.

The recipient decrypts the session key with his private key and decrypts the message.


Pretty Good PrivacyPretty Good Privacy

Protocol overview– Symmetric session key encrypted with

asymmetric keyKey management

– Distributed, non-centralizedTrust model

– Web of trust– Introducers


Password generated keys – Password generated keys – problems and solutionsproblems and solutions

Password generated keys suffer from the same general problem as passwords for authentication.– Number of passwords is relatively small – possible to

create a list with all possible passwords and corresponding keys.

Use a salt to avoid dictionary attacks. Make key generation “slow”, to make brute-force

attacks more time consuming.


Generating keysGenerating keys

Key generation requires a good source of random bits– Bad key material makes system vulnerable to attacks.

Has been done in practice.– Hardware generators provide the best source.– For end-user applications - some user interaction can be

used (mouse movement, key strokes, etc.)– Using system time for high security requirements is a

bad idea! For high-security applications, key generation

should take place in a closed environment.


Distributing symmetric keysDistributing symmetric keys

Symmetric keys are very sensitive and must be distributed with great care.

Depending on how valueable the key is, different approaches are possible.– Send the key to recipient by physically secure means,

e.g., by courier, by registered mail etc.– If a common key exists, send the new key encrypted

under the common key.– Split the key into components and send the key

components with different security officers.


What Is a Smart-CardWhat Is a Smart-Card

A smart-card is a small computerOften placed on a credit-card sized plastic

cardCan have contacts or be contact-lessHas a well-defined interface

– Can have secret information that is protected from direct access

First appeared in the 1970s


Advantages with Smart-CardsAdvantages with Smart-Cards

Can have secret data– Data used for internal computations and never revealed

in clear– Example: PIN and keys can be stored on card

Can process data and save information– Count transactions– Check PIN and count unsuccessful tries– Different behavior depending on geographic location– Cryptographic functions

Uses the secret keys

apr 22, 2003mårten trolin1 agenda course high-lights – symmetric and asymmetric cryptography –...

Documents

key d key e key

key question

public key information

p u slide

users public key identific

s u slide

public key infrastructure

p u communication