public key cryptography

1

http://herraiz.org

Public key cryptography: a practical Public key cryptography: a practical approachapproach

Israel Herraiz <[email protected]>

<[email protected]>

KeyID FE0A7AF3

Fingerprint D0DA E915 BFDD E5CD 8BA0 B159 7E97 2ACB FE0A 7AF3

Slides and additional info athttp://mat.caminos.upm.es/~iht/pkc/

mailto:[email protected]

mailto:[email protected]

http://mat.caminos.upm.es/~iht/pkc/

2

http://herraiz.org

Privacy in electronic communicatiosPrivacy in electronic communicatios

Can we ensureprivacy in electroniccommunications?

3

http://herraiz.org

Reaching GoogleReaching Google 1 10.8.0.1 (10.8.0.1) 2 192.168.1.1 (192.168.1.1) 3 62.81.125.179.static.user.ono.com (62.81.125.179) 4 10.115.49.217 (10.115.49.217) 5 10.127.151.49 (10.127.151.49) 6 10.127.10.137 (10.127.10.137) 7 10.127.10.133 (10.127.10.133) 8 10.127.3.82 (10.127.3.82) 9 213.242.71.21 (213.242.71.21)10 ae-5-5.ebr1.Paris1.Level3.net (4.69.141.42)11 ae-45-45.ebr1.London1.Level3.net (4.69.143.101)12 ae-1-51.edge3.London1.Level3.net (4.69.139.73)13 unknown.Level3.net (212.113.15.186)14 209.85.255.78 (209.85.255.78)15 66.249.95.173 (66.249.95.173)16 216.239.49.45 (216.239.49.45)17 * * *18 ww-in-f147.1e100.net (209.85.229.147)

1 10.8.0.1 (10.8.0.1) 2 192.168.1.1 (192.168.1.1) 3 62.81.125.179.static.user.ono.com (62.81.125.179) 4 10.115.49.217 (10.115.49.217) 5 10.127.151.49 (10.127.151.49) 6 10.127.10.137 (10.127.10.137) 7 10.127.10.133 (10.127.10.133) 8 10.127.3.82 (10.127.3.82) 9 213.242.71.21 (213.242.71.21)10 ae-5-5.ebr1.Paris1.Level3.net (4.69.141.42)11 ae-45-45.ebr1.London1.Level3.net (4.69.143.101)12 ae-1-51.edge3.London1.Level3.net (4.69.139.73)13 unknown.Level3.net (212.113.15.186)14 209.85.255.78 (209.85.255.78)15 66.249.95.173 (66.249.95.173)16 216.239.49.45 (216.239.49.45)17 * * *18 ww-in-f147.1e100.net (209.85.229.147)

4

http://herraiz.org

Reaching GoogleReaching Google 1 10.8.0.1 (10.8.0.1) 2 192.168.1.1 (192.168.1.1) 3 62.81.125.179.static.user.ono.com (62.81.125.179) 4 10.115.49.217 (10.115.49.217) 5 10.127.151.49 (10.127.151.49) 6 10.127.10.137 (10.127.10.137) 7 10.127.10.133 (10.127.10.133) 8 10.127.3.82 (10.127.3.82) 9 213.242.71.21 (213.242.71.21)10 ae-5-5.ebr1.Paris1.Level3.net (4.69.141.42)11 ae-45-45.ebr1.London1.Level3.net (4.69.143.101)12 ae-1-51.edge3.London1.Level3.net (4.69.139.73)13 unknown.Level3.net (212.113.15.186)14 209.85.255.78 (209.85.255.78)15 66.249.95.173 (66.249.95.173)16 216.239.49.45 (216.239.49.45)17 * * *18 ww-in-f147.1e100.net (209.85.229.147)

1 10.8.0.1 (10.8.0.1) 2 192.168.1.1 (192.168.1.1) 3 62.81.125.179.static.user.ono.com (62.81.125.179) 4 10.115.49.217 (10.115.49.217) 5 10.127.151.49 (10.127.151.49) 6 10.127.10.137 (10.127.10.137) 7 10.127.10.133 (10.127.10.133) 8 10.127.3.82 (10.127.3.82) 9 213.242.71.21 (213.242.71.21)10 ae-5-5.ebr1.Paris1.Level3.net (4.69.141.42)11 ae-45-45.ebr1.London1.Level3.net (4.69.143.101)12 ae-1-51.edge3.London1.Level3.net (4.69.139.73)13 unknown.Level3.net (212.113.15.186)14 209.85.255.78 (209.85.255.78)15 66.249.95.173 (66.249.95.173)16 216.239.49.45 (216.239.49.45)17 * * *18 ww-in-f147.1e100.net (209.85.229.147)

Getafe

Barcelona

MinneapolisParis

LondonAtlanta

New YorkLos Angeles

Atlanta

5

http://herraiz.org

Hops while attempting to reach Hops while attempting to reach GoogleGoogle

6

http://herraiz.org

Is it that bad?Is it that bad?

What kind of privateInformation can be

captured?

7

http://herraiz.org

Non-cyphered informationNon-cyphered information

● Geolocalization● Using your IP address

● Web browser and operating system● Any info written in a form

● Including passwords

● Cookies● Have a look and take care

– http://www.youtube.com/watch?v=yyLdxO6xvh8– http://www.youtube.com/watch?v=1FgKL2ywrX0

http://www.youtube.com/watch?v=yyLdxO6xvh8

http://www.youtube.com/watch?v=1FgKL2ywrX0

8

http://herraiz.org

Is it important?Is it important?

● Strong PK crypto illegal in France up to 2004

● PK implementations in software considered weapons in the US

● Software export restrictions in EU and US

http://en.wikipedia.org/wiki/Phil_Zimmermann

http://en.wikipedia.org/wiki/Key_disclosure_lawhttp://en.wikipedia.org/wiki/Cryptography_law

http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_United_States#History

http://en.wikipedia.org/wiki/Phil_Zimmermann

http://en.wikipedia.org/wiki/Key_disclosure_law

http://en.wikipedia.org/wiki/Cryptography_law

http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_United_States#History

9

http://herraiz.org

Solution

Enforce cypheringusing public key

cryptography

10

http://herraiz.org

CryptographyCryptography

● Traditionally, cyphering was done using a password and an algorithm

● Symmetric approach● Password shared by both peers

● Public key cryptography● Insecure channel● Private and secure communication without any

previous physical contact

11

http://herraiz.org

Public key cryptography (PKP)Public key cryptography (PKP)

Pub Pri Pub Pri

12

http://herraiz.org

Public key cryptographyPublic key cryptography

Pri PriPubPub

Pub Pub

Keyserver

13

http://herraiz.org

Criptografía de clave públicaCriptografía de clave pública

Pri PriPubPub

Pub Pub

Keyserver

Hi there!

14

http://herraiz.org


Pri PriPubPub

Pub Pub

Keyserver

0F231A5

Pub

15

http://herraiz.org


Pri PriPubPub

Pub Pub

Keyserver

0F231A5

Pub

16

http://herraiz.org


Pri PriPubPub

Pub Pub

Keyserver

Hi there!

17

http://herraiz.org

How does it work?How does it work?

● PKP Algorithms● Prime number factorization

● From a mathematical point of view, all messages can be decrypted

● From a computational point of view, decrypting a message without the private key takes too long

– Key length is a crucial property

18

http://herraiz.org

Public key samplePublic key sample

-----BEGIN PGP PUBLIC KEY BLOCK-----Version: GnuPG v2.0.19 (GNU/Linux)

JeP5F/eRS9G8EE1fObRRW6mRf+bGSeluFEMiOi3UB/5P0GBx8iM0QIjezR0R+2n8bMjuJmWHTjvEeplnx9iual4J4BT/9FznFs7o4tFVVfYBacFrhWjQyAf2xoP3gyn35OlV55VHVB+oidXUVNSNHZbXwrd1sH42x7x8o17PDFJrWjiq4kAb2EfSOIuSS6naK9Y06bqh3yRbVtRdZOuCLcY8QJwt/mx//uQqG6NuSvYhx1QyC6g==XuDESOIuSSamQINBEtUTeQBEACejdGQhscmsDXM7xG2/ZYFpMQg/GmPlJ85uJJUkLr2T+5Rw8XvVfZjNZkMwsq94BGFrBxu477tKhQ5wiUBBz/jJ01a39Wrazgp21fvEon2T0Vay45t2BYbU4AF815UL6o74YlW5SLdAofwylZS8pX4CKjGAB0T+fDiwkAepQl45nzX0ulv

-----END PGP PUBLIC KEY BLOCK-----

19

http://herraiz.org

Private key samplePrivate key sample

-----BEGIN PGP PRIVATE KEY BLOCK-----Version: GnuPG v2.0.19 (GNU/Linux)

mQINBEtUTeQBEACejdGQhscmsDXM7xG2/ZYFpMQg/GmPlJ85uJJUkLr2T+5Rw8XvJeP5F/eRS9G8EE1fObRRW6mRf+bGSeluFEMiOi3UB/5P0GBx8iM0QIjezR0R+2n8VfZjNZkMwsq94BGFrBxu477tKhQ5wiUBBz/jJ01a39Wrazgp21fvEon2T0Vay45t2BYbU4AF815UL6o74YlW5SLdAofwylZS8pX4CKjGAB0T+fDiwkAepQl45nzX0ulvbMjuJmWHTjvEeplnx9iual4J4BT/9FznFs7o4tFVVfYBacFrhWjQyAf2xoP3gyn35OlV55VHVB+oidXUVNSNHZbXwrd1sH42x7x8o17PDFJrWjiq4kAb2EfSOIuSS6naK9Y06bqh3yRbVtRdZOuCLcY8QJwt/mx//uQqG6NuSvYhx1QyC6g==XuDESOIuSSa

-----END PGP PRIVATE KEY BLOCK-----

20

http://herraiz.org

KeyserversKeyservers

● Internet hosts that contain public keys● Federated services

● All servers contain all the public keys in the world

● Public keyserver in Spain thanks to RedIRIS● URL: pgp.rediris.es

21

http://herraiz.org

Message signingMessage signing

Pri PriPubPub

Pub Pub

Keyserver

Hi there!

22

http://herraiz.org


Pri PriPubPub

Pub Pub

Keyserver

Hi there!

Created with theprivate key

23

http://herraiz.org


Pri PriPubPub

Pub Pub

Keyserver

Hi there!

24

http://herraiz.org

Signing and encryptingSigning and encrypting

Pri PriPubPub

Pub Pub

Keyserver

Hi there!

25

http://herraiz.org


Pri PriPubPub

Pub Pub

Keyserver

FAD43A

Pub

26

http://herraiz.org


Pri PriPubPub

Pub Pub

Keyserver

FAD43A

Pub

27

http://herraiz.org


Pri PriPubPub

Pub Pub

Keyserver

Hi there!

28

http://herraiz.org


Pri PriPubPub

Pub Pub

Keyserver

Hi there!

29

http://herraiz.org

Identity certificationIdentity certification

How do you know thatpublic keys belong to their

legitimate owners?

Public key

Barack Obama

Can we ensure that thekey does belong to

Barack Obama?

30

http://herraiz.org

Identity certificationIdentity certification

Certificate Authorities

Trust chain

31

http://herraiz.org

Public key signingPublic key signing

● Public keys are plain text documents that can be cryptographically signed

● Mutual public signing adds identity certification to PKP schemes

32

http://herraiz.org


Pri PriPubPub

Pub Pub

Keyserver

Barack Obama

33

http://herraiz.org


Pri PriPubPub

Pub Pub

Keyserver

Barack Obama

Key FE0A7AF2Name Barack ObamaFingerprint D0DA E915 BFDD E5CD 8BA0 B159 7E97 2ACB FE0A 7AF2

34

http://herraiz.org


Pri PriPubPub

Pub Pub

Keyserver

Barack Obama


35

http://herraiz.org


Pri PriPubPub

Pub Pub

Keyserver

Barack Obama

Show meyour passport


36

http://herraiz.org

Passport

BarackObama


Pri PriPubPub

Pub Pub

Keyserver

Barack Obama


Show meyour passport

37

http://herraiz.org


PriPub

Pub Pub

Keyserver


Pub

Barack ObamaD0DA E915 BFDD E5CD 8BA0 B159 7E97 2ACB FE0A 7AF2

Download key FE0A7AF2

38

http://herraiz.org


PriPub

Pub Pub

Keyserver


Pub


39

http://herraiz.org


PriPub

Pub Pub

Keyserver


Pub


40

http://herraiz.org


PriPub

Pub Pub

Keyserver

PriPub

Barack Obama

Key signing isoften mutual

41

http://herraiz.org


Barack Obama

Pub

Pub

Pub

Is he Barack Obama?

Trust chain

42

http://herraiz.org

Signing partySigning party

43

http://herraiz.org

Take awayTake away

PK Cryptog.Secure comms.

throughinsec. channels

Each user createsa public-private

key pair

Keyserverscontain every

key in the world

Trust chainIdentity cert.

through public key signing

public key cryptography

Education

us http

law http

care http

public key sample

private key sample

pgp private key block

world public keyserver

toolong key length