Hash Function, Digital Signature & Public Key Infrastructure

DESCRIPTION

Hash Function, Digital Signature & Public Key Infrastructure. Review: Security Requirements. In the context of communications across a network, the following attacks can be identified: disclosure, traffic analysis, masquerade, content modification, sequence modification. PowerPoint PPT presentation.

Page 1: Hash Function,  Digital Signature  &  Public Key Infrastructure

Hash Function, Digital Signature & Public Key Infrastructure

Page 2: Hash Function,  Digital Signature  &  Public Key Infrastructure

Review: Security Requirements

In the context of communications across a network, the following attacks can be identified:

• disclosure, traffic analysis: countered by symmetric/asymmetric cryptography
• masquerade, content modification, sequence modification, timing modification: generally regarded as message authentication
• source repudiation: comes under the heading of digital signature
• destination repudiation: requires a combination of the use of digital signature and protocol design

Page 3: Hash Function,  Digital Signature  &  Public Key Infrastructure

Review: Security Services

• Authentication: provides the assurance of someone's identity
• Confidentiality: protects against disclosure to unauthorized identities
• Non-Repudiation: protects against a communication's originator later denying it
• Integrity: protects from unauthorized data alteration

Page 4: Hash Function,  Digital Signature  &  Public Key Infrastructure

Review: Services, Mechanisms, Algorithms

A typical security protocol provides one or more services.

Services are built from Mechanisms; Mechanisms are implemented using Algorithms.

• Services: SSL, IPSEC, TLS, SSH, etc.
• Mechanisms: Signatures, Encryption, Hashing
• Algorithms: DSA, RSA (for signatures); RSA, DES (for encryption); SHA, MD5 (for hashing)

Page 5: Hash Function,  Digital Signature  &  Public Key Infrastructure

Review: Message Authentication

Message authentication can be provided by:

• Hash Function
• Message Authentication Code
• Message Encryption

Page 6: Hash Function,  Digital Signature  &  Public Key Infrastructure

Message Authentication: Hash functions

Page 7: Hash Function,  Digital Signature  &  Public Key Infrastructure

Hash Functions

Can be used for encryption, authentication and digital signature.

A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M).

A cryptographic hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length, for example 160 bits, as depicted in the figure.

[Figure: a long message (… 0 1 1 0 1 1 0 1 1 …) is mapped by h to a 160-bit message digest (1 0 … 1 0).]

Page 8: Hash Function,  Digital Signature  &  Public Key Infrastructure

Defining Hashing

If you were to give someone the number 1,765,335 and ask him or her to determine your original number, it would be virtually impossible for that person to "work backwards" and derive the original number, 12,345.

If you give him or her the multiplier (143), the original number could easily be determined.

Input Value   Multiplier   Formula              Result
12,345        143          Value * Multiplier   1,765,335
Plaintext     Key          Algorithm            Ciphertext

Page 9: Hash Function,  Digital Signature  &  Public Key Infrastructure

A Practical Use of Hash Algorithm

[Figure: a DRJ Independent Bank card carrying the hashed value 459384502392.]

• 123456: PIN entered on keypad
• 459384502392 = 123456 hashed
• Hashed value stored on card

Page 10: Hash Function,  Digital Signature  &  Public Key Infrastructure

A Practical Use of Hash Algorithm

[Figure: a DRJ Independent Bank card carrying the hashed value 459384502392.]

• 123456: PIN entered on keypad
• 459384502392 = 123456 hashed
• Hashed value stored on card

Use a hashing algorithm: the hash value depends on the algorithm used, e.g. Haval, MD2, MD4, MD5, SHA hash functions (SHA-1, SHA-2).

Page 11: Hash Function,  Digital Signature  &  Public Key Infrastructure

One-way HASH function

Page 12: Hash Function,  Digital Signature  &  Public Key Infrastructure

Hash Functions

Hash code does not use a key.

Hash code is a function only of the input message.

Hash code is also referred to as a message digest or hash value.

The hash code is a function of all the bits of the message and provides an error-detection capability.

A change to any bit or bits in the message results in a change to the hash code.

Page 13: Hash Function,  Digital Signature  &  Public Key Infrastructure

Hash Function Properties

• a hash function produces a fingerprint of some file/message/data: h = H(M)
• condenses a variable-length message M to a fixed-sized fingerprint
• assumed to be public

Page 14: Hash Function,  Digital Signature  &  Public Key Infrastructure

Requirements for Hash Functions

The purpose of the HASH function is to produce a "fingerprint". Properties of a HASH function H:

1. H can be applied to a block of data of any size
2. H produces a fixed-length output
3. H(x) is easy to compute for any given x
4. For any given hash value h, it is computationally infeasible to find x such that H(x) = h (one-way property)
5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x) (weak collision resistance)
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) (strong collision resistance)

Page 15: Hash Function,  Digital Signature  &  Public Key Infrastructure

Simple Hash Functions

• there are several proposals for simple functions
• based on XOR of message blocks
• not secure, since one can manipulate any message and either not change the hash or change the hash as well
• need a stronger cryptographic function

Page 16: Hash Function,  Digital Signature  &  Public Key Infrastructure

Hash Function Operations (in terms of: Hashing, Signing, and Applications)

One useful application of hash functions is to make signature schemes more efficient.

The hash function is made public.

Starting with a message m, Alice calculates the hash h(m). This output h(m) is significantly smaller, and hence signing the hash may be done more quickly than signing the entire message.

Alice calculates the signed message sig(h(m)) for the hash function and uses it as the signature of the message.

The pair (m, sig(h(m))) now conveys basically the same knowledge as the original signature scheme did.

It has the advantages that it is faster to create (under the reasonable assumption that the hash operation is quick) and requires fewer resources for transmission or storage.

Page 17: Hash Function,  Digital Signature  &  Public Key Infrastructure

In Terms of Security

Suppose Eve has possession of Alice's signed message (m, sig(h(m))).

She has another message m' to which she wants to add Alice's signature.

This means that she needs sig(h(m')) = sig(h(m)); in particular, she needs h(m') = h(m).

If the hash function is one-way, Eve will find it hard to find any such m'.

The chance that her desired m' will work is very small. Moreover, since we require our hash function to be strongly collision-free, it is unlikely that Eve can find two messages m1 ≠ m2 with the same signatures.

Of course, if she did, she could have Alice sign m1, then transfer her signature to m2. But Alice would get suspicious, since m1 (and m2) would very likely be meaningless messages.

Page 18: Hash Function,  Digital Signature  &  Public Key Infrastructure

Check on Data Integrity

A hash function can also be employed as a check on data integrity.

The question of data integrity comes up in basically two scenarios. First: when the data (encrypted or not) are being transmitted to another person and a noisy communication channel introduces errors to the data. Second: an observer rearranges the transmission in some manner before it gets to the receiver. Either way, the data have become corrupted.

Example: Suppose Alice sends Bob long messages about financial transactions with Eve and encrypts them in blocks. Perhaps Eve deduces that the tenth block of each message lists the amount of money that is to be deposited to Eve's account. She could easily substitute the tenth block from one message into another and increase the deposit.

Integrity: the assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, or deletion).

Page 19: Hash Function,  Digital Signature  &  Public Key Infrastructure

Check on Data Integrity

Another situation:

Alice might send Bob a message consisting of several blocks of data, but one of the blocks is lost during transmission. Bob might not ever realize that the block is missing.

Here is how a hash function can be used. Say we send (m, h(m)) over the communications channel and it is received as (M, H). To check whether errors might have occurred, the recipient computes h(M) and sees whether it equals H. If any errors occurred, it is likely that h(M) ≠ H, because of the collision-free properties of h.
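The block-XOR "simple hash" of slide 15 and the (m, h(m)) integrity check of slides 18 and 19, as an added Python example that is not part of the original slides: the recipient's check is run against the noisy channel, a block rearrangement and Eve's block substitution, once with the XOR hash and once with SHA-256. The 8-byte block size, the two payment messages and all helper names are constructed for the example.

```python
import hashlib
import hmac

BLOCK = 8  # constructed block size (bytes) for the toy XOR hash


def xor_block_hash(msg: bytes) -> bytes:
    """The 'simple hash' of slide 15: XOR all fixed-size message blocks together."""
    digest = bytearray(BLOCK)
    for i in range(0, len(msg), BLOCK):
        block = msg[i:i + BLOCK].ljust(BLOCK, b"\x00")  # zero-pad the last block
        for j in range(BLOCK):
            digest[j] ^= block[j]
    return bytes(digest)


def sha256_hash(msg: bytes) -> bytes:
    """A cryptographic hash: every output bit depends on every input bit."""
    return hashlib.sha256(msg).digest()


def send(msg: bytes, h) -> tuple:
    """Sender side of slide 19: transmit (m, h(m))."""
    return msg, h(msg)


def receive(received: tuple, h) -> bool:
    """Recipient side: recompute h(M) and compare it with the received H.
    hmac.compare_digest does not leak how many leading bytes matched."""
    m, tag = received
    return hmac.compare_digest(h(m), tag)


def flip_bit(msg: bytes, bit: int) -> bytes:
    """Constructed 'noisy channel': one bit of the transmitted message is flipped."""
    out = bytearray(msg)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def swap_blocks(msg: bytes, i: int, j: int) -> bytes:
    """Constructed rearrangement by an observer: blocks i and j change places."""
    blocks = [msg[k:k + BLOCK] for k in range(0, len(msg), BLOCK)]
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)


def substitute_block(target: bytes, source: bytes, i: int) -> bytes:
    """Eve's trick from slide 18: block i of another message replaces block i here."""
    blocks = [target[k:k + BLOCK] for k in range(0, len(target), BLOCK)]
    blocks[i] = source[i * BLOCK:(i + 1) * BLOCK]
    return b"".join(blocks)


def check_all(h) -> dict:
    """Run the three corruption scenarios against one hash function h and report
    whether the recipient's check caught each of them (True = detected)."""
    # constructed messages, 41 bytes each; block 3 (bytes 24..31) holds the amount
    m1 = b"PAY TO: ALICE   AMOUNT: 0000100 REF: 0042"
    m2 = b"PAY TO: EVE     AMOUNT: 0009999 REF: 0043"
    m, tag = send(m1, h)
    return {
        "noise": not receive((flip_bit(m, 37), tag), h),
        "reorder": not receive((swap_blocks(m, 1, 3), tag), h),
        "substitute": not receive((substitute_block(m, m2, 3), tag), h),
    }


if __name__ == "__main__":
    for name, h in (("xor", xor_block_hash), ("sha256", sha256_hash)):
        print(name, check_all(h))
```

An unkeyed hash only catches accidental or crude corruption: whoever can rewrite the message can recompute h(M) as well, which is why slide 16 signs the hash rather than sending it bare.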

Page 20: Hash Function,  Digital Signature  &  Public Key Infrastructure

List of Cryptographic Hash Functions

Haval

MD2

MD4

MD5

N-Hash

RIPEMD-160

SHA Hash Functions (SHA-0, SHA-1, SHA-2)

Snefru

Tiger

Whirlpool

Page 21: Hash Function,  Digital Signature  &  Public Key Infrastructure

Other Secure HASH functions

                           SHA-1                  MD5                    RIPEMD-160
Digest length              160 bits               128 bits               160 bits
Basic unit of processing   512 bits               512 bits               512 bits
Number of steps            80 (4 rounds of 20)    64 (4 rounds of 16)    160 (5 paired rounds of 16)
Maximum message size       2^64 - 1 bits

Page 22: Hash Function,  Digital Signature  &  Public Key Infrastructure

Digital Signature / Signature Schemes

Page 23: Hash Function,  Digital Signature  &  Public Key Infrastructure

Signature schemes

digital signature schemes ≈ MACs in the public-key setting

Page 24: Hash Function,  Digital Signature  &  Public Key Infrastructure

Problem: Authentication

Page 25: Hash Function,  Digital Signature  &  Public Key Infrastructure

Problem: Authentication

Page 26: Hash Function,  Digital Signature  &  Public Key Infrastructure

Scenario

Page 27: Hash Function,  Digital Signature  &  Public Key Infrastructure

Scenario

Page 28: Hash Function,  Digital Signature  &  Public Key Infrastructure

Scenario

Page 29: Hash Function,  Digital Signature  &  Public Key Infrastructure

Scenario

Page 30: Hash Function,  Digital Signature  &  Public Key Infrastructure

Scenario

Page 31: Hash Function,  Digital Signature  &  Public Key Infrastructure

Digital Signatures

• have looked at message authentication
  – but it does not address issues of lack of trust
  – a few scenarios (transfer funds, mail message)
• digital signatures provide the ability to (properties):
  – verify author, date & time of signature
  – authenticate message contents
  – be verified by third parties to resolve disputes
• hence include authentication function with additional capabilities

Page 32: Hash Function,  Digital Signature  &  Public Key Infrastructure

Digital Signature Properties

• must depend on the message signed
• must use information unique to sender
  – to prevent both forgery and denial
• must be relatively easy to produce
• must be relatively easy to recognize & verify
• be computationally infeasible to forge
  – with new message for existing digital signature
  – with fraudulent digital signature for given message
• be practical to save the digital signature in storage

Page 33: Hash Function,  Digital Signature  &  Public Key Infrastructure

Digital Signature Categories

Digital signatures fall into two categories:

• Direct Digital Signature
• Arbitrated Digital Signature

Page 34: Hash Function,  Digital Signature  &  Public Key Infrastructure

Direct Digital Signatures

• involve only sender & receiver
• assumed receiver has sender's public key
• digital signature made by sender signing entire message or hash with private key
• can encrypt using receiver's public key
• important that sign first, then encrypt message & signature
• security depends on sender's private key

Page 35: Hash Function,  Digital Signature  &  Public Key Infrastructure

Arbitrated Digital Signatures

• involves use of arbiter A
  – validates any signed message
  – then dated and sent to recipient
• requires suitable level of trust in arbiter
• can be implemented with either private- or public-key algorithms
• arbiter may or may not see message

Page 36: Hash Function,  Digital Signature  &  Public Key Infrastructure

Authentication Protocols

• used to convince parties of each other's identity and to exchange session keys
• may be one-way or mutual
• key issues are
  – confidentiality – to protect session keys
  – timeliness – to prevent replay attacks

Page 37: Hash Function,  Digital Signature  &  Public Key Infrastructure

Replay Attacks

• where a valid signed message is copied and later resent
  – simple replay
  – repetition that can be logged
  – repetition that cannot be detected
  – backward replay without modification
• countermeasures include
  – use of sequence numbers (generally impractical)
  – timestamps (needs synchronized clocks)
  – challenge/response (using unique nonce)

Page 38: Hash Function,  Digital Signature  &  Public Key Infrastructure

Using Symmetric Encryption

• as discussed previously, can use a two-level hierarchy of keys
• usually with a trusted Key Distribution Center (KDC)
  – each party shares own master key with KDC
  – KDC generates session keys used for connections between parties
  – master keys used to distribute these to them

Page 39: Hash Function,  Digital Signature  &  Public Key Infrastructure

Needham-Schroeder Protocol

• original third-party key distribution protocol
• for session between A and B mediated by KDC
• protocol overview is:

1. A→KDC: ID_A || ID_B || N1
2. KDC→A: E_Ka[Ks || ID_B || N1 || E_Kb[Ks || ID_A]]
3. A→B: E_Kb[Ks || ID_A]
4. B→A: E_Ks[N2]
5. A→B: E_Ks[f(N2)]

Page 40: Hash Function,  Digital Signature  &  Public Key Infrastructure

Needham-Schroeder Protocol

• used to securely distribute a new session key for communications between A & B
• but is vulnerable to a replay attack if an old session key has been compromised
  – then message 3 can be resent, convincing B that it is communicating with A
• modifications to address this require:
  – timestamps (Denning 81)
  – using an extra nonce (Neuman 93)
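The Needham-Schroeder exchange of slide 39 with the timestamp in the ticket that slide 40 attributes to Denning 81, as an added Python example that is not part of the original slides: a KDC, the two parties, all five messages, and B's rejection of a replayed message 3. The encryption E_K[...] is a constructed SHA-256/HMAC stand-in, and the 5-second MAX_AGE and f(N2) = SHA-256(N2) are assumptions.

```python
import hashlib
import hmac
import json
import os

MAX_AGE = 5.0  # seconds a ticket may be old before B rejects it (Denning's check)


# Constructed stand-in for E_K[...]: SHA-256 keystream plus an HMAC tag (encrypt-then-MAC).
# It only exists so the protocol runs with the standard library; use a real AEAD in practice.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, fields: dict) -> bytes:
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or modified message")
    return json.loads(bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body)))))


def f(nonce_hex: str) -> str:
    """The agreed public function of N2 used in message 5 (assumed: SHA-256)."""
    return hashlib.sha256(bytes.fromhex(nonce_hex)).hexdigest()


class KDC:
    """Shares a master key with every party and answers message 1 with message 2."""
    def __init__(self, master_keys: dict):
        self.keys = master_keys

    def request(self, ida: str, idb: str, n1: str, now: float) -> bytes:
        ks = os.urandom(16).hex()
        # E_Kb[Ks || ID_A || T]: the ticket A will forward to B as message 3
        ticket = encrypt(self.keys[idb], {"Ks": ks, "IDA": ida, "T": now})
        # E_Ka[Ks || ID_B || N1 || ticket]
        return encrypt(self.keys[ida], {"Ks": ks, "IDB": idb, "N1": n1, "ticket": ticket.hex()})


class Party:
    def __init__(self, ident: str, master_key: bytes):
        self.id, self.kmaster, self.ks, self.n2 = ident, master_key, None, None

    # A's side: messages 1 and 2, returning the message 3 payload
    def start(self, kdc: KDC, idb: str, now: float) -> bytes:
        n1 = os.urandom(8).hex()
        reply = decrypt(self.kmaster, kdc.request(self.id, idb, n1, now))
        if reply["N1"] != n1 or reply["IDB"] != idb:   # reply must belong to this request
            raise ValueError("KDC reply does not match request")
        self.ks = bytes.fromhex(reply["Ks"])
        return bytes.fromhex(reply["ticket"])            # message 3: E_Kb[Ks || ID_A || T]

    # B's side: accept message 3 and issue message 4
    def accept_ticket(self, ticket: bytes, now: float) -> bytes:
        t = decrypt(self.kmaster, ticket)
        if not (0 <= now - t["T"] <= MAX_AGE):          # stale (replayed) ticket is rejected
            raise ValueError("stale ticket")
        self.ks = bytes.fromhex(t["Ks"])
        self.n2 = os.urandom(8).hex()
        return encrypt(self.ks, {"N2": self.n2})         # message 4: E_Ks[N2]

    def answer_challenge(self, msg4: bytes) -> bytes:   # A: message 5, E_Ks[f(N2)]
        return encrypt(self.ks, {"fN2": f(decrypt(self.ks, msg4)["N2"])})

    def check_answer(self, msg5: bytes) -> bool:        # B: confirms A holds Ks too
        return decrypt(self.ks, msg5)["fN2"] == f(self.n2)


def run_protocol(kdc: KDC, a: Party, b: Party, now: float) -> bool:
    """Full five-message run; True when both sides end up with the same fresh Ks."""
    msg4 = b.accept_ticket(a.start(kdc, b.id, now), now)
    return b.check_answer(a.answer_challenge(msg4)) and a.ks == b.ks


def replay_is_rejected(kdc: KDC, a: Party, b: Party, now: float) -> bool:
    """Message 3 from an old session, resent an hour later, must not be accepted by B."""
    old_ticket = a.start(kdc, b.id, now)
    try:
        b.accept_ticket(old_ticket, now + 3600)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ka, kb = os.urandom(16), os.urandom(16)
    kdc = KDC({"A": ka, "B": kb})
    print("session established:", run_protocol(kdc, Party("A", ka), Party("B", kb), 1000.0))
    print("replay rejected:", replay_is_rejected(kdc, Party("A", ka), Party("B", kb), 1000.0))
```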

Page 41: Hash Function,  Digital Signature  &  Public Key Infrastructure

Using Public-Key Encryption

• have a range of approaches based on the use of public-key encryption
• need to ensure have correct public keys for other parties
• using a central Authentication Server (AS)
• various protocols exist using timestamps or nonces

Page 42: Hash Function,  Digital Signature  &  Public Key Infrastructure

Denning AS Protocol

• Denning 81 presented the following:

1. A→AS: ID_A || ID_B
2. AS→A: E_KRas[ID_A || KU_a || T] || E_KRas[ID_B || KU_b || T]
3. A→B: E_KRas[ID_A || KU_a || T] || E_KRas[ID_B || KU_b || T] || E_KUb[E_KRa[Ks || T]]

• note session key is chosen by A, hence AS need not be trusted to protect it
• timestamps prevent replay but require synchronized clocks

Page 43: Hash Function,  Digital Signature  &  Public Key Infrastructure

One-Way Authentication

• required when sender & receiver are not in communication at the same time (e.g. email)

• have header in clear so can be delivered by email system

• may want contents of body protected & sender authenticated

Page 44: Hash Function,  Digital Signature  &  Public Key Infrastructure

Using Symmetric Encryption

• can refine use of KDC but can't have final exchange of nonces, viz.:

1. A→KDC: ID_A || ID_B || N1
2. KDC→A: E_Ka[Ks || ID_B || N1 || E_Kb[Ks || ID_A]]
3. A→B: E_Kb[Ks || ID_A] || E_Ks[M]

• does not protect against replays
  – could rely on timestamp in message, though email delays make this problematic

Page 45: Hash Function,  Digital Signature  &  Public Key Infrastructure

Public-Key Approaches

• have seen some public-key approaches
• if confidentiality is major concern, can use:

A→B: E_KUb[Ks] || E_Ks[M]

  – has encrypted session key, encrypted message
• if authentication needed, use a digital signature with a digital certificate:

A→B: M || E_KRa[H(M)] || E_KRas[T || ID_A || KU_a]

  – with message, signature, certificate

Page 46: Hash Function,  Digital Signature  &  Public Key Infrastructure

Digital Signature Standard (DSS)

• US Govt approved signature scheme FIPS 186
• uses the SHA hash algorithm
• designed by NIST & NSA in early 90's
• DSS is the standard, DSA is the algorithm
• a variant on ElGamal and Schnorr schemes
• creates a 320 bit signature, but with 512-1024 bit security
• security depends on difficulty of computing discrete logarithms

Page 47: Hash Function,  Digital Signature  &  Public Key Infrastructure

DSA Key Generation

• have shared global public key values (p, q, g):
  – a large prime p of L bits (p ≈ 2^L)
    • where L = 512 to 1024 bits and is a multiple of 64
  – choose q, a 160 bit prime factor of p-1
  – choose g = h^((p-1)/q)
    • where h < p-1, h^((p-1)/q) (mod p) > 1
• users choose private & compute public key:
  – choose x < q
  – compute y = g^x (mod p)

Page 48: Hash Function,  Digital Signature  &  Public Key Infrastructure

DSA Signature Creation

• to sign a message M the sender:
  – generates a random signature key k, k < q
  – nb. k must be random, be destroyed after use, and never be reused
• then computes signature pair:

r = (g^k (mod p)) (mod q)
s = (k^-1 · (SHA(M) + x·r)) (mod q)

• sends signature (r, s) with message M

Page 49: Hash Function,  Digital Signature  &  Public Key Infrastructure

DSA Signature Verification

• having received M & signature (r, s)
• to verify a signature, recipient computes:

w = s^-1 (mod q)
u1 = (SHA(M) · w) (mod q)
u2 = (r · w) (mod q)
v = (g^u1 · y^u2 (mod p)) (mod q)

• if v = r then signature is verified
• see book web site for details of proof why
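Slides 47 to 49, together with the sign-the-hash construction of slide 16, worked through in Python as an added example that is not part of the original slides: DSA key generation, signing and verification with constructed toy parameters p = 23, q = 11, g = 4 so that every value can be checked by hand. Real deployments use the 512 to 1024-bit p and 160-bit q of slide 47; here SHA(M) is taken to be SHA-1 reduced mod q, and k is accepted as a parameter only so the test can use a hand-checked value.

```python
import hashlib
import secrets

# Constructed toy parameters: q = 11 divides p - 1 = 22, and g = 2^((p-1)/q) mod 23 = 4.
# They make the arithmetic checkable by hand; they give no security at all.
TOY = {"p": 23, "q": 11, "g": 4}


def dsa_params(p: int, q: int, h: int) -> dict:
    """Derive g = h^((p-1)/q) mod p as on slide 47; reject an h that gives g = 1."""
    assert (p - 1) % q == 0, "q must divide p - 1"
    g = pow(h, (p - 1) // q, p)
    assert g > 1, "choose a different h"
    return {"p": p, "q": q, "g": g}


def dsa_keygen(params: dict) -> tuple:
    """Private x with 0 < x < q, public y = g^x mod p."""
    x = 1 + secrets.randbelow(params["q"] - 1)
    return x, pow(params["g"], x, params["p"])


def hash_to_int(message: bytes, q: int) -> int:
    """SHA(M) as an integer; with a toy q it has to be reduced mod q."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q


def dsa_sign(params: dict, x: int, h: int, k: int = None) -> tuple:
    """r = (g^k mod p) mod q,  s = k^-1 (h + x r) mod q.
    k must be fresh, secret and destroyed after use (slide 48); it is a parameter
    here only so a hand-checked value can be supplied in tests."""
    p, q, g = params["p"], params["q"], params["g"]
    while True:
        kk = k if k is not None else 1 + secrets.randbelow(q - 1)
        r = pow(g, kk, p) % q
        s = (pow(kk, -1, q) * (h + x * r)) % q
        if r != 0 and s != 0:          # FIPS 186 requires both components non-zero
            return r, s
        if k is not None:
            raise ValueError("this k yields a zero component; pick another")


def dsa_verify(params: dict, y: int, h: int, sig: tuple) -> bool:
    """w = s^-1, u1 = h w, u2 = r w (all mod q); v = (g^u1 y^u2 mod p) mod q; accept iff v = r."""
    p, q, g = params["p"], params["q"], params["g"]
    r, s = sig
    if not (0 < r < q and 0 < s < q):  # range check before any arithmetic
        return False
    w = pow(s, -1, q)
    u1 = (h * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def sign_message(params: dict, x: int, message: bytes) -> tuple:
    """(m, sig(h(m))) of slide 16: sign the hash, not the message."""
    return dsa_sign(params, x, hash_to_int(message, params["q"]))


def verify_message(params: dict, y: int, message: bytes, sig: tuple) -> bool:
    return dsa_verify(params, y, hash_to_int(message, params["q"]), sig)


if __name__ == "__main__":
    x, y = dsa_keygen(TOY)
    m = b"transfer 100"
    sig = sign_message(TOY, x, m)
    print("signature", sig, "verifies:", verify_message(TOY, y, m, sig))
    print("modified message verifies:", verify_message(TOY, y, b"transfer 900", sig))
```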

Page 50: Hash Function,  Digital Signature  &  Public Key Infrastructure

Summary

• have considered:
  – digital signatures
  – authentication protocols (mutual & one-way)
  – digital signature standard

Page 51: Hash Function,  Digital Signature  &  Public Key Infrastructure

Message Authentication Codes – the idea

[Figure: Alice (holding k) sends Bob (holding k) the pair (m, t = Tag_k(m)), with m ∈ {0,1}*; Bob computes Vrfy_k(m, t) ∈ {yes, no}.]

k is chosen randomly from some set K.

Page 52: Hash Function,  Digital Signature  &  Public Key Infrastructure

Signature Schemes

[Figure, MAC: Alice (k) sends Bob (k) the pair (m, t = Tag_k(m)); Bob computes Vrfy_k(m, t) ∈ {yes, no}.]

[Figure, signature scheme: (pk, sk) := Gen(1^n); Alice (sk) sends Bob (pk) the pair (m, σ = Sign_sk(m)), with m ∈ {0,1}*; Bob computes Vrfy_pk(m, σ) ∈ {yes, no}.]

Page 53: Hash Function,  Digital Signature  &  Public Key Infrastructure

Advantages of the signature schemes

Digital signatures are:

1. publicly verifiable
2. transferable
3. provide non-repudiation

Page 54: Hash Function,  Digital Signature  &  Public Key Infrastructure

Anyone can verify the signatures

[Figure: parties P1 … P5; their public keys pk1 … pk5 are kept in a public register. P3 holds sk3.]

1. P3 computes Sign(sk3, m)
2. any other party reads pk3 from the public register
3. and computes Vrfy(pk3, m, σ)

Page 55: Hash Function,  Digital Signature  &  Public Key Infrastructure

Look at the MACs...

[Figure: Alice (k) sends Bob (k) the pair (m, t = Tag_k(m)), m ∈ {0,1}*. Bob then turns to Carol.]

Bob: "Look, I got (m, t) from Alice."

Carol: "Why shall I trust you?
1. You could have created t yourself (because you know k).
2. I don't know k, so how can I verify the tag?"

Page 56: Hash Function,  Digital Signature  &  Public Key Infrastructure

Signatures are publicly-verifiable!

[Figure: Alice (skA) sends Bob (pkA) the pair (m, σ = Sign_sk(m)), m ∈ {0,1}*. Bob then turns to Carol.]

Bob: "Look, I got (m, σ) from Alice."

Carol: "I can calculate Vrfy(pkA, m, σ) and check."

Page 57: Hash Function,  Digital Signature  &  Public Key Infrastructure

So, the signatures are transferable

[Figure: Alice (skA) computes σ = Sign(skA, m). The pair (m, σ) is passed from P1 to P2 to P3 to P4; each of them holds pkA, verifies the signature, and says "Alice signed m" and "I believe it!".]

Page 58: Hash Function,  Digital Signature  &  Public Key Infrastructure

Non-repudiation

[Figure: Alice (skA) sends Bob (pkA) the pair (m, σ = Sign_sk(m)), m ∈ {0,1}*. Bob takes it to a Judge.]

Bob: "I've got (m, σ) from Alice."

Alice: "It's not true! I never signed m!"

Judge: "Vrfy(pk, m, σ) = yes, so you cannot repudiate signing m..."

Page 59: Hash Function,  Digital Signature  &  Public Key Infrastructure

Digital Signature Schemes

A digital signature scheme is a tuple (Gen, Sign, Vrfy) of poly-time algorithms, such that:

• the key-generation algorithm Gen takes as input a security parameter 1^n and outputs a pair (pk, sk),
• the signing algorithm Sign takes as input a key sk and a message m ∈ {0,1}* and outputs a signature σ,
• the verification algorithm Vrfy takes as input a key pk, a message m and a signature σ, and outputs a bit b ∈ {yes, no}.

If Vrfy_pk(m, σ) = yes then we say that σ is a valid signature on the message m.

Page 60: Hash Function,  Digital Signature  &  Public Key Infrastructure

Correctness

We require that it always holds that:

Vrfy_pk(m, Sign_sk(m)) = yes

What remains is to define security of a MAC.

Page 61: Hash Function,  Digital Signature  &  Public Key Infrastructure

Other popular signature schemes

Based on discrete log:

• ElGamal signatures

• Digital Signature Standard (DSS)

(also based on other groups – elliptic curves)

Page 62: Hash Function,  Digital Signature  &  Public Key Infrastructure

Public Key Infrastructure

Page 63: Hash Function,  Digital Signature  &  Public Key Infrastructure

Overview

1. Simple Fundamentals
2. Qualified signatures
3. PKI and trust management
4. Introduction to the key establishment protocols

Page 64: Hash Function,  Digital Signature  &  Public Key Infrastructure

Public Key Infrastructures

[Figure: the cast. Alice (sender), Bob (receiver), Charlie (Certification Authority), Reggie (Registration Authority), Eve (hacker).]

Page 65: Hash Function,  Digital Signature  &  Public Key Infrastructure

Public Key Infrastructures

Alice and Bob want to be able to communicate securely by sending messages to each other.

They want to be able to use trustworthy digital signature technology to protect the integrity of their messages, and they may also want to use encryption to keep the contents of their messages secret. To achieve all this, they've decided to use a PKI (Public Key Infrastructure) system and digital certificates.

Page 66: Hash Function,  Digital Signature  &  Public Key Infrastructure

Public Key Infrastructures

Alice and Bob want to enroll in a PKI system.

Charlie runs a Certification Authority (CA), and will be issuing certificates to Alice and Bob.

To make Charlie's job easier, he relies on his twin brother Reggie, a Registration Authority (RA), who interacts with Alice and Bob on Charlie's behalf.

Page 67: Hash Function,  Digital Signature  &  Public Key Infrastructure

Public Key Infrastructures

Alice and Bob want to enroll in a PKI system, and have decided to purchase certificates from Charlie, a Certification Authority.

To do this, they'll first need to contact Reggie, a Registration Authority who has an agreement with Charlie, to prove their identities. (Having Reggie conduct part of the enrolment proceedings makes Charlie's job a little easier.) But before they do that, they'll each have to generate a signing key for themselves.

[Figure: RA and CA.]

Page 68: Hash Function,  Digital Signature  &  Public Key Infrastructure

Public Key Infrastructures

Let's see the procedure Alice goes through to enroll in the PKI. Bob will have to go through the exact same process.

First Alice asks her computer to generate a private signing key and a public key. Her private key is for her use only, and she must never share it with anyone. Her public key can be available to the world (in fact it will be included in the certificate issued by Charlie), and anyone can use it to verify her digital signature on a message.

[Figure: Alice's Public Key and Alice's Private Key.]

Page 69: Hash Function,  Digital Signature  &  Public Key Infrastructure

Public Key Infrastructures

Next, she goes to visit Reggie, a Registration Authority, at his office. It is Reggie's duty to verify Alice's identity, so that he can say to Charlie that he has made sure that Alice is Alice. Since Charlie will be issuing a certificate to her, and the certificate conveys a high level of assurance that Alice is who she says she is, and people will be trusting that, Charlie needs Reggie to be very careful about this.

Alice shows Reggie proof of government-issued photo identification.

[Figure: Alice's identity card, shown to the RA: Alice, Female, Serdang, Selangor, 600606-02-8679.]

Since Reggie trusts the government that issued these identification cards, he is extremely certain that Alice is who she says she is: he has authenticated Alice's identity. Next, he must transfer this knowledge to Charlie.

Page 70: Hash Function,  Digital Signature  &  Public Key Infrastructure

Public Key Infrastructures

Reggie has a secure encrypted computer link to his twin brother Charlie, the CA, so it is easy for him to notify Charlie of Alice's enrolment, and to let him know that he has authenticated her identity.

He makes up a reference number for Alice's account, gives it to her, and also uses this number to enroll her with Charlie over the encrypted link. In return, over the same encrypted link, Charlie sends Reggie an authorization code that Alice will use later.

[Figure: RA → CA: Alice's enrolment information; CA → RA: authorization code for Alice.]

Instead of giving Alice the authorization code, he sends it to her office voicemail box. This is an extra check to make sure that Alice has supplied appropriate contact information.

Page 71: Hash Function,  Digital Signature  &  Public Key Infrastructure

Public Key Infrastructures

Alice can now return to her office. She uses her computer to create a certificate-request form. This form includes the following:

• her enrolment information, as given to Reggie earlier (name, address, etc.)
• the authorization code that Charlie made, which Reggie left in her voicemail
• her public key

Then, she digitally signs her certificate-request form, using her private key. This is very important, because she needs to prove that she possesses the private key that corresponds to the certificate that Charlie will be issuing her. If she can't prove she has the private key, Charlie won't issue the certificate.

[Figure: Alice sends the reference number and certificate request.]

Page 72: Hash Function,  Digital Signature  &  Public Key Infrastructure

72

Charlie can check her signature using her public key.

Alice logs into Charlie's web site using her reference number and submits her certificate request form.

After receiving Alice's certificate request, he has to do some checking to make sure it's OK.

First, he checks to make sure the reference number and authorization code match what they are supposed to.

The authorization code inside Alice's certificate request must be the same as what Charlie has on file.


Page 73: Hash Function,  Digital Signature  &  Public Key Infrastructure

73

Since Reggie had verified Alice's identity when the authorization code was given to her, Charlie knows that the certificate request came from Alice, and not somebody else pretending to be Alice.

Next, he takes the public key from the certificate request, and uses it to verify the digital signature on the request. If the signature is correct, then he knows Alice does possess her private key.

Having authenticated her identity, and verified that she has the right private key, Charlie issues the certificate in Alice's name and sends it back to her.

Diagram (Public Key Infrastructures): CA, Certification Approved. Certificate: Subject: Alice; Name: Alice; Issuer: Charlie; Issued: 21-08-2008.
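The enrolment and issuance steps of the last few slides, worked through in code. This is an added example, not part of the lecture: the signature scheme is a toy RSA on fixed Mersenne primes (constructed so the example runs offline, far too small to be secure), the reference numbers, authorization codes and addresses are constructed, and the 21-08-2008 issue date is copied from the slide. The point it shows is the proof-of-possession check: Charlie verifies the request's signature with the public key carried inside the request, so a request that carries Alice's public key but is signed with somebody else's private key is refused, exactly as the slide says.

```python
import hashlib
import json
import secrets

# Toy RSA on two fixed Mersenne primes. Constructed for this example only; the
# moduli are far too small to be secure.
def toy_keypair(p, q, e=65537):
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def toy_sign(sk, data):
    n, d = sk
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def toy_verify(pk, data, sig):
    n, e = pk
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def canonical(obj):
    """Deterministic encoding: signer and verifier must hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class CertificationAuthority:
    """Charlie: holds the CA key, the pending enrolments and the public repository."""

    def __init__(self, primes):
        self.pk, self._sk = toy_keypair(*primes)
        self._pending = {}      # reference number -> (enrolment, authorization code)
        self.repository = {}    # subject name -> issued certificate

    def register(self, ref, enrolment):
        # Called by the RA over its encrypted link; returns the authorization code.
        code = secrets.token_hex(8)
        self._pending[ref] = (enrolment, code)
        return code

    def issue(self, ref, request):
        if ref not in self._pending:
            raise ValueError("unknown reference number")
        enrolment, code = self._pending[ref]
        body = request["body"]
        # 1. reference number and authorization code must match what is on file
        if body["auth_code"] != code or body["enrolment"] != enrolment:
            raise ValueError("authorization code does not match the one on file")
        # 2. proof of possession: the signature must verify under the key in the request
        if not toy_verify(tuple(body["public_key"]), canonical(body), request["signature"]):
            raise ValueError("request signature invalid: no proof of the private key")
        del self._pending[ref]  # the authorization code is single-use
        tbs = {"subject": enrolment["name"], "issuer": "Charlie",
               "public_key": body["public_key"], "issued": "21-08-2008"}
        cert = {"tbs": tbs, "signature": toy_sign(self._sk, canonical(tbs))}
        self.repository[tbs["subject"]] = cert   # published so anyone can check it
        return cert

    def verify_certificate(self, cert):
        return toy_verify(self.pk, canonical(cert["tbs"]), cert["signature"])

class RegistrationAuthority:
    """Reggie: verifies identity in person, then enrols the applicant with the CA."""

    def __init__(self, ca):
        self.ca = ca

    def enrol(self, enrolment):
        ref = secrets.token_hex(4)                 # reference number handed to Alice
        code = self.ca.register(ref, enrolment)    # over the encrypted RA-CA link
        return ref, code                           # code goes to Alice's office voicemail

def make_request(enrolment, auth_code, pk, sk):
    """Alice's certificate-request form, signed with her private key."""
    body = {"enrolment": enrolment, "auth_code": auth_code, "public_key": list(pk)}
    return {"body": body, "signature": toy_sign(sk, canonical(body))}

ALICE_PRIMES = ((1 << 127) - 1, (1 << 107) - 1)   # constructed toy keys
CA_PRIMES = ((1 << 89) - 1, (1 << 61) - 1)

def run_enrolment():
    ca = CertificationAuthority(CA_PRIMES)
    ra = RegistrationAuthority(ca)
    enrolment = {"name": "Alice", "address": "constructed sample address"}
    ref, code = ra.enrol(enrolment)
    alice_pk, alice_sk = toy_keypair(*ALICE_PRIMES)
    cert = ca.issue(ref, make_request(enrolment, code, alice_pk, alice_sk))
    return ca, cert

def impostor_is_rejected():
    """Someone who knows Alice's public key but not her private key gets no certificate."""
    ca = CertificationAuthority(CA_PRIMES)
    ra = RegistrationAuthority(ca)
    enrolment = {"name": "Alice", "address": "constructed sample address"}
    ref, code = ra.enrol(enrolment)
    alice_pk, _ = toy_keypair(*ALICE_PRIMES)
    _, other_sk = toy_keypair((1 << 31) - 1, (1 << 19) - 1)   # the impostor's own key
    try:
        ca.issue(ref, make_request(enrolment, code, alice_pk, other_sk))
    except ValueError:
        return True
    return False
```

Calling run_enrolment() walks the whole path from Reggie's enrolment to the certificate landing in Charlie's repository; impostor_is_rejected() shows why the request has to be signed: the authorization code alone does not prove who holds the private key.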

Page 74: Hash Function,  Digital Signature  &  Public Key Infrastructure

74

Charlie also publishes the certificate in his public repository, so that anybody receiving a message from Alice can check her certificate.

After Bob has his certificate too, Alice and Bob can use digital signatures to ensure the integrity and sender's identity of their messages.


Page 75: Hash Function,  Digital Signature  &  Public Key Infrastructure

75

If Alice and Bob want to use encryption to keep the contents of their messages secret, then they will also need a separate set of encryption keys and certificates for that purpose.

They can obtain these certificates at the same time as they obtain their signing certificates.


Page 76: Hash Function,  Digital Signature  &  Public Key Infrastructure

76

Overview

1. Simple Fundamental

2. Qualified signatures

3. PKI and trust management

4. Introduction to the key establishment protocols

Page 77: Hash Function,  Digital Signature  &  Public Key Infrastructure

77

Question: How to maintain the public register?

1. We start with the case where the public keys are used for signing that is legally binding.

2. Then we consider other cases.

Page 78: Hash Function,  Digital Signature  &  Public Key Infrastructure

78

A problem

Alice holds skA; Bob knows pkA. Alice sends Bob a message m ∈ {0,1}* together with σ = Signsk(m).

Bob (to the Judge): I got (m, σ) from Alice.

Alice: It's not true! I never signed m!

Judge: Vrfy(pk, m, σ) = yes, so you cannot repudiate signing m...

Alice: But pk is not my public key!

Page 79: Hash Function,  Digital Signature  &  Public Key Infrastructure

79

Solution: certification authorities

A simplified view:

Alice comes with her ID and pkAlice to the Certification Authority, which holds a key pair (pkCert, skCert).

The Certification Authority checks the ID of Alice and issues a certificate:

SignskCert(“pkAlice is a public key of Alice”)

Now, everyone can verify that pkAlice is a public key of Alice. So Alice can attach it to every signature.

(really everyone?)

Page 80: Hash Function,  Digital Signature  &  Public Key Infrastructure

80

What is needed to verify the certificate

To verify the certificate coming from Cert one needs:

1. to know the public key of the Cert

2. to trust Cert.

It is better if Cert also keeps a document: “I, Alice certify that pkAlice is my public key”

with a written signature of Alice.

Page 81: Hash Function,  Digital Signature  &  Public Key Infrastructure

81

How does it look from the legal point of view?

What matters at the end is if you can convince the judge.

Many countries now have a special law regulating these things.

In Malaysia it is: MCMC

Page 82: Hash Function,  Digital Signature  &  Public Key Infrastructure

82

Malaysian Certificate Authorities:

Digicert

Page 83: Hash Function,  Digital Signature  &  Public Key Infrastructure

83

So, what to do if you want to issue the qualified signatures?

You have to go to one of these companies and get a qualified certificate (it costs!).

The certificate is valid just for some given period.

Page 84: Hash Function,  Digital Signature  &  Public Key Infrastructure

84

What if the secret key is lost?

1. In this case you have to revoke the certificate. Every authority maintains a list of revoked certificates.

2. The certificates come with some insurance.

Page 85: Hash Function,  Digital Signature  &  Public Key Infrastructure

85

Plan

1. Qualified signatures

2. PKI and trust management

3. Introduction to the key establishment protocols

Page 86: Hash Function,  Digital Signature  &  Public Key Infrastructure

86

In many cases one doesn't want to use qualified signatures:

1. The certificates cost.

2. It's risky to use them:

How do you know what your computer is really signing? Computers have viruses, Trojan horses, etc.

You can use external (trusted) hardware, but it should have a display (so you can see what is signed).

Remember: qualified signatures are equivalent to the written ones!

Page 87: Hash Function,  Digital Signature  &  Public Key Infrastructure

87

Practical solution

In many cases the qualified signatures are an overkill.

Instead, people use non-qualified signatures.

The certificates are distributed using a public-key infrastructure (PKI).

Page 88: Hash Function,  Digital Signature  &  Public Key Infrastructure

88

Users can certify keys of the other users

Diagram: P1 (key pk1), P2 (key pk2), P3 (key pk3). P1 knows pk2 and “trusts” P2; P2 knows pk3.

P2 certifies that pk3 is a public key of P3 (signature of P2).

P1 believes that pk3 is a public key of P3.

This should be done only if P2 really met P3 in person and verified his identity.

Page 89: Hash Function,  Digital Signature  &  Public Key Infrastructure

89

Users can certify keys of the other users

Diagram: P1 (pk1), P2 (pk2), P3 (pk3), P4 (pk4). P1 knows pk2 and “trusts” P2; P2 knows pk3 and “trusts” P3; P3 knows pk4.

P2 certifies that pk3 is a public key of P3 (signature of P2).

P3 certifies that pk4 is a public key of P4 (signature of P3).

P1 believes that pk3 is a public key of P3.

Page 90: Hash Function,  Digital Signature  &  Public Key Infrastructure

90

Diagram: P1 (pk1), P2 (pk2), P3 (pk3), P4 (pk4), P5 (pk5). P1 knows pk2 and “trusts” P2; P2 knows pk3 and “trusts” P3; P3 knows pk4 and “trusts” P4; P4 knows pk5.

P2 certifies that pk3 is a public key of P3 (signature of P2).

P3 certifies that pk4 is a public key of P4 (signature of P3).

P4 certifies that pk5 is a public key of P5 (signature of P4).

P1 believes that pk3 is a public key of P3.

This is called a certificate chain.

Page 91: Hash Function,  Digital Signature  &  Public Key Infrastructure

91

A problem

What if P1 does not know P3? How can he trust him?

Answer: P2 can recommend P3 to P1.

Diagram: P1 (pk1), P2 (pk2), P3 (pk3), P4 (pk4). P1 knows pk2 and “trusts” P2; P2 knows pk3 and “trusts” P3; P3 knows pk4.

Page 92: Hash Function,  Digital Signature  &  Public Key Infrastructure

92

A question: is trust transitive?

Does:

P1 (pk1) “trusts” P2 (pk2), and P2 “trusts” P3 (pk3)

imply:

P1 “trusts” P3?

Page 93: Hash Function,  Digital Signature  &  Public Key Infrastructure

93

Example

P1 trusts that P2 is a very honest person.

P2 trusts that P3 is a very honest person, and tells P1: “I can recommend P3”.

But P1 doesn't trust that P3 is honest, because he thinks that P2 is honest but naive.

Page 94: Hash Function,  Digital Signature  &  Public Key Infrastructure

94

Moral

Trust is not transitive:

“P1 trusts in the certificates issued by P2”

is not the same as saying:

“P1 trusts that if

P2 says you can trust the certificates issued by P3

then one can trust the certificates issued by P3”

Page 95: Hash Function,  Digital Signature  &  Public Key Infrastructure

95

Recommendation levels

level 1 recommendation:

A: “you can trust in all the certificates issued by B”

level 2 recommendation:

A: “you can trust all the level 1 recommendations issued by B”

level 3 recommendation:

A: “you can trust all the level 2 recommendations issued by B”

and so on...

Recursively, level i+1 recommendation:

A: “you can trust all the level i recommendations issued by B”

Page 96: Hash Function,  Digital Signature  &  Public Key Infrastructure

96

Diagram: P1, P2, P3, P4.

Now, if:

P2 issues a recommendation of level 2 for P3,

P3 issues a recommendation of level 1 for P4, and

P1 trusts in all the recommendations issued by P2,

then P1 trusts the certificates issued by P4.

Of course the recommendations also need to be signed. Starts to look complicated...

Page 97: Hash Function,  Digital Signature  &  Public Key Infrastructure

97

How is it solved in practice?

In the popular X.509 standard the recommendation is included in the certificate.

Here the level of recommendations is bounded using a field called basic constraints.

X.509 is used for example in SSL.

SSL is implemented in every popular web-browser.

So, let’s look at it.

Page 98: Hash Function,  Digital Signature  &  Public Key Infrastructure

98

Page 99: Hash Function,  Digital Signature  &  Public Key Infrastructure

99

Page 100: Hash Function,  Digital Signature  &  Public Key Infrastructure

100

Page 101: Hash Function,  Digital Signature  &  Public Key Infrastructure

101

Page 102: Hash Function,  Digital Signature  &  Public Key Infrastructure

102

This field limits the recommendation depth (here it's unlimited).

Page 103: Hash Function,  Digital Signature  &  Public Key Infrastructure

103

Concrete example

Let’s go to the Banca Di Roma website

Page 104: Hash Function,  Digital Signature  &  Public Key Infrastructure

104

a certificate chain

Page 105: Hash Function,  Digital Signature  &  Public Key Infrastructure

105

The second certificate was signed by ”Verisign Primary Authority” for “Verisign Inc”.

(It's not strange, we will discuss it.)

Page 106: Hash Function,  Digital Signature  &  Public Key Infrastructure

106

Look here

Page 107: Hash Function,  Digital Signature  &  Public Key Infrastructure

107

The third certificate was issued by Verisign Inc. for Banca di Roma.

Page 108: Hash Function,  Digital Signature  &  Public Key Infrastructure

108

The typical picture

The web browser knows these certificates: Verisign, DigiCert, Entrust, . . .

Diagram: below Verisign sit Verisign Europe, Verisign USA and Verisign Italy, and below them the certificate of Banca di Roma. The route from the certificate the browser knows down to Banca di Roma is a certificate path.

Implicit assumptions:

• the author of the browser is honest,
• the author of the browser is competent,
• nobody manipulated the browser.

Is it always true?

Page 109: Hash Function,  Digital Signature  &  Public Key Infrastructure

109

Diagram: a chain CA1, CA2, CA3, ..., CAn, client, with certificates cert1, cert2, cert3, ..., certn-1, certn and depth bounds d1, d2, d3, ..., dn.

Moreover: each certi has a number di denoting a maximal depth of certificate chain from this point (this limits the recommendation depth).

That is, we need to have: di ≥ n - i

All these certificates have to have a flag “Is a Certification Authority” switched on.
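The depth check on this slide (di ≥ n - i, the bounded recommendation depth from the earlier slides) and the CA flag, together with the “unknown root” experiment a few slides on, as an added example that is not from the lecture. The names are modelled on the Verisign / Banca di Roma chain in the screenshots, but every certificate and key here is constructed, using the same toy RSA on fixed Mersenne primes as the earlier enrolment example (not secure). di is stored as max_depth, with None meaning unlimited, as in the browser screenshot. One assumption beyond the slide: the CA flag is checked on every certificate that signs the next one and not on the end-entity certificate certn, which is how X.509 treats it.

```python
import hashlib
import json

# Toy RSA on fixed Mersenne primes; constructed for this example, not secure.
def toy_keypair(p, q, e=65537):
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def toy_sign(sk, data):
    n, d = sk
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def toy_verify(pk, data, sig):
    n, e = pk
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def make_cert(subject, subject_pk, issuer, issuer_sk, is_ca, max_depth):
    """max_depth is the slide's d_i: how much deeper a chain may continue below
    this certificate (None = unlimited, as in the browser screenshot)."""
    tbs = {"subject": subject, "public_key": list(subject_pk), "issuer": issuer,
           "is_ca": is_ca, "max_depth": max_depth}
    return {"tbs": tbs, "signature": toy_sign(issuer_sk, canonical(tbs))}

def verify_chain(chain, trusted_roots):
    """chain = [cert1, ..., certn]; cert1 must be one the browser already knows.
    Returns (True, 'ok') or (False, reason)."""
    n = len(chain)
    if not any(canonical(chain[0]) == canonical(r) for r in trusted_roots):
        return False, "cert1 is not a known root certificate"
    for i in range(1, n + 1):
        tbs = chain[i - 1]["tbs"]
        d = tbs["max_depth"]
        if d is not None and d < n - i:          # the slide's d_i >= n - i
            return False, f"cert{i}: max depth {d} < {n - i}"
        if i == n:
            break                                 # certn is the end entity
        nxt = chain[i]                            # cert_{i+1}, issued under cert_i
        if not tbs["is_ca"]:
            return False, f"cert{i} is not flagged as a certification authority"
        if nxt["tbs"]["issuer"] != tbs["subject"]:
            return False, f"cert{i + 1} names a different issuer than cert{i}'s subject"
        if not toy_verify(tuple(tbs["public_key"]), canonical(nxt["tbs"]), nxt["signature"]):
            return False, f"cert{i + 1} was not signed with cert{i}'s key"
    return True, "ok"

def leaf_public_key(chain):
    """What the browser is after: the bank's public key, read from certn."""
    return tuple(chain[-1]["tbs"]["public_key"])

# Constructed key pairs; party names modelled on the slides' example chain.
ROOT = toy_keypair((1 << 127) - 1, (1 << 107) - 1)
INTERMEDIATE = toy_keypair((1 << 89) - 1, (1 << 61) - 1)
SUB = toy_keypair((1 << 31) - 1, (1 << 19) - 1)
BANK = toy_keypair((1 << 17) - 1, (1 << 13) - 1)

def build_scenarios():
    root_pk, root_sk = ROOT
    inter_pk, inter_sk = INTERMEDIATE
    sub_pk, sub_sk = SUB
    bank_pk, bank_sk = BANK
    cert1 = make_cert("Verisign Primary", root_pk, "Verisign Primary", root_sk, True, None)
    cert2 = make_cert("Verisign Inc", inter_pk, "Verisign Primary", root_sk, True, 2)
    cert3 = make_cert("Banca di Roma", bank_pk, "Verisign Inc", inter_sk, False, None)
    # a sub-CA whose own depth bound (0) does not allow anything below it
    sub_cert = make_cert("Sub CA", sub_pk, "Verisign Inc", inter_sk, True, 0)
    bank_via_sub = make_cert("Banca di Roma", bank_pk, "Sub CA", sub_sk, False, None)
    # a non-CA certificate (the bank's) used as if it could issue certificates
    victim = make_cert("Victim", sub_pk, "Banca di Roma", bank_sk, False, None)
    scenarios = {
        "good": [cert1, cert2, cert3],
        "too_deep": [cert1, cert2, sub_cert, bank_via_sub],
        "leaf_as_issuer": [cert1, cert2, cert3, victim],
    }
    return scenarios, [cert1]   # [cert1] plays the browser's trust store
```

Passing an empty trust store instead of [cert1] reproduces the experiment on the later slide where the Verisign certificate is deleted from the browser: the chain is intact, but verification stops at the first step because cert1 is unknown.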

Page 110: Hash Function,  Digital Signature  &  Public Key Infrastructure

110

Is it so important to check it?

Yes!

For example: the last element in the chain can be anybody (who paid Verisign for a certificate).

For sure we do not want to trust the certificates issued by anyone.

Page 111: Hash Function,  Digital Signature  &  Public Key Infrastructure

111

So, what happens when a user contacts the bank?

The Bank sends Alice (cert1, ..., certn).

If Alice's browser knows cert1 it can verify the chain and read the public key of the bank from certn.

Page 112: Hash Function,  Digital Signature  &  Public Key Infrastructure

112

What happens if the certification path is invalid?

For example if the first certificate in the path is not known to the user.

Experiment: let's delete the Verisign certificate from the configuration of the browser...

Page 113: Hash Function,  Digital Signature  &  Public Key Infrastructure

113

Page 114: Hash Function,  Digital Signature  &  Public Key Infrastructure

114

What happens?

Page 115: Hash Function,  Digital Signature  &  Public Key Infrastructure

115

Another popular PKI

Pretty Good Privacy (PGP) – every user can act as a certification authority.

Hence the name: Web of Trust

Page 116: Hash Function,  Digital Signature  &  Public Key Infrastructure

116

Introduction to the key establishment protocols

Page 117: Hash Function,  Digital Signature  &  Public Key Infrastructure

117

Suppose Alice and Bob want to authenticate to each other over the internet...

Observation: authentication itself is not very useful. More useful: key establishment.

Page 118: Hash Function,  Digital Signature  &  Public Key Infrastructure

118

Protocols for key establishment

Suppose Alice and Bob want to establish a fresh session key in an authentic way.

When is it possible?

• Using symmetric cryptography: Alice and Bob can use some trusted server S.

• Using asymmetric cryptography: e.g. using PKI.

Page 119: Hash Function,  Digital Signature  &  Public Key Infrastructure

119

Symmetric cryptography

The server can help Alice and Bob to establish a session key. (In reality it's not so trivial to design a secure protocol.)

Diagram: Alice and server S share a private key KAS; Bob and server S share a private key KBS.

Page 120: Hash Function,  Digital Signature  &  Public Key Infrastructure

120

The public-key cryptography

Alice sends (cert1, ..., certn) to Bob; Bob sends (cert’1, ..., cert’n) to Alice.

If they accepted the certificate paths they can establish a session key:

1. Alice selects a random key K.

2. Alice encrypts K with Bob's public key, signs it with her private key, and sends it to Bob.

3. Bob verifies the signature and decrypts K.

Again: in reality it's not that simple...

Page 121: Hash Function,  Digital Signature  &  Public Key Infrastructure

121

What if one of the parties doesn’t have a certificate?

Typical situation in real life...

E.g. a bank can verify authenticity of Alice by asking her for a secret password.

This password is provided to her (in a physical way) when she opened an account.

How to prevent the dictionary attacks?

Not so trivial...

Page 122: Hash Function,  Digital Signature  &  Public Key Infrastructure

122

Designing the key establishment protocols

It is an active area of research.

It’s more complicated than one may think...

On the next slides we show some common errors.

Page 123: Hash Function,  Digital Signature  &  Public Key Infrastructure

123

An idea (1)

Key shared by Alice and the server: KAS. Key shared by Bob and the server: KBS.

1. Alice → S: (“A,B”)

2. S selects a random KAB and sends Alice: EncKAS(KAB), EncKBS(KAB)

3. Alice → Bob: (EncKBS(KAB), ”A”)

Page 124: Hash Function,  Digital Signature  &  Public Key Infrastructure

124

An attack

Key shared by Alice and the server: KAS. Key shared by Bob and the server: KBS.

1. Alice → S: (A,B)

2. S selects a random KAB and sends Alice: EncKAS(KAB), EncKBS(KAB)

3. Alice → Bob: (EncKBS(KAB), ”A”)

4. Eve intercepts it and delivers (EncKBS(KAB), ”D”) to Bob instead.

Bob: I'm talking to D.

Page 125: Hash Function,  Digital Signature  &  Public Key Infrastructure

125

An idea (2)

Key shared by Alice and the server: KAS. Key shared by Bob and the server: KBS.

1. Alice → S: (A,B)

2. S selects a random KAB and sends Alice: EncKAS(KAB,”B”), EncKBS(KAB,”A”)

3. Alice → Bob: EncKBS(KAB,”A”)

Page 126: Hash Function,  Digital Signature  &  Public Key Infrastructure

126

A replay attack

1. Alice → S: (A,B)

2. Eve (in place of S) → Alice: EncKAS(K’AB,”B”), EncKBS(K’AB,”A”)

3. Alice → Bob: EncKBS(K’AB,”A”)

The adversary stores the values that the server sent in the previous session and replays them.

So, the key is not fresh...

Page 127: Hash Function,  Digital Signature  &  Public Key Infrastructure

127

How to protect against the replay attacks?

Nonce – “number used once”.

A nonce is a random number generated by one party and returned to that party to show that a message is newly generated.

Page 128: Hash Function,  Digital Signature  &  Public Key Infrastructure

128

An idea (3): Needham Schroeder 1972.

Key shared by Alice and the server: KAS. Key shared by Bob and the server: KBS.

1. Alice → S: (“A,B”, NA)

2. S selects a random KAB and sends Alice: EncKAS(KAB, “B”, NA, EncKBS(KAB,”A”))

3. Alice → Bob: EncKBS(KAB,”A”)

4. Bob → Alice: EncKAB(NB)

5. Alice → Bob: EncKAB(NB – 1)

Page 129: Hash Function,  Digital Signature  &  Public Key Infrastructure

129

An attack on Needham Schroeder

Assume that an old session key K’AB is known to the adversary.

1. Eve → Bob: EncKBS(K’AB,”A”)

2. Bob → Eve: EncK’AB(NB)

3. Eve → Bob: EncK’AB(NB – 1)

Page 130: Hash Function,  Digital Signature  &  Public Key Infrastructure

130

The final solution

Key shared by Alice and the server: KAS. Key shared by Bob and the server: KBS.

1. Bob → Alice: (“B”, NB)

2. Alice → S: (“A,B”, NA, NB)

3. S selects a random KAB and sends Alice: EncKAS(KAB, “B”, NA), EncKBS(KAB, “A”, NB)

4. Alice → Bob: EncKBS(KAB, “A”, NB)
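The final protocol of this slide as a runnable simulation; an added example, not from the lecture. EncK(...) is stood in for by a constructed HMAC-SHA256 keystream-plus-tag construction (not a real cipher), KAS and KBS are random bytes, and the first message is taken to be Bob sending (“B”, NB) to Alice, which is how the four messages on the slide fit together. The check worth seeing is the one the replay slide motivates: a message captured in one session is refused in the next, because each party compares the nonce inside the decrypted message with the nonce it generated for the current session.

```python
import hashlib
import hmac
import json
import secrets

# Toy authenticated encryption standing in for Enc_K(...) on the slides:
# HMAC-SHA256 keystream plus an HMAC tag. Constructed for the example only.
def _keystream(key, iv, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def enc(key, fields):
    plaintext = json.dumps(fields, sort_keys=True).encode()
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def dec(key, token):
    iv, ct, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected: bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))

class Server:
    """S: shares KAS with Alice and KBS with Bob."""
    def __init__(self, keys):
        self.keys = keys                      # {"A": KAS, "B": KBS}

    def handle(self, a, b, na, nb):
        kab = secrets.token_hex(32)           # selects a random KAB
        return (enc(self.keys[a], {"key": kab, "peer": b, "nonce": na}),   # EncKAS(KAB,"B",NA)
                enc(self.keys[b], {"key": kab, "peer": a, "nonce": nb}))   # EncKBS(KAB,"A",NB)

class Party:
    """Alice or Bob: generates a fresh nonce per session and accepts only a
    message that echoes it and names the expected peer."""
    def __init__(self, name, key):
        self.name, self.key, self.nonce = name, key, None

    def fresh_nonce(self):
        self.nonce = secrets.token_hex(16)
        return self.nonce

    def finish(self, token, expected_peer):
        fields = dec(self.key, token)
        if fields["nonce"] != self.nonce:
            raise ValueError("nonce mismatch: message is not fresh (replay?)")
        if fields["peer"] != expected_peer:
            raise ValueError("message names a different peer")
        self.nonce = None                     # a nonce is used once
        return fields["key"]

def run_session(alice, bob, server):
    """One run of the slide's final protocol. Returns both parties' keys and
    the two encrypted messages the server produced."""
    nb = bob.fresh_nonce()                              # Bob -> Alice: ("B", NB)
    na = alice.fresh_nonce()                            # Alice -> S: ("A,B", NA, NB)
    for_alice, for_bob = server.handle(alice.name, bob.name, na, nb)
    k_alice = alice.finish(for_alice, bob.name)         # checks NA and "B"
    k_bob = bob.finish(for_bob, alice.name)             # Alice -> Bob: EncKBS(KAB,"A",NB); checks NB and "A"
    return k_alice, k_bob, for_alice, for_bob

def replays_are_rejected(alice, bob, server):
    """Replaying last session's messages fails: NA and NB are fresh every session."""
    _, _, old_for_alice, old_for_bob = run_session(alice, bob, server)
    bob.fresh_nonce()
    alice.fresh_nonce()
    rejected = 0
    for party, token, peer in ((alice, old_for_alice, "B"), (bob, old_for_bob, "A")):
        try:
            party.finish(token, peer)
        except ValueError:
            rejected += 1
    return rejected == 2

def make_parties():
    kas, kbs = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed KAS, KBS
    return Party("A", kas), Party("B", kbs), Server({"A": kas, "B": kbs})
```

Because KAB is bound to the nonce and the peer's name inside the same authenticated encryption, the two earlier attacks (renaming the peer, replaying old server output) both end in a rejected message rather than a shared stale key.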

Page 131: Hash Function,  Digital Signature  &  Public Key Infrastructure

131

Other desirable features

1. Forward-security: if an adversary breaks into the machine at some time t, the previous session keys remain secret.

2. Deniability: a user can always deny that he sent some message.

3. Resistance to denial-of-service attacks (don't put too much work on the server!).

Page 132: Hash Function,  Digital Signature  &  Public Key Infrastructure

132

Another (real-life) problem

Alice and Bob may use different versions of the protocol.

Therefore at the beginning of the protocol they have to agree on the ciphers that they will use.

How to agree in a secure way?

Alice: I prefer to use AES, but I can also use DES.

Eve rewrites it, so Bob receives: Alice: I can only use DES.

Bob: I prefer to use AES, but I can also use DES.

Eve rewrites it, so Alice receives: Bob: I can only use DES.

They'll end up using DES!
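One way to keep the cipher agreement on this slide from being downgraded, as an added example that is not from the lecture: once a session key has been established, each side computes a MAC over the whole negotiation transcript as it saw it and the peer compares it with its own view. Eve can rewrite the offers in transit, but without the key she cannot produce a MAC that matches the rewritten transcript, so the mismatch is detected and both sides abort. This is the idea behind the Finished messages in TLS. The session key, the preference order and Eve's rewrite are constructed.

```python
import hashlib
import hmac
import json

# Constructed preference order for the ciphers named on the slide: strongest first.
PREFERENCE = ["AES", "DES"]

def choose_cipher(offer_a, offer_b):
    """Both sides run the same deterministic rule over the two offers they saw."""
    common = [c for c in PREFERENCE if c in offer_a and c in offer_b]
    if not common:
        raise ValueError("no cipher in common")
    return common[0]

def transcript_mac(session_key, transcript):
    """'Finished' value: a MAC over every negotiation message as this side saw it."""
    data = json.dumps(transcript, sort_keys=True).encode()
    return hmac.new(session_key, data, hashlib.sha256).digest()

def negotiate(offer_alice, offer_bob, session_key, on_the_wire=lambda offer: offer):
    """Simulate the exchange. `on_the_wire` models what happens to each offer in
    transit (identity = honest network). Returns what each side chose and whether
    the transcript check passed; when it fails both sides must abort."""
    seen_by_bob = on_the_wire(offer_alice)       # Alice's offer as delivered to Bob
    seen_by_alice = on_the_wire(offer_bob)       # Bob's offer as delivered to Alice
    alice_view = {"alice_offer": offer_alice, "bob_offer": seen_by_alice}
    bob_view = {"alice_offer": seen_by_bob, "bob_offer": offer_bob}
    choice_alice = choose_cipher(offer_alice, seen_by_alice)
    choice_bob = choose_cipher(seen_by_bob, offer_bob)
    # Each side MACs its own transcript with the session key Eve does not have;
    # the peer recomputes the MAC over its own view and compares.
    confirmed = hmac.compare_digest(transcript_mac(session_key, alice_view),
                                    transcript_mac(session_key, bob_view))
    return {"alice": choice_alice, "bob": choice_bob, "confirmed": confirmed}

# Assumed to come from the key establishment and to be unknown to Eve.
SESSION_KEY = b"constructed-session-key-from-key-establishment"

def honest_run():
    return negotiate(["AES", "DES"], ["AES", "DES"], SESSION_KEY)

def downgraded_run():
    eve = lambda offer: ["DES"]    # every offer arrives as "I can only use DES"
    return negotiate(["AES", "DES"], ["AES", "DES"], SESSION_KEY, on_the_wire=eve)
```

In downgraded_run() both sides do pick DES, exactly as the slide says, but the transcript check fails and the session is abandoned instead of continuing with the weak cipher; the check only helps if the MAC key was established in a way Eve could not influence.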

Page 133: Hash Function,  Digital Signature  &  Public Key Infrastructure

133

Protocols used in practice

• Symmetric: Kerberos

• Asymmetric: SSL, SSH, IPSec...

Page 134: Hash Function,  Digital Signature  &  Public Key Infrastructure

134

How Do You Want To Protect Your Network System

Thank You

See You Next Week

Have A Nice Weekend