Network and Information Security Lab, Peking University, May 14, 2008

CPK Cryptosystem (Combined Public Key Cryptosystem): Theory and Practice
Timeline
• 1976: Public key cryptography and the public file (Diffie, Hellman)
• 1978: Certificate idea (Kohnfelder)
• 1984: Identity based cryptography, the first idea (Shamir)
• 1986: First IBS scheme (Shamir)
• 1988: X.509 certificate v1, X.500, CA (ITU-T)
• 1991: PGP, web of trust (Zimmermann)
• 1995: SPKI, SDSI
• 1996: X.509 certificate v3, PKIX
• 1984 to 2000: no practical IBE scheme was found
• 2001: First practical IBE scheme, from the Weil pairing (Boneh, Franklin); Cocks IBE, not bandwidth efficient
• 2004: CPK: key management, IBE and IBS (Nan, Chen)
Public File
• Public file (1976)
• The public file (trusted directory) is a key directory that users consult to find other users' public keys
Certificate
• Loren Kohnfelder, "Toward a Practical Public-Key Cryptosystem"
• Separates trust (the signed name-to-key binding) from look-up (the directory)

X.500, X.509v1
PEM (Privacy Enhanced Mail)
• PEM uses ITU's X.509 certificate
• X.509 in PEM vs. X.509 in X.500: binding a name to a public key vs. access control
• X.500 distinguished names (DNs) were not accepted by users
• Failed :(
PGP
• The global distinguished name is the email address
• Needs no global TTP or CA
• Web of trust (Zimmermann)
PKIX
(Figure: the PKIX certificate architecture)
SPKI
• Simple Public Key Infrastructure, by C. Ellison
• Emphasizes authorization rather than authentication
• SPKI certificates bind attributes (authorizations) directly to a public key
PKI Challenges
(Figure: 89 PKIs deployed in US federal agencies from 1998 to 2005)
Identity Based Cryptography
• Idea from Shamir (1984): the public key can be an arbitrary string.
• The private key is generated by a trusted authority, the PKG (private key generator), and distributed to users.
• Shamir's original motivation was to simplify certificate management in email systems.
• Identity based encryption (IBE) and identity based signature (IBS) schemes.
IBC Schemes
• 1986: first IBS scheme
• 2001: first practical IBE schemes
  ❖ Boneh-Franklin IBE from pairings
  ❖ Cocks IBE
• 2004: CPK (Combined Public Key)
  ❖ Supports both IBE and IBS
Certificate vs Identity: Digital Public Key Certificates
• Features
  – Digital object (no typing!)
  – Tamper-evident
  – Issued by a TTP
  – Complete user identification
  – Fixed expiration
• Drawbacks
  – Must trust the issuer

Sample certificate:
  Serial Number:    206
  Certificate for:  Bob Smith
  Company:          Fox Consulting
  Issued By:        Awfully Big Certificate Co.
  Email Address:
  Activation:       Jan. 10, 2000
  Expiration:       Jan. 10, 2002
  Public Key:       24219743597430832a2187b6219a75430d843e432f21e09bc080da43509843
  ABC's digital signature: 0a213fe67de49ac8e9602046fa7de2239316ab233dec70095762121aef4fg66854392ab02c4
Encryption in PKI
(Figure: the sender sends a certificate request to the online certificate database, receives the recipient's certificate, and only then encrypts for the recipient: at least 3 steps)
Encryption in CPK
(Figure: the sender encrypts directly to the recipient with identity based encryption; the encryption public key is the recipient's identity, e.g. a phone number: only 1 step!)
Definition of IBE
• Setup: run by the PKG, with the security parameter t as input; outputs the public system params and the secret master-key, which is kept inside the PKG.
• Extract: run by the PKG, with params, master-key and the user's identity string ID as input; outputs the user's private key d_ID, which is sent to the user through a secure channel.
• Encrypt: run by the sender, with params, the recipient's ID and the message M as input; outputs the ciphertext C. The sender needs a trusted copy of params before encrypting.
• Decrypt: run by the receiver, with params, his private key d_ID and the ciphertext C as input; outputs the plaintext M. The receiver must authenticate himself to the PKG and retrieve d_ID before decrypting.
Definition of IBS
• Also four algorithms:
  ❖ Setup, Extract, Sign and Verify
• The signer's private key is generated by the PKG, so the PKG can forge a signature.
• So IBS cannot be used in applications that need non-repudiation against the PKG (key escrow).
Applications
• Alternative to PKI, without key and certificate management.
• Expiration of public keys (a validity period can be made part of the identity)
• Delegation of decryption keys
Key Revocation in PKI
• Check the validity of the certificate/public key before using it:
  ❖ CRL (Certificate Revocation List)
  ❖ OCSP (Online Certificate Status Protocol)
Revocation in IBC
• Some identities can be revoked, such as a hardware serial number.
• Others cannot, such as an email address or phone number: use Identity' = Identity || time. The private key for the identity appended with a time is valid only for that limited period.
  ❖ Example: [email protected] || MAY2008
• Otherwise, mechanisms similar to PKI.
CPK (Combined Public Key)
• One identity based cryptography scheme
• CPK (Combined Public Key)
  ❖ First, it is a key management scheme
  ❖ Second, it provides identity based encryption and signature schemes
Elliptic Curve Cryptography
$$y^2 = x^3 + ax + b \pmod p$$
G is a point on the elliptic curve and q is the order of the cyclic group ⟨G⟩.
The private key d is a randomly selected integer in [1, q−1].
The corresponding public key is Q = dG.
Private Matrix Generation (in the PKG)
The trusted authority PKG (Private Key Generator) generates an m×n matrix whose elements are randomly generated ECC private keys (integers in [1, q−1], where q is the order of G). The private matrix is kept secret inside the PKG.
$$s_{ij} \xleftarrow{R} [1, q-1], \qquad
S = \begin{pmatrix}
s_{11} & s_{12} & \cdots & s_{1n} \\
s_{21} & s_{22} & \cdots & s_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
s_{m1} & s_{m2} & \cdots & s_{mn}
\end{pmatrix} \quad \text{(private matrix, filled from an RNG)}$$
Public Matrix Generation (in the PKG)
$$P = \begin{pmatrix}
s_{11}G & s_{12}G & \cdots & s_{1n}G \\
s_{21}G & s_{22}G & \cdots & s_{2n}G \\
\vdots & \vdots & \ddots & \vdots \\
s_{m1}G & s_{m2}G & \cdots & s_{mn}G
\end{pmatrix} \quad \text{(public matrix)}$$
The public matrix is generated by the PKG from the private matrix: each element of the public matrix is the public key of the corresponding private key in the private matrix, so each pair (s_ij, s_ij G) is an ECC key pair. The public matrix is publicly available to all users.
Map Algorithm
$$\langle h_1, h_2, \ldots, h_n \rangle \leftarrow H(ID)$$
The map algorithm H(ID) is a cryptographic hash function that maps an arbitrary identity string ID to matrix indexes: h_i ∈ [1, m] is the row selected in the i-th column of the private and public matrices.
Private Key Extraction (in the PKG)
1. Input the user's identity ID.
2. Map the identity to matrix indexes: ⟨h_1, h_2, …, h_n⟩ ← H(ID).
3. Select one element from each column of the private matrix by its index.
4. Add the selected private keys modulo the group order; the result is the user's private key corresponding to ID:
$$d_{ID} = \sum_{i=1}^{n} s_{h_i,\,i} \pmod{q}, \qquad q = \operatorname{ord}(G)$$
Public Key Extraction (by any user)
1. Input the user's identity ID.
2. Map the identity to matrix indexes: ⟨h_1, h_2, …, h_n⟩ ← H(ID).
3. Select one element from each column of the public matrix by its index.
4. Add (elliptic curve point addition) the selected public keys; the result is the user's public key corresponding to ID:
$$Q_{ID} = \sum_{i=1}^{n} s_{h_i,\,i}\, G = d_{ID}\, G$$
Identity Based Encryption
CPK-Encrypt(Message, ID, PublicMatrix) {
    CPK-ExtractPublicKey(ID, PublicMatrix) -> PublicKey
    ECIES-Encrypt(Message, PublicKey) -> Ciphertext
}
CPK-Decrypt(Ciphertext, PrivateKey) {
    ECIES-Decrypt(Ciphertext, PrivateKey) -> Plaintext
}
ECIES: Elliptic Curve Integrated Encryption Scheme
Identity Based Signature
CPK-Sign(Message, PrivateKey) {
    ECDSA-Sign(Message, PrivateKey) -> Signature
}
CPK-Verify(Message, PublicMatrix, SignerID, Signature) {
    CPK-ExtractPublicKey(PublicMatrix, SignerID) -> PublicKey
    ECDSA-Verify(Message, Signature, PublicKey)
}
ECDSA: Elliptic Curve Digital Signature Algorithm
Big Picture
$$\langle h_1, \ldots, h_n \rangle \leftarrow H(ID)$$
$$d_{ID} = \sum_{i=1}^{n} s_{h_i,\,i} \pmod{q} \quad \text{(from the private matrix, inside the PKG)}$$
$$Q_{ID} = \sum_{i=1}^{n} s_{h_i,\,i}\, G \quad \text{(from the public matrix, by anyone)}$$
Security
• Collisions
  ❖ A 32×32 matrix requires the map algorithm to provide 32×5 = 160 bits of index
  ❖ Birthday bound: a collision (two identities mapped to the same key) is expected after about 2^80 accounts
• Collusion
  ❖ A 32×32 matrix has 1024 entries, so recovering it requires 1024 colluding private keys with linearly independent index vectors
Collusion Resistance
• Verification-only applications can use a small matrix
• Without the threat of large scale collusion: choose a matrix size matched to the expected collusion scale
• With the threat of large scale collusion:
  ❖ extend the matrix size
  ❖ protect private keys in hardware
  ❖ revoke (replace) the matrix periodically
CPK USB Token
(Figure: tamper resistant key storage built around a 32-bit secure CPU, a public key crypto engine and a USB interface; implements CPK, AES, SHA-1 and ECC)
• 0.6 s per ECDSA signature generation or ECDH computation
Collusion Resistance (cont.)
• Expand the matrix size.
  ❖ Matrix size larger than the maximum collusion amount.
• Tamper resistant module for the protection of private keys.
  ❖ Smart card,
  ❖ USB secure token,
  ❖ TPM, etc.
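The extraction slides (private and public matrix, map algorithm, d_ID and Q_ID) and the collusion slides above are both illustrated by the following Python program. It is an added worked example, not code from the CPK project or from these slides. It implements the generalized CPK scheme over a toy Diffie-Hellman group (an assumption made only to keep the numbers readable: the order-5003 subgroup generated by g = 4 in Z_10007^*, where 10007 = 2·5003 + 1 is a safe prime; a real deployment uses an elliptic curve or a 2048-bit group), extracts d_ID from the private matrix and Q_ID = g^{d_ID} from the public matrix, and then runs the collusion attack: every user's private key is a linear combination of matrix entries, so once the colluders' index vectors span the space of all CPK index vectors, any other user's private key can be computed as the same linear combination of the colluders' keys, without ever recovering the matrix. That space has dimension m·n − n + 1 rather than m·n, because every index vector selects exactly one entry per column (for 32×32 that is 993 rather than 1024 independent colluders). The 4×4 matrix size, the map algorithm (one SHA-256 digest byte per column, reduced mod m), the function names and the colluder and victim identities are all constructed for the demo.

```python
"""Added example (not CPK project code): generalized CPK over a toy DH group,
plus the collusion attack.  Parameters are toy-sized and insecure."""
import hashlib
import secrets

P = 10007    # assumption: safe prime p = 2q + 1
Q = 5003     # order of the subgroup <G>; scalars live in Z_Q
G = 4        # 2^2 mod p, a quadratic residue, so it has order Q
M, N = 4, 4  # rows x columns of the key matrices (toy; the slides use 32x32)


def setup(m=M, n=N):
    """PKG: private matrix of random scalars, public matrix of g^s mod p."""
    priv = [[secrets.randbelow(Q - 1) + 1 for _ in range(n)] for _ in range(m)]
    return priv, [[pow(G, s, P) for s in row] for row in priv]

def map_id(identity, m=M, n=N):
    """Map algorithm H(ID): row index per column (demo: digest byte i mod m)."""
    digest = hashlib.sha256(identity.encode()).digest()
    return [digest[i] % m for i in range(n)]

def extract_private(priv, identity):
    """PKG side: d_ID = sum_i s[h_i][i] mod Q."""
    return sum(priv[h][i] for i, h in enumerate(map_id(identity))) % Q

def extract_public(pub, identity):
    """Anyone: Q_ID = prod_i g^{s[h_i][i]} mod P, from the public matrix only."""
    q_id = 1
    for i, h in enumerate(map_id(identity)):
        q_id = q_id * pub[h][i] % P
    return q_id

def coeff_vector(identity, m=M, n=N):
    """0/1 vector over the m*n matrix entries selected by H(ID)."""
    v = [0] * (m * n)
    for i, h in enumerate(map_id(identity, m, n)):
        v[h * n + i] = 1
    return v

def rref_mod(matrix, q=Q):
    """Gauss-Jordan elimination mod prime q -> (reduced rows, pivot columns)."""
    a = [row[:] for row in matrix]
    pivots, r = [], 0
    for c in range(len(a[0])):
        piv = next((i for i in range(r, len(a)) if a[i][c]), None)
        if piv is None:
            continue
        a[r], a[piv] = a[piv], a[r]
        inv = pow(a[r][c], -1, q)
        a[r] = [x * inv % q for x in a[r]]
        for i in range(len(a)):
            if i != r and a[i][c]:
                f = a[i][c]
                a[i] = [(x - f * y) % q for x, y in zip(a[i], a[r])]
        pivots.append(c)
        r += 1
    return a, pivots

def solve_mod(rows, rhs, q=Q):
    """Solve rows * x = rhs (mod q); None if inconsistent, free variables 0."""
    a, pivots = rref_mod([row + [b] for row, b in zip(rows, rhs)], q)
    ncols = len(rows[0])
    if ncols in pivots:  # a pivot in the right-hand-side column
        return None
    x = [0] * ncols
    for i, c in enumerate(pivots):
        x[c] = a[i][-1]
    return x

def recruit(candidates, m=M, n=N):
    """Keep candidates with independent index vectors until they span every
    CPK index vector: dimension m*n - n + 1 (one 1 per column block), not m*n."""
    chosen, vecs = [], []
    for ident in candidates:
        v = coeff_vector(ident, m, n)
        if len(rref_mod(vecs + [v])[1]) > len(vecs):
            chosen.append(ident)
            vecs.append(v)
            if len(vecs) == m * n - n + 1:
                break
    return chosen

def collude(colluders, keys, target, m=M, n=N):
    """Express the target's index vector as sum_j c_j v_j over the colluders'
    vectors and combine their private keys the same way; no matrix recovery."""
    vecs = [coeff_vector(i, m, n) for i in colluders]
    system = [[v[e] for v in vecs] for e in range(m * n)]  # one row per entry
    c = solve_mod(system, coeff_vector(target, m, n))
    return None if c is None else sum(cj * dj for cj, dj in zip(c, keys)) % Q

def demo(target="victim@example.com"):
    """Return (colluders needed, forged private key == PKG's private key)."""
    priv, pub = setup()
    assert pow(G, extract_private(priv, target), P) == extract_public(pub, target)
    colluders = recruit(["colluder-%d" % k for k in range(300)])  # constructed IDs
    keys = [extract_private(priv, i) for i in colluders]          # issued by the PKG
    return len(colluders), collude(colluders, keys, target) == extract_private(priv, target)
```

demo() returns (13, True) for the 4×4 toy: 13 = 4·4 − 4 + 1 colluders are enough to forge every other identity's key, which is why the slides pair a larger matrix with hardware-protected private keys and periodic matrix replacement.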
Original Scheme
$$\langle h_1, \ldots, h_n \rangle \leftarrow H(ID), \qquad
d_{ID} = \sum_{i=1}^{n} s_{h_i,\,i} \pmod{q} \ \text{(private matrix, in the PKG)}, \qquad
Q_{ID} = \sum_{i=1}^{n} s_{h_i,\,i}\, G \ \text{(public matrix, by anyone)}$$
Generalized Scheme
General DH group ⟨g⟩ of prime order q: a private key is s, the corresponding public key is g^s.
Map algorithm:
$$H(ID) \rightarrow \langle a_1, a_2, \ldots, a_n \rangle, \qquad a_i \in \mathbb{Z}_q^*$$
Extract private key, from the private key set {s_1, s_2, …, s_n} (in the PKG):
$$d_{ID} = \sum_{i=1}^{n} a_i s_i \pmod{q}$$
Extract public key, from the public key set {g^{s_1}, g^{s_2}, …, g^{s_n}} (by any user):
$$Q_{ID} = \prod_{i=1}^{n} \left(g^{s_i}\right)^{a_i} = g^{d_{ID}}$$
Extensions
• CPK can be built on any cryptosystem with the property that a combination of key pairs is still a valid key pair.
• For example:
  ❖ Cryptosystems based on a Diffie-Hellman group, in which the private key is an integer d and the corresponding public key is g^d
  ❖ Cryptosystems based on elliptic curve cryptography
Extensions
• The CPK scheme can convert any cryptosystem with the key combination property into an identity based cryptosystem, not only IBE and IBS but also:
  ❖ Identity based signcryption, by converting signcryption schemes based on a DH group
  ❖ Identity based short signatures, by converting the BLS short signature (a 160-bit signature, compared to 320 bits for DSA or ECDSA)
Advantages of CPK
• Simple
• Efficient, especially in resource constrained environments such as embedded devices
• Supports different cryptosystems: ElGamal (ElGamal encryption, DSA, ...), elliptic curve cryptography, pairing based cryptography and others
Key Length (all sizes in bits)
Bits of security   ECC (CPK)   Pairing (BF-IBE)   RSA
80                 160         512                1024
112                224         1024               2048
128                256         1536               3072
192                384         3840               7680
256                512         7680               15360
Performance
• CPK (on a Core 2 1.83 GHz CPU)
  ❖ ~400 operations/s for CPK-ECIES encryption, decryption and CPK-ECDSA signature verification; ~1900 operations/s for CPK-ECDSA signature generation
• Pairing (on a P3 1 GHz CPU)
  ❖ ~30 to 90 pairing computations/s
• CPK is faster and requires less code.
Real-world Applications: Secure Email
CPK Secure Mail
Original mail:
  To: [email protected]  From: [email protected]  Subject: hello
  Contents: this is the plaintext message to be signed and encrypted by CPK.
Enveloped mail:
  To: [email protected]  From: [email protected]  Subject: xxxxxx
  Contents: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Signature: xxxxxxxxxxxxxxxxx
  (the subject and contents are the data to be encrypted; the envelope carries the encryption key ID)
Real-world Applications: WebIBC, Identity Based Cryptography for Client Side Security in Web Applications
Target
• Web based applications like Gmail or Google Docs can harm user security and privacy.
• Our solution: bring public key cryptography into the Web browser, including public key encryption and signature generation.
• All cryptographic operations and key usage happen inside the browser, implemented in JavaScript and HTML only; no plug-ins are required and the code is open to inspection (an "open source" guarantee).
Challenges
• Private key: JavaScript cannot read keys from the local file system.
• Public key: acquiring another user's public key or certificate is not easy for a JavaScript program in the browser.
Solution
• Private key: use the fragment identifier of a bookmarked URL as private key storage. The fragment identifier of a URL is never transferred over the Internet.
• Public key: in CPK, i.e. an identity based cryptosystem, the email address or another meaningful string is the public key.
  http://www.domain.com/#skey=sdfBksLdfljksDjfls=
  (the fragment identifier starts at #)
Workflow
(Figure: Browser, PKG and WebApp. Numbered exchanges: 1 ID, 2 skey, 3 m, pk.js, 4 URL, 5 setup, 6 save, 7 message, 8 webibc.js and mpk.js, 9 do, 10 forward; the diagram distinguishes the secure channel from the public channel.)
Workflow
1. The authority trusted by Alice and Bob establishes a PKG, which generates the system parameters including the public matrix.
2. The Web application embeds WebIBC into its pages together with the public system parameters released by the PKG.
3. Alice registers with the PKG using her ID.
4. The PKG returns Alice's private key.
5. Alice appends the private key as a fragment identifier to the Web application's URL and saves it as a bookmark in the browser.
6. Alice now uses this bookmark to log into the Web application. Note that the browser sends the URL without the fragment identifier, so the private key never leaves the browser.
7. The WebIBC JavaScript files, including the public matrix of the system, are also downloaded from the server.
8. Alice uses the Web application as normal, entering Bob's email address and the message content into the form. When Alice presses the send button, the WebIBC JavaScript code takes the email address from the form as the public key and the private key from the URL, then encrypts and signs the message.
9. The message is sent to the server.
10. Because the message is already protected, the Web application can do no evil to it but only forward it to Bob. Bob logs into his Web application in the same way, decrypts the message with the private key in his fragment identifier and verifies the signature using the public matrix, just as Alice does.
Performance (WebIBC in the browser: time in ms by message size)
Browser   0.5 KB   2 KB    10 KB
Safari    1383.7   1,492   2,071
Firefox   1,523    1,661   2,401
IE        1,459    1,698   2,791
Opera     2,110    2,349   3,628
Real-world Applications: Code Signing
CPK Code Signing
• Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered.
• All sorts of code should be signed, including tools, applications, scripts, libraries, plug-ins, and other “code-like” data.
Code Signing Overview
A code signature consists of:
• A unique identifier, used to identify the code or to determine to which groups or categories the code belongs.
• A collection of checksums of the various parts of the program, such as the identifier, the main executable and the resource files (the "seal").
• A digital signature, which signs the seal to guarantee its integrity.
What it can do
• Content Source: End users can confirm that the software really comes from the publisher who signed it.
• Content Integrity: End users can verify that the software has not been altered or corrupted since it was signed.
What it can NOT do
• It can't guarantee that the code is free of security vulnerabilities.
• It can't guarantee that a program will not load unsafe or altered code, such as untrusted plug-ins, during execution.
• It can't determine how much to "trust" the code.
• It can't defend against an attacker with administrator privileges.
Other Disadvantages
• The user is likely to be bothered with additional dialog boxes and prompts for unsigned code that they don’t see with signed code, and unsigned code might not work as expected with some system components.
• Computation and storage overhead.
Code Signing Applications
• Anti-virus, anti-rootkit
• Parental control
• Trusted computing
Code Signing on Linux
(Figure: exec() → sys_execve() → LSM hook → Codesign kernel module → Netlink socket → Codesign user-space daemon, which answers True/False; mmap() is hooked the same way)
• Codesign tool: used to create, check and display code signatures.
• Kernel module: implements an LSM (Linux Security Module) hook to check the signature in the ELF file.
• User-space daemon: does the checking, called by the kernel module through a Netlink socket.
Code Signing Extension
(Figure: an enterprise admin maintains a check engine and policy DB on the intranet; each host, with its own host root, runs the kernel module and daemon, which consult the central policy)

CPK Code Signing in Solaris
• Supports signing of ELF binaries, Java byte code and shell scripts.
• Based on the Solaris kernel level cryptographic framework
  ❖ MPI (multi-precision integer library)
  ❖ ECC (elliptic curve cryptography library)
  ❖ Block ciphers, digest algorithms ...
Solaris exec path
User space: execl(), execle(), execv() → execve() → _syscall(SYS_execve)
Kernel space: execve() → exece() → exec_common() → gexec() → switch (exectype): elfexec() for ELF, aoutexec() for a.out, intpexec() for scripts, javaexec() for Java (uts/common/os/exec.c; the exec handlers are kernel modules under uts/common/exec/*)

Kernel Space (with CPK)
The same path, with CPK signature checking added inside elfexec() and intpexec().

CPK Kernel Modules
(Figure: common/crypto/cpk, built on common/mpi, common/crypto/ecc and common/crypto/sha1, sha2; uts/common/exec/elf and uts/common/exec/intp with CPK checking, which consult the public matrix and the policy)
Real-world Applications: CPK in Solaris
CPK Crypto Library
• A module of libcrypto
• Supports an error stack
• Supports identity based cryptography
• Supports ASN.1 encoding
• Supports PKCS #7 cryptographic message syntax
Compatible with Standards
• SECG (Standards for Efficient Cryptography Group) SEC 1: Elliptic Curve Cryptography, version 1.7 (current working draft).
• IBCS (Identity Based Cryptography Standard), the identity syntax (draft).
• PKCS #7: Cryptographic Message Syntax
• PKCS #11: Cryptographic Token Interface
• ASN.1/DER encoding
Supported Platforms
• Solaris, loadable module
• POSIX, CPK library
• Win32, CPK library, requires pthreads-win32
• Java, on Solaris with Cryptographic Framework support.
CPK Soft Token
(Figure: CPK software stack. Consumer interface (PKCS#11) → Solaris Crypto Framework meta slot (libpkcs11.so) → provider interface (PKCS#11) → pkcs11_kernel.so, pkcs11_softtoken.so, pkcs11_cpk.so → libcpk. On top: JNI, JCE and Java API, C/C++ API, PAM module, command line toolkit.)
CPK Hard Token (current)
(Figure: user level: libcpk, libusb, consumer interface (PKCS#11); kernel level: ugen driver, Solaris USBA framework; token hardware: CPK hard token)
OpenSolaris cryptoadm
# cryptoadm list -vm
Provider: /SunStudioProjects/p11/dist/Debug/Sun12-Solaris-x86/libcpkp11.so
Number of slots: 1
Slot #1
  Description: CPK Crypto Softtoken
  Manufacturer: Guan Zhi
  PKCS#11 Version: 2.20
  Hardware Version: 0.0
  Firmware Version: 0.0
  Token Present: True
  Slot Flags: CKF_TOKEN_PRESENT
  Token Label: CPK PKCS#11 Software token
  Manufacturer ID: Guan Zhi
  Model: 1.0
  Serial Number:
  Hardware Version: 0.0
  Firmware Version: 0.0
  UTC Time:
  PIN Length: 0-0
  Flags:
Key Management Framework
(Figure: KMF big picture. Consumers such as Secure Shell, IKE, SASL, SSL, GSS-API, Digest-MD5, CRAM-MD5, Java/JCA and PK Kerberos use the Key Management Framework, which dispatches to certificate validation providers, key management providers and enrollment providers backed by NSS, files, PKCS#11, CRL and PKIX; KMF development: programming API and future integration with KMF.)

CPK in Solaris KMF
(Figure: the same KMF diagram with CPK added as a further provider alongside the existing ones)
Real-world Applications: Graphical e-Stamp

CPK e-Stamp
• CPK digital signature
• The signer's identity is converted into a stamp graphic on the fly.

Supported Document Types
(Figure)
Real-world Applications: e-Bank Security for China Minsheng Banking Corp.

China Minsheng Bank CPK electronic seal system
CPK bill electronic seal system architecture
Seal creation workflow
ID-Key production workflow
Signing and verification workflow
Server-side signing and verification functions
Client-side signing and verification functions
Seal maintenance and management
Real-world Applications: Secure Gateway

Services
• Confidential data exchange platform
• Authorization management system, classification labelling system, classification labelling policy center
• Web browsing, email, electronic documents, instant messaging
Architecture
(Figure: secure gateway architecture covering Email, Web and other services; the remaining labels are not recoverable from the extracted text)
Security Middleware
Introduction: Common Data Security Architecture (from the CDSA specification)

Below CSSM are add-in security modules that perform cryptographic operations and manipulate certificates. Add-in security modules may be provided by independent software and hardware vendors as competitive products. Applications use CSSM to direct their requests to modules from specific vendors or to any module that performs the required services. Applications can use multiple service providers of all types concurrently. Add-in modules augment the set of available security services.

CDSA's extensible architecture allows new module types to be included that accommodate prudent division of labor. Signing services and key management services can be added at the System Security Services Layer and the Security Add-in Modules layer in CDSA. An appropriate degree of visibility of lower layers may be reflected at higher layers, such that a complete security profile can be managed uniformly. Independent software and hardware vendors may specialize in their chosen area of expertise and package their products as appropriate. For example, hardware-specific cryptographic device vendors can also provide tamper-resistant storage facilities in the same add-in module.

Figure 1-1 The Common Data Security Architecture for all Platforms: Applications (in C and C++) → Layered Services → CSSM Security API and EM-API → module managers (Elective Module Manager, DL, CL, AC, TP and CSP Module Managers, with Security Contexts and Integrity Services) → SPI, TPI, ACI, CLI, DLI, EMI → add-in modules: Cryptographic Service Provider, Trust Model Library, Authorization Computation Library, Certificate Library, Data Storage Library (Data Store), and a New Category of Service.

1.2.3 Layered Security Services
Layered Security Services are between application and basic CSSM services. Software at this layer may:
• Define high-level security abstractions (such as secure electronic mail services)
• Provide transparent security services (such as secure file systems or private communication)
• Make CSSM security services accessible to applications developed in languages other than the C language
• Provide tools to manage the security infrastructure
Applications can invoke the CSSM APIs directly, or use layered services to access security services on a platform. The use of security services through a layered service can be opaque. Legacy layered services, such as the Sockets protocol and HTTP, can be enhanced with security
Secure Gateway Hardware
(Figure)

Secure Gateway Software
• Software system
• Security-enhanced operating system
• Security-enhanced kernel
• Security modules
References
• Xianghao Nan, Zhong Chen. CPK Algorithm Patent, publication number WO/2006/074611.
• Zhi Guan, Zhen Cao, Xuan Zhao, Ruichuan Chen, Zhong Chen, Xianghao Nan. WebIBC: Identity Based Cryptography for Client Side Security in Web Applications. ICDCS '08, 2008.
• Zhen Cao, Hui Deng, Yuanchen Ma, Po Hu. Integrating Identity Based Cryptography with Cryptographically Generated Addresses in Mobile IPv6. Proceedings of ICCSA '07, LNCS 4706, 2007.
• Qi Jing, Jianbin Hu, Zhong Chen. C4W: An Energy Efficient Public Key Cryptosystem for Large-Scale Wireless Sensor Networks. IEEE International Conference on Mobile Ad hoc and Sensor Systems (MASS) '06, 2006.
• Wen Tang, Xianghao Nan, Zhong Chen. Combined Public Key Cryptosystem. Proceedings of the International Conference on Software, Telecommunications and Computer Networks (SoftCOM '04), 2004.