Key Exchange We talk about symmetric keys here The problem is almost circular: To establish an encrypted session, you need an encrypted means to exchange keys.
Key Exchange Public Key cryptography can help ?! Then, suppose that To see how, suppose S:(Sender) and R:(Receiver) want to derive a shared symmetric key, remember that S and R have their own keys and their each others public keys S keys are (kPR-S, kPU-S) plus R’s public key R keys are (kPR-R, kPU-R) plus S’s public key Then, suppose that S chooses any symmetric key K S sends E(kPR-S,K) to R R takes S’s public key, removes the encryption, and obtains K OOPS, any eavesdropper who can get S’s public key can also obtain K let S send E(kPU-R, K)to R. Then, only R can decrypt K OOPS, R has no assurance that K came from S The solution is for S to send to R: E(kPU-R, E(kPR-S, K))
Key Exchange E(kPU-R, E(kPR-S, Message))
Digital Signatures
Electronic Record Very easy to make copies Very fast distribution Easy archiving and retrieval Copies are as good as original Easily modifiable Environmental Friendly Because of 4 & 5 together, these lack authenticity
Why Digital Signatures? To provide Authenticity, Integrity and Non-repudiation to electronic Documents & Communicated Messages To use the Internet as the safe and secure medium for e-Commerce and e-Governance One cd rom=one tree
Digital Signatures A digital signature is a protocol that produces the same effect as a real signature: It is a mark that only the sender can make but other people can easily recognize that it belongs to the sender Two conditions It must be unforgeable: If person P signs message M with signature S(P,M), it is impossible for anyone else to produce the pair [M, S(P,M)] It must be authentic: If a person R receives the pair[M, S(P,M)]supposedly from P, then R can check/verify that the signature is really from P Only P could have created this signature, and the signature is firmly attached to M
Digital Signatures Two more properties It is not alterable: after being transmitted, M cannot be changed by S, R, or an interceptor. It is not reusable: if a previous message presented again will be instantly detected by R.
Digital Signatures efcc61c1c03db8d8ea8569545c073c814a0ed755 I agree efcc61c1c03db8d8ea8569545c073c814a0ed755 I am an Engineer. ea0ae29b3b2c20fc018aaca45c3746a057b893e7 I am a Engineer. 01f1d8abd9c2e6130870842055d97d315dff1ea3 These are digital signatures of the same person on different documents Any message irrespective of its length can be compressed or shortened uniquely into a smaller length message called the Digest or the Hash. Digital Signatures are numbers They are document content dependent
What is Digital Signature? Hash value of a message: when encrypted with the private key of a person is his digital signature on that e-Document/Message Digital Signature of a person therefore varies from document to document thus ensuring authenticity of each word of that document. As the public key of the signer is known, anyone can verify the message and the digital signature
Digital Signatures Private Key – Used for making digital signature Each individual generates his own key pair [Public key known to everyone & Private key only to the owner] Private Key – Used for making digital signature Public Key – Used to verify the digital signature
Public Key Cryptography Encryption Technologies Confidentiality Document Document Encrypted Document Encrypted Document Public Key of B Private Key of B
[2048 bit Key Example (including Algorithm identifier)] RSA Key pair Lifetime of data RSA key size Up to 2010 1024 bits Up to 2030 2048 bits Up to 2031 onwards 3072 bits Recommended RSA key sizes depending on lifetime of confidential data [2048 bit Key Example (including Algorithm identifier)] Private Key 3082 010a 0282 0101 00b1 d311 e079 5543 0708 4ccb 0542 00e2 0d83 463d e493 bab6 06d3 0d59 bd3e c1ce 4367 018a 21a8 efbc ccd0 a2cc b055 9653 8466 0500 da44 4980 d854 0aa5 2586 94ed 6356 ff70 6ca3 a119 d278 be68 2a44 5e2f cfcc 185e 47bc 3ab1 463d 1ef0 b92c 345f 8c7c 4c08 299d 4055 eb3c 7d83 deb5 f0f7 8a83 0ea1 4cb4 3aa5 b35f 5a22 97ec 199b c105 68fd e6b7 a991 942c e478 4824 1a25 193a eb95 9c39 0a8a cf42 b2f0 1cd5 5ffb 6bed 6856 7b39 2c72 38b0 ee93 a9d3 7b77 3ceb 7103 a938 4a16 6c89 2aca da33 1379 c255 8ced 9cbb f2cb 5b10 f82e 6135 c629 4c2a d02a 63d1 6559 b4f8 cdf9 f400 84b6 5742 859d 32a8 f92a 54fb ff78 41bc bd71 28f4 bb90 bcff 9634 04e3 459e a146 2840 8102 0301 0001 RSA claims that 1024-bit keys are likely to become crackable some time between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. The NIST recommends 2048-bit keys for RSA. An RSA key length of 3072 bits should be used if security is required beyond 2030. Currently (as of 2017-05-11) 2048-bit keys are most popular for use with RSA, and 2048 bit keys should also be used with classic Diffie-Hellman. These offer about the same security as a symmetric encryption algorithm with 112 bits of security. Public Key 3082 01e4 f267 0142 0f61 dd12 e089 5547 0f08 4ccb 0542 00e2 0d83 463d e493 bab6 0673 0d59 bf3e c1ce 4367 012a 11a8 efbc ccd0 a2cc b055 9653 8466 0500 da44 4980 d8b4 0aa5 2586 94ed 6356 ff70 6ca3 a119 d278 be68 2a44 5e2f cfcc 185e 47bc 3ab1 463d 1df0 b92c 345f 8c7c 4c08 299d 4055 eb3c 7d83 deb5 f0f7 8a83 0ea1 4cb4 3aa5 b35f 5a22 97ec 199b c105 68fd e6b7 a991 942c e478 4824 1a25 193a eb95 9c39 0a8a cf42 b250 1cd5 5ffb 6bed 6856 7b39 2c72 38b0 ee93 a9d3 7b77 3ceb 7103 a938 4a16 6c89 2aca da33 1379 c255 8ced 9cbb f2cb 5b10 f82e 6135 c629 4c2a d02a 63d1 6559 b4f8 cdf9 f400 84b6 5742 859d 32a8 f92a 54fb ff78 41bc bd71 28f4 bb90 bcff 9634 04de 45de af46 2240 8410 02f1 0001
Signed Messages OK Sent thru’ Internet Sender Receiver Message if Calculated Hash Message Signed Message Sent thru’ Internet Message + signature Message + Signature if OK Signatures verified COMPARE Hash Hash SIGN hash With Sender’s Private key Decrypt Signature With Sender’s Public Key Sender Receiver
Paper signatures vs. Digital Signatures Parameter Paper Electronic Authenticity May be forged Can not be copied Integrity Signature independent of the document Signature depends on the contents of the document Non-repudiation Handwriting expert needed Error prone Any computer user Error free
Private Key Protection The Private key generated is to be protected and kept secret. The responsibility of the secrecy of the key lies with the owner. The key is secured using PIN Protected soft token Smart Cards Hardware Tokens
PIN protected soft tokens The Private key is encrypted and kept on the Hard Disk in a file, this file is password protected. This forms the lowest level of security in protecting the key, as The key is highly reachable. PIN can be easily known or cracked. Soft tokens are also not preferred because The key becomes static and machine dependent. The key is in known file format.
Smart Cards The Private key is generated in the crypto module residing in the smart card. The key is kept in the memory of the smart card. The key is highly secured as it doesn’t leave the card, the message digest is sent inside the card for signing, and the signatures leave the card. The card gives mobility to the key and signing can be done on any system. (Having smart card reader)
Hardware Tokens They are similar to smart cards in functionality as Key is generated inside the token. Key is highly secured as it doesn’t leave the token. Highly portable. Machine Independent. iKEY is one of the most commonly used token as it doesn’t need a special reader and can be connected to the system using USB port.
Hardware Tokens Smart Card iKey Biometrics – adds another level of security to these tokens
Public Key Deception Impostor/Deceiver Claims to be a True Party True party has a public and private key Impostor/Deceiver also has a public and private key Impostor sends impostor’s own public key to the verifier Says, “This is the true party’s public key” This is the critical step in the deception
Public Key Deception If verifier accepts the impostor’s public key as the true party’s public key, Impostor will be authenticated through any public key authentication method, because their private key will work Impostor can also decrypt messages sent by the verifier if these messages are encrypted with the impostor’s public key
Public Key Deception Moral: Public key encryption for privacy, confidentiality, authentication, and message integrity only works if The verifier gets the true party’s public key independently of the applicant, From a trusted third party
Digital Certificates Created by a Certificate Authority (CA) Certificate Authority is the trusted third party Certificate Authority Digital Certificate Authenticated Party
Public Key Infrastructure (PKI) Some Trusted Agency is required which certifies the association of an individual with the key pair. Certifying Authority (CA) This association is done by issuing a certificate to the user by the CA Public Key Certificate (PKC) All public key certificates are digitally signed by the CA
Digital Certificates A public key and user's identity are bound together in a certificate, which is then signed by someone called a Certificate Authority (CA) Certifying the accuracy of the binding. The algorithms to generate a matched pair of public and private keys are publicly known, and software that does it is widely available. So if Alice wanted to use a public key cipher, she could generate her own pair of public and private keys, keep the private key hidden, and publicize the public key. But how can she publicize her public key— assert that it belongs to her—in such a way that other participants can be sure it really belongs to her?
The University of Adelaide, School of Computer Science 8 May 2019 Digital Certificates A complete scheme for certifying bindings between public keys and identities— what key belongs to who—is called a Public Key Infrastructure (PKI). A PKI starts with the ability to verify identities and bind them to keys out of band. By “out of band,” we mean something outside the network and the computers that comprise it, such as in the following scenarios. Himmm, if Alice and Bob are individuals who know each other, then they could get together in the same room and Alice could give her public key to Bob directly, perhaps on a business card. If Bob is an organization, Alice the individual could present conventional identification, perhaps involving a photograph or fingerprints. If Alice and Bob are computers owned by the same company, then a system administrator could configure Bob with Alice’s public key. A digitally signed statement of a public key binding is called a public key certificate, or simply a Certificate Chapter 2 — Instructions: Language of the Computer
The University of Adelaide, School of Computer Science 8 May 2019 Digital Certificates One of the major standards for certificates is known as X.509. This standard leaves a lot of details open, but specifies a basic structure. A certificate clearly must include: the identity of the entity being certified the public key of the entity being certified the identity of the signer the digital signature a digital signature algorithm identifier (which cryptographic hash and which cipher) Chapter 2 — Instructions: Language of the Computer
Certificates: Paper vs. Electronic
Certificate Authorities Unfortunately, certificate authorities are not regulated You must only use certificate authorities you trust Company can be its own certificate authority for internal authentication among its hardware and software systems
Certification Authorities The University of Adelaide, School of Computer Science 8 May 2019 Certification Authorities A certification authority or certificate authority (CA) is an entity claimed (by someone) to be trustworthy for verifying identities and issuing public key certificates. There are commercial CAs, governmental CAs, and even free CAs. To use a CA, you must know its own key. You can learn that CA’s key, however, if you can obtain a chain of CA-signed certificates that starts with a CA whose key you already know. Then you can believe any certificate signed by that new CA Chapter 2 — Instructions: Language of the Computer
Certifying Authority Must be widely known and trusted Must have well defined Identification process before issuing the certificate Provides online access to all the certificates issued Provides online access to the list of certificates revoked Displays online the license issued by the Controller Displays online approved Certification Practice Statement (CPS) Must adhere to IT Act/Rules/Regulations and Guidelines
Public-Key Certification User Certificate User Name User’s Public Key CA’s Name Validity Digital Signature of CA Certificate Class User’s Email Address Serial No. Certificate Database User Name & other credentials Signed by using CA’s private key Certificate Request License issued by CCA Publish User’s Public key User 1 certificate User 2 certificate . Public Public Private Web site of CA Key pair Generation
Digital Certificates Each digital certificate has its own digital signature, signed (encrypted) by the private key of the certificate authority Provides message integrity so that an impostor cannot change the name field in the digital certificate to its own
Digital Certificates Certificate authorities may revoke digital certificates before the expiration date listed in the digital certificate Revoked certificate ID numbers are placed in a Certificate Revocation List (CRL) Verifier must check with the certificate authority to determine if a digital certificate is on the CRL Without the CRL check, digital certificates do not support authentication
Digital Certificates Recap A digital signature gives the public key of a named party This is needed for public key authentication, to prevent public key deception However, a digital certificate alone does NOT provide authentication
Public Key Infrastructures (PKIs) Private key creation and distribution Digital certificate creation and distribution Certificate Revocation List checking
PKIs To use public key methods, an organization must establish a comprehensive Public Key Infrastructure (PKI) A PKI automates most aspects of using public key encryption and authentication Uses a PKI Server PKI Server
PKIs PKI Server Creates (Public Key , Private Key) Pairs Distributes private keys to applicants securely Often, private keys are embedded in delivered software Private Key PKI Server
PKIs PKI Server Provides Certificate Revocation List (CRL) Checks Distributes digital certificates to verifiers Checks Certificate Revocation List before sending digital certificates Digital Certificate PKI Server
PKIs CRL Checks If applicant gives verifier a digital certificate, The verifier must check the certificate revocation list CRL PKI Server OK? OK or Revoked
Role of controller Controller of Certifying Authorities as the “Root” Authority certifies the technologies, infrastructure and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates
Summary Each individual has a pair of keys Public key of each individual is certified by a CA (Certifying Authority) Public keys of CAs are certified by the Controller Public key of the Controller is self certified Public keys of everyone are known to all concerned and are also available on the web Certification Practice Statement is displayed on the web site
Verification of Signatures Key Generation True Random Numbers RSA Key Pair [Private/Public Key] i.e. 128-bits for symmetric key algorithms i.e. at least 2048-bits for public-key algorithms. Digital Signature Generate Message Digest [i.e. SHA1] Encrypting Digest using Private Key [Signatures] Attaching the Signatures to the message. Verification of Signatures Run the test for Authentication, Integrity and Non-repudiation. Digital Signature Certificate i.e. ITU X.509 v3 A digital certificate is necessary for a digital signature because it provides the public key that can be used to validate the private key that is associated with a digital signature. Digital certificates make it possible for digital signatures to be used as a way to authenticate digital information.