03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.

Slides:



Advertisements
Similar presentations
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Advertisements

Introduction of Grid Security
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
23 Oct PKI for the Mystified Introduction to Public Key Infrastructure and Cryptography Ivaylo Kostadinov.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
Principles of Information Security, 2nd edition1 Cryptography.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.
EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
Tony BrettOUCS Course Code ZAB 9 February Security – Encryption and Digital Signatures Tony Brett Oxford University Computing Services February.
1 Authentication Protocols Celia Li Computer Science and Engineering York University.
Computer Science Public Key Management Lecture 5.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.
Cryptography 101 Frank Hecker
Digital Certificates. What is a Digital Certificate? A digital certificate is the equivalent of your business card in the e-commerce world. It says who.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
Security Keys, Signatures, Encryption. Slides by Jyrki Nummenmaa ‘
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Cryptography, Authentication and Digital Signatures
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.
1 Cryptography NOTES. 2 Secret Key Cryptography Single key used to encrypt and decrypt. Key must be known by both parties. Assuming we live in a hostile.
Encryption Questions answered in this lecture: How does encryption provide privacy? How does encryption provide authentication? What is public key encryption?
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Chapter 8 – Network Security Two main topics Cryptographic algorithms and mechanisms Firewalls Chapter may be hard to understand if you don’t have some.
Digital Certificate Operation in a Complex Environment Presentation to the IT Support Staff Conference 24 June 2004.
Digital Signatures, Message Digest and Authentication Week-9.
1 Normal executable Infected executable Sequence of program instructions Entry Original program Entry Jump Replication and payload Viruses.
Washington System Center © 2005 IBM Corporation August 25, 2005 RDS Training Secure Socket Layer (SSL) Overview z/Series Security (Mary Sweat, Greg Boyd)
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Public Key Encryption, Secure WWW Transactions & Digital Signatures.
Digital Signatures and Digital Certificates Monil Adhikari.
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
Secure HTTP (HTTPS) Pat Morin COMP 2405.
The Secure Sockets Layer (SSL) Protocol
Public Key Infrastructure (PKI)
Secure Sockets Layer (SSL)
Security through Encryption
Created by : Ashish Shah, J.M. PATEL COLLEGE OF COMMERCE
The Secure Sockets Layer (SSL) Protocol
Chapter 4 Cryptography / Encryption
Created by : Ashish Shah, J.M. PATEL COLLEGE OF COMMERCE
Public-Key, Digital Signatures, Management, Security
PKI (Public Key Infrastructure)
Electronic Payment Security Technologies
Presentation transcript:

03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services

03 December 2003 DCOCE Der-kot-chee Digital Certificate Operation in a Complex Environment

03 December 2003 Authentication The act of verifying that an electronic identity (username, login name etc.) is being employed by the person to whom it was issued –Strictly it should mean "establishing the validity of something, such as an identity". (The procedure as indicated by the definition above is very difficult indeed.)

03 December 2003 Authorisation Associating rights or capabilities with a subject Authorisation usually comes after authentication –i.e. once the service knows who it is (Authenticated), it then proceeds to decide what that person/subject can do (Authorisation)

03 December 2003 The DCOCE project DCOCE is about authentication with digital certificates Digital certificates use Public Key Infrastructure (PKI) –PKI is very secure –but can be difficult to administer –and a lot of people don't understand it too well

03 December 2003 The DCOCE project Digital certificates and PKI rely upon trust Trust relies upon co-operation (or understanding) between organisations Oxford University is a Complex Environment –DCOCE –If it can work here... But let's get back to PKI and how it works

03 December 2003 PKI (Public Key Infrastructure) A key is like a code sheet A public key is an odd concept –why would you reveal your secret code in public? We need to understand symmetric keys and asymmetric keys

03 December 2003 Principles of encryption SubstitutionTransposition Symmetric encryption etc. …

03 December 2003 Principles of encryption Symmetric encryption Encryption Decryption Plaintext Ciphertext Key and encryption algorithm

03 December 2003 Example using the Data Encryption Standard (DES) Principles of encryption Symmetric encryption $> des -e “Mary had a little lamb” output.des Enter key: oucskey Enter key again: oucskey $> The result: $> cat output.des !¢ðuýåćßÞf 謶׀ עжТφẸỆ≈∞▪ﲑ $>

03 December 2003 Example using the Data Encryption Standard (DES) continued… Principles of encryption Symmetric encryption $> des -d output.des text.des Enter key: oucskey Enter key again: oucskey $>cat text.des Mary had a little lamb $> To decrypt:

03 December 2003 Example using the Data Encryption Standard (DES) continued… Principles of encryption Symmetric encryption $> des -d output.des text.des Enter key: oucsquay Enter key again: oucsquay Corrupted file or wrong key $>cat text.des uýåćß#¬`謶׀ φẸỆעжТ עжТ $> Trying to decrypt with the wrong key:

03 December 2003 So you have to have the same key as your correspondent –how do you send the key safely? You also have to tell your correspondent the algorithm! –(not necessarily a problem) How do you transmit these things in the first place? Principles of encryption Symmetric encryption

03 December 2003 How safe are encryption algorithms anyway? Example using (DES) continued… Principles of encryption Symmetric encryption What about a ‘brute force’ attack? i.e. ‘guessing’ at the key “oucskey” DES algorithm has a 56-bit key. Therefore, there are 2 56 = 72,057,594,037,900,000 different keys 834 days at a billion keys per second But for a typed key, effectively 96 8 (83 days)

03 December 2003 How safe are encryption algorithms anyway? –A good algorithm is sound –Safety is dependent on key length Key distribution is problematic –but if you can, symmetric is fine! Principles of encryption Symmetric encryption –except that you need a key for everyone you communicate with!!

03 December 2003 Principles of encryption Then there was asymmetric encryption –Whitfield Diffie and Martin Hellman (1975) –Each party has two keys (public and private) –Anything encrypted with key1 can only be decrypted with key2 –Asymmetric!

03 December 2003 Decryption Asymmetric encryption Plaintext Ciphertext Encryption Key 1 and encryption algorithm

03 December 2003 Plaintext Ciphertext Encryption Key 1 and encryption algorithm If Key 1 = private, Key2 must be corresponding public If Key 1 = public, Key2 must be corresponding private Key 2 and encryption algorithm Decryption Asymmetric encryption

03 December 2003 Public and private keys Keys exist in pairs –Keep one private (very secret) and 'publish' one –Public keys can exist on certificates Encryption can be done by either key –If it is your key pair, you can use the private key –Anyone else can use the public key to encrypt something

03 December 2003 Private keys Extremely secret! If you send something encrypted by a private key, it can be read by everyone, but they know it came from you. –Authentication

03 December 2003 Public keys Not at all secret! –Widely available, but must be trusted –May be supplied as part of a certificate If you send something using a public key, it can only be read by the entity to which it is addressed. –Secure communications (But secure communications (e.g. SSL) isn’t quite as simple as that!)

03 December 2003 How can I trust a public key? Someone can use a public key to prove their identity to me –but only if I trust that public key –there's public keys out there that say they belong to George Bush etc. So if someone I trusted endorsed (signed) that public key –hold that thought for a moment...

03 December 2003 Signing things with keys Keys can be used to sign things –encrypt a bit of text with your private key (can be attached 'securely' to the 'document') –people can de-crypt it with the public key and know that it was signed by you

03 December 2003 How can I trust a public key? Put that public key on a certificate Get someone you trust to sign the certificate –If the certificate is tampered with, the signature is broken Organisations who sign public keys/certificates are called Certification Authorities (CA)

03 December 2003 Public Key Infrastructure You create a key pair Put one key of the pair on a certificate Send the certificate (request) to the CA Present yourself or identify yourself to the Registration Authority (RA) The RA tells the CA that you are OK The CA sends you the signed certificate

03 December 2003 Public Key Infrastructure Now you have a signed certificate, people and services can trust that you are who you say you are Present your certificate to a service Tell them something encrypted by your private key They like your certificate and know it is you

03 December 2003 Public Key Infrastructure You keep your private key very secret –Obey the rules for this! Your public key is on the certificate Services must trust the CA Your certificate will have an expiry date –after which you may have to re-visit the RA Your certificate can be revoked at any time

Authentication using certificates and public/private keys Web server Hello Mary had a little lamb End user Mary had a little lamb Mary had a little lamb Mary had a little lamb Client authentication OK. The server is happy that the end user is Mr Bloggs himself!

03 December 2003 Public Key Infrastructure Asymmetric encryption = public/private keys Symmetric encryption is faster –but how do you deliver the keys Asymmetric encryption is used in SSL –Secure Sockets Layer, very common Also used in client authentication (less common, at the moment)

Authentication using certificates and public/private keys Web server End user Challenge Phrase (Random message) Encryption protocols Encryption protocols OK Random connection identifier (server) Public CA key OK!Or client may not have CA public key (receives message that certificate is not known) | Cancel | Always Trust | Trust this time | Setting up the session and server authentication Challenge Phrase (Random message) Random connection identifier (server) Server pub. key and cert.

Authentication using certificates and public/private keys Web server End user Public CA key Setting up the session and server authentication Challenge Phrase (Random message) Random connection identifier (server) Master session key Symmetric key pairs (Encrypted) Server pub. key and cert.

Authentication using certificates and public/private keys Web server End user Public CA key Setting up the session and server authentication Challenge Phrase (Random message) Random connection identifier (server) Master session key ReadWrite Symmetric key pairs Random connection identifier (server) Symmetric key pairs ReadWrite Random connection identifier (server) Challenge Phrase (Random message) Challenge Phrase (Random message) Then client authentication begins! (as we looked at before) Server pub. key and cert.

03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services