March R. Smith - University of St Thomas - Minnesota

CISC Class Today
- Homework schedule
- Upcoming lab
- Recap
- Encapsulated Security Payload
- Key exchange – strategies
- Internet Key Exchange – the problem
- Diffie Hellman and Public Keys
Recap
- Project Schedule – Proposal due today
- Homework – Due Thursday
- Lab – Due Thursday
- Protecting packet integrity
  – Encrypted checksum problems
  – Keyed Hash and HMAC
- IPSEC
IP Security Protocol – IPSEC
- Security protection that’s IP routable
- We authenticate the IP addresses
- We encrypt everything inside the IP header
Separate Headers
- AH – Authentication Header
  – Keeps the packet intact
- ESP – Encapsulating Security Payload
  – A ‘generic’ security format, originally just for encryption
  – Now does both encryption and authentication
Authentication Header – ‘AH’
- Protects unchanging bits of the IP header
- “SPI” – Security Parameter Index
  – Identifies the keying and hash algorithm to use
Encapsulating Security Payload – ESP
[Figure: ESP packet layout, in 8-bit bytes: SPI | Sequence Number | Payload Data (variable) | Padding (variable) | Pad Length | Next Header | Integrity Check (variable)]
- Modern style, including integrity protection
  – Internal format still depends on the crypto used
  – SPI picks the crypto format; the format determines variables
- Main problem: how long is the integrity check?
- May be length = 0, especially if the crypto does it already
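The layout above can only be parsed once the receiver knows, from the SA that the SPI selects, how long the integrity check is. The following builder and parser are an added example (not from the slides or from any IPsec implementation); the SPI, sequence number, payload and 12-byte placeholder ICV are constructed sample values, and a real ICV would be a keyed hash over the SPI through the trailer.

```python
import struct

# ESP layout from the slide (RFC 4303): SPI | Sequence Number | Payload Data (variable) |
# Padding (variable) | Pad Length | Next Header | Integrity Check Value (variable).
# The ICV length is a property of the Security Association that the SPI selects, so the
# parser has to be told it; it is 0 when the cipher already authenticates (e.g. AES-GCM).

def build_esp(spi, seq, payload, next_header, icv, block=4):
    # Pad so that payload + padding + the 2 trailer bytes fill whole cipher blocks.
    pad_len = (-(len(payload) + 2)) % block
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default padding bytes 1, 2, 3, ...
    trailer = bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + payload + padding + trailer + icv

def parse_esp(packet, icv_len):
    """Split an ESP packet into its fields, given the ICV length of its SA."""
    if len(packet) < 8 + 2 + icv_len:
        raise ValueError("packet too short for ESP header, trailer and ICV")
    spi, seq = struct.unpack("!II", packet[:8])
    body_end = len(packet) - icv_len          # the trailer sits just before the ICV
    pad_len, next_header = packet[body_end - 2], packet[body_end - 1]
    payload_end = body_end - 2 - pad_len
    if payload_end < 8:
        raise ValueError("pad length runs past the start of the payload")
    return {"spi": spi, "seq": seq, "payload": packet[8:payload_end],
            "pad_len": pad_len, "next_header": next_header, "icv": packet[body_end:]}

def parses_ok(packet, icv_len):
    """True if the packet parses consistently under the assumed ICV length."""
    try:
        parse_esp(packet, icv_len)
        return True
    except ValueError:
        return False

# Constructed sample: SPI 0x1000, sequence 7, 5-byte payload, next header 4 (IPv4 in
# tunnel mode) and a placeholder 12-byte ICV standing in for a real keyed hash.
SAMPLE = build_esp(0x1000, 7, b"hello", 4, b"\xaa" * 12)

if __name__ == "__main__":
    print(parse_esp(SAMPLE, 12))   # fields line up when the ICV length matches the SA
    print(parses_ok(SAMPLE, 0))    # False: with the wrong ICV length the trailer is read from the ICV
```

Parsing the same bytes with the wrong ICV length makes the parser read pad length and next header out of the ICV, which is exactly the "how long is the integrity check?" problem the slide raises.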
A Specific Example: CBC
- Only IV and encrypted data live inside the ‘payload’
- Only the enclosed data is protected.
Secret Key Management
- Two elements
  – How do you assign individual keys
  – How do you update keys
- Assignment – how many keys do we need?
  – “One Big Cryptonet”
  – Pairwise user-user
  – Pairwise user-server (“key distribution center”)
- Updating – given the assignment strategies
  – Manual
  – Automatic
Automatic key updating
- How do we get the new key?
  – Internal update
    Use a ‘pseudo random number generator’
    “Forward secrecy” problem
  – Random update
    Use a new, randomly generated key
    Share with the cryptonet
    How do we transmit random keys?
  – Chained update
    Send it using the existing crypto key
    “Forward secrecy” problem
  – KEK-based update
    Use a separate “key encrypting key”
    Data is only sent with “data keys” or “session keys”
    Only use KEK to send newly generated session
Key Distribution Center (KDC)
- Each user has a unique personal key
  – Contacts KDC to get a session key
  – KDC sends keys encrypted with users’ personal keys
- Example
  – Bob wants to talk to Alice
  – Bob contacts KDC, says “I want to talk to Alice”
  – KDC sends two copies of the session key
    One encrypted with Bob’s personal key
    One encrypted with Alice’s personal key
- This is the basis of Kerberos
  – Encrypted keys are called “tickets”
- Uses a pair of keys: the Private Key and the Public Key
- Usually, one key of the pair decrypts what the other key encrypts, and vice versa
- “Asymmetric Encryption”
[Figure: Public Key Encryption – Clear Text → Encryption Procedure (Public Key) → Cipher Text → Decryption Procedure (Private Key) → Clear Text]
Public Key cryptography
- Diffie Hellman
- ‘Distributive property’ of exponents
  – (B^X)^Y = (B^Y)^X
- Or, in Diffie-Hellman:
  – (B^X mod M)^Y mod M = (B^Y mod M)^X mod M
  – (B^X mod M) * (B^Y mod M) mod M ≠ (B^Y mod M)^X mod M
- Modulus makes it impractical to reverse
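The two identities on this slide, carried through in code as an added example (not from the slides): each side publishes B^X mod M, both arrive at the same (B^X mod M)^Y mod M, and the product of the two public values is not that secret. The modulus M (the Mersenne prime 2^521 - 1) and base B = 3 are constructed toy parameters; deployed systems use standardized groups such as those in RFC 3526.

```python
import secrets

# Constructed toy parameters for the slide's B, X, Y and M (not a standard DH group).
M = 2**521 - 1   # a large prime modulus
B = 3            # the base whose powers are exchanged

def new_private(modulus=M):
    """A fresh secret exponent X (or Y) in the range 2 .. M-1."""
    return secrets.randbelow(modulus - 2) + 2

def dh_public(private_exponent, base=B, modulus=M):
    """What a party publishes: B^X mod M."""
    return pow(base, private_exponent, modulus)

def dh_shared(their_public, my_private, modulus=M):
    """What a party computes from the other side's value: (B^Y mod M)^X mod M."""
    return pow(their_public, my_private, modulus)

def exchange(x, y, modulus=M):
    """Run both sides with exponents x and y; return (agreed?, product_is_secret?)."""
    pub_x, pub_y = dh_public(x), dh_public(y)     # these two values cross the wire
    secret_x = dh_shared(pub_y, x)                # X's side: (B^Y)^X
    secret_y = dh_shared(pub_x, y)                # Y's side: (B^X)^Y
    # The slide's "!=" line: someone who only sees the two public values and
    # multiplies them gets B^(X+Y), which is not the shared B^(X*Y).
    product = (pub_x * pub_y) % modulus
    return secret_x == secret_y, product == secret_x

if __name__ == "__main__":
    print(exchange(new_private(), new_private()))   # (True, False)
```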
RSA
- Weird variant
- Multiply two primes
  – Product is part of the key
  – 2 other numbers form rest of the key
    “Public” number (often 3 or 65537)
    “Private” number (the modular inverse)
- Works in both directions – encrypt and decrypt
Applications
- Sharing a key
  – Diffie Hellman approach
  – RSA approach
- Digital signatures
  – Creating one, RSA
  – Checking one, RSA
Using Public Key
- Diffie Hellman
  – I can share one secret with another D-H user
    I use the other user’s PUBLIC key with my PRIVATE key
- RSA
  – If I have a user’s PUBLIC key, I can send them a secret
    I encrypt the secret with THEIR public key
    They decrypt with their own private key
  – I can use my PRIVATE key to “sign” things
    I encrypt a hash (checksum) with my PRIVATE key
    Others can check the result with my PUBLIC key
Digital Signature Concept
- Honest Abe must possess the private key in order to produce the digital signature
[Figure: Document (“I certify that this is really true and …”) → Signature Procedure (Honest Abe’s Private Key) → Signed Document, “Signed: Honest Abe”]
Digital Signature Validation
- Alice trusts Honest Abe
- Alice needs proof that Abe wrote the document
- Abe’s public key shows that Abe signed the document with his private key
[Figure: Signed document and Digital Signature → Signature Procedure (Honest Abe’s Public Key) → Valid Signature, Valid Document, checked by Alice]
RSA Encrypting Secret Keys
- First send the secret key, then send the data
[Figure: Random Number Generator → Secret Key (temporary) → Encryption Procedure (Public Key) → Cipher Text → Decryption Procedure (Private Key) → Secret Key; Clear Text “John J. Jones” → Encryption Procedure (Secret Key) → Cipher Text → Decryption Procedure (Secret Key) → Clear Text “John J. Jones”]
Hash Digital Signatures
- Signature is the hash value, encrypted with the private key
- Associates the document’s contents with the signer
- Detects changes to document
[Figure: Document (“I certify that this is really true and …”) → Hash → Encryption Procedure (Private Key) → Digital Signature, attached to the Signed Document]
Digital Signature Validation
- Decrypt the hash with the public key
- Compare with the document’s hash
[Figure: Signed Document → Hash; Digital Signature → Decryption Engine (Public Key) → Hash; compare the two: Valid?]
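The RSA slide, the “Using Public Key” slide and the two hash-signature slides above, worked through as one added example (not code from the slides): a keypair from two primes with the public number 65537 and its modular inverse as the private number, a secret encrypted with the recipient’s public key, and a signature that is the SHA-256 hash “encrypted” with the private key and checked by decrypting it with the public key. The primes are fixed Mersenne primes so the block runs without a prime generator, and there is no padding (textbook RSA), which is the part real libraries add.

```python
import hashlib

# Constructed toy parameters: two known primes and the slide's "public number".
P = 2**521 - 1
Q = 2**127 - 1
E = 65537

def make_keypair(p=P, q=Q, e=E):
    """n = p*q is part of both keys; d is the modular inverse of e mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # the "private number"
    return (n, e), (n, d)        # (public key, private key)

def rsa_apply(key, m):
    """One modular exponentiation; the same operation encrypts, decrypts, signs and verifies."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, exp, n)

def encrypt_secret(public_key, secret):
    """Send someone a secret: encrypt it with THEIR public key."""
    return rsa_apply(public_key, int.from_bytes(secret, "big"))

def decrypt_secret(private_key, ciphertext, length):
    """They recover it with their own private key."""
    return rsa_apply(private_key, ciphertext).to_bytes(length, "big")

def sign(private_key, document):
    """Signature = hash of the document, 'encrypted' with the signer's private key."""
    digest = int.from_bytes(hashlib.sha256(document).digest(), "big")
    return rsa_apply(private_key, digest)

def verify(public_key, document, signature):
    """Decrypt the hash with the public key and compare with the document's own hash."""
    recovered = rsa_apply(public_key, signature)
    expected = int.from_bytes(hashlib.sha256(document).digest(), "big")
    return recovered == expected

if __name__ == "__main__":
    pub, priv = make_keypair()
    doc = b"I certify that this is really true and correct"
    sig = sign(priv, doc)
    print("valid:", verify(pub, doc, sig))               # True
    print("after a change:", verify(pub, doc + b"!", sig))  # False: hash no longer matches
```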
Real Public Key Applications
- I.e. places where it really does something valuable
- Secrecy (sharing keys)
  – Secret file sharing (PGP)
  – SSL: browsers, Secure Shell
- Integrity (digital signatures)
  – Verifying downloaded software
  – Verifying messages
  – Verifying public key “owners”
Creating a Certificate
- People generally trust Honest Abe
- Abe attests that www.bank.com has the public key 3,5555
- Abe digitally signs a certificate to say this
- Abe is a certificate authority (CA) since he certifies the owners of public keys
[Figure: “www.bank.com – Key: 3,5555” → Signature Procedure (Honest Abe’s Private Key) → signed certificate “www.bank.com – Key: 3,5555”]
Validating a Certificate
- The initial strategy in SSL-enabled Browsers
- Every Web server with SSL has a certificate
- Only one Certificate Authority’s public key
  – RSA Security, later Verisign, serves as “Honest Abe”
- Problems with scalability, delegation
From Authentication © Used by permission
Multiple CAs in the Browser
- Browsers maintain a list of “Honest Abes”
- Users can add a new CA when encountered
  – Security issue – is a new CA really honest, or not?
From Authentication © Used by permission
Public Key Infrastructure
A catch-all term for the services required to support the widespread use of public keys
- Server and client software to support public keys
- Software to create and distribute certificates
- Trustworthy organizations to issue reliable certificates
- Mechanisms so that organizations can recognize each other’s certificates
Commercial PKI
Commercial PKIs use a hierarchical strategy
- Certificates are created and signed by special certificate authority software
- Each certificate authority belongs to an enterprise and carries a unique key
- The enterprise is responsible for ensuring the accuracy of certificates
  – Commercial certifiers like Verisign, Inc., rely on stringent, published rules and procedures defined in their Certification Practices Statement and Certificate Policy
  – Private corporations may rely on internal controls and limits on certificate usage
Alternative to the CA/PKI
“Pretty Good Privacy” (PGP) uses a web of trust strategy
- Traditional ‘Web of Trust’
  – Anyone may sign a certificate
  – Certificates may carry multiple signatures
  – Individuals must personally decide on authenticity, based on the signatures
  – Pairwise trust relationships, extended based upon interpersonal transitive trust
- Current on-line key directory
  – Directory itself “signs” its certificates
  – Authenticity based on an exchange (!?!)
Issues with PKI
- Standardization
- Interoperability
- Poorly defined trust relationships
- Confidentiality of Private/Secret signing keys
- Deployment
  – Infrastructure cost
  – Infrastructure complexity
  – Enrollment costs
  – Client deployment costs
“Group quiz”
- How can I send an encrypted message to 2 other people without sharing a secret with all 3?
- Assume we’ve shared public keys
- Pull out a piece of paper
- Draw the answer, put the group names on it
That’s it
- Questions?

Creative Commons License
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.