Important Concepts

Symmetric Encryption
The same key is used to encrypt and decrypt the data. DES is one example.
[Figure: Mom’s Secret Apple Pie Recipe, encrypted and decrypted with the same key ("Pie Key")]

Symmetric Encryption

The Advantages
° Secure
° Widely Used
° The encrypted text is compact
° Fast

The Disadvantages
° Complex Administration
° Requires Secret Key Sharing
° Large Number of Keys
° No non-repudiation
° Keys are Subject to interception

Asymmetric Encryption
One half of a key pair is used to encrypt, the other half is used to decrypt. RSA is one example.
[Figure: Mom’s Secret Apple Pie Recipe, Recipient’s Public Key, Recipient’s Private Key]

Asymmetric Encryption

The Advantages
° Secure
° No secret sharing
° No prior relationship
° Easier Administration
° Far fewer keys
° Supports non-repudiation

The Disadvantages
° Slower than symmetric key
° The encrypted text is larger than a symmetric version
° Point to multi-point does not scale

The Combination
[Figure: Mom’s Secret Apple Pie Recipe, Random Symmetric Key, Bill’s Public Key, encrypted recipe addressed "To: Bill"; labelled “Digital Envelope” and “Key Wrapping”]

The Combination
You get the best of both worlds
° The benefits of Symmetric Key
  – Speed
  – Compact Encrypted Text
° The benefits of Public Key
  – Simpler Key management
  – Digital Signature
  – Non-Repudiation

Digital Certificates
[Figure: Certificate containing Name, Address, Organization; Owner’s Public Key; Certificate Validity Dates; Certifying Authority’s Digital Signature (Digest, Encrypted)]
All you need is the CA’s public key to verify the certificate and extract the certified public key.

What is a Certificate?
A signed packet of identifying attributes

Identifying Attributes:
° Subject Name (the user being identified)
° Public Key
° Issuer Name (trusted source identifying user)
° Validity Period
° Signature

Specified in:
° RFC 2459
° x.509 v 1-3

Serial Number : 6cb0dad0137a5fa79888f
Validity : Nov.08, Nov.08,1998
Subject / Name / Organization
  Locality = Internet
  Organization = VeriSign, Inc.
  Organizational Unit = VeriSign Class 2 CA - Individual Subscriber
  Organizational Unit = Incorp. by Ref.,LIAB.LTD(c)96
  Organizational Unit = Digital ID Class 2 - Netscape
  Common Name = Mom
  Address = Unstructured Address = RR2, Pieland, USA
Status: Valid
Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcq m85k309nviidywtoofkkr2834kl
Signed By : VeriSign, Inc.: kdiowurei495729hshsg0925h309afhwe09721h akndnxnzkjoaioeru y5

High-Level Functionality: Non-Repudiation

Digital Signatures
[Figure: Clear Text, “Hash”, Digest; Clear Text with Encrypted Digest]

Digital Signatures
[Figure: Mom’s Secret Apple Pie Recipe, “Hash Function”, Digest; Encrypted Digest, Signer’s Public Key, Digest'; “match?”]

Certificate Issuance

Key Generation Standards
° RFC 2510
  Key may be generated by End Entity, RA, or CA
  – ANSI x not specified but commonly used
° PKCS #11
  Key may be generated by End Entity, RA, or CA
  – RSA ( )
  – DSA ( )
  – ECDSA

Certificate Creation Standards
° PKCS #1
° RFC 2459 Certificate and CRL Profile
  Specifies the type and format of a certificate
  – essentially x.509 with some modification
  Uses PKCS #1 specifiers
  – MD5 with RSA for signature
  – SHA-1 with RSA for signature

How do you assure that you get a real (and valid) public key?
X.509 Digital Certificate
“I officially notarize the association between this particular User, and this particular Public Key”

How do I validate a certificate?
For a certificate to be valid, the following checks must normally succeed:
° today’s date must fall between the starting and ending validity dates for the certificate
° the signature must be valid
° the contents of the certificate must not have changed
° the certificate issuer must be one we trust
° the certificate must not have been revoked
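
The validation checks listed above, worked through in Python as an added example (not part of the original slides). It assumes a simplified certificate held as a dict rather than real X.509 encoding, and a toy textbook-RSA CA key; the names issue, validate, "Example CA" and all sample values are constructed for illustration.

```python
import hashlib
from datetime import date

# Toy CA key (constructed): textbook RSA from two known Mersenne primes,
# no padding. Illustration only; never use a key like this for real data.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # CA private exponent

def digest(fields):
    """SHA-256 over the certified attributes (all fields but the signature)."""
    tbs = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big")

def issue(fields):
    """CA side: 'encrypt' the digest with the CA private key."""
    return {**fields, "signature": pow(digest(fields), D, N)}

def validate(cert, today, trusted, revoked):
    """Return the failed checks; an empty list means the certificate is valid."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    errors = []
    if not cert["not_before"] <= today <= cert["not_after"]:
        errors.append("outside validity period")
    ca_key = trusted.get(cert["issuer"])  # (e, n) of a CA we trust
    if ca_key is None:
        errors.append("untrusted issuer")
    elif pow(cert["signature"], *ca_key) != digest(fields):
        # One comparison catches a forged signature and altered contents.
        errors.append("bad signature or altered contents")
    if (cert["issuer"], cert["serial"]) in revoked:
        errors.append("revoked")
    return errors

# Constructed sample data (not taken from the slides).
TRUSTED = {"Example CA": (E, N)}
CERT = issue({"subject": "Mom", "issuer": "Example CA", "serial": 1001,
              "public_key": "placeholder-key", "not_before": date(2024, 1, 1),
              "not_after": date(2024, 12, 31)})

if __name__ == "__main__":
    print(validate(CERT, date(2024, 6, 1), TRUSTED, set()))
    print(validate({**CERT, "subject": "Eve"}, date(2024, 6, 1), TRUSTED, set()))
```

The signature check and the "contents must not have changed" check are the same comparison: any edit to a certified field changes the digest, so it no longer matches the value recovered with the CA's public key.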