David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 14: Public Key Infrastructure.


1 David Evans http://www.cs.virginia.edu/evans CS588: Security and Privacy University of Virginia Computer Science Lecture 14: Public Key Infrastructure

2 [CS588 Spring 2005] Using RSA to Encrypt
Use 1024-bit modulus (RSA recommends >= 768)
Encrypt 1M file
– 1024 1024-bit messages
– To calculate $M^e$ requires $\log_2 e$ 1024-bit modular multiplies
Why does no one use RSA like this?
– About 100-1000 times slower than DES
– Need to be careful not to encrypt particular $M$s
– Can speed up encryption by choosing $e$ that is an easy number to multiply by (e.g., 3 or $2^{16} + 1$)
– But, decryption must use non-easy $d$ (~1024 bits)
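The cost gap between an "easy" public exponent and a full-size private exponent, as an added example that is not part of the lecture: a left-to-right square-and-multiply that counts its modular squarings and multiplies. The function names, the modulus value and the 1024-bit stand-in for d are assumptions made for the illustration.

```python
import secrets

def modexp_counted(base, exp, mod):
    """Left-to-right square-and-multiply; returns (result, squarings, multiplies)."""
    if exp < 1:
        raise ValueError("exponent must be positive")
    result, squarings, multiplies = base % mod, 0, 0
    for bit in bin(exp)[3:]:              # skip '0b' and the leading 1 bit
        result = (result * result) % mod  # one squaring per remaining bit
        squarings += 1
        if bit == "1":                    # one extra multiply per set bit
            result = (result * base) % mod
            multiplies += 1
    return result, squarings, multiplies

def cost(exp):
    """Total modular multiplications (squarings + multiplies) for this exponent."""
    modulus = (1 << 1024) - 159           # arbitrary 1024-bit odd value, not a real RSA modulus
    _, squarings, multiplies = modexp_counted(2, exp, modulus)
    return squarings + multiplies

if __name__ == "__main__":
    # Constructed stand-in for a ~1024-bit private exponent d (random, top bit set).
    d_like = secrets.randbits(1024) | (1 << 1023)
    for name, exp in [("e = 3", 3), ("e = 2^16 + 1", 2**16 + 1), ("d (~1024 bits)", d_like)]:
        print(f"{name:15s} {cost(exp):5d} modular multiplications")
```

Both suggested public exponents have only two set bits, so the cost is almost entirely squarings; a random 1024-bit d adds a multiply for roughly every second bit.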

3 Alternatives
Use RSA to establish a shared secret key for symmetric cipher (DES, RC6, ...)
– Lose external authentication, non-repudiation properties of public-key cryptosystems
Sign (encrypt with private key) a hash of the message
– A short block that is associated with the message

4 RSA Paper
“The need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public file manager when the user joins the system.”

5 Key Management
Public keys only useful if you know:
1. The public key matches the entity you think it does (and no one else).
2. The entity is trustworthy.

6 Approach 1: Public Announcement
Publish public keys in a public forum
– USENET groups
– Append to email messages
– New York Times classifieds
Easy for rogue to pretend to be someone else

7 Approach 2: Public Directory
Trusted authority maintains directory mapping names to public keys
Entities register public keys with authority in some secure way
Authority publishes directory
– Print using watermarked paper, special fonts, etc.
– Allow secure electronic access

8 Can we avoid needing an on-line directory?

9 Certificates
Loren Kohnfelder, MIT 4th year thesis project, 1978: Towards a Practical Public-key Cryptosystem
“Public-key communication works best when the encryption functions can reliably be shared among the communicants (by direct contact if possible). Yet when such a reliable exchange of functions is impossible the next best thing is to trust a third party. Diffie and Hellman introduce a central authority known as the Public File… Each individual has a name in the system by which he is referenced in the Public File. Once two communicants have gotten each other’s keys from the Public File they can securely communicate. The Public File digitally signs all of its transmission so that enemy impersonation of the Public File is precluded.”

10 Certificates
[Diagram: TrustMe.com, Alice, Bob]
{ alice@alice.org, $KU_A$ }
$C_A = E_{KR_{TrustMe}}$[“alice@alice.org”, $KU_A$]
{ bob@bob.com, $KU_B$ }
$C_B = E_{KR_{TrustMe}}$[“bob@bob.com”, $KU_B$]
$C_B$, $C_A$
Use anything like this?

11 Data encrypted using secret key exchanged using some public key associated with some certificate.

13 SSL (Secure Sockets Layer)
Simplified TLS Handshake Protocol (Textbook, Section 12.5)
Client → Server: Hello
Server → Client: $KR_{CA}$[Server Identity, $KU_S$]
Client: Check Certificate using $KU_{CA}$
Client: Pick random $K$
Client → Server: $KU_S[K]$
Server: Find $K$ using $KR_S$
Client ↔ Server: Secure channel using $K$

14 Certificates
[Diagram: VarySign, Alice, Bob]
{ alice@alice.org, $KU_A$ }
$C_A = E_{KR_{TrustMe}}$[“alice@alice.org”, $KU_A$]
{ bob@bob.com, $KU_B$ }
$C_B = E_{KR_{TrustMe}}$[“bob@bob.com”, $KU_B$]
$C_B$, $C_A$
How does TrustMe.com decide whether to provide Certificate?

15 Verifying Identities
[Diagram: VarySign, Alice, Bob]
{ alice@alice.org, $KU_A$ }
$C_A = E_{KR_{TrustMe}}$[“alice@alice.org”, $KU_A$]
{ bob@bob.com, $KU_B$ }
$C_B = E_{KR_{TrustMe}}$[“bob@bob.com”, $KU_B$]
$C_B$, $C_A$
$$$$

16 With over half a million businesses authenticated, VeriSign follows a rigorous and independently audited authentication process. All involved VeriSign employees pass stringent background checks, and each authentication is split between multiple individuals. We maintain physically secure facilities, including biometric screening on entry.

17 VeriSign’s Certificate Classes
“Secure Site” SSL Certificate
– Supports 40-bit session key
– Proves: you are communicating with someone willing to pay VeriSign $598 (or with ~$1000 to break a 40-bit key)
– Except they have a free 14-day trial (but it uses a different Trial CA key)

19 “Secure Site Pro” Certificate
$995 per year
“true 128-bit key”
“128-bit encryption offers $2^{88}$ times as many possible combinations as 40-bit encryption. That’s over a trillion times a trillion times stronger.”
trillion = $10^{12}$
trillion * trillion = $10^{24}$
VeriSign’s marketing claim could be: “trillion times a trillion times a trillion times a trillion times a trillion times a trillion times a trillion times ten thousand (in Britain it is a trillion times a trillion times a trillion times a trillion times a billion times a thousand) times stronger” (but that would sound even sillier!)
Business authentication: “out-of-band” communication, records

21 Limiting The Damage
[Diagram: VarySign.com, Alice, Bob]
{ alice@alice.org, $KU_A$ }
$C_A = E_{KR_{TrustMe}}$[“alice@alice.org”, cert id, expiration time, $KU_A$]
$C_A$
Checks expiration time > now

23 Revoking Certificates
[Diagram: VarySign.com, Alice, Bob]
{ alice@alice.org, $KU_A$ }
$C_A$, $C_A$
Send me the CRL …
$E_{KR_{TrustMe}}$[CRL]

24 Revoked!
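The relying party's side of the certificate slides above (the "Check Certificate using KU_CA" step of the handshake, the expiration check and the signed CRL), as an added example that is not part of the lecture. The toy CA key, the JSON certificate layout and the names `issue_cert`, `issue_crl`, `check_cert` and `max_crl_age` are assumptions made for the illustration.

```python
import hashlib, json

# Toy CA key pair (constructed; small known primes so the example runs offline, not secure).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # KR_CA; (N, E) is KU_CA

def _digest(obj):
    """Hash a JSON-serialisable object to an integer below N."""
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def ca_sign(obj):
    """E_KR_CA[obj]: textbook RSA signature over the hash (no padding; illustration only)."""
    return pow(_digest(obj), D, N)

def ca_verify(obj, sig):
    return pow(sig, E, N) == _digest(obj)

def issue_cert(name, cert_id, expires, subject_key):
    body = {"name": name, "cert_id": cert_id, "expires": expires, "key": subject_key}
    return {"body": body, "sig": ca_sign(body)}

def issue_crl(revoked_ids, issued_at):
    body = {"revoked": sorted(revoked_ids), "issued_at": issued_at}
    return {"body": body, "sig": ca_sign(body)}

def check_cert(cert, crl, expected_name, now, max_crl_age=86400):
    """Return (ok, reason). Every check must pass before the key in the cert is used."""
    if not ca_verify(cert["body"], cert["sig"]):
        return False, "bad certificate signature"
    if cert["body"]["name"] != expected_name:
        return False, "name mismatch"
    if cert["body"]["expires"] <= now:
        return False, "expired"
    if not ca_verify(crl["body"], crl["sig"]):
        return False, "bad CRL signature"
    if now - crl["body"]["issued_at"] > max_crl_age:   # an old CRL cannot show recent revocations
        return False, "stale CRL"
    if cert["body"]["cert_id"] in crl["body"]["revoked"]:
        return False, "revoked"
    return True, "ok"
```

Expiration bounds how long a compromised key stays usable even if no CRL is ever fetched; the CRL only helps when the verifier actually retrieves a fresh, signed copy.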

25 Certificate Questions
How do participants acquire the authority’s public key?
If authority’s private key is compromised, everything is vulnerable!
– Keep the key locked up well

26 Problems with Certificates
Depends on a certificate authority
– Needs to be a big, trusted entity
– Needs to make money (or be publicly funded)
Need to acquire a certificate
– Makes anonymity difficult
– Requires handshaking

27 PGP (Pretty Good Privacy)
Keyring: list of public keys, signed by owner’s private key
Alice’s keyring: $E_{KR_{Alice}}$(, )
Exchanging Keyrings (Web of Trust)
– Complete Trust: I trust Alice’s keyring (add the public key pairings to my own keyring)
– Partial Trust: I sort of trust Alice, but require confirmation from someone else too (I need to get $E_{KR_{Cathy}}$( ) before trusting $KU_{Bob}$)

28 Avoiding Certificates
What if your identity (e.g., your email address) is your public key?
Is it possible to do this with RSA?
Do you want your email address to be a 200-digit “random” number?

29 Identity Based Encryption
[Shamir 1984], [Boneh & Franklin 2003]
public-key = identity
private-key = F(master-key, identity)
The owner of the master-key is the new authority. Must be careful who it gives private keys to.

30 Key-Generating Service
Holds master-key
Participants request private keys from KGS
Sends s to KGS, requests corresponding private key
KGS authenticates requestor
If valid, computes F(master-key, s) and sends over secure channel
How does the trust given to the KGS compare to that given to CA in SSL?
KGS can decrypt all messages! With certificates, certificate owner still has her own private key. But, CA can impersonate anyone by generating a certificate with a chosen public-key.

31 Shamir’s IBE Signature Scheme
Setup: done by KGS
– Select $p$, $q$ large primes
– $N = pq$
– Choose $e$ relatively prime to $\varphi(N) = (p-1)(q-1)$
– Choose $d$ satisfying $ed \equiv 1 \pmod{\varphi(N)}$
– Choose $h$ a cryptographic hash function
Publish $N$, $e$ and $h$ to all participants
Keep $d$ secret master-key

32 Shamir’s Signatures
Generating a private key
privatekey($ID$) $= ID^d \bmod N$
– Can only be done by KGS ($d$ is master secret)
Signing a message $M$ with identity $ID$
– Obtain $g$ = privatekey($ID$) from KGS
– Choose random $r$ less than $N$
– Compute signature $(s, t)$:
$t = r^e \bmod N$
$s = g \, r^{h(t \| M)} \bmod N$
Warning: book typesetting is off and wrong range for $h$!

33 Verifying a Signature
KGS produced $g = ID^d \bmod N$
Recipient knows $ID$ and $M$, system parameters $e$ and $N$
$t = r^e \bmod N$
$s = g \, r^{h(t \| M)} \bmod N$
Verify($ID$, $s$, $t$, $M$): $s^e = ID \cdot t^{h(t \| M)} \bmod N$
$(ID^d \, r^{h(t \| M)})^e \bmod N$
$\equiv ID^{de} \, r^{h(t \| M) e} \bmod N$
$\equiv ID \cdot r^{e \, h(t \| M)} \bmod N$
$\equiv ID \cdot t^{h(t \| M)} \bmod N$
What does non-forgeability of a Shamir IBE signature rely on?
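Setup, key generation, signing and verification from the three slides above, as an added example that is not part of the lecture or the textbook. The toy primes, the SHA-256 instantiation of h, the byte encoding of t || M and the hash-based mapping from an identity string to ID are assumptions made for the illustration.

```python
import hashlib, secrets

# Setup, done by the KGS. Toy parameters (constructed): real p, q must be large random primes.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
_D = pow(E, -1, (P - 1) * (Q - 1))        # master-key d, known only to the KGS

def identity_to_int(identity):
    """Assumed encoding of an identity string as ID in [2, N): a hash reduced mod N."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (N - 2) + 2

def h(t, message):
    """h(t || M) as a non-negative integer exponent (t is fixed-width, big-endian)."""
    t_bytes = t.to_bytes((N.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(t_bytes + message).digest(), "big")

def kgs_private_key(identity):
    """privatekey(ID) = ID^d mod N. A real KGS authenticates the requester first."""
    return pow(identity_to_int(identity), _D, N)

def sign(g, message):
    """The signer holds only g; returns the signature (s, t)."""
    r = secrets.randbelow(N - 2) + 2      # fresh random r for every signature
    t = pow(r, E, N)
    s = (g * pow(r, h(t, message), N)) % N
    return s, t

def verify(identity, s, t, message):
    """Needs only the identity and the public N, e, h: s^e == ID * t^h(t||M) mod N."""
    if not (0 < s < N and 0 < t < N):
        return False
    lhs = pow(s, E, N)
    rhs = (identity_to_int(identity) * pow(t, h(t, message), N)) % N
    return lhs == rhs
```

`kgs_private_key` works for any identity, so whoever holds `_D` can sign as every participant.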

34 Identity-Based Encryption
Shamir’s scheme – signatures only, not encryption
Boneh & Franklin, 2001
– First practical and provably secure IBE scheme
– Builds on elliptic curves

35 Issues in IBE
Complete trust in KGS
– With Boneh & Franklin’s system can use secret sharing techniques to divide this trust among multiple entities
– Could you do this with Shamir’s IBE signatures?
Revocation
– Can include expiration times in identities
– But no way to revoke granted private keys

36 Charge
Read Chapter 13 in the book
Look at the certificate chains when you browse the web
– Find a certificate with a trust chain more than two levels deep
Update your browser CRLs: when were they last updated?

