Introduction to Cryptography
web.ncf.ca/an386/publications/presentations/introcrypto.pdf · Andre Vellino · 23 June 2000

Page 1:

Introduction to Cryptography

Andre Vellino

Disruptive Network Services

Page 2:

23 June 2000 Andre Vellino 2

Outline

• Brief History of Cryptography

• Objectives of Modern Cryptography

• Symmetric vs. Public Key Cryptography

• Hashing and Digital Signatures

• Certificates and Certificate Authorities

• SSL Protocol

• Outline of Certification Services for Personal Identity Management

Page 3:

A Brief History of Cryptography

— Monoalphabetic Simple Substitution Cipher (e.g. Caesar Cipher), 100 B.C.

— Polyalphabetic Substitution Cipher (e.g. Vigenère Cipher), 1586

— One-Time Pad (length(key) = length(plaintext)), 1917

— Rotor Machines (Multiple Vigenère Systems – Enigma), 1940s

— Diffie-Hellman Public Key Cryptography, 1976

— Data Encryption Standard (DES), 1977

— Advanced Encryption Standard (AES), 2000

[Figure: Plaintext → Encryption (Key) → Ciphertext → Decryption (Key) → Plaintext]

Page 4:

Objectives of Modern Cryptography

• Privacy (encryption)
— Preserve confidentiality; guard against snooping

• Integrity (modification detection codes)
— Guard against tampering

• Authenticity (digital signatures)
— Ensure the source of the message; guard against forgery
— Ensure the non-repudiation of transactions

• Trust (certificate authorities)
— Certify the authenticity of public keys and digital signatures

Page 5:

Encryption w/ Symmetric Keys

[Figure: Alice applies f with the shared key to “This is a secret message” and sends the ciphertext to Bob, who applies f⁻¹ with the same key to recover “This is a secret message”. Same Key (communicated out-of-band).]

Page 6:

Authentication w/ Symmetric Keys

[Figure: Alice selects a random challenge and sends it to Bob; Bob encrypts Alice’s challenge with the shared secret key and returns it; Bob’s identity confirmed.]

Page 7:

Encryption w/ Public Keys

[Figure: Alice applies f with B’s public key to “This is a secret message” and sends the ciphertext to Bob, who applies f⁻¹ with his private key to recover it. Bob holds B’s public / private keys; Alice needs only B’s public key.]

Page 8:

Authentication w/ Public Keys

[Figure: Alice selects a random challenge and encrypts it with Bob’s public key; Bob decrypts Alice’s challenge using Bob’s private key and returns it; Bob’s identity confirmed. Bob holds B’s public / private keys.]

Page 9:

RSA Public Key Algorithm

• RSA is named after its inventors Rivest, Shamir and Adleman. RSA is used for exchanging symmetric keys and for digital signatures.

• Choose two large (at least 250 bits) primes p and q and call their product n (modulus). p and q are secret, but their product, n = p x q, is public.

• Choose a number E relatively prime to φ(n)=(p-1) x (q-1) (i.e. E and φ(n) have no common factors except 1)

• Find the inverse D of E modulo φ(n) (that is, find D such that E x D - 1 is divisible by φ(n)).

• The public key is <E, n>; the private key is <D, n>.

• To encrypt a message m, m < n, using the public key, compute the ciphertext c = m ^ E mod n.

• To decrypt a ciphertext c, c < n, using the private key, compute the message m = c ^ D mod n.

• To sign a message m, m < n, using the private key, compute the signature s = m ^ D mod n.
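The steps on this slide carried out in Python, as an added example that is not part of the original deck. The primes P and Q are constructed toy values (the slide asks for at least 250 bits each), and the byte-to-integer encoding is an assumption of this example.

```python
from math import gcd

# Toy primes, constructed for this example.  The slide asks for primes of at
# least 250 bits each; these are far too small for real use but show the maths.
P, Q = 1000003, 1000033


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Key generation exactly as the slide describes: returns ((E, n), (D, n)).

    Raises ValueError when E is not relatively prime to phi(n) = (p-1)(q-1),
    because then no inverse D exists.
    """
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("E must be relatively prime to phi(n)")
    d = pow(e, -1, phi)              # inverse of E modulo phi(n) (Python >= 3.8)
    assert (e * d - 1) % phi == 0    # the slide's condition on D
    return (e, n), (d, n)


def _to_int(msg: bytes, n: int) -> int:
    m = int.from_bytes(msg, "big")
    if m >= n:                       # the slide requires m < n
        raise ValueError("message too long for this modulus")
    return m


def encrypt(msg: bytes, public) -> int:
    e, n = public
    return pow(_to_int(msg, n), e, n)            # c = m^E mod n


def decrypt(c: int, private, length: int) -> bytes:
    d, n = private
    return pow(c, d, n).to_bytes(length, "big")  # m = c^D mod n


def sign(msg: bytes, private) -> int:
    d, n = private
    return pow(_to_int(msg, n), d, n)            # s = m^D mod n


def verify(msg: bytes, s: int, public) -> bool:
    e, n = public
    return pow(s, e, n) == _to_int(msg, n)       # s^E mod n must give m back


if __name__ == "__main__":
    public, private = rsa_keygen(P, Q)
    c = encrypt(b"RSA!", public)
    assert decrypt(c, private, 4) == b"RSA!"
    s = sign(b"RSA!", private)
    assert verify(b"RSA!", s, public) and not verify(b"RSA?", s, public)
    print("n =", public[1], "ciphertext =", c, "signature =", s)
```

This is textbook RSA as on the slide; deployed systems pad the message (OAEP for encryption, PSS for signatures) and sign a hash of the message rather than the raw value.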

Page 10:

Secure Hash Functions / Message Digests

• Message (M) + One-Way Hash function (H) -> Hash code (h), i.e. H(M) = h

• Goals for H:
— given M, it is easy to compute h
— given h, it is hard to compute M such that H(M) = h, i.e. the message cannot be deduced from the hash
— it is hard to find another message (M’) such that H(M) = H(M’), i.e. H(M) is “unique”
— it is hard to find any two random messages M and M’ such that H(M) = H(M’) (i.e. to make sure there are no “collisions”)

• Used for digital signatures and time-stamping

• MD5 and SHA-1

Page 11:

MD5

• Message Digest 5 (MD5) takes a message, divided into a number of 512-bit blocks (sixteen 32-bit words), and produces a 128-bit hash value (four 32-bit words).

• The message digest is initialized to a fixed value and the message is processed in 512-bit blocks, where each stage of the computation modifies the current value of the digest using the next block of the message. The final value is the hash value for the entire message:

[Figure: Constant → Digest → Digest → Digest → … → Hash value, with blocks m1, m2, m3 … mN fed in one per stage]
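An added example (not from the slides) that serves both the hash goals on the previous slide and the block-chaining description here: a from-scratch MD5 in Python showing the fixed initial digest, the 512-bit block stages and the final 128-bit value, cross-checked against hashlib. The constants follow RFC 1321; the helper names are this example's own.

```python
import hashlib
import math
import struct

# MD5 per-step left-rotate amounts and the sine-derived additive constants (RFC 1321).
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # the fixed starting digest
_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def _compress(state, block: bytes):
    """One stage: fold a 512-bit block (sixteen 32-bit words) into the current digest."""
    m = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & _MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _MASK
    # the block's contribution is added to the digest carried in from the previous stage
    return tuple((x + y) & _MASK for x, y in zip(state, (a, b, c, d)))


def md5_hex(msg: bytes) -> str:
    """Pad to a multiple of 512 bits, then run the stages m1 .. mN from the constant."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE
    state = _INIT
    for off in range(0, len(padded), 64):          # one 512-bit block per stage
        state = _compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state).hex()        # four 32-bit words = 128-bit hash


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return md5_hex(msg) == hashlib.md5(msg).hexdigest()


if __name__ == "__main__":
    print(md5_hex(b"abc"), matches_hashlib(bytes(range(256)) * 3))
```

MD5 is shown here for its structure only: collisions for it are now cheap to produce, so it no longer meets the third and fourth goals listed on the previous slide.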

Page 12:

Digital Signatures

[Figure: Alice computes h of the document and applies g with A’s private key to produce the signature; the document and signature go to Bob, who applies g⁻¹ with A’s public key and compares the result with his own h of the document. Alice holds A’s public / private keys; Bob holds A’s public key.]

Page 13:

Public Keys vs. Symmetric Keys

Public Key Cryptography
— Users have Public / Private key pairs
— Public Keys must be certified
— Larger key lengths needed to achieve the same security
— Used for distribution of symmetric keys

• Ciphers
— Diffie-Hellman key exchange (discrete logarithms)
— RSA (prime number factorization)
— ECC (elliptic curves)

Symmetric Key Cryptography
— Same private key for both communicating parties
— Much (1000x) faster than PK for encryption/decryption
— Smaller key lengths

• Ciphers
— DES (56 bit keys), 3-DES
— RC4 (128 bit key)
— SKIPJACK (80 bit key – declassified June ‘98)
— IDEA
— AES (5 candidates in the running)

Page 14:

Key Management Problems

• Distributing keys
— Obtaining someone else’s public key
— Distributing your own public key

• Key certification

• Establishing a shared symmetric key with another party
— Confidentiality: Is it really known only to the other party?
— Authentication: Is it really shared with the intended party?

• Key storage
— Secure storage of keys

• Revocation / Verification
— Revoking published keys
— Determining whether a published key is still valid

Page 15:

The Public Key Distribution Problem

[Figure: Man-in-the-middle attack. Alice sends A’s public key toward Bob; Malicious Mallet intercepts it, and what Bob receives is M’s public key that B believes is A’s.]

Alice tries to send her public key to Bob, but Mallet intercepts it and substitutes his own public key.

When Bob encrypts a message to Alice with Mallet’s key, Mallet can decrypt it, and re-encrypt it with Alice’s real public key.

Page 16:

What is a Certificate Authority

Original intent of a certification authority (CA) was to guarantee the connection between a public key and an “entity”, which can be

— A person

— A role

— An organization

— A pseudonym

— A piece of hardware or software

— An account (bank or credit card)

Role was later expanded to certify all sorts of other things

— Are they a bona fide business?

— Can you trust their web server?

— Can you trust the software they write?

— Is their account in good standing?

— Are they over 18?

Page 17:

Digital Certificates

A document containing information about an individual or organization, including its public key, that is digitally signed by a Certificate Authority whose public key is well-known.

Typical X.509 certificate (field: example value)

Serial Number: 00:EC:A0:A7:8B:6E:75:6A:01

Issuer Name: Verisign

Validity Time Interval: 14 Aug 1998 to 14 Aug 2006

Subject Name: LL Bean

Public Key: 1C:D5:8E:82:BE:70:55:8E:39:61

Usage Constraints: Type / Web / Email

Policies: Notify User

CA Digital Signature: A7:8B:6E:75: 8E:82:BE:70:55

Signature cipher: RC4 + MD5

Page 18:

Certificates Signed by Certificate Authorities

• Alice generates a pair of keys

• CA verifies Alice’s identity out of band

• Alice sends her public key to the CA, encrypted w/ the CA’s well-known public key (only the CA can decrypt it).

• CA signs a document associating her name etc. w/ her public key

[Figure: Alice, holding Alice’s Private/Public Keys, sends Alice’s public key to the Certificate Authority (Verisign); Out of Band Verification between Alice and the CA.]

Page 19:

Example X.509 Certificate

Certificate:
  Data:
    Version: v3 (0x2)
    Serial Number: 3 (0x3)
    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    Issuer: OU=Ace Certificate Authority, O=Ace Industry, C=US
    Validity:
      Not Before: Fri Oct 17 18:36:25 1997
      Not After: Sun Oct 17 18:36:25 1999
    Subject: CN=Jane Doe, OU=Finance, O=Ace Industry, C=US
    Subject Public Key Info:
      Algorithm: PKCS #1 RSA Encryption
      Public Key:
        Modulus:
          00:ca:fa:79:98:8f:19:f8:d7:de:e4:49:80:48:e6:2a:2a:86:
          ed:27:40:4d:86:b3:05:c0:01:bb:50:15:c9:de:dc:85:19:22:
          43:7d:45:6d:71:4e:17:3d:f0:36:4b:5b:7f:a8:51:a3:a1:00:
          98:ce:7f:47:50:2c:93:36:7c:01:6e:cb:89:06:41:72:b5:e9:
          73:49:38:76:ef:b6:8f:ac:49:bb:63:0f:9b:ff:16:2a:e3:0e:
          9d:3b:af:ce:9a:3e:48:65:de:96:61:d5:0a:11:2a:a2:80:b0:
          7d:d8:99:cb:0c:99:34:c9:ab:25:06:a8:31:ad:8c:4b:aa:54:
          91:f4:15
        Public Exponent: 65537 (0x10001)
    Extensions:
      Identifier: Certificate Type
        Critical: no
        Certified Usage:
          SSL Client
      Identifier: Authority Key Identifier
        Critical: no
        Key Identifier:
          f2:f2:06:59:90:18:47:51:f5:89:33:5a:31:7a:e6:5c:fb:36:
          26:c9
  Signature:
    Algorithm: PKCS #1 MD5 With RSA Encryption
    Signature:
      6d:23:af:f3:d3:b6:7a:df:90:df:cd:7e:18:6c:01:69:8e:54:65:fc:06:
      30:43:34:d1:63:1f:06:7d:c3:40:a8:2a:82:c1:a4:83:2a:fb:2e:8f:fb:
      f0:6d:ff:75:a3:78:f7:52:47:46:62:97:1d:d9:c6:11:0a:02:a2:e0:cc:
      2a:75:6c:8b:b6:9b:87:00:7d:7c:84:76:79:ba:f8:b4:d2:62:58:c3:c5:
      b6:c1:43:ac:63:44:42:fd:af:c8:0f:2f:38:85:6d:d6:59:e8:41:42:a5:
      4a:e5:26:38:ff:32:78:a1:38:f1:ed:dc:0d:31:d1:b0:6d:67:e9:46:a8:
      dd:c4

Page 20:

Trust Models

“Generally, an entity can be said to “trust” a second entity when it (the first entity) makes the assumption that the second entity will behave exactly as the first entity expects.” X.509

• Two parties trust each other via Third-party trust (CAs)

• CAs have “domains” (e.g. employees in a Corporation)

• If two CAs with different domains trust each other they can cross-certify each other’s members by
— signing each other’s certificate (Direct Cross Certification)
— certifying themselves with a “Root” CA (Two Tiered Certification)

• Users can develop a “web of trust”

Page 21:

Trust Model Example: Direct Cross Certification

[Figure: the Nortel CA (CA Domain: Nortel Employees) and the Bay Networks CA (CA Domain: Bay Networks Employees) are linked by Cross Certification, giving Mutual Trust Among Employees.]

Page 22:

PGP “Web of Trust” Model

• Bob trusts Ted and Carol, who trust Peter and Paul, who trust Alice
— Therefore Bob trusts that “Alice’s key” came from Alice

• Web of trust more closely reflects human relationship trust models

[Figure: web of trust among Alice, Bob, Carol, Ted, Peter, Mary and Paul]

Page 23:

How SSL Works (Handshake Protocol)

Client -> Server: Client Hello (v2): SSL version (3.0), Cipher specifications, 16 byte random challenge

Server -> Client: Server Hello: SSL version (3.0), 32 byte random challenge, Session ID, Cipher suite, Compression; Server Certificate; Server Key Exchange; Server Hello Done

Client: checks the Server Certificate against its CA Signature List

Client -> Server: Client Key Exchange (the Pre-Master Secret, sent encrypted); Change Cipher Spec; Finished (encrypted)

Server -> Client: Change Cipher Spec; Finished (encrypted)

[Figure: on both sides, Pre-Master Secret → Master Secret → MAC Secret, Server Write Key, Client Write Key]
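The secret derivation in the figure (Pre-Master Secret → Master Secret → MAC secrets and write keys), as an added example that is not from the slides. It follows the SSL 3.0 derivation of RFC 6101 as I recall it: the 'A'/'BB'/'CCC' labels, the MD5-over-SHA1 construction and the order of the two randoms (client first for the master secret, server first for the key block) are assumptions to check against the RFC; both randoms are taken as 32 bytes, the SSL 3.0 hello format, and the sizes default to RC4-128 with MD5 as on the certificate slide.

```python
import hashlib
import secrets


def _ssl3_expand(secret: bytes, rand1: bytes, rand2: bytes, n_blocks: int) -> bytes:
    """SSL 3.0 expansion: MD5(secret + SHA1('A' + secret + rand1 + rand2))
    + MD5(secret + SHA1('BB' + ...)) + MD5(secret + SHA1('CCC' + ...)) + ..."""
    out = b""
    for i in range(n_blocks):
        label = bytes([ord("A") + i]) * (i + 1)          # 'A', 'BB', 'CCC', ...
        inner = hashlib.sha1(label + secret + rand1 + rand2).digest()
        out += hashlib.md5(secret + inner).digest()
    return out


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Pre-Master Secret + both randoms -> 48-byte Master Secret (client random first)."""
    return _ssl3_expand(pre_master, client_random, server_random, 3)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int = 16, key_len: int = 16) -> dict:
    """Master Secret -> MAC secrets and write keys.  Defaults are RC4-128 with MD5
    (16-byte MAC secret, 16-byte key, no IV).  Server random comes first here."""
    needed = 2 * (mac_len + key_len)
    kb = _ssl3_expand(master, server_random, client_random, -(-needed // 16))
    names = ("client_mac_secret", "server_mac_secret", "client_write_key", "server_write_key")
    sizes = (mac_len, mac_len, key_len, key_len)
    keys, off = {}, 0
    for name, size in zip(names, sizes):        # partition in the order the spec lists them
        keys[name] = kb[off:off + size]
        off += size
    return keys


def handshake_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """What each side computes after Client Key Exchange; both must arrive at the same keys."""
    return key_block(master_secret(pre_master, client_random, server_random),
                     client_random, server_random)


if __name__ == "__main__":
    # Constructed values: the client generates the 48-byte pre-master secret and sends it
    # to the server encrypted under the public key in the Server Certificate.
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    pre_master = b"\x03\x00" + secrets.token_bytes(46)   # SSL 3.0 version prefix
    client_side = handshake_keys(pre_master, client_random, server_random)
    server_side = handshake_keys(pre_master, client_random, server_random)
    assert client_side == server_side
    print({k: v.hex() for k, v in client_side.items()})
```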

Page 24:

Single Sign-On w/ Client Certificates

[Figure: the Server sends Alice a Random Challenge String; Alice returns the Signed Random String (signed with her Private key) together with her Verisign certificate; the Server consults a Directory Server holding Alice’s Verisign certificate.]

Page 25:

Objectives of PIM-Mediated Certification

• Certify the identity and addresses of subscribers to third parties

• Enable User-specific Single Login to secure web sites with whom users have accounts

• Ensure confidentiality of communications

• Offer anonymous certification of selected identity attributes

• Enable users to sign digital documents

Page 26:

Ascertaining Credentials Anonymously

• Scenario 1: PIM issues (is the CA for) an anonymous certificate whose identity attributes PIM has already ascertained.
— e.g. anon3575 is Male + has an address in Canada

• Scenario 2: PIM requests, on the user’s behalf, that a trusted 3rd party sign an anonymous document certifying some user credential to which PIM is not privy.
— Example: have Employer sign a certificate asserting that an Anonymous PIM user works for Employer and earns more than 30,000$
— Establish a protocol that enables Employer to sign a “blinded” document that only PIM/User can associate with the employee

Page 27:

Blinded Signatures Protocol

— PIM prepares, on behalf of the user, N certificates stating that AnonUser[Random#] currently works for Employer & earns more than 30,000$

— PIM “blinds” each statement with a different “blinding factor”

— PIM sends all the statements to Employer

— Employer asks PIM for N-1 statements associating AnonUser[Random#] with an employee name and providing the blinding factor

— Employer verifies each of the N-1 statements: that the employee exists and earns more than 30,000.

— Employer signs the last (blinded) certificate and returns it to PIM

— PIM “unblinds” the anonymous, Employer-signed certificate.

— Only PIM/User can associate AnonUser[Random#] to UserName
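The whole cut-and-choose protocol above, run end to end with RSA blind signatures (Chaum’s construction: blind with r^E, unblind with r⁻¹). This is an added example and not the deck’s or PIM’s code; the Employer key, the salary records and the statement wording are constructed, the hash-to-integer step is this example’s assumption, and the toy primes are far too small for real use.

```python
import hashlib
import secrets
from math import gcd

# Employer's RSA key pair from two toy primes (constructed).  Employer keeps D
# secret; (E, N) is public, so anyone can later verify the certificate.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

SALARY_BOOK = {"jane doe": 42000, "john roe": 25000}   # Employer's records (constructed)


def h(statement: str) -> int:
    """Hash the statement to an integer below N; this is what actually gets signed."""
    return int.from_bytes(hashlib.sha256(statement.encode()).digest(), "big") % N


def blind(m: int, r: int) -> int:
    return (m * pow(r, E, N)) % N                 # m * r^E mod N


def unblind(signed_blinded: int, r: int) -> int:
    return (signed_blinded * pow(r, -1, N)) % N   # (m^D * r) * r^-1 = m^D


def verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m


def pim_prepare(user: str, n_docs: int) -> list:
    """Steps 1-2: N statements about AnonUser[Random#], each blinded with its own r."""
    docs = []
    for _ in range(n_docs):
        stmt = f"AnonUser[{secrets.randbelow(10**9)}] currently works for Employer & earns more than 30000$"
        r = secrets.randbelow(N - 2) + 2
        while gcd(r, N) != 1:                     # r must be invertible mod N
            r = secrets.randbelow(N - 2) + 2
        docs.append({"stmt": stmt, "user": user, "r": r, "blinded": blind(h(stmt), r)})
    return docs


def employer_sign(blinded: list, openings: dict, keep: int) -> int:
    """Steps 4-6: check the N-1 opened statements (employee name + blinding factor),
    then sign the remaining one without ever learning its AnonUser[Random#]."""
    for i, (stmt, user, r) in openings.items():
        if blind(h(stmt), r) != blinded[i]:
            raise ValueError(f"statement {i} does not match what was submitted")
        if SALARY_BOOK.get(user, 0) <= 30000:
            raise ValueError(f"{user!r} is not an employee earning more than 30000$")
    return pow(blinded[keep], D, N)


def run_protocol(user: str, n_docs: int = 5):
    """Returns the anonymous statement and Employer's signature on it (step 7)."""
    docs = pim_prepare(user, n_docs)
    keep = secrets.randbelow(n_docs)              # Employer picks which one stays blinded
    openings = {i: (d["stmt"], d["user"], d["r"]) for i, d in enumerate(docs) if i != keep}
    sig = unblind(employer_sign([d["blinded"] for d in docs], openings, keep), docs[keep]["r"])
    return docs[keep]["stmt"], sig                # only PIM/User can map this AnonUser to user
```

A cheating PIM can slip a false statement past this check only by guessing which of the N documents Employer will leave unopened, so the chance of success is 1/N.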
