Introduction to Cryptography
Andre Vellino
Disruptive Network Services
23 June 2000
Outline
• Brief History of Cryptography
• Objectives of Modern Cryptography
• Symmetric vs. Public Key Cryptography
• Hashing and Digital Signatures
• Certificates and Certificate Authorities
• SSL Protocol
• Outline of Certification Services for Personal Identity Management
A Brief History of Cryptography
— Monoalphabetic Simple Substitution Cipher (e.g. Caesar Cipher), 100 B.C.
— Polyalphabetic Substitution Cipher (e.g. Vigenère Cipher), 1586
— One-Time Pad (length(key) = length(plaintext)), 1917
— Rotor Machines (Multiple Vigenère Systems – Enigma), 1940s
— Diffie-Hellman Public Key Cryptography, 1976
— Data Encryption Standard (DES), 1977
— Advanced Encryption Standard (AES), 2000
[Figure: Plaintext → Encryption (Key) → Ciphertext → Decryption (Key) → Plaintext]
Objectives of Modern Cryptography
• Privacy (encryption)
— Preserve confidentiality; guard against snooping
• Integrity (modification detection codes)
— Guard against tampering
• Authenticity (digital signatures)
— Ensure the source of the message; guard against forgery
— Ensure the non-repudiation of transactions
• Trust (certificate authorities)
— Certify the authenticity of public keys and digital signatures
Encryption w/ Symmetric Keys
[Figure: Alice applies f under the shared key to the plaintext “This is a secret message” and sends the ciphertext to Bob; Bob applies f-1 under the same key to recover “This is a secret message”. Same Key (communicated out-of-band).]
Authentication w/ Symmetric Keys
[Figure: Alice selects a random challenge and sends it to Bob; Bob encrypts Alice’s challenge with the shared secret key and returns it; Bob’s identity confirmed.]
Encryption w/ Public Keys
[Figure: Alice applies f with B’s public key to “This is a secret message” and sends the ciphertext to Bob; Bob applies f-1 with his private key (B’s public / private keys) to recover “This is a secret message”.]
Authentication w/ Public Keys
[Figure: Alice selects a random challenge and encrypts it with Bob’s public key; Bob decrypts Alice’s challenge using Bob’s private key (B’s public / private keys) and returns it; Bob’s identity confirmed.]
RSA Public Key Algorithm
• RSA is named after its inventors Rivest, Shamir and Adleman. RSA is used for symmetric key exchange and digital signatures.
• Choose two large (at least 250 bits) primes p and q and call their product n (modulus). p and q are secret, but their product, n = p x q, is public.
• Choose a number E relatively prime to φ(n)=(p-1) x (q-1) (i.e. E and φ(n) have no common factors except 1)
• Find the inverse D of E modulo φ(n) (that is, find D such that E x D - 1 is divisible by φ(n)).
• The public key is <E, n>; the private key is <D, n>.
• To encrypt a message m, m < n, using the public key, compute the ciphertext c = m ^ E mod n.
• To decrypt a ciphertext c, c < n, using the private key, compute the message m = c ^ D mod n.
• To sign a message m, m < n, using the private key, compute the signature s = m ^ D mod n.
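The slide’s RSA steps carried through in Python with the small primes p = 61 and q = 53 so every value can be checked by hand (an added example, not the author’s code; the hash-then-sign convention and the reduction of the SHA-1 digest modulo the toy n are assumptions made for illustration).

```python
# Added example (not from the slides): textbook RSA following the slide's
# steps with tiny primes. Real keys use primes of hundreds of bits and
# padding; this is for checking the arithmetic only.
import hashlib
from math import gcd

def keygen(p, q, E=17):
    """n = p*q, phi(n) = (p-1)(q-1), E coprime to phi(n), D = E^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(E, phi) == 1, "E must be relatively prime to phi(n)"
    D = pow(E, -1, phi)          # modular inverse (Python 3.8+)
    return (E, n), (D, n)        # public key <E, n>, private key <D, n>

def encrypt(m, pub):
    E, n = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, E, n)          # c = m^E mod n

def decrypt(c, priv):
    D, n = priv
    return pow(c, D, n)          # m = c^D mod n

def sign(message: bytes, priv):
    """Hash-then-sign: s = H(M)^D mod n. The digest is reduced mod n only
    because the toy modulus is far smaller than a SHA-1 output."""
    D, n = priv
    h = int.from_bytes(hashlib.sha1(message).digest(), "big") % n
    return pow(h, D, n)

def verify(message: bytes, s, pub):
    """Recover H(M) from the signature with the public key and compare."""
    E, n = pub
    h = int.from_bytes(hashlib.sha1(message).digest(), "big") % n
    return pow(s, E, n) == h

if __name__ == "__main__":
    pub, priv = keygen(61, 53)   # n = 3233, phi = 3120, E = 17, D = 2753
    c = encrypt(65, pub)         # 65^17 mod 3233 = 2790
    print(pub, priv, c, decrypt(c, priv))
    s = sign(b"This is a secret message", priv)
    # a signature altered by one unit cannot verify: x -> x^E mod n is a bijection
    print(verify(b"This is a secret message", s, pub),
          verify(b"This is a secret message", (s + 1) % 3233, pub))  # True False
```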
Secure Hash Functions / Message Digests
• Message (M) + One-Way Hash function (H) -> Hash code (h), i.e. H(M) = h
• Goals for H:
— given M, it is easy to compute h
— given h, it is hard to compute M such that H(M) = h, i.e. the message cannot be deduced from the hash
— it is hard to find another message (M’) such that H(M) = H(M’), i.e. H(M) is “unique”
— it is hard to find any two random messages M and M’ such that H(M) = H(M’) (i.e. to make sure there are no “collisions”)
• Used for digital signatures and time-stamping
• MD5 and SHA-1
MD5
• Message Digest 5 (MD5) takes a message, divided into a number of 512-bit blocks (sixteen 32-bit words), and produces a 128-bit hash value (four 32-bit words).
• The message digest is initialized to a fixed value and the message is processed in 512-bit blocks, where each stage of the computation modifies the current value of the digest using the next block of the message. The final value is the hash value for the entire message:
[Figure: Constant → Digest (after m1) → Digest (after m2) → Digest (after m3) → … → Digest (after mN) = Hash value]
Digital Signatures
[Figure: Alice hashes the message (h) and applies g with her private key (A’s public / private keys) to the hash, sending the message together with the signature to Bob; Bob recomputes h over the received message and applies g-1 with A’s public key to the signature, checking that the two hash values agree.]
Public Keys vs. Symmetric Keys
Public Key Cryptography
— Users have Public / Private key pairs
— Public Keys must be certified
— Larger key lengths needed to achieve the same security
— Used for distribution of symmetric keys
• Ciphers
— Diffie-Hellman key exchange (discrete logarithms)
— RSA (prime number factorization)
— ECC (elliptic curves)
Symmetric Key Cryptography
— Same private key for both communicating parties
— Much (1000x) faster than PK for encryption/decryption
— Smaller key lengths
• Ciphers
— DES (56 bit keys), 3-DES
— RC4 (128 bit key)
— SKIPJACK (80 bit key – declassified June ‘98)
— IDEA
— AES (5 candidates in the running)
Key Management Problems
• Distributing keys
— Obtaining someone else’s public key
— Distributing your own public key
• Key certification
• Establishing a shared symmetric key with another party
— Confidentiality: Is it really known only to the other party?
— Authentication: Is it really shared with the intended party?
• Key storage
— Secure storage of keys
• Revocation / Verification
— Revoking published keys
— Determining whether a published key is still valid
The Public Key Distribution Problem
[Figure: Man-in-the-middle attack. Alice sends A’s public key toward Bob; Malicious Mallet intercepts it, and what Bob receives is M’s public key that B believes is A’s.]
Alice tries to send her public key to Bob, but Mallet intercepts it and substitutes his own public key.
When Bob encrypts a message to Alice with Mallet’s key, Mallet can decrypt it, and re-encrypt it with Alice’s real public key.
What is a Certificate Authority?
The original intent of a certification authority (CA) was to guarantee the connection between a public key and an “entity”, which can be
— A person
— A role
— An organization
— A pseudonym
— A piece of hardware or software
— An account (bank or credit card)
The role was later expanded to certify all sorts of other things
— Are they a bona fide business?
— Can you trust their web server?
— Can you trust the software they write?
— Is their account in good standing?
— Are they over 18?
Digital Certificates
A document containing information about an individual or organization, including its public key, that is digitally signed by a Certificate Authority whose public key is well-known.
Typical X.509 certificate
— Serial Number: 00:EC:A0:A7:8B:6E:75:6A:01
— Issuer Name: Verisign
— Validity Time Interval: 14 Aug 1998 to 14 Aug 2006
— Subject Name: LL Bean
— Public Key: 1C:D5:8E:82:BE:70:55:8E:39:61
— Usage Constraints: Type / Web / Email
— Policies: Notify User
— CA Digital Signature: A7:8B:6E:75:8E:82:BE:70:55
— Signature cipher: RC4 + MD5
Certificates Signed by Certificate Authorities
• Alice generates a pair of keys
• The CA verifies Alice’s identity out of band
• Alice sends her public key to the CA, encrypted w/ the CA’s well-known public key (only the CA can decrypt it).
• The CA signs a document associating her name etc. w/ her public key
[Figure: Alice (holding Alice’s Private/Public Keys) sends Alice’s public key to the Certificate Authority (Verisign) after Out of Band Verification.]
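The CA’s signing step above, and Bob’s check of it, as an added example (not the author’s code or any real CA’s format): a toy certificate binds a subject name to a subject public key under an RSA signature over the hash of that binding, and a certificate whose key has been swapped, as in the man-in-the-middle slide, fails the check. The CA key, the two subject keys and the SHA-1-mod-n hashing convention are constructed assumptions.

```python
# Added example (not from the slides): a toy certificate = (subject, subject
# public key, CA signature over H(subject || key)). Bob verifies it with the
# CA's well-known public key before trusting the key inside.
import hashlib

def toy_rsa(p, q, E=65537):
    """Constructed RSA key pair: (E, n), (D, n) with D = E^-1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

# CA key built from two Mersenne primes so n (~150 bits) holds a reduced SHA-1
# digest with negligible collision chance; the subject keys are tiny stand-ins.
CA_PUB, CA_PRIV = toy_rsa(2**61 - 1, 2**89 - 1)
ALICE_PUB = (17, 4757)     # constructed: Alice's real public key
MALLET_PUB = (17, 8633)    # constructed: Mallet's key, passed off as Alice's

def binding_hash(name, subject_pub, n):
    """H(name || subject public key) as an integer below the CA modulus n."""
    data = f"{name}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n

def issue(ca_priv, name, subject_pub):
    """Slide step 4: the CA signs the document associating name with key."""
    D, n = ca_priv
    return {"subject": name, "pub": subject_pub,
            "sig": pow(binding_hash(name, subject_pub, n), D, n)}

def verify_cert(cert, ca_pub):
    """Recover the hash from the signature with the CA public key and compare
    it with the hash of the binding actually presented in the certificate."""
    E, n = ca_pub
    expected = binding_hash(cert["subject"], cert["pub"], n)
    return pow(cert["sig"], E, n) == expected

if __name__ == "__main__":
    genuine = issue(CA_PRIV, "Alice", ALICE_PUB)
    # a certificate with Mallet's key substituted still carries the old
    # signature, so the hash recovered from it no longer matches
    substituted = dict(genuine, pub=MALLET_PUB)
    print(verify_cert(genuine, CA_PUB), verify_cert(substituted, CA_PUB))  # True False
```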
Example X.509 Certificate
Certificate:
Data:
Version: v3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: OU=Ace Certificate Authority, O=Ace Industry, C=US
Validity:
Not Before: Fri Oct 17 18:36:25 1997
Not After: Sun Oct 17 18:36:25 1999
Subject: CN=Jane Doe, OU=Finance, O=Ace Industry, C=US
Subject Public Key Info:
Algorithm: PKCS #1 RSA Encryption
Public Key:
Modulus:
00:ca:fa:79:98:8f:19:f8:d7:de:e4:49:80:48:e6:2a:2a:86:
ed:27:40:4d:86:b3:05:c0:01:bb:50:15:c9:de:dc:85:19:22:
43:7d:45:6d:71:4e:17:3d:f0:36:4b:5b:7f:a8:51:a3:a1:00:
98:ce:7f:47:50:2c:93:36:7c:01:6e:cb:89:06:41:72:b5:e9:
73:49:38:76:ef:b6:8f:ac:49:bb:63:0f:9b:ff:16:2a:e3:0e:
9d:3b:af:ce:9a:3e:48:65:de:96:61:d5:0a:11:2a:a2:80:b0:
7d:d8:99:cb:0c:99:34:c9:ab:25:06:a8:31:ad:8c:4b:aa:54:
91:f4:15
Public Exponent: 65537 (0x10001)
Extensions:
Identifier: Certificate Type
Critical: no
Certified Usage:
SSL Client
Identifier: Authority Key Identifier
Critical: no
Key Identifier:
f2:f2:06:59:90:18:47:51:f5:89:33:5a:31:7a:e6:5c:fb:36:
26:c9
Signature:
Algorithm: PKCS #1 MD5 With RSA Encryption
Signature:
6d:23:af:f3:d3:b6:7a:df:90:df:cd:7e:18:6c:01:69:8e:54:65:fc:06:
30:43:34:d1:63:1f:06:7d:c3:40:a8:2a:82:c1:a4:83:2a:fb:2e:8f:fb:
f0:6d:ff:75:a3:78:f7:52:47:46:62:97:1d:d9:c6:11:0a:02:a2:e0:cc:
2a:75:6c:8b:b6:9b:87:00:7d:7c:84:76:79:ba:f8:b4:d2:62:58:c3:c5:
b6:c1:43:ac:63:44:42:fd:af:c8:0f:2f:38:85:6d:d6:59:e8:41:42:a5:
4a:e5:26:38:ff:32:78:a1:38:f1:ed:dc:0d:31:d1:b0:6d:67:e9:46:a8:
dd:c4
Trust Models
“Generally, an entity can be said to “trust” a second entity when it (the first entity) makes the assumption that the second entity will behave exactly as the first entity expects.” X.509
• Two parties trust each other via Third-party trust (CAs)
• CAs have “domains” (e.g. employees in a Corporation)
• If two CAs with different domains trust each other they can cross-certify each other’s members by
— signing each other’s certificate (Direct Cross Certification)
— certifying themselves with a “Root” CA (Two Tiered Certification)
• Users can develop a “web of trust”
Trust Model Example: Direct Cross Certification
[Figure: Nortel CA Domain (Nortel Employees, CA) and Bay Networks CA Domain (Bay Networks Employees, CA); Cross Certification between the two CAs gives Mutual Trust Among Employees.]
PGP “Web of Trust” Model
• Bob trusts Ted and Carol who trust Peter and Paul who trust Alice
— Therefore Bob trusts that “Alice’s key” came from Alice
• The web of trust more closely reflects human relationship trust models
[Figure: trust graph with the nodes Alice, Bob, Carol, Ted, Peter, Mary, Paul]
How SSL Works (Handshake Protocol)
[Figure: message sequence between Client and Server]
Client → Server: Client Hello (v2): SSL version (3.0), Cipher specifications, 16 byte random challenge
Server → Client: Server Hello: SSL version (3.0), 32 byte random challenge, Session ID, Cipher suite, Compression
Server → Client: Server Certificate (with CA Signature List), Server Key Exchange, Server Hello Done
Client → Server: Client Key Exchange (Pre-Master Secret), Change Cipher Spec, Finished (encrypted)
Server → Client: Change Cipher Spec, Finished (encrypted)
Both sides combine the Pre-Master Secret with the exchanged random challenges to derive the Master Secret, and from it the MAC Secret, Server Write Key and Client Write Key.
Single Sign-On w/ Client Certificates
[Figure: the Server sends Alice a Random Challenge String; Alice signs it with her Private key and returns the Signed Random String together with her Verisign certificate; the Server checks the certificate against the Directory Server holding Verisign certificates.]
Objectives of PIM-Mediated Certification
• Certify the identity and addresses of subscribers to third parties
• Enable User-specific Single Login to secure web sites with whom users have accounts
• Ensure confidentiality of communications
• Offer anonymous certification of selected identity attributes
• Enable users to sign digital documents
Ascertaining Credentials Anonymously
• Scenario 1: PIM issues (is the CA for) an anonymous certificate whose identity attributes PIM has already ascertained.
— e.g. anon3575 is Male + has an address in Canada
• Scenario 2: PIM requests, on the user’s behalf, that a trusted 3rd party sign an anonymous document certifying some user credential to which PIM is not privy.
— Example: have Employer sign a certificate asserting that an Anonymous PIM user works for Employer and earns more than 30,000$
— Establish a protocol that enables Employer to sign a “blinded” document that only PIM/User can associate with the employee
Blinded Signatures Protocol
— PIM prepares, on behalf of the user, N certificates stating that AnonUser[Random#] currently works for Employer & earns more than 30,000$
— PIM “blinds” each statement with a different “blinding factor”
— PIM sends all the statements to Employer
— Employer asks PIM for N-1 statements associating AnonUser[Random#] with an employee name and providing the blinding factor
— Employer verifies each of the N-1 statements, and that the employee exists and earns more than 30,000.
— Employer signs the last (blinded) certificate and returns it to PIM
— PIM “unblinds” the anonymous, Employer-signed certificate.
— Only PIM/User can associate AnonUser[Random#] to UserName
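The protocol above as an added example (not the author’s code): an RSA blind signature in the style of Chaum, with the cut-and-choose step in which the Employer opens N-1 of the blinded statements and signs the remaining one unopened. The Employer key, the payroll record and the statement/hash encoding are constructed assumptions for this toy.

```python
# Added example (not from the slides): blinded-signature protocol with
# cut-and-choose. Blinding multiplies H(stmt) by b^E; signing yields
# H^D * b; multiplying by b^-1 leaves the ordinary signature H^D mod n.
import hashlib, secrets
from math import gcd

def toy_rsa(p, q, E=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

EMPLOYER_PUB, EMPLOYER_PRIV = toy_rsa(2**61 - 1, 2**89 - 1)  # two Mersenne primes
PAYROLL = {"Jane Doe": 45000}                                  # constructed record

def statement(anon_id):
    return f"AnonUser[{anon_id}] currently works for Employer & earns more than 30,000$"

def H(stmt, n):  # digest as an integer below the modulus (toy convention)
    return int.from_bytes(hashlib.sha1(stmt.encode()).digest(), "big") % n

def blind(stmt, pub):
    """PIM: fresh blinding factor b coprime to n; send H(stmt) * b^E mod n."""
    E, n = pub
    while True:
        b = secrets.randbelow(n - 2) + 2
        if gcd(b, n) == 1:
            return H(stmt, n) * pow(b, E, n) % n, b

def employer_check(blinded, anon_id, employee, b, pub, payroll):
    """Employer: re-blind an opened statement and confirm the payroll claim."""
    E, n = pub
    return (blinded == H(statement(anon_id), n) * pow(b, E, n) % n
            and payroll.get(employee, 0) > 30000)

def unblind(blinded_sig, b, n):
    return blinded_sig * pow(b, -1, n) % n   # (H * b^E)^D * b^-1 = H^D mod n

def verify(stmt, sig, pub):
    E, n = pub
    return pow(sig, E, n) == H(stmt, n)

def run_protocol(N, employee, payroll, pub, priv):
    """Returns (anonymous statement, Employer signature), or None if a check fails."""
    ids = [secrets.randbelow(10**6) for _ in range(N)]
    blinded = [blind(statement(i), pub) for i in ids]   # (blinded value, b) each
    keep = secrets.randbelow(N)                          # Employer's unopened choice
    for i in range(N):                                   # PIM opens the other N-1
        if i != keep and not employer_check(blinded[i][0], ids[i], employee, blinded[i][1], pub, payroll):
            return None
    D, n = priv
    sig = unblind(pow(blinded[keep][0], D, n), blinded[keep][1], n)
    return statement(ids[keep]), sig   # only PIM knows which id maps to employee
```

The Employer never sees the blinding factor of the statement it signs, so the returned signature verifies against a statement it cannot link to the employee.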