Public Key Infrastructure Joe Oldford EE 579 02 Mar 06
Overview • Introduction • Classical (symmetric) Cryptography • Public Key (asymmetric) Cryptography • Digital Signatures • Public Key Infrastructures • Insecurities • Summary
Symmetric Cryptography Shared Secret Key
Symmetric Cryptography • Same function and key are used for both encryption and decryption.
Public Key Cryptography Separate Unrelated Keys
Public Key Cryptography • The encryption and decryption functions use separate unrelated keys.
What goes public and what doesn’t?? • PUBLIC: Your encryption algorithm, Your encryption key • SECRET: Your decryption key
What does this mean?? • Anyone can encrypt a message using your public key. • Only you can decrypt it. • No one can derive your decryption (secret) key from your algorithm and encryption (public) key. • The encryption and decryption order are reversible What if I encrypt a message using my secret key??
Too good to be true? • Public Key Cryptosystems are very computationally intensive. • Practical only for very short messages i.e. secret key exchange, message hashes • Public Key cryptosystems cannot be proven secure. Hmmm….. Could the NSA break them…..
Public Key technology provides: • Strong authentication. Users can securely identify themselves to other users and servers on a network without sending secret information (for example, passwords) over the network. • Data integrity. The verifier of a digital signature can easily determine whether or not digitally signed data has been altered since it was signed. • Support for non-repudiation. The user who signed data cannot successfully deny signing that data.
So then, is this enough… Not quite, how do we ensure: • Secret Key management • Public Directory security Need a Public Key Infrastructure (ITU-T standard X.509)
What is a public key infrastructure? (ITU-T standard X.509) • A public key infrastructure (PKI) is the comprehensive system required to provide public-key encryption and digital signature services. • A PKI enables the use of encryption and digital signature services across a wide variety of applications by establishing and maintaining a trustworthy networking environment.
Public Key Infrastructure (X.509) • Registration • Key Generation • Certification • Key Backup • Key Update • Certificate Revocation
Certification Authorities (CA) • Act as agents of trust in a PKI • Create certificates for users by generating key sets and digitally signing a user’s data set. • The CA’s signature ensures that any tampering with the contents can easily be detected
Registration – Key Generation • New users must register with the CA • The CA generates at least two separate key pairs, one pair for encryption and one pair for digital signing • Public keys are published in the CA’s directory • Secret keys MUST be kept secure, usually stored on a device such as a magnetic card or smart card
Digital Certificates • Each user’s registered identity is stored in a digital format known as a digital certificate. • Digital Certificates contain (at least): unique username; user’s public key; generating algorithm; validity period; specific use of the public key; name of the CA; certificate serial #
Key Backup • A business must be able to retrieve encrypted data when users lose their decryption keys • Decryption keys are backed up securely by the CA • Signing keys must NOT be backed up: to support non-repudiation, the signing key must be under the sole control of the user at all times
Key Update • Cryptographic key pairs should not be used forever • Updating key pairs should be transparent to the user, i.e. automatically updated • Key history must be maintained and securely managed by the key backup and recovery system
Certificate Revocation • Certificates can be revoked before expiring • Revoked certificates are managed by the CA through a Certificate Revocation List • The revocation status of the certificate must be checked prior to each use.
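Added example (not part of the original slides): the checks a relying party runs before trusting a certificate, covering the CA signature, validity period, revocation list and key use described on the preceding slides. The field names, the sample certificate and the toy textbook-RSA CA key are assumptions made for illustration; a real PKI uses X.509 encoding and a standard padded signature scheme.

```python
import hashlib
from datetime import date

# Constructed toy CA key: textbook RSA over two Mersenne primes.
# Assumption for illustration only; far too small and unpadded for real use.
P, Q, CA_E = 2**61 - 1, 2**89 - 1, 65537
CA_N = P * Q
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))   # the CA's secret exponent

def digest(fields):
    """Hash the certificate fields in a fixed order, reduced mod n."""
    data = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_N

def ca_sign(fields):
    """CA side: sign the field digest with the CA's secret key."""
    return {**fields, "signature": pow(digest(fields), CA_D, CA_N)}

def check(cert, crl, today, use):
    """Relying-party side: 'ok', or the first reason to reject."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    if pow(cert["signature"], CA_E, CA_N) != digest(fields):
        return "bad CA signature"        # contents altered after signing
    if not cert["not_before"] <= today.isoformat() <= cert["not_after"]:
        return "outside validity period"
    if cert["serial"] in crl:            # checked on every use
        return "revoked"
    if cert["usage"] != use:             # encryption and signing keys differ
        return "wrong key usage"
    return "ok"

# Constructed sample certificate with the fields listed on the slide.
SAMPLE = ca_sign({
    "username": "alice", "public_key": "alice-signing-key",
    "algorithm": "toy-rsa", "not_before": "2006-01-01",
    "not_after": "2007-01-01", "usage": "signing",
    "ca_name": "Example CA", "serial": 1001,
})

if __name__ == "__main__":
    day = date(2006, 3, 2)
    print(check(SAMPLE, set(), day, "signing"))
    print(check({**SAMPLE, "public_key": "other-key"}, set(), day, "signing"))
    print(check(SAMPLE, {1001}, day, "signing"))
```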
So can we attack a PKI…. • Representation problem • Single key pair for challenge response and signing • Insecure updating
Summary • Symmetric Cryptography • Public Key Cryptography • Digital Signatures • Framework of X.509 – PKI • Attacks on a PKI