580 likes | 666 Vues
Data Security and Cryptology, XI Digital Signature, its’ Infrastructure and Usage in Estonia. November 12th , 2014 Valdo Praust mois @ mois .ee Lecture Course in Estonian IT College Autumn 2014. Main Types of Cryptoalgorithms.
E N D
Data Security and Cryptology, XI Digital Signature, its’ Infrastructure and Usage in Estonia November 12th, 2014 Valdo Praust mois@mois.ee Lecture Course in Estonian IT College Autumn 2014
Main Types of Cryptoalgorithms Symmetric cryptoalgorithms or secret-key crypotoalgorithmsare traditional (historical) cryptoalgorithms Asymmetric cryptoalgorithms or public-key crypotoalgorithmsare widely spread within last 30 years Cryptographic message digests and similar constructions Special-purpose algorithmsfor proofing, authentication etc
Cryptographic Hash or Cryptographic Message Digest Cryptgraphic hash (krüptoräsi)orcryptographic message digest (krüptograafiline sõnumilühend) orfingerprint or thumbprint is digest with a fixed lenght which is computed from an arbitrary-length message using an one-way function One-way function (ühesuunaline funktsioon) is such a function which is easy comutable but an inverse function is unfeasible (practically uncomputable)
Cryptographic Message Digest: Usage If we have a given message-hash pair and the hash corresponds to the message then we can always sure that the hash is certainly calculated from the given message Main usage of hashes are ensuring the integrity (usually helps public-key algorithm) Practically secure hash functions find a hash which lenght is at least 160 bit (in enhanced security cases 256 bits)
Cryptographic Hash: Usage Main usage of cryptographic hashes are authentication and ensuring of integrity (for example in digital signatures) One of the main reasons of cryptographis hashes’ usage is that public-key cryptoalgorithm is unsuitable for processing of long plaintexts
Most-Of-Used Hash Functions • SHA-1– was constructed in 1996 in NSA using the same principles that were earlier used in MD4 but increasing the security (using longer values). Lenght of hash is 160 bits (20 bytes) • RIPEMD-160– was constructed in Belgium in early 1990s. Finds 160-bit (20-byte) hash The practically used hash functions must compute at most 160-bit hash(twice as long hash as was a minimal lenght of practically secure symmetric cryptoalgorithm, i.e. 2 x 80 bits)
Practically Unsecure Hash Functions • MD2, MD4– preseccors of MD5, made by Ron Rivesti, found 128-bit hash • MD5– made by Ron Rivest in 1980s. Founds 128-bit hash (digest) For these hash functions there has been found both collisions and practical breaking expoits. Despite of this fact MD5 is still unfotunately in use in numerous places
Enhanced Security: RIPEMD-256 and SHA-2 • RIPEMD-256 is successor of RIPEMD-160 with a hash lenght of 256 bits (breaking is much more harder) • SHA-2 is a family of hash functions with longer than 160-bit hash (224, 256, 384 or 512 bits) It’s reasonable to use RIPEMD-256 or SHA-2 in the following two cases: • for a long-term security (longer as 5-10 years) • for an enhanced level of security (enhanced level of integrity)
Protocol (protokoll) determines, which information moves between different subjects and who/how/when transforms it Cryptoprotocol is a protocol where transformings include different cryptoalgorithms (symmetric, asymmetric, hash algorithms) and/oe key generations Essence of a Cryptoprotcol There are a lot of different cryptoprotocols. The most-of-spread cryptoprotocol (in Internet) is TLS (Transport Layer Security)
Is constructed to work in Internet, i.e. in the network which bases on TCP/IP Enables to autenticate different (both) parties Enable to change the symmetric algorithm’s key for secure transfer of information and to transfer information securely Includes to the higher-level protocols, adding the security to the basic functionality: ssh instead of telnet https instead of http secure ftp instead of ftp TLS: Main Properties and Facts
TLS Channel TLS makes a secure channel(turvaline sidekanal) over a network which have following three properties: • Channel is a private. After the parties has changed the encryption keys, all transferrable data are encrypted • Channel is authenticated. It’s possible both-side authentication but also a single-side authentication • TLS enables to check the successful receiving of all packages (necessary property for a batch mode information transfer – TCP/IP protocol)
TLS Security and Problems • If B has his private key and the signed message already sent to A,it’s impossible to masquerade B to A– it is protected by cryptographic algorithms • It’s impossible to eavesdrop the communication between A and B without knowing the secret keys • But there remains a problem: if instead of real B the communication with A was started by a “false B” it can’t be discovered by A This problem cannot be solved only by TLS – it needs some additional resources
Dokcument as a Data Source An organized human activity has based on mediated information called data already in centuries. But in most of cases we need that data can be considered also as documents • Documents are such a data, where there are • some (legal) meaning of data • a certain an unchangable relationsahip with data, creator of data and creation time of data Until the late 1990s a document was synonym of a paper document
Evidentiary Value of a Document Document is a data where two following conditions are satisfied: • there’s possible to identify the creator of a document (and sometimes also a creation time) • there’s possible to verify that the document has remained unchanged after its’ creation (both occasionally and by the deliberate act) These properties together are called evidentiary value of a document (dokumendi tõestusväärtus) For a creation and preservetion of documents we can’t use any such a method where one or both evidetiary value properties are not satisfied
Evidentiary Value of a Traditional Paper Document • For a paper document all information (text, pictures, tabeles etc) is beared to the paper sheet by some permanent method which excludes erasing. Therefore a paper sheet (data carrier) can always be considered as a document itself • Paper document is binded with its creator by an handwritten signature(omakäeline allkiri) These two widely-spread techniques ensure the evidentiary value of a traditional paper document
Evidentiary Value of a Digital Document: a Big Problem A fact: a digital information is usually kept and stored in a way which can’t permanently bind data to the data carrier. Multple writable media (hard disks, flash memory etc) are mass-used Conclusion: for a digital documents we can’t use the same methods as we use in paper documents – handwritten signature doesn’t help us because there isn’t any media by which the signature is related. Therefore, we must achieve evidentiary value in a different way
Acheiving the Integrity Data integrity (andmete terviklus) is a ensuring that data are originated (information was stored into the data) by a certain subject and haven’t been altered (both occidentially and by a deliberate act) Differently from paper documents the integrity of digital data isn’t a default property: it must be achieved by some special activities (safeguards) Actually only possibility is a using of digital signature (digitaalsignatuur, digisignatuur) which is based on public-key cryptography Bureaucrats speak about evidentiary value, which is higly similar to integrity (used by IT security specialists)
Solution of Integrity for Digital Documents – a Digital Signature When it’s impossible to achieve the integrity (evidentiary value) on the level of data carrier, the only possibility is to use a technique which bind the data itself to the creator using mathematical relationships Actually this technique is called digital signature(digitaalallkiri, digiallkiri) which is up to present the only way, how we can ensure the provable integrity under the multiple rewritable media paradigm
Technical and Legal Views to Digital Signature A legal digital signature (digitaalallkiri, digiallkiri) is a legal concept which gives thedocumentanevidentary value as handwritten signature gives such a value topaper-based document A technical digital signature (digitaalsignatuur, sigisignatuur) is a technical or cryptotechnical construction which uses public-key cryptoalgorithm for achieving the integrity • Up to present the only known way for giving a legal digital signature is a using of technical digital signature • Each legal digital signature is (up to present) a technical digital signature. But each technical digital signature isn’t of course a legal digital signature – it needs some authorities called public key infrastructure
Essence of (Legal) Digital Signature Digital signature uses the methods offered by a public-key cyrpotialgorihm (its use in digital signature or integrity acheiving mode) (A legal) digital signature (digitaalallkiri, digiallkiri) is an additional data set which is added to signable document (signable data set) and which is created by a signer(allkirjastaja) using both the signable document and a private key of a signer and is performed by mathematical operations
Public-Key Cryptoalgorithm Public-key cryptoalgorithm (avaliku võtmega krüptoalgoritm) or asymmetric cryptoalgorithm (asümmeetriline krüptoalgoritm) uses two keys– if we encrypt by one key, we can decrypt it later by another key These keys are generated by a mathematical algrothm and are mathematically related to each other but there’s impossible in practice (infeasible) to found from public key to private key
Public-Key Cryptoalgorithm: Keys Keys of public-key cryptoalgorithm are called usually public key and private key (avalik võti ja privaatvõti) • Public key is usually known for all parties (is public) • Private key is usually known or can be used only by a keypair owner (for a legal digital signature case by a signer)
Giving of a Digital Signature In order to give a digital signature, the signer must have earlier-generated public-key cryptoalgorithm keypair(avaliku võtmega krüptoalgoritmi võtmepaar), which consists of: private key (privaatvõti, isiklik võti) public key (avalik võti) Both keys are digital data sets (bitstreams) Digital signature, which is given by a private key, is verifiable by the corresponding public key
Cryptographic Hash or Cryptographic Message Digest Cryptgraphic hash (krüptoräsi)orcryptographic message digest (krüptograafiline sõnumilühend) is digest with a fixed lenght which is computed from an arbitrary-length message using an one-way function This is a one-way relation(ühesuunaline seos) - for a given digest it’s impossible to restore the message Conclusion: if digest corresponds to message we can be always sure that the digest is computed just from the given message
The Role of Hash in Digital Signatures Digital signature is usually given to hash of a document, not to an original (long) document This is necessary, because the public-key algorithm is unsuitable for encryption of long messages (it works thousands times slower than a typical symmetric algorithm) Because it’s impossible to (re)construct a message using a hash, then the digital signature, which given to hash, is as good as a digital signature which is given to an original document (in the mean on integrity)
Private Key and its Usage Therefore we must keep private key extremly carefully preventing its unauthorized usage and spread The sufficiently secret way is to generate and use the public key in a special hardware device, for example in a chipcard (kiipkaart) consisting both a key generation and encryption algoritms and having possibilites of private key usage only inside the chip and unability to read private key outside the chip Estonian ID-Card and Mobile ID-Card are both such a cryptographic chipcards Everyone, who has a private key of a signer can give unauthorizedly a digital signature of a signer
Private Key as a Chipcard Such a chip/device, where it’s impossible to read some internal values (keys) from the device, are called non-reverse-engineerable(pöördkonstrueerimatu) device
A Necessity for a Certification Service Above-mentioned technique allows to bind a document to the public key (keypair) of a signer We are interested in binding a document with a signer as a physical person - whith his/her name, personal or national idenfication number (isikukood) etc. Solution: we must additionally (previously) to bind the personal identification data of signer to the public key of a signer
Principles of Certification Certificates are usually issued by a special certificartion authorities(CAs, sertifitseerimiskeskus, sertifitseerimisteenuse osutaja) Binding of personal idenfication data (name, personal identification number) to public key is called certification(sertifitseerimine) A result of certification (by the means of digital signature) is a certificate(sertifikaat) which is always a digital document
Certificate Instead of public keys there are always spread and used certificates (consisting these keys). For a verification of digital signature it’s always mandatory to have a certificate of a signer A certificate(sertifikaat) is a digital document created and signed digitally by a certification authority. Certificate typically consists of personal data of signature owner, private key of signature owner and a specific certificate-related data (issuer, expiration date, issuing time etc)
Problems (Necessity for Additional Subjects) We can’t excude the cases when a private key will still appear to the hands of unauthorized persons.In these cases the unauthorized owner of key can produce an unlimited amount of digital signatures Solution: we must allow the revocation of certificates (sertifikaatide tühistamine) Revocation is not so simple. We must ensure that these singatures, which are given before revocation must remain valid, but none of these signatures, which are tried to give after revocation, will became valid
Solution of Certificates’ Revocation Problem We need to acheive the long-time evidence value of signed documents: we must to able prove the evidence even a couple of years or even decades after the hypothetical revocation of corresponding certificates Conclusion: we must add two following techniques to the (legal) digital signature infrastructure: • We must add a provable time-stamp to all activies/results (signatures, revocation acts, etc) • We must create a comparison possibility of different time stamps before signature verification (is there any revocation act which time is earlier than a time of a signature?)
Time-Stamp Principles Time-stamp(ajatempel) is an additional data set which is added to the original data set. There’s possibility to provably compare the creation time of different timestaps (data sets) Time-stapms are issued by a certain time-stamp authorities(ajatemplikeskused, ajatempliteenuse osutajad) Time-stamp authority calculates the next time-stamp from the following sources using one-way funtsion (hash): • from the data (hash), which is sent to time-stamp authority • from the previously issued time-stamp
Time-Stamp Principles One-way chaining of sequential time-stamps ensures that there is impossible to change already issued time-stamps and there is impossible to issue new time-stamp between already issued time-stamps • All time-stamps and their’ issuing times and calculating algoroithms are public • Time-stamp was taken from a time-stamp authority immediately after the calculating of the digital signature
Digitally Unsuitable Technique: a Revocation List Certificates’ revocation list(sertifikaatide tühistuslist) is a list kept by a certification authority(-ies), which consists of data of all possible revocations An initial idea was to check each signature against a revocation list online during the each verification of signature Why such a solution is unsuitable?
Shortcomings of Revocation List Technique Each signature verification needs online-query Revocation list will became a real bottle-neck What will happen with signed documents when certification authority (revocation list) disappear (has been destroyed)? It’s reasonable that signature (document) verification ability always preserves with the document, not in different place or using some different (additional) authorities
A Suitable Technique: Validity of Approval Validity of approal(kehtivuskinnitus) is a query to certification authority which has made immediately after giving a digital signature Validity of approval is stored next to the signature and is (with a corresponding certificate and time-stamp) a digital proof that during the signing process the certificate was valid (there’s no revocations in force) When digital signature in equipped with such a validity of approval then it’s possible to verify signature without any online connections. But a sigining process (taking of time-stamp and validity of approval) always needs online connection
Digital Document with Digital Signature with all NecessaryAdditionalRequisites
Certification Infrastructure • Certification infrastructure(sertifitseerimise taristu) or public-key infrastructure (PKI, avaliku võtme taristu) consists of five following mandatory components necessary for secure giving and verifying of digital signatures: • non-reverese-engineerably realized hardware-based public-key container • certification authority (CA) • validity of approval service (at the CA) • time-stamping authority • organization and coordination of services (usually in national level)
Data Format Data format(andmevorming, vorming) — a desciption how different type of information – text, picture, voice, video etc – is coded into the queue of 0’s and 1’s A pre-agreed (standardised) data format gives to data (to data file) a concrete and unique meaning. If we have data but do not have the data format desciption, then we do not have the information, carried by the data
From Data Format to Meaning Different data formats are supported by a different application software, which usually allow to write the file in certain format, or to made the content of data (information) human-perceptable etc. A typical end-user usually don’t know anything about different data formats and interpretation. He/she usually associates the certain format only to the certain software which is able to interpretate these format(s). End user usually receives only an human-perceptable form, prepared by the software, so-calles WYSIWYG (What You See Is What You Get, in Estonian adekvaatkuva)
Demands to the Signable Document Format Digital signature is technically binded to the bitstream, but we sign a documnt with a certain meaning (text, pictures, hypertext etc). Relationship between meaning and bitstream is determined by a used data format (andmevorming) Conclusion: for signing there are suitable onlyu these formats which have a unique meaning and which description is publicly available Recommended formats: PDF, RTF, JPG, GIF... Unrecommended formats:DOC, DOCX, XLS, XLSX, ...