1 / 33

The Application of Public Key Cryptography to Network Security

The Application of Public Key Cryptography to Network Security. Ted Reinhardt reinhardt@ncf.ca Course 94.470. Learning Objectives. Understand how public key cryptography can be used to provide network security services such as: Confidentiality Non-repudiation Authentication

vicki
Télécharger la présentation

The Application of Public Key Cryptography to Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Application of Public Key Cryptography to Network Security Ted Reinhardt reinhardt@ncf.ca Course 94.470

  2. Learning Objectives • Understand how public key cryptography can be used to provide network security services such as: • Confidentiality • Non-repudiation • Authentication • Notarization

  3. Crypto System a pair of data transformations: • one encrypts • the other decrypts Encrypt Decrypt cipher text plain text plain text key key

  4. Encryption Ek(m)  c m plain text message c cipher text k  key Decryption Dk(c)  m c ciphertext m message k  key

  5. Symmetric Key Crypto System • same key is used for both transformations A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y HAL IBM IBM plain text Encrypt Decrypt ciphertext plain text Key=1 Key=1

  6. A word about symmetric key crypto systems • Keys must be protected at all times at least to the highest level of the information exchanged for the entire useful life of the message. • Key distribution is therefore expensive • Keys must be changed frequently • large symmetric crypto networks are a nightmare to manage

  7. Rijndael RC6 Twofish Casear RC4 CAST DES Triple DES Symmetric Algorithms Rijndael

  8. Public Key Crypto System a pair of data transformations: • one encrypts • the other decrypts 03422AFDS IBM IBM Encrypt Decrypt ciphertext plain text plain text = public key private key

  9. An Engineering Love StoryOur Cast of Players Carl A spy for a tabloid newspaper Bob Alice Totally Clueless Hopelessly in love with Bob

  10. Public Key Crypto System • complementary key pairs • one private key, and a corresponding public key Name Public Private Alice 7 13 Bob 11 23 Carl 71 53 Private !!!

  11. Name Public Private Alice 7 13 Bob 11 23 Carl 71 53 Public Key Crypto System • Alice encrypts message for Bob’s eyes only. Bob’s Public Key 11 Bob’s Private Key 23 plain text Alice Encrypt Bob Decrypt cipher text plain text I LOVE YOU #$@deew I LOVE YOU Sender to Receiver Confidentiality

  12. Name Public Private Alice 7 13 Bob 11 23 Carl 71 53 Public Key Crypto System • Bob encrypts message for Alice’s eyes only. Alice’s Public Key 7 Alice’s Private Key 13 plain text Bob Encrypt Alice Decrypt ciphertext plain text Sender to Receiver Confidentiality

  13. Confidentiality - Objective 1 • Sender to Receiver Confidentiality • Encrypt with Public Key of the Addressee • Equivalent to sealing an envelope by encrypting • Only the Receiver can decode with his own Private Key (as long as the Private Key is kept Private).

  14. Name Public Private Alice 7 13 Bob 11 23 Carl 71 53 Public Key Cryptosystem • Alice digitally signs message for Bob Alice’s Public Key 7 Alice’s Private Key 13 plain text Alice Encrypt Bob Decrypt cipher text plain text Authentication / Digital Signature

  15. Authentication & Non-Repudiation Objective #2 • Sender encrypts message with own private key • Receiver decrypts message with senders public key. • Correct decryption indicates the message is authentic.

  16. Name Public Private Alice 7 13 Bob 11 23 Carl 71 53 Public Key Crypto System • Alice signs and seals message for Bob Bob’s Public Key 11 Alice’s Private Key 13 Ciphered Ciphertext Alice Encrypt Alice Encrypt ciphertext plain text Seal Sign Combined Digital Signature and Encryption

  17. Name Public Private Alice 7 13 Bob 11 23 Carl 71 53 Public Key Crypto System • Bob unseals message, and authenticates it Alice’s Public Key 7 Bob’s Private Key 23 clear text Bob Decrypt Bob Decrypts message+ signature Ciphered cipher text • Authenticates Opens Combined Decryption and Authentication

  18. Blind Notarization • Alice encrypts and signs a message for Bob’s Eyes Only • Alice send’s the message to Carl who takes Alices encrypted and signed message, adds a date time stamp (11AM 20 Sep 2004), and then signs it. • Bob can decode it and check the date time if there is a dispute.

  19. Blind Notarization Notary Services Date-time stamp + Notary’s Signature Alice Signed by Alice Sealed for Bob’s Eyes Only Bob

  20. Vulnerability in Key Management • Certification of Public Keys is required otherwise subject to middle man attack. Name Public Private Alice 71 53 Bob 71 23 Carl 71 53 Carl can now masquerade as Alice Carl can now read the message and then re-encrypt for the intended receiver

  21. Solution to VulnerabilityCertificate Authority • Certification of Public Keys is required otherwise subject to middle man attack. Digitally Signed by the CA Alice Public Key=13 Expiry=10-Aug-2004 Certificate Authority is recognized by all parties

  22. Symmetric vs Asymmetric • Public Key Crypto • Simplifies Key Management • Slow • Provides Digital Signature • Symmetric Key Crypto • Black Bag Key Management • Fast

  23. HybridBest of Both Worlds • Use Symmetric Key as session key to encrypt data using Symmetric Key Cryptography • it is faster • Use Public Key to Encrypt Session Key • fewer key management problems

  24. Message Digest • A one way function that provides a unique hash based on a data stream input • MD5 (deprecated) • SHA-256, 384, 512 • SHA-3 (emerging)

  25. Message Digests

  26. Message Digests $ SHA-256 (“Pay John $100.00”) e21a53edb61cec8fc53b9794911671f1330345fd673a9ed02ee9e38ac32ad3dd $ SHA-256 ( “Pay John $1000.00”) 499ae2dca86c11949ce3f44a11ccf2b0ff295bd0667d6eb204c7235e3491b949

  27. Signature and Integrity Implementation Plain text Message Digest Plain text Message Digest Digest Digest Digitally Sign Signed Digest Integrity COMPARE

  28. Practicalities of Implementation Plain text Symmetric Encryption Cipher text Random Session Key Alice’s Pub Key Public Key Encryption Alice’s Session Key Bob’s Pub Key Public Key Encryption Bob’s Session Key

  29. Layer 3Virtual Private Network Alice VPN Gateway Internet Directory Certificate Authority VPN Gateway Bob

  30. Layer 4Secure Sockets LayerTransport Layer Security SSL Appliance Protected Web Server Firewall Tunnel Internet SSL Enabled Browser

  31. Issues • Who is going to be the CA • How does a CA decide to trust another CA • If someone is no longer ok, how do you revoke their credentials and distribute the info • What is the basis for trust • Certificate Policies, Certificate Practice Statements

  32. Issues • What is required to make a legally binding transaction? • Where do you store the private key? • Key Escrow --- can someone backup your key for you in the event of loss? • How do you authenticate people far away the first time? • What algorithms are ok to use?

  33. References • www.counterpane.com Cryptogram News • Cryptography and Data Security (D. Denning) • Applied Cryptography (B. Schneier) • Communications Security (W. Ford)

More Related