Lecture 7 Signature Schemes - PowerPoint PPT Presentation

1 / 134
About This Presentation
Title:

Lecture 7 Signature Schemes

Description:

Hash Function, Digital Signature & Public Key Infrastructure Review: Security Requirements In the context of communications across a network, the following attacks ... – PowerPoint PPT presentation

Number of Views:184
Avg rating:3.0/5.0
Slides: 135
Provided by: Uten134
Category:

less

Transcript and Presenter's Notes

Title: Lecture 7 Signature Schemes


1
Hash Function, Digital Signature Public Key
Infrastructure
2
Review Security Requirements
  • In the context of communications across a
    network, the following attacks can be identified
  • disclosure
  • traffic analysis
  • masquerade
  • content modification
  • sequence modification
  • timing modification
  • source repudiation
  • destination repudiation

Symmetric/Asymmetric cryptography
Generally regarded as Message Authentication
Come under the heading of digital signature
Require a combination of the use of digital
signature and protocol design
3
Review Security Services
  • Authentication Provides the assurance of
    someones identity
  • Confidentiality Protects against disclosure to
    unauthorized identities
  • Non-Repudiation Protects against communications
    originator to later deny it
  • Integrity Protects from unauthorized data
    alteration

4
Review Services, Mechanisms, Algorithms
A typical security protocol provides one or more
services
Services
SSL, IPSEC, TLS, SSH, etc...
Mechanisms
Signatures
Encryption
Hashing
Algorithms
DSA
RSA
RSA
DES
SHA
MD5
Services are built from Mechanisms Mechanisms are
implemented using Algorithms
5
Review Message Authentication
Message Authentication
Hash Function
Message Authentication Code
Message Encryption
6
Message Authentication Hash functions
7
Hash Functions
  • Can use for encryption, authentication and
    digital signature.
  • Hash function accepts a variable-size message M
    as input and produces
  • a fixed-size output, referred to as a hash
    code H(M).
  • A cryptographic hash function h takes as input a
    message or arbitrary
  • length and produces as output a message
    digest of fixed length, for
  • example 160 bits as depicted in Figure.

8
Defining Hashing
If you were to give someone the number 1,765,335
and ask he/she to determine your original number,
it would be virtually impossible for he/she to
work backwards and derive to the original
number of 12,345. If you give her/him the
multiplier (143), she could easily determine the
original number.
Input Value
Multiplier
Formula
Result
12,345
143
Value Multiplier
1,765,335
Plaintext
Key
Algorithm
Ciphertext
9
A Practical Use of Hash Algorithm
Hashed value Store on card
123456 PIN entered on keypad
459384502392 123456 hashed
10
A Practical Use of Hash Algorithm
Hashed value Store on card
459384502392 123456 hashed
123456 PIN entered on keypad
Use Hashing Algorithm The hash value is based on
algorithm
Haval MD2 MD4 MD5 SHA Hash Functions (SHA-1,
SHA-2)
11
One-way HASH function
12
Hash Functions
  • Hash code does not use a key.
  • Hash code is a function only of the input
    message.
  • Hash code is also referred to as a message
    digest or hash value.
  • The hash code is a function of all the bits of
    the message and provides
  • an error-detection capability.
  • A change to any bit or bits in the message
    results in a change to the
  • hash code.

13
Hash Function Properties
  • a Hash Function produces a fingerprint of some
    file/message/data
  • h H(M)
  • condenses a variable-length message M
  • to a fixed-sized fingerprint
  • assumed to be public

14
Requirements for Hash Functions
  • Purpose of the HASH function is to produce a
    fingerprint.
  • Properties of a HASH function H
  • H can be applied to a block of data at any size
  • H produces a fixed length output
  • H(x) is easy to compute for any given x.
  • For any given block x, it is computationally
    infeasible to find x such that H(x) h
  • One-way property
  • For any given block x, it is computationally
    infeasible to find with H(y) H(x).
  • Weak collision resistance
  • It is computationally infeasible to find any pair
    (x, y) such that H(x) H(y)
  • Strong collision resistance

15
Simple Hash Functions
  • are several proposals for simple functions
  • based on XOR of message blocks
  • not secure since can manipulate any message and
    either not change hash or change hash also
  • need a stronger cryptographic function

16
Hash Functions Operations(In term of Hashing,
Signing, and Applications)
  • One useful application of hash functions is to
    make signature schemes
  • more efficient.
  • The hash function is made public.
  • Starting with a message m, Alice calculates the
    hash h(m). This output h(m)
  • is significantly smaller, and hence signing
    the hash may be done more
  • quickly than signing the entire message.
  • Alice calculates the signed message sig(h(m))
    for the hash function and
  • uses it as the signature of the message.
  • The pair (m, sig(h(m))) now conveys basically
    the same knowledge as the
  • original signature scheme did.
  • It has the advantages that it is faster to
    create (under the reasonable
  • assumption that the hash operation is quick)
    and requires less resources
  • for transmission or storage.

17
In Term of Security
  • Suppose Eve has possession of Alices signed
    message (m, sig(h(m))).
  • She has another message m to which she wants
    she to add Alices
  • signature.
  • This means that she needs sig(h(m))
    sig(h(m)) in particular, she needs
  • h(m) h(m).
  • If the hash function is one-way, Eve will find
    it hard to find any such m.
  • The chance that her desired m will work is very
    small. Moreover,
  • since we require our hash function to be
    strongly collision-free, it is
  • unlikely that eve can find two messages m1 ?
    m2 with the same
  • signatures.
  • Of course, if she did, she could have Alice sign
    m1, then transfer her
  • signature to m2. But Alice would get
    suspicious since m1 (and m2)
  • would very likely be meaningless messages.

18
Check on Data Integrity
  • Hash function also can be employed as a check on
    data integrity.
  • The question of data integrity comes up in
    basically two scenarios.
  • First when the data (encrypted or not) are
    being transmitted to another
  • person and a noisy communication channel
    introduces errors to the data.
  • Second An observer rearranges the transmission
    in some manner
  • before it gets to the receiver. Either way,
    the data have become corrupted.
  • Example
  • Suppose Alice sends Bob long messages about
    financial transactions
  • with Eve and encrypts them in blocks.
  • Perhaps Eve deduces that the tenth block of each
    message lists the
  • amount of money that is to be deposited to
    Eves account.
  • She could easily substitute the tenth block from
    one message into
  • another and increase the deposit.

19
Check on Data Integrity
  • Another situation
  • Alice might send Bob a message consisting of
    several blocks of
  • data, but one of the blocks is lost during
    transmission. Bob might
  • not ever realize that the block is missing.
  • Here is how function can be used. Say we send
    (m, h(m)) over the
  • communications channel and it is received as
    (M, H). To check
  • whether errors might have occurred, the
    recipient computes h(M)
  • and sees whether it equals H. If any errors
    occurred, it is likely that
  • h(M) ? H, because of the collision-free
    properties of h.

20
List of Cryptographic Hash Function
  • Haval
  • MD2
  • MD4
  • MD5
  • N-Hash
  • RIPEMD-160
  • SHA Hash Functions (SHA-0, SHA-1, SHA-2)
  • Snefru
  • Tiger
  • Whirlpool

21
Other Secure HASH functions
SHA-1 MD5 RIPEMD-160
Digest length 160 bits 128 bits 160 bits
Basic unit of processing 512 bits 512 bits 512 bits
Number of steps 80 (4 rounds of 20) 64 (4 rounds of 16) 160 (5 paired rounds of 16)
Maximum message size 264-1 bits
22
Digital Signature / Signature Schemes
23
Signature schemes
  • digital signature schemes


MACs in the public-key setting
24
Problem Authentication
24
25
Problem Authentication
25
26
Scenario
26
27
Scenario
27
28
Scenario
28
29
Scenario
29
30
Scenario
30
31
Digital Signatures
  • have looked at message authentication
  • but does not address issues of lack of trust
  • A few scenarios (transfer funds, mail message)
  • digital signatures provide the ability to
    (properties)
  • verify author, date time of signature
  • authenticate message contents
  • be verified by third parties to resolve disputes
  • hence include authentication function with
    additional capabilities

32
Digital Signature Properties
  • must depend on the message signed
  • must use information unique to sender
  • to prevent both forgery and denial
  • must be relatively easy to produce
  • must be relatively easy to recognize verify
  • be computationally infeasible to forge
  • with new message for existing digital signature
  • with fraudulent digital signature for given
    message
  • be practical save digital signature in storage

33
Digital Signatures Categories
Digital signatures
Arbitrated Digital Signature
Direct Digital Signature
34
Direct Digital Signatures
  • involve only sender receiver
  • assumed receiver has senders public-key
  • digital signature made by sender signing entire
    message or hash with private-key
  • can encrypt using receivers public-key
  • important that sign first then encrypt message
    signature
  • security depends on senders private-key

35
Arbitrated Digital Signatures
  • involves use of arbiter A
  • validates any signed message
  • then dated and sent to recipient
  • requires suitable level of trust in arbiter
  • can be implemented with either private or
    public-key algorithms
  • arbiter may or may not see message

36
Authentication Protocols
  • used to convince parties of each others identity
    and to exchange session keys
  • may be one-way or mutual
  • key issues are
  • confidentiality to protect session keys
  • timeliness to prevent replay attacks

37
Replay Attacks
  • where a valid signed message is copied and later
    resent
  • simple replay
  • repetition that can be logged
  • repetition that cannot be detected
  • backward replay without modification
  • countermeasures include
  • use of sequence numbers (generally impractical)
  • timestamps (needs synchronized clocks)
  • challenge/response (using unique nonce)

38
Using Symmetric Encryption
  • as discussed previously can use a two-level
    hierarchy of keys
  • usually with a trusted Key Distribution Center
    (KDC)
  • each party shares own master key with KDC
  • KDC generates session keys used for connections
    between parties
  • master keys used to distribute these to them

39
Needham-Schroeder Protocol
  • original third-party key distribution protocol
  • for session between A B mediated by KDC
  • protocol overview is
  • 1. A?KDC IDA IDB N1
  • 2. KDC?A EKaKs IDB N1 EKbKsIDA
  • 3. A?B EKbKsIDA
  • 4. B?A EKsN2
  • 5. A?B EKsf(N2)

40
Needham-Schroeder Protocol
  • used to securely distribute a new session key for
    communications between A B
  • but is vulnerable to a replay attack if an old
    session key has been compromised
  • then message 3 can be resent convincing B that is
    communicating with A
  • modifications to address this require
  • timestamps (Denning 81)
  • using an extra nonce (Neuman 93)

41
Using Public-Key Encryption
  • have a range of approaches based on the use of
    public-key encryption
  • need to ensure have correct public keys for other
    parties
  • using a central Authentication Server (AS)
  • various protocols exist using timestamps or nonces

42
Denning AS Protocol
  • Denning 81 presented the following
  • 1. A?AS IDA IDB
  • 2. AS?A EKRasIDAKUaT EKRasIDBKUbT
  • 3. A?B EKRasIDAKUaT EKRasIDBKUbT
    EKUbEKRasKsT
  • note session key is chosen by A, hence AS need
    not be trusted to protect it
  • timestamps prevent replay but require
    synchronized clocks

43
One-Way Authentication
  • required when sender receiver are not in
    communications at same time (eg. email)
  • have header in clear so can be delivered by email
    system
  • may want contents of body protected sender
    authenticated

44
Using Symmetric Encryption
  • can refine use of KDC but cant have final
    exchange of nonces, vis
  • 1. A?KDC IDA IDB N1
  • 2. KDC?A EKaKs IDB N1 EKbKsIDA
  • 3. A?B EKbKsIDA EKsM
  • does not protect against replays
  • could rely on timestamp in message, though email
    delays make this problematic

45
Public-Key Approaches
  • have seen some public-key approaches
  • if confidentiality is major concern, can use
  • A?B EKUbKs EKsM
  • has encrypted session key, encrypted message
  • if authentication needed use a digital signature
    with a digital certificate
  • A?B M EKRaH(M) EKRasTIDAKUa
  • with message, signature, certificate

46
Digital Signature Standard (DSS)
  • US Govt approved signature scheme FIPS 186
  • uses the SHA hash algorithm
  • designed by NIST NSA in early 90's
  • DSS is the standard, DSA is the algorithm
  • a variant on ElGamal and Schnorr schemes
  • creates a 320 bit signature, but with 512-1024
    bit security
  • security depends on difficulty of computing
    discrete logarithms

47
DSA Key Generation
  • have shared global public key values (p,q,g)
  • a large prime p 2L
  • where L 512 to 1024 bits and is a multiple of 64
  • choose q, a 160 bit prime factor of p-1
  • choose g h(p-1)/q
  • where hltp-1, h(p-1)/q (mod p) gt 1
  • users choose private compute public key
  • choose xltq
  • compute y gx (mod p)

48
DSA Signature Creation
  • to sign a message M the sender
  • generates a random signature key k, kltq
  • nb. k must be random, be destroyed after use, and
    never be reused
  • then computes signature pair
  • r (gk(mod p))(mod q)
  • s (k-1.SHA(M) x.r)(mod q)
  • sends signature (r,s) with message M

49
DSA Signature Verification
  • having received M signature (r,s)
  • to verify a signature, recipient computes
  • w s-1(mod q)
  • u1 (SHA(M).w)(mod q)
  • u2 (r.w)(mod q)
  • v (gu1.yu2(mod p)) (mod q)
  • if vr then signature is verified
  • see book web site for details of proof why

50
Summary
  • have considered
  • digital signatures
  • authentication protocols (mutual one-way)
  • digital signature standard

51
Message Authentication Codes the idea
(m, tTagk(m))
m ? 0,1
Vrfyk(m) ? yes,no
Alice
Bob
k
k
k is chosen randomly from some set K
51
52
Signature Schemes
(m, tTagk(m))
m ? 0,1
Vrfyk(m) ? yes,no
Alice
Alice
Bob
Bob
k
pk
k
sk
(pk,sk) Gen(1n)
1n
53
Advantages of the signature schemes
  • Digital signatures are
  • publicly verifiable
  • transferable
  • provide non-repudiation

54
Anyone can verify the signatures
Sign(sk3,m)
P2
public register
P3
sk3
pk1
pk2
pk3
pk4
pk5
1. Sign(sk3,m)
Sign(sk3,m)
P4
2. reads pk3
P1
3. computes Vrfy(pk3,m)
P5
55
Look at the MACs...
k
k
(m, tTagk(m))
m ? 0,1
Alice
Bob
  • Why shall I trust you?
  • You could have created t yourself (because you
    know k)
  • I dont know k, so how can I verify the tag?

Look, I got (m,t) from Alice
Carol
56
Signatures are publicly-verifiable!
skA
pkA
(m, s Signsk(m))
m ? 0,1
Alice
Bob
Look, I got (m,s) from Alice
I can calculate Vrfy(pkA,m,s) and check.
Carol
57
So, the signatures are transferable
Alice
skA
Alice signed m
Alice signed m
Alice signed m
s Sign(sk3,m)
I believe it!
I believe it!
I believe it!
(m,s)
(m,s)
(m,s)
pkA
pkA
pkA
pkA
P2
P1
P4
P3
58
Non-repudiation
skA
pkA
(m, s Signsk(m))
m ? 0,1
Alice
Bob
Ive got (m,s) from Alice
Its not true!I never signed m!
Vrfy(pk,m,s) yesso you cannot repudiate
signing m...
Judge
59
Digital Signature Schemes
A digital signature scheme is a tuple
(Gen,Sign,Vrfy) of poly-time algorithms, such
that
  • the key-generation algorithm Gen takes as input a
    security parameter 1n and outputs a pair
    (pk,sk),
  • the signing algorithm Sign takes as input a key
    sk and a message m?0,1 and outputs a signature
    s,
  • the verification algorithm Vrfy takes as input a
    key pk, a message m and a signature s, and
    outputs a bit b ? yes, no.

If Vrfypk(m,s) yes then we say that s is a
valid signature on the message m.
60
Correctness
  • We require that it always holds that
  • Vrfypk(m,Signsk(m)) yes
  • What remains is to define security of a MAC.

61
Other popular signature schemes
  • Based on discrete log
  • ElGamal signatures
  • Digital Signature Standard (DSS)
  • (also based on other groups elliptic curves)

62
Public Key Infrastructure
63
Overview
  1. Simple Fundamental
  2. Qualified signatures
  3. PKI and trust management
  4. Introduction to the key establishment protocols

64
Public Key Infrastructures
Alice
Charlie
Reggie
Eve
Bob
Sender Receiver
Certification Authority
Registration Authority
Hacker
Receiver Sender
65
Public Key Infrastructures
  • Alice and Bob, want to be able to communicate
    securely by sending messages to each other.
  • They want to be able to use trustworthy digital
    signature technology to protect the integrity of
    their messages, and they may also want to use
    encryption to keep the contents of their messages
    secret. To achieve all this, they've decided to
    use a PKI (Public Key Infrastructure) system, and
    digital certificates.

66
Public Key Infrastructures
  • Alice and Bob, want to enroll in a PKI system.
  • Charlie runs a Certification Authority (CA), and
    will be issuing certificates to Alice and Bob.
  • To make Charlie's job easier, he relies on his
    twin brother Reggie, a Registration Authority
    (RA), who interacts with Alice and Bob on
    Charlie's behalf.

67
Public Key Infrastructures
  • Alice and Bob want to enroll in a PKI system, and
    have decided to purchase certificates from
    Charlie, a Certification Authority.
  • To do this, they'll first need to contact Reggie,
    a Registration Authority who has an agreement
    with Charlie, to prove their identities. (Having
    Reggie conduct part of the enrolment proceedings
    makes Charlie's job a little easier.) But before
    they do that, they'll each have to generate a
    signing key for themselves.

CA
RA
68
Public Key Infrastructures
  • Let's see the procedure Alice goes through to
    enroll in the PKI. Bob will have to go through
    the exact same process.
  • First Alice asks her computer to generate a
    private signing key and a public key. Her private
    key is for her use only, and she must never share
    it with anyone. Her public key can be available
    to the world (in fact it will be included in the
    certificate issued by Charlie), and anyone can
    use it to verify her digital signature on a
    message.

Alices Public Key
Alices Private Key
69
Public Key Infrastructures
  • Next, she goes to visit Reggie, a Registration
    Authority, at his office. It is Reggie's duty to
    verify Alice's identity, so that he can say to
    Charlie that he has made sure that Alice is
    Alice. Since Charlie will be issuing a
    certificate to her, and the certificate conveys a
    high level of assurance that
  • Alice is who she says she is, and people will be
    trusting that, Charlie needs Reggie to be very
    careful about this.
  • Alice shows Reggie proof of government-issued
    photo identification.

RA
  • Since Reggie trusts the government that issued
    these identification cards, he is extremely
    certain that Alice is who she says she is he has
    authenticated Alice's identity. Next, he must
    transfer this knowledge to Charlie.

70
Public Key Infrastructures
  • Reggie has a secure encrypted computer link to
    his twin brother Charlie, the CA, so it is easy
    for him to notify Charlie of Alice's enrolment,
    and to let him know that he has authenticated her
    identity.
  • He makes up a reference number for Alice's
    account, gives it to her, and also uses this
    number to enroll her with Charlie over the
    encrypted link. In return, over the same
    encrypted link, Charlie sends Reggie an
    authorization code that Alice will use later.

Alices enrolment Information
Authorization Code For Alice
CA
RA
  • Instead of giving Alice the authorization code,
    he sends it to her office voicemail box. This is
    an extra check to make sure that Alice has
    supplied appropriate contact information.

71
Public Key Infrastructures
  • Alice can now return to her office. She uses her
    computer to create a certificate-request form.
    This form includes the following
  • her enrolment information, as given to Reggie
    earlier (name, address, etc.)
  • the authorization code that Charlie made, which
    Reggie left in her voicemail
  • her public key
  • Then, she digitally signs her certificate-request
    form, using her private key. This is very
    important, because she needs to prove that she
    possesses the private key that corresponds to the
    certificate that Charlie will be issuing her. If
    she can't prove she has the private key, Charlie
    won't issue the certificate.

Reference Number and Certificate Request
RA
72
Public Key Infrastructures
  • Charlie can check her signature using her public
    key.
  • Alice logs into Charlie's web site using her
    reference number and submits her certificate
    request form.
  • After receiving Alice's certificate request, he
    has to do some checking to make sure it's OK.
  • First, he checks to make sure the reference
    number and authorization code match what they are
    supposed to.
  • The authorization code inside Alice's certificate
    request must be the same as what Charlie has on
    file.

Reference Number and Certificate Request
RA
73
Public Key Infrastructures
  • Since Reggie had verified Alice's identity when
    the authorization code was given to her, Charlie
    knows that the certificate request came from
    Alice, and not somebody else pretending to be
    Alice.
  • Next, he takes the public key from the
    certificate request, and uses it to verify the
    digital signature on the request. If the
    signature is correct, then he knows Alice does
    possess her private key.
  • Having authenticated her identity, and verified
    that she has the right private key, Charlie
    issues the certificate in Alice's name and sends
    it back to her.

Certification Approved
Subject Alice Name Alice Issuer
Charlie
CA
Issued 21-08-2008
74
Public Key Infrastructures
  • Charlie also publishes the certificate in his
    public repository, so that anybody receiving a
    message from Alice can check her certificate.
  • After Bob has his certificate too, Alice and Bob
    can use digital signatures to ensure the
    integrity and sender's identity of their
    messages.

75
Public Key Infrastructures
  • If Alice and Bob want to use encryption to keep
    the contents of their messages secret, then they
    will also need a separate set of encryption keys
    and certificates for that purpose.
  • They can obtain these certificates at the same
    time as they obtain their signing certificates.

76
Overview
  1. Simple Fundamental
  2. Qualified signatures
  3. PKI and trust management
  4. Introduction to the key establishment protocols

77
QuestionHow to maintain the public register?
  • We start with the case when the public keys are
    used for signing that is legally binding.
  • Then we consider other cases.

78
A problem
skA
pkA
(m, s Signsk(m))
m ? 0,1
Alice
Bob
I got (m,s) from Alice
Its not true!I never signed m!
Vrfy(pk,m,s) yesso you cannot repudiate
signing m...
But pk is not my public key!
Judge
79
Solution certification authorities
  • A simplified view

comes with her ID and pkAlice
(pkCert,skCert)
Certification Authority
Alice
checks the ID of Alice and issues a
certificate SignskCert(pkAlice is a public key
of Alice)
Now, everyone can verify that pkAlice is a public
key of Alice. So Alice can attach it to every
signature
really everyone?
80
What is needed to verify the certificate
  • To verify the certificate coming from Cert one
    needs
  • to know the public key of the Cert
  • to trust Cert.
  • It is better if Cert also keeps a document
  • I, Alice certify that pkAlice is my public key
  • with a written signature of Alice.

81
How does it look from the legal point of view?
  • What matters at the end is if you can convince
    the judge.
  • Many countries have now a special law regulating
    these things.
  • In Malaysia it isMCMC

82
Malaysian Certificate Authorities
  • Digicert

83
So, what to do if you want to issue the qualified
signatures?
  • You have to go to one of this companies and get a
    qualified certificate (it costs!).
  • The certificate is valid just for some given
    period.

84
What if the secret key is lost?
  1. In this case you have to revoke the
    certificate.Every authority maintains a list of
    revoked certificates.
  2. The certificates come with some insurance.

85
Plan
  • Qualified signatures
  • PKI and trust management
  • Introduction to the key establishment protocols

86
In many case one doesnt want to use the
qualified signatures
  • The certificates cost.
  • Its risky to use them
  • How do you know what your computer is really
    signing?Computers have viruses, Trojan horses,
    etc.
  • You can use external (trusted) hardware but it
    should have a display (so you can see what is
    signed).
  • Remember qualified signatures are equivalent to
    the written ones!

87
Practical solution
In many cases the qualified signatures are an
overkill.
Instead, people use non-qualified signatures.
The certificates are distributed using a
public-key infrastructure (PKI).
88
Users can certify keys of the other users
knows pk2
knows pk3
P2
P1
P3
pk3
pk1
pk2
trusts P2
P1 believesthat pk3 is a public key of P3
P2 certifies that pk3 is a public key of P3
signature of P2
this should be done only if P2 really met P3 in
person and verified his identity
89
Users can certify keys of the other users
knows pk2
knows pk3
knows pk4
P2
P1
P3
P4
pk1
pk4
pk3
pk2
trusts P2
trusts P3
P2 certifies that pk3 is a public key of P3
signature of P2
P1 believesthat pk3 is a public key of P3
P3 certifies that pk4 is a public key of P4
signature of P3
90
knows pk2
knows pk3
knows pk4
knows pk5
P2
P1
P3
P4
P5
pk3
pk1
pk4
pk4
pk2
trusts P2
trusts P3
This is called acertificate chain
trusts P4
P2 certifies that pk3 is a public key of P3
signature of P2
P1 believesthat pk3 is a public key of P3
P3 certifies that pk4 is a public key of P4
signature of P3
P4 certifies that pk5 is a public key of P5
signature of P4
91
A problem
knows pk2
knows pk3
knows pk4
P2
P1
P3
P4
pk3
pk1
pk4
pk2
trusts P2
trusts P3
  • What if P1 does not know P3?
  • How can he trust him?
  • Answer P2 can recommend P3 to P1.

92
A question is trust transitive?
Does
P2
P1
P3
pk3
pk1
pk2
trusts P2
trusts P3
imply
P2
P1
P3
pk3
pk1
pk2
?
trusts P3
93
Example
I can recommend P3
P2
P1
P3
pk3
pk1
pk2
trusts thatP2 is a veryhonest person
trusts thatP3 is a veryhonest person
P2
P1
P3
pk3
pk1
pk2
doesnt trust that P3 is honest, because he
thinks that P2 is honest but naive
94
Moral
  • Trust is not transitive
  • P1 trusts in the certificates issued by P2
  • is not the same as saying
  • P1 trusts that
  • if
  • P2 says you can trust the certificates issued by
    P3
  • then
  • one can trust the certificates issued by P3

95
Recommendation levels
level 1 recommendation A you can trusts in
all the certificates issued by B level 2
recommendation A you can trust that all the
level 1 recommendations issued by B level 3
recommendation B you can trust that all the
level 2 recommendations issued by B and so on.
. .
  • Recursively
  • level i1 recommendation
  • A you can trust that all the level i
    recommendations issued by B

96
Now, if
P2
P1
P3
P4
P2 issues a recommendation of level 2 for P3
P3 issues a recommendation of level 1 for P4
P2 trust in all the recommendations issued by P2
then
P2
P4
P1
P3
trusts the certificates issued by P4
Of course the recommendations also need to be
signed. Starts to look complicated...
97
How is it solved in practice?
  • In popular standard is X.509 the recommendation
    is included into a certificate.
  • Here the level of recommendations is bounded
    using a field called basic constraints.
  • X.509 is used for example in SSL.
  • SSL is implemented is implemented in every
    popular web-browser.
  • So, lets look at it.

98
(No Transcript)
99
(No Transcript)
100
(No Transcript)
101
(No Transcript)
102
(No Transcript)
103
Concrete example
  • Lets go to the Banca Di Roma website

104
a certificatechain
105
(No Transcript)
106
(No Transcript)
107
(No Transcript)
108
The typical picture
web browser knows these certificates
. . .
Verisign
DigiCert
Entrust
  • Implicit assumptions
  • the author of the browser is honest,
  • the author of the browser is competent
  • nobody manipulated the browser

is it always true?
VerisignEurope
VerisignUSA
VerisignItaly
a certificate path
Banca di Roma
109
(No Transcript)
110
Is it so important to check it?
  • Yes!
  • For example the last element in the chain can be
    anybody (who paid to Verising for a certificate).
  • For sure we do not want to trust the certificates
    issued by anyone.

111
So, what happens when a user contacts the bank?
sends(cert1,..., certn)
Alice
Bank
If Alices browser knows cert1 it canverify the
chain and read the public key of the bank from
certn
112
What happens if the certification path is invalid?
  • For example if the first certificate in the path
    is not known to the user.
  • Experiment lets delete the Verisign
    certificate for the configuration of the
    browser...

113
(No Transcript)
114
What happens?
115
Another popular PKI
  • Pretty Good Privacy (PGP) every user can act as
    a certification authority.
  • Hence the name
  • Web of Trust

116
Introduction to the key establishment protocols
117
Suppose Alice and Bob want to authenticate to
each other...
internet
Bob
Alice
Observation authentication itself is not very
useful.More useful key establishment
118
Protocols for key establishment
  • Suppose Alice and Bob want to establish a fresh
    session key in an authentic way.
  • When is it possible?
  • Using symmetric cryptography Alice and Bob can
    use some trusted server S.
  • Using asymmetric cryptography e.g. using PKI.

119
Symmetric cryptography
share a private keyKAS
share a private keyKBS
server S
Alice
Bob
  • The server can help Alice and Bob to establish a
    session key.
  • (in reality its not so trivial to design a
    secure protocol)

120
The public-key cryptography
sends(cert1,..., certn)
sends(cert1,..., certn)
Alice
Bob
  • If they accepted the certificate paths they can
    establish a session key
  • Alice selects a random key K.
  • Alice encrypts K with Bobs public key, and sign
    is it with her private key, and sends it to Bob.
  • Bob verifies the signature and decrypts the K.
  • Again in reality its not that simple...

121
What if one of the parties doesnt have a
certificate?
  • Typical situation in real life...
  • E.g. a bank can verify authenticity of Alice by
    asking her for a secret password.
  • This password is provided to her (in a physical
    way) when she opened an account.
  • How to prevent the dictionary attacks?
  • Not so trivial...

122
Designing the key establishment protocols
  • It is an active area of research.
  • Its more complicated than one may think...
  • On the next slides we show some common errors.

123
An idea (1)
key shared by Alice and the server KAS
key shared by Bob and the server KBS
server S
(A,B)
selects a random KAB
EncKAS(KAB), EncKBS(KAB)
(EncKBS (KAB),A)
Alice
Bob
124
An attack
key shared by Alice and the server KAS
key shared by Bob and the server KBS
server S
(A,B)
Im talking to D
selects a random KAB
EncKAS(KAB), EncKBS(KAB)
(EncKBS(KAB),A)
(EncKBS (KAB),D)
Alice
Bob
125
An idea (2)
key shared by Alice and the server KAS
key shared by Bob and the server KBS
server S
(A,B)
selects a random KAB
EncKAS(KAB,B), EncKBS(KAB,A)
EncKBS(KAB,A)
Bob
Alice
126
A replay attack
the adversary stores the values that the server
sent in the previous session and replays
them. So, the key is not fresh...
(A,B)
EncKAS(KAB,B), EncKBS(KAB,A)
EncKBS(KAB,A)
Alice
Bob
127
How to protect against the replay attacks?
  • Nonce number used once.
  • Nonce is a random number generated by one party
    and returned to that party to show that a message
    is newly generated.

128
An idea (3) Needham Schreoder 1972.
key shared by Alice and the server KAS
key shared by Bob and the server KBS
server S
(A,B,NA)
selects a random KAB
EncKAS(KAB, B, NA, EncKBS(KAB,A))
EncKBS(KAB,A)
EncKAB(NB)
EncKAB(NB 1)
Bob
Alice
129
An attack on Needham Schroeder
Assume that an old session key KAB is known to
the adversary.
EncKBS(KAB,A)
EncKAB(NB)
EncKAB(NB 1)
Bob
130
The final solution
key shared by Alice and the server KAS
key shared by Bob and the server KBS
server S
(A,B,NA,NB)
selects a random KAB
EncKAS(KAB, B, NA) EncKBS(KAB, A, NB)
(B,NB)
EncKBS(KAB, A, NB)
Alice
Bob
131
Other desirable features
  1. Forward-securityif an adversary breaks into the
    machine at some time t the previous session keys
    remain secret.
  2. DeniabilityA user can always deny that he sent
    some message.
  3. Resistance to denial-of-service attacks(dont
    put to much work on the server!).

132
Another (real-life) problem
  • Alice and Bob may use different versions of the
    protocol.
  • Therefore at the beginning of the protocol they
    have to agree on the ciphers that they will use.
  • How to do agree in a secure way?

Alice I prefer to use AES, but I can also use
DES
Alice I can only use DES,
Bob I can only use DES,
Bob I prefer to use AES, but I can also use
DES
Alice
Bob
Theyll end up using DES!
133
Protocols used in practice
  • Symmetric Kerberos
  • Asymmetric SSL, SSH, IPSec...

134
Thank You See You Next Week Have A Nice Weekend
How Do You Want Protect Your Network System
Write a Comment
User Comments (0)
About PowerShow.com