luibPc eKy fsueIrtcrnartu - PowerPoint PPT Presentation

Patman
Presentation Transcript

  1. luibPc eKyfsueIrtcrnartu oeJ dlofrdO E5 7E9 0M 2r0 6a

  2. Public Key Infrastructure Joe Oldford EE 579 02 Mar 06

  3. Spartans vs. Persians

  4. Overview • Introduction • Classical (symmetric) Cryptography • Public Key (asymmetric) Cryptography • Digital Signatures • Public Key Infrastructures • Insecurities • Summary

  5. Symmetric Cryptography Shared Secret Key

  6. Symmetric Cryptography • Same function and key are used for both encryption and decryption.

  7. Public Key Cryptography Separate Unrelated Keys

  8. Public Key Cryptography • The encryption and decryption functions use separate unrelated keys.

  9. PUBLIC: Your encryption algorithm, Your encryption key. SECRET: Your decryption key. What goes public and what doesn’t??

  10. What does this mean?? • Anyone can encrypt a message using your public key. • Only you can decrypt it. • No one can derive your decryption (secret) key from your algorithm and encryption (public) key. • The order of encryption and decryption is reversible. What if I encrypt a message using my secret key??

  11. Digital Signatures

  12. Too good to be true? • Public Key Cryptosystems are very computationally intensive. • Practical only for very short messages, i.e. secret key exchange, message hashes. • Public Key cryptosystems cannot be proven secure. Hmmm….. Could the NSA break them…..

  13. Writing a Digital Cheque

  14. Writing a Digital Cheque

  15. Public Key technology provides: • Strong authentication. Users can securely identify themselves to other users and servers on a network without sending secret information (for example, passwords) over the network. • Data integrity. The verifier of a digital signature can easily determine whether or not digitally signed data has been altered since it was signed. • Support for non-repudiation. The user who signed data cannot successfully deny signing that data.

  16. So then, is this enough… Not quite, how do we ensure: • Secret Key management • Public Directory security Need a Public Key Infrastructure (ITU-T standard X.509)

  17. What is a public key infrastructure? (ITU-T standard X.509) • A public key infrastructure (PKI) is the comprehensive system required to provide public-key encryption and digital signature services. • A PKI enables the use of encryption and digital signature services across a wide variety of applications by establishing and maintaining a trustworthy networking environment.

  18. Public Key Infrastructure (X.509) • Registration • Key Generation • Certification • Key Backup • Key Update • Certificate Revocation

  19. Certification Authorities (CA) • Act as agents of trust in a PKI. • Create certificates for users by generating key sets and digitally signing a user’s data set. • The CA’s signature ensures that any tampering with the contents can easily be detected.

  20. Registration – Key Generation • New users must register with the CA. • The CA generates at least two separate key pairs, one pair for encryption and one pair for digital signing. • Public keys are published in the CA’s directory. • Secret keys MUST be kept secure, usually stored on a device: magnetic card, smart card.

  21. Digital Certificates • Each user’s registered identity is stored in a digital format known as a digital certificate. • Digital Certificates contain (at least): unique username; user’s public key; generating algorithm; validity period; specific use of the public key; name of the CA; certificate serial #.

  22. Digital Certificates

  23. Key Backup • A business must be able to retrieve encrypted data when users lose their decryption keys. • Decryption keys are backed up securely by the CA. • Signing keys must NOT be backed up; to support non-repudiation, the signing key must be under the sole control of the user at all times.

  24. Key Update • Cryptographic key pairs should not be used forever • Updating key pairs should be transparent to the user, i.e. automatically updated • Key history must be maintained and securely managed by the key backup and recovery system

  25. Certificate Revocation • Certificates can be revoked before expiring. • Revoked certificates are managed by the CA through a Certificate Revocation List. • The revocation status of the certificate must be checked prior to each use.

  26. So can we attack a PKI…. • Representation problem • Single key pair for challenge response and signing • Insecure updating

  27. Summary • Symmetric Cryptography • Public Key Cryptography • Digital Signatures • Framework of X.509 – PKI • Attacks on a PKI

  28. References • J. Buchmann. Introduction to Cryptography. Springer-Verlag, 2002 • S. Singh. The Code Book. Anchor Books, 1999 • Trusted Public-Key Infrastructure: http://www.entrust.com/resources/whitepapers.cfm

  29. Questions?
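
Added example, not part of the original slides: a toy relying-party check that ties together the CA signature (slide 19), the separate signing and encryption key pairs (slide 20), the certificate fields (slide 21) and the CRL lookup before each use (slide 25). The CA key is unpadded textbook RSA built from two Mersenne primes, and every name and value (Example CA, alice, serial 1001, the dates) is constructed for illustration.

```python
import hashlib
import json

# Toy CA key pair: textbook RSA over two Mersenne primes, no padding.
# Constructed for illustration only; far too weak for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
CA_N = P * Q                              # public modulus, published by the CA
CA_D = pow(E, -1, (P - 1) * (Q - 1))      # CA's secret signing exponent

def digest(body):
    """Hash a JSON-serialisable body and reduce it into the RSA modulus."""
    blob = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % CA_N

def ca_sign(body):
    """CA side: sign the hash of the body with the secret key."""
    return {"body": body, "sig": pow(digest(body), CA_D, CA_N)}

def sig_ok(signed):
    """Relying-party side: check the signature with the CA's public key."""
    return pow(signed["sig"], E, CA_N) == digest(signed["body"])

def validate(cert, crl, usage, today):
    """Return 'ok' or the first reason to reject the certificate."""
    c = cert["body"]
    if not sig_ok(cert):
        return "certificate altered or not signed by CA"
    if not c["not_before"] <= today <= c["not_after"]:  # ISO dates sort as text
        return "outside validity period"
    if c["usage"] != usage:
        return "key not certified for this use"
    if not sig_ok(crl):
        return "CRL not signed by CA"
    if c["serial"] in crl["body"]["revoked"]:
        return "revoked"
    return "ok"

# Constructed sample data; fields follow the certificate contents on slide 21.
alice = ca_sign({"serial": 1001, "user": "alice", "ca": "Example CA",
                 "algorithm": "toy-rsa", "public_key": "<alice signing key>",
                 "usage": "signing", "not_before": "2006-01-01",
                 "not_after": "2006-12-31"})
empty_crl = ca_sign({"revoked": []})
new_crl = ca_sign({"revoked": [1001]})

if __name__ == "__main__":
    print(validate(alice, empty_crl, "signing", "2006-03-02"))
    print(validate(alice, new_crl, "signing", "2006-03-02"))
```

The same certificate passes against the empty CRL and fails against the newer one, which is why a relying party that caches a stale CRL keeps accepting a revoked key.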