Cryptography Encryption/Decryption Franci Tajnik CISA Franci Tajnik.

CryptographyEncryption/Decryption

Franci Tajnik CISAFranci Tajnik CISA

Franci Tajnik

CISA 2002 Franci Tajnik

cryptographic system

cryptographic algoritm ( math. function)cryptographic algoritm ( math. function) keys ( word, number, phrase )keys ( word, number, phrase ) protokolprotokol

convert plain text to cipher textconvert plain text to cipher text


Symmetric method DES

Cipher text

Plaintext

SymetricKeySender Receiver

Plaintext

Cipher text


Asymmetric Key Generation

SeedData

GenerationProgram

SecretKey

PublicKey

AsymmetricRelationship


Asymmetric method RSA

Cipher text

Plaintext

Sender Receiver

Plaintext

Cipher text

Public

Private

Secrecy


Asymmetric method RSA Authentication

Cipher text

Plaintext

Sender Receiver

Plaintext

Cipher text

Public

Private

Plaintext

Plaintext

Plaintext


PGP princip

Plaintext

Sender Receiver

Plaintext

Public

Private

One time Session key

Encry. Sessionkey

Cipher text

Cipher textEncry. Session

.key

Cipher text

Encry. Sessionkey


Digital signatures

Cipher text

Plaintext

Sender Receiver

Plaintext

Cipher text

Public

Private


Digital signature

Plaintext

Sender

Receiver

Public

Private

message digest160

hash

signature Plaintext

signature Plaintext

message digest160

hash

message digest160


Digital signature

Plaintext

SenderReceiver

Private S

message digest160

hash

signature Plaintext

signature Plaintext

message digest160

hash

message digest160

Public R

Private R

Public S


E-mail security

Plaintext

Sender

Receiver

Private S

message digest160

hash

signature Plaintext

signature Plaintext

message digest160

hash

message digest160

Public R

Private R

Public S

One time Session key

Dec.SESS.

KeY

ENC.SESS.

KEY


Certification Authority Registration Authority

Holder

Certificate information

Public Holder

CA

Digital signature

Private

Public Holder

Digital certificate

RA


Digital signature

Plaintext

SenderReceiver

Private S

message digest160

hash

signaturePlaintext

signature Plaintext

message digest160

hash

message digest160

Public R

Private R

Dig.cert.

Dig.cert.

Dig.cert.CA S


Certification Authority

software for issue the certificatessoftware for issue the certificates creates certificatescreates certificates digitaly signs certificatedigitaly signs certificate

Registration AuthorityRegistration Authority people, processes, toolspeople, processes, tools administration of usersadministration of users


Problems

Do you trust the certification company?Do you trust the certification company? What validation process does the company What validation process does the company

undertake to ensure that an entity is who undertake to ensure that an entity is who they claim to be before issuing a certificate?they claim to be before issuing a certificate?

Who certifies the Certification Authority?Who certifies the Certification Authority?


Certification Process

CertificationAuthority

User

VerifiesCredentials

CreatesCertificate

GeneratesKey Set

Presents PublicKey and

Credentials

ReceivesCertificate

PublicDistribution


Requirements for a CA

Outstanding integrity - recognised by othersOutstanding integrity - recognised by others

Financial backing to cover potential Financial backing to cover potential liabilitiesliabilities


Requirements of a CA

Physically secure environmentPhysically secure environment Tamper resistant modules for its Tamper resistant modules for its

cryptographic processingcryptographic processing Ability to generate key pairsAbility to generate key pairs Random number generatorRandom number generator Ability to check signaturesAbility to check signatures Ability to sign certificatesAbility to sign certificates


Requirements of a CA

Software to support all certificate formatsSoftware to support all certificate formats Clear security policyClear security policy Secure, auditable procedures for certificate Secure, auditable procedures for certificate

productionproduction Directory of certificates (including archived Directory of certificates (including archived

certificates)certificates)


PGP certificate format

PGP version numberPGP version number certificate holders public keycertificate holders public key certificate holders informationcertificate holders information digital signature of certificate ownerdigital signature of certificate owner

using holders private key (self signature)using holders private key (self signature) certificate validity periodcertificate validity period encryption algorrthmencryption algorrthm


X.509 certificate format X.509 version numberX.509 version number certificate holders public keycertificate holders public key serial number of certificateserial number of certificate certificate holders unique identifiercertificate holders unique identifier certificate validity periodcertificate validity period unique name of CAunique name of CA digital signature of CAdigital signature of CA signature algorithmsignature algorithm


Cross Verification

Where there is more than one Certification Where there is more than one Certification Authority there must be a way of relying on Authority there must be a way of relying on certificates provided by other Certification certificates provided by other Certification AuthoritiesAuthorities


Conclusions

The auditor has to accept the integrity of the The auditor has to accept the integrity of the underlying algorithmsunderlying algorithms

The role of the Certification Authority is The role of the Certification Authority is critical to the operational processcritical to the operational process

Certification Authorities will be the key to Certification Authorities will be the key to the entire Public Key Infrastructure (PKI) the entire Public Key Infrastructure (PKI) processprocess

Cryptography Encryption/Decryption Franci Tajnik CISA Franci Tajnik.

Documents

Transcript of Cryptography Encryption/Decryption Franci Tajnik CISA Franci Tajnik.