Digital Signature & Digital Certificate
-
Upload
nirmalya-roy -
Category
Documents
-
view
225 -
download
0
Transcript of Digital Signature & Digital Certificate
-
8/2/2019 Digital Signature & Digital Certificate
1/56
Digital Signature,Digital Signature,
Digital CertificateDigital Certificate
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet
Essential MaterialsEssential Materials
-
8/2/2019 Digital Signature & Digital Certificate
2/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.22
OutlineOutline
IntroductionIntroduction
CryptographyCryptography
SecretSecret--keyalgorithmskeyalgorithms PublicPublic--keyalgorithmskeyalgorithms
MessageMessage--DigestalgorithmsDigestalgorithms
Digital SignatureDigital Signature
Digital CertificateDigital Certificate Public KeyInfrastructure (PKI)Public KeyInfrastructure (PKI)
SecureElectronic Transaction (SET)SecureElectronic Transaction (SET)
SummarySummary
-
8/2/2019 Digital Signature & Digital Certificate
3/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.33
IntroductionIntroduction
CryptographyCryptography andanddigitalcertificatesdigitalcertificates arefirstarefirstappearedinclosedcommercial,financialappearedinclosedcommercial,financial
networkandmilitarysystems.networkandmilitarysystems. Wecansend/receivesecureeWecansend/receivesecuree--mail,connectmail,connect
tosecurewebsitetopurchasegoodsortosecurewebsitetopurchasegoodsorobtainservices.obtainservices.
Problem:Problem: HowdoweimplementtheminthisHowdoweimplementtheminthisglobal,opennetwork,Internet?global,opennetwork,Internet?
TowhatlevelofencryptionissufficienttoTowhatlevelofencryptionissufficienttoprovidesafeandtrustservicesonthe Net?providesafeandtrustservicesonthe Net?
-
8/2/2019 Digital Signature & Digital Certificate
4/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.44
CryptographyCryptography
3 cryptographicalgorithms:3 cryptographicalgorithms:
MessageMessage--digestalgorithmsdigestalgorithms
MapvariableMapvariable--lengthplaintexttofixedlengthplaintexttofixed--lengthlengthciphertext.ciphertext.
SecretSecret--keyalgorithmskeyalgorithms
Useone
single
key
to
encrypt
and
decrypt
.Use
one
single
key
to
encrypt
and
decrypt
.
PublicPublic--keyalgorithmskeyalgorithms
Use 2 differentkeysUse 2 differentkeys publickeyandprivatepublickeyandprivatekey.key.
-
8/2/2019 Digital Signature & Digital Certificate
5/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.55
KeysKeys
Itisavariablevaluethatisused byItisavariablevaluethatisused bycryptographicalgorithmstoproducecryptographicalgorithmstoproduce
encryptedtext,ordecryptencryptedtext.encryptedtext,ordecryptencryptedtext. ThelengthofthekeyreflectsthedifficultyThelengthofthekeyreflectsthedifficulty
todecryptfromtheencryptedmessage.todecryptfromtheencryptedmessage.
Encryption DecryptionPlaintext PlaintextCiphertext
Key Key
-
8/2/2019 Digital Signature & Digital Certificate
6/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.66
Key lengthKey length
Itisthenumberofbits (bytes)inthekey.Itisthenumberofbits (bytes)inthekey.
A 2A 2--bitkeyhasfourvaluesbitkeyhasfourvalues
00, 01, 10, 11 initskeyspace00, 01, 10, 11 initskeyspace
AkeyoflengthAkeyoflengthnn hasakeyspaceof2^nhasakeyspaceof2^ndistinctvalues.distinctvalues.
E.g. thekeyis 128 bitsE.g. thekeyis 128 bits 101010101010101010101010.10010101111111.10010101111111
Thereare 2^128 combinationsThereare 2^128 combinations
340 282 366 920 938 463 463 374 607 431 768 211 456340 282 366 920 938 463 463 374 607 431 768 211 456
-
8/2/2019 Digital Signature & Digital Certificate
7/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.77
SecretSecret--key Encryptionkey Encryption
UseasecretkeytoencryptamessageUseasecretkeytoencryptamessageintociphertext.intociphertext.
UsethesamekeytodecrypttheUsethesamekeytodecrypttheciphertexttotheoriginalmessage.ciphertexttotheoriginalmessage.
AlsocalledAlsocalledSymmetriccryptographySymmetriccryptography..
Encryption DecryptionPlaintext PlaintextCiphertext
SecretKey SecretKey
-
8/2/2019 Digital Signature & Digital Certificate
8/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.88
Secret Key How to?Secret Key How to?
Encrypted TextOriginal Text
+
Secretkey
=
Encrypted Text Original TextSecretkey
+ =
Encryption
Decryption
-
8/2/2019 Digital Signature & Digital Certificate
9/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.99
SecretSecret--Key Problem?Key Problem?
Allkeysneedto beAllkeysneedto bereplaced,ifonekeyreplaced,ifonekeyiscompromised.iscompromised.
NotpracticalforNotpracticalfortheInternettheInternetenvironment.environment.
Ontheotherhand,Ontheotherhand,
theencryptiontheencryptionspeedisfast.speedisfast.
SuitabletoencryptSuitabletoencryptyourpersonaldata.yourpersonaldata.
-
8/2/2019 Digital Signature & Digital Certificate
10/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.1010
SecretSecret--Key algorithmsKey algorithms
Algorithm NameAlgorithm Name Key Length (bits)Key Length (bits)
BlowfishBlowfish Upto 448Upto 448
DESDES 5656
IDEAIDEA 128128
RC2RC2 Upto 2048Upto 2048
RC4RC4 Upto 2048Upto 2048RC5RC5 Upto 2048Upto 2048
TripleDESTripleDES 192192
References:
BlowfishDESIDEARC2RC4
RC5
DES-3
-
8/2/2019 Digital Signature & Digital Certificate
11/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.1111
PublicPublic--key Encryptionkey Encryption
Involves 2 distinctkeysInvolves 2 distinctkeys publicpublic,,privateprivate..
Theprivatekeyiskeptsecretandnever bedivulged,anditisTheprivatekeyiskeptsecretandnever bedivulged,anditispasswordprotected (Passphase).passwordprotected (Passphase).
Thepublickeyisnotsecretandcan befreelydistributed,Thepublickeyisnotsecretandcan befreelydistributed,sharedwithanyone.sharedwithanyone.
ItisalsocalledItisalsocalledasymmetriccryptographyasymmetriccryptography..
Twokeysaremathematicallyrelated,itisinfeasibletoderiveTwokeysaremathematicallyrelated,itisinfeasibletoderivetheprivatekeyfromthepublickey.theprivatekeyfromthepublickey.
100 to 1000 timesslowerthansecret100 to 1000 timesslowerthansecret--keyalgorithms.keyalgorithms.
Encryption DecryptionPlaintext PlaintextCiphertext
Public Key Private Key
-
8/2/2019 Digital Signature & Digital Certificate
12/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.1212
How to use 2 different keys?How to use 2 different keys?
Justanexample:Justanexample:
Public KeyPublic Key = 4,= 4,Private KeyPrivate Key = 1/4,= 1/4,message M = 5message M = 5
Encryption:Encryption:
CiphertextC = M *CiphertextC = M * Public KeyPublic Key
5 * 4 = 205 * 4 = 20 Decryption:Decryption:
PlaintextM = C *PlaintextM = C * Private KeyPrivate Key
20 *20 * = 5= 5
-
8/2/2019 Digital Signature & Digital Certificate
13/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.1313
PublicPublic--Private EncryptionPrivate Encryption
First,createpublic
andprivatekey
Publickey
Privatekey
Privatekey
Privatekeystoredinyourpersonalcomputer
Public KeyDirectory
Public Key
Publickeystoredinthedirectory
-
8/2/2019 Digital Signature & Digital Certificate
14/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.1414
Message EncryptionMessage Encryption
((User AUser A sends message tosends message to User BUser B))
Public KeyDirectory
Text
UserA
UserBsPublic Key
Encryption
EncryptedText
-
8/2/2019 Digital Signature & Digital Certificate
15/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.1515
Message EncryptionMessage Encryption
Original Message Encrypted Message
-
8/2/2019 Digital Signature & Digital Certificate
16/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.1616
Transfer Encrypted DataTransfer Encrypted Data
UserA
EncryptedTextEncryptedText
Insecure Channel
UserB
-
8/2/2019 Digital Signature & Digital Certificate
17/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.1717
Decryption with yourDecryption with your
Private keyPrivate keyEncrypted
Text
UserBsPrivatekey
Privatekeystoredinyourpersonalcomputer
Decryption
Original Text
UserB
-
8/2/2019 Digital Signature & Digital Certificate
18/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.1818
Asymmetric algorithmsAsymmetric algorithms
Algorithm NameAlgorithm Name Key Length (bits)Key Length (bits)
DSADS A Upto 448Upto 448
El GamalEl Gamal 5656
RSARSA 128128
DiffieDiffie--HellmanHellman Upto 2048Upto 2048
References:
DSAEl GamalRSADiffie-Hellman
-
8/2/2019 Digital Signature & Digital Certificate
19/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.1919
How difficult to crack a key?How difficult to crack a key?
KeyKeyLengthLength
IndividualIndividualAttackerAttacker
SmallSmallGroupGroup
AcademicAcademicNetworkNetwork
Large CompanyLarge Company MilitaryInteligenceMilitaryInteligenceAgencyAgency
4040 WeeksWeeks DaysDays HoursHours MillisecondsMilliseconds MicrosecondsMicroseconds
5656 CenturiesCenturies DecadesDecades Years Years HoursHours SecondsSeconds
6464 MillenniaMillennia CenturiesCenturies DecadesDecades DaysDays MinutesMinutes
8080 InfeasibleInfeasible InfeasibleInfeasible InfeasibleInfeasible CenturiesCenturies CenturiesCenturies
128128 InfeasibleInfeasible InfeasibleInfeasible InfeasibleInfeasible InfeasibleInfeasible MillenniaMillennia
AttackerAttacker Computer ResourcesComputer Resources Keys/ SecondKeys/ Second
IndividualattackerIndividualattacker OnehighOnehigh--performancedesktopmachine & Softwareperformancedesktopmachine & Software 2^172^17 2^242^24
SmallgroupSmallgroup 16 high16 high--endmachines & Softwareendmachines & Software 2^212^21 2^242^24
Academic NetworkAcademic Network 256 high256 high--endmachines & Softwareendmachines & Software 2^252^25 2^282^28
LargecompanyLargecompany $1,000,000 hardware budget$1,000,000 hardware budget 2^432^43
MilitaryIntelligenceagencyMilitaryIntelligenceagency $1,000,000 hardware budget+advancedtechnology$1,000,000 hardware budget+advancedtechnology 2^552^55
-
8/2/2019 Digital Signature & Digital Certificate
20/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.2020
Crack DESCrack DES--3 (Secret3 (Secret--key)key)
Distributed.netconnects100,000 PCsonthe Net,togetarecord-breaking22 hr 15 mintocracktheDES algorithm.
Speed: 245 billionkeys/s
Win$10,000
-
8/2/2019 Digital Signature & Digital Certificate
21/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.2121
MessageMessage--DigestDigest
AlgorithmsAlgorithms ItmapsavariableItmapsavariable--lengthinputlengthinput
messagetoafixedmessagetoafixed--lengthoutputlengthoutput
digest.digest. ItisnotfeasibletodeterminetheItisnotfeasibletodeterminethe
originalmessage basedonitsdigest.originalmessage basedonitsdigest.
ItisimpossibletofindanarbitraryItisimpossibletofindanarbitrarymessagethathasadesireddigest.messagethathasadesireddigest.
ItisinfeasibletofindtwomessagesItisinfeasibletofindtwomessagesthathavethesamedigest.thathavethesamedigest.
-
8/2/2019 Digital Signature & Digital Certificate
22/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.2222
MessageMessage--Digest How toDigest How to
AhashfunctionisaAhashfunctionisamathequationthatmathequationthat
createamessagecreateamessagedigestfrommessage.digestfrommessage.
AmessagedigestisAmessagedigestisusedtocreateausedtocreateauniquedigitaluniquedigitalsignaturefromasignaturefromaparticulardocument.particulardocument.
MD5 exampleMD5 example
HashFunction
Original Message(Document,E-mail)
Digest
-
8/2/2019 Digital Signature & Digital Certificate
23/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.2323
Message Digest DemoMessage Digest Demo
-
8/2/2019 Digital Signature & Digital Certificate
24/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.2424
MessageMessage--DigestDigest
MessageMessage--DigestDigestAlgorithmAlgorithm
DigestLengthDigestLength(bits)(bits)
MD2MD2 128128
MD4MD4 128128
MD5MD5 128128
SecureHashSecureHashAlgorithm (SHA)Algorithm (SHA)
160160
References:
MD2MD4MD5
SHA
-
8/2/2019 Digital Signature & Digital Certificate
25/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.2525
Break TimeBreak Time 15 minutes15 minutes
-
8/2/2019 Digital Signature & Digital Certificate
26/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.2626
Digital SignatureDigital Signature
Digitalsignaturecan beusedinallDigitalsignaturecan beusedinallelectroniccommunicationselectroniccommunications
Web,eWeb,e--mail,email,e--commercecommerce
ItisanelectronicstamporsealthatItisanelectronicstamporsealthatappendtothedocument.appendtothedocument.
EnsurethedocumentbeingEnsurethedocumentbeingunchangedduringtransmission.unchangedduringtransmission.
-
8/2/2019 Digital Signature & Digital Certificate
27/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.2727
How digital SignatureHow digital Signature
works?works?UserA
UserB
UseAsprivatekeytosignthedocument
TransmitviatheInternet
UserBreceivedthedocumentwith
signatureattachedVerifythesignaturebyAspublickeystoredatthedirectory
-
8/2/2019 Digital Signature & Digital Certificate
28/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.2828
Digital Signature GenerationDigital Signature Generation
and Verificationand VerificationMessage Sender Message Receiver
Message Message
Hashfunction
Digest
Encryption
Signature
Hashfunction
Digest
Decryption
ExpectedDigest
PrivateKey
PublicKey
-
8/2/2019 Digital Signature & Digital Certificate
29/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.2929
Digital SignatureDigital Signature
ReferenceReference
-
8/2/2019 Digital Signature & Digital Certificate
30/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.3030
Key ManagementKey Management
PrivatekeyarepasswordPrivatekeyarepassword--protected.protected.
Ifsomeonewantyourprivatekey:Ifsomeonewantyourprivatekey:
TheyneedthefilecontainsthekeyTheyneedthefilecontainsthekey
TheyneedthepassphraseforthatkeyTheyneedthepassphraseforthatkey
IfyouhaveneverwrittendownyourIfyouhaveneverwrittendownyour
passphraseortoldanyonepassphraseortoldanyone VeryhardtocrackVeryhardtocrack
BruteBrute--forceforce attackwonattackwontworktwork
-
8/2/2019 Digital Signature & Digital Certificate
31/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.3131
Digital CertificatesDigital Certificates
Digital CertificateisadatawithdigitalDigital Certificateisadatawithdigitalsignaturefromonetrustedsignaturefromonetrusted
CertificationAuthority (CA).CertificationAuthority (CA).
Thisdatacontains:Thisdatacontains:
WhoownsthiscertificateWhoownsthiscertificate
WhosignedthiscertificateWhosignedthiscertificate TheexpireddateTheexpireddate
Username & emailaddressUsername & emailaddress
-
8/2/2019 Digital Signature & Digital Certificate
32/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.3232
Digital CertificateDigital Certificate
ReferenceReference
-
8/2/2019 Digital Signature & Digital Certificate
33/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.3333
Elements of Digital Cert.Elements of Digital Cert.
ADigitalIDtypicallycontainsthefollowinginformation:ADigitalIDtypicallycontainsthefollowinginformation:
Yourpublickey,YournameandemailaddressYourpublickey,Yournameandemailaddress
Expirationdateofthepublickey, Nameofthe CAwhoissuedyourDigitalIDExpirationdateofthepublickey, Nameofthe CAwhoissuedyourDigitalID
-
8/2/2019 Digital Signature & Digital Certificate
34/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.3434
Certification AuthorityCertification Authority
(CA)(CA) AtrustedagentwhocertifiespublickeysforAtrustedagentwhocertifiespublickeysfor
generaluse (CorporationorBank).generaluse (CorporationorBank).
Userhastodecidewhich CAscan betrusted.Userhastodecidewhich CAscan betrusted. Themodelforkeycertification basedonThemodelforkeycertification basedon
friendsandfriendsoffriendsiscalledfriendsandfriendsoffriendsiscalledWebWebofTrustofTrust .. Thepublickeyispassingfromfriendtofriend.Thepublickeyispassingfromfriendtofriend.
Workswellinsmallorhighconnectedworlds.Workswellinsmallorhighconnectedworlds.
WhatifyoureceiveapublickeyfromsomeoneWhatifyoureceiveapublickeyfromsomeoneyoudonyoudontknow?tknow?
-
8/2/2019 Digital Signature & Digital Certificate
35/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.3535
CA model (Trust model)CA model (Trust model)
RootCertificate
CA Certificate
Browser Cert.
CA Certificate
Server Cert.
-
8/2/2019 Digital Signature & Digital Certificate
36/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.3636
Web of Trust modelWeb of Trust model
Bob
A
B
Alice
D
C
-
8/2/2019 Digital Signature & Digital Certificate
37/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.3737
Public Key InfrastructurePublic Key Infrastructure
(PKI)(PKI) PKIisasystemthatusespublicPKIisasystemthatusespublic--keykey
encryptionanddigitalcertificatestoencryptionanddigitalcertificatesto
achievesecureInternetservices.achievesecureInternetservices.
Thereare 4 majorpartsinPKI.Thereare 4 majorpartsinPKI.
CertificationAuthority (CA)CertificationAuthority (CA)
Adirectory ServiceAdirectory Service Services,Banks, Web serversServices,Banks, Web servers
BusinessUsersBusinessUsers
-
8/2/2019 Digital Signature & Digital Certificate
38/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.3838
Digital 21 . gov .hkDigital 21 . gov .hk
Reference:AnofficialhomepagewhichprovideslotofPKI,e-commerceinformation
-
8/2/2019 Digital Signature & Digital Certificate
39/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.3939
PKI StructurePKI Structure
CertificationAuthority Directoryservices
User
Services,Banks,Webservers
Public/Private Keys
-
8/2/2019 Digital Signature & Digital Certificate
40/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.4040
4 key services4 key services
AuthenticationAuthentication Digital CertificateDigital Certificate Toidentifyauserwhoclaimwhohe/sheis,inordertoaccessToidentifyauserwhoclaimwhohe/sheis,inordertoaccess
theresource.theresource.
NonNon--repudiationrepudiation
Digital SignatureDigital Signature Tomaketheuser becomesunabletodenythathe/shehassentTomaketheuser becomesunabletodenythathe/shehassentthemessage,signedthedocumentorparticipatedinathemessage,signedthedocumentorparticipatedinatransaction.transaction.
ConfidentialityConfidentiality-- EncryptionEncryption Tomakethetransactionsecure,nooneelseisabletoTomakethetransactionsecure,nooneelseisableto
read/retrievetheongoingtransactionunlessthecommunicatingread/retrievetheongoingtransactionunlessthecommunicatingparties.parties.
IntegrityIntegrity-- EncryptionEncryption ToensuretheinformationhasnotbeentamperedduringToensuretheinformationhasnotbeentamperedduring
transmission.transmission.
-
8/2/2019 Digital Signature & Digital Certificate
41/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.4141
Certificate SignersCertificate Signers
-
8/2/2019 Digital Signature & Digital Certificate
42/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.4242
Certificate EnrollmentCertificate Enrollment
and Distributionand Distribution
-
8/2/2019 Digital Signature & Digital Certificate
43/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.4343
Secure WebSecure Web
CommunicationCommunication ServerauthenticationisnecessaryforawebServerauthenticationisnecessaryforaweb
clienttoidentifytheweb siteitisclienttoidentifytheweb siteitis
communicatingwith
.communicating
with
.
Touse SSL,aspecialtypeofdigitalTouse SSL,aspecialtypeofdigitalcertificatecertificate ServercertificateServercertificate isused.isused.
Getaservercertificatefroma CA.Getaservercertificatefroma CA.
E.g.E.g. www.hitrust.com.hkwww.hitrust.com.hk,,www.cuhk.edu.hk/ca/www.cuhk.edu.hk/ca/ Installaservercertificateatthe Web server.Installaservercertificateatthe Web server.
Enable SSL onthe Web site.Enable SSL onthe Web site.
ClientauthenticationClientauthentication ClientcertificatesClientcertificates
-
8/2/2019 Digital Signature & Digital Certificate
44/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.4444
Strong and WeakStrong and Weak
EncryptionEncryption StrongencryptionStrongencryption
Encryptionmethodsthatcannotbecracked byEncryptionmethodsthatcannotbecracked bybrutebrute--force (inareasonableperiodoftime).force (inareasonableperiodoftime).
TheworldfastestcomputerneedsthousandsofTheworldfastestcomputerneedsthousandsofyearstocomputeakey.yearstocomputeakey.
WeakencryptionWeakencryption Acodethatcan be brokeninapracticaltimeAcodethatcan be brokeninapracticaltime
frame.frame. 5656--bitencryptionwascrackedin 1999.bitencryptionwascrackedin 1999.
6464--bitwill becrackedin 2011.bitwill becrackedin 2011.
128128--bitwill becrackedin 2107.bitwill becrackedin 2107.
-
8/2/2019 Digital Signature & Digital Certificate
45/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.4545
Pretty Good PrivacyPretty Good Privacy
(PGP)(PGP) ReleaseinJune 1991 byPhilipReleaseinJune 1991 byPhilip
Zimmerman (PRZ)Zimmerman (PRZ)
PGPisahybridcryptosystemthatPGPisahybridcryptosystemthatallowsusertoencryptanddecrypt.allowsusertoencryptanddecrypt.
UsesessionkeyUsesessionkeyarandomgeneratedarandomgenerated
numberfromthemousemovementornumberfromthemousemovementorkeystrokeskeystrokes
Demo &Demo & TutorialTutorial
-
8/2/2019 Digital Signature & Digital Certificate
46/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.4646
PGP Public KeyPGP Public Key
Philip R Zimmermann's Public KeysPhilip R Zimmermann's Public Keys
Current DSS/DiffieCurrent DSS/Diffie--Hellman Key:Hellman Key:
Key fingerprint: 055F C78F 1121 9349 2C4F 37AF C746 3639 B2D7 795EKey fingerprint: 055F C78F 1121 9349 2C4F 37AF C746 3639 B2D7 795E
----------BEGIN PGP PUBLIC KEY BLOCKBEGIN PGP PUBLIC KEY BLOCK----------
Version: PGP 7.0.3Version: PGP 7.0.3
mQGiBDpU6CcRBADCT/tGpBu0EHpjd3G11QtkTWYnihZDBdenjYV2EvotgRZAj5h4ewprq1u/zqzGBYpiYL/9j+5XDFcoWF24bzsUmHXsbDmQGiBDpU6CcRBADCT/tGpBu0EHpjd3G11QtkTWYnihZDBdenjYV2EvotgRZAj5h4ewprq1u/zqzGBYpiYL/9j+5XDFcoWF24bzsUmHXsbDSiv+XEyQND1GUdx4wVcEY5rNjkArX06XuZzObvXFXOvqRj6LskePtw3xLf5uj8jPN0Nf6YKnhfGIHRWQCg/0UAr3hMK6zcA/egvWRGsm9dSiv+XEyQND1GUdx4wVcEY5rNjkArX06XuZzObvXFXOvqRj6LskePtw3xLf5uj8jPN0Nf6YKnhfGIHRWQCg/0UAr3hMK6zcA/egvWRGsm9dJecD/18XWekzt5JJeK3febJO/3Mwe43O6VNOxmMpGWOYTrhivyOb/ZLgLedqX+MeXHGdGroARZ+kxYq/a9y5jNcivD+EyN+IiNDPD64rl00JecD/18XWekzt5JJeK3febJO/3Mwe43O6VNOxmMpGWOYTrhivyOb/ZLgLedqX+MeXHGdGroARZ+kxYq/a9y5jNcivD+EyN+IiNDPD64rl00FNZksx7dijD89PbIULDCtUpps2J0gk5inR+yzinf+jDyFnn5UEHI2rPFLUbXWHJXJcp0UBACBkzDdesPjEVXZdTRTLk0sfiWEdcBM/5GpNswFNZksx7dijD89PbIULDCtUpps2J0gk5inR+yzinf+jDyFnn5UEHI2rPFLUbXWHJXJcp0UBACBkzDdesPjEVXZdTRTLk0sfiWEdcBM/5GpNswMlK4A7A6iqJoSNJ4pO5Qq6PYOwDFqGir19WEfoTyHW0kxipnVbvq4q2vAhSIKOqNEJGxg4DTEKecf3xCdJ0kW8dVSogHDH/c+Q4+RFQMlK4A7A6iqJoSNJ4pO5Qq6PYOwDFqGir19WEfoTyHW0kxipnVbvq4q2vAhSIKOqNEJGxg4DTEKecf3xCdJ0kW8dVSogHDH/c+Q4+RFQq/31aev3HDy20YayxAE94BWIsKkhaMyokAYQQfEQIAIQUCOlTwWwIHABcMgBE/xzIEHSPp6mbdtQCcnbwh33TcYQAKCRDHRjY5std5Xlq/31aev3HDy20YayxAE94BWIsKkhaMyokAYQQfEQIAIQUCOlTwWwIHABcMgBE/xzIEHSPp6mbdtQCcnbwh33TcYQAKCRDHRjY5std5Xle4AKCh1dqtFxD/BiZMqdP1eZYG8AZgTACfU7VX8NpIaGmdyzVdrSDUo49AJae0IlBoaWxpcCBSLiBaaW1tZXJtYW5uIDxwcnpAbWl0LmVe4AKCh1dqtFxD/BiZMqdP1eZYG8AZgTACfU7VX8NpIaGmdyzVdrSDUo49AJae0IlBoaWxpcCBSLiBaaW1tZXJtYW5uIDxwcnpAbWl0LmVkdT6JAFUEEBECABUFAjpU6CcFCwkIBwMCGQEFGwMAAAAACgkQx0Y2ObLXeV5WUQCfWWfTDHzSezrDawgN2Z4Qb7dHKooAoJyVkdT6JAFUEEBECABUFAjpU6CcFCwkIBwMCGQEFGwMAAAAACgkQx0Y2ObLXeV5WUQCfWWfTDHzSezrDawgN2Z4Qb7dHKooAoJyVnm61utdRsdLr2e6QnV5Z0yjjiQBGBBARAgAGBQI6VOkSAAoJEGPLaR3669X8JPcAnim4+Hc0oteQZrNUeuMSuirNVUr7AKC1WXJI7gwMnm61utdRsdLr2e6QnV5Z0yjjiQBGBBARAgAGBQI6VOkSAAoJEGPLaR3669X8JPcAnim4+Hc0oteQZrNUeuMSuirNVUr7AKC1WXJI7gwMq0Agz07hQs++POJBMokARgQQEQIABgUCOlcobQAKCRDXjLzlZqdLMVBtAKDa5VPcb6NVH6tVeEDJUv+tBjp6oACeLoNtfbs2rvJkgKDHq0Agz07hQs++POJBMokARgQQEQIABgUCOlcobQAKCRDXjLzlZqdLMVBtAKDa5VPcb6NVH6tVeEDJUv+tBjp6oACeLoNtfbs2rvJkgKDHWEIDmJdgy2GJAD8DBRA6WP4Y8CBzV/QUlSsRAkmdAKC3TfkSSeh+poPFnMfW+/Y/+AAEEpGSUYAAQEAAAEAAQAA/9sAQwAKBwcWEIDmJdgy2GJAD8DBRA6WP4Y8CBzV/QUlSsRAkmdAKC3TfkSSeh+poPFnMfW+/Y/+AAEEpGSUYAAQEAAAEAAQAA/9sAQwAKBwcIBwYKCAgICwoKCw4YEA4NDQ4dFRYRGCMfJSQiHyIhJis3LyYpNCkhIjBBMTQ5Oz4+PiUuRElDPEg3PT47///EALUQAAIBAwMCBAMFBIBwYKCAgICwoKCw4YEA4NDQ4dFRYRGCMfJSQiHyIhJis3LyYpNCkhIjBBMTQ5Oz4+PiUuRElDPEg3PT47///EALUQAAIBAwMCBAMFB
....
QQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6OnQQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6Onq8fLz9PX29/j5+v/EAB8BAAMBAQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC//EALURAAIBAgQEAwQHBQQEAAECdwABAgMRBAUq8fLz9PX29/j5+v/EAB8BAAMBAQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC//EALURAAIBAgQEAwQHBQQEAAECdwABAgMRBAU
hMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEXGBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWphMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEXGBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX29/j5+v/aAAzdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX29/j5+v/aAAwDAQACEQMRAD8A9mooooAKKKKACsjW/Eum6FGTdS7pcfLEv3j/AIfjWV428XHQrf7HY4e/lHXIxEvqfevH7y8lupXmmuJppWOZJC+AD9wDAQACEQMRAD8A9mooooAKKKKACsjW/Eum6FGTdS7pcfLEv3j/AIfjWV428XHQrf7HY4e/lHXIxEvqfevH7y8lupXmmuJppWOZJC+AD9aly7GkIX1Z3OpfE3Up3K2EUVumcdN7fy/pWLL4415wPM1GWPJyNpK/0Fc5btG/Pktkfx7yTVhYAGLsAxbryf5c5rNvzNlG3Q6yz8ZaxEyudQaly7GkIX1Z3OpfE3Up3K2EUVumcdN7fy/pWLL4415wPM1GWPJyNpK/0Fc5btG/Pktkfx7yTVhYAGLsAxbryf5c5rNvzNlG3Q6yz8ZaxEyudQkcZ+7JtYH867PRfG9nfIsd7/o8p/iI+U/4V5EI/IGV+XUGfnHy9iUsiGSa6q6Jew1XpTDJvAAICDACNUV4K2PS6h574Z3NaBsIQe5jkVO48MSkcZ+7JtYH867PRfG9nfIsd7/o8p/iI+U/4V5EI/IGV+XUGfnHy9iUsiGSa6q6Jew1XpTDJvAAICDACNUV4K2PS6h574Z3NaBsIQe5jkVO48MSohjC6s29CjPhlU79cQIYWmBpuNfwroZ6zltyz6Y2Fm65V0IfvVicR7zvFFCOhahMuk1cr+Qp936OMEq9sLZGxTjClgwrHGS7YpMSZrEC7bpohjC6s29CjPhlU79cQIYWmBpuNfwroZ6zltyz6Y2Fm65V0IfvVicR7zvFFCOhahMuk1cr+Qp936OMEq9sLZGxTjClgwrHGS7YpMSZrEC7bpOmERjo4F/n5YmCHJCH8QzCOc9+80gjVEsHiJVABrC8yykjKL5x1V/PSArE4QtMLbkBPGmQYOw8bx6jCHoO43QjUzbqRfBMHZqWVJyoIIOmERjo4F/n5YmCHJCH8QzCOc9+80gjVEsHiJVABrC8yykjKL5x1V/PSArE4QtMLbkBPGmQYOw8bx6jCHoO43QjUzbqRfBMHZqWVJyoIIZCp+n13XM4+NO/cDVsZ8bjch0LIOyMrT85n24yfXRlP0s7BFjLm59Jjhf4djuJWikJawWETlypAy86OYRRuwCbIyNauBeTKy+avZvF2oLvpwZCp+n13XM4+NO/cDVsZ8bjch0LIOyMrT85n24yfXRlP0s7BFjLm59Jjhf4djuJWikJawWETlypAy86OYRRuwCbIyNauBeTKy+avZvF2oLvpwH4UnudpC06/O0jkj2lQpn9EEUw11RwO6sq9zYTwAUyKerN00cbCfyiZl01CIo0btcTO6hQK3c67PaloJ9lVH8/mH7LuqkMLDH5ugkpzmed/8H4UnudpC06/O0jkj2lQpn9EEUw11RwO6sq9zYTwAUyKerN00cbCfyiZl01CIo0btcTO6hQK3c67PaloJ9lVH8/mH7LuqkMLDH5ugkpzmed/8SorfqVkakne6b4mRySFCBXaVZoKmDHzcH2oSSMhM9exyh6dzi1bGu6JAEwEGBECAAwFAjpU6CcFGwwAAAAACgkQx0Y2ObLXeV7lbSorfqVkakne6b4mRySFCBXaVZoKmDHzcH2oSSMhM9exyh6dzi1bGu6JAEwEGBECAAwFAjpU6CcFGwwAAAAACgkQx0Y2ObLXeV7lbQCg+N+fI3bzqF9+fB50J5sFHVHM7hYAn0+9AfDl5ncnr4D7 ReMDlYoIZwRR =Bgy+QCg+N+fI3bzqF9+fB50J5sFHVHM7hYAn0+9AfDl5ncnr4D7 ReMDlYoIZwRR =Bgy+
----------END PGP PUBLIC KEY BLOCKEND PGP PUBLIC KEY BLOCK----------
-
8/2/2019 Digital Signature & Digital Certificate
47/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.4747
PGP encryptionPGP encryption
ReferenceReference
-
8/2/2019 Digital Signature & Digital Certificate
48/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.4848
PGP decryptionPGP decryption
ReferenceReference
-
8/2/2019 Digital Signature & Digital Certificate
49/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.4949
Secure SHell (SSH)Secure SHell (SSH)
ProvideanProvideanencryptedencrypted
securechannelsecurechannelbetweenclientbetweenclientandserver.andserver.
ReplacementforReplacementfor
telnetandftp.telnetandftp. Reference:Reference:SSHSSH
-
8/2/2019 Digital Signature & Digital Certificate
50/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.5050
Secure Shell & Secure FTPSecure Shell & Secure FTP
Secure Shell SecureFTP
TheHostsPublic Key
-
8/2/2019 Digital Signature & Digital Certificate
51/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.5151
Secure ElectronicSecure Electronic
Transaction (SET)Transaction (SET) Thisprotocolisdeveloped byVisaand MasterCardThisprotocolisdeveloped byVisaand MasterCard
specificallyforthesecurecreditcardtransactionsspecificallyforthesecurecreditcardtransactionsontheInternet.ontheInternet.
SET encryptscreditcardandpurchaseinformationSET encryptscreditcardandpurchaseinformationbeforetransmissionovertheInternet.beforetransmissionovertheInternet.
SET allowsthemerchantSET allowsthemerchantsidentify beauthenticatedsidentify beauthenticatedviadigitalcertificates,alsoallowsthemerchanttoviadigitalcertificates,alsoallowsthemerchantto
authenticateusersthroughtheirdigitalcertificatesauthenticateusersthroughtheirdigitalcertificates(moredifficulttosomeone(moredifficulttosomeonesstolencreditcard).sstolencreditcard).
SET DEMOSET DEMO
-
8/2/2019 Digital Signature & Digital Certificate
52/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.5252
Secure ElectronicSecure Electronic
Transaction (SET)Transaction (SET) Therearefourpartsinthe SET system.Therearefourpartsinthe SET system.
AsoftwareAsoftwarewalletwallet ontheuserontheuserscomputerscomputerCardholderCardholder
..
AcommerceserverthatrunsonthemerchantAcommerceserverthatrunsonthemerchantssweb siteweb siteMerchantMerchant ..
ThepaymentserverthatrunsatthemerchantThepaymentserverthatrunsatthemerchantssbankbankAcquiring bankAcquiring bank..
The CertificationAuthorityThe CertificationAuthorityIssuing bankIssuing bank..
SET FAQsSET FAQs
-
8/2/2019 Digital Signature & Digital Certificate
53/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.5353
SETSET
-
8/2/2019 Digital Signature & Digital Certificate
54/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.5454
PrivacyPrivacy--Enhanced EEnhanced E--mailmail
Encrypted
Signed
-
8/2/2019 Digital Signature & Digital Certificate
55/56
CSC1720CSC1720 IntroductiontoInternetIntroductiontoInternet Allcopyrightsreserved by C.C. Cheung 2003.Allcopyrightsreserved by C.C. Cheung 2003.5555
SummarySummary
MakesureyouunderstandtherelationshipMakesureyouunderstandtherelationshipbetweenbetween EncryptionEncryption
Digital SignatureDigital Signature
Digital CertificateDigital Certificate
CertificateAuthorityCertificateAuthority
UnderstandwhichPublic/PrivatekeyshouldUnderstandwhichPublic/Privatekeyshouldbeusedtoencrypt/decryptmessagebeusedtoencrypt/decryptmessageto/fromyou?to/fromyou?
DiscussPGP, SET, SSH,encryptedemail.DiscussPGP, SET, SSH,encryptedemail.
-
8/2/2019 Digital Signature & Digital Certificate
56/56
CSC1720CSC1720 Introduction to InternetIntroduction to Internet All copyrights reserved by C C Cheung 2003All copyrights reserved by C C Cheung 20035656
ReferencesReferences
Digital Certificate (AppliedInternet Security)ByDigital Certificate (AppliedInternet Security)ByFeghhi,Feghhi, WilliamsFeghhi,Feghhi, Williams Addison WesleyAddison Wesley
Basic CrytographyBasic Crytography
Digital SignatureDigital Signature
PKI ResourcesPKI Resources
SET ResourcesSET Resources
GeneralDefinitionsGeneralDefinitions
DigitalIDFAQDigitalIDFAQ
TheEnd.TheEnd.
Thankyouforyourpatience!Thankyouforyourpatience!