The Application of Public Key Cryptography to

Network Security

Ted Reinhardt

reinhardt@ncf.ca

Course 94.470

Learning Objectives

• Understand how public key cryptography can be used to provide network security services such as:– Confidentiality– Non-repudiation– Authentication– Notarization

Crypto System

a pair of data transformations:– one encrypts– the other decrypts

Encryptplain text

Decryptcipher text plain text

key key

Encryption

Ek(m) c

m plain text message

c cipher text

k key

Decryption

Dk(c) m

c ciphertext

m message

k key

Symmetric Key Crypto System

• same key is used for both transformations

Encryptplain text

Decryptciphertext

plain text

Key=1 Key=1

IBM IBMHAL

A B C D E F G H I J K L M N O P Q R S T U V W X Y ZZ A B C D E F G H I J K L M N O P Q R S T U V W X Y

A word about symmetric key crypto systems

• Keys must be protected at all times at least to the highest level of the information exchanged for the entire useful life of the message.

• Key distribution is therefore expensive

• Keys must be changed frequently

• large symmetric crypto networks are a nightmare to manage

Symmetric Algorithms

• Rijndael• RC6• Twofish• Casear• RC4• CAST• DES• Triple DES

Rijndael

Public Key Crypto System

a pair of data transformations:– one encrypts– the other decrypts

Encryptplain text

Decryptciphertext plain text

public key private key

IBM IBM03422AFDS

=

An Engineering Love StoryOur Cast of Players

Alice Bob

Carl

Hopelessly in love with BobTotally Clueless

A spy for a tabloid newspaper

Public Key Crypto System

• complementary key pairs

• one private key, and a corresponding public keyName Public Private

Alice 7 13

Bob 11 23

Carl 71 53

Public Key Crypto System

• Alice encrypts message for Bob’s eyes only.

AliceEncrypt

plain text BobDecrypt

cipher textplain text

Sender to Receiver Confidentiality

Name Public Private

Alice 7 13

Bob 11 23

Carl 71 53

Bob’s Public Key11

Bob’s Private Key23

I LOVE YOU #$@deew I LOVE YOU

Public Key Crypto System

• Bob encrypts message for Alice’s eyes only.

BobEncrypt

plain text AliceDecrypt

ciphertextplain text

Sender to Receiver Confidentiality

Name Public Private

Alice 7 13

Bob 11 23

Carl 71 53

Alice’s Public Key7

Alice’s Private Key13

Confidentiality - Objective 1

• Sender to Receiver Confidentiality

• Encrypt with Public Key of the Addressee

• Equivalent to sealing an envelope by encrypting

• Only the Receiver can decode with his own Private Key (as long as the Private Key is kept Private).

Public Key Cryptosystem

• Alice digitally signs message for Bob

AliceEncrypt

plain text BobDecrypt

cipher textplain text

Authentication / Digital Signature

Name Public Private

Alice 7 13

Bob 11 23

Carl 71 53

Alice’s Private Key13

Alice’s Public Key7

Authentication & Non-Repudiation Objective #2

• Sender encrypts message with own private key

• Receiver decrypts message with senders public key.

• Correct decryption indicates the message is authentic.

Public Key Crypto System

• Alice signs and seals message for Bob

AliceEncrypt

plain text AliceEncrypt

ciphertext Ciphered

Ciphertext

Combined Digital Signature and Encryption

Name Public Private

Alice 7 13

Bob 11 23

Carl 71 53

Sign Seal

Alice’s Private Key13

Bob’s Public Key11

Public Key Crypto System

• Bob unseals message, and authenticates it

BobDecrypt

Ciphered

cipher text

Bob Decrypts

message+ signature

clear text

Combined Decryption and Authentication

Name Public Private

Alice 7 13

Bob 11 23

Carl 71 53

Opens Authenticates

Bob’s Private Key23

Alice’s Public Key7

Blind Notarization

• Alice encrypts and signs a message for Bob’s Eyes Only

• Alice send’s the message to Carl who takes Alices encrypted and signed message, adds a date time stamp (11AM 18 March 2015), and then signs it.

• Bob can decode it and check the date time if there is a dispute.

Date-time stamp +Notary’s Signature

Blind Notarization

Alice

NotaryServices

BobSigned by Alice

Sealed for Bob’s Eyes Only

Vulnerability in Key Management

• Certification of Public Keys is required otherwise subject to middle man attack.

Name Public Private

Alice 71 53

Bob 71 23

Carl 71 53

Carl can nowread the messageand then re-encryptfor the intended receiver

Carl can now

masquerade as

Alice

Solution to VulnerabilityCertificate Authority

• Certification of Public Keys is required otherwise subject to middle man attack.

Certificate Authority isrecognized by all parties

Alice Public Key=13 Expiry=10-Aug-2016

DigitallySigned bythe CA

Symmetric vs Asymmetric

• Public Key Crypto– Simplifies Key Management

–Slow– Provides Digital Signature

• Symmetric Key Crypto– Black Bag Key Management

–Fast

HybridBest of Both Worlds

• Use Symmetric Key as session key to encrypt data using Symmetric Key Cryptography– it is faster

• Use Public Key to Encrypt Session Key– fewer key management problems

Message Digest

• A one way function that provides a unique hash based on a data stream input

– MD5 (Deprecated)– SHA-256– SHA-384

Message Digests

Signature and Integrity Implementation

Message Digest

Plain text

Digitally Sign

Integrity

Digest

Signed Digest

Message Digest

Plain text

Digest

COMPARE

Practicalities of Implementation

SymmetricEncryption

Plain text

Random Session Key

Cipher text

Public KeyEncryption Alice’s Session Key

Public KeyEncryption Bob’s Session Key

Alice’s Pub Key

Bob’s Pub Key

Layer 3Virtual Private Network

VPN Gateway

VPN Gateway

InternetCertificateAuthority

Directory

Bob

Alice

Layer 4Secure Sockets Layer

Transport Layer Security

ProtectedWeb Server

FirewallTLS Appliance

Internet

Tunnel

TLS Enabled Browser

Issues

• Who is going to be the CA

• How does a CA decide to trust another CA

• If someone is no longer ok, how do you revoke their credentials and distribute the info

• What is the basis for trust – Certificate Policies, Certificate Practice

Statements

Issues

• What is required to make a legally binding transaction?

• Where do you store the private key?

• Key Escrow --- can someone backup your key for you in the event of loss?

• How do you authenticate people far away the first time?

• What algorithms are ok to use?

References

• RSA FAQ http://www.rsa.com/rsalabs/faq/• www.counterpane.com Cryptogram News• Cryptography and Data Security (D. Denning)• Applied Cryptography (B. Schneier)• Communications Security (W. Ford)