Public Key Infrastructure
Alex Bardas
What is Cryptography ?
• Cryptography is a mathematical method of protecting information– Cryptography is part of, but not equal to,
security
• In modern computing, crypto is used to remediate deficiencies in the cyber space
Cryptographic Primitives
• Four Cryptographic Primitives:
1. Cryptographic Hash
2. Symmetric Encryption
3. Asymmetric Encryption
4. Digital Signatures
Cryptographic Hash
• If the message content is changed, the hash will be different (provides integrity guarantee)
• Knowing the hash does not reveal the input message
Hashing is NOT encryption!
Examples: SHA-1
Text Message(variable length)
Cryptographic Hash Function
“Unique” Fixed-length String (Hash or Digest)
Image source: http://en.wikipedia.org/wiki/File:Cryptographic_Hash_Function.svg
Cryptographic Hash Example
Encryption vs. Hashing
Image source: http://www.unixwiz.net/techtips/iguide-crypto-hashes.html
Symmetric Encryption (Secret-key Encryption)
• Encryption and decryption use the same key• Examples: AES
Clear Text Message Encryption Algorithm
Encrypted Message
Shared Key
Encrypted Message Decryption Algorithm
Clear Text Message
Shared Key
1.
2.
Asymmetric Encryption (Public-key Encryption)
• Every party has a pair of keys: <Kpub , Kpriv>
• Encryption and decryption use different keys• It is hard to infer private key from the public key
Examples: RSA, El-Gamal
Public Key: announced to
everyone
Private Key: known to the owner only
Asymmetric Encryption (Public-key Encryption)
Clear Text Message Encryption Algorithm
Encrypted Message
Public Key
Encrypted Message Decryption Algorithm
Clear Text Message
Private Key
1.
2.
Digital Signature
• Based on asymmetric crypto - Examples: RSA, DSA, El-Gamal
• Properties of a Digital Signature:1. Verification of the validity of a digital signature
needs only the public key
2. Only the owner of the corresponding private key can produce a valid signature
There is also MAC (Message Authentication Code) – signing using a shared key (based on symmetric cryptography)
Digital Signature
Message Signing Algorithm
Signed Message
Private Key
Signed Message Verification Algorithm
Signature is valid
Public Key
1.
2.
A digitally signed Email Message
Image source: http://www.wintellect.com/cs/blogs/pmehner/archive/2009/10/10/howto-obtain-and-configure-a-free-certificate-for-digitally-signing-your-outlook-2007-email.aspx
Public Crypto Challenge
Alice has Bob’s Public
KeyBob has Alice’s
Public KeyI am out of
luck today
- What if Alice and Bob cannot meet and exchange public keys ?- What if Alice and Bob don’t know each other ?- How to do they know that the public key that they are using belongs to the other
legitimate party and not to a malicious third party ?
Man-In-The-Middle
Alice thinks she has
Bob’s Public Key Bob thinks
he has Alice’s
Public Key
1. Eve has Bob’s and Alice legitimate public keys2. “Somehow” Alice and Bob have Eve’s public keys3. It’s Eve’s lucky day
How to Distribute Public Keys ?
• Ad-Hoc public key distribution (distribute at will)– Alice and Bob exchange public keys in a reliable
way• Public directory (similar to the telephone
directory)– Use a read-only directory (hard to modify/forge in
a large scale)• Published on paper
Public Key Distribution
• We want to distribute public keys in electronic form, NOT on paper
• How to verify the authenticity of the digital directory?Use digital signature
Certification Authority (CA)
• Alice and Bob don’t know each other but they both trust Cindy (Certification Authority)
• Alice and Bob have Cindy’s public key
• Cindy certifies Alice and Bob’s public keys => Digital Certificates
Digital Certificates
Cindy’s (CA) Digital Signature
What does the certificate tell us?• This public key belongs to Alice. • Alice is not a CA (Certification Authority)
Public Key Infrastructure
• What if Alice and Bob do not have a common friend?
– Cindy cannot be everywhere, Bob knows her but Alice doesn’t
• We have to find a trustworthy person that knows Cindy and Alice– Carl knows Cindy but doesn’t know Alice directly– Carl knows John and John knows Alice
• Certification chain
Multiple Certification Authorities (CAs)
R
L11 L12
L21 L22L23 L24
L31 L32 L33 L34 L35 L36 L37 L38
CA hierarchy
Alice Bob
John
Carl
Cindy
How are we getting the CA keys?
• Web Browsers are coming with an important number of root CA keys
• Other CA’s or single digital certificates can be added by the user (can be risky)
Valid Certificate (signed by VeriSign)
Valid Certificate Example
Certificates Warnings in Different Web Browsers
Sources of Information
• CIS751 Basic Crypto & PKI slide sets by Xinming (Simon) Ou – Kansas State University
Top Related