David Evans cs.virginia/evans

  • View
    24

  • Download
    0

Embed Size (px)

DESCRIPTION

Lecture 14: Public Key Infrastructure. David Evans http://www.cs.virginia.edu/evans. CS588: Security and Privacy University of Virginia Computer Science. Using RSA to Encrypt. Use 1024-bit modulus (RSA recommends >= 768) Encrypt 1M file 1024 1024-bit messages - PowerPoint PPT Presentation

Text of David Evans cs.virginia/evans

  • David Evanshttp://www.cs.virginia.edu/evansCS588: Security and PrivacyUniversity of VirginiaComputer ScienceLecture 14:Public Key Infrastructure

    CS588 Spring 2005

  • Using RSA to EncryptUse 1024-bit modulus (RSA recommends >= 768)Encrypt 1M file1024 1024-bit messagesTo calculate Me requires log2e 1024-bit modular multipliesWhy does no one use RSA like this?About 100-1000 times slower than DESNeed to be careful not to encrypt particular MsCan speed up encryption by choosing e that is an easy number to multiply by (e.g., 3 or 216 + 1)But, decryption must use non-easy d (~1024 bits)

    CS588 Spring 2005

  • AlternativesUse RSA to establish a shared secret key for symmetric cipher (DES, RC6, ...)Lose external authentication, non-repudiation properties of public-key cryptosystemsSign (encrypt with private key) a hash of the messageA short block that is associated with the message

    CS588 Spring 2005

  • RSA PaperThe need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public file manager when the user joins the system.

    CS588 Spring 2005

  • Key ManagementPublic keys only useful if you know:The public key matches the entity you think it does (and no one else).The entity is trustworthy.

    CS588 Spring 2005

  • Approach 1: Public AnnouncementPublish public keys in a public forumUSENET groupsAppend to email messagesNew York Time classifiedsEasy for rogue to pretend to be someone else

    CS588 Spring 2005

  • Approach 2: Public DirectoryTrusted authority maintains directory mapping names to public keysEntities register public keys with authority in some secure wayAuthority publishes directoryPrint using watermarked paper, special fonts, etc.Allow secure electronic access

    CS588 Spring 2005

  • Can we avoid needing an on-line directory?

    CS588 Spring 2005

  • CertificatesLoren Kohnfelder, MIT 4th year thesis project, 1978: Towards a Practical Public-key CryptosystemPublic-key communication works best when the encryption functions can reliably be shared among the communicants (by direct contact if possible). Yet when such a reliable exchange of functions is impossible the next best thing is to trust a third party. Diffie and Hellman introduce a central authority known as the Public File Each individual has a name in the system by which he is referenced in the Public File. Once two communicants have gotten each others keys from the Public File then can securely communicate. The Public File digitally signs all of its transmission so that enemy impersonation of the Public File is precluded.

    CS588 Spring 2005

  • CertificatesTrustMe.comAliceBob{ alice@alice.org, KUA }Use anything like this?

    CS588 Spring 2005

  • Data encrypted using secret key exchanged using some public keyassociated with some certificate.

    CS588 Spring 2005

  • CS588 Spring 2005

  • SSL (Secure Sockets Layer)Simplified TLS Handshake ProtocolClientServerHelloCheck Certificate using KUCA Pick random KFind K using KRSTextbook, Section 12.5

    CS588 Spring 2005

  • CertificatesVarySignAliceBob{ alice@alice.org, KUA }How does TrustMe.com decide whether to provide Certificate?

    CS588 Spring 2005

  • Verifying IdentitiesVarySignAliceBob{ alice@alice.org, KUA }$$$$

    CS588 Spring 2005

  • With over half a million businesses authenticated, VeriSign follows a rigorous and independently audited authentication process. All involved VeriSign employees pass stringent background checks, and each authentication is split between multiple individuals. We maintain physically secure facilities, including biometric screening on entry.

    CS588 Spring 2005

  • VeriSigns Certificate Classes Secure Site SSL CertificateSupports 40-bit session keyProves: you are communicating with someone willing to pay VeriSign $598 (or with ~$1000 to break a 40-bit key)Except they have a free 14-day trial (but it uses a different Trial CA key)

    CS588 Spring 2005

  • CS588 Spring 2005

  • Secure Site Pro Certificate $995 per yeartrue 128-bit key128-bit encryption offers 288 times as many possible combinations as 40-bit encryption. Thats over a trillion times a trillion times stronger.trillion = 1012 trillion * trillion = 1024 Verisigns marketing claim could be: trillion times a trillion times a trillion times a trillion times a trillion times a trillion times a trillion times ten thousand (in Britain it is a trillions time a trillion times a trillion times a trillion times a billion times a thousand) times stronger (but that would sound even sillier!)Businesses authentication: out-of-band communication, records

    CS588 Spring 2005

  • CS588 Spring 2005

  • Limiting The DamageVarySign.comAliceBob{ alice@alice.org, KUA }CA = EKRTrustMe[alice@alice.org, cert id, expiration time, KUA]CAChecks expiration time > now

    CS588 Spring 2005

  • CS588 Spring 2005

  • Revoking CertificatesVarySign.comAliceBob{ alice@alice.org, KUA }CACASend me the CRL

    CS588 Spring 2005

  • Revoked!

    CS588 Spring 2005

  • Certificate QuestionsHow do participants acquire the authoritys public key?If authoritys private key is compromised, everything is vulnerable!Keep the key locked up well

    CS588 Spring 2005

  • Problems with CertificatesDepends on a certificate authorityNeeds to be a big, trusted entityNeeds to make money (or be publically funded)Need to acquire a certificateMakes anonymity difficultRequires handshaking

    CS588 Spring 2005

  • PGP (Pretty Good Privacy)Keyring: list of public keys, signed by owners private keyAlices keyring:EKRAlice (, )Exchanging Keyrings (Web of Trust)Complete Trust: I trust Alices keyring (add the public key pairings to my own keyring)Partial Trust: I sort of trust Alice, but require confirmation from someone else too (I need to get EKRCathy () before trusting KUBob

    CS588 Spring 2005

  • Avoiding CertificatesWhat if your identity (e.g., your email address) is your public key?

    Is it possible to do this with RSA?Do you want your email address to be a 200-digit random number?

    CS588 Spring 2005

  • Identity Based Encryption[Shamir 1984], [Boneh & Franklin 2003]

    public-key = identityprivate-key = F(master-key, identity)

    The owner of the master-key is the new authority. Must be careful who it gives private keys to.

    CS588 Spring 2005

  • Key-Generating ServiceHolds master-keyParticipants request private keys from KGSSends s to KGS, requests corresponding private keyKGS authenticates requestorIf valid, computes F(master-key, s) and sends over secure channelHow does the trust given to the KGS compare to that given to CA in SSL?KGS can decrypt all messages! With certificates, certificate owner still has her own private key.But, CA can impersonate anyone by generating acertificate with a choosen public-key.

    CS588 Spring 2005

  • Shamirs IBE Signature SchemeSetup: done by KGSSelect p, q large primesN = pqChoose e relatively prime to (N) (p-1)(q-1)Choose d satisfying ed 1 mod (N) Choose h a cryptographic hash functionPublish N, e and h to all participantsKeep d secret master-key

    CS588 Spring 2005

  • Shamirs SignaturesGenerating a private keyprivatekey(ID) = IDd mod NCan only be done by KGS (d is master secret)Signing a message M with identity IDObtain g = privatekey(ID) from KGSChoose random r less than N Compute signature (s, t):t = re mod Ns = g rh(t || M) mod NWarning: book typesetting is off and wrong range for h!

    CS588 Spring 2005

  • Verifying a SignatureKGS produced g = IDd mod NRecipient knows ID and M, system parameters e and N

    t = re mod Ns = g rh(t || M) mod NVerify (ID, s, t, M)se = ID th(t || M) mod N (IDd rh(t || M))e mod N IDderh(t || M)e mod N ID reh(t || M) mod N ID th(t || M) mod NWhat does non-forgability of a Shamir IBE signature rely on?

    CS588 Spring 2005

  • Identity-Based EncryptionShamirs scheme signatures only, not encryptionBoneh & Franklin, 2001First practical and provably secure IBE schemeBuilds on elliptic curves

    CS588 Spring 2005

  • Issues in IBEComplete trust in KGSWith Boneh & Franklins system can use secret sharing techniques to divide this trust among multiple entitiesCould you do this with Shamirs IBE signatures?RevocationCan include expiration times in identitiesBut no way to revoke granted private keys

    CS588 Spring 2005

  • ChargeRead Chapter 13 in the bookLook at the certificate chains when you browse the webFind a certificate with a trust chain more than two levels deepUpdate your browser CRLs: when were they last updated?

    CS588 Spring 2005