prev

next

of 36

View

26Download

0

Embed Size (px)

DESCRIPTION

Lecture 14: Public Key Infrastructure. David Evans http://www.cs.virginia.edu/evans. CS588: Security and Privacy University of Virginia Computer Science. Using RSA to Encrypt. Use 1024-bit modulus (RSA recommends >= 768) Encrypt 1M file 1024 1024-bit messages - PowerPoint PPT Presentation

David Evanshttp://www.cs.virginia.edu/evansCS588: Security and PrivacyUniversity of VirginiaComputer ScienceLecture 14:Public Key Infrastructure

CS588 Spring 2005

Using RSA to EncryptUse 1024-bit modulus (RSA recommends >= 768)Encrypt 1M file1024 1024-bit messagesTo calculate Me requires log2e 1024-bit modular multipliesWhy does no one use RSA like this?About 100-1000 times slower than DESNeed to be careful not to encrypt particular MsCan speed up encryption by choosing e that is an easy number to multiply by (e.g., 3 or 216 + 1)But, decryption must use non-easy d (~1024 bits)

CS588 Spring 2005

AlternativesUse RSA to establish a shared secret key for symmetric cipher (DES, RC6, ...)Lose external authentication, non-repudiation properties of public-key cryptosystemsSign (encrypt with private key) a hash of the messageA short block that is associated with the message

CS588 Spring 2005

RSA PaperThe need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public file manager when the user joins the system.

CS588 Spring 2005

Key ManagementPublic keys only useful if you know:The public key matches the entity you think it does (and no one else).The entity is trustworthy.

CS588 Spring 2005

Approach 1: Public AnnouncementPublish public keys in a public forumUSENET groupsAppend to email messagesNew York Time classifiedsEasy for rogue to pretend to be someone else

CS588 Spring 2005

Approach 2: Public DirectoryTrusted authority maintains directory mapping names to public keysEntities register public keys with authority in some secure wayAuthority publishes directoryPrint using watermarked paper, special fonts, etc.Allow secure electronic access

CS588 Spring 2005

Can we avoid needing an on-line directory?

CS588 Spring 2005

CertificatesLoren Kohnfelder, MIT 4th year thesis project, 1978: Towards a Practical Public-key CryptosystemPublic-key communication works best when the encryption functions can reliably be shared among the communicants (by direct contact if possible). Yet when such a reliable exchange of functions is impossible the next best thing is to trust a third party. Diffie and Hellman introduce a central authority known as the Public File Each individual has a name in the system by which he is referenced in the Public File. Once two communicants have gotten each others keys from the Public File then can securely communicate. The Public File digitally signs all of its transmission so that enemy impersonation of the Public File is precluded.

CS588 Spring 2005

CertificatesTrustMe.comAliceBob{ alice@alice.org, KUA }Use anything like this?

CS588 Spring 2005

Data encrypted using secret key exchanged using some public keyassociated with some certificate.

CS588 Spring 2005

CS588 Spring 2005

SSL (Secure Sockets Layer)Simplified TLS Handshake ProtocolClientServerHelloCheck Certificate using KUCA Pick random KFind K using KRSTextbook, Section 12.5

CS588 Spring 2005

CertificatesVarySignAliceBob{ alice@alice.org, KUA }How does TrustMe.com decide whether to provide Certificate?

CS588 Spring 2005

Verifying IdentitiesVarySignAliceBob{ alice@alice.org, KUA }$$$$

CS588 Spring 2005

With over half a million businesses authenticated, VeriSign follows a rigorous and independently audited authentication process. All involved VeriSign employees pass stringent background checks, and each authentication is split between multiple individuals. We maintain physically secure facilities, including biometric screening on entry.

CS588 Spring 2005

VeriSigns Certificate Classes Secure Site SSL CertificateSupports 40-bit session keyProves: you are communicating with someone willing to pay VeriSign $598 (or with ~$1000 to break a 40-bit key)Except they have a free 14-day trial (but it uses a different Trial CA key)

CS588 Spring 2005

CS588 Spring 2005

Secure Site Pro Certificate $995 per yeartrue 128-bit key128-bit encryption offers 288 times as many possible combinations as 40-bit encryption. Thats over a trillion times a trillion times stronger.trillion = 1012 trillion * trillion = 1024 Verisigns marketing claim could be: trillion times a trillion times a trillion times a trillion times a trillion times a trillion times a trillion times ten thousand (in Britain it is a trillions time a trillion times a trillion times a trillion times a billion times a thousand) times stronger (but that would sound even sillier!)Businesses authentication: out-of-band communication, records

CS588 Spring 2005

CS588 Spring 2005

Limiting The DamageVarySign.comAliceBob{ alice@alice.org, KUA }CA = EKRTrustMe[alice@alice.org, cert id, expiration time, KUA]CAChecks expiration time > now

CS588 Spring 2005

CS588 Spring 2005

Revoking CertificatesVarySign.comAliceBob{ alice@alice.org, KUA }CACASend me the CRL

CS588 Spring 2005

Revoked!

CS588 Spring 2005

Certificate QuestionsHow do participants acquire the authoritys public key?If authoritys private key is compromised, everything is vulnerable!Keep the key locked up well

CS588 Spring 2005

Problems with CertificatesDepends on a certificate authorityNeeds to be a big, trusted entityNeeds to make money (or be publically funded)Need to acquire a certificateMakes anonymity difficultRequires handshaking

CS588 Spring 2005

PGP (Pretty Good Privacy)Keyring: list of public keys, signed by owners private keyAlices keyring:EKRAlice (, )Exchanging Keyrings (Web of Trust)Complete Trust: I trust Alices keyring (add the public key pairings to my own keyring)Partial Trust: I sort of trust Alice, but require confirmation from someone else too (I need to get EKRCathy () before trusting KUBob

CS588 Spring 2005

Avoiding CertificatesWhat if your identity (e.g., your email address) is your public key?

Is it possible to do this with RSA?Do you want your email address to be a 200-digit random number?

CS588 Spring 2005

Identity Based Encryption[Shamir 1984], [Boneh & Franklin 2003]

public-key = identityprivate-key = F(master-key, identity)

The owner of the master-key is the new authority. Must be careful who it gives private keys to.

CS588 Spring 2005

Key-Generating ServiceHolds master-keyParticipants request private keys from KGSSends s to KGS, requests corresponding private keyKGS authenticates requestorIf valid, computes F(master-key, s) and sends over secure channelHow does the trust given to the KGS compare to that given to CA in SSL?KGS can decrypt all messages! With certificates, certificate owner still has her own private key.But, CA can impersonate anyone by generating acertificate with a choosen public-key.

CS588 Spring 2005

Shamirs IBE Signature SchemeSetup: done by KGSSelect p, q large primesN = pqChoose e relatively prime to (N) (p-1)(q-1)Choose d satisfying ed 1 mod (N) Choose h a cryptographic hash functionPublish N, e and h to all participantsKeep d secret master-key

CS588 Spring 2005

Shamirs SignaturesGenerating a private keyprivatekey(ID) = IDd mod NCan only be done by KGS (d is master secret)Signing a message M with identity IDObtain g = privatekey(ID) from KGSChoose random r less than N Compute signature (s, t):t = re mod Ns = g rh(t || M) mod NWarning: book typesetting is off and wrong range for h!

CS588 Spring 2005

Verifying a SignatureKGS produced g = IDd mod NRecipient knows ID and M, system parameters e and N

t = re mod Ns = g rh(t || M) mod NVerify (ID, s, t, M)se = ID th(t || M) mod N (IDd rh(t || M))e mod N IDderh(t || M)e mod N ID reh(t || M) mod N ID th(t || M) mod NWhat does non-forgability of a Shamir IBE signature rely on?

CS588 Spring 2005

Identity-Based EncryptionShamirs scheme signatures only, not encryptionBoneh & Franklin, 2001First practical and provably secure IBE schemeBuilds on elliptic curves

CS588 Spring 2005

Issues in IBEComplete trust in KGSWith Boneh & Franklins system can use secret sharing techniques to divide this trust among multiple entitiesCould you do this with Shamirs IBE signatures?RevocationCan include expiration times in identitiesBut no way to revoke granted private keys

CS588 Spring 2005

ChargeRead Chapter 13 in the bookLook at the certificate chains when you browse the webFind a certificate with a trust chain more than two levels deepUpdate your browser CRLs: when were they last updated?

CS588 Spring 2005