The Application of Public Key Cryptography to Network Security
Ted Reinhardt
Course 94.470
Learning Objectives
• Understand how public key cryptography can be used to provide network security services such as:
– Confidentiality
– Non-repudiation
– Authentication
– Notarization
Crypto System
a pair of data transformations:
– one encrypts
– the other decrypts
[Diagram: plain text → Encrypt (key) → cipher text → Decrypt (key) → plain text]
Encryption
$E_k(m) = c$
m: plain text message
c: cipher text
k: key
Decryption
$D_k(c) = m$
c: ciphertext
m: message
k: key
Symmetric Key Crypto System
• same key is used for both transformations
[Diagram: plain text "IBM" → Encrypt (Key=1) → ciphertext "HAL" → Decrypt (Key=1) → plain text "IBM"]
Plain alphabet:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher alphabet: Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
A word about symmetric key crypto systems
• Keys must be protected at all times at least to the highest level of the information exchanged for the entire useful life of the message.
• Key distribution is therefore expensive
• Keys must be changed frequently
• large symmetric crypto networks are a nightmare to manage
Public Key Crypto System
a pair of data transformations:
– one encrypts
– the other decrypts
[Diagram: plain text "IBM" → Encrypt (public key) → ciphertext "03422AFDS" → Decrypt (private key) → plain text "IBM"]
An Engineering Love Story
Our Cast of Players
• Alice: Hopelessly in love with Bob
• Bob: Totally Clueless
• Carl: A spy for a tabloid newspaper
Public Key Crypto System
• complementary key pairs
• one private key, and a corresponding public key
Name Public Private
Alice 7 13
Bob 11 23
Carl 71 53
Public Key Crypto System
• Alice encrypts message for Bob’s eyes only.
Sender to Receiver Confidentiality
[Diagram: Alice: plain text "I LOVE YOU" → Encrypt (Bob's Public Key, 11) → cipher text "#$@deew" → Bob: Decrypt (Bob's Private Key, 23) → plain text "I LOVE YOU"]
Name Public Private
Alice 7 13
Bob 11 23
Carl 71 53
Public Key Crypto System
• Bob encrypts message for Alice’s eyes only.
Sender to Receiver Confidentiality
[Diagram: Bob: plain text → Encrypt (Alice's Public Key, 7) → ciphertext → Alice: Decrypt (Alice's Private Key, 13) → plain text]
Name Public Private
Alice 7 13
Bob 11 23
Carl 71 53
Confidentiality - Objective 1
• Sender to Receiver Confidentiality
• Encrypt with Public Key of the Addressee
• Equivalent to sealing an envelope by encrypting
• Only the Receiver can decode with his own Private Key (as long as the Private Key is kept Private).
Public Key Cryptosystem
• Alice digitally signs message for Bob
Authentication / Digital Signature
[Diagram: Alice: plain text → Encrypt (Alice's Private Key, 13) → cipher text → Bob: Decrypt (Alice's Public Key, 7) → plain text]
Name Public Private
Alice 7 13
Bob 11 23
Carl 71 53
Authentication & Non-Repudiation Objective #2
• Sender encrypts message with own private key
• Receiver decrypts message with sender's public key.
• Correct decryption indicates the message is authentic.
Public Key Crypto System
• Alice signs and seals message for Bob
Combined Digital Signature and Encryption
[Diagram: plain text → Alice Encrypt (Sign: Alice's Private Key, 13) → ciphertext → Alice Encrypt (Seal: Bob's Public Key, 11) → ciphered ciphertext]
Name Public Private
Alice 7 13
Bob 11 23
Carl 71 53
Public Key Crypto System
• Bob unseals message, and authenticates it
Combined Decryption and Authentication
[Diagram: ciphered cipher text → Bob Decrypt (Opens: Bob's Private Key, 23) → message + signature → Bob Decrypts (Authenticates: Alice's Public Key, 7) → clear text]
Name Public Private
Alice 7 13
Bob 11 23
Carl 71 53
Blind Notarization
• Alice encrypts and signs a message for Bob’s Eyes Only
• Alice sends the message to Carl, who takes Alice's encrypted and signed message, adds a date-time stamp (11AM 18 March 2015), and then signs it.
• Bob can decode it and check the date time if there is a dispute.
[Diagram label: Date-time stamp + Notary's Signature]
Blind Notarization
[Diagram: Alice → Notary Services → Bob; message is Signed by Alice and Sealed for Bob's Eyes Only]
Vulnerability in Key Management
• Certification of public keys is required; otherwise the system is subject to a man-in-the-middle attack.
Name Public Private
Alice 71 53
Bob 71 23
Carl 71 53
Carl can now read the message and then re-encrypt for the intended receiver
Carl can now masquerade as Alice
Solution to Vulnerability
Certificate Authority
• Certification of public keys is required; otherwise the system is subject to a man-in-the-middle attack.
Certificate Authority is recognized by all parties
[Certificate: Alice Public Key=13 Expiry=10-Aug-2016, Digitally Signed by the CA]
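An added example (not from the original slides) of the check a certificate makes possible: the CA signs the binding of name, public key and expiry, so a key swapped in the directory is rejected. The CA key is a toy textbook RSA key built from known Mersenne primes, the function names are hypothetical, and the key values 7 and 71 are the toy numbers from the slide tables.

```python
import hashlib
from datetime import date

# Assumption: toy textbook-RSA CA key from two known Mersenne primes.
# No padding, specially structured primes: for illustration only, NOT secure.
CA_E, CA_N = 65537, (2**521 - 1) * (2**607 - 1)
CA_D = pow(CA_E, -1, (2**521 - 2) * (2**607 - 2))   # private, held only by the CA

def to_be_signed(name, pubkey, expiry):
    """Digest of the fields the CA binds together: name, public key, expiry."""
    blob = repr((name, pubkey, expiry.isoformat())).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def issue(name, pubkey, expiry):
    """CA side: sign the binding with the CA private key."""
    sig = pow(to_be_signed(name, pubkey, expiry), CA_D, CA_N)
    return {"name": name, "pubkey": pubkey, "expiry": expiry, "sig": sig}

def trusted_key(cert, expected_name, today):
    """Relying party: return the certified public key or raise ValueError."""
    expected = to_be_signed(cert["name"], cert["pubkey"], cert["expiry"])
    if pow(cert["sig"], CA_E, CA_N) != expected:
        raise ValueError("CA signature does not match certificate contents")
    if cert["name"] != expected_name:
        raise ValueError("certificate was issued to a different name")
    if today > cert["expiry"]:
        raise ValueError("certificate has expired")
    return cert["pubkey"]

if __name__ == "__main__":
    # Constructed sample: Alice's toy key 7, expiry date as on the slide.
    cert = issue("Alice", 7, date(2016, 8, 10))
    print(trusted_key(cert, "Alice", date(2015, 3, 18)))
    swapped = dict(cert, pubkey=71)          # directory entry replaced with Carl's key
    try:
        trusted_key(swapped, "Alice", date(2015, 3, 18))
    except ValueError as err:
        print("rejected:", err)
```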
Symmetric vs Asymmetric
• Public Key Crypto
– Simplifies Key Management
– Slow
– Provides Digital Signature
• Symmetric Key Crypto
– Black Bag Key Management
– Fast
Hybrid
Best of Both Worlds
• Use Symmetric Key as session key to encrypt data using Symmetric Key Cryptography
– it is faster
• Use Public Key to Encrypt Session Key
– fewer key management problems
Message Digest
• A one-way function that provides a unique hash based on a data stream input
– MD5 (Deprecated)
– SHA-256
– SHA-384
Signature and Integrity Implementation
[Diagram: Plain text → Message Digest → Digest → Digitally Sign → Signed Digest; Integrity: Plain text → Message Digest → Digest → COMPARE]
Practicalities of Implementation
[Diagram: Plain text → Symmetric Encryption (Random Session Key) → Cipher text; Random Session Key → Public Key Encryption (Alice's Pub Key) → Alice's Session Key; Random Session Key → Public Key Encryption (Bob's Pub Key) → Bob's Session Key]
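The sign-and-seal and unseal-and-authenticate steps from the earlier slides, combined with the digest and hybrid session-key scheme shown here, as an added example (not part of the original slides). It assumes toy textbook RSA keys built from known Mersenne primes and a SHA-256 counter keystream standing in for a real symmetric cipher; all names are hypothetical and none of it is secure for real use.

```python
import hashlib, secrets

def keypair(p, q, e=65537):
    """Textbook RSA (no padding) from two given primes: toy keys, NOT secure."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

# Assumption: known Mersenne primes stand in for real key generation.
ALICE_PUB, ALICE_PRIV = keypair(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = keypair(2**1279 - 1, 2**2203 - 1)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def stream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def sign_and_seal(msg, sender_priv, recipients):
    d, n = sender_priv
    # Sign: private-key operation on the message digest, not the whole message.
    sig = pow(digest(msg), d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    session = secrets.token_bytes(32)            # random session key
    # Seal: wrap the session key once per recipient, under that recipient's public key.
    wrapped = {who: pow(int.from_bytes(session, "big"), e, rn)
               for who, (e, rn) in recipients.items()}
    return {"body": stream_xor(session, sig + msg), "keys": wrapped}

def unseal_and_verify(env, who, my_priv, sender_pub):
    d, n = my_priv
    session = pow(env["keys"][who], d, n).to_bytes(32, "big")   # open with own private key
    plain = stream_xor(session, env["body"])
    e, sn = sender_pub
    cut = (sn.bit_length() + 7) // 8
    sig, msg = int.from_bytes(plain[:cut], "big"), plain[cut:]
    return msg, pow(sig, e, sn) == digest(msg)   # the COMPARE step

if __name__ == "__main__":
    env = sign_and_seal(b"I LOVE YOU", ALICE_PRIV, {"alice": ALICE_PUB, "bob": BOB_PUB})
    print(unseal_and_verify(env, "bob", BOB_PRIV, ALICE_PUB))
```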
Layer 3
Virtual Private Network
[Diagram: Alice, VPN Gateway, Internet, VPN Gateway, Bob; Certificate Authority; Directory]
Layer 4
Secure Sockets Layer / Transport Layer Security
[Diagram: TLS Enabled Browser, Internet (Tunnel), Firewall, TLS Appliance, Protected Web Server]
Issues
• Who is going to be the CA?
• How does a CA decide to trust another CA?
• If someone is no longer ok, how do you revoke their credentials and distribute the info?
• What is the basis for trust?
– Certificate Policies, Certificate Practice Statements
Issues
• What is required to make a legally binding transaction?
• Where do you store the private key?
• Key Escrow: can someone back up your key for you in the event of loss?
• How do you authenticate people far away the first time?
• What algorithms are ok to use?