10 views

Original Title: Lecture 1 - Cryptography

Uploaded by Aya Puertollano

Lecture 1 - Cryptography

Attribution Non-Commercial (BY-NC)

- Digital Signature
- Crypto Products Backgrounder R0
- fips186-2-change1
- Kmip Spec 1.0 CD 06
- e-voting using pgp
- Cryptography-The Science of Hiding Information
- 140sp1571
- Answer Review Week 4_Suryadin Akbar_1113100.pdf
- Information Technology Act
- Signatureryhtrhtrdh
- cryptography in networking
- Fawkes
- Encryption
- RSA
- Identity Based Data Uploading on Proxy Oriented Data Integrity Checking in Public Cloud
- Blockchain Guide
- DigitalSignature_Forouzan
- ccna-7
- TRIPLE LAYER SECURE ENCRYPTION: BY COMBINED RSA, IMAGE STEGANOGRAPHY&DIGITAL SIGNATURE.
- PKI and Digital SignaturesWA.1

You are on page 1of 84

Lesson Planning

The lesson should include lecture, demonstrations, discussions and assessments The lesson can be taught in person or using remote instruction

Major Concepts

Describe how the types of encryption, hashes, and digital signatures work together to provide confidentiality, integrity, and authentication Describe the mechanisms to ensure data integrity and authentication Describe the mechanisms used to ensure data confidentiality Describe the mechanisms used to ensure data confidentiality and authentication using a public key

Lesson Objectives

Upon completion of this lesson, the successful participant will be able to:

1. Describe the requirements of secure communications including integrity, authentication, and confidentiality 2. Describe cryptography and provide an example 3. Describe cryptanalysis and provide an example 4. Describe the importance and functions of cryptographic hashes 5. Describe the features and functions of the MD5 algorithm and of the SHA-1 algorithm 6. Explain how we can ensure authenticity using HMAC 7. Describe the components of key management

Lesson Objectives

8. Describe how encryption algorithms provide confidentiality 9. Describe the function of the DES algorithms 10. Describe the function of the 3DES algorithm 11. Describe the function of the AES algorithm 12. Describe the function of the Software Encrypted Algorithm (SEAL) and the Rivest ciphers (RC) algorithm 13. Describe the function of the DH algorithm and its supporting role to DES, 3DES, and AES 14. Explain the differences and their intended applications 15. Explain the functionality of digital signatures 16. Describe the function of the RSA algorithm 17. Describe the principles behind a public key infrastructure (PKI)

Lesson Objectives

18. Describe the various PKI standards 19. Describe the role of CAs and the digital certificates that they issue in a PKI 20. Describe the characteristics of digital certificates and CAs

Secure Communications

CSA

MARS

Firewall

VPN IPS

CSA

VPN

Remote Branch

Iron Port

CSA

CSA

CSA CSA

CSA

Web Server Email Server

CSA

DNS

Traffic between sites must be secure Measures must be taken to ensure it cannot be altered, forged, or deciphered if intercepted

Authentication

An ATM Personal Information Number (PIN) is required for authentication. The PIN is a shared secret between a bank account holder and the financial institution.

Integrity

An unbroken wax seal on an envelop ensures integrity. The unique unbroken seal ensures no one has read the contents.

Confidentiality

Julius Caesar would send encrypted messages to his generals in the battlefield. Even if intercepted, his enemies usually could not read, let alone decipher, the messages.

I O D Q N H D V W D W W D F N D W G D Z Q

History

Scytale - (700 BC)

Vigenre table

Transposition Ciphers

1 FLANK EAST ATTACK AT DAWN

Clear Text

Ciphered Text

1 FLANK EAST ATTACK AT DAWN

Clear text

Shift the top scroll over by three characters (key of 3), an A becomes D, B becomes E, and so on.

2

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Cipherered text

Cipher Wheel

1 FLANK EAST ATTACK AT DAWN

Clear text

Shifting the inner wheel by 3, then the A becomes D, B becomes E, and so on.

Cipherered text

A B C D E F G H

a a b c d e f g h

b b c d e f g h i

c c d e f g h i j

d d e f g h i j k

e e f g h i j k l

f f g h i j k l m

Vigenre Table

g g h i j k l m n h h i j k l m n o i i j k l m n o p j j k l m n o p q k k l m n o p q r l l m n o p q r s m m n o p q r s t n n o p q r s t u o o p q r s t u v p p q r s t u v w q q r s t u v w x r r s t u v w x y s s t u v w x y z t t u v w x y z a

u u v w x y z a b

v v w x y z a b c

w w x y z a b c d

x x y z a b c d e

y y z a b c d e f

z z a b c d e f g

I

J K

i

j k

j

k l

k

l m

l

m n

m

n o

n

o p

o

p q

p

q r

q

r s

r

s t

s

t u

t

u v

u

v w

v

w x

w

x y

x

y z

y

z a

z

a b

a

b c

b

c d

c

d e

d

e f

e

f g

f

g h

g

h i

h

i j

L

M N

l

m n

m

n o

n

o p

o

p q

p

q r

q

r s

r

s t

s

t u

t

u v

u

v w

v

w x

w

x y

x

y z

y

z a

z

a b

a

b c

b

c d

c

d e

d

e f

e

f g

f

g h

g

h i

h

i j

i

j k

j

k l

k

l m

O

P Q

o

p q

p

q r

q

r s

r

s t

s

t u

t

u v

u

v w

v

w x

w

x y

x

y z

y

z a

z

a b

a

b c

b

c d

c

d e

d

e f

e

f g

f

g h

g

h i

h

i j

i

j k

j

k l

k

l m

l

m n

m

n o

n

o p

R

S T U V W X Y Z

r

s t u v w x y z

s

t u v w x y z a

t

u v w x y z a b

u

v w x y z a b c

v

w x y z a b c d

w

x y z a b c d e

x

y z a b c d e f

y

z a b c d e f g

z

a b c d e f g h

a

b c d e f g h i

b

c d e f g h i j

c

d e f g h i j k

d

e f g h i j k l

e

f g h i j k l m

f

g h i j k l m n

g

h i j k l m n o

h

i j k l m n o p

i

j k l m n o p q

j

k l m n o p q r

k

l m n o p q r s

l

m n o p q r s t

m

n o p q r s t u

n

o p q r s t u v

o

p q r s t u v w

p

q r s t u v w x

q

r s t u v w x y

Stream Ciphers

Invented by the Norwegian Army Signal Corps in 1950, the ETCRRM machine uses the Vernam stream cipher method. It was used by the US and Russian governments to exchange information. Plain text message is eXclusively OR'ed with a key tape containing a random stream of data of the same length to generate the ciphertext. Once a message was enciphered the key tape was destroyed. At the receiving end, the process was reversed using an identical key tape to decode the message.

Defining Cryptanalysis

Allies decipher secret NAZI encryption code!

Cryptanalysis is from the Greek words krypts (hidden), and anal (to loosen or to untie). It is the practice and ein the study of determining the meaning of encrypted information (cracking the code), without access to the shared secret key.

Cryptanalysis Methods

Brute Force Attack

Known Ciphertext

With a Brute Force attack, the attacker has some portion of ciphertext. The attacker attempts to unencrypt the ciphertext with all possible keys.

Meet-in-the-Middle Attack

Known Ciphertext

Use every possible decryption key until a result is found matching the corresponding plaintext.

Known Plaintext

Use every possible encryption key until a result is found matching the corresponding ciphertext.

With a Meet-in-the-Middle attack, the attacker has some portion of text in both plaintext and ciphertext. The attacker attempts to unencrypt the ciphertext with all possible keys while at the same time encrypt the plaintext with another set of possible keys until one match is found.

1

There are 6 occurrences of the cipher letter D and 4 occurrences of the cipher letter W.

2 IODQN HDVW DWWDFN DW GDZQ

Cipherered text

Replace the cipher letter D first with popular clear text letters including E, T, and finally A.

Trying A would reveal the shift pattern of 3.

Defining Cryptology

Cryptology

+

Cryptography

Cryptanalysis

Cryptanalysis

Integrity Authentication Confidentiality

DES 3DES AES SEAL RC (RC2, RC4, RC5, and

RC6)

MD5 SHA

HASH

NIST

HASH w/Key

Rivest

Encryption

Hashing Basics

Hashes are used for integrity assurance. Hashes are based on one-way functions. The hash function hashes arbitrary data into a fixed-length digest known as the hash value, message digest, digest, or fingerprint.

Data of Arbitrary Length

e883aa0b24c09f

Hashing Properties

Arbitrary length text

X

Why is x not in Parens?

h = H (x)

Hash Function

(H)

Why is H in Parens?

Hash Value

e883aa0b24c09f

Hashing in Action

Vulnerable to man-in-the-middle attacks

Hashing does not provide security to transmission.

MD5 with 128-bit hashes SHA-1 with 160-bit hashes

Internet

Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars Pay to Alex Jones $1000.00 One Thousand and xx/100 Dollars

4ehIDx67NMop9

12ehqPx67NMoX

MD5

MD5 is a ubiquitous hashing algorithm Hashing properties

One-way functioneasy to compute hash and infeasible to compute data given a hash Complex sequence of simple binary operations (XORs, rotations, etc.) which finally produces a 128-bit hash. MD5

SHA is similar in design to the MD4 and MD5 family of hash functions

Takes an input message of no more than 264 bits Produces a 160-bit message digest

SHA

The algorithm is slightly slower than MD5. SHA-1 is a revision that corrected an unpublished flaw in the original SHA. SHA-224, SHA-256, SHA-384, and SHA-512 are newer and more secure versions of SHA and are collectively known as SHA-2.

SHA

Hashing Example

In this example the clear text entered is displaying hashed results using MD5, SHA-1, and SHA256. Notice the difference in key lengths between the various algorithm. The longer the key, the more secure the hash function.

Features of HMAC

Uses an additional secret key as input to the hash function The secret key is known to the sender and receiver

Adds authentication to integrity assurance Defeats man-in-the-middle attacks

Data of Arbitrary Length

Secret Key

e883aa0b24c09f

The same procedure is used for generation and verification of secure fingerprints

HMAC Example

Data

Pay to Terry Smith One Hundred and xx/100 $100.00 Dollars

Received Data

Secret Key

Pay to Terry Smith One Hundred and xx/100 $100.00 Dollars

Secret Key

4ehIDx67NMop9

4ehIDx67NMop9

$100.00 Dollars

If the generated HMAC matches the sent HMAC, then integrity and authenticity have been verified. If they dont match, discard the message.

4ehIDx67NMop9

Using Hashing

Data Integrity Data Authenticity

Entity Authentication

Routers use hashing with secret keys Ipsec gateways and clients use hashing algorithms Software images downloaded from the website have checksums Sessions can be encrypted

Key Management

Key Generation Key Verification

Key Management

Key Storage

Key Exchange

Keyspace

DES Key

56-bit

Keyspace

11111111 11111111 11111111 11111111 11111111 11111111 11111111

# of Possible Keys

72,000,000,000,000,000

Twice as much time

256

57-bit

257

144,000,000,000,000,00 0 288,000,000,000,000,00 0

58-bit

258

59-bit

259

With 60-bit DES an attacker would require sixteen more time than 56-bit DES

576,000,000,000,000,00 0

11111111 11111111 11111111 1,152,000,000,000,000,0 60-bit 11111111 11111111 11111111 11111111 00 For each bit added to the DES 1111 the attacker would require twice the amount of time to key, search the keyspace.

260

Longer keys are more secure but are also more resource intensive and can affect throughput.

Types of Keys

Symmetric Key Protection up to 3 years Protection up to 10 years Asymmetric Key Digital Signature Hash

Protection up to 20 years

Protection up to 30 years Protection against quantum computers

Calculations are based on the fact that computing power will continue to grow at its present rate and the ability to perform brute-force attacks will grow at the same rate. Note the comparatively short symmetric key lengths illustrating that symmetric algorithms are the strongest type of algorithm.

Key Properties

Shorter keys = faster processing, but less secure

For Data Link Layer confidentiality, use proprietary link-encrypting devices For Network Layer confidentiality, use secure Network Layer protocols such as the IPsec protocol suite For Session Layer confidentiality, use protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) For Application Layer confidentiality, use secure e-mail, secure database sessions (Oracle SQL*net), and secure messaging (Lotus Notes sessions)

Symmetric Encryption

Key Pre-shared key Key

Encrypt

$1000

$!@#IQ

Decrypt

$1000

Best known as shared-secret key algorithms The usual key length is 80 - 256 bits A sender and receiver must share a secret key Faster processing because they use simple mathematical operations. Examples include DES, 3DES, AES, IDEA, RC2/4/5/6, and Blowfish.

The XOR operator results in a 1 when the value of either the first bit or the second bit is a 1 The XOR operator results in a 0 when neither or both of the bits is 1

Plain Text Key (Apply) XOR (Cipher Text) Key (Re-Apply) XOR (Plain Text)

1 0 1 0 1

1 1 0 1 1

0 0 0 0 0

1 1 0 1 1

0 0 0 0 0

0 1 1 1 0

1 0 1 0 1

1 1 0 1 1

Asymmetric Encryption

Encryption Key Two separate keys which are not shared Decryption Key

Encrypt

$1000

%3f7&4

Decrypt

$1000

Also known as public key algorithms The usual key length is 5124096 bits A sender and receiver do not share a secret key Relatively slow because they are based on difficult computational algorithms Examples include RSA, ElGamal, elliptic curves, and DH.

Symmetric Algorithms

Symmetric Encryption Algorithm Key length (in bits)

Description

DES

56

Designed at IBM during the 1970s and was the NIST standard until 1997. Although considered outdated, DES remains widely in use. Designed to be implemented only in hardware, and is therefore extremely slow in software. Based on using DES three times which means that the input data is encrypted three times and therefore considered much stronger than DES. However, it is rather slow compared to some new block ciphers such as AES. Fast in both software and hardware, is relatively easy to implement, and requires little memory. As a new encryption standard, it is currently being deployed on a large scale. SEAL is an alternative algorithm to DES, 3DES, and AES.

3DES

AES

Software Encryption

160

blank blank 1100101 01010010110010101 01010010110010101

64 bits

64bits

64bits

0101010010101010100001001001001 0101010010101010100001001001001

Selecting an Algorithm

DES

The algorithm is trusted by the cryptographic community The algorithm adequately protects against brute-force attacks

3DES

Yes

AES

Verdict is still out Yes

Yes

DES Scorecard

Description Timeline Type of Algorithm Key size (in bits) Speed Time to crack

(Assuming a computer could try 255 keys per second)

Data Encryption Standard Standardized 1976 Symmetric 56 bits Medium Days (6.4 days by the COPACABANA machine, a

specialized cracking device)

Resource Consumption

Medium

ECB

Message of Five 64-Bit Blocks

Initialization Vector

CBC

Message of Five 64-Bit Blocks

DES

DES

DES

DES

DES

DES

DES

DES

DES

DES

Considerations

Change keys frequently to help prevent brute-force attacks. Use a secure channel to communicate the DES key from the sender to the receiver. Consider using DES in CBC mode. With CBC, the encryption of each 64bit block depends on previous blocks. Test a key to see if it is a weak key before using it.

DES

3DES Scorecard

Description Timeline Type of Algorithm Key size (in bits) Speed Time to crack

(Assuming a computer could try 255 keys per second)

Triple Data Encryption Standard Standardized 1977 Symmetric 112 and 168 bits Low 4.6 Billion years with current technology Medium

Resource Consumption

Encryption Steps

1

The clear text from Alice is encrypted using Key 1. That ciphertext is decrypted using a different key, Key 2. Finally that ciphertext is encrypted using another key, Key 3.

When the 3DES ciphered text is received, the process is reversed. That is, the ciphered text must first be decrypted using Key 3, encrypted using Key 2, and finally decrypted using Key 1.

AES Scorecard

Description Timeline Type of Algorithm Key size (in bits) Speed Time to crack

(Assuming a computer could try 255 keys per second)

Advanced Encryption Standard Official Standard since 2001 Symmetric 128, 192, and 256 High 149 Trillion years Low

Resource Consumption

Advantages of AES

The key is much stronger due to the key length AES runs faster than 3DES on comparable hardware AES is more efficient than DES and 3DES on comparable hardware

The plain text is now encrypted using 128 AES

SEAL Scorecard

Description Timeline Type of Algorithm Key size (in bits) Speed Time to crack

(Assuming a computer could try 255 keys per second)

Symmetric 160 High Unknown but considered very safe Low

Resource Consumption

Description Timeline Type of Algorithm Key size (in bits) RC2 1987 Block cipher 40 and 64 RC4 1987 Stream cipher 1 - 256 RC5 1994 Block cipher 0 to 2040 bits (128 suggested) RC6 1998 Block cipher 128, 192, or 256

DH Scorecard

Description Timeline Type of Algorithm Key size (in bits) Speed Time to crack

(Assuming a computer could try 255 keys per second)

Diffie-Hellman Algorithm 1976 Asymmetric 512, 1024, 2048 Slow Unknown but considered very safe

Resource Consumption

Medium

Using Diffie-Hellman

Alice

Shared

1

Bob

Calc

1 3

Secret

Shared

Secret

Calc

5, 23

2

5, 23

56mod 23 =

8 8

1. Alice and Bob agree to use the same two numbers. For example, the base number g=

6.

56 modulo 23) = 8 (Y) and

8 (Y) to Bob.

Using Diffie-Hellman

Alice

Shared Secret Calc Shared

Bob

Secret

Calc

5, 23

5, 23 6

5

8 8 19 19 mod 23 = 2

56mod 23 =

6

15

515mod 23 = 19

6

815mod 23 =

15, performed the DH algorithm: modulo p = (515 modulo 23) = 19 (Y) and sent the new number 19 (Y) to

The result (2) is the same for both Alice and Bob. This number can now be used as a shared secret key by the encryption algorithm.

Encryption Key Encryption Plain text Encrypted text Decryption Key Decryption Plain text

Key length ranges from 5124096 bits Key lengths greater than or equal to 1024 bits can be trusted Key lengths that are shorter than 1024 bits are considered unreliable for most algorithms

Computer A acquires Computer Bs public key

1 Can I get your Public Key please? Here is my Public Key.

Bobs Public Key

Computer A

Encryption Algorithm

4

Encrypted Text

Computer B

Encryption Algorithm

Encrypted Text

Computer A uses Computer Bs public key to encrypt a message using an agreed-upon algorithm

Computer B uses its private key to decrypt and reveal the message

Alice encrypts a message with her private key

1

Alices Private Key

Bob uses the public key to successfully decrypt the message and authenticate that the message did, indeed, come from Alice.

Encrypted Text

Encryption Algorithm

3

4

Encrypted Text

Computer A

Encrypted Text

Alices Public Key

Computer B

Encryption Algorithm

Bob needs to verify that the message actually came from Alice. He requests and acquires Alices public key

Key length (in bits) Description 512, 1024, 2048

Invented in 1976 by Whitfield Diffie and Martin Hellman. Two parties to agree on a key that they can use to encrypt messages The assumption is that it is easy to raise a number to a certain power, but difficult to compute which power was used given the number and the outcome.

DH

512 - 1024

Created by NIST and specifies DSA as the algorithm for digital signatures. A public key algorithm based on the ElGamal signature scheme. Signature creation speed is similar with RSA, but is slower for verification.

Developed by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT in 1977 Based on the current difficulty of factoring very large numbers Suitable for signing as well as encryption Widely used in electronic commerce protocols Based on the Diffie-Hellman key agreement. Described by Taher Elgamal in 1984and is used in GNU Privacy Guard software, PGP, and other cryptosystems. The encrypted message becomes about twice the size of the original message and for this reason it is only used for small messages such as secret keys Invented by Neil Koblitz in 1987 and by Victor Miller in 1986. Can be used to adapt many cryptographic algorithms Keys can be much smaller

512 to 2048

EIGamal

512 - 1024

160

Authenticates a source, proving a certain party has seen, and has signed, the data in question Signing party cannot repudiate that it signed the data Guarantees that the data has not changed from the time it was signed

Authenticity

Integrity Nonrepudiation

Digital Signatures

The signature is authentic and not forgeable: The signature is proof that the signer, and no one else, signed the document. The signature is not reusable: The signature is a part of the document and cannot be moved to a different document. The signature is unalterable: After a document is signed, it cannot be altered. The signature cannot be repudiated: For legal purposes, the signature and the document are considered to be physical things. The signer cannot claim later that they did not sign it.

The sending device creates a hash of the document

Data

Confirm Order

The receiving device accepts the document with digital signature and obtains the public key

Signature Verified 0a77b3440

hash

Signed Data

Confirm Order ____________ 0a77b3440

4

Signature Algorithm

3 The sending device encrypts only the hash 0a77b3440 with the private key of the signer The signature algorithm generates a digital signature and obtains the public key

5

Verification Key

The publisher of the software attaches a digital signature to the executable, signed with the signature key of the publisher. The user of the software needs to obtain the public key of the publisher or the CA certificate of the publisher if PKI is used.

DSA Scorecard

Description Timeline Type of Algorithm Advantages: Digital Signature Algorithm (DSA) 1994

Signature generation is fast

RSA Scorecard

Description Timeline Ron Rivest, Adi Shamir, and Len Adleman 1977 Asymmetric algorithm 512 - 2048 Signature verification is fast

Type of Algorithm

Key size (in bits) Advantages:

Properties of RSA

One hundred times slower than DES in hardware One thousand times slower than DES in software Used to protect small amounts of data Ensures confidentiality of data thru encryption Generates digital signatures for authentication and nonrepudiation of data

Alice applies for a drivers license.

after her identity is proven.

PKI terminology to remember:

PKI: A service framework (hardware, software, people, policies and procedures) needed to support large-scale public key-based technologies. Certificate: A document, which binds together the name of the entity and its public key and has been signed by the CA Certificate authority (CA): The trusted third party that signs the public keys of entities in a PKI-based system

http://www.verisign.com http://www.entrust.com

http://www.verizonbusiness.com/

http://www.novell.com

http://www.rsa.com/ http://www.microsoft.com

Usage Keys

When an encryption certificate is used much more frequently than a signing certificate, the public and private key pair is more exposed due to its frequent usage. In this case, it might be a good idea to shorten the lifetime of the key pair and change it more often, while having a separate signing private and public key pair with a longer lifetime. When different levels of encryption and digital signing are required because of legal, export, or performance issues, usage keys allow an administrator to assign different key lengths to the two pairs. When key recovery is desired, such as when a copy of a users private key is kept in a central repository for various backup reasons, usage keys allow the user to back up only the private key of the encrypting pair. The signing private key remains with the user, enabling true nonrepudiation.

X.509

Many vendors have proposed and implemented proprietary solutions Progression towards publishing a common set of standards for PKI protocols and data formats

X.509v3

X.509v3 is a standard that describes the certificate structure. X.509v3 is used with:

Secure web servers: SSL and TLS Web browsers: SSL and TLS Email programs: S/MIME IPsec VPNs: IKE

X.509v3 Applications

SSL Internet Mail Server S/MIME External Web Server EAP-TLS Cisco Secure ACS CA Server

Internet

Enterprise Network

IPsec

VPN Concentrator

Certificates can be used for various purposes. One CA server can be used for all types of authentication as long as they support the same PKI procedures.

PKCS PKCS PKCS PKCS PKCS PKCS PKCS PKCS PKCS PKCS

#1: RSA Cryptography Standard #3: DH Key Agreement Standard #5: Password-Based Cryptography Standard #6: Extended-Certificate Syntax Standard #7: Cryptographic Message Syntax Standard #8: Private-Key Information Syntax Standard #10: Certification Request Syntax Standard #12: Personal Information Exchange Syntax Standard #13: Elliptic Curve Cryptography Standard #15: Cryptographic Token Information Format Standard

PKCS#7 PKCS#10

CA

Certificate

Signed Certificate

PKCS#7

A PKI communication protocol used for VPN PKI enrollment Uses the PKCS #7 and PKCS #10 standards

Certificates issued by one CA Centralized trust decisions Single point of failure

Root CA

Hierarchical CA Topology

Root CA

Subordinate CA

Cross-Certified CAs

CA2

CA1

CA3

Registration Authorities

2 Completed Enrollment Request Forwarded to CA

CA

Enrollment request

RA

3 1 Certificate Issued

After the Registration Authority adds specific information to the certificate request and the request is approved under the organizations policy, it is forwarded on to the Certification Authority

The CA will sign the certificate request and send it back to the host

Alice and Bob telephone the CA administrator and verify the public key and serial number of Out-of-Band the certificate

Out-of-Band Authentication of the CA Certificate

3

CA Admin POTS CA

1 3

CA Certificate

CA Certificate

Enterprise Network

2 2

Alice and Bob request the CA certificate that contains the CA public key

The certificate is retrieved and the certificate is installed onto the system

Out-of-Band Authentication of the CA Certificate POTS CA

1 3 1 2

The CA administrator telephones to confirm their submittal and the public key and issues the certificate by adding some additional data to the request, and digitally signing it all

Out-of-Band Authentication of the CA Certificate POTS

CA Admin

Certificate Request

Certificate Request 3

Enterprise Network

Both systems forward a certificate request which includes their public key. All of this information is encrypted using the public key of the CA

Authenticating

Bob and Alice exchange certificates. The CA is no longer involved

2 2

1

Certificate (Alice)

Certificate (Bob)

Each party verifies the digital signature on the certificate by hashing the plaintext portion of the certificate, decrypting the digital signature using the CA public key, and comparing the results.

To authenticate each other, users have to obtain the certificate of the CA and their own certificate. These steps require the out-of-band verification of the processes. Public-key systems use asymmetric keys where one is public and the other one is private. Key management is simplified because two users can freely exchange the certificates. The validity of the received certificates is verified using the public key of the CA, which the users have in their possession. Because of the strength of the algorithms, administrators can set a very long lifetime for the certificates.

End

- Digital SignatureUploaded bySomeshwar Singh
- Crypto Products Backgrounder R0Uploaded bywsboldt
- fips186-2-change1Uploaded byapi-3825760
- Kmip Spec 1.0 CD 06Uploaded bysonali_raisonigroup
- e-voting using pgpUploaded byprvigneshkumar
- Cryptography-The Science of Hiding InformationUploaded byMuktesh Chander IPS
- 140sp1571Uploaded bytombakcs
- Answer Review Week 4_Suryadin Akbar_1113100.pdfUploaded byHonest Syarof Esabella
- Information Technology ActUploaded bySiddharthJain
- cryptography in networkingUploaded byed3uzacoi1zy
- FawkesUploaded by2013scribd001
- RSAUploaded bykaran5230
- SignatureryhtrhtrdhUploaded byajhired
- EncryptionUploaded bynarri_dagar2009
- Identity Based Data Uploading on Proxy Oriented Data Integrity Checking in Public CloudUploaded byIRJET Journal
- Blockchain GuideUploaded byKaique Silva
- DigitalSignature_ForouzanUploaded byShubham Agrawal
- ccna-7Uploaded byPaulo Rijo
- TRIPLE LAYER SECURE ENCRYPTION: BY COMBINED RSA, IMAGE STEGANOGRAPHY&DIGITAL SIGNATURE.Uploaded byIJAR Journal
- PKI and Digital SignaturesWA.1Uploaded bywasirifie
- What is a Digital Signature-writeupUploaded byAnonymous eSi1iZTNG
- Trusted Document Signing Based on Use of Biometric (Face) KeysUploaded byIJCSDF
- 185Uploaded byVikesh Sohotoo
- ppt bandana.pptxUploaded byBandana Rajanandini
- 07 CryptographyUploaded byJamesKJaak
- 7 CryptographyUploaded byVanathi Priyadharshini
- Lecture 1Uploaded byRandy Concepcion
- Advanced Computer Networks - CS716 Power Point Slides Lecture 40Uploaded byTaran Aulakh
- ijcta2011020439Uploaded bySanyam Shukla
- Wireless Sensor Networks Security Survey Using CryptographyUploaded byAnonymous vQrJlEN

- Goldie Locks and the Three Least Privileged DesktopsUploaded byShifu Mohamed
- IRJET-A Profit Maximization Scheme in Cloud Computing with QoSUploaded byIRJET Journal
- Chapter 4Uploaded byRaquelScarlettGonzálezHernández
- Amp Si2035 DatasheetUploaded byElectromate
- ThinkCentre-m72e-datasheetUploaded byrogrom
- test.txtUploaded byGaurav Asati
- Toshiba l64 Tv Uputstvo-EnglishUploaded byVeljko Ocokoljić
- Council Venturing Officers Job DescriptionUploaded byAnthony Crosby
- howto-17.05Uploaded byAhmed Sharif
- Strengths&Weaknesses of Google Inc.Uploaded byReylanAquino
- EtapUploaded byNogdalla Munir
- Commissioning-Testing-Complex-Busbar-Protection-Schemes.pdfUploaded byJoel Alcantara
- Huawei_STB_VERSI BARU EC6108V9.pdfUploaded byAdpoe Nyetzz
- DocumentUploaded byJyoti Yadav
- Tri Fold Separate 03 13Uploaded byogautier
- Foundation Network 1Uploaded byNantawan Gantong
- 47529041 CP R75 Secure Platform Admin GuideUploaded byDinesh Pal
- Xcell92Uploaded byVinay Garg
- Start Guide P2P User Interface LinuxUploaded byAlexandreJOsé
- EKCC-W Sequencing Controller 4PEN341705-1 Installation Manuals EnglishUploaded byNano Salam
- BroadVision 8.2 Content GuideUploaded byjsunil18
- Linux ProjectUploaded byPatrick
- Dual CellHSPA SummaryUploaded byAlsp77
- Bsnl (Training Report)Uploaded byAditya Prasad
- Smooth Board User GuideUploaded byMiguel Gonzalez Ramirez
- Excel to PDF Linux Command LineUploaded byBrandy
- Java.Uploaded bymahatik
- OnGuard_SNMPUploaded byEsteban Michel Vázquez Barreto
- CSE590 Lectures 9 10Uploaded bysatsrini
- Rules on Electronic EvidenceUploaded byJuan Lennon