You are on page 1of 56

# Digital Signature, Digital Certificate

## CSC1720 Introduction to Internet

Essential Materials

Outline

Introduction Cryptography
Secret-key algorithms Public-key algorithms Message-Digest algorithms

Digital Signature Digital Certificate Public Key Infrastructure (PKI) Secure Electronic Transaction (SET) Summary
2 All copyrights reserved by C.C. Cheung 2003.

## CSC1720 Introduction to Internet

Introduction

Cryptography and digital certificates are first appeared in closed commercial, financial network and military systems. We can send/receive secure e-mail, connect to secure website to purchase goods or obtain services. Problem: How do we implement them in this global, open network, Internet? To what level of encryption is sufficient to provide safe and trust services on the Net?
3 All copyrights reserved by C.C. Cheung 2003.

## CSC1720 Introduction to Internet

Cryptography

3 cryptographic algorithms:
Message-digest algorithms

Map variable-length plaintext to fixed-length ciphertext. Use one single key to encrypt and decrypt. Use 2 different keys public key and private key.
4 All copyrights reserved by C.C. Cheung 2003.

Secret-key algorithms

Public-key algorithms

## CSC1720 Introduction to Internet

Keys

It is a variable value that is used by cryptographic algorithms to produce encrypted text, or decrypt encrypted text. The length of the key reflects the difficulty to decrypt from the encrypted message.
Key Ciphertext Key

Plaintext

Encryption

Decryption

Plaintext

## All copyrights reserved by C.C. Cheung 2003.

Key length

It is the number of bits (bytes) in the key. A 2-bit key has four values
00, 01, 10, 11 in its key space

A key of length n has a key space of 2^n distinct values. E.g. the key is 128 bits
101010101010.10010101111111 There are 2^128 combinations
340 282 366 920 938 463 463 374 607 431 768 211 456

## All copyrights reserved by C.C. Cheung 2003.

Secret-key Encryption

Use a secret key to encrypt a message into ciphertext. Use the same key to decrypt the ciphertext to the original message. Also called Symmetric cryptography.
Secret Key Ciphertext Secret Key

Plaintext

Encryption

Decryption

Plaintext

## Secret Key How to?

Original Text + Encryption Secret key = Encrypted Text

Encrypted Text +

Original Text

## All copyrights reserved by C.C. Cheung 2003.

Secret-Key Problem?

All keys need to be replaced, if one key is compromised. Not practical for the Internet environment. On the other hand, the encryption speed is fast. Suitable to encrypt your personal data.
All copyrights reserved by C.C. Cheung 2003.

## CSC1720 Introduction to Internet

Secret-Key algorithms
Algorithm Name Blowfish DES IDEA RC2 RC4 RC5 Triple DES
CSC1720 Introduction to Internet

10

## All copyrights reserved by C.C. Cheung 2003.

Public-key Encryption

Involves 2 distinct keys public, private. The private key is kept secret and never be divulged, and it is password protected (Passphase). The public key is not secret and can be freely distributed, shared with anyone. It is also called asymmetric cryptography. Two keys are mathematically related, it is infeasible to derive the private key from the public key. 100 to 1000 times slower than secret-key algorithms.
Public Key Ciphertext
11

Private Key

Plaintext

Encryption

Decryption

Plaintext

## How to use 2 different keys?

Just an example:
Public Key = 4, Private Key = 1/4, message M = 5 Encryption:
Ciphertext C = M * Public Key 5 * 4 = 20

Decryption:
Plaintext M = C * Private Key 20 * = 5

## CSC1720 Introduction to Internet 12 All copyrights reserved by C.C. Cheung 2003.

Public-Private Encryption
Public key Public key stored in the directory First, create public and private key Public Key Directory

Private key Public Key Private key Private key stored in your personal computer
CSC1720 Introduction to Internet 13 All copyrights reserved by C.C. Cheung 2003.

## Message Encryption (User A sends message to User B)

Public Key Directory User Bs Public Key

## Text Encryption User A

CSC1720 Introduction to Internet 14

Encrypted Text

## All copyrights reserved by C.C. Cheung 2003.

Message Encryption
Original Message Encrypted Message

15

User A

User B

Encrypted Text

16

## Decryption with your Private key

Encrypted Text
Private key stored in your personal computer

User B

## User Bs Private key

Decryption

Original Text
CSC1720 Introduction to Internet 17 All copyrights reserved by C.C. Cheung 2003.

Asymmetric algorithms
Algorithm Name DSA El Gamal RSA Diffie-Hellman Key Length (bits) Up to 448 56 128 Up to 2048

18

## How difficult to crack a key?

Attacker
Individual attacker Small group Academic Network Large company Military Intelligence agency

Computer Resources
One high-performance desktop machine & Software 16 high-end machines & Software 256 high-end machines & Software \$1,000,000 hardware budget \$1,000,000 hardware budget + advanced technology

Keys / Second
2^17 2^24 2^21 2^24 2^25 2^28 2^43 2^55

## Key Length 40 56 64 80 128

Individual Small Attacker Group Weeks Centuries Millennia Infeasible Infeasible Days Decades Centuries Infeasible Infeasible

19

## Crack DES-3 (Secret-key)

Distributed.net connects 100,000 PCs on the Net, to get a record-breaking 22 hr 15 min to crack the DES algorithm. Speed: 245 billion keys/s Win \$10,000

20

## All copyrights reserved by C.C. Cheung 2003.

Message-Digest Algorithms

It maps a variable-length input message to a fixed-length output digest. It is not feasible to determine the original message based on its digest. It is impossible to find an arbitrary message that has a desired digest. It is infeasible to find two messages that have the same digest.
21 All copyrights reserved by C.C. Cheung 2003.

## CSC1720 Introduction to Internet

Message-Digest How to

A hash function is a math equation that create a message digest from message. A message digest is used to create a unique digital signature from a particular document. MD5 example
22

Hash Function

Digest

23

## All copyrights reserved by C.C. Cheung 2003.

Message-Digest
Message-Digest Algorithm MD2 Digest Length (bits) 128

## References: MD2 MD4 MD5 SHA

MD4
MD5 Secure Hash Algorithm (SHA)
CSC1720 Introduction to Internet 24

128
128 160

25

## All copyrights reserved by C.C. Cheung 2003.

Digital Signature

## Digital signature can be used in all electronic communications

Web, e-mail, e-commerce

It is an electronic stamp or seal that append to the document. Ensure the document being unchanged during transmission.
26 All copyrights reserved by C.C. Cheung 2003.

## How digital Signature works?

User A Transmit via the Internet

Use As private key to sign the document User B received the document with signature attached User B

27

## Digital Signature Generation and Verification

Message Sender Message Hash function Digest Private Key Encryption Signature Message Receiver Message Hash function

Public Key

28

## All copyrights reserved by C.C. Cheung 2003.

Digital Signature

Reference

29

## All copyrights reserved by C.C. Cheung 2003.

Key Management

They need the file contains the key They need the passphrase for that key

## If you have never written down your passphrase or told anyone

Very hard to crack Brute-force attack wont work

30

## All copyrights reserved by C.C. Cheung 2003.

Digital Certificates

Digital Certificate is a data with digital signature from one trusted Certification Authority (CA). This data contains:
Who owns this certificate Who signed this certificate The expired date User name & email address

31

## All copyrights reserved by C.C. Cheung 2003.

Digital Certificate

Reference

32

## A Digital ID typically contains the following information:

Your public key, Your name and email address Expiration date of the public key, Name of the CA who issued your Digital ID

33

## Certification Authority (CA)

A trusted agent who certifies public keys for general use (Corporation or Bank).
User has to decide which CAs can be trusted.

The model for key certification based on friends and friends of friends is called Web of Trust.
The public key is passing from friend to friend. Works well in small or high connected worlds. What if you receive a public key from someone you dont know?

34

Root Certificate

CA Certificate

CA Certificate

Browser Cert.

Server Cert.

35

B A Alice

Bob C

36

## Public Key Infrastructure (PKI)

PKI is a system that uses public-key encryption and digital certificates to achieve secure Internet services. There are 4 major parts in PKI.
Certification Authority (CA) A directory Service Services, Banks, Web servers Business Users

37

38

## All copyrights reserved by C.C. Cheung 2003.

PKI Structure
Certification Authority Directory services

39

4 key services

## Authentication Digital Certificate

To identify a user who claim who he/she is, in order to access the resource.

## Non-repudiation Digital Signature

To make the user becomes unable to deny that he/she has sent the message, signed the document or participated in a transaction.

Confidentiality - Encryption
To make the transaction secure, no one else is able to read/retrieve the ongoing transaction unless the communicating parties.

Integrity - Encryption
To ensure the information has not been tampered during transmission.

40

## All copyrights reserved by C.C. Cheung 2003.

Certificate Signers

41

42

## Secure Web Communication

Server authentication is necessary for a web client to identify the web site it is communicating with. To use SSL, a special type of digital certificate Server certificate is used. Get a server certificate from a CA.
E.g. www.hitrust.com.hk, www.cuhk.edu.hk/ca/

Install a server certificate at the Web server. Enable SSL on the Web site. Client authentication Client certificates
43 All copyrights reserved by C.C. Cheung 2003.

## Strong and Weak Encryption

Strong encryption
Encryption methods that cannot be cracked by brute-force (in a reasonable period of time). The world fastest computer needs thousands of years to compute a key.

Weak encryption
A code that can be broken in a practical time frame. 56-bit encryption was cracked in 1999. 64-bit will be cracked in 2011. 128-bit will be cracked in 2107.

44

## Pretty Good Privacy (PGP)

Release in June 1991 by Philip Zimmerman (PRZ) PGP is a hybrid cryptosystem that allows user to encrypt and decrypt. Use session key a random generated number from the mouse movement or keystrokes Demo & Tutorial
45 All copyrights reserved by C.C. Cheung 2003.

## PGP Public Key

Philip R Zimmermann's Public Keys Current DSS/Diffie-Hellman Key: Key fingerprint: 055F C78F 1121 9349 2C4F 37AF C746 3639 B2D7 795E -----BEGIN PGP PUBLIC KEY BLOCK----Version: PGP 7.0.3 mQGiBDpU6CcRBADCT/tGpBu0EHpjd3G11QtkTWYnihZDBdenjYV2EvotgRZAj5h4ewprq1u/zqzGBYpiYL/9j+5XDFcoWF24bzsUmHXsbD Siv+XEyQND1GUdx4wVcEY5rNjkArX06XuZzObvXFXOvqRj6LskePtw3xLf5uj8jPN0Nf6YKnhfGIHRWQCg/0UAr3hMK6zcA/egvWRGsm9d JecD/18XWekzt5JJeK3febJO/3Mwe43O6VNOxmMpGWOYTrhivyOb/ZLgLedqX+MeXHGdGroARZ+kxYq/a9y5jNcivD+EyN+IiNDPD64rl00 FNZksx7dijD89PbIULDCtUpps2J0gk5inR+yzinf+jDyFnn5UEHI2rPFLUbXWHJXJcp0UBACBkzDdesPjEVXZdTRTLk0sfiWEdcBM/5GpNsw MlK4A7A6iqJoSNJ4pO5Qq6PYOwDFqGir19WEfoTyHW0kxipnVbvq4q2vAhSIKOqNEJGxg4DTEKecf3xCdJ0kW8dVSogHDH/c+Q4+RFQ q/31aev3HDy20YayxAE94BWIsKkhaMyokAYQQfEQIAIQUCOlTwWwIHABcMgBE/xzIEHSPp6mbdtQCcnbwh33TcYQAKCRDHRjY5std5Xl e4AKCh1dqtFxD/BiZMqdP1eZYG8AZgTACfU7VX8NpIaGmdyzVdrSDUo49AJae0IlBoaWxpcCBSLiBaaW1tZXJtYW5uIDxwcnpAbWl0LmV kdT6JAFUEEBECABUFAjpU6CcFCwkIBwMCGQEFGwMAAAAACgkQx0Y2ObLXeV5WUQCfWWfTDHzSezrDawgN2Z4Qb7dHKooAoJyV nm61utdRsdLr2e6QnV5Z0yjjiQBGBBARAgAGBQI6VOkSAAoJEGPLaR3669X8JPcAnim4+Hc0oteQZrNUeuMSuirNVUr7AKC1WXJI7gwM q0Agz07hQs++POJBMokARgQQEQIABgUCOlcobQAKCRDXjLzlZqdLMVBtAKDa5VPcb6NVH6tVeEDJUv+tBjp6oACeLoNtfbs2rvJkgKDH WEIDmJdgy2GJAD8DBRA6WP4Y8CBzV/QUlSsRAkmdAKC3TfkSSeh+poPFnMfW+/Y/+AAEEpGSUYAAQEAAAEAAQAA/9sAQwAKBwc IBwYKCAgICwoKCw4YEA4NDQ4dFRYRGCMfJSQiHyIhJis3LyYpNCkhIjBBMTQ5Oz4+PiUuRElDPEg3PT47///EALUQAAIBAwMCBAMFB .. QQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6On q8fLz9PX29/j5+v/EAB8BAAMBAQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC//EALURAAIBAgQEAwQHBQQEAAECdwABAgMRBAU hMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEXGBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWp zdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX29/j5+v/aAA wDAQACEQMRAD8A9mooooAKKKKACsjW/Eum6FGTdS7pcfLEv3j/AIfjWV428XHQrf7HY4e/lHXIxEvqfevH7y8lupXmmuJppWOZJC+AD9 aly7GkIX1Z3OpfE3Up3K2EUVumcdN7fy/pWLL4415wPM1GWPJyNpK/0Fc5btG/Pktkfx7yTVhYAGLsAxbryf5c5rNvzNlG3Q6yz8ZaxEyudQ kcZ+7JtYH867PRfG9nfIsd7/o8p/iI+U/4V5EI/IGV+XUGfnHy9iUsiGSa6q6Jew1XpTDJvAAICDACNUV4K2PS6h574Z3NaBsIQe5jkVO48MS ohjC6s29CjPhlU79cQIYWmBpuNfwroZ6zltyz6Y2Fm65V0IfvVicR7zvFFCOhahMuk1cr+Qp936OMEq9sLZGxTjClgwrHGS7YpMSZrEC7bp OmERjo4F/n5YmCHJCH8QzCOc9+80gjVEsHiJVABrC8yykjKL5x1V/PSArE4QtMLbkBPGmQYOw8bx6jCHoO43QjUzbqRfBMHZqWVJyoII ZCp+n13XM4+NO/cDVsZ8bjch0LIOyMrT85n24yfXRlP0s7BFjLm59Jjhf4djuJWikJawWETlypAy86OYRRuwCbIyNauBeTKy+avZvF2oLvpw H4UnudpC06/O0jkj2lQpn9EEUw11RwO6sq9zYTwAUyKerN00cbCfyiZl01CIo0btcTO6hQK3c67PaloJ9lVH8/mH7LuqkMLDH5ugkpzmed/8 SorfqVkakne6b4mRySFCBXaVZoKmDHzcH2oSSMhM9exyh6dzi1bGu6JAEwEGBECAAwFAjpU6CcFGwwAAAAACgkQx0Y2ObLXeV7lb QCg+N+fI3bzqF9+fB50J5sFHVHM7hYAn0+9AfDl5ncnr4D7 ReMDlYoIZwRR =Bgy+ -----END PGP PUBLIC KEY BLOCK-----

46

PGP encryption

## CSC1720 Introduction to Internet

Reference
47 All copyrights reserved by C.C. Cheung 2003.

PGP decryption

## CSC1720 Introduction to Internet

Reference
48 All copyrights reserved by C.C. Cheung 2003.

## Secure SHell (SSH)

Provide an encrypted secure channel between client and server. Replacement for telnet and ftp. Reference: SSH

49

## Secure Shell & Secure FTP

Secure Shell Secure FTP

50

## Secure Electronic Transaction (SET)

This protocol is developed by Visa and MasterCard specifically for the secure credit card transactions on the Internet. SET encrypts credit card and purchase information before transmission over the Internet. SET allows the merchants identify be authenticated via digital certificates, also allows the merchant to authenticate users through their digital certificates (more difficult to someones stolen credit card). SET DEMO
51 All copyrights reserved by C.C. Cheung 2003.

## There are four parts in the SET system.

A software wallet on the users computer Cardholder. A commerce server that runs on the merchants web site Merchant. The payment server that runs at the merchants bank Acquiring bank. The Certification Authority Issuing bank.

SET FAQs
52 All copyrights reserved by C.C. Cheung 2003.

SET

53

## All copyrights reserved by C.C. Cheung 2003.

Privacy-Enhanced E-mail

Encrypted Signed

54

Summary

## Make sure you understand the relationship between

Encryption Digital Signature Digital Certificate Certificate Authority

Understand which Public/Private key should be used to encrypt/decrypt message to/from you? Discuss PGP, SET, SSH, encrypted email.
55 All copyrights reserved by C.C. Cheung 2003.

## CSC1720 Introduction to Internet

References

Digital Certificate (Applied Internet Security) By Feghhi, Feghhi, Williams Addison Wesley Basic Crytography Digital Signature PKI Resources SET Resources General Definitions Digital ID FAQ
The End. Thank you for your patience!
56 All copyrights reserved by C.C. Cheung 2003.