You are on page 1of 56

Digital Signature, Digital Certificate

CSC1720 Introduction to Internet Essential Materials

Outline
 

Introduction Cryptography
SecretSecret-key algorithms Public-key algorithms PublicMessageMessage-Digest algorithms

    

Digital Signature Digital Certificate Public Key Infrastructure (PKI) Secure Electronic Transaction (SET) Summary
2 All copyrights reserved by C.C. Cheung 2003.

CSC1720 Introduction to Internet

Introduction


 

Cryptography and digital certificates are first appeared in closed commercial, financial network and military systems. We can send/receive secure e-mail, connect eto secure website to purchase goods or obtain services. Problem: How do we implement them in this global, open network, Internet? To what level of encryption is sufficient to provide safe and trust services on the Net?
3 All copyrights reserved by C.C. Cheung 2003.

CSC1720 Introduction to Internet

Cryptography


3 cryptographic algorithms:
MessageMessage-digest algorithms


Map variable-length plaintext to fixed-length variablefixedciphertext. Use one single key to encrypt and decrypt. Use 2 different keys public key and private key.
4 All copyrights reserved by C.C. Cheung 2003.

SecretSecret-key algorithms


PublicPublic-key algorithms


CSC1720 Introduction to Internet

Keys


It is a variable value that is used by cryptographic algorithms to produce encrypted text, or decrypt encrypted text. The length of the key reflects the difficulty to decrypt from the encrypted message.
Key Key

Plaintext

Encryption

Ciphertext

Decryption

Plaintext

CSC1720 Introduction to Internet

All copyrights reserved by C.C. Cheung 2003.

Key length
 

It is the number of bits (bytes) in the key. A 2-bit key has four values 200, 01, 10, 11 in its key space

A key of length n has a key space of 2^n distinct values. E.g. the key is 128 bits
101010101010 101010101010.10010101111111 There are 2^128 combinations
340 282 366 920 938 463 463 374 607 431 768 211 456

CSC1720 Introduction to Internet

All copyrights reserved by C.C. Cheung 2003.

SecretSecret-key Encryption


Use a secret key to encrypt a message into ciphertext. Use the same key to decrypt the ciphertext to the original message. Also called Symmetric cryptography. cryptography
Secret Key Secret Key Ciphertext

Plaintext

Encryption

Decryption

Plaintext

CSC1720 Introduction to Internet

All copyrights reserved by C.C. Cheung 2003.

Secret Key How to?


Original Text + Secret key = Encrypted Text

Encryption

Encrypted Text +

Secret key = Decryption

Original Text

CSC1720 Introduction to Internet

All copyrights reserved by C.C. Cheung 2003.

SecretSecret-Key Problem?


All keys need to be replaced, if one key is compromised. Not practical for the Internet environment. On the other hand, the encryption speed is fast. Suitable to encrypt your personal data.
All copyrights reserved by C.C. Cheung 2003.

CSC1720 Introduction to Internet

SecretSecret-Key algorithms
Algorithm Name Blowfish DES IDEA RC2 RC4 RC5 Triple DES
CSC1720 Introduction to Internet

Key Length (bits) Up to 448 56 128 Up to 2048 Up to 2048 Up to 2048 192


10

References: Blowfish DES IDEA RC2 RC4 RC5 DES-3

All copyrights reserved by C.C. Cheung 2003.

PublicPublic-key Encryption
 

 

Involves 2 distinct keys public, private. public, private. The private key is kept secret and never be divulged, and it is password protected (Passphase). The public key is not secret and can be freely distributed, shared with anyone. It is also called asymmetric cryptography. cryptography Two keys are mathematically related, it is infeasible to derive the private key from the public key. 100 to 1000 times slower than secret-key algorithms. secretPublic Key Private Key

Plaintext

Encryption

Ciphertext
11

Decryption

Plaintext

CSC1720 Introduction to Internet

All copyrights reserved by C.C. Cheung 2003.

How to use 2 different keys?




Just an example:
Public Key = 4, Private Key = 1/4, message M = 5 Encryption:
Ciphertext C = M * Public Key  5 * 4 = 20


Decryption:
Plaintext M = C * Private Key  20 * = 5

CSC1720 Introduction to Internet 12 All copyrights reserved by C.C. Cheung 2003.

PublicPublic-Private Encryption
Public key Public key stored in the directory First, create public and private key Public Key Directory

Private key Public Key Private key Private key stored in your personal computer
CSC1720 Introduction to Internet 13 All copyrights reserved by C.C. Cheung 2003.

Message Encryption (User A sends message to User B) B)


Public Key Directory User Bs Public Key

Text Encryption User A


CSC1720 Introduction to Internet 14

Encrypted Text

All copyrights reserved by C.C. Cheung 2003.

Message Encryption
Original Message Encrypted Message

CSC1720 Introduction to Internet

15

All copyrights reserved by C.C. Cheung 2003.

Transfer Encrypted Data

User A

User B

Encrypted Text Insecure Channel

Encrypted Text

CSC1720 Introduction to Internet

16

All copyrights reserved by C.C. Cheung 2003.

Decryption with your Private key


Encrypted Text Private key stored in your personal computer

User B User Bs Private key Decryption

Original Text
CSC1720 Introduction to Internet 17 All copyrights reserved by C.C. Cheung 2003.

Asymmetric algorithms
Algorithm Name DSA El Gamal RSA DiffieDiffie-Hellman Key Length (bits) Up to 448 56 128 Up to 2048

References: DSA El Gamal RSA Diffie-Hellman

CSC1720 Introduction to Internet

18

All copyrights reserved by C.C. Cheung 2003.

How difficult to crack a key?


Attacker Individual attacker Small group Academic Network Large company Military Intelligence agency Computer Resources One high-performance desktop machine & Software high16 high-end machines & Software high256 high-end machines & Software high$1,000,000 hardware budget $1,000,000 hardware budget + advanced technology Keys / Second 2^17 2^24 2^21 2^24 2^25 2^28 2^43 2^55

Key Length 40 56 64 80 128

Individual Small Attacker Group Weeks Centuries Millennia Days Decades Centuries

Academic Network Hours Years Decades Infeasible Infeasible


19

Large Company Milliseconds Hours Days Centuries Infeasible

Military Inteligence Agency Microseconds Seconds Minutes Centuries Millennia

Infeasible Infeasible Infeasible Infeasible

CSC1720 Introduction to Internet

All copyrights reserved by C.C. Cheung 2003.

Crack DES-3 (Secret-key) DES- (Secret-

Distributed.net connects 100,000 PCs on the Net, to get a record-breaking 22 hr 15 min to crack the DES algorithm. Speed: 245 billion keys/s Win $10,000

CSC1720 Introduction to Internet

20

All copyrights reserved by C.C. Cheung 2003.

MessageMessage-Digest Algorithms


  

It maps a variable-length input variablemessage to a fixed-length output fixeddigest. It is not feasible to determine the original message based on its digest. It is impossible to find an arbitrary message that has a desired digest. It is infeasible to find two messages that have the same digest.
21 All copyrights reserved by C.C. Cheung 2003.

CSC1720 Introduction to Internet

MessageMessage-Digest How to


A hash function is a math equation that create a message digest from message. A message digest is used to create a unique digital signature from a particular document. MD5 example
22

Original Message (Document, E-mail)

Hash Function

Digest

CSC1720 Introduction to Internet

All copyrights reserved by C.C. Cheung 2003.

Message Digest Demo

CSC1720 Introduction to Internet

23

All copyrights reserved by C.C. Cheung 2003.

MessageMessage-Digest
MessageMessage-Digest Algorithm MD2 MD4 MD5 Secure Hash Algorithm (SHA)
CSC1720 Introduction to Internet 24

Digest Length (bits) 128 128 128 160


References: MD2 MD4 MD5 SHA

All copyrights reserved by C.C. Cheung 2003.

Break Time 15 minutes

CSC1720 Introduction to Internet

25

All copyrights reserved by C.C. Cheung 2003.

Digital Signature


Digital signature can be used in all electronic communications


Web, e-mail, e-commerce ee-

It is an electronic stamp or seal that append to the document. Ensure the document being unchanged during transmission.
26 All copyrights reserved by C.C. Cheung 2003.

CSC1720 Introduction to Internet

How digital Signature works?


User A Transmit via the Internet

Use As private key to sign the document User B received the document with signature attached

Verify the signature by As public key stored at the directory

User B

CSC1720 Introduction to Internet

27

All copyrights reserved by C.C. Cheung 2003.

Digital Signature Generation and Verification


Message Sender Message Hash function Digest Private Key Encryption Signature Message Receiver Message Hash function

Public Key

Decryption Expected Digest

Digest

CSC1720 Introduction to Internet

28

All copyrights reserved by C.C. Cheung 2003.

Digital Signature

Reference

CSC1720 Introduction to Internet

29

All copyrights reserved by C.C. Cheung 2003.

Key Management
 

Private key are password-protected. passwordIf someone want your private key:
They need the file contains the key They need the passphrase for that key

If you have never written down your passphrase or told anyone


Very hard to crack BruteBrute-force attack wont work won

CSC1720 Introduction to Internet

30

All copyrights reserved by C.C. Cheung 2003.

Digital Certificates


Digital Certificate is a data with digital signature from one trusted Certification Authority (CA). This data contains:
Who owns this certificate Who signed this certificate The expired date User name & email address

CSC1720 Introduction to Internet

31

All copyrights reserved by C.C. Cheung 2003.

Digital Certificate

Reference

CSC1720 Introduction to Internet

32

All copyrights reserved by C.C. Cheung 2003.

Elements of Digital Cert.




A Digital ID typically contains the following information:


Your public key, Your name and email address Expiration date of the public key, Name of the CA who issued your Digital ID

CSC1720 Introduction to Internet

33

All copyrights reserved by C.C. Cheung 2003.

Certification Authority (CA)




A trusted agent who certifies public keys for general use (Corporation or Bank).
User has to decide which CAs can be trusted.

The model for key certification based on friends and friends of friends is called Web of Trust. Trust
The public key is passing from friend to friend. Works well in small or high connected worlds. What if you receive a public key from someone you dont know? don

CSC1720 Introduction to Internet

34

All copyrights reserved by C.C. Cheung 2003.

CA model (Trust model)


Root Certificate

CA Certificate

CA Certificate

Browser Cert.

Server Cert.

CSC1720 Introduction to Internet

35

All copyrights reserved by C.C. Cheung 2003.

Web of Trust model


B A Alice

Bob D C

CSC1720 Introduction to Internet

36

All copyrights reserved by C.C. Cheung 2003.

Public Key Infrastructure (PKI)




PKI is a system that uses public-key publicencryption and digital certificates to achieve secure Internet services. There are 4 major parts in PKI.
Certification Authority (CA) A directory Service Services, Banks, Web servers Business Users

CSC1720 Introduction to Internet

37

All copyrights reserved by C.C. Cheung 2003.

Digital 21 . gov .hk

Reference: An official homepage which provides lot of PKI, e-commerce information

CSC1720 Introduction to Internet

38

All copyrights reserved by C.C. Cheung 2003.

PKI Structure
Certification Authority Directory services

Public/Private Keys User

Services, Banks, Webservers

CSC1720 Introduction to Internet

39

All copyrights reserved by C.C. Cheung 2003.

4 key services


Authentication Digital Certificate


To identify a user who claim who he/she is, in order to access the resource.

NonNon-repudiation Digital Signature


To make the user becomes unable to deny that he/she has sent the message, signed the document or participated in a transaction.

Confidentiality - Encryption
To make the transaction secure, no one else is able to read/retrieve the ongoing transaction unless the communicating parties.

Integrity - Encryption
To ensure the information has not been tampered during transmission.

CSC1720 Introduction to Internet

40

All copyrights reserved by C.C. Cheung 2003.

Certificate Signers

CSC1720 Introduction to Internet

41

All copyrights reserved by C.C. Cheung 2003.

Certificate Enrollment and Distribution

CSC1720 Introduction to Internet

42

All copyrights reserved by C.C. Cheung 2003.

Secure Web Communication




 

Server authentication is necessary for a web client to identify the web site it is communicating with. To use SSL, a special type of digital certificate Server certificate is used. certificate Get a server certificate from a CA.
E.g. www.hitrust.com.hk, www.cuhk.edu.hk/ca/ www.hitrust.com.hk,

  

Install a server certificate at the Web server. Enable SSL on the Web site. Client authentication Client certificates
43 All copyrights reserved by C.C. Cheung 2003.

CSC1720 Introduction to Internet

Strong and Weak Encryption




Strong encryption
Encryption methods that cannot be cracked by brutebrute-force (in a reasonable period of time). The world fastest computer needs thousands of years to compute a key.

Weak encryption
A code that can be broken in a practical time frame. 5656-bit encryption was cracked in 1999. 6464-bit will be cracked in 2011. 128128-bit will be cracked in 2107.

CSC1720 Introduction to Internet

44

All copyrights reserved by C.C. Cheung 2003.

Pretty Good Privacy (PGP)




Release in June 1991 by Philip Zimmerman (PRZ) PGP is a hybrid cryptosystem that allows user to encrypt and decrypt. Use session key a random generated number from the mouse movement or keystrokes keystrokes Demo & Tutorial
45 All copyrights reserved by C.C. Cheung 2003.

CSC1720 Introduction to Internet

PGP Public Key


    

Philip R Zimmermann's Public Keys Current DSS/Diffie-Hellman Key: DSS/DiffieKey fingerprint: 055F C78F 1121 9349 2C4F 37AF C746 3639 B2D7 795E -----BEGIN -----BEGIN PGP PUBLIC KEY BLOCK----BLOCK----Version: PGP 7.0.3 mQGiBDpU6CcRBADCT/tGpBu0EHpjd3G11QtkTWYnihZDBdenjYV2EvotgRZAj5h4ewprq1u/zqzGBYpiYL/9j+5XDFcoWF24bzsUmHXsbD Siv+XEyQND1GUdx4wVcEY5rNjkArX06XuZzObvXFXOvqRj6LskePtw3xLf5uj8jPN0Nf6YKnhfGIHRWQCg/0UAr3hMK6zcA/egvWRGsm9d JecD/18XWekzt5JJeK3febJO/3Mwe43O6VNOxmMpGWOYTrhivyOb/ZLgLedqX+MeXHGdGroARZ+kxYq/a9y5jNcivD+EyN+IiNDPD64rl00 FNZksx7dijD89PbIULDCtUpps2J0gk5inR+yzinf+jDyFnn5UEHI2rPFLUbXWHJXJcp0UBACBkzDdesPjEVXZdTRTLk0sfiWEdcBM/5GpNsw MlK4A7A6iqJoSNJ4pO5Qq6PYOwDFqGir19WEfoTyHW0kxipnVbvq4q2vAhSIKOqNEJGxg4DTEKecf3xCdJ0kW8dVSogHDH/c+Q4+RFQ q/31aev3HDy20YayxAE94BWIsKkhaMyokAYQQfEQIAIQUCOlTwWwIHABcMgBE/xzIEHSPp6mbdtQCcnbwh33TcYQAKCRDHRjY5std5Xl e4AKCh1dqtFxD/BiZMqdP1eZYG8AZgTACfU7VX8NpIaGmdyzVdrSDUo49AJae0IlBoaWxpcCBSLiBaaW1tZXJtYW5uIDxwcnpAbWl0LmV kdT6JAFUEEBECABUFAjpU6CcFCwkIBwMCGQEFGwMAAAAACgkQx0Y2ObLXeV5WUQCfWWfTDHzSezrDawgN2Z4Qb7dHKooAoJyV nm61utdRsdLr2e6QnV5Z0yjjiQBGBBARAgAGBQI6VOkSAAoJEGPLaR3669X8JPcAnim4+Hc0oteQZrNUeuMSuirNVUr7AKC1WXJI7gwM q0Agz07hQs++POJBMokARgQQEQIABgUCOlcobQAKCRDXjLzlZqdLMVBtAKDa5VPcb6NVH6tVeEDJUv+tBjp6oACeLoNtfbs2rvJkgKDH WEIDmJdgy2GJAD8DBRA6WP4Y8CBzV/QUlSsRAkmdAKC3TfkSSeh+poPFnMfW+/Y/+AAEEpGSUYAAQEAAAEAAQAA/9sAQwAKBwc IBwYKCAgICwoKCw4YEA4NDQ4dFRYRGCMfJSQiHyIhJis3LyYpNCkhIjBBMTQ5Oz4+PiUuRElDPEg3PT47///EALUQAAIBAwMCBAMFB .. QQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6On q8fLz9PX29/j5+v/EAB8BAAMBAQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC//EALURAAIBAgQEAwQHBQQEAAECdwABAgMRBAU hMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEXGBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWp zdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX29/j5+v/aAA wDAQACEQMRAD8A9mooooAKKKKACsjW/Eum6FGTdS7pcfLEv3j/AIfjWV428XHQrf7HY4e/lHXIxEvqfevH7y8lupXmmuJppWOZJC+AD9 aly7GkIX1Z3OpfE3Up3K2EUVumcdN7fy/pWLL4415wPM1GWPJyNpK/0Fc5btG/Pktkfx7yTVhYAGLsAxbryf5c5rNvzNlG3Q6yz8ZaxEyudQ kcZ+7JtYH867PRfG9nfIsd7/o8p/iI+U/4V5EI/IGV+XUGfnHy9iUsiGSa6q6Jew1XpTDJvAAICDACNUV4K2PS6h574Z3NaBsIQe5jkVO48MS ohjC6s29CjPhlU79cQIYWmBpuNfwroZ6zltyz6Y2Fm65V0IfvVicR7zvFFCOhahMuk1cr+Qp936OMEq9sLZGxTjClgwrHGS7YpMSZrEC7bp OmERjo4F/n5YmCHJCH8QzCOc9+80gjVEsHiJVABrC8yykjKL5x1V/PSArE4QtMLbkBPGmQYOw8bx6jCHoO43QjUzbqRfBMHZqWVJyoII ZCp+n13XM4+NO/cDVsZ8bjch0LIOyMrT85n24yfXRlP0s7BFjLm59Jjhf4djuJWikJawWETlypAy86OYRRuwCbIyNauBeTKy+avZvF2oLvpw H4UnudpC06/O0jkj2lQpn9EEUw11RwO6sq9zYTwAUyKerN00cbCfyiZl01CIo0btcTO6hQK3c67PaloJ9lVH8/mH7LuqkMLDH5ugkpzmed/8 SorfqVkakne6b4mRySFCBXaVZoKmDHzcH2oSSMhM9exyh6dzi1bGu6JAEwEGBECAAwFAjpU6CcFGwwAAAAACgkQx0Y2ObLXeV7lb QCg+N+fI3bzqF9+fB50J5sFHVHM7hYAn0+9AfDl5ncnr4D7 ReMDlYoIZwRR =Bgy+ -----END -----END PGP PUBLIC KEY BLOCK----BLOCK-----

 

CSC1720 Introduction to Internet

46

All copyrights reserved by C.C. Cheung 2003.

PGP encryption


CSC1720 Introduction to Internet

Reference
47 All copyrights reserved by C.C. Cheung 2003.

PGP decryption


CSC1720 Introduction to Internet

Reference
48 All copyrights reserved by C.C. Cheung 2003.

Secure SHell (SSH)




Provide an encrypted secure channel between client and server. Replacement for telnet and ftp. Reference: SSH

CSC1720 Introduction to Internet

49

All copyrights reserved by C.C. Cheung 2003.

Secure Shell & Secure FTP


Secure Shell Secure FTP

The Hosts Public Key

CSC1720 Introduction to Internet

50

All copyrights reserved by C.C. Cheung 2003.

Secure Electronic Transaction (SET)




This protocol is developed by Visa and MasterCard specifically for the secure credit card transactions on the Internet. SET encrypts credit card and purchase information before transmission over the Internet. SET allows the merchants identify be authenticated merchant via digital certificates, also allows the merchant to authenticate users through their digital certificates (more difficult to someones stolen credit card). someone SET DEMO
51 All copyrights reserved by C.C. Cheung 2003.

CSC1720 Introduction to Internet

Secure Electronic Transaction (SET)




There are four parts in the SET system.


A software wallet on the users computer wallet user Cardholder. Cardholder A commerce server that runs on the merchants merchant web site Merchant. Merchant The payment server that runs at the merchants merchant bank Acquiring bank. bank The Certification Authority Issuing bank. bank

SET FAQs
52 All copyrights reserved by C.C. Cheung 2003.

CSC1720 Introduction to Internet

SET

CSC1720 Introduction to Internet

53

All copyrights reserved by C.C. Cheung 2003.

PrivacyPrivacy-Enhanced E-mail E-

Encrypted Signed

CSC1720 Introduction to Internet

54

All copyrights reserved by C.C. Cheung 2003.

Summary


Make sure you understand the relationship between


Encryption Digital Signature Digital Certificate Certificate Authority

Understand which Public/Private key should be used to encrypt/decrypt message to/from you? Discuss PGP, SET, SSH, encrypted email.
55 All copyrights reserved by C.C. Cheung 2003.

CSC1720 Introduction to Internet

References
      

Digital Certificate (Applied Internet Security) By Feghhi, Feghhi, Williams Addison Wesley Basic Crytography Digital Signature PKI Resources SET Resources General Definitions Digital ID FAQ The End. Thank you for your patience!
56 All copyrights reserved by C.C. Cheung 2003.

 

CSC1720 Introduction to Internet