You are on page 1of 56

# Digital Signature, Digital Certificate

## CSC1720 Introduction to Internet Essential Materials

Outline
 

Introduction Cryptography
SecretSecret-key algorithms Public-key algorithms PublicMessageMessage-Digest algorithms

    

Digital Signature Digital Certificate Public Key Infrastructure (PKI) Secure Electronic Transaction (SET) Summary
2 All copyrights reserved by C.C. Cheung 2003.

## CSC1720 Introduction to Internet

Introduction


 

Cryptography and digital certificates are first appeared in closed commercial, financial network and military systems. We can send/receive secure e-mail, connect eto secure website to purchase goods or obtain services. Problem: How do we implement them in this global, open network, Internet? To what level of encryption is sufficient to provide safe and trust services on the Net?
3 All copyrights reserved by C.C. Cheung 2003.

## CSC1720 Introduction to Internet

Cryptography


3 cryptographic algorithms:
MessageMessage-digest algorithms


Map variable-length plaintext to fixed-length variablefixedciphertext. Use one single key to encrypt and decrypt. Use 2 different keys public key and private key.
4 All copyrights reserved by C.C. Cheung 2003.

SecretSecret-key algorithms


PublicPublic-key algorithms


## CSC1720 Introduction to Internet

Keys


It is a variable value that is used by cryptographic algorithms to produce encrypted text, or decrypt encrypted text. The length of the key reflects the difficulty to decrypt from the encrypted message.
Key Key

Plaintext

Encryption

Ciphertext

Decryption

Plaintext

## All copyrights reserved by C.C. Cheung 2003.

Key length
 

It is the number of bits (bytes) in the key. A 2-bit key has four values 200, 01, 10, 11 in its key space

A key of length n has a key space of 2^n distinct values. E.g. the key is 128 bits
101010101010 101010101010.10010101111111 There are 2^128 combinations
340 282 366 920 938 463 463 374 607 431 768 211 456

## All copyrights reserved by C.C. Cheung 2003.

SecretSecret-key Encryption


Use a secret key to encrypt a message into ciphertext. Use the same key to decrypt the ciphertext to the original message. Also called Symmetric cryptography. cryptography
Secret Key Secret Key Ciphertext

Plaintext

Encryption

Decryption

Plaintext

## Secret Key How to?

Original Text + Secret key = Encrypted Text

Encryption

Encrypted Text +

Original Text

## All copyrights reserved by C.C. Cheung 2003.

SecretSecret-Key Problem?


All keys need to be replaced, if one key is compromised. Not practical for the Internet environment. On the other hand, the encryption speed is fast. Suitable to encrypt your personal data.
All copyrights reserved by C.C. Cheung 2003.

## CSC1720 Introduction to Internet

SecretSecret-Key algorithms
Algorithm Name Blowfish DES IDEA RC2 RC4 RC5 Triple DES
CSC1720 Introduction to Internet

10

## All copyrights reserved by C.C. Cheung 2003.

PublicPublic-key Encryption
 

 

Involves 2 distinct keys public, private. public, private. The private key is kept secret and never be divulged, and it is password protected (Passphase). The public key is not secret and can be freely distributed, shared with anyone. It is also called asymmetric cryptography. cryptography Two keys are mathematically related, it is infeasible to derive the private key from the public key. 100 to 1000 times slower than secret-key algorithms. secretPublic Key Private Key

Plaintext

Encryption

Ciphertext
11

Decryption

Plaintext

## How to use 2 different keys?



Just an example:
Public Key = 4, Private Key = 1/4, message M = 5 Encryption:
Ciphertext C = M * Public Key  5 * 4 = 20


Decryption:
Plaintext M = C * Private Key  20 * = 5

CSC1720 Introduction to Internet 12 All copyrights reserved by C.C. Cheung 2003.

PublicPublic-Private Encryption
Public key Public key stored in the directory First, create public and private key Public Key Directory

Private key Public Key Private key Private key stored in your personal computer
CSC1720 Introduction to Internet 13 All copyrights reserved by C.C. Cheung 2003.

## Message Encryption (User A sends message to User B) B)

Public Key Directory User Bs Public Key

## Text Encryption User A

CSC1720 Introduction to Internet 14

Encrypted Text

## All copyrights reserved by C.C. Cheung 2003.

Message Encryption
Original Message Encrypted Message

15

User A

User B

Encrypted Text

16

## Decryption with your Private key

Encrypted Text Private key stored in your personal computer

## User B User Bs Private key Decryption

Original Text
CSC1720 Introduction to Internet 17 All copyrights reserved by C.C. Cheung 2003.

Asymmetric algorithms
Algorithm Name DSA El Gamal RSA DiffieDiffie-Hellman Key Length (bits) Up to 448 56 128 Up to 2048

18

## How difficult to crack a key?

Attacker Individual attacker Small group Academic Network Large company Military Intelligence agency Computer Resources One high-performance desktop machine & Software high16 high-end machines & Software high256 high-end machines & Software high\$1,000,000 hardware budget \$1,000,000 hardware budget + advanced technology Keys / Second 2^17 2^24 2^21 2^24 2^25 2^28 2^43 2^55

## Key Length 40 56 64 80 128

Individual Small Attacker Group Weeks Centuries Millennia Days Decades Centuries

19

## Crack DES-3 (Secret-key) DES- (Secret-

Distributed.net connects 100,000 PCs on the Net, to get a record-breaking 22 hr 15 min to crack the DES algorithm. Speed: 245 billion keys/s Win \$10,000

20

## All copyrights reserved by C.C. Cheung 2003.

MessageMessage-Digest Algorithms


  

It maps a variable-length input variablemessage to a fixed-length output fixeddigest. It is not feasible to determine the original message based on its digest. It is impossible to find an arbitrary message that has a desired digest. It is infeasible to find two messages that have the same digest.
21 All copyrights reserved by C.C. Cheung 2003.

## CSC1720 Introduction to Internet

MessageMessage-Digest How to


A hash function is a math equation that create a message digest from message. A message digest is used to create a unique digital signature from a particular document. MD5 example
22

Hash Function

Digest

23

## All copyrights reserved by C.C. Cheung 2003.

MessageMessage-Digest
MessageMessage-Digest Algorithm MD2 MD4 MD5 Secure Hash Algorithm (SHA)
CSC1720 Introduction to Internet 24

## Digest Length (bits) 128 128 128 160

References: MD2 MD4 MD5 SHA

25

## All copyrights reserved by C.C. Cheung 2003.

Digital Signature


## Digital signature can be used in all electronic communications

Web, e-mail, e-commerce ee-

It is an electronic stamp or seal that append to the document. Ensure the document being unchanged during transmission.
26 All copyrights reserved by C.C. Cheung 2003.

## How digital Signature works?

User A Transmit via the Internet

Use As private key to sign the document User B received the document with signature attached

User B

27

## Digital Signature Generation and Verification

Message Sender Message Hash function Digest Private Key Encryption Signature Message Receiver Message Hash function

Public Key

Digest

28

## All copyrights reserved by C.C. Cheung 2003.

Digital Signature

Reference

29

## All copyrights reserved by C.C. Cheung 2003.

Key Management
 

They need the file contains the key They need the passphrase for that key

## If you have never written down your passphrase or told anyone

Very hard to crack BruteBrute-force attack wont work won

30

## All copyrights reserved by C.C. Cheung 2003.

Digital Certificates


Digital Certificate is a data with digital signature from one trusted Certification Authority (CA). This data contains:
Who owns this certificate Who signed this certificate The expired date User name & email address

31

## All copyrights reserved by C.C. Cheung 2003.

Digital Certificate

Reference

32



## A Digital ID typically contains the following information:

Your public key, Your name and email address Expiration date of the public key, Name of the CA who issued your Digital ID

33

## Certification Authority (CA)



A trusted agent who certifies public keys for general use (Corporation or Bank).
User has to decide which CAs can be trusted.

The model for key certification based on friends and friends of friends is called Web of Trust. Trust
The public key is passing from friend to friend. Works well in small or high connected worlds. What if you receive a public key from someone you dont know? don

34

Root Certificate

CA Certificate

CA Certificate

Browser Cert.

Server Cert.

35

B A Alice

Bob D C

36

## Public Key Infrastructure (PKI)



PKI is a system that uses public-key publicencryption and digital certificates to achieve secure Internet services. There are 4 major parts in PKI.
Certification Authority (CA) A directory Service Services, Banks, Web servers Business Users

37

38

## All copyrights reserved by C.C. Cheung 2003.

PKI Structure
Certification Authority Directory services

39

4 key services


## Authentication Digital Certificate

To identify a user who claim who he/she is, in order to access the resource.

## NonNon-repudiation Digital Signature

To make the user becomes unable to deny that he/she has sent the message, signed the document or participated in a transaction.

Confidentiality - Encryption
To make the transaction secure, no one else is able to read/retrieve the ongoing transaction unless the communicating parties.

Integrity - Encryption
To ensure the information has not been tampered during transmission.

40

## All copyrights reserved by C.C. Cheung 2003.

Certificate Signers

41

42

## Secure Web Communication



 

Server authentication is necessary for a web client to identify the web site it is communicating with. To use SSL, a special type of digital certificate Server certificate is used. certificate Get a server certificate from a CA.
E.g. www.hitrust.com.hk, www.cuhk.edu.hk/ca/ www.hitrust.com.hk,

  

Install a server certificate at the Web server. Enable SSL on the Web site. Client authentication Client certificates
43 All copyrights reserved by C.C. Cheung 2003.

## Strong and Weak Encryption



Strong encryption
Encryption methods that cannot be cracked by brutebrute-force (in a reasonable period of time). The world fastest computer needs thousands of years to compute a key.

Weak encryption
A code that can be broken in a practical time frame. 5656-bit encryption was cracked in 1999. 6464-bit will be cracked in 2011. 128128-bit will be cracked in 2107.

44

## Pretty Good Privacy (PGP)



Release in June 1991 by Philip Zimmerman (PRZ) PGP is a hybrid cryptosystem that allows user to encrypt and decrypt. Use session key a random generated number from the mouse movement or keystrokes keystrokes Demo & Tutorial
45 All copyrights reserved by C.C. Cheung 2003.

## PGP Public Key

    

Philip R Zimmermann's Public Keys Current DSS/Diffie-Hellman Key: DSS/DiffieKey fingerprint: 055F C78F 1121 9349 2C4F 37AF C746 3639 B2D7 795E -----BEGIN -----BEGIN PGP PUBLIC KEY BLOCK----BLOCK----Version: PGP 7.0.3 mQGiBDpU6CcRBADCT/tGpBu0EHpjd3G11QtkTWYnihZDBdenjYV2EvotgRZAj5h4ewprq1u/zqzGBYpiYL/9j+5XDFcoWF24bzsUmHXsbD Siv+XEyQND1GUdx4wVcEY5rNjkArX06XuZzObvXFXOvqRj6LskePtw3xLf5uj8jPN0Nf6YKnhfGIHRWQCg/0UAr3hMK6zcA/egvWRGsm9d JecD/18XWekzt5JJeK3febJO/3Mwe43O6VNOxmMpGWOYTrhivyOb/ZLgLedqX+MeXHGdGroARZ+kxYq/a9y5jNcivD+EyN+IiNDPD64rl00 FNZksx7dijD89PbIULDCtUpps2J0gk5inR+yzinf+jDyFnn5UEHI2rPFLUbXWHJXJcp0UBACBkzDdesPjEVXZdTRTLk0sfiWEdcBM/5GpNsw MlK4A7A6iqJoSNJ4pO5Qq6PYOwDFqGir19WEfoTyHW0kxipnVbvq4q2vAhSIKOqNEJGxg4DTEKecf3xCdJ0kW8dVSogHDH/c+Q4+RFQ q/31aev3HDy20YayxAE94BWIsKkhaMyokAYQQfEQIAIQUCOlTwWwIHABcMgBE/xzIEHSPp6mbdtQCcnbwh33TcYQAKCRDHRjY5std5Xl e4AKCh1dqtFxD/BiZMqdP1eZYG8AZgTACfU7VX8NpIaGmdyzVdrSDUo49AJae0IlBoaWxpcCBSLiBaaW1tZXJtYW5uIDxwcnpAbWl0LmV kdT6JAFUEEBECABUFAjpU6CcFCwkIBwMCGQEFGwMAAAAACgkQx0Y2ObLXeV5WUQCfWWfTDHzSezrDawgN2Z4Qb7dHKooAoJyV nm61utdRsdLr2e6QnV5Z0yjjiQBGBBARAgAGBQI6VOkSAAoJEGPLaR3669X8JPcAnim4+Hc0oteQZrNUeuMSuirNVUr7AKC1WXJI7gwM q0Agz07hQs++POJBMokARgQQEQIABgUCOlcobQAKCRDXjLzlZqdLMVBtAKDa5VPcb6NVH6tVeEDJUv+tBjp6oACeLoNtfbs2rvJkgKDH WEIDmJdgy2GJAD8DBRA6WP4Y8CBzV/QUlSsRAkmdAKC3TfkSSeh+poPFnMfW+/Y/+AAEEpGSUYAAQEAAAEAAQAA/9sAQwAKBwc IBwYKCAgICwoKCw4YEA4NDQ4dFRYRGCMfJSQiHyIhJis3LyYpNCkhIjBBMTQ5Oz4+PiUuRElDPEg3PT47///EALUQAAIBAwMCBAMFB .. QQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6On q8fLz9PX29/j5+v/EAB8BAAMBAQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC//EALURAAIBAgQEAwQHBQQEAAECdwABAgMRBAU hMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEXGBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWp zdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX29/j5+v/aAA wDAQACEQMRAD8A9mooooAKKKKACsjW/Eum6FGTdS7pcfLEv3j/AIfjWV428XHQrf7HY4e/lHXIxEvqfevH7y8lupXmmuJppWOZJC+AD9 aly7GkIX1Z3OpfE3Up3K2EUVumcdN7fy/pWLL4415wPM1GWPJyNpK/0Fc5btG/Pktkfx7yTVhYAGLsAxbryf5c5rNvzNlG3Q6yz8ZaxEyudQ kcZ+7JtYH867PRfG9nfIsd7/o8p/iI+U/4V5EI/IGV+XUGfnHy9iUsiGSa6q6Jew1XpTDJvAAICDACNUV4K2PS6h574Z3NaBsIQe5jkVO48MS ohjC6s29CjPhlU79cQIYWmBpuNfwroZ6zltyz6Y2Fm65V0IfvVicR7zvFFCOhahMuk1cr+Qp936OMEq9sLZGxTjClgwrHGS7YpMSZrEC7bp OmERjo4F/n5YmCHJCH8QzCOc9+80gjVEsHiJVABrC8yykjKL5x1V/PSArE4QtMLbkBPGmQYOw8bx6jCHoO43QjUzbqRfBMHZqWVJyoII ZCp+n13XM4+NO/cDVsZ8bjch0LIOyMrT85n24yfXRlP0s7BFjLm59Jjhf4djuJWikJawWETlypAy86OYRRuwCbIyNauBeTKy+avZvF2oLvpw H4UnudpC06/O0jkj2lQpn9EEUw11RwO6sq9zYTwAUyKerN00cbCfyiZl01CIo0btcTO6hQK3c67PaloJ9lVH8/mH7LuqkMLDH5ugkpzmed/8 SorfqVkakne6b4mRySFCBXaVZoKmDHzcH2oSSMhM9exyh6dzi1bGu6JAEwEGBECAAwFAjpU6CcFGwwAAAAACgkQx0Y2ObLXeV7lb QCg+N+fI3bzqF9+fB50J5sFHVHM7hYAn0+9AfDl5ncnr4D7 ReMDlYoIZwRR =Bgy+ -----END -----END PGP PUBLIC KEY BLOCK----BLOCK-----

 

46

## All copyrights reserved by C.C. Cheung 2003.

PGP encryption


CSC1720 Introduction to Internet

Reference
47 All copyrights reserved by C.C. Cheung 2003.

PGP decryption


CSC1720 Introduction to Internet

Reference
48 All copyrights reserved by C.C. Cheung 2003.

## Secure SHell (SSH)



Provide an encrypted secure channel between client and server. Replacement for telnet and ftp. Reference: SSH

49

## Secure Shell & Secure FTP

Secure Shell Secure FTP

50

## Secure Electronic Transaction (SET)



This protocol is developed by Visa and MasterCard specifically for the secure credit card transactions on the Internet. SET encrypts credit card and purchase information before transmission over the Internet. SET allows the merchants identify be authenticated merchant via digital certificates, also allows the merchant to authenticate users through their digital certificates (more difficult to someones stolen credit card). someone SET DEMO
51 All copyrights reserved by C.C. Cheung 2003.



## There are four parts in the SET system.

A software wallet on the users computer wallet user Cardholder. Cardholder A commerce server that runs on the merchants merchant web site Merchant. Merchant The payment server that runs at the merchants merchant bank Acquiring bank. bank The Certification Authority Issuing bank. bank

SET FAQs
52 All copyrights reserved by C.C. Cheung 2003.

SET

53

## All copyrights reserved by C.C. Cheung 2003.

PrivacyPrivacy-Enhanced E-mail E-

Encrypted Signed

54

Summary


## Make sure you understand the relationship between

Encryption Digital Signature Digital Certificate Certificate Authority

Understand which Public/Private key should be used to encrypt/decrypt message to/from you? Discuss PGP, SET, SSH, encrypted email.
55 All copyrights reserved by C.C. Cheung 2003.

## CSC1720 Introduction to Internet

References
      

Digital Certificate (Applied Internet Security) By Feghhi, Feghhi, Williams Addison Wesley Basic Crytography Digital Signature PKI Resources SET Resources General Definitions Digital ID FAQ The End. Thank you for your patience!
56 All copyrights reserved by C.C. Cheung 2003.

 