CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating...
Transcript of CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating...
![Page 1: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/1.jpg)
CS 4770: Cryptography
CS 6750: Cryptography and Communication Security
Alina Oprea
Associate Professor, CCIS
Northeastern University
March 29 2018
![Page 2: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/2.jpg)
Outline
• ElGamal encryption
– Based on Diffie-Hellman key exchange
– CPA secure
• Digital signatures
– Integrity in public-key world
– Equivalent of MACs
– Public verifiability
• Distribution of public keys
2
![Page 3: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/3.jpg)
The ElGamal system (a modern view)
G: finite cyclic group of order q
We construct a pub-key enc. system (Gen, Enc, Dec):
• Key generation Gen:
– choose random generator g in G and random x in Zq
– output sk = x , pk = (g, h=gx )
3
Enc( pk=(g,h), m) :
y ⟵ Zq , u ⟵ gy , k ⟵ hy
c ⟵ k∙m
output (u, c)
Dec( sk=x, (u,c) ) :
k ⟵ ux
m ⟵ k-1∙c
output m
![Page 4: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/4.jpg)
Decisional Diffie-Hellman
4
Let G be a finite cyclic group and g generator of G
G = { 1 , g , g2 , g3 , … , gq-1 }
q is the order of G
Definition: We say that DDH is hard in G if for all PPT adversaries D:
|Pr[ D( gx ,gy ,gxy ) = 1 ] - Pr[ D( gx ,gy ,gz ) = 1 ] | < negligible
G, q and g are public and known to D
x, y, z are chosen uniformly at random in {1,…q-1}
![Page 5: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/5.jpg)
Security
Theorem: Let G be a cyclic group of order q. Assuming that the
DDH problem is hard, then El-Gamal encryption is CPA secure.
In particular, for every PPT adversary A attacking the CPA security
of El-Gamal:
Pr[ExpΠ,𝐴CPA 𝑛 = 1] = 1/2 + negligible(n)
5
![Page 6: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/6.jpg)
Proof of security - Intuition
Enc(pk=(g,h), m)Π
Π’ Enc’(pk=(g,h), m)
1. Success of adversary to break Π and Π’ in CPA game is similar
2. Success of adversary to break Π’ in CPA game is negligible
Under the assumption that DDH is hard !
6
y ⟵ Zq , u ⟵ gy
c ⟵ hy∙m (= gxy∙m)
output (u, c)
y ⟵ Zq , u ⟵ gy , z ⟵ Zq
c ⟵ gz∙m
output (u, c)
![Page 7: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/7.jpg)
Malleability of El-Gamal
To encrypt message m:
• c = (gy, hy∙m), for y random
Multiply second part of ciphertext by α
• c’ = (gy, hy∙m∙α) is a valid encryption of m∙α
El-Gamal is malleable and not CCA-secure
7
![Page 8: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/8.jpg)
Signature schemes
digital signature schemes≈MACs in the public-key setting
8
![Page 9: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/9.jpg)
9
Alice Bob
(m, t=Tagk(m))
k k
m є {0,1}*
k is chosen randomly from some set {0,1}n
Message Authentication Codes
Verk(m) є {yes,no}
![Page 10: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/10.jpg)
Signature Schemes
Alice Bob
k k
Security parameter n
Alice Bob
(m, t=Signsk(m))
sk pk
m є {0,1}*
(pk,sk) := Gen(n)
Verpk(m) є {yes,no}
10
![Page 11: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/11.jpg)
Advantages of signature schemes
Digital signatures are:
1. publicly verifiable
2. transferable
3. provide non-repudiation
11
![Page 12: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/12.jpg)
Anyone can verify the signatures
P1
P2
P4
pk1
pk2
pk3
pk4
pk5
public register:Sign(sk3,m)
2. reads pk3
sk3
3. computes Ver(pk3,m)
P3
12
![Page 13: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/13.jpg)
Look at the MACs...
Alice Bob
(m, t=Tagk(m))
k k
Carol
Look, I got (m,t) from AliceWhy shall I trust you?
1. You could have created t yourself (because you know k)
2. I don’t know k, so how can I verify the tag?
m є {0,1}*
13
![Page 14: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/14.jpg)
Signatures are publicly-verifiable!
Alice Bob
(m, σ =Signsk(m))
skA pkA
Carol
I can calculate
Ver(pkA,m,σ)
and check.
Look, I got (m,σ) from Alice
14
m є {0,1}*
![Page 15: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/15.jpg)
So, the signatures are transferable
P2 P3
Alice
P4P1
σ=
Sign
(sk A
,m)
skA
(m,σ) (m,σ) (m,σ)
“Alice signed m”
pkA pkA pkA
“Alice signed m”
“Alice signed m”
I believe it! I believe it! I believe it!
15
pkA
![Page 16: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/16.jpg)
Non-repudiation
Alice Bob
(m, σ =Signsk(m))
skA pkA
Judge
“I’ve got (m,σ) from Alice”
It’s not true!I never signed m!
Ver(pk,m,σ) = yesso you cannot repudiate signing m...
16
m є {0,1}*
![Page 17: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/17.jpg)
Digital Signature Schemes
A digital signature scheme is a tuple (Gen,Sign,Ver) of poly-time algorithms, such that:
• the key-generation algorithm Gen takes as input a security parameter n and outputs a pair (pk,sk),
• the signing algorithm Sign takes as input a key sk and a message mє{0,1}* and outputs a signature σ,
• the verification algorithm Ver takes as input a key pk, a message mand a signature σ, and outputs a bit b є {yes, no}.
If Verpk(m,σ) = yes then we say that σ is a valid signature on the message m.
17
![Page 18: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/18.jpg)
Correctness
We require that it always holds that:
Verpk(m,Signsk(m)) = Yes with high probability
What remains is to define security.
18
![Page 19: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/19.jpg)
How to define security?
We have to assume that the adversary can see some pairs(m1,σ1),..., (mt,σt)
As in the case of MACs, we need to specify:
1. how the messages m1,...,mt are chosen,
2. what is the goal of the adversary.
We assume that
1. The adversary is allowed to chose m1,...,mt.
2. The goal of the adversary is to produce a valid signature on some m’ such that m’ ≠ m1,...,mt.
19
![Page 20: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/20.jpg)
security parametern
selects (pk,sk) = Gen(1n)
oracle
m1
mt
. . .We say that the adversary breaks the signature scheme if at the end
she outputs (m’, σ’) such that
1. Ver(m’, σ’) = yes2. m’ ≠ m1,...,mt
adversary
pk
Signsk(m1)
Signsk(mt)
20
![Page 21: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/21.jpg)
The security definition
We say that (Gen,Sign,Ver) is existentially unforgeable under an adaptive chosen-message attack if
A
polynomial-timeadversary A
P(A breaks it) is negligible (in n)
sometimes we just say: unforgeable (if the context is clear)
21
![Page 22: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/22.jpg)
Security experiment for Signatures
22
• Experiment ExpΠ,𝐴Sign
𝑛 :
1. Choose (pk,sk)← 𝐺𝑒𝑛(𝑛)
2. m,σ← 𝐴𝑆𝑖𝑔𝑛𝑠𝑘() 𝑝𝑘
3. Output 1 if Verpk(m, σ) = 1 and m was not queried to the Sign() oracle
4. Output 0 otherwise
(Gen,Tag,Ver) is a secure (existential unforgeable) signature if:
For every PPT adversary 𝐴:
Pr[ExpΠ,𝐴Sign
𝑛 = 1] is negligible in n
![Page 23: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/23.jpg)
signaturesmessages
check if m’=m
σ := F-1 (sk,m)
m’ := F(pk,σ)
signing:
verifying:
In general it’s not that simple.
How to design secure signature schemes?
{F, F-1 : X → X}(pk,sk) є keys -- a trapdoor permutation
Remember this idea?
23
Inverse trapdoor
Trapdoor
![Page 24: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/24.jpg)
The “handbook RSA signatures”
N = pq - RSA modulus
e is such that gcd(e, φ(N)) = 1,d is such that ed = 1 (mod φ(N))
Sign(d,N) (m) = md mod N and
Ver(e,N) (m, σ) = yes iff σe = m mod N
Correctness:
σe = (md)e
= mde
= m1
= m
24
![Page 25: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/25.jpg)
Problems with the “handbook RSA” [1/2]
The adversary can forge a signature on a “random” message m.
Given the public key (N,e):he just selects a random σ and computes
m = σe mod N.
Trivially, σ is a valid signature on m.
A “no-message attack”:
25
![Page 26: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/26.jpg)
Problems with the “handbook RSA” (2/2)
How to forge a signature on an arbitrary message m? Use the homomorphic properties of RSA.
oracle
m1adversary
Signsk(m1) = m1d mod N
Signsk(m2) = m2d mod N
(N,e)
chooses:1. random m1
2. m2 := m / m1 mod N m2
computes (mod N):
m1d · m2
d
= (m1 · m2)d
= md
this is a valid signature on m
26
![Page 27: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/27.jpg)
Solution
Before computing the RSA function – apply hash function H.
N = pq, such that p and q are large random primese is such that gcd(e, φ(N)) = 1d is such that ed = 1 (mod φ(N))
Signd: ZN* → ZN
* is defined as:Sign(m) = md mod N.
Vrfyeis defined as:Vrfye(m,σ) = yes iff σe =m (mod N)
Signd: ZN* → ZN
* is defined as:Sign(m) = H(m)d mod N.
Vereis defined as:Vere(m,σ) = yes iff σe = H(m) (mod N)
27
Hash-and-sign paradigm
![Page 28: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/28.jpg)
Fact (security of the Full Domain Hash)
• Let H : {0,1}* → ZN* be a hash function modeled as a random function.
• Suppose the RSA assumption holds
Then the “hashed RSA” is existentially unforgeable signature
N = pq, such that p and q are large random primese is such that gcd(e, φ(N)) = 1d is such that ed = 1 (mod φ(N))
Signd: ZN* → ZN
* is defined as:Sign(m) = H(m)d mod N.
Vereis defined as:Vere(m,σ) = yes
iff σe = H(m) (mod N)
hashed RSA
28
![Page 29: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/29.jpg)
Other popular signature schemes
• Rabin signatures (based on squaring mod N=pq)
Based on discrete log:
• ElGamal signatures
• Digital Signature Standard (DSS)
• Schnorr signatures
(also based on other groups – elliptic curves)
29
![Page 30: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/30.jpg)
Secure communication on the Internet
• Generate public key, secret key pair
– Using Miller-Rabin primality testing
• Distribute the Public Key
– Using digital signatures and PKI
• Generate and share secret key
– Using Public Key CCA secure encryption
• Communicate securely
– Using symmetric-key authenticated encryption
30
![Page 31: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/31.jpg)
Authenticity of Public Keys
?
Problem: How does Alice know that the public key
she received is really Bob’s public key?
private key
AliceBob
public key
31
![Page 32: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/32.jpg)
Distribution of Public Keys
• Public announcement or public directory
– Risks: forgery and tampering
• Public-key certificate
– Signed statement specifying the key and identity
• SigAlice(“Bob”, PKBob)
– Could Bob sign his own certificate?
• Common approach: certificate authority (CA)
– An agency responsible for certifying public keys
– It generates certificates for domain names (example.com) on the web
32
![Page 33: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/33.jpg)
Trusted Certificate Authorities
33
![Page 34: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/34.jpg)
Acquiring a Certificate
BofA
VerisignPBofA
CSRbofa.com
PBofA
1. Generate a new keypair
2. Generate a Certificate Signing Request (CSR).
Contains BofA’s details, the DNS name for the cert, and PBofA
3. Verify that the requestor owns the domain in the CSR
4. Generate a new certificate using the data in the CSR, sign it with the CA’s private key
SBofA SVerisign
34
- Serial number- Owner’s domain- Owner’s public key- CA public key- Expiration date
![Page 35: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/35.jpg)
CA Hierarchy or PKI
• Browsers, operating systems, etc. have trusted root certificate authorities– Firefox 3 includes certificates of 135 trusted root CAs
• A Root CA signs certificates for intermediate CAs, they sign certificates for lower-level CAs, etc.– Certificate “chain of trust”
• SigVerisign(“NEU”, PKNEU), SigNEU(“CCS”, PKCCS)
• CA is responsible for verifying the identities of certificate requestors, domain ownership
35
![Page 36: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/36.jpg)
Certificate Hierarchy - PKI
Root CA
Intermediate CA
Users
SigCA(“NEU”, PKNEU)
SigNEU(“CCS”, PKCCS)
PKCA ,SKCA
PKCA
.com
neu.com
ccs.neu. com
36
![Page 37: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/37.jpg)
Comodo
37
What if CA secret key is compromised?
![Page 38: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/38.jpg)
Recover from secret key compromise
• Revocation is very important
• Many valid reasons to revoke a certificate– Private key corresponding to the certified public key
has been compromised
– User stopped paying his certification fee to the CA and the CA no longer wishes to certify him
– CA’s certificate has been compromised!
• Methods– Certificate expiration
– Certificate revocation • Certificate Revocation Lists (CRL)
• Online Certificate Status Protocol (OCSP)
38
![Page 39: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/39.jpg)
Key insights
• Digital signature schemes– Analogs of MACs in public-key setting– Public verifiability– Transferability– Non-repudiation
• Constructions– Hash-and-sign: Full-Domain Hash RSA
• PKI infrastructure– Distribute public keys– Hierarchical CA model– Single CA compromise can result in breaches– Revocation has a number of issues in practice
39
![Page 40: CS 4770: Cryptography CS 6750: Cryptography and … · CA Hierarchy or PKI •Browsers, operating systems, etc. have trusted root certificate authorities –Firefox 3 includes certificates](https://reader031.fdocuments.net/reader031/viewer/2022021915/5cd03ea288c993924d8d9d87/html5/thumbnails/40.jpg)
Acknowledgement
Some of the slides and slide contents are taken from http://www.crypto.edu.pl/Dziembowski/teachingand fall under the following:
©2012 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.
We have also used slides from Prof. Dan Boneh online cryptography course at
Stanford University:
http://crypto.stanford.edu/~dabo/courses/OnlineCrypto/
40