CS262 FS13 15 - Informatikinformatik.unibas.ch/uploads/media/cs262-20130524-2up.pdf · CS262 —...
-
Upload
trannguyet -
Category
Documents
-
view
224 -
download
3
Transcript of CS262 FS13 15 - Informatikinformatik.unibas.ch/uploads/media/cs262-20130524-2up.pdf · CS262 —...
Christian Tschudin & !omas Meyer
Departement Mathematik und Informatik, Universität Basel
Internet-Technologien (CS262)
Netzwerksicherheit: Methoden
!". Mai !#$%
CS262 — FS13 — Netzwerksicherheit: Methoden
Computer Networking:A Top Down Approach,International Version,!th edition. Jim Kurose, Keith RossPearson Addison-Wesley, March "##$.
A note on the use of these ppt slides:We’re making these slides freely available to all (faculty, students, readers). !ey’re in PowerPoint form so you can add, modify, and delete slides (including this one) and slide content to suit your needs. !ey obviously represent a lot of work on our part. In return for use, we only ask the following: If you use these slides (e.g., in a class) in substantially unaltered form, that you mention their source (after all, we’d like people to use our book!) If you post any slides in substantially unaltered form on a www site, that you note that they are adapted from (or perhaps identical to) our slides, and note our copyright of this material.
!anks and enjoy! JFK/KWR
All material copyright "##$-%&"&J.F Kurose and K.W. Ross, All Rights Reserved
!
(with changes CS262 UniBasel, %&'%)
Chapter (Security in Computer Networks
CS262 — FS13 — Netzwerksicherheit: Methoden
Chapter !: Network SecurityChapter goals: understand principles of network security:
cryptography and its many uses beyond “confidentiality”
authentication message integrity
security in practice: firewalls and intrusion detection systems security in application, transport, network, link layers
"
CS262 — FS13 — Netzwerksicherheit: Methoden #
!." What is network security?!.# Principles of cryptography!.$ Message integrity!.% Securing e-mail!.& Securing '() connections: **+!., Network layer security: -)sec!.. Securing wireless +/0s!.! Operational security: firewalls and -1* (see slide set .)
Chapter ! roadmap
CS262 — FS13 — Netzwerksicherheit: Methoden
What is network security?
Confidentiality: only sender, intended receiver should “understand” message contents sender encrypts message receiver decrypts message
Authentication: sender, receiver want to confirm identity of each other
Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
Access and availability: services must be accessible and available to users
$
CS262 — FS13 — Netzwerksicherheit: Methoden
Friends and enemies: Alice, Bob, Trudy
well-known in network security worldBob, Alice (lovers!) want to communicate “securely”Trudy (intruder) may intercept, delete, add messages
securesender
securereceiver
channel data, control messages
data data
Alice Bob
Trudy
%
CS262 — FS13 — Netzwerksicherheit: Methoden
Who might Bob, Alice be?
… well, real-life Bobs and Alices!Web browser/server for electronic transactions
(e.g., on-line purchases)on-line banking client/server10* serversrouters exchanging routing table updatesother examples?
&
CS262 — FS13 — Netzwerksicherheit: Methoden
)ere are bad guys (and girls) out there!
Q: What can a “bad guy” do?A: A lot!
eavesdrop: intercept messages actively insert messages into connection impersonation: can fake (spoof) source address in packet (or any
field in packet) hijacking: “take over” ongoing connection by removing sender or
receiver, inserting himself in place denial of service: prevent service from being used by others (e.g., by
overloading resources)
'
CS262 — FS13 — Netzwerksicherheit: Methoden
Security Protocols in the Stack
Q: Where in the protocol stack security belongs?A: Every layer has something to contribute: ❖ physical: avoid wiretapping (tubes containing gas at high pressure)❖ link: link encryption (local scope only)❖ network: encrypt IP packet (!"sec)❖ transport: encrypt entire end-to-end sessions❖ application: handle authentication and nonrepudiation issues❖ human: ...
...Most security failures are due to lax security procedures(social engineering attacks)
(
CS262 — FS13 — Netzwerksicherheit: Methoden
Chapter ! roadmap
!." What is network security?!.# Principles of cryptography!.$ Message integrity!.% Securing e-mail!.& Securing '() connections: **+!., Network layer security: -)sec!.. Securing wireless +/0s!.! Operational security: firewalls and -1*
)*
CS262 — FS13 — Netzwerksicherheit: Methoden
)e language of cryptography
m plaintext messageKA(m) ciphertext, encrypted with key KA
m = KB(KA(m))
plaintext plaintextciphertext
KA
encryptionalgorithm
decryption algorithm
Alice’s encryptionkey
Bob’s decryptionkey
KB
))
CS262 — FS13 — Netzwerksicherheit: Methoden
Simple encryption schemesubstitution cipher: substituting one thing for another
monoalphabetic cipher: substitute one letter for another
plaintext: abcdefghijklmnopqrstuvwxyz
ciphertext: MNBVCXZASDFGHJKLPOIUYTREWQ
plaintext: bob. i love you. aliceciphertext: NKN. S GKTC WKY. MGSBC
e.g.:
Key: the mapping from the set of !" lettersto the set of !" letters
)!
CS262 — FS13 — Netzwerksicherheit: Methoden
Polyalphabetic encryptionn monoalphabetic ciphers, M",M#,…,Mn
Cycling pattern: e.g., n=#, M#,M$,M%,M$,M!; M#,M$,M%,M$,M!;
For each new plaintext symbol, use subsequent monoalphabetic pattern in cyclic pattern dog: d from M#, o from M$, g from M%
Key: the n ciphers and the cyclic pattern
)"
CS262 — FS13 — Netzwerksicherheit: Methoden
Breaking an encryption scheme
Cipher-text only attack: Trudy has ciphertext that she can analyze
Two approaches: Search through all keys: must
be able to di!erentiate resulting plaintext from gibberish
Statistical analysis,e.g. frequency analysis
Known-plaintext attack: Trudy has some plaintext corresponding to some ciphertext e.g., in monoalphabetic cipher,
Trudy determines pairings for a,l,i,c,e,b,o,
Chosen-plaintext attack: Trudy can get the ciphertext for some chosen plaintext
)#
CS262 — FS13 — Netzwerksicherheit: Methoden
Types of Cryptography
Crypto often uses keys: Algorithm is known to everyone Only “keys” are secret
Public key cryptography Involves the use of two keys
Symmetric key cryptography Involves the use one key
Hash functions Involves the use of no keys Nothing secret: How can this be useful?
)$
CS262 — FS13 — Netzwerksicherheit: Methoden
Symmetric key cryptography
symmetric key crypto: Bob and Alice share same (symmetric) key: Ke.g., key is knowing substitution pattern in mono alphabetic
substitution cipherQ: how do Bob and Alice agree on key value?
plaintextciphertext
KS
encryptionalgorithm
decryption algorithm
S
K S
plaintextmessage, m
K (m)S
m = KS(KS(m))
)%
CS262 — FS13 — Netzwerksicherheit: Methoden
Two types of symmetric ciphers
Stream ciphers encrypt one bit at time
Block ciphers Break plaintext message in equal-size blocks Encrypt each block as a unit
)&
CS262 — FS13 — Netzwerksicherheit: Methoden
Stream Ciphers
Combine each bit of keystream with bit of plaintext to get bit of ciphertext
m(i) = i&' bit of messageks(i) = i&' bit of keystreamc(i) = i&' bit of ciphertextc(i) = ks(i) ⊕ m(i) (⊕ = exclusive or)
m(i) = ks(i) ⊕ c(i)
keystreamgenerator
key keystream
pseudo random
)'
CS262 — FS13 — Netzwerksicherheit: Methoden
"#$ Stream Cipher
2(3 is a popular stream cipher Extensively analyzed and considered good Key can be from $ to %&' bytes Used in ()" for *+%.$$ Can be used in ,,-
)(
CS262 — FS13 — Netzwerksicherheit: Methoden
Block ciphers
Message to be encrypted is processed in blocks of k bits (e.g., ,%-bit blocks).
"-to-" mapping is used to map k-bit block of plaintextto k-bit block of ciphertext
Example with k=$:
input output+++ $$+++$ $$$+$+ $+$+$$ $++
input output$++ +$$$+$ +$+$$+ +++$$$ ++$
What is the ciphertext for +$+$$+++$$$$ ?
!*
CS262 — FS13 — Netzwerksicherheit: Methoden
Block ciphers
How many possible mappings are there for k=$? How many .-bit inputs? How many permutations of the .-bit inputs? Answer: #+,.%+ ; not very many!
In general, #k! mappings; huge for k=,%Problem:
Table approach requires table with %"% entries, each entry with '# bits
Table too big: instead use function that simulates a randomly permuted table
!)
CS262 — FS13 — Netzwerksicherheit: Methoden
Prototype function'#-bit input
S#
*bits
* bits
S!
*bits
* bits
S$
*bits
* bits
S%
*bits
* bits
S(
*bits
* bits
S"
*bits
* bits
S)
*bits
* bits
S*
*bits
* bits
'#-bit intermediate
'#-bit output
Loop for n rounds
*-bit to*-bitmapping
From Kaufmanet al
!!
CS262 — FS13 — Netzwerksicherheit: Methoden
Why rounds in prototype?
If only a single round, then one bit of input a4ects at most ! bits of output.
In #nd round, the ! a4ected bits get scattered and inputted into multiple substitution boxes.
How many rounds? How many times do you need to shu/e cards Becomes less e0cient as n increases
!"
CS262 — FS13 — Netzwerksicherheit: Methoden
Encrypting a large message
Why not just break message in ,%-bit blocks, encrypt each block separately? If same block of plaintext appears twice, will give same ciphertext.
How about: Generate random '#-bit number r(i) for each plaintext block m(i) Calculate c(i) = KS( m(i) ⊕ r(i) )
Transmit c(i), r(i), i=$,%,…
At receiver: m(i) = KS(c(i)) ⊕ r(i)
Problem: ine0cient, need to send c(i) and r(i)
!#
CS262 — FS13 — Netzwerksicherheit: Methoden
Cipher Block Chaining %#&#'
+,+ generates its own random numbers Have encryption of current block depend on result of previous block
c(i) = KS( m(i) ⊕ c(i-") )
m(i) = KS( c(i)) ⊕ c(i-")
How do we encrypt first block? Initialization vector (IV): random block = c(#)
IV does not have to be secret
Change IV for each message (or session) Guarantees that even if the same message is sent repeatedly, the
ciphertext will be completely di!erent each time
!$
CS262 — FS13 — Netzwerksicherheit: Methoden
Cipher Block Chainingcipher block: if input
block repeated, will produce same cipher text:
t=" m(#) = “HTTP/#.#” blockcipher
c(#) = “k$!-aM.!”
…
cipher block chaining: 123 i45 input block, m(i), with previous block of cipher text, c(i-$) c(+) transmitted to receiver
in clear what happens in “677"/$.$”
scenario from above?
+
m(i)
c(i)
t=". m(#() = “HTTP/#.#” blockcipher
c(#() = “k$!-aM.!”
blockcipher
c(i-$)
!%
CS262 — FS13 — Netzwerksicherheit: Methoden
Symmetric key crypto: *+,
15*: Data Encryption Standard/0 encryption standard [1203 #--$] )"-bit symmetric key, "%-bit plaintext inputBlock cipher with cipher block chainingHow secure is 450?
8), Challenge: &'-bit-key-encrypted phrase decrypted (brute force) in less than a day
No known good analytic attack
making 450 more secure: 98),: encrypt . times with . di:erent keys
(actually encrypt, decrypt, encrypt)
!&
CS262 — FS13 — Netzwerksicherheit: Methoden
Symmetric key crypto: *+,
initial permutation #" identical “rounds” of
function application, each using di6erent %* bits of key
final permutation
450 operation
!'
CS262 — FS13 — Netzwerksicherheit: Methoden
-+,: Advanced Encryption Standard
new (Nov. #66") symmetric-key 0-*' standard, replacing 15*processes data in "#! bit blocks"#!, "7#, or #&, bit keysbrute force decryption (try each key) taking " sec on 15*,
takes "%7 trillion years for /5*
!(
CS262 — FS13 — Netzwerksicherheit: Methoden
Public Key Cryptography
symmetric key crypto requires sender, receiver
know shared secret keyQ: how to agree on key in
first place (particularly if never “met”)?
public key cryptography radically di6erent
approach [Di7e-Hellman(", 809:;]
sender, receiver do not share secret key
public encryption key known to all
private decryption key known only to receiver
"*
CS262 — FS13 — Netzwerksicherheit: Methoden
Public Key Exchange
❖ Problem: two (unauthorized) parties want to exchange a session key
❖ Di8e-Hellman-Merkle Key Exchange Protocol:
❖ first “public key distribution” method
❖ published $;<' (together with the idea of asymetric cryptography)
❖ based on an modulo arithmetic
")
CS262 — FS13 — Netzwerksicherheit: Methoden
Prerequisite: modular arithmetic
x mod n = remainder of x when divide by n Facts:
[(a mod n) + (b mod n)] mod n = (a+b) mod n[(a mod n) - (b mod n)] mod n = (a-b) mod n[(a mod n) * (b mod n)] mod n = (a*b) mod n
9us (a mod n)d mod n = ad mod n Example: x="%, n="6, d=#:
(x mod n)d mod n = %# mod "6 = ,xd = "%# = "7, xd mod "6 = ,
"!
CS262 — FS13 — Netzwerksicherheit: Methoden
Di.e-Hellman-Merkle Key Exchange
Initialization: Find common large number n
❖ Chose big prime n (min. !.. digits)such that (n-!)/" is also prime
❖ Chose y<n such that y is a primitive root of n,i.e. for each i in #...n-# there is an a where ya mod n = i
❖ Alice and Bob must negotiate n and y,but these values may be public.
""
CS262 — FS13 — Netzwerksicherheit: Methoden
Di.e-Hellman-Merkle Key ExchangeProtocol
"#
1. chose big A randomly
2. compute α = yA mod n
3. send α to Bob
4. receive β from Bob
5. compute kA = βA mod n
Alice Bob
1. chose big B randomly
2. compute β = yB mod n
3. send β to Alice
4. receive α from Alice
5. compute kB = αB mod n
magic happens: k = kA = kB
k is used as session key
CS262 — FS13 — Netzwerksicherheit: Methoden
Di.e-Hellman-Merkle Key ExchangeExample (with small number): n=$$, y=<
"$
1. chose A=.
2. α = yA mod n = <$ mod $$ = %
3. send α=% to Bob
4. receive β=# from Bob
5. kA = βA mod n = #$ mod $$ = ;
Alice Bob
magic happens: k = kA = kB = -
k=- is used as session key
1. chose B='
2. β = yA mod n = <" mod $$ = #
3. send β=# to Bob
4. receive α=" from Bob
5. kB = αB mod n = %" mod $$ = ;
CS262 — FS13 — Netzwerksicherheit: Methoden
Why does DHM Key Exchange Work?
❖ Fact: (x mod n)B mod n = xB mod n
❖ (yA mod n)B mod n =yAB mod n =yBA mod n =(yB mod n)A mod n
"%
CS262 — FS13 — Netzwerksicherheit: Methoden
Applications of DHM
❖ Common secret k is used as symmetric session key,e.g. AES
❖ Many generalizations exist:❖ three parties❖ other algebraic foundations
❖ Used in SSL (secure web, secure shell, etc.)
"&
CS262 — FS13 — Netzwerksicherheit: Methoden
Asymetric cryptography
plaintextmessage, m
ciphertextencryptionalgorithm
decryption algorithm
Bob’s public key
plaintextmessageK (m)
B+
K B+
Bob’s privatekey
K B-
m = K (K (m))B+
B-
"'
CS262 — FS13 — Netzwerksicherheit: Methoden
Public key encryption algorithms
need K ( ) and K ( ) such thatB B. .
given public key K , it should be impossible to compute private key K B
B
Requirements:
#
!
809: Rivest, Shamir, Adleman algorithm
+ -
K (K (m)) = m BB
- +
+-
"(
CS262 — FS13 — Netzwerksicherheit: Methoden
"(): ge*ing ready
A message is a bit pattern.A bit pattern can be uniquely represented by an integer
number. <us encrypting a message is equivalent to encrypting a
number.Examplem= #..#...# . <is message is uniquely represented by the
decimal number #%). To encrypt m, we encrypt the corresponding number, which
gives a new number (the ciphertext).
#*
CS262 — FS13 — Netzwerksicherheit: Methoden
/,-: Creating public/private key pair
#. Choose two large prime numbers p, q. (e.g., #.!% bits each)
!. Compute n = pq, z = Φ(n) = (p-!)(q-!)
$. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).
%. Choose d such that ed-! is exactly divisible by z. (in other words: ed mod z = ! ).
). Public key is (n,e). Private key is (n,d).
K B+
K B-
#)
CS262 — FS13 — Netzwerksicherheit: Methoden
"(): Encryption, decryption.. Given (n,e) and (n,d) as computed above
#. To encrypt message m (<n), compute
c = m mod ne
!. To decrypt received bit pattern, c, compute
m = c mod nd
m = (m mod n)e mod ndMagichappens!
c
#!
(i.e., remainder when m is divide by n)e
(i.e., remainder when c is divide by n)d
CS262 — FS13 — Netzwerksicherheit: Methoden
/,- example:Bob chooses p=$, q=%. <en n=&$, z="#.
e=$ (so e, z relatively prime).d="' (so ed-! exactly divisible by z).
bit pattern m me c = m mod ne
....#... #! !%*$! #(
c m = c mod nd
#( $%"&'%()*"#')(#&"(#&"$""%*(**+#)"'&) #!cd
encrypt:
decrypt:
Encrypting *-bit messages.
#"
CS262 — FS13 — Netzwerksicherheit: Methoden
Why does "() work?
Must show that cd mod n = m where c = me mod n
Fact: for any x and y: xy mod n = x(y mod z) mod n where n= pq and z = (p-")(q-")
<us, cd mod n = (me mod n)d mod n
= med mod n = m(ed mod z) mod n = m# mod n = m
##
CS262 — FS13 — Netzwerksicherheit: Methoden
/,-: another important property
<e following property will be very useful later:
K (K (m)) = m BB
- +K (K (m))
BB+ -=
use public key first, followed by private
key
use private key first, followed by public
key
Result is the same!
#$
CS262 — FS13 — Netzwerksicherheit: Methoden
Follows directly from modular arithmetic:
(me mod n)d mod n = med mod n = mde mod n = (md mod n)e mod n
Why ?
#%
K (K (m)) = m BB
- +K (K (m))
BB+ -=
CS262 — FS13 — Netzwerksicherheit: Methoden
Why is "() Secure?suppose you know Bob’s public key (n,e). How hard is it to
determine d?essentially need to find factors of n without knowing the
two factors p and q. fact: factoring a big number is hard.
Generating "() keyshave to find big primes p and qapproach: make good guess then apply testing rules
(see Kaufman)
#&
CS262 — FS13 — Netzwerksicherheit: Methoden
Session keys
Exponentiation is computationally intensive15* is at least "66 times faster than 2*/
Session key, KS
Bob and Alice use 2*/ to exchange a symmetric key KS
Once both have KS, they use symmetric key cryptography
#'
CS262 — FS13 — Netzwerksicherheit: Methoden
Chapter ! roadmap
!." What is network security?!.# Principles of cryptography!.$ Message integrity!.% Securing e-mail!.& Securing '() connections: **+!., Network layer security: -)sec!.. Securing wireless +/0s!.! Operational security: firewalls and -1*
#(
CS262 — FS13 — Netzwerksicherheit: Methoden
Message Integrityallows communicating parties to verify that received
messages are authentic. Content of message has not been altered Source of message is who/what you think it is Message has not been replayed Sequence of messages is maintained
let’s first talk about message digests
$*
CS262 — FS13 — Netzwerksicherheit: Methoden
Message Digests
function H( ) that takes as input an arbitrary length message and outputs a fixed-length string:“message signature”
note that H( ) is a many-to-# function
H( ) is often called a “hash function”
desirable properties:easy to calculateirreversibility:
Can’t determine m from H(m)collision resistance:
computationally di,cultto produce m and m’such that H(m) = H(m’)seemingly random output
large message
m
H: HashFunction
H(m)
$)
CS262 — FS13 — Netzwerksicherheit: Methoden
Internet checksum: poor message digest
Internet checksum has some properties of hash function:❖ produces fixed length digest ($'-bit sum) of input❖ is many-to-one❖ but given message with given hash value, it is easy to find another message
with same hash value. e.g.,: simplified checksum: add #-byte chunks at a time:
I O U 10 0 . 99 B O B
49 4F 55 3130 30 2E 3939 42 D2 42
message ASCII format
B2 C1 D2 AC
I O U 90 0 . 19 B O B
49 4F 55 3930 30 2E 3139 42 D2 42
message ASCII format
B2 C1 D2 ACdi:erent messagesbut identical checksums!
$!
CS262 — FS13 — Netzwerksicherheit: Methoden
Hash Function Algorithms
=4> hash function widely used (8?+ #$!#) computes #!*-bit message digest in %-step process. used for integrity verification in Linux SW (ISO, RPM) but: well-known attacks
• possible to construct collisions (since !..))• today: only takes minutes to find a collision for a given
message (!..")
•should only be used to recognize bit errors,not for cryptographic signatures (see later)
$"
CS262 — FS13 — Netzwerksicherheit: Methoden
Hash Function Algorithms
0@9-# is also used. /0 standard [NIST, FIPS PUB "%#-"]
#".-bit message digest
$#
CS262 — FS13 — Netzwerksicherheit: Methoden
Message Authentication Code 01-23
mes
sage
H( )
s
MAC
mes
sage
MAC
mes
sage
MAC
s
H( ) MAC
MAC
compare
s = shared secret
Authenticates sender Verifies message integrity No encryption ! Also called “keyed hash” Notation: MDm = H(s||m) ; send m||MDm
$$
CS262 — FS13 — Netzwerksicherheit: Methoden
+,)#
popular :/( standard addresses some subtle security flaws operation (two pass):
($) concatenates secret to front of message. hashes concatenated message (MD& or SHA-$) (%) concatenates secret to front of digest
hashes combination again
$%
CS262 — FS13 — Netzwerksicherheit: Methoden
End-point authentication
want to be sure of the originator of the message – end-point authentication
assuming Alice and Bob have a shared secret, will :/( provide end-point authentication? we do know that Alice created message.
… but did she send it?
$&
CS262 — FS13 — Netzwerksicherheit: Methoden
=>?Transfer ;"Mfrom Bill to Trudy
=>?Transfer ;"M fromBill to Trudy
Playback attack
=>? =f(msg,s)
$'
CS262 — FS13 — Netzwerksicherheit: Methoden
“I am Alice”
R
=>?Transfer ;"M from Bill to Susan
=>? =f(msg,s,R)
$(
Defending against playback a4ack: nonce
CS262 — FS13 — Netzwerksicherheit: Methoden
Digital Signatures
cryptographic technique analogous to hand-written signatures.
sender (Bob) digitally signs document, establishing he is document owner/creator.
goal is similar to that of =9+, except now use public-key cryptography
verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document
%*
CS262 — FS13 — Netzwerksicherheit: Methoden
Digital Signatures
simple digital signature for message m:Bob signs m by encrypting with his private key KB, creating
“signed” message, KB(m)--
��������� �����"�����!���������#� �������������#� ���������������%����������������
��
Bob’s message, m
Public keyencryptionalgorithm
Bob’s privatekey
K B-
��$��������������������������#������"�����������!������#
K B-(m)
%)
CS262 — FS13 — Netzwerksicherheit: Methoden
large message
mH: Hashfunction H(m)
digitalsignature(encrypt)
Bob’s private
key K B-
+
Bob sends digitally signed message:
Alice verifies signature and integrity of digitally signed message:
KB(H(m))-
encrypted msg digest
KB(H(m))-
encrypted msg digest
large message
m
H: Hashfunction
H(m)
digitalsignature(decrypt)
H(m)
Bob’s public
key K B+
equal ?
%!
Digital signature = signed message digest
CS262 — FS13 — Netzwerksicherheit: Methoden
Digital Signatures (more) suppose Alice receives msg m, digital signature KB(m)
Alice verifies m signed by Bob by applying Bob’s public key KB to KB(m) then checks KB(KB(m) ) = m.
if KB(KB(m) ) = m, whoever signed m must have used Bob’s private key.
�
��
�
�
�
�
Alice thus verifies that:❖ Bob signed m.❖ no one else signed m.❖ Bob signed m and not m’.
Non-repudiation:Alice can take m, and signature KB(m) to court and
prove that Bob signed m.
�
%"
CS262 — FS13 — Netzwerksicherheit: Methoden
Public-key certi-cation
motivation: Trudy plays pizza prank on Bob Trudy creates e-mail order:
Dear Pizza Store, Please deliver to me four pepperoni pizzas. (ank you, Bob
Trudy signs order with her private key Trudy sends order to Pizza Store Trudy sends to Pizza Store her public key, but says it’s Bob’s public
key.
Pizza Store verifies signature; then delivers four pizzas to Bob. Bob doesn’t even like Pepperoni
%#
CS262 — FS13 — Netzwerksicherheit: Methoden
Certi5cation Authorities 02-3
Certification authority (+9): binds public key to particular entity, E.
E (person, router) registers its public key with +9. E provides “proof of identity” to -..
-. creates certificate binding E to its public key.
certificate containing E’s public key digitally signed by -. –-. says “this is E’s public key”
Bob’s public
key K B+
Bob’s identifying
information
digitalsignature(encrypt)
CA private
key K CA-
K B+
certificate for Bob’s public key, signed
by ?>%$
CS262 — FS13 — Netzwerksicherheit: Methoden
Certi5cation Authorities 02-3when Alice wants Bob’s public key:
gets Bob’s certificate (Bob or elsewhere). apply +9’s public key to Bob’s certificate,
get Bob’s public key
Bob’s public
key K B+
digitalsignature(decrypt)
CA public
key K CA
+
K B+
%%
CS262 — FS13 — Netzwerksicherheit: Methoden
Certi-cates: summary
primary standard <.&67 (2=( >3?@)certificate contains:
issuer name
entity name, address, domain name, etc. entity’s public key digital signature (signed with issuer’s private key)
Public-Key Infrastructure ()A-) certificates, certification authorities often considered “heavy”
%&