Public key cryptography

50
2001/03/26 r.innocente 1 Public Key Cryptography, Digital Certificates, Transport Layer Security and Internet encrypted services Roberto Innocente [email protected]

Transcript of Public key cryptography

2001/03/26 r.innocente 1

Public Key Cryptography,Digital Certificates,

Transport Layer Securityand

Internet encrypted services

Roberto Innocente

[email protected]

2001/03/26 r.innocente 2

Summary

• PKC (Public Key Cryptography) Introduction

• Digital Certificates

• SSL/TLS

• Use of SSL/TLS over Internet

• Encrypted services: pop, imap, smtp

2001/03/26 r.innocente 3

Cryptographic systemstaxonomy

• Symmetric key cryptography• same key for encryption and decryption• relatively fast• RC2, RC4, DES, triple DES

• Asymmetric key cryptography• different keys for encryption/decryption• slow• RSA, ElGamal, Elliptic curves

2001/03/26 r.innocente 4

Symmetric Key Cryptography

Encryption DecryptionPlaintext

Ciphertext

Plaintext

m c=K(m) m=K(c)

m messagec cipher textK key

key K

K.K=1

2001/03/26 r.innocente 5

Asymmetric Key Cryptography

Encryption DecryptionPlaintext

Ciphertext

Plaintext

Encryptionkey E

Decryptionkey D

m c=E(m) m=D(c)

m messagec cipher textE encryption keyD decryption key

D.E=1

2001/03/26 r.innocente 6

Another classification

• Secret Key Cryptography• the key is kept secret

• it requires a secure channel to be transmitted

• Public Key Crytpography• one key (the deciphering key) is kept secret

• the other key is made public

2001/03/26 r.innocente 7

Public-Key Cryptography Diffie – Hellmann (1976)

• Each user generates a pair of inverse transformation E and D.

• The deciphering key D must be kept secret but need never be communicated on a channel

• The enciphering key E can be made public by placing it in a public directory (Public File)

The original idea here is that keys can be produced in pairsand that it can be very hard to generate a key from the other

2001/03/26 r.innocente 8

PKC algorithms

Since DH idea in 1976 many algorithms have

been proposed, most were discovered

insecure, of the remaining many are not

feasible. Some of the algorithms are:

• Knapsack algorithms (later shown insecure)

• RSA (still considered secure)

• El Gamal (still considered secure)

2001/03/26 r.innocente 9

Knapsack algorithms/1(!!! insecure !!!)

First PKC algorithm proposed by Merckle and Hellmann

in 1978.

• Given n integers M1,M2,M3,..., and a sum S, find a binary sequence b1,b2,b3... such that • S=b1*M1+ b2*M2+b3*M3+ ....

• where:• M1,M2,M3,... is the public key

• b1,b2,b3,... are the bits of the plain message

• S is the ciphertext

In general it is an hard problem,but ...

2001/03/26 r.innocente 10

Knapsack algorithms/2(!!! insecure !!!)

A subclass of the general problem can be easily solved and mapped onto a more general one.

• A superincreasing knapsack is a knapsack in which every number in the ordered sequence is greater than the sum of the preceeding numbers e.g.{ 2,3,6,13,27}

• Solving the problem for a superincreasing knapsack is quite easy. Starting from the greatest number, that will be an addend if it is less than the sum S, and so on ...

• Now, choosing a number m (=55) greater than the sum of all numbers in the sequence, and a number n (=29) prime with m, and taking the remainder module m of the numbers in the sequence multiplied by n e.g. {2*29=58mod 55 =3, 3*29=87mod 55=32,...} we obtain a knapsack that is not superincreasing... if we take this sequence as the public key, and the underlaying superincreasing sequence as the private key ...

2001/03/26 r.innocente 11

RSA/1(Rivest,Shamir,Adleman 1978)

• Choose primes p,q n=p*q• Choose encryption key e prime with (p-1)*(q-1)• Compute the inverse d such that

• now for each message m :

• n,e is the public key• d is the private key

e*d = 1 mod n

c = me mod nm = cd mod n

2001/03/26 r.innocente 12

RSA/2

• Fermat’s little theorem (p prime,(p|a)=1):

• Euler Totient function:

• Euler’s generalization of Fermat’s theorem:

ap-1 ≅ 1 (mod p)

φ(n)= # of integers less than n primes with nFor p,q primes : φ(p) = p-1 φ(p*q) = (p-1)*(q-1)

aφ(n) ≅1 mod naφ(n) –1 ≅ a-1 mod n therefore : e-1 ≅ e(p-1)(q-1)-1 mod n

2001/03/26 r.innocente 13

RSA/3

• Software speedups:• RSA goes faster if you choose e carefully

• 3 (PEM), 65537 (X.509), 17 (PKCS#1) are good choices having only 2 bits set

• in particular 65537 requires only 17 multiplications to exponentiate

• Hardware chips:• it’s about 1000 times slower than DES

• 1 Mb/s using a 512 bits modulus (GEC Marconi)

2001/03/26 r.innocente 14

RSA/4

The RSA patent was valid only for the US because it was requested after publication.

In any case the patent expired on

September,20 2000

and from then on RSA it’s now free everywhere

2001/03/26 r.innocente 15

El Gamal (T.ElGamal 1984)

• Choose a prime p and two random numbers g(<p),x (<p)and compute y = g**x mod p

• public key is y,g,p

• private key is x

• To encrypt a message M choose a random k, (p-1|k)=1 and compute• a= g**k mod p

• b = (y**k)* M mod p

• a,b is the ciphertext, to decrypt :• M = b/a**x mod p

2001/03/26 r.innocente 16

Message digests or Hash or fingerprints

• One way function that maps a file on a fixed length key. As with real fingerprints one hopes that no 2 msgs have the same fingerprint. • collision free

• un-reversible

• e.g :• Unix sum is a bad example (16 bits) (Unix sum,cksum)

• MD5(128 bits) invented by RSA (Unix md5sum)

• SHA1(160 bits) Secure Hash Algorithm-1

2001/03/26 r.innocente 17

Uses of PKCPics from M.Branchaud

Pic fromM.Branchaud

2001/03/26 r.innocente 18

Digital Signature

Message Message DigestMD5

Signature

RSA

with private key

2001/03/26 r.innocente 19

Pitney-Bowes Veritas system

• Uses digital signatures to authenticate info stored on physical documents (including the digital encoding of photographs)

• It’s been used successfully at the Olympic World Games in New Haven in 1995

• On the back of a badge a high density bar code encoded a photograph, biographical data and medical data of the athletes

• A Veritas reader can scan the bar code, verify the digital signature and then display a copy of the photograph

2001/03/26 r.innocente 20

Digital CertificatesL.Kohnfelder (1978)

In an effort to overcome performance

problems related to the use of a single Public

File, Kohnfelder proposed a digitally signed

data record containing a name and a public

key called a CERTIFICATE.

2001/03/26 r.innocente 21

Digital Certificates/2

Name

Public

key

Digital

signature

2001/03/26 r.innocente 22

Certificates/3

• Binary format of certificates is defined using ASN.1 (x.208)

• Binary encoding is defined using DER(Distinguished Encoding Rules) which is based on BER (Basic Encoding Rules)

• Binary format can be translated into ASCII using Base64 encoding, this form is called PEM encoding

2001/03/26 r.innocente 23

ASN.1 (X.208 1988)

Certificate ::=SEQUENCE {tbsCertificate TBSCertificate,

signatureAlgorithm AlgorithmIdentifier,

signature BIT STRING

}

TBSCertificate ::=SEQUENCE {

version [0] EXPLICIT Version DEFAULT v1,

serialNumber CertificateSerialNumber,

signatureAlgorithmIdentifier,

issuer Name,

validity Validity,

subject Name,

subjectPucliKeyInfo,

issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,

subjectUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,

extensions [3] EXPLICIT Extensions OPTIONAL

}

UniqueIdentifier::= BITSTRING

Extensions::=SEQUENCE OF Extension

2001/03/26 r.innocente 24

ASN.1/2Private-Key: (1024 bit)modulus: 00:a0:11:a6:01:c6:d6:55:23:06:12:af:76:04:94: 5d:6a:94:67:f7:02:6e:4c:1b:90:39:b8:6d:a6:02: 01:57:87:0b:57:ed:c9:ad:89:28:bf:71:62:7d:26: 9a:de:2d:d8:15:ed:82:07:cf:07:a5:4d:9c:83:b3: 11:19:1a:f4:c9:68:ac:39:c9:98:be:69:5c:dd:da: f1:44:7e:80:9e:53:c9:7c:ca:3c:60:20:99:ce:b3: 53:be:67:7f:31:06:91:b2:c5:76:04:53:0d:5a:42: b9:26:b1:fe:93:15:f0:04:75:03:1c:e7:a9:3a:cf: 9d:5e:01:01:93:81:23:09:45publicExponent: 65537 (0x10001)privateExponent: 5a:db:a9:af:38:7e:50:b5:20:ad:5a:8b:52:ee:24: 58:6b:04:d8:60:b8:da:da:8a:73:39:0c:84:3e:7f: 24:7f:b3:20:a6:08:e4:48:06:a9:24:63:13:46:e6: 81:56:e4:61:0d:ff:d1:0e:e2:f8:21:a5:c5:db:ce: c8:c1:54:50:58:f4:d5:4c:53:ba:f7:dd:25:9d:a4: 55:25:a1:4b:07:25:38:14:20:0c:a6:c2:07:1d:a6: cd:b0:f0:5b:cc:58:f6:fd:1d:0a:93:01:58:83:79: 46:e4:fc:67:91:f9:36:9c:07:c5:9c:26:12:bd:ab: 1e:86:4c:63:a4:0b:31:c1prime1: 00:d1:d7:69:c9:c5:b0:50:37:9f:2e:2d:21:b5:9f: 96:7e:e8:c1:05:29:b1:62:da:e4:b5:cd:04:03:b1: 27:c7:3e:ca:27:a1:bd:69:4f:33:e2:97:5a:03:d0: 33:6f:41:c8:e0:f9:94:e2:0d:c1:a6:85:e1:09:ac: 31:f5:97:7f:77prime2: 00:c3:47:72:4a:31:ea:e4:e6:0f:79:7f:68:da:c8: 40:7a:96:86:be:69:1c:94:e7:ab:1f:03:66:e0:05: 00:92:4f:e9:ac:ff:0e:51:45:9c:ed:9b:9e:01:ba: e5:00:a2:0f:d4:59:e6:06:d9:24:21:ba:b1:96:79: 51:5b:37:44:23exponent1: 64:1e:98:6d:d9:f1:be:c4:5b:21:a8:0c:ee:60:5f: 68:db:da:c4:80:d9:0e:e6:8b:bb:26:3f:65:17:90: 78:23:40:46:da:87:ca:08:2d:24:4e:bc:77:17:4e: 83:25:eb:17:54:5d:b1:e1:88:64:d0:79:c7:a8:ae: 09:94:a8:0fexponent2: 65:64:77:67:26:bb:fb:d5:a8:3b:41:78:44:00:ad: d9:f8:c6:45:9f:76:03:aa:b6:23:08:35:26:23:f2: c4:05:52:23:4c:db:36:3f:9a:d7:94:71:5a:1c:9c: 42:d3:e2:bc:33:61:48:34:fe:99:b4:c1:f8:8b:4d: 3e:bb:57:59coefficient: 24:c5:7d:c3:22:1b:cf:ae:15:20:97:9c:73:78:4a: d5:98:39:da:be:12:7e:94:1d:81:fa:0e:08:2a:dc: 3d:18:9e:b3:f8:cf:29:66:76:16:22:11:8f:d1:c1: a3:ec:6f:50:d5:e1:0f:66:ba:6a:43:ec:86:20:08: 39:0c:20:9e-----BEGIN RSA PRIVATE KEY-----MIICWwIBAAKBgQCgEaYBxtZVIwYSr3YElF1qlGf3Am5MG5A5uG2mAgFXhwtX7cmtiSi/cWJ9JpreLdgV7YIHzwelTZyDsxEZGvTJaKw5yZi+aVzd2vFEfoCeU8l8yjxgIJnOs1O+Z38xBpGyxXYEUw1aQrkmsf6TFfAEdQMc56k6z51eAQGTgSMJRQIDAQABAoGAWtuprzh+ULUgrVqLUu4kWGsE2GC42tqKczkMhD5/JH+zIKYI5EgGqSRjE0bmgVbkYQ3/0Q7i+CGlxdvOyMFUUFj01UxTuvfdJZ2kVSWhSwclOBQgDKbCBx2mzbDwW8xY9v0dCpMBWIN5RuT8Z5H5NpwHxZwmEr2rHoZMY6QLMcECQQDR12nJxbBQN58uLSG1n5Z+6MEFKbFi2uS1zQQDsSfHPsonob1pTzPil1oD0DNvQcjg+ZTiDcGmheEJrDH1l393AkEAw0dySjHq5OYPeX9o2shAepaGvmkclOerHwNm4AUAkk/prP8OUUWc7ZueAbrlAKIP1FnmBtkkIbqxlnlRWzdEIwJAZB6YbdnxvsRbIagM7mBfaNvaxIDZDuaLuyY/ZReQeCNARtqHyggtJE68dxdOgyXrF1RdseGIZNB5x6iuCZSoDwJAZWR3

2001/03/26 r.innocente 25

ASN.1/3 0:d=0 hl=4 l= 603 cons: SEQUENCE 4:d=1 hl=2 l= 1 prim: INTEGER :00 7:d=1 hl=3 l= 129 prim: INTEGER:A011A601C6D655230612AF7604945D6A9467F7026E4C1B9039B86DA6020157870B57EDC9AD8928BF71627D269ADE2DD815ED8207CF07A54D9C83B311191AF4C968AC39C998BE695CDDDAF1447E809E53C97CCA3C602099CEB353BE677F310691B2C57604530D5A42B926B1FE9315F00475031CE7A93ACF9D5E01019381230945 139:d=1 hl=2 l= 3 prim: INTEGER :010001 144:d=1 hl=3 l= 128 prim: INTEGER :5ADBA9AF387E50B520AD5A8B52EE24586B04D860B8DADA8A73390C843E7F247FB320A608E44806A924631346E68156E4610DFFD10EE2F821A5C5DBCEC8C1545058F4D54C53BAF7DD259DA45525A14B07253814200CA6C2071DA6CDB0F05BCC58F6FD1D0A930158837946E4FC6791F9369C07C59C2612BDAB1E864C63A40B31C1 275:d=1 hl=2 l= 65 prim: INTEGER:D1D769C9C5B050379F2E2D21B59F967EE8C10529B162DAE4B5CD0403B127C73ECA27A1BD694F33E2975A03D0336F41C8E0F994E20DC1A685E109AC31F5977F77 342:d=1 hl=2 l= 65 prim: INTEGER:C347724A31EAE4E60F797F68DAC8407A9686BE691C94E7AB1F0366E00500924FE9ACFF0E51459CED9B9E01BAE500A20FD459E606D92421BAB19679515B374423 409:d=1 hl=2 l= 64 prim: INTEGER :641E986DD9F1BEC45B21A80CEE605F68DBDAC480D90EE68BBB263F65179078234046DA87CA082D244EBC77174E8325EB17545DB1E18864D079C7A8AE0994A80F 475:d=1 hl=2 l= 64 prim: INTEGER :6564776726BBFBD5A83B41784400ADD9F8C6459F7603AAB62308352623F2C40552234CDB363F9AD794715A1C9C42D3E2BC33614834FE99B4C1F88B4D3EBB5759 541:d=1 hl=2 l= 64 prim: INTEGER :24C57DC3221BCFAE1520979C73784AD59839DABE127E941D81FA0E082ADC3D189EB3F8CF2966761622118FD1C1A3EC6F50D5E10F66BA6A43EC862008390C209E

2001/03/26 r.innocente 26

OID (object identifiers)

• Object identifiers are unique numbers assigned to objects. They identify a node in a global tree.

• e.g. 1.2.840.113549.1.7.2 is an OID, it means SignedData which is defined by RSADSI

0

ITU-T

1

ISO

2

joint ISO/ITU

2001/03/26 r.innocente 27

OID global tree

Pic fromM.Branchaud

2001/03/26 r.innocente 28

RSA keys according to PKCS#..Private-Key: (1024 bit)

modulus:

00:a0:11:a6:01:c6:d6:55:23:06:12:af:76:04:94:

5d:6a:94:67:f7:02:6e:4c:1b:90:39:b8:6d:a6:02:

01:57:87:0b:57:ed:c9:ad:89:28:bf:71:62:7d:26:

9a:de:2d:d8:15:ed:82:07:cf:07:a5:4d:9c:83:b3:

11:19:1a:f4:c9:68:ac:39:c9:98:be:69:5c:dd:da:

f1:44:7e:80:9e:53:c9:7c:ca:3c:60:20:99:ce:b3:

53:be:67:7f:31:06:91:b2:c5:76:04:53:0d:5a:42:

b9:26:b1:fe:93:15:f0:04:75:03:1c:e7:a9:3a:cf:

9d:5e:01:01:93:81:23:09:45

publicExponent: 65537 (0x10001)

privateExponent:

5a:db:a9:af:38:7e:50:b5:20:ad:5a:8b:52:ee:24:

58:6b:04:d8:60:b8:da:da:8a:73:39:0c:84:3e:7f:

24:7f:b3:20:a6:08:e4:48:06:a9:24:63:13:46:e6:

81:56:e4:61:0d:ff:d1:0e:e2:f8:21:a5:c5:db:ce:

c8:c1:54:50:58:f4:d5:4c:53:ba:f7:dd:25:9d:a4:

55:25:a1:4b:07:25:38:14:20:0c:a6:c2:07:1d:a6:

cd:b0:f0:5b:cc:58:f6:fd:1d:0a:93:01:58:83:79:

46:e4:fc:67:91:f9:36:9c:07:c5:9c:26:12:bd:ab:

2001/03/26 r.innocente 29

X.500 Directory Services

2001/03/26 r.innocente 30

X.500

Pic fromM.Branchaud

2001/03/26 r.innocente 31

Distinguished Names (DN)fields

• Common name CN e.g. CN=Joe Wells

• Organizational unit OU e.g OU=Sales

• Organization O e.g. O=Heaven,Inc.

• City/Locality L e.g. L=Tampa

• State/Province ST e.g. ST=Florida

• Country C e.g. C=US

• /C=US/ST=Florida/L=Tampa/O=Heaven,Inc./OU=Sales/CN=Joe Wells

2001/03/26 r.innocente 32

Digital Certificates/3

2001/03/26 r.innocente 33

X.509 cert v1-2

Pic fromM.Branchaud

2001/03/26 r.innocente 34

CRL(CertificateRevocationList)

2001/03/26 r.innocente 35

CRLv2

Pic fromM.Branchaud

2001/03/26 r.innocente 36

SSL/1

The SSL (Secure Socket Layer) protocol

was designed by Netscape to be used with its

browser.

• SSL v.1 was used only internally.

• SSL v.2 was incorporated in Navigator v1 and v2.

• Microsoft created a similar protocol called PCT which overcame some problems of SSL

• SSL v.3 incorporated PCT enhancements

2001/03/26 r.innocente 37

SSL/2

• The first implementation of SSL was available only in Netscape browsers and servers

• SSLRef is a reference implementation in C that Netscape made available in source code (does’nt include RC2 or RC4 encryption algorithms)

• SSLeay is an indipendent implementation of SSLv.3 made by Eric A. Young a programmer in Australia

• OpenSSL is based on SSLeay

2001/03/26 r.innocente 38

TLS/SSL Layers

e.g. TCP

TLS

Record protocol

TLS

Handshake protTLS layers

Transport protocol

2001/03/26 r.innocente 39

SSL record protocol

• Each SSL record contains:• content type

• proto version

• length

• payload

• Message auhentication ( Changed in TLS to HMAC), it contains a sequence number to be hashed together with data

2001/03/26 r.innocente 40

SSL/TLS handshake

• ClientHello (version,random,session,ciperhs)– Server hello(version,random,session,cipher)– [server may send its certificate]

– [server may send a KeyExchange]

– [server may send a CertReq]

• [Client sends its certificate]

• client sends a KeyExchange

• [client sends a cert verify]

• both send a Change CIpher

2001/03/26 r.innocente 41

SSL cert accept

PicFromnetscape

2001/03/26 r.innocente 42

Key Exchange

• SSL v.2 uses RSA key exchange only

• SSL v.3 supports:• RSA key exchange when certificates are used

• DH (Diffie-Hellmann) for exchanging keys w/o certificates or prior communication

2001/03/26 r.innocente 43

Diffie-Hellmann Key Exchange

• Given a large prime n and a primitive g• A chooses a random x and sends to B

• X = g^x mod n

• B choses a random y and sends to A• Y = g^y mod n

• A and B can compute• k = Y^x mod n = g^(y*x) mod n = X^y mod n

• The patent held by PKP expired in 1997

2001/03/26 r.innocente 44

PKI (Public Key Infrastructure)

• It is a practical and viable way of publishing public keys on the Internet

• PGP,PEM,PKIX ,SPKI and SDSI are different proposals

2001/03/26 r.innocente 45

PEM CA model

Pic fromM.Branchaud

2001/03/26 r.innocente 46

PKI

Pic fromM.Branchaud

2001/03/26 r.innocente 47

STARTTLS (RFC 2487)

• a server announce its support of TLS• ehlo heaven.org• 250 inferno.org• 250 starttls

• the client then can switch to TLS• starttls• 220 ready to start tls

• STARTTLS is supported in sendmail 8.11

2001/03/26 r.innocente 48

Microsoft Authenticode

• Announced in 1996 by Microsoft as part of IE3.0 and ActiveX (A system for downloading programs from web pages)

• It describes some file formats to sign Microsoft 32bit EXEs, DLLs and OCXs

• The signed file contains:• original file• digital signature• an X.509 certificate for the public key needed to verify the

authenticode signature

• The tools needed are in the ActiveX software developer’s Kit (CSW Code Signing Wizard)

2001/03/26 r.innocente 49

Java signed applets

• Java too can use X.509 certificates to sign the code in a jar file (keytool and jarsign utilities)

• The idea is similar to that of Microsoft, the code signed can obtain better trust according to user chosen confidence in signing publishers

2001/03/26 r.innocente 50

Encrypted services

Note that recently the name of crypted services has changed

from an initial s to a final s (simap to imaps)

• https 443/tcp #http over ssl

• telnets 992/tcp #telnet over ssl

• pop3s 995/tcp

• imaps 993/tcp

• smtps 465/tcp

• sshell 614/tcp #SSLshell

• nsiiops 261/tcp #IIOP name service over ssl