Digital Signature, Digital Certificate - PowerPoint PPT Presentation

1 / 56
About This Presentation
Title:

Digital Signature, Digital Certificate

Description:

Public Key Infrastructure (PKI) Secure Electronic Transaction (SET) Summary ... Up to 448. Blowfish. Key Length (bits) Algorithm Name. References: Blowfish. DES. IDEA ... – PowerPoint PPT presentation

Number of Views:15759
Avg rating:3.0/5.0
Slides: 57
Provided by: ccch1
Category:

less

Transcript and Presenter's Notes

Title: Digital Signature, Digital Certificate


1
Digital Signature,Digital Certificate
  • CSC1720 Introduction to Internet
  • Essential Materials

2
Outline
  • Introduction
  • Cryptography
  • Secret-key algorithms
  • Public-key algorithms
  • Message-Digest algorithms
  • Digital Signature
  • Digital Certificate
  • Public Key Infrastructure (PKI)
  • Secure Electronic Transaction (SET)
  • Summary

3
Introduction
  • Cryptography and digital certificates are first
    appeared in closed commercial, financial network
    and military systems.
  • We can send/receive secure e-mail, connect to
    secure website to purchase goods or obtain
    services.
  • Problem How do we implement them in this global,
    open network, Internet?
  • To what level of encryption is sufficient to
    provide safe and trust services on the Net?

4
Cryptography
  • 3 cryptographic algorithms
  • Message-digest algorithms
  • Map variable-length plaintext to fixed-length
    ciphertext.
  • Secret-key algorithms
  • Use one single key to encrypt and decrypt.
  • Public-key algorithms
  • Use 2 different keys public key and private key.

5
Keys
  • It is a variable value that is used by
    cryptographic algorithms to produce encrypted
    text, or decrypt encrypted text.
  • The length of the key reflects the difficulty to
    decrypt from the encrypted message.

6
Key length
  • It is the number of bits (bytes) in the key.
  • A 2-bit key has four values
  • 00, 01, 10, 11 in its key space
  • A key of length n has a key space of 2n
    distinct values.
  • E.g. the key is 128 bits
  • 101010101010.10010101111111
  • There are 2128 combinations
  • 340 282 366 920 938 463 463 374 607 431 768 211
    456

7
Secret-key Encryption
  • Use a secret key to encrypt a message into
    ciphertext.
  • Use the same key to decrypt the ciphertext to the
    original message.
  • Also called Symmetric cryptography.

8
Secret Key How to?


Encryption


Decryption
9
Secret-Key Problem?
  • All keys need to be replaced, if one key is
    compromised.
  • Not practical for the Internet environment.
  • On the other hand, the encryption speed is fast.
  • Suitable to encrypt your personal data.

10
Secret-Key algorithms
Algorithm Name Key Length (bits)
Blowfish Up to 448
DES 56
IDEA 128
RC2 Up to 2048
RC4 Up to 2048
RC5 Up to 2048
Triple DES 192
References Blowfish DES IDEA RC2 RC4 RC5 DES-3
11
Public-key Encryption
  • Involves 2 distinct keys public, private.
  • The private key is kept secret and never be
    divulged, and it is password protected
    (Passphase).
  • The public key is not secret and can be freely
    distributed, shared with anyone.
  • It is also called asymmetric cryptography.
  • Two keys are mathematically related, it is
    infeasible to derive the private key from the
    public key.
  • 100 to 1000 times slower than secret-key
    algorithms.

12
How to use 2 different keys?
  • Just an example
  • Public Key 4, Private Key 1/4, message M 5
  • Encryption
  • Ciphertext C M Public Key
  • 5 4 20
  • Decryption
  • Plaintext M C Private Key
  • 20 ¼ 5

13
Public-Private Encryption
14
Message Encryption(User A sends message to User
B)
Public Key Directory
Encryption
15
Message Encryption
Encrypted Message
Original Message
16
Transfer Encrypted Data
17
Decryption with your Private key
Decryption
18
Asymmetric algorithms
Algorithm Name Key Length (bits)
DSA Up to 448
El Gamal 56
RSA 128
Diffie-Hellman Up to 2048
References DSA El Gamal RSA Diffie-Hellman
19
How difficult to crack a key?
Attacker Computer Resources Keys / Second
Individual attacker One high-performance desktop machine Software 217 224
Small group 16 high-end machines Software 221 224
Academic Network 256 high-end machines Software 225 228
Large company 1,000,000 hardware budget 243
Military Intelligence agency 1,000,000 hardware budget advanced technology 255
Key Length Individual Attacker Small Group Academic Network Large Company Military Inteligence Agency
40 Weeks Days Hours Milliseconds Microseconds
56 Centuries Decades Years Hours Seconds
64 Millennia Centuries Decades Days Minutes
80 Infeasible Infeasible Infeasible Centuries Centuries
128 Infeasible Infeasible Infeasible Infeasible Millennia
20
Crack DES-3 (Secret-key)
Distributed.net connects 100,000 PCs on the Net,
to get a record-breaking 22 hr 15 min to
crack the DES algorithm. Speed 245 billion
keys/s Win 10,000
21
Message-Digest Algorithms
  • It maps a variable-length input message to a
    fixed-length output digest.
  • It is not feasible to determine the original
    message based on its digest.
  • It is impossible to find an arbitrary message
    that has a desired digest.
  • It is infeasible to find two messages that have
    the same digest.

22
Message-Digest How to
  • A hash function is a math equation that create a
    message digest from message.
  • A message digest is used to create a unique
    digital signature from a particular document.
  • MD5 example

Original Message (Document, E-mail)
Hash Function
Digest
23
Message Digest Demo
24
Message-Digest
Message-Digest Algorithm Digest Length (bits)
MD2 128
MD4 128
MD5 128
Secure Hash Algorithm (SHA) 160
References MD2 MD4 MD5 SHA
25
Break Time 15 minutes
26
Digital Signature
  • Digital signature can be used in all electronic
    communications
  • Web, e-mail, e-commerce
  • It is an electronic stamp or seal that append to
    the document.
  • Ensure the document being unchanged during
    transmission.

27
How digital Signature works?
28
Digital Signature Generation and Verification
Message Sender
Message Receiver
Message
Message
Hash function
Hash function
Public Key
Digest
Private Key
Encryption
Decryption
Signature
Expected Digest
Digest
29
Digital Signature
  • Reference

30
Key Management
  • Private key are password-protected.
  • If someone want your private key
  • They need the file contains the key
  • They need the passphrase for that key
  • If you have never written down your passphrase or
    told anyone
  • Very hard to crack
  • Brute-force attack wont work

31
Digital Certificates
  • Digital Certificate is a data with digital
    signature from one trusted Certification
    Authority (CA).
  • This data contains
  • Who owns this certificate
  • Who signed this certificate
  • The expired date
  • User name email address

32
Digital Certificate
  • Reference

33
Elements of Digital Cert.
  • A Digital ID typically contains the following
    information
  • Your public key, Your name and email address
  • Expiration date of the public key, Name of the CA
    who issued your Digital ID

34
Certification Authority (CA)
  • A trusted agent who certifies public keys for
    general use (Corporation or Bank).
  • User has to decide which CAs can be trusted.
  • The model for key certification based on friends
    and friends of friends is called Web of Trust.
  • The public key is passing from friend to friend.
  • Works well in small or high connected worlds.
  • What if you receive a public key from someone you
    dont know?

35
CA model (Trust model)
Root Certificate
CA Certificate
CA Certificate
Browser Cert.
Server Cert.
36
Web of Trust model
37
Public Key Infrastructure (PKI)
  • PKI is a system that uses public-key encryption
    and digital certificates to achieve secure
    Internet services.
  • There are 4 major parts in PKI.
  • Certification Authority (CA)
  • A directory Service
  • Services, Banks, Web servers
  • Business Users

38
Digital 21 . gov .hk
Reference An official homepage which provides
lot of PKI, e-commerce information
39
PKI Structure
Certification Authority
Directory services
Public/Private Keys
Services, Banks, Webservers
User
40
4 key services
  • Authentication Digital Certificate
  • To identify a user who claim who he/she is, in
    order to access the resource.
  • Non-repudiation Digital Signature
  • To make the user becomes unable to deny that
    he/she has sent the message, signed the document
    or participated in a transaction.
  • Confidentiality - Encryption
  • To make the transaction secure, no one else is
    able to read/retrieve the ongoing transaction
    unless the communicating parties.
  • Integrity - Encryption
  • To ensure the information has not been tampered
    during transmission.

41
Certificate Signers
42
Certificate Enrollment and Distribution
43
Secure Web Communication
  • Server authentication is necessary for a web
    client to identify the web site it is
    communicating with.
  • To use SSL, a special type of digital certificate
    Server certificate is used.
  • Get a server certificate from a CA.
  • E.g. www.hitrust.com.hk, www.cuhk.edu.hk/ca/
  • Install a server certificate at the Web server.
  • Enable SSL on the Web site.
  • Client authentication Client certificates

44
Strong and Weak Encryption
  • Strong encryption
  • Encryption methods that cannot be cracked by
    brute-force (in a reasonable period of time).
  • The world fastest computer needs thousands of
    years to compute a key.
  • Weak encryption
  • A code that can be broken in a practical time
    frame.
  • 56-bit encryption was cracked in 1999.
  • 64-bit will be cracked in 2011.
  • 128-bit will be cracked in 2107.

45
Pretty Good Privacy (PGP)
  • Release in June 1991 by Philip Zimmerman (PRZ)
  • PGP is a hybrid cryptosystem that allows user to
    encrypt and decrypt.
  • Use session key a random generated number from
    the mouse movement or keystrokes
  • Demo Tutorial

46
PGP Public Key
  • Philip R Zimmermann's Public Keys
  • Current DSS/Diffie-Hellman Key
  • Key fingerprint 055F C78F 1121 9349 2C4F 37AF
    C746 3639 B2D7 795E
  • -----BEGIN PGP PUBLIC KEY BLOCK-----
  • Version PGP 7.0.3
  • mQGiBDpU6CcRBADCT/tGpBu0EHpjd3G11QtkTWYnihZDBdenjY
    V2EvotgRZAj5h4ewprq1u/zqzGBYpiYL/9j5XDFcoWF24bzsU
    mHXsbDSivXEyQND1GUdx4wVcEY5rNjkArX06XuZzObvXFXOvq
    Rj6LskePtw3xLf5uj8jPN0Nf6YKnhfGIHRWQCg/0UAr3hMK6zc
    A/egvWRGsm9dJecD/18XWekzt5JJeK3febJO/3Mwe43O6VNOxm
    MpGWOYTrhivyOb/ZLgLedqXMeXHGdGroARZkxYq/a9y5jNci
    vDEyNIiNDPD64rl00FNZksx7dijD89PbIULDCtUpps2J0gk5
    inRyzinfjDyFnn5UEHI2rPFLUbXWHJXJcp0UBACBkzDdesPj
    EVXZdTRTLk0sfiWEdcBM/5GpNswMlK4A7A6iqJoSNJ4pO5Qq6P
    YOwDFqGir19WEfoTyHW0kxipnVbvq4q2vAhSIKOqNEJGxg4DTE
    Kecf3xCdJ0kW8dVSogHDH/cQ4RFQq/31aev3HDy20YayxAE9
    4BWIsKkhaMyokAYQQfEQIAIQUCOlTwWwIHABcMgBE/xzIEHSPp
    6mbdtQCcnbwh33TcYQAKCRDHRjY5std5Xle4AKCh1dqtFxD/Bi
    ZMqdP1eZYG8AZgTACfU7VX8NpIaGmdyzVdrSDUo49AJae0IlBo
    aWxpcCBSLiBaaW1tZXJtYW5uIDxwcnpAbWl0LmVkdT6JAFUEEB
    ECABUFAjpU6CcFCwkIBwMCGQEFGwMAAAAACgkQx0Y2ObLXeV5W
    UQCfWWfTDHzSezrDawgN2Z4Qb7dHKooAoJyVnm61utdRsdLr2e
    6QnV5Z0yjjiQBGBBARAgAGBQI6VOkSAAoJEGPLaR3669X8JPcA
    nim4Hc0oteQZrNUeuMSuirNVUr7AKC1WXJI7gwMq0Agz07hQs
    POJBMokARgQQEQIABgUCOlcobQAKCRDXjLzlZqdLMVBtAKDa
    5VPcb6NVH6tVeEDJUvtBjp6oACeLoNtfbs2rvJkgKDHWEIDmJ
    dgy2GJAD8DBRA6WP4Y8CBzV/QUlSsRAkmdAKC3TfkSSehpoPF
    nMfW/Y/AAEEpGSUYAAQEAAAEAAQAA/9sAQwAKBwcIBwYKCAg
    ICwoKCw4YEA4NDQ4dFRYRGCMfJSQiHyIhJis3LyYpNCkhIjBBM
    TQ5Oz4PiUuRElDPEg3PT47///EALUQAAIBAwMCBAMFB
  • ..
  • QQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZk5SVlpeYmZqio
    6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uP
    k5ebn6Onq8fLz9PX29/j5v/EAB8BAAMBAQEBAQEBAQEAAAAAA
    AABAgMEBQYHCAkKC//EALURAAIBAgQEAwQHBQQEAAECdwABAgM
    RBAUhMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJ
    fEXGBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmd
    oaWpzdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipq
    rKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5jp6vL
    z9PX29/j5v/aAAwDAQACEQMRAD8A9mooooAKKKKACsjW/Eum6
    FGTdS7pcfLEv3j/AIfjWV428XHQrf7HY4e/lHXIxEvqfevH7y8
    lupXmmuJppWOZJCAD9aly7GkIX1Z3OpfE3Up3K2EUVumcdN7f
    y/pWLL4415wPM1GWPJyNpK/0Fc5btG/Pktkfx7yTVhYAGLsAxb
    ryf5c5rNvzNlG3Q6yz8ZaxEyudQkcZ7JtYH867PRfG9nfIsd7
    /o8p/iIU/4V5EI/IGVXUGfnHy9iUsiGSa6q6Jew1XpTDJvAA
    ICDACNUV4K2PS6h574Z3NaBsIQe5jkVO48MSohjC6s29CjPhlU
    79cQIYWmBpuNfwroZ6zltyz6Y2Fm65V0IfvVicR7zvFFCOhahM
    uk1crQp936OMEq9sLZGxTjClgwrHGS7YpMSZrEC7bpOmERjo4
    F/n5YmCHJCH8QzCOc980gjVEsHiJVABrC8yykjKL5x1V/PSAr
    E4QtMLbkBPGmQYOw8bx6jCHoO43QjUzbqRfBMHZqWVJyoIIZCp
    n13XM4NO/cDVsZ8bjch0LIOyMrT85n24yfXRlP0s7BFjLm59
    Jjhf4djuJWikJawWETlypAy86OYRRuwCbIyNauBeTKyavZvF2
    oLvpwH4UnudpC06/O0jkj2lQpn9EEUw11RwO6sq9zYTwAUyKer
    N00cbCfyiZl01CIo0btcTO6hQK3c67PaloJ9lVH8/mH7LuqkML
    DH5ugkpzmed/8SorfqVkakne6b4mRySFCBXaVZoKmDHzcH2oSS
    MhM9exyh6dzi1bGu6JAEwEGBECAAwFAjpU6CcFGwwAAAAACgkQ
    x0Y2ObLXeV7lbQCgNfI3bzqF9fB50J5sFHVHM7hYAn09Af
    Dl5ncnr4D7 ReMDlYoIZwRR Bgy
  • -----END PGP PUBLIC KEY BLOCK-----

47
PGP encryption
  • Reference

48
PGP decryption
  • Reference

49
Secure SHell (SSH)
  • Provide an encrypted secure channel between
    client and server.
  • Replacement for telnet and ftp.
  • Reference SSH

50
Secure Shell Secure FTP
Secure Shell
Secure FTP
The Hosts Public Key
51
Secure Electronic Transaction (SET)
  • This protocol is developed by Visa and MasterCard
    specifically for the secure credit card
    transactions on the Internet.
  • SET encrypts credit card and purchase information
    before transmission over the Internet.
  • SET allows the merchants identify be
    authenticated via digital certificates, also
    allows the merchant to authenticate users through
    their digital certificates (more difficult to
    someones stolen credit card).
  • SET DEMO

52
Secure Electronic Transaction (SET)
  • There are four parts in the SET system.
  • A software wallet on the users computer
    Cardholder.
  • A commerce server that runs on the merchants web
    site Merchant.
  • The payment server that runs at the merchants
    bank Acquiring bank.
  • The Certification Authority Issuing bank.
  • SET FAQs

53
SET
54
Privacy-Enhanced E-mail
Encrypted
Signed
55
Summary
  • Make sure you understand the relationship between
  • Encryption
  • Digital Signature
  • Digital Certificate
  • Certificate Authority
  • Understand which Public/Private key should be
    used to encrypt/decrypt message to/from you?
  • Discuss PGP, SET, SSH, encrypted email.

56
References
  • Digital Certificate (Applied Internet Security)
    By Feghhi, Feghhi, Williams Addison Wesley
  • Basic Crytography
  • Digital Signature
  • PKI Resources
  • SET Resources
  • General Definitions
  • Digital ID FAQ
  • The End.
  • Thank you for your patience!
Write a Comment
User Comments (0)
About PowerShow.com