Public Key Cryptography: Concepts and Applications

1
Public Key Cryptography Concepts and
Applications
Raval Fichadia John Wiley Sons, Inc. 2007

• Chapter Six
• Prepared by Raval, Fichadia

2
(No Transcript)
3
Chapter Six Objectives

1. Infer various uses of public key cryptography and
   explain the meaning, characteristics, and uses of
   digital signature.
2. Understand the role of trust in the Internet
   business environment.
3. Describe the nature and characteristics of public
   key infrastructure.
4. Interpret the role of public key cryptography in
   achieving security objectives.
5. Describe various applications of the public key
   infrastructure.

4
How do you get the secret key in the hands of the
receiver of the message?

• Key distribution Distributing secret key in a
  secured manner.
• Key agreement Using a key agreement protocol,
  key value is determined by sender and receiver of
  a message.
• Diffie-Hallman protocol is a widely-used protocol
  for this purpose.

5
Digital Signature

• Role of signature A signature
  testifies/acknowledges some content. The signor
  links/binds himself/herself to the content.
• Digital signature A way of electronically
  binding oneself to the content of a message or a
  document.
• The way to do this is by encrypting message
  digest (or the message) using ones private key.

6
Trust in Public Keys

• Need for trust
• Anywhere, anytime, anyone models of doing
  business have surfaced.
• Transactions (orders) may come from a person you
  may never meet.
• It is therefore necessary to authenticate the
  person requesting goods or services.

7
Trust Compared to Security

• Trust means to rely on.
• Trust has to do with the expectation that the
  person or an entity relied on will behave in a
  predictable manner (e.g., pay dues).
• Trusting is an act of the receiver security is
  in the hands of those accountable for information
  assets.
• Trust is viewed in the context of use (e.g.,
  value of transaction) security is a constant,
  regardless of who makes the determination.
• Therefore, levels of trust can be determined and
  used depending on the context of use security
  has two states, either an information asset is
  secured, or is unsecured.

8
Sources and Levels of Trust

• Since context of use will vary, different levels
  of trust can be identified.
• Trust level to be established for a 10
  transaction would be different than for a 50
  million electronic fund transfer.
• This way of looking at establishing trust also
  provides cost effectiveness to systems that help
  determine whether to trust a user (customer, for
  example).
• Different organizations or people may trust the
  same entity to different degrees.

9
Meeting Requirements of Trust

• Digital (public key) certificate
• Certification authority
• Trust levels in digital certificate
• Web trust models

10
Digital (Public Key) Certificate

• A certificate provided by a certification
  authority, certifying owners public key.
• The certificate has a plaintext part and an
  encrypted part.
• The plaintext discloses the certificate holders
  name, the issuer (CA), expiration date, etc.
• The encrypted part is where the CA has stored the
  subjects public key, encrypted using the CAs
  private key.

11
Certification Authority (CA)

• An organization that issues digital certificates.
• The CA performs many tasks
• Receive application for keys.
• Verify applicants identity, conduct due
  diligence appropriate to the trust level, and
  issue key pairs.
• Store public keys and protect them from
  unauthorized modification.
• Keep a register of valid keys.
• Revoke and delete keys that are invalid or
  expired. Maintain a certificate revocation list
  (CRL).
• In doing its work, the CA may appoint agents,
  called registration authorities (RAs).
• A primary responsibility of RAs is to facilitate
  the certificate application process.

12
Trust Levels in Digital Certificate

• Trust levels are implied in digital certificates.
• If anticipated risk is higher in transactions
  with a subject, one might seek a higher level of
  trust in the certificate.
• The higher the trust level to be assigned to a
  subject, the greater the depth of due diligence.
• And greater the cost of issuing the certificate.

13
Web Trust Models

• The process of establishing trust involves a
  trust model.
• A trust model allows users to imply trust based
  on what they already know.
• In a hierarchical trust model (upside down tree),
  the top node (root CA) certifies the next level,
  which in turn certifies the level below, and so
  forth until we reach end entities at the lower
  most level.
• In a distributed trust model, several independent
  hierarchies, each with its own root CA, are
  formed. Root CAs (also called peer CAs)
  coordinate communication across hierarchies.
• A Web model is a specific case of the distributed
  model implemented by storing public keys of root
  CAs in widely used browsers.
• A user-centric trust model (web of trust model)
  relies on the user to act as a de facto CA.
  Example Pretty Good Privacy (PGP).

14
Public Key Infrastructure (PKI)

• An infrastructure is a network that runs behind
  the scene serving a variety of users having
  different needs.
• Public key cryptography permits technical
  authentication of the sender, and allows for
  assurance of nonrepudiation.
• Certification infrastructure, designed using a
  trust model, provides for trust in public key
  necessary in the authentication process.

15
X.509

• Is a standard for PKI.
• Specifies formats for and attributes of public
  key certificates and trust models.
• The standard promotes interoperability and
  consistency, allowing for different software
  vendors and users to work with the same object.
• The binding of the public key with the end entity
  (subject) is usually done using various sources
  (e.g., email address of the entity for basic
  level of trust).

16

• Structure of a X.509 v3 digital certificate
• Certificate
• Version (to identify the version of certificate
  structure)
• Serial Number
• Algorithm ID (to identify the specific
  encryption algorithm used in digitally signing
  (certifying) the public key of the subject (often
  called an end-entity)
• Issuer (Name of the certification authority)
• Validity (period for which the certificate is
  valid)
• Subject (also called end-entity)
• Subject Public Key Info
• Public Key Algorithm used in issuing
  public-private key pair
• Subject Public Key (A string of characters that
  defines the value of the subjects public key)
• Issuer Unique Identifier (The identifying number
  of the certification authority that issued the
  certificate, e.g., Verisign, RSAsecurity)
• Subject Unique Identifier (The identifying
  number of the subject)
• Extensions (Additional information, if any,
  about the subject)
• Certificate Signature Algorithm (Algorithm that
  the certification authority used to append its
  digital signature, e.g., MD5)
• Certificate Signature

17
Company Unique features of PKI
Dresdner Bank Designed and implemented a universal PKI registration system. Followed specific procedures to register its corporate clients.
Deutsche Bank Scalable over several platforms. The bank reduced losses due to fraudulent transactions and increased use of its applications. It provided customers with digital identities. It also provided for and certified legally binding signatures.
Canadian Payments Association The Association is a non-profit, national clearing and settlement operation. Their PKI application is intended to address consumer concerns regarding personal and financial information transmitted via the Internet. The association certifies its members (mostly banks), who in turn issue certificates to their customers.
ABN AMRO Bank A complete security solution for its internal, bank-to-bank, and customer-to-bank applications. ABN AMRO is the trusted root CA.
Australian Health Insurance Commission Processes millions of healthcare payment claims each day and handles sensitive clinical information. The PKI links to disparate applications and systems within the commission.
MEDepass Issues a certificate to subscribers and publishes it to the healthcare community. Maintains a CRL.
Veterans Affairs Certificates will be used for veterans benefits (educational, compensation, pension, vocational rehabilitation, etc.) claims processing.
U.S. Government General Services Administration Digital Signature Trust issues digital certificates to the American public on behalf of federal government agencies.
National Institute of Health Designed to electronically create, distribute, and sign forms within its Committee Management System and also to sign some forms electronically.
18
Assurance Considerations

• Specific issues as related to the certification
  infrastructure include the following
• Is the private key secure? Are the risks of
  private key compromises known to the owner?
• How was the CA authorized to become a CA? Can
  you trust the CA?
• How was trust in implied in the certificate?
  What level of trust is implied? What data were
  used to establish trust?
• How well does the CA protect public keys and the
  certificates?

19
(No Transcript)