Digital Signature, Digital Certificate

1
Digital Signature,Digital Certificate

• CSC1720 Introduction to Internet
• Essential Materials

2
Outline

• Introduction
• Cryptography
• Secret-key algorithms
• Public-key algorithms
• Message-Digest algorithms
• Digital Signature
• Digital Certificate
• Public Key Infrastructure (PKI)
• Secure Electronic Transaction (SET)
• Summary

3
Introduction

• Cryptography and digital certificates are first
  appeared in closed commercial, financial network
  and military systems.
• We can send/receive secure e-mail, connect to
  secure website to purchase goods or obtain
  services.
• Problem How do we implement them in this global,
  open network, Internet?
• To what level of encryption is sufficient to
  provide safe and trust services on the Net?

4
Cryptography

• 3 cryptographic algorithms
• Message-digest algorithms
• Map variable-length plaintext to fixed-length
  ciphertext.
• Secret-key algorithms
• Use one single key to encrypt and decrypt.
• Public-key algorithms
• Use 2 different keys public key and private key.

5
Keys

• It is a variable value that is used by
  cryptographic algorithms to produce encrypted
  text, or decrypt encrypted text.
• The length of the key reflects the difficulty to
  decrypt from the encrypted message.

6
Key length

• It is the number of bits (bytes) in the key.
• A 2-bit key has four values
• 00, 01, 10, 11 in its key space
• A key of length n has a key space of 2n
  distinct values.
• E.g. the key is 128 bits
• 101010101010.10010101111111
• There are 2128 combinations
• 340 282 366 920 938 463 463 374 607 431 768 211
  456

7
Secret-key Encryption

• Use a secret key to encrypt a message into
  ciphertext.
• Use the same key to decrypt the ciphertext to the
  original message.
• Also called Symmetric cryptography.

8
Secret Key How to?


Encryption


Decryption
9
Secret-Key Problem?

• All keys need to be replaced, if one key is
  compromised.
• Not practical for the Internet environment.
• On the other hand, the encryption speed is fast.
• Suitable to encrypt your personal data.

10
Secret-Key algorithms
Algorithm Name Key Length (bits)
Blowfish Up to 448
DES 56
IDEA 128
RC2 Up to 2048
RC4 Up to 2048
RC5 Up to 2048
Triple DES 192
References Blowfish DES IDEA RC2 RC4 RC5 DES-3
11
Public-key Encryption

• Involves 2 distinct keys public, private.
• The private key is kept secret and never be
  divulged, and it is password protected
  (Passphase).
• The public key is not secret and can be freely
  distributed, shared with anyone.
• It is also called asymmetric cryptography.
• Two keys are mathematically related, it is
  infeasible to derive the private key from the
  public key.
• 100 to 1000 times slower than secret-key
  algorithms.

12
How to use 2 different keys?

• Just an example
• Public Key 4, Private Key 1/4, message M 5
• Encryption
• Ciphertext C M Public Key
• 5 4 20
• Decryption
• Plaintext M C Private Key
• 20 ¼ 5

13
Public-Private Encryption
14
Message Encryption(User A sends message to User
B)
Public Key Directory
Encryption
15
Message Encryption
Encrypted Message
Original Message
16
Transfer Encrypted Data
17
Decryption with your Private key
Decryption
18
Asymmetric algorithms
Algorithm Name Key Length (bits)
DSA Up to 448
El Gamal 56
RSA 128
Diffie-Hellman Up to 2048
References DSA El Gamal RSA Diffie-Hellman
19
How difficult to crack a key?
Attacker Computer Resources Keys / Second
Individual attacker One high-performance desktop machine Software 217 224
Small group 16 high-end machines Software 221 224
Academic Network 256 high-end machines Software 225 228
Large company 1,000,000 hardware budget 243
Military Intelligence agency 1,000,000 hardware budget advanced technology 255
Key Length Individual Attacker Small Group Academic Network Large Company Military Inteligence Agency
40 Weeks Days Hours Milliseconds Microseconds
56 Centuries Decades Years Hours Seconds
64 Millennia Centuries Decades Days Minutes
80 Infeasible Infeasible Infeasible Centuries Centuries
128 Infeasible Infeasible Infeasible Infeasible Millennia
20
Crack DES-3 (Secret-key)
Distributed.net connects 100,000 PCs on the Net,
to get a record-breaking 22 hr 15 min to
crack the DES algorithm. Speed 245 billion
keys/s Win 10,000
21
Message-Digest Algorithms

• It maps a variable-length input message to a
  fixed-length output digest.
• It is not feasible to determine the original
  message based on its digest.
• It is impossible to find an arbitrary message
  that has a desired digest.
• It is infeasible to find two messages that have
  the same digest.

22
Message-Digest How to

• A hash function is a math equation that create a
  message digest from message.
• A message digest is used to create a unique
  digital signature from a particular document.
• MD5 example

Original Message (Document, E-mail)
Hash Function
Digest
23
Message Digest Demo
24
Message-Digest
Message-Digest Algorithm Digest Length (bits)
MD2 128
MD4 128
MD5 128
Secure Hash Algorithm (SHA) 160
References MD2 MD4 MD5 SHA
25
Break Time 15 minutes
26
Digital Signature

• Digital signature can be used in all electronic
  communications
• Web, e-mail, e-commerce
• It is an electronic stamp or seal that append to
  the document.
• Ensure the document being unchanged during
  transmission.

27
How digital Signature works?
28
Digital Signature Generation and Verification
Message Sender
Message Receiver
Message
Message
Hash function
Hash function
Public Key
Digest
Private Key
Encryption
Decryption
Signature
Expected Digest
Digest
29
Digital Signature

• Reference

30
Key Management

• Private key are password-protected.
• If someone want your private key
• They need the file contains the key
• They need the passphrase for that key
• If you have never written down your passphrase or
  told anyone
• Very hard to crack
• Brute-force attack wont work

31
Digital Certificates

• Digital Certificate is a data with digital
  signature from one trusted Certification
  Authority (CA).
• This data contains
• Who owns this certificate
• Who signed this certificate
• The expired date
• User name email address

32
Digital Certificate

• Reference

33
Elements of Digital Cert.

• A Digital ID typically contains the following
  information
• Your public key, Your name and email address
• Expiration date of the public key, Name of the CA
  who issued your Digital ID

34
Certification Authority (CA)

• A trusted agent who certifies public keys for
  general use (Corporation or Bank).
• User has to decide which CAs can be trusted.
• The model for key certification based on friends
  and friends of friends is called Web of Trust.
• The public key is passing from friend to friend.
• Works well in small or high connected worlds.
• What if you receive a public key from someone you
  dont know?

35
CA model (Trust model)
Root Certificate
CA Certificate
CA Certificate
Browser Cert.
Server Cert.
36
Web of Trust model
37
Public Key Infrastructure (PKI)

• PKI is a system that uses public-key encryption
  and digital certificates to achieve secure
  Internet services.
• There are 4 major parts in PKI.
• Certification Authority (CA)
• A directory Service
• Services, Banks, Web servers
• Business Users

38
Digital 21 . gov .hk
Reference An official homepage which provides
lot of PKI, e-commerce information
39
PKI Structure
Certification Authority
Directory services
Public/Private Keys
Services, Banks, Webservers
User
40
4 key services

• Authentication Digital Certificate
• To identify a user who claim who he/she is, in
  order to access the resource.
• Non-repudiation Digital Signature
• To make the user becomes unable to deny that
  he/she has sent the message, signed the document
  or participated in a transaction.
• Confidentiality - Encryption
• To make the transaction secure, no one else is
  able to read/retrieve the ongoing transaction
  unless the communicating parties.
• Integrity - Encryption
• To ensure the information has not been tampered
  during transmission.

41
Certificate Signers
42
Certificate Enrollment and Distribution
43
Secure Web Communication

• Server authentication is necessary for a web
  client to identify the web site it is
  communicating with.
• To use SSL, a special type of digital certificate
  Server certificate is used.
• Get a server certificate from a CA.
• E.g. www.hitrust.com.hk, www.cuhk.edu.hk/ca/
• Install a server certificate at the Web server.
• Enable SSL on the Web site.
• Client authentication Client certificates

44
Strong and Weak Encryption

• Strong encryption
• Encryption methods that cannot be cracked by
  brute-force (in a reasonable period of time).
• The world fastest computer needs thousands of
  years to compute a key.
• Weak encryption
• A code that can be broken in a practical time
  frame.
• 56-bit encryption was cracked in 1999.
• 64-bit will be cracked in 2011.
• 128-bit will be cracked in 2107.

45
Pretty Good Privacy (PGP)

• Release in June 1991 by Philip Zimmerman (PRZ)
• PGP is a hybrid cryptosystem that allows user to
  encrypt and decrypt.
• Use session key a random generated number from
  the mouse movement or keystrokes
• Demo Tutorial

46
PGP Public Key

• Philip R Zimmermann's Public Keys
• Current DSS/Diffie-Hellman Key
• Key fingerprint 055F C78F 1121 9349 2C4F 37AF
  C746 3639 B2D7 795E
• -----BEGIN PGP PUBLIC KEY BLOCK-----
• Version PGP 7.0.3
• mQGiBDpU6CcRBADCT/tGpBu0EHpjd3G11QtkTWYnihZDBdenjY
  V2EvotgRZAj5h4ewprq1u/zqzGBYpiYL/9j5XDFcoWF24bzsU
  mHXsbDSivXEyQND1GUdx4wVcEY5rNjkArX06XuZzObvXFXOvq
  Rj6LskePtw3xLf5uj8jPN0Nf6YKnhfGIHRWQCg/0UAr3hMK6zc
  A/egvWRGsm9dJecD/18XWekzt5JJeK3febJO/3Mwe43O6VNOxm
  MpGWOYTrhivyOb/ZLgLedqXMeXHGdGroARZkxYq/a9y5jNci
  vDEyNIiNDPD64rl00FNZksx7dijD89PbIULDCtUpps2J0gk5
  inRyzinfjDyFnn5UEHI2rPFLUbXWHJXJcp0UBACBkzDdesPj
  EVXZdTRTLk0sfiWEdcBM/5GpNswMlK4A7A6iqJoSNJ4pO5Qq6P
  YOwDFqGir19WEfoTyHW0kxipnVbvq4q2vAhSIKOqNEJGxg4DTE
  Kecf3xCdJ0kW8dVSogHDH/cQ4RFQq/31aev3HDy20YayxAE9
  4BWIsKkhaMyokAYQQfEQIAIQUCOlTwWwIHABcMgBE/xzIEHSPp
  6mbdtQCcnbwh33TcYQAKCRDHRjY5std5Xle4AKCh1dqtFxD/Bi
  ZMqdP1eZYG8AZgTACfU7VX8NpIaGmdyzVdrSDUo49AJae0IlBo
  aWxpcCBSLiBaaW1tZXJtYW5uIDxwcnpAbWl0LmVkdT6JAFUEEB
  ECABUFAjpU6CcFCwkIBwMCGQEFGwMAAAAACgkQx0Y2ObLXeV5W
  UQCfWWfTDHzSezrDawgN2Z4Qb7dHKooAoJyVnm61utdRsdLr2e
  6QnV5Z0yjjiQBGBBARAgAGBQI6VOkSAAoJEGPLaR3669X8JPcA
  nim4Hc0oteQZrNUeuMSuirNVUr7AKC1WXJI7gwMq0Agz07hQs
  POJBMokARgQQEQIABgUCOlcobQAKCRDXjLzlZqdLMVBtAKDa
  5VPcb6NVH6tVeEDJUvtBjp6oACeLoNtfbs2rvJkgKDHWEIDmJ
  dgy2GJAD8DBRA6WP4Y8CBzV/QUlSsRAkmdAKC3TfkSSehpoPF
  nMfW/Y/AAEEpGSUYAAQEAAAEAAQAA/9sAQwAKBwcIBwYKCAg
  ICwoKCw4YEA4NDQ4dFRYRGCMfJSQiHyIhJis3LyYpNCkhIjBBM
  TQ5Oz4PiUuRElDPEg3PT47///EALUQAAIBAwMCBAMFB
• ..
• QQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZk5SVlpeYmZqio
  6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uP
  k5ebn6Onq8fLz9PX29/j5v/EAB8BAAMBAQEBAQEBAQEAAAAAA
  AABAgMEBQYHCAkKC//EALURAAIBAgQEAwQHBQQEAAECdwABAgM
  RBAUhMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJ
  fEXGBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmd
  oaWpzdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipq
  rKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5jp6vL
  z9PX29/j5v/aAAwDAQACEQMRAD8A9mooooAKKKKACsjW/Eum6
  FGTdS7pcfLEv3j/AIfjWV428XHQrf7HY4e/lHXIxEvqfevH7y8
  lupXmmuJppWOZJCAD9aly7GkIX1Z3OpfE3Up3K2EUVumcdN7f
  y/pWLL4415wPM1GWPJyNpK/0Fc5btG/Pktkfx7yTVhYAGLsAxb
  ryf5c5rNvzNlG3Q6yz8ZaxEyudQkcZ7JtYH867PRfG9nfIsd7
  /o8p/iIU/4V5EI/IGVXUGfnHy9iUsiGSa6q6Jew1XpTDJvAA
  ICDACNUV4K2PS6h574Z3NaBsIQe5jkVO48MSohjC6s29CjPhlU
  79cQIYWmBpuNfwroZ6zltyz6Y2Fm65V0IfvVicR7zvFFCOhahM
  uk1crQp936OMEq9sLZGxTjClgwrHGS7YpMSZrEC7bpOmERjo4
  F/n5YmCHJCH8QzCOc980gjVEsHiJVABrC8yykjKL5x1V/PSAr
  E4QtMLbkBPGmQYOw8bx6jCHoO43QjUzbqRfBMHZqWVJyoIIZCp
  n13XM4NO/cDVsZ8bjch0LIOyMrT85n24yfXRlP0s7BFjLm59
  Jjhf4djuJWikJawWETlypAy86OYRRuwCbIyNauBeTKyavZvF2
  oLvpwH4UnudpC06/O0jkj2lQpn9EEUw11RwO6sq9zYTwAUyKer
  N00cbCfyiZl01CIo0btcTO6hQK3c67PaloJ9lVH8/mH7LuqkML
  DH5ugkpzmed/8SorfqVkakne6b4mRySFCBXaVZoKmDHzcH2oSS
  MhM9exyh6dzi1bGu6JAEwEGBECAAwFAjpU6CcFGwwAAAAACgkQ
  x0Y2ObLXeV7lbQCgNfI3bzqF9fB50J5sFHVHM7hYAn09Af
  Dl5ncnr4D7 ReMDlYoIZwRR Bgy
• -----END PGP PUBLIC KEY BLOCK-----

47
PGP encryption

• Reference

48
PGP decryption

• Reference

49
Secure SHell (SSH)

• Provide an encrypted secure channel between
  client and server.
• Replacement for telnet and ftp.
• Reference SSH

50
Secure Shell Secure FTP
Secure Shell
Secure FTP
The Hosts Public Key
51
Secure Electronic Transaction (SET)

• This protocol is developed by Visa and MasterCard
  specifically for the secure credit card
  transactions on the Internet.
• SET encrypts credit card and purchase information
  before transmission over the Internet.
• SET allows the merchants identify be
  authenticated via digital certificates, also
  allows the merchant to authenticate users through
  their digital certificates (more difficult to
  someones stolen credit card).
• SET DEMO

52
Secure Electronic Transaction (SET)

• There are four parts in the SET system.
• A software wallet on the users computer
  Cardholder.
• A commerce server that runs on the merchants web
  site Merchant.
• The payment server that runs at the merchants
  bank Acquiring bank.
• The Certification Authority Issuing bank.
• SET FAQs

53
SET
54
Privacy-Enhanced E-mail
Encrypted
Signed
55
Summary

• Make sure you understand the relationship between
• Encryption
• Digital Signature
• Digital Certificate
• Certificate Authority
• Understand which Public/Private key should be
  used to encrypt/decrypt message to/from you?
• Discuss PGP, SET, SSH, encrypted email.

56
References

• Digital Certificate (Applied Internet Security)
  By Feghhi, Feghhi, Williams Addison Wesley
• Basic Crytography
• Digital Signature
• PKI Resources
• SET Resources
• General Definitions
• Digital ID FAQ
• The End.
• Thank you for your patience!