PKI: Public Key Infrastructure – tell me in plain English AND THEN deep technical how PKI works


Upload: kamana

Post on 21-Feb-2016


Mostly borrowed & updated from Steve Lamb in Microsoft Land….

Scott Rea, PKI Architect, Dartmouth College + HEBCA


Objectives

• Demystify commonly used terminology
• Explain how PKI works
• Get you playing with PKI in the lab
• Make some simple recommendations


Agenda

• Foundational Concept
• PKI and Signatures
• Recommendations
• Reference material
  – Common Algorithms


What can PKI enable?

Secure Email – sign and/or encrypt messages
Secure browsing – SSL – authentication and encryption
Secure code – Authenticode
Secure wireless – PEAP & EAP-TLS
Secure documents – Rights Management
Secure networks – segmentation via IPsec
Secure files – Encrypted File System (EFS)


Foundational Concepts


Encryption vs. Authentication

• Encrypted information cannot be automatically trusted

• You still need authentication
  – Which we can implement using encryption, of course


Assets

• What are we securing?
  – Data
  – Services (i.e. business etc. applications or their individually accessible parts)
• This session is not about securing:
  – People (sorry), cables, carpets, typewriters and computers (!?)
• Some assets are key assets
  – Passwords, private keys etc…


Digital Security as Extension of Physical Security of Key Assets

Strong Physical Security of KA + Strong Digital Security → Good Security Everywhere

Weak Physical Security of KA + Strong Digital Security → Insecure Environment

Strong Physical Security of KA + Weak Digital Security → Insecure Environment


Remember CP and CPS!

• “The Certification Practice & Certification Practice Statement (CP/CPS) is a formal statement that describes who may have certificates, how certificates are generated and what they may be used for.”

• http://www.ietf.org/rfc/rfc3647.txt


Symmetric Key Cryptography

Plain-text input: “The quick brown fox jumps over the lazy dog”
→ Encryption →
Cipher-text: “AxCv;5bmEseTfid3)fGsmWe#4^,sdgfMwir3:dkJeTsY8R\s@!q3%”
→ Decryption →
Plain-text output: “The quick brown fox jumps over the lazy dog”

Same key (shared secret)


Symmetric Pros and Cons

• Strength:
  – Simple and really very fast (on the order of 1000 to 10000 times faster than asymmetric mechanisms)
    • Super-fast (and somewhat more secure) if done in hardware (DES, Rijndael)
• Weakness:
  – Must agree the key beforehand
  – Securely pass the key to the other party


Public Key Cryptography

• Knowledge of the encryption key doesn’t give you knowledge of the decryption key

• Receiver of information generates a pair of keys
  – Publish the public key in a directory
• Then anyone can send the receiver messages that only the receiver can read


Public Key Encryption

Clear-text input: “The quick brown fox jumps over the lazy dog”
→ Encryption (recipient’s public key) →
Cipher-text: “Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs”
→ Decryption (recipient’s private key) →
Clear-text output: “The quick brown fox jumps over the lazy dog”

Different keys


Public Key Pros and Cons

• Weakness:
  – Extremely slow
  – Susceptible to “known ciphertext” attack
  – Problem of trusting public key (see later on PKI)
• Strength
  – Solves problem of passing the key
  – Allows establishment of trust context between parties


Hybrid Encryption (Real World)

Plain-text input: “Launch key for nuclear missile “RedHeat” is...”

• RNG → randomly-generated symmetric “session” key
• Symmetric encryption (e.g. DES) → cipher-text: *#$fjda^ju539!3t t389E *&\@5e%32\^kd
• Symmetric key encrypted asymmetrically (e.g., RSA) with user’s public key (in certificate) → Digital Envelope
• As above, repeated for other recipients or recovery agents: other recipient’s or agent’s public key (in certificate) in recovery policy → Digital Envelope


Hybrid Decryption

• Digital envelope contains “session” key encrypted using recipient’s public key
• Session key must be decrypted using the recipient’s private key
• Digital Envelope → asymmetric decryption of “session” key (e.g. RSA) with recipient’s private key → symmetric “session” key
• Cipher-text (*#$fjda^ju539!3t t389E *&\@5e%32\^kd) → symmetric decryption (e.g. DES) → “Launch key for nuclear missile “RedHeat” is...”
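Added example (not from the original deck): the digital envelope from the two hybrid slides, with one ciphertext and one wrapped session key per recipient, including a recovery agent. Assumptions: textbook RSA on constructed Mersenne-prime keys stands in for real RSA with padding, and a SHAKE-256 keystream stands in for DES/AES, so that only the Python standard library is needed; all function names are illustrative.

```python
import hashlib
import hmac
import secrets

def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

# Constructed demo keys built from Mersenne primes; real keys use random primes.
USER_PUB, USER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
AGENT_PUB, AGENT_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)

def keystream_xor(key, nonce, data):
    """Stand-in symmetric cipher: XOR the data with a SHAKE-256 keystream."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def integrity_tag(session_key, body):
    """HMAC keyed with a key derived from (not equal to) the session key."""
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    return hmac.new(mac_key, body, hashlib.sha256).digest()

def seal(plaintext, recipients):
    """Encrypt once under a random session key, then wrap that key per recipient."""
    session_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    ciphertext = keystream_xor(session_key, nonce, plaintext)
    k = int.from_bytes(session_key, "big")
    return {
        "nonce": nonce,
        "ciphertext": ciphertext,
        "tag": integrity_tag(session_key, nonce + ciphertext),
        # One digital envelope per recipient: the session key under their public key.
        "envelopes": {name: pow(k, e, n) for name, (n, e) in recipients.items()},
    }

def open_sealed(message, name, private):
    """Unwrap the session key with a private key, check integrity, then decrypt."""
    n, d = private
    k = pow(message["envelopes"][name], d, n)
    session_key = k.to_bytes((n.bit_length() + 7) // 8, "big")[-32:]
    body = message["nonce"] + message["ciphertext"]
    if not hmac.compare_digest(integrity_tag(session_key, body), message["tag"]):
        raise ValueError("wrong private key or modified message")
    return keystream_xor(session_key, message["nonce"], message["ciphertext"])

SECRET = b"The quick brown fox jumps over the lazy dog"
SEALED = seal(SECRET, {"user": USER_PUB, "recovery-agent": AGENT_PUB})

if __name__ == "__main__":
    print(open_sealed(SEALED, "user", USER_PRIV))
    print(open_sealed(SEALED, "recovery-agent", AGENT_PRIV))
```

The bulk data is encrypted only once; adding a recipient costs one more small asymmetric operation on the session key, which is why the slow public-key step stays affordable.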


PKI and Signatures


Public Key Distribution Problem

• We just solved the problem of symmetric key distribution by using public/private keys

• But…
• Scott creates a keypair (private/public) and quickly tells the world that the public key he published belongs to Bill
• People send confidential stuff to Bill
• Bill does not have the private key to read them…
• Scott reads Bill’s messages


Eureka!

• We need PKI to solve that problem
• And a few others…


Creating a Digital Signature

• Message or File: “This is a really long message about something…”
• Hash Function (SHA, MD5): calculate a short message digest from even a long input using a one-way message digest function (hash)
• 128 bits Message Digest: Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs”
• Asymmetric Encryption with the signatory’s private key
• Digital Signature: Jrf843kjfgf*£$&Hdif*7oUsd*&@:<CHDFHSD(**


Verifying a Digital Signature

• Digital Signature (Jrf843kjfgf*£$&Hdif*7oUsd*&@:<CHDFHSD(**) → asymmetric decryption (e.g. RSA) with the signatory’s public key → Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs”
  – Everyone has access to trusted public key of the signatory
• Original Message (“This is a really long message about something…”) → same hash function (e.g. MD5, SHA…) → Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs”
• ? == ? Are They Same?
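Added example (not from the original deck): the sign and verify flow of the two signature slides, followed by the Scott and Bill key-substitution problem and the check that stops it, a name-to-key binding signed by a trusted CA. Assumptions: textbook RSA on constructed Mersenne-prime keys (no padding, demonstration only), SHA-256 in place of the MD5/SHA named on the slide, and a made-up certificate layout; all function names are illustrative.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

# Constructed demo keys built from Mersenne primes; real keys use random primes.
CA_PUB, CA_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
BILL_PUB, BILL_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)
SCOTT_PUB, SCOTT_PRIV = make_keypair(2**2281 - 1, 2**3217 - 1)

def digest(message):
    """Short fixed-size digest of an arbitrarily long message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, private):
    """Signature = digest transformed with the signatory's private key."""
    n, d = private
    return pow(digest(message), d, n)

def verify(message, signature, public):
    """Recover the digest with the public key and compare with a fresh hash."""
    n, e = public
    return pow(signature, e, n) == digest(message)

def binding(subject, public):
    """Bytes a CA signs to bind a name to a public key (hypothetical layout)."""
    return f"subject={subject};n={public[0]:x};e={public[1]:x}".encode()

def issue_cert(subject, public, issuer_private):
    return {"subject": subject, "public": public,
            "signature": sign(binding(subject, public), issuer_private)}

def cert_trusted(cert, ca_public):
    """Accept a name-to-key binding only if the trusted CA signed it."""
    return verify(binding(cert["subject"], cert["public"]), cert["signature"], ca_public)

MESSAGE = b"This is a really long message about something..."
BILL_CERT = issue_cert("Bill", BILL_PUB, CA_PRIV)
# Scott publishes his own key under Bill's name and vouches for it himself.
FAKE_CERT = issue_cert("Bill", SCOTT_PUB, SCOTT_PRIV)

if __name__ == "__main__":
    sig = sign(MESSAGE, BILL_PRIV)
    print("valid signature:", verify(MESSAGE, sig, BILL_PUB))
    print("tampered message:", verify(MESSAGE + b"!", sig, BILL_PUB))
    print("CA-issued cert:", cert_trusted(BILL_CERT, CA_PUB))
    print("self-asserted cert:", cert_trusted(FAKE_CERT, CA_PUB))
```

A relying party that holds only the CA public key can tell the two "Bill" certificates apart without ever having met Bill, which is the problem PKI is introduced to solve.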


Word About Smartcards

• Some smartcards are “dumb”, i.e. they are only a memory chip
  – Not recommended for storing a private key used in a challenge test (verifying identity)
  – Anyway, they are still better than leaving keys on a floppy disk or on the hard drive
• Cryptographically-enabled smartcards are more expensive but they give much more security
  – Private key is secure and used as needed
  – Additional protection (password, biometrics) is possible
  – Hardware implements some algorithms
  – Self-destruct is possible


Recommendations

• Don’t be scared of PKI!
• Set up a test environment to enable you to “play”
• Minimise the scope of your first implementation
• Read up on CP & CPS
• Document the purpose and operating procedures of your PKI


Summary

• Cryptography is a rich and amazingly mature field

• We all rely on it, every day, with our lives
• Know the basics and make good choices avoiding common pitfalls
• Plan your PKI early
• Avoid very new and unknown solutions
• Certificate Policy
• Certification Practice Statement


References

• Visit http://www.pki-page.org/
• Read sci.crypt (incl. archives)
• For more detail, read:
  – Cryptography: An Introduction, N. Smart, McGraw-Hill, ISBN 0-07-709987-7
  – Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0-471-22357-3
  – Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1-58053-642-5 (to be published May 2005, see http://www.esecurity.ch/Books/cryptography.html)
  – Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471-11709-9
  – Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0-8493-8523-7, www.cacr.math.uwaterloo.ca/hac (free PDF)
  – PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3
  – Foundations of Cryptography, O. Goldreich, www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html
  – Cryptography in C and C++, M. Welschenbach, Apress, ISBN 1-893115-95-X (includes code samples CD)


Thanks to Rafal Lukawiecki and Steve Lamb for providing some of the content for this presentation deck – their contact details are as follows…

[email protected]@microsoft.com


Common Algorithms


DES, IDEA, RC2, RC5, Twofish

• Symmetric
• DES (Data Encryption Standard) is still the most popular
  – Keys very short: 56 bits
  – Brute-force attack took 3.5 hours on a machine costing US$1m in 1993. Today it is done real-time
  – Triple DES (3DES) more secure, but better options about
  – Just say no, unless value of data is minimal
• IDEA (International Data Encryption Standard)
  – Deceptively similar to DES, and “not” from NSA
  – 128 bit keys
• RC2 & RC5 (by R. Rivest)
  – RC2 is older and RC5 newer (1994) - similar to DES and IDEA
• Blowfish, Twofish
  – B. Schneier’s replacement for DES, followed by Twofish, one of the NIST competition finalists


Rijndael (AES)

• Standard replacement for DES for US government, and, probably for all of us as a result…
  – Winner of the AES (Advanced Encryption Standard) competition run by NIST (National Institute of Standards and Technology in US) in 1997-2000
  – Comes from Europe (Belgium) by Joan Daemen and Vincent Rijmen. “X-files” stories less likely (unlike DES).

• Symmetric block-cipher (128, 192 or 256 bits) with variable keys (128, 192 or 256 bits, too)

• Fast and a lot of good properties, such as good immunity from timing and power (electric) analysis

• Construction, again, deceptively similar to DES (S-boxes, XORs etc.) but really different


CAST and GOST

• CAST
  – Canadians Carlisle Adams & Stafford Tavares
  – 64 bit key and 64 bit of data
  – Choose your S-boxes
  – Seems resistant to differential & linear cryptanalysis and only way to break is brute force (but key is a bit short!)
• GOST
  – Soviet Union’s “version” of DES but with a clearer design and many more repetitions of the process
  – 256 bit key but really 610 bits of secret, so pretty much “tank quality”
  – Backdoor? Who knows…


Careful with Streams!

• Do NOT use a block cipher in a loop

• Use a crypto-correct technique for treating streams of data, such as CBC (Cipher Block Chaining)
  – For developers:
    • .NET Framework implements it as ICryptoTransform on a crypto stream with any supported algorithm
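Added example (not from the original deck): what "a block cipher in a loop" leaks compared with CBC, shown on constructed data with repeated records. Assumption: a 4-round Feistel network built on HMAC-SHA256 stands in for DES/AES so the example needs only the Python standard library; the function names are illustrative and this is not the .NET API mentioned above.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes per cipher block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def encrypt_block(key, block):
    """Stand-in block cipher: 4-round Feistel network (not DES or AES)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, round_f(key, rnd, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, round_f(key, rnd, left)), left
    return left + right

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def pad(data):
    n = BLOCK - len(data) % BLOCK          # PKCS#7-style padding
    return data + bytes([n]) * n

def encrypt_in_loop(key, plaintext):
    """The anti-pattern: every block encrypted independently (ECB)."""
    return b"".join(encrypt_block(key, b) for b in split(pad(plaintext)))

def encrypt_cbc(key, plaintext):
    """CBC: each block is XORed with the previous ciphertext block first."""
    prev = secrets.token_bytes(BLOCK)      # fresh random IV per message
    out = [prev]
    for block in split(pad(plaintext)):
        prev = encrypt_block(key, xor(block, prev))
        out.append(prev)
    return b"".join(out)

def decrypt_cbc(key, ciphertext):
    blocks = split(ciphertext)
    plain = b"".join(xor(decrypt_block(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return plain[:-plain[-1]]

def repeated_blocks(ciphertext):
    """Count ciphertext blocks that duplicate an earlier block."""
    blocks = split(ciphertext)
    return len(blocks) - len(set(blocks))

KEY = secrets.token_bytes(32)
RECORDS = b"ACCOUNT=00001234" * 4          # constructed sample: four equal blocks
```

Counting repeated ciphertext blocks, as `repeated_blocks` does, is also a quick review check for data that was encrypted block by block: equal plaintext blocks show up as equal ciphertext blocks.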


RC4

• Symmetric
  – Fast, streaming encryption
• R. Rivest in 1994
  – Originally secret, but “published” on sci.crypt
• Related to “one-time pad”, theoretically most secure
• But!
• It relies on a really good random number generator
  – And that is the problem
• Nowadays, we tend to use block ciphers in modes of operation that work for streams


RSA, DSA, ElGamal, ECC

• Asymmetric
  – Very slow and computationally expensive – need a computer
  – Very secure
• Rivest, Shamir, Adleman – 1978
  – Popular and well researched
  – Strength in today’s inefficiency to factorise into prime numbers
  – Some worries about key generation process in some implementations
• DSA (Digital Signature Algorithm) – NSA/NIST thing
  – Only for digital signing, not for encryption
  – Variant of Schnorr and ElGamal sig algorithm
• ElGamal
  – Relies on complexity of discrete logarithms
• ECC (Elliptic Curve Cryptography)
  – Really hard maths and topology
  – Improves RSA (and others)


Quantum Cryptography

• Method for generating and passing a secret key or a random stream
  – Not for passing the actual data, but that’s irrelevant
• Polarisation of light (photons) can be detected only in a way that destroys the “direction” (basis)
  – So if someone other than you observes it, you receive nothing useful and you know you were bugged
• Perfectly doable over up-to-120km dedicated long fibre-optic link
  – Seems pretty perfect, if a bit tedious and slow
  – Practical implementations still use AES/DES etc. for actual encryption
• Don’t confuse it with quantum computing, which won’t be with us for at least another 50 years or so, or maybe longer…


MD5, SHA

• Hash functions – not encryption at all!
• Goals:
  – Not reversible: can’t obtain the message from its hash
  – Hash much shorter than original
  – Two messages won’t have the same hash
• MD5 (R. Rivest)
  – 512 bits hashed into 128
  – Mathematical model still unknown
  – But it resisted major attacks
• SHA (Secure Hash Algorithm)
  – US standard based on MD5


Diffie-Hellman, “SSL”, Certs

• Methods for key generation and exchange
• DH is very clever since you always generate a new “key-pair” for each asymmetric session
  – STS, MTI, and certs make it even safer
• Certs (certificates) are the most common way to exchange public keys
  – Foundation of Public Key Infrastructure (PKI)
• SSL uses a protocol to exchange keys safely
  – See later


Cryptanalysis

• Brute force
  – Good for guessing passwords, and some 40-bit symmetric keys (in some cases needed only 2^27 attempts)
• Frequency analysis
  – For very simple methods only (US mobiles)
• Linear cryptanalysis
  – For stronger DES-like, needs 2^43 plain-cipher pairs
• Differential cryptanalysis
  – Weaker DES-like, needs from 2^14 pairs
• Power and timing analysis
  – Fluctuations in response times or power usage by CPU


Strong Systems

• It is always a mixture! Changes all the time…
• Symmetric:
  – AES, min. 128 bits for RC2 & RC5, 3DES, IDEA, carefully analysed RC4, 256 bit better
• Asymmetric:
  – RSA, ElGamal, Diffie-Hellman (for keys) with minimum 1024 bits (go for the maximum, typically 4096, if you can afford it)
• Hash:
  – Either MD5 or SHA but with at least 128 bit results, 256 better


Weak Systems

• Anything with 40-bits (including 128 and 56 bit versions with the remainder “fixed”)
  – Most consider DES a fairly weak algorithm
• CLIPPER
• A5 (GSM mobile phones outside US)
• Vigenère (US mobile phones)
  – Dates from 1585!
• Unverified certs with no trust
• Weak certs (as in many “class 1” personal certs)