PKI Training V1.5

Uploaded by sylvain-maret, posted 05-Dec-2014

DESCRIPTION

PKI Training Slides by Sylvain Maret

TRANSCRIPT

Page 1: Pki Training V1.5

Introduction to PKI Technology, Version 1.5

Elaborated by Sylvain Maret & Cédric Enzler

October 1999

Rev. 1.5: August 2000

Page 2: Pki Training V1.5

Course Map Day One

◆ Introduction
◆ Key Terms
◆ Cryptosystems
◆ Services, Mechanisms, Algorithms
◆ Cryptography in History
◆ Cryptanalysis
◆ Secret-Key Cryptography
◆ AES
◆ Lab exercise 1

Course Map Day One

◆ Public-Key Cryptography
◆ RSA
◆ Diffie-Hellman
◆ Message Digests
◆ Lab exercise 2
◆ Random Numbers
◆ Key Length
◆ Lab exercise 3
◆ File encryption

Page 3: Pki Training V1.5

Course Map Day One

◆ Message Authentication Code (MAC, HMAC)
◆ Digital Signature
  ◆ RSA, DSS / DSA, ElGamal
◆ Hybrid Cryptosystems
◆ RSA Key Wrapping
◆ Diffie-Hellman
◆ Lab exercise 4
  ◆ PGP (encryption and signature)

Course Map Day One

◆ PKCS Standard
◆ Smart Card
◆ Lab exercise 5
◆ SSH
◆ SSH Tunneling
◆ End of day one

Page 4: Pki Training V1.5

Course Map Day Two

◆ Questions on day one?
◆ Revision quiz!
◆ PKI introduction
◆ Digital certificates
  ◆ X.509 certificates (Demo)
  ◆ Certificate Revocation (Demo)
  ◆ Certification Authorities
  ◆ RA, LRA
◆ Data Repositories (LDAP)
◆ S/MIME: How it works?

Course Map Day Two

◆ Lab exercise 6
  ◆ S/MIME and LDAP
◆ SSL: How it works?
◆ Lab exercise 7
  ◆ Web server SSL
◆ Lab exercise 8
  ◆ Client SSL authentication
◆ End of day two

Page 5: Pki Training V1.5

Course Map Day Three

◆ Questions on day two?
◆ Lab exercise 9
  ◆ Smart Card installation (PKCS #11)
◆ Lab exercise 10
  ◆ Playing the security officer with Keon Certificate Server
◆ Lab exercise 11
  ◆ Revocation with client SSL authentication
◆ IPSEC: How it works?

Course Map Day Three

◆ Lab exercise 12
  ◆ IPSEC (Checkpoint SecuRemote)
◆ Demo
  ◆ IPSEC Cisco with CEP
◆ Case studies
  ◆ VPN RadGuard
  ◆ Secure Gate
◆ Encryption reference sites
◆ Open discussion
◆ End of day three

Page 6: Pki Training V1.5

Course Objectives

◆ Understand cryptographic fundamentals and how cryptographic technology is applied in a Public Key Infrastructure
◆ Know the elements of a Public Key Infrastructure and how they interact with each other
◆ Understand and be able to describe some of the practical applications of PKI
◆ Understand why PKI is an attractive technology to enable e-commerce and enhance security

Lab Topology

(Diagram) Student workstations: London, Rome, Paris, Madrid, Geneve, Berlin. Servers: Newton (DNS, SSH), Cerbere (CA, LDAP, Mail), Ayrton (SSL), Router IPsec, Checkpoint fw1.

Page 7: Pki Training V1.5

Lab Topology

◆ Domain name: pki.datelec.com
◆ Password: abc123 for all applications
◆ Be careful! You are an administrator
◆ Email: [email protected]
◆ Do not forget to change the site name for the labs!

For the labs, you will work together with a partner (London and Rome, for instance).

Lab applications

◆ E-mail
  ◆ Netscape (example labs)
  ◆ Outlook 98
  ◆ Lotus Notes
◆ Internet browsers
  ◆ Netscape fortified (domestic)
  ◆ Microsoft Internet Explorer 5.0 export
◆ SSH Client
◆ LDAP Browser
◆ etc.

Page 8: Pki Training V1.5

PKI, WHY?

◆ The rise of public data networks.
◆ The Internet is a new platform for business relationships: E-business
◆ Business rules need to be “translated” into this new “language”.
◆ The hope behind PKI: to preserve classical business rules in this new virtual world.

Drawbacks for E-business

◆ Let’s say you have an electronic contract which you need to distribute to another party over the Internet…
◆ With existing Internet tools like WWW and e-mail you lose a lot compared to paper
  ◆ No assurance that the contract has been signed
  ◆ No guarantee that the contract is authentic
  ◆ No assurance of the contract’s source
◆ Basically, it is worth less than the paper everything is printed on!

Page 9: Pki Training V1.5

About needs...

◆ You need to know who you are dealing with (Authentication)
◆ You need to keep private things private (Confidentiality)
◆ You need to make sure that people do not cheat (Non-Repudiation)
◆ You need to be sure that information has not been altered (Integrity)

If PKI is the answer then…

What is the question?

On the Internet no one knows you're a dog!

Page 10: Pki Training V1.5

Key Terms

◆ A message will be defined as plaintext or cleartext
◆ The process of disguising a message to hide its substance is encryption
◆ The encrypted message is referred to as ciphertext
◆ Decryption is the process of turning ciphertext back into plaintext

Key Terms

◆ Cryptography is the science of keeping messages secure
◆ Cryptanalysis is the art and science of breaking ciphertext
◆ Cryptology is the branch of mathematics covering both
◆ Cryptologists are theoretical mathematicians

Page 11: Pki Training V1.5

Cryptosystems

◆ A cryptosystem is a collection of cryptographic algorithms, cryptographic keys, and all possible plaintexts and their corresponding ciphertexts.

Security Services

◆ Authentication: provides assurance of someone’s identity
◆ Confidentiality: protects against disclosure to unauthorized identities
◆ Non-Repudiation: protects against the originator of a communication later denying it
◆ Integrity: protects against unauthorized data alteration

Page 12: Pki Training V1.5

Security Mechanisms

◆ Three basic building blocks are used:
  ◆ Encryption is used to provide confidentiality and integrity protection
  ◆ Digital Signatures are used to provide authentication, integrity protection and non-repudiation
  ◆ Checksums / hash algorithms are used to provide integrity protection and can provide authentication

One or more security mechanisms are combined to provide a security service

Cryptography Algorithms

◆ All cryptosystems are based on only three kinds of algorithm:
  ◆ 1 - Secret-Key algorithms
  ◆ 2 - Public-Key algorithms
  ◆ 3 - Message-Digest algorithms

Page 13: Pki Training V1.5

Services, Mechanisms, Algorithms

A typical security protocol provides one or more services. Services are built from mechanisms; mechanisms are implemented using algorithms.

(Diagram) Services: SSL, IPSEC, TLS, SSH, etc. Mechanisms: Signatures, Encryption, Hashing. Algorithms: DSA, RSA (signatures); RSA, DES (encryption); SHA, MD5 (hashing).

Security Protocol Layers

(Diagram) The OSI stack (Application, Presentation, Session, Transport, Network, DataLink, Physical) on two communicating hosts, with the security protocols placed at their layer, from top to bottom: S/MIME, PGP; SSL, TLS, SSH; IPSEC (Network); hardware link encryption.

The further down you go, the more transparent it is. The further up you go, the easier it is to deploy.

Page 14: Pki Training V1.5

Cryptography in History

◆ 2000 B.C. Hieroglyphics
  ◆ Cryptography as an art
◆ Ancient Chinese
  ◆ First to transform messages into ideographs for privacy
◆ India
  ◆ First “spy networks” using phonetic encryption (Javanese or reverse speaking)
◆ Mesopotamia
  ◆ Numbers associated with letters (cuneiform tablet)

Cryptography in History

◆ ATBASH cipher: in the Bible
  ◆ ABCDEFGH… (clear)
  ◆ ZYXWVU… (encrypted)
◆ Skytale cipher (Greek)
  ◆ key: stick
  ◆ papyrus rolled around it
◆ Polybius square (Greek)

Page 15: Pki Training V1.5

Cryptography in History

◆ Runic stones by the Vikings (art)

Cryptography in History

◆ World War II:
  ◆ Electromechanical cryptography
  ◆ Rotor-based machines transforming plaintext into ciphertext, using electrical signals as the encryption key
  ◆ Example: the Enigma machine used by the Germans
  ◆ Ciphers were not new, but their processing was…
◆ 1970-today:
  ◆ New ciphers based on number properties derived from mathematical theories
  ◆ RSA: prime number factorization
  ◆ Diffie-Hellman: discrete logarithm
  ◆ ECDSA: elliptic curve cryptography

Page 16: Pki Training V1.5

Cryptanalysis

◆ Two categories of security levels
  ◆ Computationally secure:
    ◆ A question of time and money (brute force attack)
    ◆ (Most cryptosystems: DES, 3DES, IDEA, RSA, DH etc.)
  ◆ Unconditionally secure:
    ◆ Can “never” be broken, independently of the resources
    ◆ One-time pads

Several Cryptanalytic Attacks

◆ Ciphertext only
  ◆ Brute force attack and dictionary attacks on keys
◆ Chosen ciphertext
  ◆ Start from a known ciphertext and try to appear as someone else to get information from others’ behavior
◆ Known plaintext
  ◆ Derive the key from knowledge of both plaintext and ciphertext

Page 17: Pki Training V1.5

Secret-Key Cryptography

◆ Use a secret key to encrypt a message into a ciphertext
◆ Use the same key to decrypt the ciphertext into the original message
◆ Secret-key cryptography is also referred to as symmetric cryptography or conventional cryptography
◆ The secret key is also known as the session key or bulk encryption key

Secret-Key Cryptography

◆ Let us imagine Alice and Bob, who use Secret-Key cryptography to protect their messages

(Diagram) Plaintext → Ciphertext → Plaintext, with the same Secret-Key used for encryption and decryption.

Page 18: Pki Training V1.5

Secret-Key Cryptography

◆ How to share the Secret-Key?
  ◆ Alice and Bob can use the phone, fax, a meeting point, etc.
◆ But!?
  ◆ Could someone steal the key?
  ◆ How to proceed without the partner’s knowledge?

Secret-Key Cryptography

◆ The Advantages
  ◆ Efficient implementation for encrypting large volumes of data (100 to 1’000 times faster than Public-Key Cryptography)
  ◆ Simple to implement in either software or hardware
  ◆ Most of the algorithms are well known and secure
  ◆ Seem to be safe against brute force attack
  ◆ Widely used

Page 19: Pki Training V1.5

Secret-Key Cryptography

◆ The Disadvantages
  ◆ Hard to share Secret-Keys
  ◆ Large number of keys
  ◆ No non-repudiation (Signature)
  ◆ Subject to interception (Secret-Key)

Secret-Key Cryptography

◆ Number of needed keys
  ◆ Suppose Alice, Bob and Chris want to use Secret-Key Cryptography!
  ◆ They need only 3 keys

Page 20: Pki Training V1.5

Secret-Key Cryptography

◆ Increase in the number of keys
  ◆ Suppose they want to add Dawn and Eric
  ◆ Now they need ten keys

Secret-Key Cryptography

◆ If n persons want to communicate, we have this formula:
  ◆ Number of keys = (n * (n-1)) / 2
◆ As an example: a company of 60’000 people = 1’799’970’000 keys!

Page 21: Pki Training V1.5

Secret-Key Cryptography

◆ Block cipher: encrypts data in a predefined block size
  ◆ Most well-known ciphers are block ciphers
◆ Stream cipher: encrypts a data stream, one bit at a time
  ◆ Only a few algorithms use it

Secret-Key Cryptography

◆ Common Secret-Key Ciphers
  ◆ DES
  ◆ Triple DES (3DES)
  ◆ RC2
  ◆ IDEA
  ◆ Blowfish
  ◆ CAST-128
  ◆ Skipjack
  ◆ RC4 (stream cipher)
  ◆ etc.

Page 22: Pki Training V1.5

Secret-Key Cryptography

◆ DES
  ◆ Data Encryption Standard (1973) by IBM
  ◆ World standard for 20 years
  ◆ DES was broken in 22 hours (DES Challenge III, January 18th, 1999)
  ◆ Key size = 56 bits
  ◆ Block cipher
◆ Recommendation: should be replaced by 3DES for high confidentiality requirements!

http://www.rsa.com/rsalabs/challenges/

Secret-Key Cryptography

◆ Triple DES (3DES)
  ◆ Block cipher
  ◆ Encrypt + decrypt + encrypt with 2 (112 bits) or 3 (168 bits) DES keys
  ◆ DES’s replacement for banking (1998)
◆ Recommendation: use it for high confidentiality!

Page 23: Pki Training V1.5

Secret-Key Cryptography

◆ RC2
  ◆ Designed by Ron Rivest of RSA
  ◆ Block cipher
  ◆ Key size = up to 2048 bits
  ◆ Encryption speed: independent of the key size
  ◆ Trade secret of RSA, posted on the net in 1996
  ◆ Designed as a DES replacement
  ◆ Faster than DES
◆ Recommendation: like DES but faster!

Secret-Key Cryptography

◆ CAST-128
  ◆ Designed by C. Adams and S. Tavares (1993)
  ◆ Block cipher
  ◆ Key size = 128 bits
  ◆ Used in PGP 5.x
◆ Recommendation: unknown

Page 24: Pki Training V1.5

Secret-Key Cryptography

◆ IDEA
  ◆ International Data Encryption Algorithm
  ◆ Designed by X. Lai and J. Massey (ETH Zurich) in 1990
  ◆ Block cipher
  ◆ Key size = 128 bits
  ◆ More efficient than DES in software implementations
  ◆ Used in PGP
◆ Recommendation: better than DES

Secret-Key Cryptography

◆ Blowfish
  ◆ Designed by B. Schneier in 1993
  ◆ Optimized for high-speed execution on 32-bit processors
  ◆ Block cipher
  ◆ Key size = up to 448 bits
◆ Recommendation: use for fast performance, and with the maximum key size

Page 25: Pki Training V1.5

Secret-Key Cryptography

◆ Skipjack
  ◆ Designed by the NSA (National Security Agency)
  ◆ Block cipher
  ◆ Key size = 80 bits
◆ Recommendation: inadequate for long-term security (key size too short)

Secret-Key Cryptography

◆ GOST
  ◆ Acronym for “GOsudarstvennyi STandard”
  ◆ Russian answer to DES
  ◆ Key size = 256 bits
◆ Recommendation: incompletely specified to give an answer...

Page 26: Pki Training V1.5

Secret-Key Cryptography

◆ RC4
  ◆ Designed by Ron Rivest of RSA
  ◆ Stream cipher
  ◆ Key size = up to 2048 bits
  ◆ Optimized for fast software implementation
  ◆ Trade secret of RSA, posted on the net in 1994
  ◆ Very fast
  ◆ Used in SSL, Lotus Notes, Windows password encryption, Oracle etc.
◆ Recommendation: highly recommended for long keys (>40 bits)

Secret-Key Cryptography

◆ Many, many others
  ◆ There is no good reason not to use one of the above proven algorithms!

Page 27: Pki Training V1.5

Secret-Key Relative Performance

(Diagram) From fast to slow: RC4; Blowfish, CAST-128; Skipjack; DES, IDEA, RC2; 3DES, GOST.

AES

◆ The National Institute of Standards and Technology issued a formal call for algorithms in 09.1997
◆ The aim is to define the “next century’s” symmetric encryption standard, the Advanced Encryption Standard
◆ AES1 conference (08.98): 15 potential candidates
◆ AES2 conference (03.99): 5 retained candidates
◆ Final choice expected for summer 2001

Page 28: Pki Training V1.5

AES candidates

◆ MARS (IBM)
◆ RC6 (RSA Laboratories)
◆ Rijndael (J. Daemen, V. Rijmen)
◆ Serpent (R. Anderson, E. Biham, L. Knudsen)
◆ Twofish (B. Schneier - Counterpane)

AES requirements

◆ Block cipher of minimum 128 bits
◆ Must implement symmetric keys of 128, 192 and 256 bits
◆ Must be efficient in both software and hardware (high-speed encryption)

http://www.counterpane.com/aes-comparison.html

Page 29: Pki Training V1.5

Secret-Key Cryptography

◆ Use symmetric encryption to encrypt a text file (DES and IDEA)
◆ Time: 15 minutes
◆ P.27

Public-Key Cryptography

◆ Uses two distinct keys, one public and one private
  ◆ The private key is kept secret
  ◆ The public key can be freely shared
◆ Also referred to as asymmetric cryptography
◆ A public-key and its corresponding private-key are mathematically related
◆ A public-key and its associated private-key are called a key-pair

Page 30: Pki Training V1.5

Public-Key Cryptography

◆ A message encrypted with a public-key can only be decrypted with the private-key
◆ A message encrypted with a private-key can only be decrypted with the public-key (Signature)

Public-Key Cryptography

◆ Suppose Alice wants to send a message to Bob using Public-Key Cryptography

(Diagram) Plaintext → Ciphertext, encrypted with Bob’s public key; Ciphertext → Plaintext, decrypted with Bob’s private key.

Page 31: Pki Training V1.5

Public-Key Cryptography

◆ How to obtain the public-key?
  ◆ Any publishing channel can be used to get the public-key (directory servers, phone, web server, newspapers etc.)
◆ No more confidentiality issues in key distribution

Public-Key Cryptography

◆ Advantages
  ◆ No secret sharing
  ◆ Fewer keys
  ◆ No prior relationship needed
  ◆ Easier to administer
  ◆ Offers useful mechanisms like digital signature (offering non-repudiation)

Page 32: Pki Training V1.5

Public-Key Cryptography

◆ Disadvantages
  ◆ Not efficient (slow) for encrypting large volumes of data
  ◆ Keys need to be much longer than with secret-key encryption
  ◆ Impossible to encrypt a plaintext larger than the key

Types of public-key algorithm

◆ A public-key algorithm is reversible if encryption and decryption can be performed with either the private or the public-key
◆ A public-key algorithm is irreversible if the private-key is mandatory for encryption
◆ Key exchange algorithm: used neither for encryption nor for decryption (Diffie-Hellman)

Page 33: Pki Training V1.5

RSA

◆ Inventors: Rivest, Shamir, Adleman in 1977
◆ Most popular
◆ Provides confidentiality, digital signature and key exchange
◆ Key length up to 4096 bits
◆ Plaintext length < Key length
◆ Ciphertext size = Key size

RSA

◆ RSA is protected by a patent. The patent expires on 20th September 2000
◆ Relies on irreversible mathematical functions (prime numbers)

PDAs, WAPs: RSA Multi-Prime

Page 34: Pki Training V1.5

Diffie-Hellman

◆ Published in 1976 by W. Diffie and M. Hellman
◆ Oldest known public-key cryptosystem
◆ Key agreement algorithm
◆ Enables secret-key exchange without prior knowledge
◆ Agrees on a shared secret used in conjunction with a secret-key cryptosystem (DES, 3DES, IDEA, etc.)

Diffie-Hellman: How it works?

(Diagram) Alice combines her private key with Bob’s public key; Bob combines his private key with Alice’s public key; both obtain the same Shared Secret Key (=).

Page 35: Pki Training V1.5

DSA

◆ Compliant with the Digital Signature Standard (DSS)
◆ Published in 1994
◆ Irreversible algorithm (encryption with the private key only)
◆ Used for digital signature only
◆ Performance tuned for smart cards

Comparative Public-Key table

Algorithm        Type
DSA              Digital Signature
El-Gamal         Digital Signature
RSA              Confidentiality, Digital Signature, Key exchange
Diffie-Hellman   Key exchange

Page 36: Pki Training V1.5

Message-Digest Algorithms

◆ Take a variable-length message and produce a fixed-length digest as output
◆ The fixed-length output is called the message digest, a digest or a hash
◆ A message-digest algorithm is also called a one-way hash algorithm or a hash algorithm

Message-Digest Algorithms

(Diagram) Input Message → Hash Function → Fixed-length Digest.

Page 37: Pki Training V1.5

Message-Digest Algorithms

◆ Properties a Message-Digest Algorithm must have to be cryptographically secure
  ◆ It must not be feasible to determine the input message from its digest
  ◆ It must not be possible to find an arbitrary message that has a particular, desired digest
  ◆ It should be impossible to find two messages that have the same digest (collision)
  ◆ It should be very sensitive to changes in the input message

Message-Digest Algorithms

◆ Some Common Message-Digest Algorithms
  ◆ MD2: 128-bit output, deprecated, by Ronald Rivest
  ◆ MD4: 128-bit output, broken, by Ronald Rivest
  ◆ MD5: 128-bit output, weaknesses, by Ronald Rivest
  ◆ SHA-1: 160-bit output, NSA-designed
  ◆ RIPEMD-160: 160-bit output
  ◆ Haval: 128 to 256 bit output (3 to 5 passes)
  ◆ CRC-32: 32-bit output
◆ Recommendation: Use SHA-1

Page 38: Pki Training V1.5

Message-Digest Algorithms

◆ Message-Digest at work
  ◆ Creation of digital signatures
  ◆ Creation of MAC, HMAC
  ◆ Creation of a secret-key from a passphrase
  ◆ File checksums (FTP server, patches, etc.)
  ◆ FIA (File Integrity Assessment, like Tripwire)

A powerful tool to detect small changes

Message-Digest Algorithms

◆ Use Message-Digest Algorithms to compute a file’s digest (MD5 and SHA-1)
◆ Time: 15 minutes
◆ p.31

Page 39: Pki Training V1.5

Random Numbers

◆ Random numbers are usually required to generate cryptographic keys or challenges.
◆ Two main categories
  ◆ A Pseudo Random Number Generator (PRNG) uses a deterministic algorithm to generate a pseudo-random number based on a seed (mouse, keyboard, etc.)
  ◆ A (true) random number generator generates truly unpredictable numbers. Generally based on special hardware (white noise, radioactive decay, etc.)

Random Numbers

◆ A very secure cryptosystem can be broken if it relies on random numbers that can be guessed
  ◆ Netscape browser using SSL broken!
◆ Some PRNGs
  ◆ Yarrow from B. Schneier
  ◆ CryptPack
  ◆ etc.

Page 40: Pki Training V1.5

Key Length

◆ To break a secret-key cryptosystem with “no weakness”, an attacker must try each possible key. This is called a brute force attack
◆ To break a public-key cryptosystem an attacker should use a “smarter” brute force attack based on mathematics
◆ Key space dimension = 2^n (n: key length)

What is the right key size?

◆ The goal of cryptography is to make the value of the encrypted information less than the money spent to decrypt it!
◆ The value of information usually decreases over time

Page 41: Pki Training V1.5

RSA’s Challenge on DES (III)

◆ Method: splitting the key space for a distributed brute force attack (space dimension = 2^n, where n is the key length)
◆ Starting date: 18.01.99. Ending: 22 h 15 min later…
◆ Brute force attack rate: 245 billion keys/sec
◆ Platforms: Cray/Sun/SGI/Pentium etc.

RSA’s Challenge on RSA-155

◆ Key length: 512 bits = 155 digits
◆ Method: prime number factorization
◆ Starting date: August 99. Ending: 5 months later
◆ Time: 35.7 CPU years
◆ Platforms: SGI/Sun/Pentium etc.
◆ 292 computers

Page 42: Pki Training V1.5

Keys’ time of life

◆ Most of the time, session keys are changed (IPSec, etc.) to enforce security
◆ Can be triggered by time or by the quantity of encrypted data

Public-Key vs Secret-key

Secret-key (bits)   Public-Key (bits)
40                  274
56                  384
64                  512
80                  768
96                  1024
112                 1792
120                 2048
128                 2304

Page 43: Pki Training V1.5

Blowfish Advanced CS: How it works?

Blowfish Advanced CS

◆ File encryption software using symmetric encryption
◆ Uses a secret-key derived from a password or a “key-disk”
◆ Supports key splitting
◆ Wipes sensitive information
◆ Uses secret-key ciphers like:
  ◆ Blowfish
  ◆ 3DES
  ◆ Twofish

Page 44: Pki Training V1.5

Blowfish Advanced CS

◆ Uses SHA-1 to generate the secret-key from a password
◆ Uses random numbers (PRNG) to create the key file and to overwrite (wipe) data

File Encryption

◆ Set up file encryption software to protect sensitive information
◆ Time: 20 min
◆ p.38

Page 45: Pki Training V1.5

Message Authentication Code

◆ A MAC is a fixed-length data item that is sent together with a message to prove integrity and origin
◆ Provides authentication and integrity without confidentiality
◆ Also referred to as message integrity code (MIC)
◆ Most common form is HMAC (Hashed MAC)
◆ Example: HMAC-MD5

Message Authentication Code

(Diagram) Input Message + Secret-Key → Hash Function → HMAC.
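Added example, not from the slides: the message-digest properties of pages 37-38 and the HMAC of page 45, worked with Python's standard library. It computes the SHA-1 digest of a constructed contract text and counts how many of its 160 bits change after a one-character edit, produces an HMAC-MD5 tag that verifies only with the shared secret key, and runs a Tripwire-style file integrity check over a constructed in-memory set of files. The key, file names and contents are made up for the example.

```python
import hashlib
import hmac

# Constructed sample data for this example (not from the slides).
CONTRACT = b"Alice sells Bob 100 widgets for 1000 CHF, payable 30 days after delivery."
TAMPERED = b"Alice sells Bob 100 widgets for 9000 CHF, payable 30 days after delivery."
SHARED_KEY = b"constructed-demo-key"


def digest_hex(data, algorithm="sha1"):
    """Fixed-length digest of a variable-length message, as a hex string."""
    return hashlib.new(algorithm, data).hexdigest()


def bits_changed(hex_a, hex_b):
    """Number of digest bits that differ between two digests of the same algorithm.
    A good hash flips roughly half of them for any change to the input."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must come from the same algorithm")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def make_hmac(key, message, algorithm="md5"):
    """HMAC tag (the slides' HMAC-MD5 example): a hash keyed with a shared secret,
    so it proves origin as well as integrity, but gives no confidentiality."""
    return hmac.new(key, message, algorithm).hexdigest()


def check_hmac(key, message, tag, algorithm="md5"):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(make_hmac(key, message, algorithm), tag)


def fia_baseline(files, algorithm="sha1"):
    """File Integrity Assessment, step 1: record every file's digest at a known-good moment.
    `files` is a dict {path: content}, standing in for a real file system."""
    return {path: digest_hex(content, algorithm) for path, content in files.items()}


def fia_assess(files, baseline, algorithm="sha1"):
    """File Integrity Assessment, step 2: compare the current files with the baseline."""
    changed = [p for p, c in files.items()
               if p in baseline and digest_hex(c, algorithm) != baseline[p]]
    added = [p for p in files if p not in baseline]
    removed = [p for p in baseline if p not in files]
    return {"changed": sorted(changed), "added": sorted(added), "removed": sorted(removed)}


if __name__ == "__main__":
    d1, d2 = digest_hex(CONTRACT), digest_hex(TAMPERED)
    print("SHA-1 of contract :", d1)
    print("SHA-1 after edit  :", d2)
    print("bits changed      :", bits_changed(d1, d2), "of 160")

    tag = make_hmac(SHARED_KEY, CONTRACT)
    print("HMAC-MD5 ok       :", check_hmac(SHARED_KEY, CONTRACT, tag))
    print("HMAC-MD5 tampered :", check_hmac(SHARED_KEY, TAMPERED, tag))
    print("HMAC-MD5 wrong key:", check_hmac(b"guess", CONTRACT, tag))

    # Constructed mini file system: baseline, then one patched file, one new, one deleted.
    system = {"/bin/login": b"ELF login v1", "/etc/passwd": b"root:x:0:0::/root:/bin/sh\n"}
    baseline = fia_baseline(system)
    system["/bin/login"] = b"ELF login v1 (modified)"
    system["/bin/newtool"] = b"ELF unexpected"
    del system["/etc/passwd"]
    print("FIA report        :", fia_assess(system, baseline))
```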

Page 46: Pki Training V1.5

Digital Signature

◆ A digital signature is a data item that guarantees the origin and integrity of a message
◆ The signer of the message uses a signing key
◆ The recipient uses a verification key to verify the origin and integrity
  ◆ Signing key = private-key
  ◆ Verification key = public-key

Digital Signature

◆ By using his own private key, the signer cannot repudiate the fact that he has signed the message
◆ This mechanism provides non-repudiation
◆ Think about the difference with a MAC…

Page 47: Pki Training V1.5

Digital Signature: Basics

(Diagram) Plaintext → Ciphertext (Signature), using Alice’s private key; Ciphertext (Signature) → Plaintext, using Alice’s public key.

Simple signature using the PRIVATE-key

Digital Signature: How it works?

(Diagram) Signing: Plaintext → Digest → Signature, with Alice’s private key. Verifying: Signature → Digest MD1, with Alice’s public key; Plaintext → Digest MD2; check MD1 = MD2 ???

Page 48: Pki Training V1.5

Digital Signature

◆ Why does signing a message involve hashing?
  ◆ The signature (data item) would be too big
  ◆ Performance (public-key is very slow)
  ◆ Possible attack (known plaintext attack)

Common Signature Algorithms

◆ RSA
  ◆ Well known
  ◆ Export limitations
◆ DSA
  ◆ Similar to RSA (algebraic properties of numbers)
  ◆ Non-reversible algorithm, suitable for digital signature only
◆ ElGamal
  ◆ Another cipher for digital signature only

Page 49: Pki Training V1.5

Hybrid Cryptosystems

◆ A Hybrid Cryptosystem combines the best features of both Secret-Key and Public-Key cryptography
◆ Used to exchange a session key to initiate symmetric encryption
◆ Example: PGP, SSL, IPSEC using Diffie-Hellman or RSA

Example: Diffie-Hellman and Secret-Key cryptosystem

(Diagram) Asymmetric step: the Diffie-Hellman agreement yields the same Shared Secret Key on both sides (=). Symmetric step: Plaintext → Ciphertext → Plaintext with that key.
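Added example, not from the slides: the Diffie-Hellman exchange of page 34 followed by the hybrid step above, in Python with a toy group (p = 2^127 - 1 and g = 3, chosen for this example; real systems use standardised groups of 1024 bits or more, with identical arithmetic). Both parties derive the same secret-key for the bulk cipher by hashing the agreed number with SHA-1. The exchange itself authenticates nobody, which is the man-in-the-middle question the slides raise after RSA key wrapping.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this example: p = 2^127 - 1 (a Mersenne
# prime) and generator g = 3. Only the size differs from a production group.
P = 2 ** 127 - 1
G = 3


def dh_private_key():
    """Random private exponent from the OS CSPRNG (see the Random Numbers slides:
    a guessable private value makes the whole exchange worthless)."""
    return secrets.randbelow(P - 3) + 2          # 2 <= a <= p - 2


def dh_public_key(private):
    """Public value g^a mod p; safe to publish (directory, web server, newspaper)."""
    return pow(G, private, P)


def dh_shared_secret(own_private, peer_public):
    """Shared secret (peer_public)^own_private mod p. Both sides obtain the same
    number because (g^a)^b = (g^b)^a mod p."""
    # Refuse degenerate peer values (0, 1, p-1) that would force a predictable secret.
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, own_private, P)


def bulk_key_from_secret(shared_secret, key_len=16):
    """Hybrid step: hash the agreed number down to a fixed-length secret key for the
    symmetric bulk cipher (DES, 3DES, IDEA... on the slides)."""
    secret_bytes = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha1(secret_bytes).digest()[:key_len]


def key_agreement():
    """Run the exchange for Alice and Bob and return both derived bulk keys."""
    a, b = dh_private_key(), dh_private_key()   # each kept secret by its owner
    A, B = dh_public_key(a), dh_public_key(b)   # exchanged over the open network
    alice_key = bulk_key_from_secret(dh_shared_secret(a, B))
    bob_key = bulk_key_from_secret(dh_shared_secret(b, A))
    return alice_key, bob_key


if __name__ == "__main__":
    alice_key, bob_key = key_agreement()
    print("Alice's bulk key:", alice_key.hex())
    print("Bob's bulk key  :", bob_key.hex())
    print("identical       :", alice_key == bob_key)
```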

Page 50: Pki Training V1.5

RSA Key wrapping encryption

◆ Suppose Alice wants to send an encrypted text to Bob across the Internet, using RSA key wrapping

RSA Key wrapping encryption

◆ How it works?
  ◆ Alice creates a session key, which is a one-time-only secret-key
  ◆ Alice encrypts the data with the session key
  ◆ Alice encrypts the session key with Bob’s public-key
  ◆ Alice sends the ciphertext + the encrypted session key to Bob

Page 51: Pki Training V1.5

RSA Key wrapping encryption

(Diagram)

RSA Key wrapping decryption

◆ How it works?
  ◆ Bob receives the message from Alice
  ◆ Bob uses his private-key to recover the temporary session key
  ◆ Bob uses the session key to decrypt the ciphertext

Page 52: Pki Training V1.5

RSA Key wrapping decryption

(Diagram)

RSA Key wrapping question?

How sure can Alice be about Bob’s presumed public-key?

Page 53: Pki Training V1.5

Man in the Middle Attack!

(Diagram)

PGP: How it works?

Page 54: Pki Training V1.5

PGP: introduction

◆ Stands for Pretty Good Privacy
◆ By Phil Zimmermann (1991)
◆ Distributed worldwide in 1991
◆ Provides mail and file encryption/signature
◆ Today: PGP 6.5.2
◆ Available on many platforms like:
  ◆ Unix
  ◆ Windows
  ◆ Linux
  ◆ Atari, Macintosh, OS/2 etc.

PGP Introduction

◆ Contains a set of algorithms for
  ◆ Message digest: MD5, SHA1 and RIPEMD
  ◆ Public-key: RSA, DSA
  ◆ Secret-key: DES, 3DES, CAST-128 and IDEA
  ◆ Data compression: LZH

Page 55: Pki Training V1.5

Original PGP signature

◆ Using RSA and MD5 for example

(Diagram)

Quiz!

Page 56: Pki Training V1.5

Original PGP encryption

◆ Encryption based on RSA key wrapping

Original PGP decryption

◆ Decryption based on RSA key wrapping

Page 57: Pki Training V1.5

Quiz!

PGP today

◆ To enforce security, PGP today offers DSS and DH key exchange
◆ Support for X.509 certificates as well

Page 58: Pki Training V1.5

PGP Trust model

◆ Originally, PGP trust models were:
  ◆ Direct trust (hosts mutually and directly trusted)
  ◆ “Web-of-Trust”
    ◆ If Alice trusts Bob and Bob trusts Charlie, then Alice will trust Charlie
    ◆ In other words… friends of my friends are my friends
◆ Today, hierarchical trust is also possible

Other PGP products

◆ PGP Phone
  ◆ to transform a desktop into a secure phone via real-time encryption
◆ PGP disk
  ◆ offering privacy for the file system
◆ PGP SDK
  ◆ development kit

Page 59: Pki Training V1.5

PGP

◆ Use PGP to send a signed and encrypted e-mail
◆ Time: 40 min
◆ P.49

SSH: How it works?

Page 60: Pki Training V1.5

SSH

◆ SSH = Secure Shell
◆ Originally developed in 1995 as a secure replacement for rsh, rlogin, rcp, ftp, telnet
◆ Originally implemented in Finland
◆ Available worldwide
◆ About 3’000’000 users around the world

http://www.cs.hut.fi/ssh

SSH

◆ Also allows port forwarding (tunneling over SSH)
◆ X11 connection forwarding
◆ SSH v2 submitted to the IETF
◆ Can be run and used in a short space of time
◆ Many SSH clients available
  ◆ Secure CRT
  ◆ F-Secure
  ◆ Java Client
  ◆ etc.

Page 61: Pki Training V1.5

SSH: Why?

(Diagram) Telnet to a Unix host: the original TCP packet crosses the network in clear text (Login: rome, Password: abc123), where an attacker with a sniffer can read it.

SSH-1 Protocol (Hybrid Crypto)

(Diagram) Exchange between the SSH client and server, TCP port 22:

◆ The client performs the TCP handshake with the server on port 22, the SSH standard port.
◆ The server responds with two public keys: the Host key (1024-bit RSA) and a Server key (768-bit RSA, regenerated hourly).
◆ The client verifies the host key and generates a secret key to be used for bulk encryption, then encrypts this secret key twice, with the Host and Server public keys, and sends it to the server.
◆ The server decrypts the session key with its two private keys. Bulk encrypted data exchange begins.
◆ The authentication process starts: the client encrypts and sends an authentication request; the server decrypts the request, encrypts and sends the response.
◆ Session: symmetrically encrypted data.

Page 62: Pki Training V1.5

SSH Ciphers

◆ SSH v1
  ◆ RSA
  ◆ DES, 3DES, Blowfish, IDEA
◆ SSH v2
  ◆ Diffie-Hellman as key exchange algorithm
  ◆ DSA, RSA
  ◆ 3DES, Blowfish, IDEA, Twofish, Arcfour, CAST-128

SSH Authentication

◆ Multiple authentication mechanisms
  ◆ Static password (protected by SSH encryption)
  ◆ RSA or DSA authentication (client decrypts a challenge from the server)
  ◆ Plug-in authentication (SecurID, Radius, LDAP, PAM *)
  ◆ “.rhosts or /etc/hosts.equiv” (based on IP address)

* http://www.bg.kernel.org/pub/linux/libs/pam/index.html

Page 63: Pki Training V1.5

SSH Authentication (RSA/DSA)

◆ Client decrypts a “challenge” from the server
◆ Provides “strong” authentication (the client uses his private-key plus a PIN code)

(Diagram) The server sends a challenge encrypted with the client’s public key; the client decrypts the challenge and sends it back to the server. The challenge is chosen randomly.

SSH Tunneling mode

(Diagram) SSH Client (Corporate Net) ⇄ encrypted SSH tunnel ⇄ SSH Server (DMZ) → clear text → Web server. The browser talks to HTTP on 127.0.0.1 port 1999, the local end of the tunnel.

Page 64: Pki Training V1.5

SSH

◆ Set up an SSH client to replace Telnet. Use two authentication mechanisms.
◆ Set up an SSH tunnel
◆ Time: 60 min
◆ p. 64

PKCS

◆ Public-Key Cryptography Standards (PKCS)
◆ Standardization of public-key algorithms, in order to maintain interoperability
◆ Developed by RSA Laboratories with a consortium of information technology vendors and academic institutions:
  ◆ Apple
  ◆ Microsoft
  ◆ Compaq
  ◆ Lotus
  ◆ Sun
  ◆ MIT etc.

PKCS list

◆ #1: Encrypting and signing using the RSA public-key cryptosystem
◆ #3: Key agreement with Diffie-Hellman key exchange
◆ #5: Encrypting with a secret key derived from a password
◆ #7: Syntax for messages with digital signature
◆ #8: Format for private-key information
◆ #9: Attribute types for use in other PKCS standards
◆ #10: Syntax for certification requests
◆ #11: Defines the Cryptoki programming interface (API for smart cards)
◆ #12: Portable format for storing and transporting private keys
◆ #13: Encrypting and signing data using elliptic curve cryptography
◆ #14: Standard for pseudo-random number generation
◆ #15: Standard to store credentials on tokens

Smart Card

◆ Smart Cards consist of a chip (processor and/or memory), a contact plate and a piece of plastic (ISO 7810: 54 x 85 x 0.8 mm)
◆ Smart Cards are used for multiple applications
  ◆ GSM, Banking, Medical, E-Commerce, Pay TV, etc.

Smart Card and PKI

◆ Storing the private key and/or X.509 certificate on the Smart Card
◆ Provides strong authentication
  ◆ Something you have, something you know
◆ Access protected by a PIN (like a credit card)
◆ Types of Smart Card
  ◆ Memory cards
  ◆ PKI smart cards using a crypto-processor (RSA, etc.)
◆ Some Smart Cards are “brute force” protected

Smart Card Standard (interface)

◆ PKCS #11, also called Cryptoki
  ◆ Interface for communication with the Smart Card
  ◆ Netscape, RSA
◆ PC/SC and its Crypto API
  ◆ http://www.pcscworkgroup.com/
  ◆ Bull, Gemplus, HP, Intel, Microsoft, Schlumberger, Siemens, SUN, Toshiba

Smart Card Reader

◆ Keyboard
◆ USB
◆ Serial
◆ PCMCIA
◆ Diskette reader
◆ SCSI

Today’s Smart Card Drawbacks

◆ Hardware...
◆ Multi-services rarely used
◆ Users leave the Smart Card in the reader

End Day One

Questions Day One?

Quiz!

◆ Describe Secret-Key? Advantages / Disadvantages
◆ Describe Public-Key? Advantages / Disadvantages
◆ Describe Message Digest?
◆ Describe Digital Signature and verification?
◆ Differences between MAC and signature?
◆ Describe two Hybrid Cryptosystems?
◆ Describe a challenge-response based authentication?

PKI introduction

◆ The aim of PKI is to integrate all the previous mechanisms and algorithms into a coherent and efficient structure.
◆ It will answer the following fundamental security needs:
  ◆ Authentication
  ◆ Confidentiality
  ◆ Non-Repudiation
  ◆ Integrity
◆ The basis of PKI relies on the concept of certificates

PKI basic functions

◆ A PKI will include at least:
  ◆ One Certificate Authority which delivers certificates
  ◆ One Directory which stores active certificates and/or revoked certificates
  ◆ One Registration Authority which allows certificate enrollment
  ◆ One centralized Management

Remember Alice, Bob and Charlie...

Bob has no proof of the “link” between Alice’s public keys and her identities

So What?

Trusted Third Party

[Diagram: with a Trusted Authority, each party has a direct trust relation with the authority and an implicit trust relation with the other party. No more Charly.]

Digital Certificates

◆ A public-key certificate binds an entity’s public key to that entity
◆ The entity can be:
  ◆ A person
  ◆ A role (Manager, Director)
  ◆ An organization
  ◆ A piece of hardware (Router, Server, IPSEC, SSL, etc.)
  ◆ A software process (Java Applet)
  ◆ A file (Image, Databases, etc.)
  ◆ etc.

Digital Certificates

◆ A public-key certificate provides assurance that the public key belongs to the identified entity
◆ A public-key certificate is also called a digital certificate, digital ID or certificate
◆ The entity identified is referred to as the certificate subject
◆ If the certificate subject is a person, it is referred to as a subscriber

Digital Certificates

◆ A certificate is like a passport...

How to obtain a certificate

◆ As with passports, you give proof of your identity to an official (or trusted) authority.
◆ The authority checks this proof.
◆ The authority delivers a signed passport.
◆ This procedure is defined as an “enrollment”
◆ Instead of “enrolling” for a passport we’ll enroll for a digital certificate.

Digital Certificates

◆ Graphical representation of a certificate

Demo: certificate view

X.509 Certificate Standard

◆ X.509 is a standard for digital certificates by the International Telecommunications Union (ITU)
◆ First published in 1988 (V1.0)
◆ Version 2.0 (1993) adds two new fields
◆ Current version is v3.0 (1996) and allows additional extension fields

X.509 Basic Certificate Fields

◆ Version: X.509 version 1, 2 and 3
◆ Certificate serial number: integer assigned by the CA (unique)
◆ Signature algorithm identifier: RSA/MD5 etc.
◆ Issuer name: name of the CA having signed and issued the certificate
◆ Validity period: time interval
◆ Subject name: the entity name (this name must be unique = distinguished name (DN))

X.509 Basic Certificate Fields

◆ Subject public-key information: contains the public key plus the parameters
◆ Issuer unique identifier: optional field
◆ Subject unique identifier: optional field
◆ Extensions: may provide additional data for specific applications.

And the Certification Authority’s Digital Signature

SSL X.509 example

Data and Signature section in human-readable format!

SSL X.509 example

Here is the same certificate in the base64-encoded format interpreted by software

How to build a Certificate

[Diagram: the X.509 fields (public key, identity, etc.) go through the CA’s digital signature process; the fields plus the CA’s signature form the X.509 certificate]

Think of it like a credit card...

[Figure: a sample credit card (issuing bank, card holder name, card number, “good thru” date, authorized signature) annotated with the corresponding certificate fields: Issuer Name, Subject Name, Public Key, Validity Period, Signature]

How to verify a certificate?

◆ Obtain the signer’s (CA) public key
◆ Pass the X.509 fields into the message digest algorithm and keep the digest (= your digest 1)
◆ Decrypt the certificate signature with the signer’s (CA) public key. The decrypted plaintext will be the digest (= your digest 2)
◆ Compare digest 1 with digest 2
◆ Do they match?

Verifying a certificate?

[Diagram: the X.509 fields (public key, identity, etc.) are hashed into MD1; the CA’s signature is decrypted with the CA’s public key into MD2; MD1 = MD2 ???]

A few words about CAs

◆ Entities that issue and manage digital certificates, including
  ◆ maintaining
  ◆ revoking
  ◆ publishing status information
◆ CAs’ security policy defined in a CPS (Certification Practice Statement)
  ◆ Security measures to guarantee the CA’s integrity
  ◆ Security measures to check the enrollee’s identity
◆ Trust level relies upon the CPS and not technology

A few words about CAs

◆ PKI security relies on the CA’s private-key secrecy
  ◆ Should never be accessed
  ◆ Should be backed up
◆ Solution: store it inside dedicated tamperproof hardware

Types of CAs

◆ Private CAs:
  ◆ Held by a private entity (Company, Administration, the Military)
◆ Public CAs:
  ◆ Verisign, Swisskey, GTE, Thawte, GlobalSign, Certplus, etc.

A CA can be hybrid, as for instance the “On-site services” of Verisign

Registration Authority (RA)

◆ A Registration Authority is the entity receiving the certification requests and managing them before sending them to the CA. The RA acts as a front end.
◆ As in hybrid CAs, the registration authority can be separate from the CA itself. In this case we talk about a Local Registration Authority (LRA)
  ◆ Multiple sites for big companies
  ◆ Distributed environment

(L)RA Front End

LDAP

◆ X.500 directories required more effort and complexity than most companies were prepared to invest
◆ The Lightweight Directory Access Protocol was proposed by the Internet community
◆ LDAP uses the X.500 naming conventions but simplifies the way you interact with a directory

LDAP

◆ LDAP is a “front end” that is used to implement simple directory services
◆ An LDAP server may be implemented over:
  ◆ a full X.500 directory
  ◆ a database
  ◆ a flat file
  ◆ most structured data sets
◆ The CA will use LDAP to publish certificates and CRLs

Demo: browsing LDAP

http://www.iit.edu/~gawojar/ldap/

Certificate Revocation

◆ Certificate Revocation:
  ◆ Mechanism used by the CA to publish and disseminate revoked certificates
◆ Revocation is triggered in the following cases:
  ◆ Key compromise
  ◆ CA compromise
  ◆ Cessation of operation
  ◆ Affiliation change
  ◆ etc.

Certificate Revocation

◆ Several data structures exist to publish revocation
  ◆ CRL (Certificate Revocation List)
  ◆ ARL (Authority Revocation List)
  ◆ CRT (Certificate Revocation Trees) by Valicert
◆ Also online query mechanisms
  ◆ OCSP (Online Certificate Status Protocol)

CRL’s publication and retrieval

◆ Certificate-using applications must be aware of revoked certificates
  ◆ Get the CRL via LDAP
  ◆ Get the CRL via FTP, HTTP, HTTPS, etc.
  ◆ Check certificate status via OCSP
  ◆ Etc.
◆ Problem to solve: revocation delay!
  ◆ Not yet fully standardized (Delta CRLs, OCSP, etc.)

CRL Version 2 structure

[Diagram: a v2 CRL contains the Version, the Signature algorithm, the Issuer DN, the Update Date, the Next Update Date, the List of revoked certificates with per-certificate extensions, and CRL Extensions]
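As an added example (not part of the slides), the following Python models the CRL fields just listed and shows how a certificate-using application should consult one, including the revocation-delay problem raised above: a CRL only answers for its own issuer, and once its Next Update date has passed it says nothing about revocations made since. The issuer DN, serial numbers, dates and reasons are all constructed sample values.

```python
"""Check a certificate's status against a CRL, including the revocation-delay caveat."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: str = "unspecified"          # per-certificate CRL entry extension (reasonCode)


@dataclass
class CRL:
    issuer: str                          # Issuer DN
    this_update: datetime                # Update Date
    next_update: datetime                # Next Update Date
    revoked: List[RevokedEntry] = field(default_factory=list)


# Constructed sample CRL (not from the slides), published by a fictitious CA3 and valid for 24 hours.
T0 = datetime(2000, 8, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CRL = CRL(
    issuer="C=CH, O=Datelec, CN=CA3",
    this_update=T0,
    next_update=T0 + timedelta(hours=24),
    revoked=[
        RevokedEntry(0x1001, T0 - timedelta(days=2), "keyCompromise"),
        RevokedEntry(0x1007, T0 - timedelta(hours=1), "affiliationChanged"),
    ],
)


def certificate_status(crl: CRL, issuer: str, serial: int, now: datetime) -> str:
    """Return 'good', 'revoked', 'wrong-issuer' or 'stale-crl'.

    A CRL only speaks for certificates of its own issuer, and a CRL whose
    Next Update has passed must be refreshed before a 'good' answer is
    trusted: any revocation made after This Update is not in it yet.
    """
    if issuer != crl.issuer:
        return "wrong-issuer"
    if not (crl.this_update <= now <= crl.next_update):
        return "stale-crl"
    for entry in crl.revoked:
        if entry.serial == serial:
            return "revoked"
    return "good"


def max_revocation_delay(crl: CRL) -> timedelta:
    """Worst case between a revocation and the moment a relying party that only
    refetches at Next Update sees it: this is the slide's 'revocation delay'."""
    return crl.next_update - crl.this_update


def revocation_reason(crl: CRL, serial: int) -> str:
    for entry in crl.revoked:
        if entry.serial == serial:
            return entry.reason
    return "not revoked"


if __name__ == "__main__":
    now = T0 + timedelta(hours=1)
    for serial in (0x1001, 0x2222):
        print(hex(serial), certificate_status(SAMPLE_CRL, SAMPLE_CRL.issuer, serial, now),
              revocation_reason(SAMPLE_CRL, serial))
    print("worst-case revocation delay:", max_revocation_delay(SAMPLE_CRL))
```

With a 24-hour CRL lifetime, a certificate revoked one minute after publication stays usable for almost a day at any relying party that caches the CRL until Next Update; that is the gap Delta CRLs and OCSP are meant to shrink.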

CRL Version 1 view (text)

CRL Version 1 view (PEM)

Demo: get a CRL

OCSP

[Diagram: the CA pushes revocation information to a backend (LDAP, FTP, HTTP, others) and to an OCSP Responder; PKI-enabled applications query the responder with OCSP over HTTP]

Distinguished Names

◆ X.509 certificates bind a Distinguished Name (DN) to a public key
◆ A DN is a set of name-value pairs, such as uid=cenzler, that uniquely identify an entity
◆ Example: a typical DN of a Datelec employee:
  ◆ C=CH, O=Datelec, OU=Engineering, L=Geneva, CN=Cedric Enzler, [email protected]

Distinguished Names

◆ DNs may include a variety of other name-value pairs (see the X.500 standard)
◆ Most CAs are LDAP compliant. Thus, DNs will be used as entries in directories that support LDAP
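As an added example (not part of the slides), here is a small Python parser for the string form of a DN like the one above, with the two details that bite when a DN from a certificate is matched against a directory entry: a comma inside a value (escaped with a backslash or protected by quotes) must not start a new component, and attribute types compare case-insensitively while the order of components is significant. The sample DN is constructed; its e-mail address is a placeholder.

```python
"""Parse, normalize and compare X.509 distinguished names written in their string form."""
from typing import List, Optional, Tuple

# Constructed sample DN in the slide's format (the e-mail address is a placeholder).
SAMPLE_DN = "C=CH, O=Datelec, OU=Engineering, L=Geneva, CN=Cedric Enzler, E=user@example.org"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into ordered (attribute type, value) pairs.

    A backslash escapes the next character and double quotes protect a whole
    value, so O=Acme\\, Inc. and O="Acme, Inc." both keep their comma.
    """
    components: List[str] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':                             # quoted value: toggle, drop the quote itself
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:         # unescaped, unquoted comma ends a component
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value in DN")
    components.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for comp in components:
        comp = comp.strip()
        if not comp:
            continue
        if "=" not in comp:
            raise ValueError(f"malformed DN component: {comp!r}")
        attr_type, value = comp.split("=", 1)
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def normalize(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Attribute types are case-insensitive; values are compared case-insensitively
    with whitespace collapsed (the usual LDAP caseIgnoreMatch behaviour)."""
    return [(t.upper(), " ".join(v.split()).casefold()) for t, v in pairs]


def same_dn(a: str, b: str) -> bool:
    """Order-sensitive: a DN is a sequence of RDNs, so C=CH,O=X is not O=X,C=CH."""
    return normalize(parse_dn(a)) == normalize(parse_dn(b))


def get_attribute(dn: str, attr_type: str) -> Optional[str]:
    """Return the first value of an attribute type (for instance the CN), or None."""
    for t, v in parse_dn(dn):
        if t.upper() == attr_type.upper():
            return v
    return None


if __name__ == "__main__":
    for t, v in parse_dn(SAMPLE_DN):
        print(f"{t:3s} = {v}")
    print(same_dn(SAMPLE_DN, SAMPLE_DN.lower()))
```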

Single CA

◆ Until now, we assumed the presence of a unique CA certifying all users. Thus, there’s a direct relation between users and their CA

[Diagram: one CA issuing X.509 certificates directly to every user]

Multiple CAs top-down

◆ Typical CA implementation for large companies

[Diagram: a Root CA at the top, Subordinate CAs below it, and end-entity X.509 certificates issued by the subordinate CAs; arrows show the trust relation]

Trust

◆ Because a CA has a certificate itself and represents the highest possible trust level, the CA has its own self-signed certificate
◆ A self-signed certificate is a Root Certificate or Meta-Introducer
◆ A certificate-using application (any X.509 holder) must trust the Root certificate
◆ Importing a Root certificate into such an application is called Bootstrapping a CA

Bootstrapping must be considered as a very critical operation!

Trusted Root certificates

◆ Many applications (such as HTTP browsers) already have embedded root certificates

Demo: Bootstrap Swisskey

Trust architecture

Assume Alice, Bob and Charly are exchanging e-mails

[Diagram: a Root CA above CA1 and CA3, with CA2 below CA1; Alice (A), Bob (B) and Charly (C) each hold an X.509 certificate issued within this hierarchy]

Simple Case

◆ Alice receives Bob’s e-mail and the X.509 certificate
◆ How can Alice check Bob’s certificate?
  ◆ She looks at Bob’s signer
  ◆ Does she know the signer?
    ◆ Yes: is it self-signed?
    ◆ No: is the upper-level CA trusted?

[Diagram: Bob’s X.509 certificate (1) is signed by CA3 (2), whose certificate is signed by the Root (3)]

More complicated...

◆ Alice receives Charly’s e-mail and the X.509 certificate
◆ How can Alice check Charly’s certificate?
◆ Charly sent the intermediary CAs’ certificates along with his own certificate. This is the “chain of certificates”
◆ Thus, the validation process will be...

[Diagram: Charly’s X.509 certificate (1) is signed by CA2 (2), whose certificate is signed by CA1 (3), whose certificate is signed by the Root (4)]
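As an added example (not code from the slides), the Python below carries out both the two-digest check of the “How to verify a certificate” slide and the chain walk of the Simple and More complicated cases. RSA is done with fixed Mersenne primes and a truncated SHA-256 digest, with no padding scheme and no real X.509 encoding, purely to make the arithmetic visible; the hierarchy Root → CA1 → CA2 → Charly and Root → CA3 → Bob, the serial numbers and the field encoding are all constructed for the demonstration. The one design point worth noticing is that the root is always taken from Alice’s own bootstrapped store, never from the certificates Charly sent along.

```python
"""Toy X.509-style signing and chain validation: the two-digest check, then the walk up to a trusted root."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

E = 65537  # public exponent

# Constructed keys: Mersenne primes, chosen so every CA modulus exceeds 2**128 (the digest size below).
# Bob and Charly never sign anything, so their small keys only need to exist.
PRIMES = {
    "Root": (2**127 - 1, 2**107 - 1), "CA1": (2**521 - 1, 2**31 - 1),
    "CA2": (2**607 - 1, 2**19 - 1),   "CA3": (2**89 - 1, 2**61 - 1),
    "Bob": (2**17 - 1, 2**13 - 1),    "Charly": (2**7 - 1, 2**5 - 1),
}


def make_key(p: int, q: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)) for textbook RSA with the given primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


@dataclass
class Certificate:
    subject: str
    issuer: str
    public_key: Tuple[int, int]      # (n, e) of the subject
    serial: int
    signature: int = 0

    def fields(self) -> bytes:
        """The signed part: the slide's 'X.509 fields' (identity, public key, etc.)."""
        n, e = self.public_key
        return f"{self.serial}|{self.subject}|{self.issuer}|{n}|{e}".encode()


def digest(data: bytes) -> int:
    # 128 bits of SHA-256 as an integer, always smaller than the toy CA moduli (no padding scheme).
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(cert: Certificate, issuer_private: Tuple[int, int]) -> Certificate:
    n, d = issuer_private
    cert.signature = pow(digest(cert.fields()), d, n)
    return cert


def verify_signature(cert: Certificate, issuer_public: Tuple[int, int]) -> bool:
    """Digest 1 = hash of the fields; digest 2 = signature 'decrypted' with the CA public key."""
    n, e = issuer_public
    digest1 = digest(cert.fields())
    digest2 = pow(cert.signature, e, n)
    return digest1 == digest2


def validate_chain(leaf: Certificate, presented: Dict[str, Certificate],
                   trusted_roots: Dict[str, Certificate], max_depth: int = 8) -> List[str]:
    """Walk from the leaf to a bootstrapped root; return the validated path of subject names.

    'presented' holds the intermediate CA certificates sent along with the leaf
    (Charly's case). A root is only ever taken from 'trusted_roots', never from
    what the peer sent, so a self-signed certificate in the message buys nothing.
    """
    path: List[str] = []
    cert = leaf
    for _ in range(max_depth):
        path.append(cert.subject)
        if cert.issuer in trusted_roots:
            root = trusted_roots[cert.issuer]
            if not verify_signature(cert, root.public_key):
                raise ValueError(f"bad signature on {cert.subject}")
            if not verify_signature(root, root.public_key):
                raise ValueError("root certificate is not correctly self-signed")
            return path + [root.subject]
        issuer_cert = presented.get(cert.issuer)
        if issuer_cert is None:
            raise ValueError(f"issuer {cert.issuer!r} unknown: not presented and not a trusted root")
        if not verify_signature(cert, issuer_cert.public_key):
            raise ValueError(f"bad signature on {cert.subject}")
        cert = issuer_cert
    raise ValueError("certificate chain too long")


def build_demo_pki() -> Dict[str, Certificate]:
    """Constructed hierarchy: Root -> CA1 -> CA2 -> Charly and Root -> CA3 -> Bob."""
    keys = {name: make_key(p, q) for name, (p, q) in PRIMES.items()}
    issuers = [("Root", "Root"), ("CA1", "Root"), ("CA2", "CA1"),
               ("CA3", "Root"), ("Bob", "CA3"), ("Charly", "CA2")]
    certs: Dict[str, Certificate] = {}
    for serial, (subject, issuer) in enumerate(issuers, start=1):
        certs[subject] = sign(Certificate(subject, issuer, keys[subject][0], serial), keys[issuer][1])
    return certs


if __name__ == "__main__":
    certs = build_demo_pki()
    roots = {"Root": certs["Root"]}
    print(validate_chain(certs["Bob"], {"CA3": certs["CA3"]}, roots))
    print(validate_chain(certs["Charly"], {"CA2": certs["CA2"], "CA1": certs["CA1"]}, roots))
```

In Bob’s case the walk stops after one hop because CA3’s issuer is the bootstrapped Root; in Charly’s case the two intermediate certificates he sent are each verified against the next one up before the Root is reached. If Charly had forgotten to send CA1’s certificate, Alice could not complete the chain and would have to reject, exactly the “does she know the signer?” question answered No.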

Cross certification

[Diagram: two separate CA hierarchies, each with its Root CA, subordinate CAs and end-entity X.509 certificates, joined by cross certification]

A typical case: merging of Certification Islands

Let’s be practical!

[Diagram: enrollment workflow between the User, the RA, the Security Officer, the CA and LDAP]
◆ User enrolls for a certificate (http://www...)
◆ User is mailed an acknowledgement
◆ Admin is mailed a notification
◆ Admin approves the request (http://www...)
◆ User is mailed a retrieval PIN
◆ User retrieves the certificate (http://www...)
◆ Certificate installed

Some X.509 certificate types

◆ CA certificate (Root)
◆ S/MIME
◆ SSL server/client
◆ IPSec gateway/client
◆ Object signing certificates
  ◆ JavaScript
  ◆ Image signature for copyright
  ◆ File intrusion detection (binary certification)
◆ etc.

PKI Standards

◆ Some standards organizations:
  ◆ IETF PKI Working Group (PKIX)
  ◆ ITU
  ◆ SPKI
  ◆ RSA with PKCS

PKI Vendors

Some Public CAs

PKI Summary

◆ Based on certificates (X.509)
◆ Trusted third party (CA)
◆ (L)RA
◆ CRL
◆ Data repositories
◆ Mechanisms and protocols between all these elements

S/MIME: How it works?

S/MIME

◆ Secure Multipurpose Internet Mail Extensions
◆ Developed by RSA, Microsoft, Lotus, Banyan, and Connectsoft in 1995
◆ Implemented at the application layer
◆ Built on top of PKCS #7 and PKCS #10
◆ Very strong commercial vendor acceptance
  ◆ Netscape, Microsoft, Lotus, etc.
◆ IETF developed S/MIME v3 (latest version)
◆ Uses X.509 certificates

S/MIME

◆ S/MIME provides four services:

  Security Service               | Security Mechanism
  -------------------------------|-------------------
  Message origin authentication  | Digital Signature
  Message integrity              | Digital Signature
  Non-repudiation of origin      | Digital Signature
  Message confidentiality        | Encryption

S/MIME Ciphers

◆ Symmetric encryption
  ◆ 3DES 168 bit
  ◆ DES 56 bit
  ◆ RC2 128, 64 and 40 bit
◆ Public-Key
  ◆ RSA 512 to 1024 bit

S/MIME Signature

Suppose Alice sends an S/MIME signed e-mail to Bob

[Diagram: the message in MIME format is hashed into a digest, the digest is signed with Alice’s private key, and message plus signature are sent in MIME-encoded format]

S/MIME Encryption

Suppose Alice sends an S/MIME encrypted e-mail to Bob

[Diagram: the plaintext in MIME format is encrypted with a random session key; the session key is encrypted with Bob’s public key; ciphertext and encrypted session key are encoded in MIME format]

S/MIME dual key?

◆ Dual Key Pair
  ◆ One key pair for encryption
  ◆ One key pair for signature and non-repudiation
◆ CA must support key backup and recovery
  ◆ Key pair for encryption generated on the CA itself!
◆ Drawback:
  ◆ Not all e-mail clients support Dual Key Pairs

S/MIME

◆ The student will set up an e-mail system using S/MIME. He will use digital signature and encryption. Certificate retrieval is done via LDAP.
◆ Time: 45 min
◆ p. 77

SSL: How it works?

SSL

◆ Secure Sockets Layer: TCP/IP socket encryption
◆ Provides end-to-end protection of communication sessions
  ◆ Confidentiality protection via encryption
  ◆ Integrity protection with MACs
  ◆ Usually authenticates the server using a digital signature (option)
  ◆ Can authenticate the client (option)

SSL History

◆ SSL v1 designed by Netscape in 1994
  ◆ Netscape internal usage
◆ SSL v2 shipped with Navigator 1.0 and 2.0
◆ Microsoft proposed PCT (Private Communications Technology), which overcame some SSL v2 shortcomings
◆ SSL v3 latest version
  ◆ The progress of PCT was echoed in SSL v3
◆ TLS v1 developed by the IETF

SSL Protocol

◆ The SSL protocol runs above TCP/IP
◆ The SSL protocol runs below higher-level protocols such as HTTP or IMAP

SSL Ports from IANA

◆ nsiiops      261/tcp  # IIOP Name Service over TLS/SSL
◆ https        443/tcp  # http protocol over TLS/SSL
◆ smtps        465/tcp  # smtp protocol over TLS/SSL (was ssmtp)
◆ nntps        563/tcp  # nntp protocol over TLS/SSL (was snntp)
◆ imap4-ssl    585/tcp  # IMAP4+SSL (use 993 instead)
◆ sshell       614/tcp  # SSLshell
◆ ldaps        636/tcp  # ldap protocol over TLS/SSL (was sldap)
◆ ftps-data    989/tcp  # ftp protocol, data, over TLS/SSL
◆ ftps         990/tcp  # ftp protocol, control, over TLS/SSL
◆ telnets      992/tcp  # telnet protocol over TLS/SSL
◆ imaps        993/tcp  # imap4 protocol over TLS/SSL
◆ ircs         994/tcp  # irc protocol over TLS/SSL
◆ pop3s        995/tcp  # pop3 protocol over TLS/SSL (was spop3)
◆ msft-gc-ssl 3269/tcp  # Microsoft Global Catalog with LDAP

SSL Ciphers

◆ The SSL protocol supports the use of a variety of different cryptographic algorithms or ciphers
  ◆ DES (56)
  ◆ 3DES (168)
  ◆ RC4 (40 or 128)
  ◆ RC2 (40)
  ◆ Fortezza (96)
  ◆ IDEA (128)
  ◆ SHA-1, MD5
  ◆ DSA
  ◆ RSA (key exchange)

SSL Handshake

◆ Negotiate the cipher suite
◆ Establish a shared session key
◆ Authenticate the server (optional)
◆ Authenticate the client (optional)

SSL Handshake

An SSL connection consists of an SSL handshake (asymmetric, 0.2 - 4 KB) followed by bulk encrypted protocol data (symmetric)

[Diagram: Client and Server on port 443: TCP, Hello, Cert, GET URL, DATA]

◆ Client performs a TCP handshake with the server at port 443 for HTTPS, which is HTTP in SSL
◆ Start cipher negotiation. Client sends an SSL HELLO containing the ciphers supported by the client and a random number.
◆ The server responds with a HELLO containing the ciphers to use and a random number. Note that the server selects the ciphers to be used. RSA, RC4 and MD5 are most common.
◆ Start passing the secret. Server sends its CERTIFICATE.
◆ Client uses the certificate to encrypt the pre-master secret and sends it to the server. Both compute the bulk encryption KEYS from the secret and the random numbers.
◆ Client and Server exchange CHANGE CIPHER SPEC and FINISH messages.
◆ Begin bulk encrypted data exchange. Client encrypts and sends HTTP GET.
◆ Server decrypts the request, encrypts and sends the response
◆ Server sends FINISH and closes with a TCP handshake

Client authenticates server

◆ Is today’s date within the validity period?
◆ Is the issuing CA a trusted CA?
◆ Does the issuing CA’s public key validate the issuer’s digital signature?
◆ Does the domain name in the server’s certificate match the domain name of the server itself?
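As an added example (not part of the slides), here are the four checks above as a single Python function that returns every failure it finds instead of stopping at the first, which is what a browser needs in order to word its warning. The last check is the one the “Wrong URL” demo exercises; it is implemented with the usual rule that a wildcard matches exactly one left-most label. The certificate fields, CA name, host names and dates are constructed sample values; the signature verification itself is assumed to have been done separately (as on the earlier slides) and is passed in as a flag.

```python
"""The client-side checks on a server certificate (validity, trusted issuer, signature, host name)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Set


@dataclass
class ServerCert:
    subject_cn: str
    issuer: str
    not_before: datetime
    not_after: datetime
    dns_names: List[str] = field(default_factory=list)   # subjectAltName entries, if any
    signature_ok: bool = True   # result of checking the CA's signature with the CA public key


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a leading '*' stands for exactly one label, so
    *.example.com covers www.example.com but neither a.b.example.com nor example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False   # '*.com'-style wildcards are not accepted
    return p_labels[1:] == h_labels[1:]


def check_server_certificate(cert: ServerCert, hostname: str,
                             trusted_cas: Set[str], now: datetime) -> List[str]:
    """Return the list of reasons to refuse the certificate (empty means accept)."""
    problems: List[str] = []
    if not (cert.not_before <= now <= cert.not_after):
        problems.append("outside validity period")
    if cert.issuer not in trusted_cas:
        problems.append("issuing CA is not trusted")
    if not cert.signature_ok:
        problems.append("CA signature does not verify")
    # subjectAltName takes precedence over the CN when present
    names = cert.dns_names or [cert.subject_cn]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: certificate is for {', '.join(names)}, not {hostname}")
    return problems


# Constructed sample certificate and clock (not from the slides).
T_NOW = datetime(2000, 8, 15, tzinfo=timezone.utc)
SAMPLE_CERT = ServerCert(
    subject_cn="www.example.com",
    issuer="CN=Demo CA",
    not_before=datetime(2000, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2001, 1, 1, tzinfo=timezone.utc),
    dns_names=["www.example.com", "*.example.com"],
)

if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.com", "www.example.org"):
        print(host, check_server_certificate(SAMPLE_CERT, host, {"CN=Demo CA"}, T_NOW) or "OK")
```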

Demo: Wrong URL!

Server authenticates client

◆ Does the client’s public key validate its digital signature? (challenge)
◆ Is today’s date within the validity period?
◆ Is the issuing CA a trusted CA?
◆ Does the issuing CA’s public key validate the issuer’s digital signature?
◆ Is the user’s certificate listed in a CRL?

SSL Tunneling

◆ SSL can provide tunneling to transport a TCP port over an encrypted channel
◆ Some tunneling software can use client and server authentication with X.509 certificates
◆ Some tunneling programs
  ◆ Webtop (Sun/Netscape)
  ◆ Stunnel
  ◆ bjorb, Jonama
  ◆ SSLProxy
  ◆ Celo Communications (SSR)

http://www.openssl.org/related/apps.html

SSL Tunneling mode

[Diagram: the client on the corporate net connects locally to pop3 on 127.0.0.1 port 1234; the encrypted SSL tunnel carries the traffic to the DMZ, where it is forwarded in clear text to the POP3 server]

SSL Hardware accelerator

◆ RSA key exchange is very CPU intensive
  ◆ A 200 MHz NT box allows about a dozen concurrent SSL handshakes
◆ Use multiple servers
◆ Use hardware encryption (Intel-IPIVOT, Ncipher, Rainbow, etc.)

SGC

◆ Server Gated Cryptography
◆ Allows strong encryption on a per-server basis
◆ Originally available only to “qualified financial institutions”
◆ Requires a special SGC server certificate from:
  ◆ Verisign Global-ID
  ◆ Thawte SuperCert
  ◆ GlobalSign HyperSign128
  ◆ Etc.

http://www.modssl.org/related/gid.html

SGC

◆ Enables strong encryption for export browsers
◆ Procedure:
  ◆ Browser is an export version: 40-bit ciphers only!
  ◆ Browser connects to the SGC-enabled server with a 40-bit cipher
  ◆ Server sends its SGC-tagged certificate to the browser
  ◆ Browser verifies the server certificate and detects that it is issued by a CA root certificate which is tagged to enable SGC
  ◆ Browser enables 128-bit ciphers and forces an SSL/TLS renegotiation with the stronger cipher suite.

TLS

◆ Transport Layer Security
◆ IETF-standardized evolution of SSL v3
  ◆ Updated MAC layer to HMAC
  ◆ Updated for newer algorithms
◆ Substantially similar to SSL v3
  ◆ Cleanup of SSL v3
  ◆ Aka SSL v3.1
◆ Standardized by RFC 2246 (Jan 1999)

Installing an SSL Web Server

◆ Create the key pair: public and private keys
  ◆ Each server includes programs to generate these
◆ Generate a CSR (Certificate Signing Request)
  ◆ This adds information about your server and yourself
◆ Send the CSR to a CA (Certificate Authority) and wait for your certificate
  ◆ For instance Verisign, or an internal CA
◆ Install the certificate

If you do not hold a certificate signed by a well-known CA, your clients’ browsers will display warning messages that the certificate is from an unknown CA

Demo: unknown certificate

Setup an SSL web server

◆ The student will set up an SSL web server using Netscape Enterprise Server
◆ Time: 1 hour
◆ p. 100

Setup SSL Client Authentication

◆ The student will set up SSL client authentication to protect access to the Intranet server
◆ Time: 1 hour
◆ p. 121

PKCS#11 Smartcard installation

◆ The student will connect and install a smartcard on his PC following the PKCS#11 standard
◆ Time: 15 min.
◆ p. 136

Playing the security officer...

◆ The student plays the security officer character
◆ Time: 30 min.
◆ p. 138

Revocation with client SSL authentication

◆ The student will revoke himself and interpret the results
◆ Time: 30 min.
◆ p. 141

IPSec: How it works?

IPSec

[Diagram: the OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) on two communicating hosts, with the security protocols placed at their layer: S/MIME and PGP at the application layer; SSL, TLS and SSH between the application and transport layers; IPSEC at the network layer; hardware link encryption at the data link layer]

IPSec will integrate PKI at layer 3. Remember!

IPSec introduction

◆ Stands for IP Security
◆ Provides site-to-site and/or host-to-site encryption and/or authentication
◆ Driven by the IETF
◆ Mandatory for IPv6, optional for IPv4

IPSec: two main “Blocks”

◆ IPSec deals with two main “blocks”
  ◆ IPSec - Encryption and Authentication
    ◆ ESP - Encapsulating Security Payload
    ◆ AH - Authentication Header
    ◆ Two modes: tunnel and transport
  ◆ IPSec - Key management
    ◆ IKE, SKIP, manual IPSEC

IPSec: ESP and AH

◆ AH (Authentication Header) is a protocol providing authentication only
◆ ESP (Encapsulating Security Payload) is an IPSEC protocol for packet encryption and encapsulation.
◆ Both protocols offer an integrity check with authentication

[Diagram: packet layouts]
  Original:    IP | TCP/UDP | Payload
  AH:          IP | AH | TCP/UDP | Payload
  ESP:         IP | ESP | TCP/UDP | Payload
  AH and ESP:  IP | AH | ESP | TCP/UDP | Payload

IPSec Tunnel mode

◆ Each datagram is captured by the security gateway, encapsulated inside an IPSEC packet and sent to a remote security gateway, which “decapsulates” it and sends the original datagram to its original destination
◆ The two security gateways create a ‘tunnel’ through which data is passed
◆ The two hosts (and their applications) are unaware of the encapsulation process

IPSec Tunnel mode

[Diagram: two hosts (Application / TCP, UDP / IP) send plain IP traffic to their IPSec gateways; between the gateways the protected traffic is carried as IP | AH/ESP | Protected Data]

IPSec Transport mode

◆ In transport mode, the two hosts serve as their own security gateway and encrypt their own data
◆ In this case, there is no need for a tunnel, nor for the double IP header
◆ The two hosts are aware of the encapsulation (since they perform it)

Transport mode

[Diagram: the two hosts (Application / TCP, UDP / IP) exchange protected traffic directly, with no gateway in between]
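As an added example (not part of the slides), the Python below builds the AH packet layouts of the “ESP and AH” slide in both of the modes just described and performs the receiver’s integrity check, following RFC 2402: the ICV is HMAC-SHA-1 truncated to 96 bits over the IP header with its mutable fields zeroed (TOS, flags and fragment offset, TTL, checksum), the AH header with the ICV field zeroed, and the payload. In transport mode the payload is the TCP segment and the AH next-header field says TCP; in tunnel mode the payload is the whole original datagram and the next-header field says IP-in-IP, which is the “double IP header” of the transport-mode slide. The key, addresses and TCP segment are constructed; the SPI is the slide’s 0x1234567; the IP header checksum is left at zero since AH excludes it anyway.

```python
"""IPsec AH (RFC 2402) over a constructed IPv4 packet, in transport and tunnel mode."""
import hashlib
import hmac
import struct
from typing import Tuple

AH_PROTO = 51
IP_PROTO_TCP = 6
IP_PROTO_IPIP = 4         # next header for a tunnelled IPv4 datagram
ICV_LEN = 12              # HMAC-SHA1-96


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header without options; the checksum is left zero (AH zeroes it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                       ip_to_bytes(src), ip_to_bytes(dst))


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields routers may change in transit so the ICV survives the trip."""
    b = bytearray(ip_hdr)
    b[1] = 0              # TOS
    b[6:8] = b"\0\0"      # flags + fragment offset
    b[8] = 0              # TTL
    b[10:12] = b"\0\0"    # header checksum
    return bytes(b)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Next Header | Payload Len | Reserved | SPI | Sequence Number | ICV."""
    payload_len = (12 + len(icv)) // 4 - 2    # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_icv(key: bytes, ip_hdr: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV = HMAC-SHA1 over immutable IP header + AH (ICV field zeroed) + payload, truncated to 96 bits."""
    data = zero_mutable(ip_hdr) + ah_header(next_header, spi, seq, bytes(ICV_LEN)) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_encapsulate(key: bytes, spi: int, seq: int, src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 12 + ICV_LEN + len(payload))
    icv = ah_icv(key, ip_hdr, next_header, spi, seq, payload)
    return ip_hdr + ah_header(next_header, spi, seq, icv) + payload


def transport_mode(key: bytes, spi: int, seq: int, src: str, dst: str, tcp_segment: bytes) -> bytes:
    """Host to host: IP | AH | TCP/UDP | Payload."""
    return ah_encapsulate(key, spi, seq, src, dst, IP_PROTO_TCP, tcp_segment)


def tunnel_mode(key: bytes, spi: int, seq: int, gw_src: str, gw_dst: str, inner_packet: bytes) -> bytes:
    """Gateway to gateway: outer IP | AH | original datagram (its own IP header included)."""
    return ah_encapsulate(key, spi, seq, gw_src, gw_dst, IP_PROTO_IPIP, inner_packet)


def ah_verify(key: bytes, packet: bytes) -> Tuple[bool, int, bytes]:
    """Receiver side: recompute the ICV and return (ok, next_header, payload)."""
    ip_hdr, rest = packet[:20], packet[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != AH_PROTO or len(rest) < 12:
        return False, 0, b""
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_len + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    expected = ah_icv(key, ip_hdr, next_header, spi, seq, payload)
    return hmac.compare_digest(icv, expected), next_header, payload


# Constructed sample SA key and TCP segment (not from the slides); SPI is the slide's value.
KEY = b"constructed-20-byte-key!"
SPI = 0x1234567
SEGMENT = b"\x04\xd2\x00\x50" + b"hello"     # source port 1234, destination port 80, data

if __name__ == "__main__":
    pkt = transport_mode(KEY, SPI, 1, "10.0.0.1", "10.0.0.2", SEGMENT)
    print("transport:", ah_verify(KEY, pkt))
    inner = ipv4_header("192.168.1.10", "192.168.2.20", IP_PROTO_TCP, len(SEGMENT)) + SEGMENT
    tun = tunnel_mode(KEY, SPI, 2, "203.0.113.1", "198.51.100.1", inner)
    print("tunnel   :", ah_verify(KEY, tun)[:2], len(tun), "bytes")
```

A TTL decremented by a router on the way does not break the check, while a single flipped payload bit, or a peer holding a different SA key, does; that is the “integrity check with authentication” both AH and ESP offer.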

Security Associations (SA)

◆ The SA is shared by the two communicating parties. It provides indications on the algorithms, the keys, the lifetimes and other algorithm-dependent information
◆ The SPI (Security Parameter Index) is a number and serves as an index to the SA
◆ Each SA has two SPIs: incoming & outgoing

SPI and SA (Basics)

[Diagram: the SPI 0x1234567 indexes an SA with the following parameters]
  SPI: 0x1234567
  Encryption (ESP): DES
  Authentication (AH): SHA-1
  DES Key: 0x1615613651365365326536
  SHA-1: 0x32676362736347672672644

IPSec Key management

◆ In order to create the SA, the two parties need to exchange all the security parameters, as well as the keys.
◆ Several methods of key management:
  ◆ Manual keying or manual IPSec (statically defining the SPI and SA)
  ◆ SKIP (Simple Key Interchange Protocol by SUN Microsystems)
  ◆ ISAKMP/OAKLEY or IKE: automatic key management using DH
  ◆ Photuris: alternative to IKE using DH

In practice, IKE and manual IPSec are prevalent

Manual IPSec

◆ On each gateway a specific SA is defined (according to S/WAN) for each remote gateway (SPI, cipher, keys, hash, etc.)
◆ Drawbacks:
  ◆ Very heavy management
  ◆ Static keys: less security
◆ Often used between different IPSec vendors
  ◆ Cisco to Check Point for instance

Manual IPSec

[Diagram: each of the two gateways holds a statically configured SA and SPI]

IKE Key management

◆ IKE is widely used (OSPF, IPSec, etc.)
◆ SA proposal and negotiation is done using IKE
◆ Peers may be authenticated using X.509 certificates
  ◆ Each IPSec gateway holds an X.509 certificate
  ◆ SA negotiation starts after cross authentication
◆ Alternate method for authentication:
  ◆ Authentication is provided by pre-shared secrets
  ◆ Drawback: heavy key management, etc.

IKE Key management using PKI

[Diagram: each gateway holds an X.509 certificate; the SA and SPI are negotiated with automatic key management]

Hardware implementation...

◆ Tamper-proof design
◆ Full integration of IPSec for high/low bandwidth encryption
◆ Centralized management
◆ Vendors
  ◆ Radguard, Cisco, Checkpoint, etc.

Demo: IPSEC with SecuRemote

Checkpoint architecture

[Diagram: a VPN-1 SecuRemote client reaches the corporate network through its ISP and the Internet, terminating on VPN-1 / FireWall-1; inside the corporate network sit a Certificate Authority, an LDAP-based directory server holding the X.509 certificates and the CRL, and the Account Management GUI]

Creation of the CA Certificate

• Create the CA server object in VPN-1 / FireWall-1
• Define where to retrieve CRLs
• Get the CA certificate
  • Obtain the CA certificate from a file
  • View the CA’s certificate
  • Save it; allow it to be read by another management station
• Create an LDAP server object for the CRL

Creation of Certificate for FireWall-1

• Define a nickname for the certificate
• Generate a PKCS#10 certificate request
• VIEW to display the certificate request
• Select the text in the window and copy it to the clipboard.

Creation of Certificate for FireWall-1

• GET the certificate from the CA

◆ Importing PKCS#12 certificates
  ◆ Import from a browser
  ◆ Save it in P12 format

Creation of Certificate for SecuRemote

Using Certificates with SecuRemote

◆ IKE Authentication.
◆ Specify a profile file (.EPF file) or select a hardware token from the drop-down list.
◆ Enter the password for accessing the profile.

Using Certificates with SecuRemote

◆ View the certificate by clicking on View Certificate
  ◆ User’s certificate
  ◆ CA’s certificate

IPSEC

◆ The student will set up an IPSec link between a client and a Checkpoint gateway using X.509 certificates
◆ Time: 1h30
◆ p. 155

CEP: How it works?

CEP

◆ Certificate Enrollment Protocol (CEP)
◆ A certificate management protocol jointly developed by Cisco Systems and VeriSign, Inc.
◆ CEP is an early implementation of Certificate Request Syntax (CRS), a standard proposed to the Internet Engineering Task Force (IETF).

CEP

◆ CEP specifies how a device communicates with a CA, including:
  ◆ how to retrieve the CA’s public key
  ◆ how to enroll a device with the CA
  ◆ how to retrieve a Certificate Revocation List (CRL)
◆ CEP uses RSA’s PKCS #7 and #10 as key component technologies

CEP, cont.

DEMO: CEP

Case Studies!

Encryption reference sites

◆ SSL
  ◆ http://www.openssl.org/
  ◆ http://developer.netscape.com/docs/manuals/security/sslin/index.htm
  ◆ http://www.ultranet.com/~fhirsch/Papers/wwwj/article.html
◆ SSH
  ◆ http://www.ssh.org/
  ◆ http://www.Datafellows.com/
  ◆ http://wwwfg.rz.uni-karlsruhe.de/~ig25/ssh-faq/

Encryption reference sites

◆ IPSEC
  ◆ http://web.mit.edu/network/isakmp/
  ◆ http://www.data.com/tutorials/bullet_online.html
◆ PGP
  ◆ http://www.pgp.com
  ◆ http://web.mit.edu/network/pgp.html
◆ S/MIME
  ◆ http://www.rsasecurity.com/standards/smime

Encryption reference sites

◆ Miscellaneous
  ◆ Crypto-Gram: http://www.counterpane.com/crypto-gram.html
  ◆ CryptoBytes: http://www.rsasecurity.com/rsalabs/cryptobytes/
  ◆ Crypto FAQ V.4.0: http://www.rsasecurity.com/rsalabs/faq/
  ◆ http://www.datelec.com/~maret

Open discussion...