Strong Cryptographic Infrastructureand its Applications

Dr Lucas Hui

Center for Information Security & Cryptography

Department of Computer Science & Information Systems

The University of Hong Kong

Tel: 2859-2190

Fax: 2559-8447

hui@csis.hku.hk

Workshop on Strong Cryptographic Infrastructure

December 17, 1998

Content

1. Use of Cryptography (in electronic commerce activities, Internet services)

2. Cryptographic Library

3. Public Key Infrastructure

4. Applications

5. Cryptographic Infrastructure

6. Relations of 2,3,4,5

7. The SCI project in HKUCSIS

Use of Cryptography (in E.C. etc)

• Hash functions (SHA, MD5)

• Symmetric key crypto-system (DES, DES3)

• Public Key Crypto-system– Digital signature– Data Encryption– Advanced usage : double hashing, group

signature

• In real usage, techniques are combined

Public Key Crypto-system• A has public key Apub, & private key Aprv

• From Apub, almost impossible to find Aprv

• Apub is known to all; Aprv is secret to A

A : Aprv

Aprv

Apub

M MC

Apub

ApubAprv

MC'M

Digital Signature using Public Key Crypto-systems

• A sends a signed message M to B– A sends Aprv(M) to B, B decrypts with Apub

A : M BC

Apub

Aprv

MCB :

Data Encryption using Public Key Crypto-systems

• A sends a confidential message M to B– A sends Bpub(M) to B, B decrypts with Bprv

A : M BC

Bprv

Bpub

MCB :

Cryptographic Library• Provide cryptographic algorithms such as

RSA

• Provide interface to add new cryptographic algorithms easily

• Provide other functions

• Q : How to set up/manage the private/public keys?

• A : Using a Public Key Infrastructure

Problem with Pub Key distribution• A talks to B, Hacker H attacks as follows:

– To A, H pretends B. To B, H pretends A– H sees secrets between A and B, and can

modify the messages

A

B

Hpub "B' public key"

H

HH'pub"A's public key"

Solution to Pub Key distribution• Need : when B gives Bpub to A, a trusted

third party (Certification Authority, CA) is needed to endorse Bpub is correct

A

H

"B's public key"

B

A Hpub

CAprv

CAprv

Bpub Bcert: B'sPublic KeyCertificate

"B's public key"

Certification Authority• A wants to get B’s public key Bpub. How?

• Method 1 : use a repository

• Method 2 : B gives Bpub to A, which is endorsed by a trusted-third-party, the CA (Certification Authority). This is B’s public key certificate BCert, which is Bpub signed by CA’s private key CAprv

• CA’s public key, CApub, is known to all

• A use CApub to verify that BCert is correct

X.509 Public Key Infrastructure (PKIX)

• Set up, manage, and terminate usage of keys (private/public), & public key certificates– Registration & Initialization– Certification (signing of a certificate)– Key pair recovery– Key Generation, Update– Cross-certification– Key Revocation (managing CRLs)

Note: Make use of Cryptographic functions

Cross Certification

CA1

BA"B's public key"

CA2pub

CA1prv CA2prv

Bpub

XCert: CA1issues to

CA2

CA2BCert: CA2issues to B

Cross-Certification

• 2 CAs: CA1, CA2, & 2 persons: A, B.

• CA2 issues a public key Cert BCert to B (Bpub signed by CA2’s private key)

• CA1 issues a Cross-Cert, XCert, to CA2 (CA2’s public key signed by CA1’s private key)

• A trusts CA1 (A knows CA1’s public key)

• B sends BCert and XCert to A

• A can now verify B’s public key in 2 steps.

Applications• Examples: E. Commerce, E. Banking,

Secure Email, Secure Workflow (in schools, etc)

• Using a transaction protocol which makes use of cryptographic algorithms from a Cryptographic Library

• Use PKIX for subject (customers, etc) identity and encryption key management

Cryptographic InfrastructureApplication

CryptographicInfrastructure

Interface toDatabase/TransactionSystems

NetworkCommunicationInterface

Public KeyCertificateAuthority SCL

AdvancedCryptographicModules

(Application Part)

Security Protocol

(Basic Part)

Strong Cryptographic Infrastructure Project (SCI) in HKUCSIS

• What does Strong mean?– Algorithms are “Strong” (e.g. RSA-1024)– “Strong” in implementation (e.g. Random No.)– New encryption paradigm (elliptic curves)

• supported by ISF

• available to users in HK

• Start with Strong Cryptographic Library (SCL)

• Beta version expected in March 1999

SCI project team• Dr Lucas Hui (Chief Designer)

• Dr K.P. Chow (Project Manager)

• Dr W.W. Tsang, Prof Francis Chin, Prof G. Marsaglia

• Dr C.F. Chong, Dr H.W. Chan

• Ms Vivien Chan, Mr Marcus Lee, Mr K.M. Chan

• Mr Doug Kwan, Mr Luke Lam, Mr Henry Fung, Ms Taellus Lo