Week 8: Hashes, Digital Signatures, Certificates, PKI 68-525 Encryption and Authentication Systems Summer 2010


Page 1: Week 8: Hashes, Digital Signatures, Certificates, PKI

Week 8: Hashes, Digital Signatures, Certificates, PKI

68-525 Encryption and Authentication Systems, Summer 2010

Page 2: Week 8: Hashes, Digital Signatures, Certificates, PKI

Topics

- Hash Algorithms
- Digital Signatures
- Certificates
- Public Key Infrastructure

Covers Chapters 12 and 13 and parts of 14 and 17

Page 3: Week 8: Hashes, Digital Signatures, Certificates, PKI

Hashes in General

- Take a variable-sized input and produce a fixed-size output
- Are one-way functions
- Are resistant to collisions
- Are at the heart of digital signatures
- Schneier: “One-way hash functions are the workhorses of modern cryptography.”

Page 4: Week 8: Hashes, Digital Signatures, Certificates, PKI

“At the heart of digital signatures”

Without a hash:

Page 5: Week 8: Hashes, Digital Signatures, Certificates, PKI

“At the heart of digital signatures”

With a hash:

Page 6: Week 8: Hashes, Digital Signatures, Certificates, PKI

Properties of One-Way Hash Functions

- They are one-way (duh!)
  - easy to take a message and compute the hash value
  - can’t take a hash value and recreate the message in reasonable time
- They are collision-free
  - it is not feasible to find two messages that hash to the same hash value
- Breaking a hash means showing that either or both of these properties don’t hold.

Page 7: Week 8: Hashes, Digital Signatures, Certificates, PKI

This Whole Collision-Free Thing Sounds Fishy

- I thought hash functions were many to one???
  - They are
- Then how can they be collision-free?
  - Many messages hash to the same hash value. Aren’t those collisions?

Page 8: Week 8: Hashes, Digital Signatures, Certificates, PKI

The Collision-Free Claim Explained

- Consider SHA-1
  - produces 160-bit hash. Every message hashes down to a 160-bit number
  - since there are an infinite number of messages that hash to each value, there are an infinite number of collisions
- But the number of different possible hashes is very large: 2^160 for a 160-bit hash
- You have to hash 2^(160/2) = 2^80 messages to find a collision
  - that’s the brute force way to break a cipher by finding collisions

Page 9: Week 8: Hashes, Digital Signatures, Certificates, PKI

General Structure of a Hash Function

Page 10: Week 8: Hashes, Digital Signatures, Certificates, PKI

A Brief History

- 1990: Ron Rivest invented MD4.
- 1992: Rivest improved MD4 to make MD5
- 1993: NSA published SHA based on MD5
- 1995: NSA found weakness in SHA and produced SHA-1
- Today: SHA-1 is most popular cipher but ...

Page 11: Week 8: Hashes, Digital Signatures, Certificates, PKI

Weakness in SHA-1

- SHA-1 is 160-bit
  - Birthday attack ~ 2^80 attempts
- 2005: Chinese cryptographers report technique for finding collisions in SHA-1 after 2^69 calculations
  - about 2000 times faster than brute force
- That kind of computational expense is starting to become manageable
  - Think about 56-bit DES keys broken by brute force
- So, it’s time to migrate away from SHA-1 in favor of SHA-224, 256, 384, and 512

Page 12: Week 8: Hashes, Digital Signatures, Certificates, PKI

Structure of SHA-512

Page 13: Week 8: Hashes, Digital Signatures, Certificates, PKI

So what goes on in each round?

Page 14: Week 8: Hashes, Digital Signatures, Certificates, PKI

Where do we go from SHA-###?

- SHA and all variants have same structure
  - just differ in sizes of data that are manipulated
- Some argue that a completely new approach is desired

Page 15: Week 8: Hashes, Digital Signatures, Certificates, PKI

Whirlpool – a different approach

Whirlpool was co-developed by one of the people behind Rijndael.

It uses a block cipher called W that is based on Rijndael to do the compression function

Features performance comparable with SHA-512

We’re not going to go into the details of how Whirlpool or the W function work; just let the following overview picture suffice.

Page 16: Week 8: Hashes, Digital Signatures, Certificates, PKI

Whirlpool Structure

Page 17: Week 8: Hashes, Digital Signatures, Certificates, PKI

HMAC (Hashed MAC): A Hybrid

- MAC is like a hash, except with a key
- So, why not apply a modern hash algorithm in combination with a key?
- That idea is called a Hashed MAC (HMAC)

Page 18: Week 8: Hashes, Digital Signatures, Certificates, PKI

HMAC uses hash function on the message:

HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]

- K+ is the key padded out to size
- opad = 5C in hex (repeated to be as long as the block)
- ipad = 36 in hex (repeated to be as long as the block)
- overhead is just 3 times what a single hash takes
- any hash function can be used
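The formula above, written out step by step and checked against Python's standard hmac module. This is an added example, not code from the slides; the helper names are assumptions, and the rule that a key longer than one block is hashed before padding comes from the HMAC specification (RFC 2104) rather than from the slide.

```python
import hashlib
import hmac  # standard library; used for cross-checks and constant-time compare

OPAD_BYTE = 0x5C  # opad from the slide, repeated to fill one hash block
IPAD_BYTE = 0x36  # ipad from the slide, repeated to fill one hash block


def pad_key(key: bytes, hash_name: str) -> bytes:
    """Build K+: the key brought to exactly one hash block in length."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:
        # RFC 2104: a key longer than the block is replaced by its hash.
        key = hashlib.new(hash_name, key).digest()
    return key.ljust(block_size, b"\x00")


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]"""
    k_plus = pad_key(key, hash_name)
    inner_key = bytes(b ^ IPAD_BYTE for b in k_plus)
    outer_key = bytes(b ^ OPAD_BYTE for b in k_plus)
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes,
               hash_name: str = "sha256") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)


if __name__ == "__main__":
    key = b"constructed shared key"          # constructed sample values
    message = b"constructed message body"
    tag = hmac_manual(key, message)
    print("tag:", tag.hex())
    print("matches stdlib:", tag == hmac.new(key, message, "sha256").digest())
    print("tampered message accepted:", verify_tag(key, message + b"!", tag))
```

Swapping hash_name for "sha1" or "sha512" changes only the block and digest sizes, which is the slide's point that any hash function can be used.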

Page 19: Week 8: Hashes, Digital Signatures, Certificates, PKI

HMAC

Page 20: Week 8: Hashes, Digital Signatures, Certificates, PKI

HMAC used for AH protocol

From http://www.unixwiz.net/techtips/iguide-ipsec.html

Page 21: Week 8: Hashes, Digital Signatures, Certificates, PKI

Examples: Applications of Hashes

- Digital Signatures
- Application Security

Page 22: Week 8: Hashes, Digital Signatures, Certificates, PKI

Digital Signatures

- Provides trust by providing proof of origin
  - verify author, date & time of signature
  - authenticate message contents
  - be verified by third parties to resolve disputes
- Incorporates
  - crypts
  - hashes
  - MACs

Page 23: Week 8: Hashes, Digital Signatures, Certificates, PKI

Digital Signature Requirements

- must depend on the message being signed
- must use information unique to sender
  - to prevent both forgery and denial
- must be relatively easy to produce
- must be relatively easy to recognize/verify
- must be computationally infeasible to forge
- must be store-able

Page 24: Week 8: Hashes, Digital Signatures, Certificates, PKI

Two Categories of Digital Signatures

- Direct
- Arbitrated

Page 25: Week 8: Hashes, Digital Signatures, Certificates, PKI

Direct Digital Signature

- involve only sender and receiver
- sender encrypts using his private key
- sender may then encrypt again using recipient’s public key
- security depends on sender’s private key

Page 26: Week 8: Hashes, Digital Signatures, Certificates, PKI

Arbitrated Digital Signatures

- Requires a trusted third party
- May use
  - Symmetric key: somewhat like Needham-Schroeder
  - PKE

Page 27: Week 8: Hashes, Digital Signatures, Certificates, PKI

Symmetric Approach: Needham-Schroeder Protocol

Page 28: Week 8: Hashes, Digital Signatures, Certificates, PKI

PKE Approach

- use a digital signature with a digital certificate:
  A->B: M || E_PRa[H(M)] || E_PRas[T || ID_A || PU_a]
- Here
  - M: message
  - E_PRa[H(M)]: signature
  - E_PRas[T || ID_A || PU_a]: certificate
- This particular signature is RSA’s approach
- Alternative: DSS (Digital Signature Standard)

Page 29: Week 8: Hashes, Digital Signatures, Certificates, PKI

Picture of the Certificate Part of the PKE Approach

Page 30: Week 8: Hashes, Digital Signatures, Certificates, PKI

Digital Signature Standard (DSS)

- the US Government’s approved signature scheme
- designed by NIST & NSA in early 90's
- revised in 1993, 1996 & then 2000
- uses the SHA hash algorithm
- algorithm is called Digital Signature Algorithm (DSA)

Page 31: Week 8: Hashes, Digital Signatures, Certificates, PKI

Digital Signature Algorithm (DSA)

- creates a 320 bit signature with 512-1024-bit equivalent security
- smaller and faster than RSA
- security depends on mathematics

Page 32: Week 8: Hashes, Digital Signatures, Certificates, PKI

Comparison: RSA vs. DSA

[Figure panels: what we already know; what we are learning now]

Page 33: Week 8: Hashes, Digital Signatures, Certificates, PKI

DSA Key Generation

- have shared global public key values (p,q,g):
  - choose q, a 160-bit number
  - choose a large prime p < 2^L
    - where L = 512 to 1024 bits and is a multiple of 64
    - and q is a factor of (p-1)
  - choose g = h^((p-1)/q)
    - where h < p-1, h^((p-1)/q) (mod p) > 1
- users choose private & compute public key:
  - choose x < q
  - compute y = g^x (mod p)

Page 34: Week 8: Hashes, Digital Signatures, Certificates, PKI

DSA Signature Creation

- to sign a message M the sender:
  - generates a random signature key k, k < q
  - k must be random, be destroyed after use, and never be reused
- then computes signature pair:
  r = (g^k (mod p)) (mod q)
  s = (k^-1 * (H(M) + x*r)) (mod q)
- sends signature (r,s) with message M

Page 35: Week 8: Hashes, Digital Signatures, Certificates, PKI

DSA Signature Verification

- having received M & signature (r,s)
- to verify a signature, recipient computes:
  w = s^-1 (mod q)
  u1 = (H(M) * w) (mod q)
  u2 = (r * w) (mod q)
  v = (g^u1 * y^u2 (mod p)) (mod q)
- if v = r then signature is verified

Page 36: Week 8: Hashes, Digital Signatures, Certificates, PKI

Examples: Applications of Hashes

- Digital Signatures
- Application Security

Page 37: Week 8: Hashes, Digital Signatures, Certificates, PKI

Hash Example: Bookseller

Bookseller: http://www.deadleprechaun.com/Book/

- Two security issues:
  - Security of account names / passwords in the database
    - cure by storing hash of password in db
  - Transmitting password to server
    - cure by using SSL

Page 38: Week 8: Hashes, Digital Signatures, Certificates, PKI

What is SSL?

- Short for Secure Sockets Layer
- is a protocol developed in 1996 by Netscape
- purpose: transmit private documents over http
- works by using a shared key to encrypt data over a web connection
- the shared key is sent from the client to the server using the server’s public key
- URLs that require SSL begin with https

Page 39: Week 8: Hashes, Digital Signatures, Certificates, PKI

The Protocol

[Figure: client side and server side, exchanging Server Digital ID, Client Digital ID and Session key]

- Client initiates a connection: Hello?
- Server responds by sending the client its Digital ID. The server may also request the client’s Digital ID for client authentication.
- Client verifies the server’s Digital ID. If requested by the server, the client sends its Digital ID.
- When the authentication is complete, the client sends the server a session key encrypted using the server’s public key.
- Once a session key is established, secure communications commence between client and server

Page 40: Week 8: Hashes, Digital Signatures, Certificates, PKI

How does SSL work? (Simplified View)

Alice (Client) -> Bob (Server): Let’s talk securely. Here are the protocols and ciphers I understand.

Bob (Server) -> Alice (Client): I choose the protocols and ciphers. Here is my public key and some other stuff to make you believe it’s really my key.

Alice (Client) -> Bob (Server): Here is a fresh key encrypted with your public key so that only you can decipher it

Page 41: Week 8: Hashes, Digital Signatures, Certificates, PKI

Problem

How does Alice actually know she is talking with Bob?

There could be a man in the middle

[Figure: Client, MIM and Web Server, connected by HTTP with SSL/TLS]

Page 42: Week 8: Hashes, Digital Signatures, Certificates, PKI

Potential Solutions

- Alice and Bob could physically exchange keys
  - impractical
- Other choice: take advantage of the “some other stuff to make you believe it’s really my key.”

Page 43: Week 8: Hashes, Digital Signatures, Certificates, PKI

What’s the “some other stuff”?

- Someone Alice trusts could vouch to her for Bob and Bob’s key
  - A third party can certify Bob’s key in a way that convinces Alice.
- That is what’s called a certificate.

Page 44: Week 8: Hashes, Digital Signatures, Certificates, PKI

What is a certificate?

A certificate is a digitally-signed statement that binds a public key to some identifying information.

- It’s the marriage of a name and a key
- It’s like any other id: driver’s license, passport, etc.
  - Anything that binds together rights and identity

Page 45: Week 8: Hashes, Digital Signatures, Certificates, PKI

What is a certificate?

to summarize, a certificate is just a statement by an issuer about a subject

[Figure: Issuer, Subject]

Page 46: Week 8: Hashes, Digital Signatures, Certificates, PKI

What’s in a certificate?

- This is an incomplete list:
  - The domain for which the certificate was issued.
  - The legal owner of the certificate.
  - The physical location of the owner.
  - The validity dates of the certificate.
  - The server’s public key.
- We’ll look at this in more detail later.

Page 47: Week 8: Hashes, Digital Signatures, Certificates, PKI

Why are certs believable?

This is the idea of functional equivalence

- Just as in the pen-and-paper world,
  - We need to believe it’s hard to forge the digital signature on a signed document
  - We need to trust the issuer/signer not to lie to us

Page 48: Week 8: Hashes, Digital Signatures, Certificates, PKI

So, how does SSL with certs work?

Alice -> Bob: Let’s talk securely. Here are the protocols and ciphers I understand.

Bob -> Alice: I choose this protocol and ciphers. Here is my public key and a certificate to convince you that the key really belongs to me. [Cert]

If Alice trusts the cert, she can send Bob a session key, encrypted with his public key, and the two can start talking.

Page 49: Week 8: Hashes, Digital Signatures, Certificates, PKI

Getting a certificate

- How does Bob get a certificate for his key?
- He goes to a Certificate Authority (CA) that issues certificates and asks for one by filing a CSR (Certificate Signing Request)
- The CA issues Bob a certificate for his public key.
  - CA is the issuer
  - Bob is the subject

Page 50: Week 8: Hashes, Digital Signatures, Certificates, PKI

OK, so how do I create a CSR?

A CSR and the private key are created simultaneously.

Some web servers (including IIS) have wizards to create them

Alternatively, can use openssl

Page 51: Week 8: Hashes, Digital Signatures, Certificates, PKI

OK, so how do I create a CSR?

- Typically, you will be prompted to enter the following information to generate the Private Key and CSR pair from the web server:
  - Organization Name
  - Organizational unit
  - Country Code
  - State or Province
  - Locality
  - Common Name

Page 52: Week 8: Hashes, Digital Signatures, Certificates, PKI

Certificate Examples

- OpenSSL
- Microsoft IIS
- A third-party web host

Page 53: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: openssl

- Generate key pair
    openssl genrsa -des3 -out mykey.key 2048
- Generate CSR
    openssl req -new -key mykey.key -out mykey.csr
- Parse it:
    openssl asn1parse -in mykey.csr
- Submit mykey.csr to a certificate authority

Page 54: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS

Page 55: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS

Page 56: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS

Page 57: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS

Page 58: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS

www.klumpdump.com

Page 59: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS

Page 60: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS

Page 61: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS

Here’s a Certificate Signing Request

Page 62: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS: Submit the request

Submit the request to a certification authority and get back a response.

Here’s an example CA:

http://www.rapidssl.com/ssl-certificate-products/free-ssl/freessl.htm

Page 63: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS: Submit the request

Page 64: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS: Submitting the request

This is as far as we can take this example, since the common name is not actually a domain name.

However, if we could continue, the next step would be to actually install the cert on the machine ...

Page 65: Week 8: Hashes, Digital Signatures, Certificates, PKI

Alternative: Self-signed keys

Here’s how you can use openssl to generate a self-signed key:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This works for openssl cert requests.

Page 66: Week 8: Hashes, Digital Signatures, Certificates, PKI

Self-signing an IIS Cert Request

Follow the procedure laid out in this document

Page 67: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS: Installing the CERT

Page 68: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS: Backing up your private key

- It is very important to back up your private key.
- Your certificate is no longer valid if
  - it expires
  - your domain (common) name changes
  - you lose your private key
- So, it is important to back it up

Page 69: Week 8: Hashes, Digital Signatures, Certificates, PKI

Example: Microsoft IIS: Backing up your private key

This site provides some good directions:

http://www.thawte.com/ssl-digital-certificates/technical-support/backup.html

Page 70: Week 8: Hashes, Digital Signatures, Certificates, PKI
Page 71: Week 8: Hashes, Digital Signatures, Certificates, PKI

Another Example: Bluehost

- My websites are hosted by Bluehost: www.bluehost.com
- I generated a certificate for one of my sites using the host’s built-in tools

Page 72: Week 8: Hashes, Digital Signatures, Certificates, PKI


Contents of the private key

Page 73: Week 8: Hashes, Digital Signatures, Certificates, PKI

This is what a certificate request looks like: Generated Certificate Signing Request

After creating this CSR, I pay Bluehost to submit it to RapidSSL

Page 74: Week 8: Hashes, Digital Signatures, Certificates, PKI

Closer look at CSR

Page 75: Week 8: Hashes, Digital Signatures, Certificates, PKI

This is what a certificate looks like

Page 76: Week 8: Hashes, Digital Signatures, Certificates, PKI

Where are we?

- We learned how SSL works
- We learned how certificates are exchanged in SSL
- We learned how to get a certificate

Now ...

- We will learn how trust is established by a certificate
- will discuss the topic of public key infrastructure

Page 77: Week 8: Hashes, Digital Signatures, Certificates, PKI

Alternative: Self-signed keys

Here’s how you can use openssl to generate a self-signed key:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This works only for openssl requests.

Page 78: Week 8: Hashes, Digital Signatures, Certificates, PKI

Trusting a certificate

- The following two statements are equivalent:
  - Alice will believe Bob’s key belongs to Bob if Alice believes the certificate Bob gives her for his key.
  - Alice will believe Bob’s key belongs to Bob if Alice trusts the issuer of Bob’s certificate to make key-name binding statements
- How can we convince Alice to trust Bob’s CA?

Page 79: Week 8: Hashes, Digital Signatures, Certificates, PKI

How can we establish Alice’s trust?

- Of course, Bob’s CA could sit down with Alice and have a chat
  - dumb
- Someone Alice trusts could vouch to her for Bob’s CA and Bob’s CA’s key
  - Where does it stop?
- Alice has to implicitly trust some set of keys
  - Once she does that, those keys can introduce others to her.

Page 80: Week 8: Hashes, Digital Signatures, Certificates, PKI

Building Trust Through a Hierarchy of Keys

- In the model used by SSL/TLS, CAs are arranged in a hierarchy
  - Alice, and everyone else, trusts one or more “root CA” that live at the top of the tree
- This tree structure is an example of a Public Key Infrastructure (PKI)

Page 81: Week 8: Hashes, Digital Signatures, Certificates, PKI

Certificate Authorities

- A certificate authority (CA) guarantees the connection between a key and another CA or an “end entity.”
- An end entity is:
  - A person
  - A role (“VP of sales”)
  - An organization
  - A pseudonym
  - A piece of hardware or software
  - An account

Page 82: Week 8: Hashes, Digital Signatures, Certificates, PKI

CA Hierarchies

- CAs can certify other CAs or “end entities”
- Certificates are links in a tree of EEs & CAs

[Figure: tree of Root CA, CA and EE nodes]

Page 83: Week 8: Hashes, Digital Signatures, Certificates, PKI

Back to the main question: Does Alice trust Bob’s key?

Alice trusts Bob’s key if there is a chain of certificates from Bob’s key to a root CA that Alice implicitly trusts

[Figure: certificate chains made of EE, CA and Root CA nodes]

It all comes down to this:

Given an end-entity certificate, does there exist a cryptographically valid chain of certificates linking it to a trusted root certificate?

Page 84: Week 8: Hashes, Digital Signatures, Certificates, PKI

How do we chain certificates?

- How do we determine whether two certificates chain together?
  - Match by name, not by key
  - Specifically, match by distinguished name
- Certificates are linked together by distinguished name

Page 85: Week 8: Hashes, Digital Signatures, Certificates, PKI

What’s in a distinguished name?

The structure of a name is based on the X.509 standard

The X.509 standard is derived from the old X.500 standard for uniquely identifying every telephone entity in the world

In the X.500 model, everything has a single, unique, global, assigned name

Page 86: Week 8: Hashes, Digital Signatures, Certificates, PKI

The X.500 Model

[Figure: X.500 naming tree, by level]

Country: C=US
State or Province: SP = IA, SP = IL, SP = IN
Locality: L=Romeoville, L=Joliet
Organization: O=Lewis University, O=Joliet Jackhammers

Page 87: Week 8: Hashes, Digital Signatures, Certificates, PKI

Makeup of a Distinguished Name

- Name is unique within the scope of the CA’s list of names
- Public CAs (e.g. Verisign) typically set
  - C = CA Country
  - O = CA Name
  - OU = Certificate type/class or organizational unit
  - CN = web site domain name
  - E = email address

Page 88: Week 8: Hashes, Digital Signatures, Certificates, PKI

Key Fields in a Certificate

- The core fields of an X.509 certificate are
  - The subject public key
  - The subject Distinguished Name
  - The issuer Distinguished Name
- What’s missing here?
  - The issuer’s public key is not present in the certificate.
  - You can’t verify the signature on the cert without finding a parent cert!

Page 89: Week 8: Hashes, Digital Signatures, Certificates, PKI

Again: This is how a certificate looks

Page 90: Week 8: Hashes, Digital Signatures, Certificates, PKI

So, how do you build the chain?

- Assume you’re a client: something that received an end-entity certificate and wants to verify it.
  - Our task is to build a cert chain from that end-entity cert to one of our trusted roots
- How do we do that?
  - We start with our EE cert, and
  - we match Issuer DN in the child to Subject DN in the parent

[Figure: two certificates, each with Issuer Name and Subject Name fields]
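The chain-building walk described on the last few slides, as an added example that is not part of the original deck: match Issuer DN to Subject DN, then check the child's signature with the parent's public key before accepting the link. The Cert class, the names and the textbook-RSA keys built from small known primes are all constructed for the illustration and are far too weak for real use.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key below


def toy_rsa_key(p, q):
    """Textbook RSA from two known primes -> (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


@dataclass
class Cert:
    subject: str        # subject Distinguished Name
    issuer: str         # issuer Distinguished Name
    public_n: int       # subject public key (RSA modulus)
    signature: int = 0  # issuer's signature over the three fields above

    def digest(self, n):
        tbs = f"{self.subject}|{self.issuer}|{self.public_n}".encode()
        return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n


def issue(subject, subject_n, issuer, issuer_n, issuer_d):
    cert = Cert(subject, issuer, subject_n)
    cert.signature = pow(cert.digest(issuer_n), issuer_d, issuer_n)
    return cert


def signed_by(child, parent):
    """True if the child's signature verifies under the parent's public key."""
    return pow(child.signature, E, parent.public_n) == child.digest(parent.public_n)


def build_chain(ee, pool, trusted_roots, max_depth=8):
    """Walk Issuer DN -> Subject DN from ee; return [ee, ..., root] or None."""
    if trusted_roots.get(ee.subject) == ee:
        return [ee]                       # the cert is itself a trusted root
    chain = [ee]
    for _ in range(max_depth):            # depth limit also stops issuer loops
        current = chain[-1]
        root = trusted_roots.get(current.issuer)
        if root is not None and signed_by(current, root):
            return chain + [root]
        parent = next((c for c in pool
                       if c.subject == current.issuer and signed_by(current, c)), None)
        if parent is None:
            return None                   # no parent whose key verifies this cert
        chain.append(parent)
    return None


def demo():
    """Constructed certificates: one genuine chain, one that matches by name only."""
    m61, m89, m107, m127 = (2 ** e - 1 for e in (61, 89, 107, 127))  # known primes
    root_n, root_d = toy_rsa_key(m61, m89)
    ca_n, ca_d = toy_rsa_key(m89, m107)
    ee_n, _ = toy_rsa_key(m107, m127)
    other_n, other_d = toy_rsa_key(m61, m127)   # a key the root never certified
    ROOT, CA, EE = "CN=Example Root CA", "CN=Example Issuing CA", "CN=www.example.test"
    root = issue(ROOT, root_n, ROOT, root_n, root_d)   # self-signed trusted root
    ca = issue(CA, ca_n, ROOT, root_n, root_d)
    ee = issue(EE, ee_n, CA, ca_n, ca_d)
    lookalike_ca = issue(CA, other_n, ROOT, other_n, other_d)  # same DNs, wrong signer
    lookalike_ee = issue(EE, ee_n, CA, other_n, other_d)
    roots, pool = {ROOT: root}, [lookalike_ca, ca]
    return build_chain(ee, pool, roots), build_chain(lookalike_ee, pool, roots)


if __name__ == "__main__":
    good, bad = demo()
    print("genuine chain:", " -> ".join(c.subject for c in good))
    print("name-only chain:", bad)
```

The second chain has the right names at every level and is still rejected, because the name match only finds candidate parents and the signature check decides. A full validator also checks validity dates and revocation status, which the slides list separately.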

Page 91: Week 8: Hashes, Digital Signatures, Certificates, PKI

Who is a trusted root?

- Who do I trust to be roots at the top of the cert chain?
- In theory, “anyone you want”
- In practice, trusted roots come from two sources
  - They’re baked into your web browser or operating system
  - They’re pushed onto your enterprise-managed desktop

Page 92: Week 8: Hashes, Digital Signatures, Certificates, PKI

Trusted Root Certificates

- Can see these
  - in IE by going to Tools >> Internet Options, switching to the Content tab, and then clicking on Publishers >> Trusted Root Certification Authorities
  - in Firefox by going to Tools >> Options >> Advanced >> Encryption >> View Certificates >> Authorities

Page 93: Week 8: Hashes, Digital Signatures, Certificates, PKI

What’s in an X.509 Certificate?

Page 94: Week 8: Hashes, Digital Signatures, Certificates, PKI

X.509 Extensions

Page 95: Week 8: Hashes, Digital Signatures, Certificates, PKI

Certificate Revocation: Undoing a certificate

- A CA revokes a certificate by placing the cert on its Certificate Revocation List (CRL)
- Relying parties are expected to check CRLs before they rely on a certificate
- This has problems:
  - Not issued frequently enough to be effective against a serious attack
  - Expensive to distribute (size & bandwidth)
  - Vulnerable to simple DOS attacks
- Better: OCSP (Online Certificate Status Protocol)
  - Query servers for current status of a cert
  - Like PGP key directory

Page 96: Week 8: Hashes, Digital Signatures, Certificates, PKI

Summary

- Hash functions and how they work
- Digital signature approaches
  - RSA
  - DSA
- Public Key Certificates
- Public Key Infrastructure