Dartmouth Authentication Factors
Download
Report
Transcript Dartmouth Authentication Factors
PKI: Public Key Infrastructure
– tell me in plain English AND THEN
deep technical how PKI works
Mostly borrowed & updated from Steve Lamb in Microsoft Land….
Scott Rea, PKI Architect, Dartmouth College + HEBCA
Objectives
•
•
•
•
Demystify commonly used terminology
Explain how PKI works
Get you playing with PKI in the lab
Make some simple recommendations
2
Agenda
•
•
•
•
Foundational Concept
PKI and Signatures
Recommendations
Reference material
– Common Algorithms
3
What can PKI enable?
Secure Email – sign and/or encrypt messages
Secure browsing – SSL – authentication and encryption
Secure code – authenticode
Secure wireless – PEAP & EAP-TLS
Secure documents – Rights Management
Secure networks – segmentation via IPsec
Secure files – Encrypted File System(EFS)
4
Foundational Concepts
5
Encryption vs. Authentication
• Encrypted information cannot be
automatically trusted
• You still need authentication
– Which we can implement using encryption, of
course
6
Assets
• What we are securing?
– Data
– Services (i.e. business etc. applications or their
individually accessible parts)
• This session is not about securing:
– People (sorry), cables, carpets, typewriters and
computers (!?)
• Some assets are key assets
– Passwords, private keys etc…
7
Digital Security as Extension of
Physical Security of Key Assets
Strong Physical
Security of KA
Weak Physical
Security of KA
Strong Physical
Security of KA
Strong Digital
Security
Strong Digital
Security
Weak Digital
Security
Good Security
Everywhere
Insecure
Environment
Insecure
Environment
8
Remember CP and CPS!
• “The Certification Practice & Certification
Practice Statement (CP/CPS) is a formal
statement that describes who may have
certificates, how certificates are generated
and what they may be used for.”
• http://www.ietf.org/rfc/rfc3647.txt
9
Symmetric Key Cryptography
Plain-text input
“The quick
brown fox
jumps over
the lazy
dog”
Cipher-text
Plain-text output
“AxCv;5bmEseTfid3)
fGsmWe#4^,sdgfMwi
r3:dkJeTsY8R\s@!q3
%”
“The quick
brown fox
jumps over
the lazy
dog”
Encryption
Decryption
Same key
(shared secret)
Symmetric Pros and Cons
• Strength:
– Simple and really very fast (order of 1000 to
10000 faster than asymmetric mechanisms)
• Super-fast (and somewhat more secure) if done in
hardware (DES, Rijndael)
• Weakness:
– Must agree the key beforehand
– Securely pass the key to the other party
11
Public Key Cryptography
• Knowledge of the encryption key doesn’t
give you knowledge of the decryption key
• Receiver of information generates a pair of
keys
– Publish the public key in a directory
• Then anyone can send him messages that
only she can read
12
Public Key Encryption
Clear-text Input
“The quick
brown fox
jumps over
the lazy
dog”
Cipher-text
Clear-text Output
“Py75c%bn&*)9|fDe^
bDFaq#xzjFr@g5=&n
mdFg$5knvMd’rkveg
Ms”
“The quick
brown fox
jumps over
the lazy
dog”
Encryption
public
Recipient’s
public key
Decryption
Different keys
private
Recipient’s
private key
Public Key Pros and Cons
• Weakness:
– Extremely slow
– Susceptible to “known ciphertext” attack
– Problem of trusting public key (see later on
PKI)
• Strength
– Solves problem of passing the key
– Allows establishment of trust context between
parties
14
Hybrid Encryption (Real World)
Launch key
for nuclear
missile
“RedHeat”
is...
Symmetric
encryption
(e.g. DES)
User’s
public key
(in certificate)
RandomlyGenerated
symmetric
“session” key
*#$fjda^j
u539!3t
t389E *&\@
5e%32\^kd
Symmetric key
encrypted asymmetrically
(e.g., RSA)
Digital
Envelope
As above, repeated
for other recipients
or recovery agents
Digital
Envelope
Other recipient’s or
agent’s public key
(in certificate)
in recovery policy
RNG
15
Hybrid Decryption
*#$fjda^j
u539!3t
t389E *&\@
5e%32\^kd
Launch key
for nuclear
missile
“RedHeat”
is...
Symmetric
decryption
(e.g. DES)
Symmetric
“session” key
Recipient’s
private key
Asymmetric
decryption of
“session” key (e.g. RSA)
Digital envelope
contains “session”
key encrypted
using recipient’s
public key
Digital
Envelope
16
Session key must be
decrypted using the
recipient’s private
key
PKI and Signatures
17
Public Key Distribution Problem
• We just solved the problem of symmetric key
distribution by using public/private keys
• But…
• Scott creates a keypair (private/public) and
quickly tells the world that the public key he
published belongs to Bill
• People send confidential stuff to Bill
• Bill does not have the private key to read them…
• Scott reads Bill’s messages
18
Eureka!
• We need PKI to solve that problem
• And a few others…
19
Creating a Digital Signature
Message or File
This is a
really long
message
about
something
…
128 bits
Message Digest
Digital Signature
Jrf843kjfgf*
£$&Hdif*7o
Usd*&@:<C
HDFHSD(**
Py75c%bn&*)9|fDe^b
DFaq#xzjFr@g5=&n
mdFg$5knvMd’rkveg
Ms”
Hash
Function
(SHA, MD5)
Calculate a short
message digest from
even a long input
using a one-way
message digest
function (hash)
Asymmetric
Encryption
private
Signatory’s
private key
Verifying a Digital Signature
Digital Signature
Jrf843kjf
gf*£$&Hd
if*7oUsd
*&@:<CHD
FHSD(**
Asymmetric
decryption
(e.g. RSA)
Py75c%bn&*)
9|fDe^bDFaq
#xzjFr@g5=
&nmdFg$5kn
vMd’rkvegMs”
? == ?
Signatory’s
public key
Everyone has
access to trusted
public key of the
signatory
Are They Same?
Same hash function
(e.g. MD5, SHA…)
This is a
really long
message
about something…
21
Py75c%bn&*)
9|fDe^bDFaq
#xzjFr@g5=
&nmdFg$5kn
vMd’rkvegMs”
Original Message
Word About Smartcards
• Some smartcards are “dumb”, i.e. they are only a
memory chip
– Not recommended for storing a private key used in a
challenge test (verifying identity)
– Anyway, they are still better than leaving keys on a
floppy disk or on the hard drive
• Cryptographically-enabled smartcards are more
expensive but they give much more security
–
–
–
–
Private key is secure and used as needed
Additional protection (password, biometrics) is possible
Hardware implements some algorithms
Self-destruct is possible 22
Recommendations
• Don’t be scared of PKI!
• Set up a test environment to enable you to
“play”
• Minimise the scope of your first
implementation
• Read up on CP & CPS
• Document the purpose and operating
procedures of your PKI
23
Summary
• Cryptography is a rich and amazingly
mature field
• We all rely on it, everyday, with our lives
• Know the basics and make good choices
avoiding common pitfalls
• Plan your PKI early
• Avoid very new and unknown solutions
• Certificate Policy
• Certification Practises statement
24
References
• Visit http://www.pki-page.org/
• Read sci.crypt (incl. archives)
• For more detail, read:
–
–
–
–
–
–
–
–
Cryptography: An Introduction, N. Smart, McGraw-Hill, ISBN 0-07-709987-7
Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0-47122357-3
Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1-58053-642-5
(to be published May 2005, see
http://www.esecurity.ch/Books/cryptography.html)
Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471-11709-9
Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0-84938523-7, www.cacr.math.uwaterloo.ca/hac (free PDF)
PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3
Foundations of Cryptography, O. Goldereich,
www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html
Cryptography in C and C++, M. Welschenbach, Apress,
ISBN 1-893115-95-X (includes code samples CD)
25
Thanks to Rafal Lukawiecki and Steve Lamb for
providing some of the content for this
presentation deck – their contact details are as
follows…
[email protected]
[email protected]
26
Common Algorithms
27
DES, IDEA, RC2, RC5, Twofish
• Symmetric
• DES (Data Encryption Standard) is still the most popular
– Keys very short: 56 bits
– Brute-force attack took 3.5 hours on a machine costing US$1m in
1993. Today it is done real-time
– Triple DES (3DES) more secure, but better options about
– Just say no, unless value of data is minimal
• IDEA (International Data Encryption Standard)
– Deceptively similar to DES, and “not” from NSA
– 128 bit keys
• RC2 & RC5 (by R. Rivest)
– RC2 is older and RC5 newer (1994) - similar to DES and IDEA
• Blowfish, Twofish
– B. Schneier’s replacement for DES, followed by Twofish, one of the
NIST competition finalists
28
Rijndael (AES)
• Standard replacement for DES for US government, and,
probably for all of us as a result…
– Winner of the AES (Advanced Encryption Standard) competition
run by NIST (National Institute of Standards and Technology in
US) in 1997-2000
– Comes from Europe (Belgium) by Joan Daemen and Vincent
Rijmen. “X-files” stories less likely (unlike DES).
• Symmetric block-cipher (128, 192 or 256 bits) with
variable keys (128, 192 or 256 bits, too)
• Fast and a lot of good properties, such as good immunity
from timing and power (electric) analysis
• Construction, again, deceptively similar to DES (S-boxes,
XORs etc.) but really different
29
CAST and GOST
• CAST
–
–
–
–
Canadians Carlisle Adams & Stafford Tavares
64 bit key and 64 bit of data
Chose your S-boxes
Seems resistant to differential & linear cryptanalysis and only way
to break is brute force (but key is a bit short!)
• GOST
– Soviet Union’s “version” of DES but with a clearer design and
many more repetitions of the process
– 256 bit key but really 610 bits of secret, so pretty much “tank
quality”
– Backdoor? Who knows…
30
Careful with Streams!
• Do NOT use a block cipher in a loop
• Use a crypto-correct technique for treating
streams of data, such as CBC (Cipher Block
Chaining)
– For developers:
• .NET Framework implements it as
ICryptoTransform on a crypto stream with any
supported algorithm
31
RC4
• Symmetric
– Fast, streaming encryption
• R. Rivest in 1994
– Originally secret, but “published” on sci.crypt
• Related to “one-time pad”, theoretically most
secure
• But!
• It relies on a really good random number generator
– And that is the problem
• Nowadays, we tend to use block ciphers in modes
of operation that work for streams
32
RSA, DSA, ElGamal, ECC
• Asymmetric
– Very slow and computationally expensive – need a computer
– Very secure
• Rivest, Shamir, Adleman – 1978
– Popular and well researched
– Strength in today’s inefficiency to factorise into prime numbers
– Some worries about key generation process in some implementations
• DSA (Digital Signature Algorithm) – NSA/NIST thing
– Only for digital signing, not for encryption
– Variant of Schnorr and ElGamal sig algorithm
• ElGamal
– Relies on complexity of discrete logarithms
• ECC (Elliptic Curve Cryptography)
– Really hard maths and topology
– Improves RSA (and others)
33
Quantum Cryptography
• Method for generating and passing a secret key or a
random stream
– Not for passing the actual data, but that’s irrelevant
• Polarisation of light (photons) can be detected only in a
way that destroys the “direction” (basis)
– So if someone other than you observes it, you receive nothing
useful and you know you were bugged
• Perfectly doable over up-to-120km dedicated long fibreoptic link
– Seems pretty perfect, if a bit tedious and slow
– Practical implementations still use AES/DES etc. for actual
encryption
• Don’t confuse it with quantum computing, which won’t be
with us for at least another 50 years or so, or maybe
longer…
34
MD5, SHA
• Hash functions – not encryption at all!
• Goals:
– Not reversible: can’t obtain the message from its hash
– Hash much shorter than original
– Two messages won’t have the same hash
• MD5 (R. Rivest)
– 512 bits hashed into 128
– Mathematical model still unknown
– But it resisted major attacks
• SHA (Secure Hash Algorithm)
– US standard based on MD535
Diffie-Hellman, “SSL”, Certs
• Methods for key generation and exchange
• DH is very clever since you always generate a
new “key-pair” for each asymmetric session
– STS, MTI, and certs make it even safer
• Certs (certificates) are the most common way to
exchange public keys
– Foundation of Public Key Infrastructure (PKI)
• SSL uses a protocol to exchange keys safely
– See later
36
Cryptanalysis
• Brute force
– Good for guessing passwords, and some 40-bit symmetric keys (in
some cases needed only 27 attempts)
• Frequency analysis
– For very simple methods only (US mobiles)
• Linear cryptanalysis
– For stronger DES-like, needs 243 plain-cipher pairs
• Differential cryptanalysis
– Weaker DES-like, needs from 214 pairs
• Power and timing analysis
– Fluctuations in response times or power usage by CPU
37
Strong Systems
• It is always a mixture! Changes all the time…
• Symmetric:
– AES, min. 128 bits for RC2 & RC5, 3DES, IDEA,
carefully analysed RC4, 256 bit better
• Asymmetric:
– RSA, ElGamal, Diffie-Hellman (for keys) with
minimum 1024 bits (go for the maximum, typically
4096, if you can afford it)
• Hash:
– Either MD5 or SHA but with at least 128 bit results,
256 better
38
Weak Systems
• Anything with 40-bits (including 128 and 56 bit
versions with the remainder “fixed”)
– Most consider DES as fairly weak algorithm
• CLIPPER
• A5 (GSM mobile phones outside US)
• Vigenère (US mobile phones)
– Dates from 1585!
• Unverified certs with no trust
• Weak certs (as in many “class 1” personal certs)
39