Cryptography

Cryptosystem consists of:
- Symmetric Cryptosystem
- Asymmetric Cryptosystem
- Public Key System

Cryptography Systems
Winston Mendis

Symmetric System

In Symmetric System:
- Sender and the Receiver have the same Key.
- Receiver can produce the same ciphertext as the sender and vice-versa.

Digital Signature & Asymmetric Cryptosystem

- A sends a signed message (M) to B.
- Only one person will produce the Digital Signature (like someone's signature), but anybody else can recognize it.
- A signs M: S = D_A(M)
- B verifies the Signature: M = E_A(S)
- Only A could have generated S, as he is the only one who knows D_A.
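The following pure-Python code is an added example, not part of the original slides, that works through the scheme above: A applies the private operation D_A to produce S, and B (or anyone else holding A's public key) applies E_A to check it. It uses textbook RSA as the D/E pair. Assumptions made for the example: the key primes are fixed Mersenne primes (M521, M607 for A; M1279, M2203 for B) so the run is deterministic, the SHA-256 digest of M is signed rather than M itself so that any message length fits below the modulus, and the message text is constructed. Fixed special-form primes and unpadded RSA are for illustration only; deployed systems generate random primes and use a padded scheme such as RSA-PSS or a different signature algorithm such as Ed25519.

```python
import hashlib


def mersenne(k: int) -> int:
    """2**k - 1. Used only because M521, M607, M1279 and M2203 are known primes (toy keys)."""
    return (1 << k) - 1


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA keypair: public operation E_A uses (n, e), private operation D_A uses (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (modular inverse, Python 3.8+)
    return (n, e), (n, d)


def hash_to_int(message: bytes) -> int:
    """SHA-256 digest of M as an integer, so an arbitrary-length M fits below n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """S = D_A(M): only the holder of the private exponent d can compute this."""
    n, d = private_key
    return pow(hash_to_int(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """M = E_A(S): anyone holding A's public key recovers the digest and compares it with M."""
    n, e = public_key
    return pow(signature, e, n) == hash_to_int(message)


def demo() -> dict:
    """Exercise the three claims of the slide: B verifies, tampering is detected, nobody but A can sign."""
    pub_a, priv_a = make_keypair(mersenne(521), mersenne(607))    # A's keys (constructed)
    pub_b, priv_b = make_keypair(mersenne(1279), mersenne(2203))  # B's keys (constructed)
    message = b"Pay 100 to account 42"                            # constructed sample message
    s = sign(priv_a, message)
    return {
        "b_verifies_a": verify(pub_a, message, s),                          # True
        "tampered_message": verify(pub_a, b"Pay 900 to account 42", s),     # False: digest changed
        "signed_by_b_not_a": verify(pub_a, message, sign(priv_b, message)),  # False: wrong D
        "signature_bits": s.bit_length(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the three checks; the second and third come back False because E_A only undoes D_A, so a signature over a different message, or one made with B's private key, does not reproduce the digest of M.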

KEY Encryption

There are TWO primary types of encryption:
- Private Key, where all parties who are authorized to send or read have the same key.
- Public Key, where TWO keys are used: one is used to encrypt, and a separate key is used to decrypt.

PKI.. !

PKI is "the set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke PKCs based on public-key cryptography... A failure in any one of [many security] areas can cause the entire system security to fail" (Arsenault & Turner 1999-2001).

PKI (Public Key Infrastructure)

PKI is a set of standards, procedures, software, and people for implementing authentication using public key cryptography. PKI is used to request, install, configure, manage and revoke digital certificates.

PKI offers authentication via digital certificates, and these digital certificates are signed and provided by certificate authorities.

The Anatomy of PKI

PKI is based on a mechanism called a digital certificate. Digital certificates are sometimes also referred to as X.509 certificates or simply as certificates.

Think of a certificate as a virtual ID card. In the real world, people use ID cards such as a driver's license, passport, or an employee ID badge to prove their identity. A certificate does the same basic thing in the electronic world, but with one big difference. Certificates are not just issued to people (users, administrators, etc.). Certificates can also be issued to computers, software packages, or to just about anything else whose identity you may need to prove.

PKI (Public Key Infrastructure)

PKI uses public key cryptography and works with X.509 standard certificates. It also provides other things such as authenticating users, producing and distributing certificates, and maintaining, managing and revoking certificates. PKI is an infrastructure in which many things happen and is not a process or algorithm itself, so PKI consists of a number of aspects to enable the infrastructure to work.

As well as authentication, PKI also enables the provision of integrity, non-repudiation and encryption.

How PKI works

1. A requestor generates a CSR and submits it to the CA.
2. The CA issues a certificate based on the CSR and returns it to the requestor.
3. Should the certificate at some point be revoked, the CA adds it to its CRL.

How Public and Private Keys Work

What are the security services PKI provides?

PKI brings to the electronic world the security and confidentiality features provided by the physical documents, hand-written signatures, sealed envelopes and established trust relationships of traditional, paper-based transactions.

What are the security services PKI provides?

These features are:
- Confidentiality: Ensures that only intended recipients can read files.
- Data Integrity: Ensures that files cannot be changed without detection.
- Authentication: Ensures that participants in an electronic transaction are who they claim to be.
- Non-repudiation: Prevents participants from denying involvement in an electronic transaction.

Digital Certificate

- A certificate is similar to a Passport.
- If a company wanted a public key they would require a digital certificate.
- They will have to request this certificate from a certificate authority or a registration authority.
- The certificate authority is someone who everyone should trust as a centralised authority for managing and maintaining certificates.

Two main PKI models

The TWO models are:
- Central
- Hierarchical

Central
Used for small to medium sized companies or a flat network design. A single authority assigns all their certificates.

Certification Authority (CA)

- A Certification Authority is a trusted third party issuing digital certificates (like a Passport issuing office).
- The CA will require the company to fill in a number of details and validate their request before they can hand out a certificate.
- This certificate is proof that the company is who they say they are in the digital world (like a passport in the real world).

Two main PKI models

Hierarchical
- Hierarchical is used in medium to large organisations.
- You have a root CA, such as a Microsoft in-house solution, or it can be a publicly trusted company such as Verisign.
- Then you have separate subordinate CAs assigning digital certificates to separate security domains.
- Hierarchical is a multi-tiered approach suited for enterprise networks.
- Subordinate CAs hand out certificates to employees and other people (systems and individual users).

Certificate request

- A company requests a digital certificate.
- The CA would require some information back from this company: usually some proof that they are who they claim to be, and their registration information.
- After the CA is happy with the company's request, it would generate a public key for the company with the identity information attached to the certificate.

Certificate request

- This public key, along with its related private key, can be generated by the CA or by the system the company will be installing this certificate on. If it is produced by the company, then a public and private key pair would be generated on the device and sent to the CA.
- The CA will sign and issue the company with a digital certificate, and this will be their identification proving they are who they claim to be.
- The company can now use this information to participate in the PKI system.

How two parties communicate over a secure channel between each other via public key

- Pete wants to communicate with Sam and so sends his certificate to Sam. Sam checks out this certificate's CA signature with his CA, Verisign for example.
- He will look at the CA public key with Verisign to ensure the CA signature is on the certificate.
- If the certificate is valid then Sam can assume Pete is who he says he is, and the connection would be accepted.
- Then Pete checks Sam's certificate, and if the certificate is fine and valid, the VPN process can progress.
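The toy PKI below is an added example, not code from the slides. It ties together the three steps of "How PKI works" (CSR, issuance, CRL) and the Pete/Sam exchange above: each side's certificate is checked against the CA's public key, the validity window and the CRL before the connection is accepted. Assumptions made for the example: the CA is called "Example Root CA", the subjects and their public keys are placeholder strings, the certificate fields are serialised as sorted JSON in place of DER, timestamps are constructed integers rather than the real clock, and the CA signs with textbook RSA over fixed Mersenne primes so the run is deterministic. In this example only the public key is placed in the CSR and the requester's private key never leaves its device, which is how a real CSR is built.

```python
import hashlib
import json

# CA key material: fixed Mersenne primes M521 and M607 (constructed, deterministic toy).
# Special-form primes are trivially factorable; a real CA generates random primes or uses ECC.
CA_P, CA_Q = (1 << 521) - 1, (1 << 607) - 1
CA_N, CA_E = CA_P * CA_Q, 65537
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def encode(fields: dict) -> bytes:
    """Canonical byte form of the to-be-signed fields (stands in for DER in real X.509)."""
    return json.dumps(fields, sort_keys=True).encode()


def make_csr(subject: str, public_key: str) -> dict:
    """Step 1: the requester's CSR carries its identity and public key only; the private key stays put."""
    return {"subject": subject, "public_key": public_key}


class CertificateAuthority:
    def __init__(self, name: str):
        self.name = name
        self.public_key = (CA_N, CA_E)  # what relying parties hold as their trust anchor
        self.crl = set()                # serial numbers of revoked certificates
        self._next_serial = 1

    def issue(self, csr: dict, now: int, lifetime: int) -> dict:
        """Step 2: validate the request, then sign the subject's details and public key."""
        if not csr.get("subject") or not csr.get("public_key"):
            raise ValueError("CSR must carry a subject and a public key")
        tbs = {  # the to-be-signed part of the certificate
            "serial": self._next_serial,
            "issuer": self.name,
            "subject": csr["subject"],
            "public_key": csr["public_key"],
            "not_before": now,
            "not_after": now + lifetime,
        }
        self._next_serial += 1
        return {"tbs": tbs, "signature": pow(digest(encode(tbs)), CA_D, CA_N)}

    def revoke(self, cert: dict) -> None:
        """Step 3: the CA adds the certificate's serial number to its CRL."""
        self.crl.add(cert["tbs"]["serial"])


def verify_certificate(cert: dict, trusted_ca: CertificateAuthority, now: int) -> tuple:
    """What Sam does with Pete's certificate: issuer, CA signature, validity window, CRL."""
    tbs = cert["tbs"]
    n, e = trusted_ca.public_key
    if tbs["issuer"] != trusted_ca.name:
        return False, "issuer is not a CA we trust"
    if pow(cert["signature"], e, n) != digest(encode(tbs)):
        return False, "CA signature does not match the certificate contents"
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return False, "outside validity period"
    if tbs["serial"] in trusted_ca.crl:
        return False, "revoked"
    return True, "valid"


def demo() -> dict:
    ca = CertificateAuthority("Example Root CA")  # hypothetical CA name
    day = 86400
    t0 = 1_700_000_000                            # constructed timestamp
    pete = ca.issue(make_csr("CN=pete.example", "pete-public-key-placeholder"), t0, 365 * day)
    sam = ca.issue(make_csr("CN=sam.example", "sam-public-key-placeholder"), t0, 365 * day)
    results = {
        "sam_checks_pete": verify_certificate(pete, ca, t0 + day),
        "pete_checks_sam": verify_certificate(sam, ca, t0 + day),
        "expired": verify_certificate(pete, ca, t0 + 400 * day),
    }
    # An attacker swaps the subject name but cannot re-sign without CA_D.
    tampered = {"tbs": dict(pete["tbs"], subject="CN=mallory.example"), "signature": pete["signature"]}
    results["tampered_subject"] = verify_certificate(tampered, ca, t0 + day)
    ca.revoke(pete)
    results["after_revocation"] = verify_certificate(pete, ca, t0 + day)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the checks in verify_certificate matters in practice: the signature is verified before the validity and revocation fields are trusted, because those fields are themselves only meaningful once the CA's signature over them has been confirmed.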

How a secure key is agreed upon by two peers

Public Key Infrastructure (PKI)

- The process works by two peers exchanging their public keys.
- Pete would send his public key to Sam and Sam would send his public key to Pete. Pete would then use the public key received from Sam and his own private key to generate a symmetric key using the Diffie-Hellman algorithm.
- Sam would go through the same process as Pete and in turn produce the exact same symmetric key as Pete, thus enabling them to communicate securely over the insecure internet.
- Both peers can now encrypt, transmit and decrypt data using their symmetric keys.
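The Diffie-Hellman agreement described above, as an added Python example that is not part of the original slides. Each peer keeps a private value, publishes g raised to it, and combines the other side's public value with its own private value; both arrive at the same shared secret, which is hashed into a symmetric key. Assumptions made for the example: the group is a 256-bit safe prime generated at run time with Miller-Rabin (a demonstration size; deployments use a standardised group of 2048 bits or more such as those in RFC 3526 or RFC 7919), the generator is 4 so that all public values lie in the prime-order subgroup, the symmetric key is derived with plain SHA-256 rather than a full KDF, and the peer names Pete and Sam are taken from the slides.

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; a composite survives all rounds with probability <= 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q both prime, so no element other than +-1 has a small order."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1  # force exact bit length and oddness
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p


class Peer:
    """One side of the exchange: holds a private value, publishes g**private mod p."""

    def __init__(self, name: str, p: int, g: int):
        self.name, self.p, self.g = name, p, g
        self._private = secrets.randbelow(p - 3) + 2  # never leaves this object
        self.public = pow(g, self._private, p)        # the value sent to the other peer

    def derive_key(self, peer_public: int) -> bytes:
        """Combine the peer's public value with our private value and hash the result into a key."""
        q = (self.p - 1) // 2
        # Reject values outside the prime-order subgroup (0, 1, p-1 and non-residues would leak bits).
        if not 2 <= peer_public <= self.p - 2 or pow(peer_public, q, self.p) != 1:
            raise ValueError("peer public value is not in the prime-order subgroup")
        shared = pow(peer_public, self._private, self.p)
        size = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(shared.to_bytes(size, "big")).digest()


def agree(bits: int = 256) -> dict:
    """Pete and Sam exchange public values over the open network and derive the same symmetric key."""
    p = generate_safe_prime(bits)
    g = 4  # 2**2 is a quadratic residue, so it generates the order-q subgroup of a safe-prime group
    pete, sam = Peer("Pete", p, g), Peer("Sam", p, g)
    # Only pete.public and sam.public travel over the wire.
    return {"p": p, "pete_key": pete.derive_key(sam.public), "sam_key": sam.derive_key(pete.public)}


if __name__ == "__main__":
    result = agree()
    print("p bits:", result["p"].bit_length())
    print("keys match:", result["pete_key"] == result["sam_key"])
```

The subgroup check in derive_key is the part most often left out of textbook versions: without it, a peer that sends a value of small order can force the shared secret into a handful of possibilities. With a safe prime and generator 4 every honest public value passes the check, and values such as 1 or p-1 are refused.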
