
Digital Signature, Digital Certificate

CSC1720 Introduction to Internet
Essential Materials

Outline

Introduction
Cryptography
    Secret-key algorithms
    Public-key algorithms
    Message-Digest algorithms
Digital Signature
Digital Certificate
Public Key Infrastructure (PKI)
Secure Electronic Transaction (SET)
Summary
CSC1720

All copyrights reserved by

Introduction

Cryptography and digital certificates first appeared in closed commercial, financial network and military systems.
We can send and receive secure e-mail, and connect to secure websites to purchase goods or obtain services.
Problem: How do we implement them in this global, open network, the Internet?
What level of encryption is sufficient to provide safe and trusted services on the Net?

Cryptography

3 types of cryptographic algorithms:
Message-digest algorithms
    Map variable-length plaintext to fixed-length ciphertext.
Secret-key algorithms
    Use one single key to encrypt and decrypt.
Public-key algorithms
    Use 2 different keys: a public key and a private key.

Keys

A key is a variable value that is used by cryptographic algorithms to produce encrypted text, or to decrypt encrypted text.
The length of the key reflects the difficulty of decrypting the encrypted message.

Plaintext -> Encryption (Key) -> Ciphertext -> Decryption (Key) -> Plaintext

Key length

It is the number of bits (bytes) in the key.
A 2-bit key has four values in its key space: 00, 01, 10, 11.
A key of length n has a key space of 2^n distinct values.
E.g. the key is 128 bits:
    101010101010...10010101111111
There are 2^128 combinations:
    340 282 366 920 938 463 463 374 607 431 768 211 456

Secret-key Encryption

Use a secret key to encrypt a message into ciphertext.
Use the same key to decrypt the ciphertext to the original message.
Also called symmetric cryptography.

Plaintext -> Encryption (Secret Key) -> Ciphertext -> Decryption (Secret Key) -> Plaintext

Secret Key - How to?

Encryption: Original Text + Secret key = Encrypted Text
Decryption: Encrypted Text + Secret key = Original Text

Secret-Key Problem?

All keys need to be replaced if one key is compromised.
Not practical for the Internet environment.
On the other hand, the encryption speed is fast.
Suitable for encrypting your personal data.

Secret-Key algorithms
Algorithm Name    Key Length (bits)
Blowfish          Up to 448
DES               56
IDEA              128
RC2               Up to 2048
RC4               Up to 2048
RC5               Up to 2048
Triple DES        192

References: Blowfish, DES, IDEA, RC2, RC4, RC5, DES-3

Public-key Encryption

Involves 2 distinct keys: public and private.
The private key is kept secret and never divulged, and it is password protected (passphrase).
The public key is not secret and can be freely distributed and shared with anyone.
It is also called asymmetric cryptography.
The two keys are mathematically related, but it is infeasible to derive the private key from the public key.
100 to 1000 times slower than secret-key algorithms.

Plaintext -> Encryption (Public Key) -> Ciphertext -> Decryption (Private Key) -> Plaintext

How to use 2 different keys?

Just an example:
Public Key = 4, Private Key = 1/4, message M = 5
Encryption:
    Ciphertext C = M * Public Key
    5 * 4 = 20
Decryption:
    Plaintext M = C * Private Key
    20 * 1/4 = 5

Public-Private Encryption

First, create a public and private key.
The public key is stored in the directory (Public Key Directory).
The private key is stored in your personal computer.

Message Encryption (User A sends message to User B)

User A: Text -> Encryption (User B's Public Key, from the Public Key Directory) -> Encrypted Text

Message Encryption

[Figure: Original Message and Encrypted Message]

Transfer Encrypted Data

User A -> Encrypted Text -> Insecure Channel -> Encrypted Text -> User B

Decryption with your Private key

The private key is stored in your personal computer.
User B: Encrypted Text -> Decryption (User B's Private key) -> Original Text

Asymmetric algorithms
Algorithm Name    Key Length (bits)
DSA               Up to 448
El Gamal          56
RSA               128
Diffie-Hellman    Up to 2048

References: DSA, El Gamal, RSA, Diffie-Hellman

How difficult to crack a key?

Attacker                       Computer Resources                                  Keys / Second
Individual attacker            One high-performance desktop machine & Software     2^17 - 2^24
Small group                    16 high-end machines & Software                     2^21 - 2^24
Academic Network               256 high-end machines & Software                    2^25 - 2^28
Large company                  $1,000,000 hardware budget                          2^43
Military Intelligence agency   $1,000,000 hardware budget + advanced technology    2^55

Key Length (bits)   Individual Attacker   Small Group   Academic Network   Large Company   Military Intelligence Agency
40                  Weeks                 Days          Hours              Milliseconds    Microseconds
56                  Centuries             Decades       Years              Hours           Seconds
64                  Millennia             Centuries     Decades            Days            Minutes
80                  Infeasible            Infeasible    Infeasible         Centuries       Centuries

Crack DES-3 (Secret-key)

Distributed.net connected 100,000 PCs on the Net and cracked the DES algorithm in a record-breaking 22 hr 15 min.
Speed: 245 billion keys/
Win $10,000

Message-Digest Algorithms

It maps a variable-length input message to a fixed-length output digest.
It is not feasible to determine the original message based on its digest.
It is impossible to find an arbitrary message that has a desired digest.
It is infeasible to find two messages that have the same digest.

Message-Digest - How to

A hash function is a math equation that creates a message digest from a message.
A message digest is used to create a unique digital signature from a particular document.
MD5 example

Original Message (Document, E-mail) -> Hash Function -> Digest

Message Digest Demo


Message-Digest

Message-Digest Algorithm       Digest Length (bits)
MD2                            128
MD4                            128
MD5                            128
Secure Hash Algorithm (SHA)    160

References: MD2, MD4, MD5, SHA
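The fixed-length property and the digest lengths listed in the table above, checked with Python's hashlib. This is an added example, not part of the original slides; the sample messages are constructed, and SHA-256 is included only for comparison.

```python
import hashlib

# Digest lengths in bits. MD5 and SHA (SHA-1) are the table's values; MD2 and
# MD4 are not shipped with every Python build, and SHA-256 is an addition.
ALGORITHMS = {"md5": 128, "sha1": 160, "sha256": 256}

def digest_bits(algorithm: str, message: bytes) -> int:
    """Length in bits of the digest, whatever the length of the message."""
    return hashlib.new(algorithm, message).digest_size * 8

def differing_bits(algorithm: str, a: bytes, b: bytes) -> int:
    """Number of bit positions in which the digests of a and b differ."""
    da = hashlib.new(algorithm, a).digest()
    db = hashlib.new(algorithm, b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))

def report(messages, original: bytes, altered: bytes):
    """Collect (algorithm, digest lengths seen, bits changed by the edit)."""
    rows = []
    for name in ALGORITHMS:
        lengths = {digest_bits(name, m) for m in messages}
        rows.append((name, lengths, differing_bits(name, original, altered)))
    return rows

if __name__ == "__main__":
    # Constructed sample inputs: empty, short, and one megabyte long.
    original, altered = b"Pay Bob $100", b"Pay Bob $900"
    samples = [b"", original, b"x" * 1_000_000]
    for name, lengths, changed in report(samples, original, altered):
        print(f"{name}: digest lengths {lengths} bits, "
              f"{changed} of {ALGORITHMS[name]} bits change after a 1-character edit")
```

MD5 and SHA-1 appear here only because the slides list them; practical collisions have been published for both, so the "infeasible to find two messages with the same digest" property should be relied on only with SHA-256 or a later function.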

Break Time - 15 minutes

Digital Signature

A digital signature can be used in all electronic communications:
    Web, e-mail, e-commerce
It is an electronic stamp or seal that is appended to the document.
It ensures the document is unchanged during transmission.

How does a digital signature work?

User A: uses A's private key to sign the document.
Transmit via the Internet.
User B: receives the document with the signature attached.
Verify the signature with A's public key stored at the directory.

Digital Signature Generation and Verification

Message Sender:
    Message -> Hash function -> Digest -> Encryption (Private Key) -> Signature
Message Receiver:
    Message -> Hash function -> Digest
    Signature -> Decryption (Public Key) -> Expected Digest
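The earlier two-key example (4 and 1/4) and the sign/verify flow in the diagram above, worked with textbook RSA, where modular exponentiation takes the place of multiplication so the private key is no longer the obvious inverse of the public one. This is an added example, not part of the original slides: the primes, the sample document and the 128-bit truncated SHA-256 digest are assumptions chosen so the toy key fits, and a key this small without padding is for illustration only.

```python
import hashlib

# Toy key pair built from two well-known Mersenne primes (constructed for
# this example; far too small and too structured for real use).
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                              # public modulus, about 150 bits
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

def encrypt(m: int) -> int:
    """Anyone can encrypt to the key owner with the public key (E, N)."""
    return pow(m, E, N)

def decrypt(c: int) -> int:
    """Only the holder of the private exponent D recovers the message."""
    return pow(c, D, N)

def digest(message: bytes) -> int:
    """Hash function step: SHA-256 truncated to 128 bits so it is below N."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")

def sign(message: bytes) -> int:
    """Sender: Message -> Digest -> private-key operation -> Signature."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Receiver: recover the expected digest with the public key, then
    compare it with the digest computed over the received message."""
    expected = pow(signature, E, N)
    return expected == digest(message)

if __name__ == "__main__":
    c = encrypt(5)                                 # the slide's message M = 5
    print("ciphertext:", c, "-> decrypted:", decrypt(c))
    doc = b"Transfer HK$500 to account 1234"       # constructed sample document
    sig = sign(doc)
    print("genuine document verifies:", verify(doc, sig))
    print("altered document verifies:", verify(doc.replace(b"500", b"900"), sig))
```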

Digital Signature

Reference

Key Management

Private keys are password-protected.
If someone wants your private key:
    They need the file that contains the key
    They need the passphrase for that key
If you have never written down your passphrase or told anyone:
    Very hard to crack
    Brute-force attack won't work

Digital Certificates

A digital certificate is data with a digital signature from one trusted Certification Authority (CA).
This data contains:
    Who owns this certificate
    Who signed this certificate
    The expiry date
    User name & email address

Digital Certificate

Reference

Elements of Digital Cert.

A Digital ID typically contains the following information:
    Your public key, your name and email address
    Expiration date of the public key, name of the CA who issued your Digital ID

Certification Authority (CA)

A trusted agent who certifies public keys for general use (Corporation or Bank).
    The user has to decide which CAs can be trusted.
The model for key certification based on friends and friends of friends is called Web of Trust.
    The public key is passed from friend to friend.
    Works well in small or highly connected worlds.
    What if you receive a public key from someone you don't know?

CA model (Trust model)

Root Certificate
CA Certificate    CA Certificate
Browser Cert.     Server Cert.

Web of Trust model

[Diagram: nodes Alice, Bob, A, B, C, D]

Public Key Infrastructure (PKI)

PKI is a system that uses public-key encryption and digital certificates to achieve secure Internet services.
There are 4 major parts in PKI:
    Certification Authority (CA)
    A directory service
    Services, Banks, Web servers
    Business Users

Digital 21 . gov .hk

Reference: An official homepage which provides a lot of PKI and e-commerce information

PKI Structure
[Diagram: Certification Authority; Directory services; Public/Private Keys; User; Services, Banks, Webserver]

4 key services

Authentication - Digital Certificate
    To identify a user who claims to be who he/she is, in order to access the resource.
Non-repudiation - Digital Signature
    To make the user unable to deny that he/she has sent the message, signed the document or participated in a transaction.
Confidentiality - Encryption
    To make the transaction secure, so that no one other than the communicating parties is able to read/retrieve the ongoing transaction.
Integrity - Encryption
    To ensure the information has not been tampered with during transmission.

Certificate Signers


Certificate Enrollment and Distribution

Secure Web Communication

Server authentication is necessary for a web client to identify the web site it is communicating with.
To use SSL, a special type of digital certificate, a "Server certificate", is used.
    Get a server certificate from a CA.
    E.g. www.hitrust.com.hk, www.cuhk.edu.hk/ca/
    Install the server certificate at the Web server.
    Enable SSL on the Web site.
Client authentication - Client certificates

Strong and Weak Encryption

Strong encryption
    Encryption methods that cannot be cracked by brute force (in a reasonable period of time).
    The world's fastest computer needs thousands of years to compute a key.
Weak encryption
    A code that can be broken in a practical time frame.
    56-bit encryption was cracked in 1999.
    64-bit will be cracked in 2011.
    128-bit will be cracked in 2107.

Pretty Good Privacy (PGP)

Released in June 1991 by Philip Zimmermann (PRZ).
PGP is a hybrid cryptosystem that allows users to encrypt and decrypt.
It uses a session key - a random number generated from the mouse movement or keystrokes.
Demo & Tutorial

PGP Public Key

Philip R Zimmermann's Public Keys


Current DSS/Diffie-Hellman Key:
Key fingerprint: 055F C78F 1121 9349 2C4F 37AF C746 3639 B2D7 795E

PGP encryption

Reference

PGP decryption

Reference

Secure SHell (SSH)

Provides an encrypted secure channel between client and server.
Replacement for telnet and ftp.
Reference: SSH

Secure Shell & Secure FTP

[Screenshots: Secure Shell; Secure FTP; The Host's Public Key]

Secure Electronic Transaction (SET)

This protocol was developed by Visa and MasterCard specifically for secure credit card transactions on the Internet.
SET encrypts credit card and purchase information before transmission over the Internet.
SET allows the merchant's identity to be authenticated via digital certificates, and also allows the merchant to authenticate users through their digital certificates (making it more difficult to use someone's stolen credit card).
SET DEMO

Secure Electronic Transaction (SET)

There are four parts in the SET system:
    A software "wallet" on the user's computer - Cardholder.
    A commerce server that runs on the merchant's web site - Merchant.
    The payment server that runs at the merchant's bank - Acquiring bank.
    The Certification Authority - Issuing bank.
SET FAQs

SET


Privacy-Enhanced Email
Encrypted
Signed


Summary

Make sure you understand the relationship between:
    Encryption
    Digital Signature
    Digital Certificate
    Certificate Authority
Understand which public/private key should be used to encrypt/decrypt messages to/from you.
Discuss PGP, SET, SSH, encrypted email.

The End.
Thank you for your patience!