Public Key

Infrastructure
- RAGHAV SHANKAR, 4TH February, 2019
STUXNET and FLAME/SKYWIPER
• Thousands of Diplomatic secrets declassified
• Millions of user activities, voice recordings captured, transmitted
• At least 3 Zero-day vulnerabilities exploited
• Minimal damage to attacker
• Highly accomplished cryptographers involved
• Mathematical vulnerabilities exploited
• Nuclear facility repeatedly destroyed
STUXNET – The Nuclear Facility killer
[Explain]
• Intentions
• Payload Delivery (worm) + Payload (Siemens Controller controller)
• Deletion Logic
• Propagation Logic
• Replication Techniques

Affected Countries
Public Key Infrastructure Attacks
• One of the many Zero Day attacks used in Stuxnet, Flame
• Rogue Certificates issued

• The Certificate War

What is PKI?
• Foundation of a secure Internet
• Infra for secure and trusted business environment for e-commerce
and the Internet of Things
• Used to manage digital certificates and public-keys
What if no PKI?
• No Authentication – Who are you communicating with?
• No Integrity – Information modified?
• No Confidentiality – Who else gets to see the information?
Problems with HTTP
• HTTP – Unsecure, Open communication line
• Classic packet sniffing opportunity

• Myntra network attack [explain]

• Solution?
SSL
• Establish encrypted HTTP communication links
• Providing the CIA triad on the Internet
• Confidentiality
• Integrity
• Authenticity
• [Browser demonstration of SSL Cert]
• Non HTTPS example: MIT
SSL Use cases
• Online banking
• Desktop login
• Citizen identification
• Mass transit
• Device credentialing in the IoT
• E-commerce transactions – FreshMenu Proxy hack
PKI
• PKI Overview
• Types of Encryption
• The Public and Private Key Pair
• Digital Certificates
• Certificate Authorities
• Registration Authorities
• Certification Revocation Lists
• Recovery Agent
• Key Escrow
• Diffie-Hellman Key Exchange
PKI Overview
• A two-key asymmetric encryption system of communication
• A set of rules, guidelines
• Universal infra that works across multiple systems and vendors
• Provides:
• Authentication: Confirms the owner of the keys through Digital Certificates
• Confidentiality: Encrypts data transmissions
Symmetric Encryption vs Asymmetric Encryption
Symmetric Asymmetric

Same key for Encryption & Decryption Different keys for Encryption & Decryption

Faster Encryption & Decryption Slower Encryption & Decryption

Host needs to store large database of keys for Host needs to store only 1 key to operate
different clients (ex: Ecommerce portal)
Public Private Key Pair
• Symmetric Key Encryption: Single Key for Encryption & Decryption
• Asymmetric Key Encryption:
• 2 mathematically related keys created at the same time
• Private key stored securely in the server (host)
• Public key publicly distributed to the entire world

• Public key used to encrypt info destined for server

• Private key used by server to decrypt the encrypted payload
Symmetric Key Example
Python Symmetric Key Example
[symmetric.py]
Asymmetric Key
• [Video Lecture]
Asymmetric Key Example
Question:
• Can’t someone pretend to be Bob to receive Alice’s message using
their own Public Key?

• Introducing Digital Certificates

Digital Certificates
• Helps authenticate the public key
• Associates a public key with an online entity
• Example:
• Public Key: 04 4B F9 47 1B A8 A8 CB A4 C6 C0 2D 45 DE 43 F3 BC F5 D2 98 F4
25 90 6F 13 0D 78 1A AC 05 B4 DF 7B F6 06 5C 80 97 9A 53 06 D0 DB 0E 15 AD
03 DE 14 09 D3 77 54 B1 4E 15 A8 AF E3 FD DC 9D AD E0 C5
• Subject Common Name: www.google.com [open browser certificate]
• Certification standard: x.509 Certificate
• Issued by a Certifying Authority (CA)
Certificate Authorities
• Issue, revoke, distribute Digital Certificates
• Often a trusted third party:
• DigiCert
• VeriSign
• Need not be THIRD PARTY (Example: Google, Microsoft certification)
• Public key stored in a directory for anyone to verify the certificate
Self Certification
• [Linux exercise]
 Set up

1. Make sure Apache has SSL enabled

2. Generate a certificate signing request (CSR)
3. Generate a self-signed certificate
4. Configure Apache
5. Copy the certificate and keys we've generated
6. Modify the VirtualHosts to use the certificate.
7. Restart Apache and test.
1. sudo a2enmod ssl
2. sudo openssl req -new > new.cert.csr
3.
1. sudo openssl rsa -in privkey.pem -out new.cert.key
2. sudo openssl x509 -in new.cert.csr -out new.cert.crt -
req -signkey new.cert.key -days NNN
4.
1. vim /etc/apache2/sites-available/default-ssl.conf
2. Add ‘SSLEngine On’
3. sudo a2ensite default-ssl (enable SSL site)
5.
1. sudo cp new.cert.cert /etc/ssl/certs/server.crt
2. sudo cp new.cert.key /etc/ssl/private/server.key
6.
1. SSLCertificateFile /etc/ssl/certs/server.crt
2. SSLCertificateKeyFile /etc/ssl/private/server.key
7. sudo apache2ctl stop && sudo apache2ctl start
Registration Authorities
• The front end of the Certification process
• Helps CA with:
• Client onboarding
• Identity verification
• Does not sign the certificate itself
Certificate Revocation Lists (CRL)
• CA publishes a list of certificates no longer valid
• Reasons for issuing:
• Certificate expired
• Certificate revoked:
• Compromised private key
• Company names/ details changed
• Rogue Certificate
• Client Request for revocation
• The CA verifies that the revocation request is coming from an
Authenticated user
Recovery Agent (Key got lost?)
• Secure key recovery server and a person with permission to recover
the forgotten key
• For ex: Recovering private key from a server that crashed

• Key Recovery Information:

• Proof that request is from an authorized agent
• Name of the key owner
• Time of key creation
• Issuing CA server
Key Escrow
• A copy (or copies) of private keys in an archival system
• Often, multiple databases contain different parts of the key

• Used for law enforcement (often requires warrant)

Exchanging Secret Keys On Public Internet
The Diffie-Hellman Key Exchange Solution
Diffie-Hellman key exchange exercise
Primitive Roots
• 17, 3
• 11, 2
• 5, 2