Public Key Management Brent Waters
Last Time Ø Ø Saw multiple one-way function candidates for sigs. • OWP (AES) • Discrete Log • Trapdoor Permutation (RSA) Went over RSA-based signatures in detail 2
DSA (Digital Signature Algorithm) Ø Ø Ø Discrete log based signature scheme • Similar to El Gamal Signatures 1991 NIST proposed • Became first govt. adopted signature scheme Short signatures • 2 160 -bit components Slow signing and verification • Exponentiation Awkward description • Security reduces to funny assumption 3
Why DSA standard? RSA DSA Ø Patent (until 2000) Ø Patent Free Ø Longer sigs ~200 bytes Ø Short Signatures ~40 bytes Ø No encryption Ø Encryption (Export Controls) 4
Public Key Management How does Alice obtain Bob’s public key Answer: Certificate Authority signs other keys Ø Ø I @s am tan ford. e bob Pub lic K Ce rti fic a te ey Certificate du CA Encrypted Message master-key 5
Certificates Ø X. 509 Standard cert= name, org, address | public key |expiration |. . . + signature of certificate by C. A. Extensions (Version 3) Sign certs only. . . Bob obtains certificate offline 6
How do we validate Certificate Auth? Ø Ø Ø Alice must have public key of certificate authority Publish in N. Y. Times • Everyone see, adversary cannot forge all • Make sure Jayson Blair not on staff • Not realistic Ships with Browser or Operating System • Done in practice 7
Trust in CA Ø Ø Ø C. A. is trusted If compromised can forge a cert for Bob • Attack might be detected CA key should be strongly guarded • BBN Safe. Keeper: tempest attacks 8
Public Key Generation Algorithm Ø Ø 1) Alice generates pub/priv. key pair sends pub to CA 2) CA verifies Alice knows private key • Challenge/response • Self-signed certificate Ø 3) CA generates cert and sends to Alice Ø CA doesn’t know Alice’s key 9
Trust models (Symmetric vs Public) Symmetric A 1 Public Key A 1 A 2 Pub/cert CA KDC A 2 A 3 Pub/cert A 4 10
Trust models (Symmetric vs Public) Symmetric Public Ø Online KDC Ø Ø Knows my key Ø Ø If compromised past+future gone (forward security helps —guesses? ) Ø Offline Knows only public key • Harder to do attack Only future messages exposed 11
Cross Domain Certification CA 2 CA 1 A A Many domains, can’t load them all How does Bob verify if doesn’t even have CA key? 12
Hierarchical solution root Stanford cs Amazon Cert chain: Check cert all way to root Hierarchies are pretty flat in practice 13
Web of Trust No authority: I trust A who trusts B. . Which model do you like better? A B C 14
Certificate Revocation Ø I. II. III. Revoke Bob’s certificate • Private key is stolen • Leaves company, doesn’t own ID Expiration Date in Cert (1 year) CRL Periodically send lists to everyone Long lists, hard to manage OSCP (Online Certificate status protocol) Online authority to answer queries Signing key at risk if distribute authorities 15
Certificate Revocation A Is B revoked VA 1 Proof of Y/N Secure VA VA 2 Order revoked certs and build hash tree Secure VA signs root Either show path of revoked or prove by neighbors 16
A bit disappointing. . . Ø , but now have an on-line party again 17
Price of Security ØHow much for 1 year certificate? Ø$349 Ø 40 bit security on some browsers Ø$995 (Pro Version) 18
Certificates in Practice 19
Certificates in Practice 20
Certificates in Practice 21
How many “root” certs on your browser? I Counted 105 22
Скачать презентацию Public Key Management Brent Waters Last Time
ae1872070e22f721829ea0dfaefdc57c.ppt