CITS3002 Computer Networks
The ISO/OSI Security Architecture

As well as defining their seven-layered model, the ISO/OSI group also defined a range of terminologies forming their ISO/OSI Security Architecture. It includes the requirements:

- data confidentiality - protects data as it traverses the network from being disclosed to incorrect parties. Even the presence of particular communication sequences between parties should not be identified.
- data integrity - protects the data from modification or removal while in the network,
- data origin authentication - validates the sender of the data,
- data receiver authentication - validates the receiver of the data,
- peer-entity authentication - validates all network components, such as hardware routers and peer software components through which a data stream must travel, and
- non-repudiation - creates and verifies evidence that the claimed sender sent the data, that the intended receiver did receive it, and that neither can deny that this occurred.

NOTE: the core TCP/IP internetworking suite meets none of the requirements of the ISO/OSI Security Architecture. Support for additional services is evolving, primarily at the Application Layer, but changes cannot be easily made to lower layers.
CITS3002 Computer Networks, Lecture 12, Cryptography's role in networking, p1, 27th May 2020.
"Remote exploit + local root exploit ⇒ remote root exploit." — Olde saying handed down through the ages.
Cryptography's Role in Networking

The need for cryptography to provide security arises with the possibility of stolen hardware, wiretapping, the broadcast mechanisms of LANs and WLANs, and network traffic passing through foreign networks.

We assume that an adversary is able to:

- Copy data from disk storage for remote analysis,
- Passively listen (only) on broadcast channels (such as wired-Ethernet and WiFi),
- Aggressively monitor traffic through intermediate routers or workstations (situated anywhere on a message's path),
- Actively replay, modify or insert their own messages into the message stream.

Cryptography provides solutions to most of these problems.

So where should the encryption be performed?

- Users encrypting individual files stored in a standard file-system,
- File-systems encrypting all data before writing it to disk,
- Data link and Network layers: in switches and routers (e.g. VPNs),
- Session Layer: with end-to-end data conversion (e.g. SSL),
- Application Layer: in programs such as email agents (e.g. PGP).
"Cryptography is the science of making the cost of improperly acquiring or altering data greater than the potential value gained. The value of information usually drops with time, and cryptography makes the time required to obtain data in unauthorized ways long enough to decrease its value well below the money spent on obtaining it." — Jalal Feghhi, Digital Certificates
Basic Cryptographic Terminology

We use an encryption function and a key to convert the plaintext (the input) into the ciphertext (the output).

The intended receiver hopes to quickly and correctly reverse the process - something that adversaries should be unable to do.

We assume that the adversary knows the encryption function (process) being used, and that the key is secret and changed frequently. The key length is expressed in bits:

Technology                  Key lengths               Possible keys                  Key length
ATM PIN                     4 decimal digits          10,000                         14 bits
old-style Unix passwords    8 characters              126^8 = 6.3 x 10^16            56 bits
Unix passwords with MD5     any number of characters  unlimited, though duplicates   128 bits

The following attacks against cryptography are common. Each has the goal of determining the cryptographic key(s), so that existing data may be exposed, or future messages decrypted without the repeated effort:

- Known plaintext attack - the cryptanalyst (fancy name for an adversary with a Maths degree) has (or determines) a block of plaintext and its corresponding block of ciphertext. This may seem unlikely, but regularly exchanged encrypted messages have fixed or predictable payloads (e.g. email headers, VPN-session establishment).
- Chosen plaintext attack - the cryptanalyst can have their intended victim unknowingly encrypt fixed, known blocks of data.
- Differential analysis - a kind of plaintext attack involving many very similar plaintexts being encrypted, and their resulting ciphertexts being compared.

If there is no separate integrity check on the encrypted data, an attacker may be able to alter it so that it decrypts to data of the attacker's choice.
Simple Substitution:

Caesar Cipher:

    /* Shift each lowercase plaintext letter by K positions, wrapping within the
       alphabet, and emit the ciphertext letter in uppercase (as in the PT/CT rows). */
    ch = (char)('A' + (ch - 'a' + K) % 26);

PT : abcdefghijklmnopqrstuvwxyz
CT : DEFGHIJKLMNOPQRSTUVWXYZABC

Here K = 3.

Monoalphabetic Substitution: Each symbol maps to some other symbol. The key is simply a 26 letter string from the alphabet.

PT : abcdefghijklmnopqrstuvwxyz
CT : QWERTYUIOPASDFGHJKLZXCVBNM

Here there are 26! = 4 x 10^26 possible keys.

At 1 msec per solution, a brute force approach would take 10^13 years.

However, in English and many other natural languages, text statistics are available on the most frequently used letters, (26^2) digraphs, (26^3) trigraphs and words. To break simple codes we:

- count frequencies of each letter and match e's, t's, etc.
- count digraphs (th, er, on, an, re, he, in, ed, nd, ha, at, en, es, of, or ...) and trigraphs (he, and, tha, ent, ion, tio, for, nde, has, nce ...)
- match th, the, in, and, ...

The movie Windtalkers focuses on the use of the natural language of Navajo Indians as a code in WWII. Speakers of Klingon claim that their language is, for other reasons, indecipherable (in practice).
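The letter-frequency step above, run as an added example (not from the lecture notes): Caesar encryption as on the slide, then recovery of K by trying all 26 shifts and scoring each candidate plaintext against English letter frequencies. The frequency table and the sample text are constructed for the demonstration.

```python
# Added example: Caesar cipher plus frequency-based key recovery.
from collections import Counter

# Approximate relative frequencies (percent) of letters in English text (assumed values).
ENGLISH_FREQ = {
    'a': 8.2, 'b': 1.5, 'c': 2.8, 'd': 4.3, 'e': 12.7, 'f': 2.2, 'g': 2.0,
    'h': 6.1, 'i': 7.0, 'j': 0.15, 'k': 0.8, 'l': 4.0, 'm': 2.4, 'n': 6.7,
    'o': 7.5, 'p': 1.9, 'q': 0.1, 'r': 6.0, 's': 6.3, 't': 9.1, 'u': 2.8,
    'v': 1.0, 'w': 2.4, 'x': 0.15, 'y': 2.0, 'z': 0.07,
}

def caesar_encrypt(plaintext: str, k: int) -> str:
    """Shift each lowercase letter by k (mod 26) into uppercase; other characters pass through."""
    out = []
    for ch in plaintext:
        if 'a' <= ch <= 'z':
            out.append(chr(ord('A') + (ord(ch) - ord('a') + k) % 26))
        else:
            out.append(ch)
    return ''.join(out)

def caesar_decrypt(ciphertext: str, k: int) -> str:
    """Reverse caesar_encrypt: uppercase ciphertext back to lowercase plaintext."""
    out = []
    for ch in ciphertext:
        if 'A' <= ch <= 'Z':
            out.append(chr(ord('a') + (ord(ch) - ord('A') - k) % 26))
        else:
            out.append(ch)
    return ''.join(out)

def letter_frequencies(text: str) -> Counter:
    """Count letters only, case-folded to lowercase."""
    return Counter(ch for ch in text.lower() if 'a' <= ch <= 'z')

def chi_squared(observed: Counter, total: int) -> float:
    """Distance of the observed letter counts from English; lower is more English-like."""
    if total == 0:
        return 0.0
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = total * pct / 100.0
        score += (observed[letter] - expected) ** 2 / expected
    return score

def recover_caesar_key(ciphertext: str) -> int:
    """Try every shift and keep the one whose plaintext letter statistics best match English."""
    total = sum(letter_frequencies(ciphertext).values())
    best_k, best_score = 0, float('inf')
    for k in range(26):
        score = chi_squared(letter_frequencies(caesar_decrypt(ciphertext, k)), total)
        if score < best_score:
            best_k, best_score = k, score
    return best_k

# Constructed sample text (Dickens, public domain), long enough for the statistics to settle.
SAMPLE = ("it was the best of times it was the worst of times it was the age of "
          "wisdom it was the age of foolishness it was the epoch of belief it was "
          "the epoch of incredulity it was the season of light it was the season "
          "of darkness it was the spring of hope it was the winter of despair")

if __name__ == "__main__":
    ct = caesar_encrypt(SAMPLE, 3)
    k = recover_caesar_key(ct)
    print("ciphertext:", ct[:40], "...")
    print("recovered K =", k, "->", caesar_decrypt(ct, k)[:40], "...")
```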
The Influence of Computers on Cryptography

The first role of computers was to gather statistics and perform 'brute-force' searches of ciphertext using some heuristics.

Traditionally, convoluted, obscure, and undisclosed algorithms requiring long keys were used to encrypt text. More recently the focus has changed to support simple, open algorithms, but with complex 'solutions'.

The algorithmic inverses themselves are intended to be so complex that brute-force techniques take millions of years to succeed.

An algorithm's strength is not simply derived from its keys' length, but from its peer evaluation and public review.

A weak algorithm is one whose algorithm and implementation are not available, and whose strength would be compromised if these were made public.

In 1883 Auguste Kerckhoffs stated as one of his six axioms of cryptography:

"If the method of encipherment becomes known to one's adversary, this should not prevent one from continuing to use the cipher as long as the key remains unknown."
Symmetric Ciphers

The Data Encryption Standard (DES, 1976) is known as a symmetric cipher, often a private key algorithm - in which the sender and receiver use the same key that must be kept private.

In general, longer keys provide stronger encryption, but it is a mistake to imply the strength of an encryption algorithm in terms of bits alone. Brute force attacks are the most successful.

Some popular examples of symmetric ciphers:

- DES: a block based cipher of 64 bit blocks in, 64 bit blocks out, 56 bit key filled to 64 bits (8 odd-parity bits).
- Triple-DES: encrypts the same plaintext with DES three times. Three or two keys are provided, the plaintext is encrypted with the 1st key, decrypted with the second, and finally encrypted with the third (or 1st again).
- A double-DES scheme (with only 2 keys) does not require 2^(2n) brute-force tests but 2^(n+1) tests with a meet-in-the-middle attack.
- Ron Rivest's RC2 block cipher employs keys up to 1024 bits, and executes at a speed independent of key length.
- Ron Rivest's RC4 stream cipher (as used in WiFi's WEP encryption) employs keys of 40 to 256 bits, but has the property that if two messages are encrypted with the same RC4 key, their encryptions are related in a known way.
The DES Algorithm

As an example of the first official deployment of encryption, we'll consider the Data Encryption Standard, DES.

In 1977 the US Government adopted a product cipher from IBM, and later that year it was defined as the official encryption standard by the US Standards Bureau.

DES software is publicly available (see DES-crypt.c), but is more efficiently implemented in hardware. Users are confident of its security (they will openly say when it is in use - for example, Unix passwords).

Data is encrypted in 64 bit blocks. Ciphertext is output in 64 bit blocks. A 56 bit key is used. The same key is used for both encryption and decryption.
Product and Substitution Cipher Boxes

Each 'box' is parameterized by the pairings of input -> output wires, and each input -> output mapping is invertible. An algorithm is, then, further parameterized by the arrangement of P- and S-boxes, and is also invertible.

[Figure: The Substitution Stages]
The Steps of the DES Algorithm

The algorithm has 19 steps for encryption; decryption simply performs the steps in the reverse order.

Step 1. Transposition of plaintext, independent of key.
Step 19. Inverse of Step 1.
Step 18. Exchange left 32 bits with right 32 bits.
Steps 2-17. Use a function of the key for each stage, which we shall call Ki.

    Left out  := Right in
    Right out := XOR(Left in, f(Right in, Ki))

where f is a 4 step function.

What are the steps of this magic function f?

1. E := R1 (which is 32 bits) expanded to 48 bits.
2. D := XOR(E, Ki).
3. Divide D into 8 x 6 bits; feed each of these 6 bits into a different S box, each producing 4 bits.
4. Feed these 8 x 4 bits (= 32 bits) through a P box.

How is the DES key used?

    K0 := 56 bit transposition cipher of K.
    Divide K0 into 2 x 28 bits.
    ROL each part.
    Ki := 56 bit transposition of the number formed.
Triple DES

DES is still in use today, in an extended form called triple-DES, or 3DES. Whereas the original DES used only one 56-bit key, 3DES uses up to three 56 bit keys (plus one parity byte) in order to increase the difficulty of breaking the cipher:

    3DES_encrypt(key1, key2, key3, message) =
        DES_encrypt(key1, DES_decrypt(key2, DES_encrypt(key3, message)))

The encrypt-decrypt-encrypt approach is used to make the algorithm compatible with single DES, in the special case when key1 = key2 = key3.

DES under Unix in software

A number of routines are provided which are typically used for encrypting passwords and files.

    char *crypt(char *key, char *salt);
    void  setkey(char *key);
    void  encrypt(char *buf, int edflag);

Implementations of Unix supporting remote file-systems and remote-logins often support DES encryption of transfers (such as with RPC/XDR authentication) using the user's login password as the key for the encryption.

At the Crypto '94 conference, M. Matsui presented a DES-breaking technique termed 'linear-cryptanalysis'. Using 2^43 known ciphertexts, he was able to determine a single DES key in 50 days on a 100MHz desktop machine.

As the cracking process is linear, comparable times on contemporary machines are measured in hours.

In 1998 EFF's (then) US$250,000 DES cracking machine contained 1,856 custom chips and could brute force all 2^56 DES keys in 9 days.
DES Modes - Electronic Code Book (ECB)

Traditionally, each block of ciphertext is independent of other blocks, and is most frequently used for the coding of data on some storage medium (such as a disk, or transmitted via a network).

DES Modes - Cipher Block Chaining (CBC)

The notion of chaining ensures that each block is dependent on earlier blocks:

Now, an intruder can neither insert nor delete any block without detection. Cipher block chaining is hence typically used in networking applications.
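To make the 3DES compatibility rule (Triple DES slide) and the ECB/CBC behaviour above concrete, here is an added example (not from the lecture notes) that uses a toy 8-byte Feistel cipher in place of DES: it checks that encrypt-decrypt-encrypt with key1 = key2 = key3 reduces to a single encryption, shows equal plaintext blocks leaking in ECB but not in CBC, and shows a deleted CBC block corrupting the block that follows it. The toy cipher, its sha256-based round function and key schedule, and the demo keys are assumptions for illustration only; it is not DES and not secure.

```python
# Added example: toy Feistel block cipher standing in for DES, with EDE, ECB and CBC.
import hashlib

BLOCK = 8  # bytes per block, as in DES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _subkeys(key: bytes, rounds: int = 8) -> list:
    # Per-round keys derived from the key (assumed toy key schedule).
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]

def _f(right: bytes, subkey: bytes) -> bytes:
    # Round function f(Right in, Ki): keyed hash truncated to the 4-byte half width.
    return hashlib.sha256(right + subkey).digest()[:4]

def _feistel(block: bytes, subkeys: list) -> bytes:
    # Left out := Right in; Right out := XOR(Left in, f(Right in, Ki)); final swap at the end.
    left, right = block[:4], block[4:]
    for k in subkeys:
        left, right = right, _xor(left, _f(right, k))
    return right + left

def block_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key))

def block_decrypt(key: bytes, block: bytes) -> bytes:
    # A Feistel network is inverted by running the same rounds with the subkeys reversed.
    return _feistel(block, _subkeys(key)[::-1])

def tdes_encrypt(key1: bytes, key2: bytes, key3: bytes, block: bytes) -> bytes:
    # The slide's 3DES_encrypt: E(key1, D(key2, E(key3, message))).
    return block_encrypt(key1, block_decrypt(key2, block_encrypt(key3, block)))

def split_blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "data must be a whole number of blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Every block is encrypted independently: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(block_encrypt(key, b) for b in split_blocks(data))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block before encryption.
    out, prev = [], iv
    for b in split_blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in split_blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def cbc_drop_block(data: bytes, index: int) -> bytes:
    """Simulate an intruder deleting ciphertext block `index` in transit."""
    blocks = split_blocks(data)
    return b"".join(blocks[:index] + blocks[index + 1:])

if __name__ == "__main__":
    key, iv = b"k1k1k1k1", bytes(BLOCK)          # constructed demo key and IV
    msg = b"ATTACK!!" * 3                         # three identical plaintext blocks
    print("ECB:", [c.hex() for c in split_blocks(ecb_encrypt(key, msg))])
    print("CBC:", [c.hex() for c in split_blocks(cbc_encrypt(key, iv, msg))])
    print("after dropping CBC block 1:", cbc_decrypt(key, iv, cbc_drop_block(cbc_encrypt(key, iv, msg), 1)))
```

Note that the corrupted output is only "detection" if the receiver can recognise garbage; as the terminology slide says, a separate integrity check is what actually stops an attacker altering the data.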
Exchanging Encryption Keys

Despite centuries of evolution of symmetric key cryptography, the fundamental problem of secure key distribution remains:

"How can two people (or machines) encrypt and decrypt messages using a key if they are not sure that the key itself is secure?"

Diffie-Merkle-Hellman Key exchange

In 1976 Diffie and Hellman, from Stanford University, wrote the paper Multi-User Cryptographic Techniques, proposing a method of exchanging keys.

The Diffie-Hellman key exchange technique enables two active participants (who may never have met) to agree on a new, temporary, session key with which they will exchange a message.

Moreover, anyone eavesdropping on their agreement discussion will not be able to further eavesdrop on the message exchange.

A simple (physical) analogy of how keys can be exchanged:

A wants to send a key to B. A puts the key in a secure box and locks it with A's padlock. B does not have the key to A's padlock, so instead, B receives the box and adds B's own padlock to the box and returns it to A. A removes A's padlock with A's own key and sends the box back to B. B can now remove B's own padlock and remove the key which is now shared by A and B.

The work of Diffie and Hellman was revolutionary in the way we think about cryptography. Previously it was 'intuitively obvious' that the key needed to encode and decode a message needed to be the same (or trivially related).
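The exchange described above, run as an added example (not from the lecture notes) with both sides' messages and the values an eavesdropper sees: each party keeps a private exponent, sends only G^private mod P, and both arrive at the same session key. The prime P = 2^31 - 1, the base G and the sha256 key derivation are constructed demo choices; real deployments use much larger primes.

```python
# Added example: Diffie-Hellman exchange over a public channel (toy parameters).
import hashlib
import secrets

P = 2147483647   # 2^31 - 1, a prime; constructed demo modulus, far too small for real use
G = 7            # public base for the demo

class Party:
    def __init__(self, name: str):
        self.name = name
        self._private = secrets.randbelow(P - 2) + 1   # kept secret, never sent

    def public_value(self) -> int:
        # What goes over the wire: G^private mod P.
        return pow(G, self._private, P)

    def session_key(self, other_public: int) -> bytes:
        # other_public^private mod P is the same on both sides; hashing it gives
        # a fixed-size symmetric key for the message exchange that follows.
        shared = pow(other_public, self._private, P)
        return hashlib.sha256(shared.to_bytes(4, "big")).digest()[:16]

def run_exchange():
    """Run the exchange; return the eavesdropper's view (the wire) and both derived keys."""
    alice, bob = Party("A"), Party("B")
    wire = []                                   # everything visible on the network
    a_pub = alice.public_value()
    wire.append(("A->B", a_pub))
    b_pub = bob.public_value()
    wire.append(("B->A", b_pub))
    key_a = alice.session_key(b_pub)            # A combines B's value with A's secret
    key_b = bob.session_key(a_pub)              # B combines A's value with B's secret
    return wire, key_a, key_b

if __name__ == "__main__":
    wire, key_a, key_b = run_exchange()
    print("on the wire:", wire)
    print("A's key:", key_a.hex())
    print("B's key:", key_b.hex(), "(same)" if key_a == key_b else "(MISMATCH)")
```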
Public Key Cryptography

Using public key encryption we use two keys rather than just one.

The public key, E, may be openly published.
The private key, D, is known only by the intended recipient.

The plan is to choose keys such that even knowing the public key does not reveal the private key:

- A and B openly publish their public keys (viewed as algorithms) EA and EB.
- A sends EB(Plaintext message) to B.
- B calculates DB(EB(Plaintext message)) = Plaintext message.
- B can then reply with EA(Plaintext reply) for A to read.
The MIT/RSA Algorithm

In 1978, Ron Rivest, Adi Shamir, and Leonard Adleman, all of MIT, published the imaginatively named RSA algorithm for the generation of encryption/decryption functions from number theory.

The difficulty arises when choosing the algorithms EA and DA such that they are inverses of one another and yet difficult to crack.

Key length             Factorization times       With 10^7 x 1GHz machines
429-bits (RSA-129)     4,600 MIPS-years          14.5 secs
512-bits               420,000 MIPS-years        22 minutes
700-bits               4.2 x 10^9 MIPS-years     153 days
1024-bits              2.8 x 10^15 MIPS-years    280,000 years

We choose two very large prime numbers, p and q, each over 100 digits. We define EA to be the pair (e, n) where n = p x q (for p, q being 100 digit primes, n will typically have at least 200 decimal digits). We define DA to be the pair (d, n) where (e x d) mod ((p-1) x (q-1)) = 1.

We then use:

    Encryption function: C := P^e mod n
    Decryption function: P := C^d mod n
Asymmetric ciphers

RSA is an example of an asymmetric cipher, employing different keys for encryption and decryption. The relationship between keys simplifies an attack.

RSA has become ubiquitous. It is commonly used in applications such as Microsoft Internet Explorer and Firefox for implementing security (SSL), within mail clients for signing and encrypting emails (S/MIME), within payment systems, and for encrypting traffic between VPN gateways.

Keys for asymmetric ciphers need to be longer than keys for symmetric ciphers to achieve similar resistance to brute-force attacks:

Symmetric Key Length    Asymmetric Key Length
56 bits                 384 bits
64 bits                 512 bits
80 bits                 768 bits
112 bits                1792 bits
128 bits                2304 bits

The 17-year patent on RSA was due to expire on September 20, 2000, but was released into the public domain two weeks early on September 6, 2000.
"Because the RSA algorithm remains one of the most widely used methods of implementing public key cryptography, the expiration of the RSA patent is good news for software companies, e-commerce, and users of private or secure communications. The fundamental patents on public key cryptography have all now expired, and we should expect an explosion of new and powerful implementations of this technology. I expect there will be expiration parties from Palo Alto to Perth as technology companies roll out new applications of this important technology!" — Pat Finn, "Handbook of Intellectual Property Claims and Remedies"
Strong Encryption is not enough - the need for Digital Signatures

The push for eCommerce has demonstrated the need, not for greater bandwidth, nor (strictly) for greater end-to-end security, but for authentication and authorization of the end players.

Digital signatures were first discussed by Diffie and Hellman in their 1976 'New Directions in Cryptography', but eCommerce is only recently demonstrating their worth to a wider audience (and their patent has expired!).

Unlike traditional signatures, a digital signature cannot be a constant; it must be a function of the document that it signs.

A digital signature prevents two types of fraud -

- the forging of a signature by the receiver (or any third party), and
- the repudiation of the transmission of a message by the sender.

Two categories of digital signature are identified:

- True signatures, signed by the sender, verified by the receiver.
- Arbitrated signatures may only be sent and verified through a trusted third party. The recipient is unable to verify the sender's signature directly, but is assured of its validity through the mediation of the arbitrator.
Message Digests - basic building blocks

A message digest is a 16-, 20-, or 32-byte 'fingerprint' of a message.

Message digests are central to digital signatures. When a message is signed, its contents are first hashed to give a message digest. The digest is then encrypted with the sender's secret key, giving a proof of the sender's identity.

A good digest must have the properties:

- An absence of collisions. Unlike simpler file checksums, which quickly demonstrate file or data integrity, it must be hard to find two messages with the same digest.
- Must not be invertible. Digests are deterministic many-to-one functions.
- A uniform distribution of results. A change in just one input bit should affect at least half the output bits.

Simple changes to even a single byte (even a single bit) should result in dramatic changes to the digest:

    The winner is Sydney    2f8eff80630eb401b0038d8df420719b
    The winner is Sydey     f2b91cf6f8ad805a127182e8a46d450f

Some popular message digests:

- MD2 and MD5: developed by RSA, producing 16-byte hashes. Research in 1994 found weaknesses in collision frequencies.
- RIPEMD-160: The European standard producing 20-byte hashes.
- SHA-1, SHA-2 and SHA-256 are specified by the US government for their DSA, outputting 20-byte hashes.

From 2004: MD5 To Be Considered Harmful Someday.
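The avalanche property above ("one input bit should affect at least half the output bits") can be measured directly; this added example (not from the lecture notes) counts the differing digest bits for the slide's two strings and for a single flipped input bit. The helper names are assumptions for the demonstration.

```python
# Added example: measuring how many digest bits change for a small input change.
import hashlib

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_bit_distance(a: bytes, b: bytes, algorithm: str = "md5") -> int:
    """Number of output bits that differ between the digests of a and b (0..128 for MD5)."""
    da = int.from_bytes(hashlib.new(algorithm, a).digest(), "big")
    db = int.from_bytes(hashlib.new(algorithm, b).digest(), "big")
    return bin(da ^ db).count("1")

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return data with exactly one input bit flipped (bit 0 is the low bit of byte 0)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)

def avalanche_report(message: bytes, algorithm: str = "md5") -> float:
    """Average fraction of digest bits changed over every single-bit flip of the input."""
    total_bits = len(message) * 8
    digest_bits = hashlib.new(algorithm).digest_size * 8
    changed = sum(digest_bit_distance(message, flip_bit(message, i), algorithm)
                  for i in range(total_bits))
    return changed / (total_bits * digest_bits)

if __name__ == "__main__":
    a, b = b"The winner is Sydney", b"The winner is Sydey"   # the slide's two inputs
    print(md5_hex(a), md5_hex(b), digest_bit_distance(a, b), "bits differ")
    print("average fraction changed per flipped input bit:", round(avalanche_report(a), 3))
```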
(Old) performance of the basic building blocks

Message digest algorithms (on 233MHz Pentium-II, but speed scales linearly):

Algorithm    Calculation (KB/sec)
MD5          36,250
SHA-1        20,428

Symmetric key algorithms (233MHz Pentium-II):

Algorithm              Setup (ms)    Encryption (KB/sec)    Decryption (KB/sec)
DES (56 bit)           6.3           4,386                  4,557
Triple-DES (112 bit)   22            1,596                  1,620
RC4 (128 bits)         29.8          27,325                 28,132
RC5 (128 bit)          352           4,576                  4,691

Asymmetric key algorithms (233MHz Pentium-II):

Algorithm          512 bits (KB/s)    1024 bits (KB/s)    2048 bits (KB/s)
RSA encryption     10.5               4.23                0.436
RSA decryption     5.28               2.87                1.4

The command-line openssl program provides speeds on contemporary machines:

    linux> openssl
    OpenSSL> speed md5
    To get the most accurate results, try to run this program
    when this computer is idle.
    Doing md5 for 3s on 16 size blocks: 1722968 md5's in 2.80s
    Doing md5 for 3s on 64 size blocks: 1469874 md5's in 2.80s
    ....
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    md5               9833.40k    33603.65k    92756.49k   167532.74k   217651.97k

For large amounts of data, we first encrypt the data with a symmetric algorithm and then encrypt the symmetric key with an asymmetric algorithm. Hybrid protocols are used in most current cryptographic architectures, such as SSL.
Digital signature generation

Digital certificates are often confused with digital signatures.

Like a message digest, a digital signature is a 'summary' of the original message, but also provides an assurance that the original creator of the signature has the private key matching the public key used to generate the signature.

But who holds the public and private keys?

What if the public key had been replaced with another?
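The RSA construction from the MIT/RSA slide and the signature generation described on this slide and the message-digest slide, run end to end as an added example (not from the lecture notes): keys are built from p, q and e with (e x d) mod ((p-1)(q-1)) = 1, a message is encrypted and decrypted with C := P^e mod n and P := C^d mod n, and a signature is formed by hashing the message and raising the digest to the private exponent. The primes are constructed demo values (the Mersenne primes 2^31-1 and 2^61-1), far smaller than the 100-digit primes the slides call for, and the helper names are assumptions.

```python
# Added example: textbook RSA key generation, encryption, and digest signing.
import hashlib

def _egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = _egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(e: int, m: int) -> int:
    """d such that (e * d) mod m == 1, as required for the decryption key."""
    g, x, _ = _egcd(e, m)
    if g != 1:
        raise ValueError("e must be coprime to (p-1)*(q-1)")
    return x % m

def rsa_keygen(p: int, q: int, e: int):
    """EA = (e, n) and DA = (d, n) with n = p*q and (e*d) mod ((p-1)*(q-1)) == 1."""
    n = p * q
    d = modinv(e, (p - 1) * (q - 1))
    return (e, n), (d, n)

def rsa_encrypt(public, plaintext: int) -> int:
    e, n = public
    assert 0 <= plaintext < n, "plaintext must be smaller than the modulus"
    return pow(plaintext, e, n)          # C := P^e mod n

def rsa_decrypt(private, ciphertext: int) -> int:
    d, n = private
    return pow(ciphertext, d, n)         # P := C^d mod n

def _digest_as_int(message: bytes, n: int) -> int:
    # The message is hashed first; the digest is reduced so that it fits under n.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message: bytes) -> int:
    # The digest is "encrypted" with the sender's private key, as the digest slide puts it.
    d, n = private
    return pow(_digest_as_int(message, n), d, n)

def verify(public, message: bytes, signature: int) -> bool:
    # Anyone holding the public key recovers the digest and compares it with a fresh hash.
    e, n = public
    return pow(signature, e, n) == _digest_as_int(message, n)

# Constructed demo primes: 2^31-1 and 2^61-1 (both prime); e = 65537 is coprime to (p-1)(q-1).
P_DEMO, Q_DEMO, E_DEMO = 2147483647, 2305843009213693951, 65537
PUBLIC, PRIVATE = rsa_keygen(P_DEMO, Q_DEMO, E_DEMO)

if __name__ == "__main__":
    c = rsa_encrypt(PUBLIC, 42)
    print("ciphertext", c, "decrypts to", rsa_decrypt(PRIVATE, c))
    s = sign(PRIVATE, b"pay 100 dollars")
    print("valid:", verify(PUBLIC, b"pay 100 dollars", s),
          "tampered:", verify(PUBLIC, b"pay 900 dollars", s))
```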
Digital certificates

Digital certificates have been loosely described as the driver's license for the Internet.

A digital certificate provides a binding between an entity's public key, and one or more attributes to its identity.

An entity may be a person, an executing piece of software, or a device such as a router or a smart-card. A certification authority (CA) attests to the authenticity of the entity's public key by digitally signing a message with its own private key. The 'quality' of the certificate depends on the detail of information provided to the CA (more later). Either public and private keys may be issued by the CA, or the CA may challenge the entity's public key.

The successful use of digital certificates appears within a large community - little is gained by issuing one's own.
Digital certificate encoding

Today, certificates are defined by the ISO X.509 protocol and appear as an application/x-x509-user-cert MIME type.

The data is encoded using Abstract Syntax Notation (ASN.1) encoding and transmitted in ASCII using base64 encoding (18 bit data -> 24 bit representation).

Early debate centred on whether the certificate itself needed to be encrypted (now not).
Browser support for digital certificates

Digital certificates are managed by all common browsers: Firefox, Safari, Opera, Netscape Navigator, Microsoft Internet Explorer ...

If visiting a site with the secure Hypertext Transport Protocol, as with https://secure.csse.uwa.edu.au/ we can view digital certificate information via the 'padlocked' icon.

Unfortunately, there are often few CAs from Australia in most common browsers.
Browser support for digital certificates

The browser will display the digital certificate from the current page - here showing:

- The subject of the certificate,
- The issuer (CA) of the certificate,
- The serial number of the certificate,
- The period of validity of the certificate, and
- The message digest of the certificate.

If the issuer of a site's digital certificate is already known by the browser (either 'hard-wired' or manually added), the issuer's certificate may be viewed and verified.

Version 3 of X.509 introduced extension fields - the association of additional information with a certificate. Each extension has:

- an extension type providing semantics and typing of the extension (e.g. a string),
- an extension value, such as an email or IP address, and
- a criticality indicator indicating if the whole certificate should be ignored if an extension is not recognized.

Standard extensions (?) now describe the 'strength' and purpose of the certificate - digital signature, non-repudiation, key encipherment, data encipherment, certificate signing, etc.
Certificate Path validation

CAs are organized in hierarchies - each parent CA signs a certificate vouching for a subordinate CA's public key.

When validating a chain of certificates, the certificate path, the path is followed until the top of the chain is reached (when?).

There is no automated way of verifying the top of a certificate chain other than verifying that it is one of a list of directly known (and implicitly trusted) certificates (such as in a browser).

Several companies, such as VeriSign, Thawte, Baltimore, AT&T, and a growing band of government departments have positioned themselves 'at the top'.
Certificate Revocation Lists

A certificate revocation list (CRL) allows clients and servers to check whether the entity they are dealing with has a valid certificate.

Trust breaks down, and CRLs are required, when:

- a subject's private key is exposed,
- a CA's private key is exposed, and
- the relationship between the subject and CA changes (e.g. the subject is no longer employed by the CA, or stops paying money to the CA).

Certificate revocation plays a crucial part in the authentication process:

1. Obtain the subject's digital certificate and verify its validity.
2. Extract the serial number of the certificate.
3. Fetch the current CRL from the CA.
4. Verify the CRL's digital signature, and record its publication time and when the next CRL is to be published.
5. Examine the CRL to determine if the intended certificate has been revoked or suspended (based on the certificate serial number).
6. Alert the user if the certificate is revoked.

Limitations of Certificate Revocation

In a large public key infrastructure community, CRLs are both large and must be downloaded frequently.

Applications can be significantly slowed by the need to retrieve the latest CRL from a heavily taxed directory server (or other distribution point).

There exists a compromise between always being up-to-date, versus the risk of false certificate acceptance.
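The six-step revocation check above, run as an added example (not from the lecture notes) over a constructed certificate and CRL, including the "stale CRL" case that the limitations paragraph is about. Records are plain dicts rather than X.509/ASN.1, the CA signs with the textbook toy RSA key (n = 3233, e = 17, d = 2753), and the reason codes keyCompromise and certificateHold are the standard X.509 CRL reasons; everything else is a constructed assumption for the demonstration.

```python
# Added example: checking a certificate's serial number against a signed CRL.
import hashlib
import json
from datetime import datetime, timezone

CA_PUBLIC = (17, 3233)        # (e, n): what every client holds for the demo CA
CA_PRIVATE = (2753, 3233)     # (d, n): held only by the CA (toy value, not secure)

def _digest(obj, n: int) -> int:
    # Canonical JSON of the record, hashed and reduced to fit under the toy modulus.
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ca_sign(obj) -> int:
    d, n = CA_PRIVATE
    return pow(_digest(obj, n), d, n)

def ca_verify(obj, signature: int) -> bool:
    e, n = CA_PUBLIC
    return pow(signature, e, n) == _digest(obj, n)

def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def check_certificate(cert: dict, crl: dict, now_iso: str) -> str:
    """Return 'valid', 'revoked', 'suspended' or 'error: ...', following the slide's steps."""
    now = _ts(now_iso)
    # 1. Obtain the certificate and verify it: CA signature over its body, then the validity period.
    if not ca_verify(cert["body"], cert["signature"]):
        return "error: certificate signature invalid"
    body = cert["body"]
    if not _ts(body["not_before"]) <= now <= _ts(body["not_after"]):
        return "error: certificate outside validity period"
    # 2. Extract the serial number.
    serial = body["serial"]
    # 3. The current CRL is passed in (already fetched from the CA's distribution point).
    # 4. Verify the CRL's signature and record its publication and next-update times.
    if not ca_verify(crl["body"], crl["signature"]):
        return "error: CRL signature invalid"
    published, next_update = _ts(crl["body"]["this_update"]), _ts(crl["body"]["next_update"])
    if now > next_update:
        return "error: CRL is stale (published %s, next update was due %s)" % (
            published.date(), next_update.date())
    # 5. Look the serial number up in the CRL.
    for entry in crl["body"]["revoked"]:
        if entry["serial"] == serial:
            # 6. Report the result so the application can alert the user.
            return "suspended" if entry["reason"] == "certificateHold" else "revoked"
    return "valid"

# Constructed sample data: one certificate and a CRL listing two serial numbers.
CERT_BODY = {"serial": 1001, "subject": "CN=example.test", "issuer": "CN=Demo CA",
             "not_before": "2020-01-01T00:00:00", "not_after": "2021-01-01T00:00:00"}
CERT = {"body": CERT_BODY, "signature": ca_sign(CERT_BODY)}
CRL_BODY = {"issuer": "CN=Demo CA", "this_update": "2020-05-01T00:00:00",
            "next_update": "2020-06-01T00:00:00",
            "revoked": [{"serial": 1001, "reason": "keyCompromise"},
                        {"serial": 1002, "reason": "certificateHold"}]}
CRL = {"body": CRL_BODY, "signature": ca_sign(CRL_BODY)}

if __name__ == "__main__":
    print("serial 1001 on 2020-05-15:", check_certificate(CERT, CRL, "2020-05-15T12:00:00"))
    print("serial 1001 on 2020-07-01:", check_certificate(CERT, CRL, "2020-07-01T12:00:00"))
```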