Cryptography, Digital Signatures, and Public Key Certificates
CS4244 - WWW: The Underlying Technology - Prof. Abrams
Overview
Example
- Bob has asked Alice out for a date via the Internet.
- Alice wants to accept.
- Meanwhile, Alice's parents are curious what Alice is saying to Bob.
- So Alice wants to send a secret message to Bob, accepting the date,
  so her parents don't know what's up...

                 PARENTS
  ALICE =============> BOB

- Alice starts with a cleartext or plaintext message:
  "Yes, I'm free tonight!"
- To assure message secrecy, Alice encrypts the cleartext into
  an encrypted message (the ciphertext): "aslu38198314h, b.q,mb4kj4q5"
- Upon receipt, Bob decrypts the message to retrieve the cleartext.
- Even if the parents hear the encrypted message (e.g., by eavesdropping on the
  transmission channel), they cannot learn the cleartext.

So Alice and Bob use cryptography to achieve confidentiality
of their message.
In addition to confidentiality, cryptography can be used for:
- authentication --
  Bob gets a message saying "No, I'm not free tonight!"
  Did Alice really send it, or did the parents spoof Alice's host?
- integrity --
  Maybe Alice sent "Yes, I'm free tonight!"
  but the parents modified the message during transmission to say "No,
  I'm not free tonight!"
- non-repudiation --
  Something happens that gets Alice mad at Bob. So Alice sends a nasty
  note to Bob. Bob is incensed!
  Alice later forgives Bob, and claims that she never sent the note.
  Alice explains that her parents must have either modified the note or spoofed
  her host! How can Bob tell whether Alice or her parents sent it?
Algorithms We'll Look At:
Encryption Algorithms
- Let Alice encode the information so that the original message cannot
  be retrieved by the parents.
- Two forms: secret-key (symmetric) encryption, where Alice and Bob share
  one key, and public-key (asymmetric) encryption, where each party has a
  key pair. Both are covered below.
Key-Exchange Algorithms
- Let Alice and Bob agree on a secret key over an insecure channel.
One-Way Hashing Algorithms
- Guard against someone changing a message.
- Solve the integrity problem: if the parents try to modify Alice's message,
  Bob will know.
- How it works: Alice creates a digest
  of her message. If "Yes I'm free" is modified, the digest won't match
  the modified text.
Secret-Key Encryption
The communicating partners (Alice and Bob) share a secret (the key) used
to encrypt and decrypt messages.
Simple Example -- the XOR algorithm
- Encryption: characters in the message are XORed with the key
  (the key is repeated as often as needed to cover the message).
- Decryption: characters of the encrypted message are XORed with the same key
  (XORing twice with the same value restores the original).
This simple-XOR algorithm with a repeating key is a polyalphabetic substitution cipher.
Analysis of XOR algorithm:
- Very easy to break -- there are methods to derive the key and cleartext from
  the encrypted text. For example, if the parents know or can guess a few
  characters of the plaintext, XORing them with the ciphertext gives the key
  directly (ciphertext XOR plaintext = key), and because the key repeats, the
  recovered key decrypts the whole message.
- It's the algorithm used in cellular phones (160 bit key).
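The following is an added example for these notes, not code from the original page: it implements the repeating-key XOR cipher described above and then breaks it with the known-plaintext attack the analysis refers to. The message, key and "crib" are constructed for the example.

```python
"""XOR cipher with a repeating key, and why it is easy to break.

Added example for these lecture notes; not code from the original page.
The message, key and crib below are constructed for the example.
"""


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt: XOR each byte with the key byte at the same
    position, repeating the key as often as needed. XOR is its own
    inverse, so one function does both directions."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_known_plaintext(ciphertext: bytes, known_plaintext: bytes,
                                key_length: int) -> bytes:
    """Known-plaintext attack: if the parents know (or guess) the first
    key_length bytes of Alice's message, XORing them with the ciphertext
    yields the key, because c XOR m = (m XOR k) XOR m = k."""
    if len(known_plaintext) < key_length:
        raise ValueError("need at least key_length bytes of known plaintext")
    return bytes(c ^ m for c, m in zip(ciphertext[:key_length],
                                       known_plaintext[:key_length]))


def demo() -> bytes:
    """Alice encrypts, Bob decrypts, and the parents recover the whole
    message from a six-character guess about how it starts."""
    key = b"secret"                        # constructed 48-bit key
    plaintext = b"Yes, I'm free tonight! Meet me at the library at 8."
    ciphertext = xor_cipher(plaintext, key)

    # Bob, who shares the key, gets the cleartext back.
    assert xor_cipher(ciphertext, key) == plaintext

    # The parents only guess the opening words; the crib must be at least
    # as long as the key (the key length itself can be found by Kasiski
    # examination or index-of-coincidence tests, not shown here).
    crib = b"Yes, I"
    guessed_key = recover_key_known_plaintext(ciphertext, crib, len(key))
    return xor_cipher(ciphertext, guessed_key)


if __name__ == "__main__":
    print(demo().decode())
```

Note that nothing in the attack depends on the key being short: a 160-bit key repeats every 20 bytes, so 20 bytes of known plaintext anywhere in the message (aligned to the key period) exposes it completely.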
Real examples:
DES (Data Encryption Standard)
- Adopted by the U.S. government in 1977 as the federal standard for encryption of
  commercial and sensitive-but-unclassified government computer data.
- DES is a block cipher (encrypts data in blocks of 64 bits) and relies on
  a key of 56 bits.
- A modified DES (the crypt(3) password hash) is used to authenticate users on
  standard UNIX machines.
- That key is too short: a brute-force attack (i.e., the
  attacker tries all 2^56 possible keys) recovers the key. In 1998 the Electronic
  Frontier Foundation's "Deep Crack" machine did so in about 56 hours.
- A more secure variant which applies DES three times with different keys
  is called Triple DES (TDES, also written 3DES).
- The U.S. National Security Agency (NSA) proposed Skipjack to
  replace DES in the future.
  - At the time little information about the algorithm was public (it was
    declassified and published in 1998).
  - Was to be implemented only in hardware (the Clipper chip).
  - The algorithm is considered strong.
  - It raised controversy because of the Clipper chip: this implementation of
    Skipjack contains a key-escrow mechanism that allows governmental agencies
    to decrypt messages.
RC2, RC4
- Developed at RSA Data Security Inc.
- The algorithms were not published by RSA but were considered strong (both have
  since been reverse-engineered and posted publicly; RC4 is now known to have
  serious statistical biases and is deprecated).
- RSA made an agreement with the U.S. Government to have a special export status
  for RC2 and RC4 when the key is 40 bits or less. These algorithms are used in
  Netscape Navigator and other software products for the U.S. and abroad.
  A 40-bit key offers no real protection: 2^40 trials is within reach of a
  few ordinary machines in hours.
IDEA (International Data Encryption Algorithm)
- Block cipher algorithm with blocks of 64 bits and a key of 128 bits.
- Used in the Pretty Good Privacy (PGP) program.
AES (Advanced Encryption Standard)
- Successor to DES
- Objective: protect government information
- Goal: mandatory use by U.S. government, voluntary use by the private
  sector
- 128-bit key to be "secure" for the next 30 years, given the pace of Moore's law
- The National Institute of Standards and Technology (NIST) evaluated submitted
  proposals for what AES should be
- Requirements:
  - "unclassified,
  - publicly disclosed encryption algorithm(s),
  - available royalty-free, worldwide
  - must
    - implement symmetric key cryptography as a block cipher
    - support (at a minimum) block sizes of 128-bits and key sizes of 128-, 192-,
      and 256-bits"
- NIST selected 15 candidate algorithms in August 1998; narrowed to five
  in April 1999, selected the winner in Fall 2000
- Winner:
  - Rijndael (pronounced "Rhine-doll")
  - By Joan Daemen of Proton World International & Vincent Rijmen
    of Catholic Univ. in Leuven, Belgium
  - Had the best combination of security, performance, efficiency, ease of implementation,
    flexibility
  - Expected to become a standard in Feb. 2001 (it was published as FIPS 197 in
    November 2001)
  - Likely that U.S. financial institutions will adopt it
Key-Exchange Protocols
How can Bob and Alice, communicating in the clear over the Internet itself, agree on
a secret key to use in the encryption algorithm?
- Suppose they choose the key "1997".
- If Bob sends Alice "1997", and the parents eavesdrop, the parents could
  decode any subsequent encrypted messages!
Example Protocol -- Diffie-Hellman Key Exchange Protocol:
- Alice and Bob agree on a large prime number n and
  another number g (a generator modulo n);
  these numbers are not necessarily secret.
  - e.g., n=31 and g=2
- Alice generates a random number x and
  sends to Bob the value: X = g^x mod n.
  - x=1 and X = 2^1 mod 31 = 2
- Bob generates a random number y and
  sends to Alice the value: Y = g^y mod n.
  - y=3 and Y = 2^3 mod 31 = 8
- Alice receives the value of Y and computes: K_x = Y^x mod n.
  - K_x = 8^1 mod 31 = 8
- Bob receives the value of X and computes K_y = X^y mod n.
  - K_y = 2^3 mod 31 = 8
The algorithm ensures that K_x = K_y (both equal g^(xy) mod n),
so the value can be used as the secret key.
A third party (Eve) cannot determine the value of the secret key by eavesdropping.
The reason is that it is difficult to recover x from X = g^x mod n (the
discrete logarithm problem) when n is large, and without x or y Eve cannot
compute K from X and Y alone.
Two caveats a real implementation must observe:
- The toy numbers above only illustrate the arithmetic. With n=31 Eve can try
  every exponent; choosing x=1 makes X = g, which gives x away at once; and
  since 2^5 = 32 = 1 (mod 31), g=2 has order 5 modulo 31, so only five distinct
  values of X are even possible. Real deployments use standardized groups with
  n of 2048 bits or more and fresh random x and y.
- Diffie-Hellman by itself does not authenticate the parties. If the parents
  can intercept and replace messages, they can run one exchange with Alice and
  another with Bob (a man-in-the-middle attack) and read everything. The values
  X and Y must be authenticated, e.g., with the digital signatures and
  certificates discussed below.
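As an added example (not code from the original notes), the exchange above in Python, run first with the lecture's toy parameters and then with a much larger modulus, together with the brute-force discrete-logarithm attack that succeeds against the toy group. The 521-bit modulus is a known Mersenne prime chosen only to show that the arithmetic scales; it and the generator 5 are assumptions of this example, not a standard group (real deployments use the RFC 3526 / RFC 7919 groups or elliptic-curve DH).

```python
"""Diffie-Hellman key exchange with the lecture's toy parameters (n=31, g=2)
and with a much larger prime, plus the brute-force discrete-log attack that
works against the toy group and is hopeless against a large one.

Added example for these lecture notes; not code from the original page.
"""
import secrets


def dh_public(g: int, n: int, private: int) -> int:
    """Alice: X = g^x mod n; Bob: Y = g^y mod n."""
    return pow(g, private, n)


def dh_shared(peer_public: int, private: int, n: int) -> int:
    """Alice: K = Y^x mod n; Bob: K = X^y mod n. Both equal g^(xy) mod n."""
    return pow(peer_public, private, n)


def exchange(g: int, n: int, x: int, y: int) -> tuple:
    """Run one exchange and return (X, Y, K_alice, K_bob)."""
    X = dh_public(g, n, x)
    Y = dh_public(g, n, y)
    return X, Y, dh_shared(Y, x, n), dh_shared(X, y, n)


def brute_force_discrete_log(g: int, n: int, target: int) -> int:
    """Eve's attack on a tiny group: try every exponent until g^e mod n == target.
    This costs up to n-1 modular multiplications, which is why n must be huge."""
    for e in range(1, n):
        if pow(g, e, n) == target:
            return e
    raise ValueError("target is not a power of g modulo n")


def eve_recovers_key(g: int, n: int, X: int, Y: int) -> int:
    """From the eavesdropped X and Y, recover Alice's x and then K = Y^x mod n."""
    x = brute_force_discrete_log(g, n, X)
    return pow(Y, x, n)


# Constructed large parameters: 2^521 - 1 is prime; the generator is an
# assumption of this demo, not a vetted group parameter.
BIG_N = 2**521 - 1
BIG_G = 5


def random_exchange(g: int = BIG_G, n: int = BIG_N) -> tuple:
    """Fresh random exponents in [2, n-2], as a real implementation would pick."""
    x = secrets.randbelow(n - 3) + 2
    y = secrets.randbelow(n - 3) + 2
    return exchange(g, n, x, y)


if __name__ == "__main__":
    X, Y, ka, kb = exchange(2, 31, 1, 3)
    print("toy exchange X, Y, K_alice, K_bob:", X, Y, ka, kb)   # 2 8 8 8
    print("Eve's brute-forced key:", eve_recovers_key(2, 31, X, Y))  # 8
    _, _, ka, kb = random_exchange()
    print("large exchange agrees:", ka == kb)
```

Running `brute_force_discrete_log` against `BIG_N` would never finish, which is the whole point; what makes the large exchange safe against an eavesdropper is the size of the group, not any secrecy of g or n.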
Public-Key Encryption Algorithms
It turns out that Bob and Alice haven't yet studied exponentials in school,
so they don't believe that secret key encryption works. Do they have
an alternative?
Yes! Use public keys!
Public-key encryption uses two different keys, one for encryption and one for decryption.
Bob has two keys:
- one private key known only to Bob
- one public key known by any other party
  (e.g., Alice) that wants to communicate with Bob
Anyone that wants to send a secure message to Bob must know the public
key, and uses it to encrypt the message. Bob receives the message and decrypts
it with his private key.
Even the parents can know the public key! But Alice
never needs to know the private key!
Example:
If Alice wants to send a secure message to Bob:
- Alice encrypts the message with Bob's public key and
  sends the message to Bob.
- Bob decrypts the message with his private key.
The parents (and even Alice) cannot decode Alice's message, since only
Bob has the secret private key. The private key's sort of like a
secret decoder ring!
Advantage of public key encryption:
Alice and Bob don't have to share a secret or use a secure channel (e.g.,
the telephone) to exchange a key.
Disadvantages:
1) Bob must distribute his public key to Alice, so Alice can send encrypted
messages.
(But how does Alice know the public key came from Bob, and not from
the parents? Alice could wind up encrypting messages that only the
parents can decrypt! More on this problem later...)
2) Alice must wait longer to get her messages encrypted with a public
key algorithm compared to a secret key algorithm (public-key operations are
typically hundreds to thousands of times slower).
Mitigation: Alice can get the best of both worlds by using a hybrid protocol.
Alice and Bob use the public-key algorithm to exchange a secret (session) key.
Then they use the secret key to send encrypted messages! This is how SSL and
PGP work.
Example Algorithm -- RSA (Ron Rivest, Adi Shamir, Leonard Adleman):
The "de facto" standard in public key encryption.
The algorithm has two phases.
- In the first, Bob generates keys and makes public the
  public key.
  - Choose "two large primes, p and q.
  - Compute n = pq
    (n is called the modulus).
  - Choose a number, e, less than n and relatively prime to (p-1)(q-1).
    Thus e and (p-1)(q-1) have no common factors except 1.
  - Find another number d such that (ed - 1) is divisible by (p-1)(q-1)
    (i.e., d is the inverse of e modulo (p-1)(q-1)).
  - The values e and d are called the public and private exponents, respectively.
  - The public key is the pair (n,e); the private key is (n,d)." [From RSA
    FAQ.]
  - Bob sends the public key to Alice.
- In the second, Alice encrypts a message and Bob decrypts
  it:
  - Alice encrypts the message m (an integer less than n) with Bob's public
    key (n,e): c = m^e mod n, and sends c to Bob.
  - Bob decrypts the message with his private key (n,d): m = c^d mod n.
See http://www.rsa.com/rsalabs/newfaq/q8.html
for the actual algorithm.
Comments:
- RSA gets its security from the difficulty of factoring large numbers:
  "If one could factor n into p and q,
  however, then one could obtain the private key d. Thus the security of
  RSA is related to the assumption that factoring is difficult." [From RSA
  FAQ.]
- The "textbook" RSA above is deterministic (the same m always gives the same c)
  and must not be applied directly to raw messages; real systems first pad the
  message with random bytes (e.g., PKCS #1 OAEP) and, per the hybrid protocol
  above, use RSA only to wrap a symmetric session key.
- Patent until 20 Sept. 2000 held by RSA Data Security, Inc. (but most non-US
  countries don't recognize the patent, and use public key encryption anyway)
- Licensed to many companies
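An added example (not code from the original page or from RSA) that follows the key-generation recipe quoted above step by step and then performs the encryption and decryption. To keep it self-contained it uses two hard-coded Mersenne primes instead of a random prime generator; those constants, the exponent e = 65537 and the text-to-integer helpers are assumptions of this example. It is textbook RSA with no padding, exactly as the notes describe it, and is not suitable for real use.

```python
"""Textbook RSA: key generation, encryption and decryption as described in
the notes (p, q, n = pq, e coprime to (p-1)(q-1), d = e^-1 mod (p-1)(q-1)).

Added example for these lecture notes; not code from the original page.
The primes are hard-coded so the example runs without a prime generator;
real keys use two random primes of 1024 bits or more, and real systems pad
the message (PKCS #1 OAEP) rather than encrypting raw integers as done here.
"""
from math import gcd

# Constructed key material: 2^107-1 and 2^127-1 are known (Mersenne) primes,
# giving a 234-bit modulus. Assumed for the example only.
P = 2**107 - 1
Q = 2**127 - 1


def generate_keys(p: int, q: int, e: int = 65537) -> tuple:
    """Return ((n, e), (n, d)) following the notes: n = pq, e relatively
    prime to (p-1)(q-1), and d such that (e*d - 1) is divisible by (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    assert (e * d - 1) % phi == 0    # the defining property of d
    return (n, e), (n, d)


def encrypt(m: int, public_key: tuple) -> int:
    """Alice: c = m^e mod n. The message must be an integer in [0, n)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(c: int, private_key: tuple) -> int:
    """Bob: m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def text_to_int(text: str) -> int:
    """Encode a short string as a big-endian integer (must stay below n)."""
    return int.from_bytes(text.encode(), "big")


def int_to_text(value: int) -> str:
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode()


def round_trip(message: str) -> str:
    """Alice encrypts with Bob's public key; Bob decrypts with his private key."""
    public, private = generate_keys(P, Q)
    c = encrypt(text_to_int(message), public)
    return int_to_text(decrypt(c, private))


if __name__ == "__main__":
    public, private = generate_keys(P, Q)
    print("public key (n, e):", public)
    print("round trip:", round_trip("Yes, I'm free tonight!"))
```

Because `encrypt` is deterministic, the parents could confirm a guess ("Yes, I'm free tonight!") by encrypting it themselves with Bob's public key and comparing ciphertexts; that is the reason real implementations add random padding before exponentiation.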
One-Way Hash Functions
The algorithms presented so far are used to prevent a 3rd party from viewing
a message.
But that won't stop someone from corrupting or otherwise changing a
message.
So how can we guard against someone changing a message? Use a One-Way
Hash Function!
The purpose is to generate a digest of a message that
has the following properties:
- It's relatively short (between 128 and 256 bits) and of fixed length,
  whatever the size of the message.
- Given a message it is easy to generate the digest.
- Given the message digest it is difficult to reconstruct
  the message (preimage resistance).
- Given a message and its hash value it is difficult to find a different message
  which has the same hash value (second-preimage resistance), and it is
  difficult to find any two messages with the same hash value (collision
  resistance).
Example Algorithm: SHA (Secure Hash Algorithm):
Designed by the U.S. National Institute of Standards and Technology (NIST)
and NSA and proposed as a standard.
"The algorithm takes a message of less than 2^64 bits in length
and produces a 160-bit message digest." [From RSA
FAQ]
A digital signature combines a hash function with public-key encryption:
- Alice computes the digest of the message and encrypts the
  digest with her private key. The encrypted digest is called the digital signature
  of the message.
- Alice sends the message and the digital signature to Bob.
- Bob receives the message and the digital signature. He decrypts the
  digital signature using Alice's public key. After that, he computes the digest
  and compares it with the decrypted value. If the two digests are the same,
  Bob is sure that the message was not altered during transmission and that it
  was signed with Alice's private key (authentication); since only Alice holds
  that key, she cannot later plausibly deny having signed it (non-repudiation).
Other Algorithms:
- MD5 (Message Digest 5, developed by RSA)
- Use both SHA and MD5 (used in Netscape's Secure Sockets Layer)
Note: MD5 and the original SHA (SHA-1) have since been shown to lack collision
resistance; new designs should use SHA-2 (e.g., SHA-256) or SHA-3.
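An added example (not code from the original page) of the hash-then-sign procedure just described: Alice signs the SHA digest of her message with her private exponent, and Bob checks it with her public exponent and a digest he computes himself. The key is textbook RSA from hard-coded Mersenne primes (an assumption of this example, not secure key material); SHA-224 is used because its 224-bit digest always fits below the 234-bit modulus. Real signatures encode the digest with PKCS #1 v1.5 or PSS padding rather than signing the bare integer.

```python
"""Hash-then-sign digital signature as described in the notes.

Added example for these lecture notes; not code from the original page.
"""
import hashlib

# Constructed key material: 2^107-1 and 2^127-1 are known primes (234-bit
# modulus). Assumed for the example only; not a secure key.
P, Q = 2**107 - 1, 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    """SHA-224 digest of the message as an integer; 224 bits, so always < N."""
    return int.from_bytes(hashlib.sha224(message).digest(), "big")


def sign(message: bytes, d: int, n: int) -> int:
    """Alice: signature = digest^d mod n ("encrypt the digest with her private key")."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int, n: int) -> bool:
    """Bob: recover the digest with Alice's public key and compare it with
    the digest of the message he actually received."""
    recovered = pow(signature, e, n)
    return recovered == digest(message)


def demo() -> dict:
    """A genuine signature, the same signature on a tampered message, and a
    signature the parents made up without Alice's private key."""
    message = b"Yes, I'm free tonight!"
    signature = sign(message, D, N)
    tampered = b"No, I'm not free tonight!"
    return {
        "genuine": verify(message, signature, E, N),             # True
        "tampered_message": verify(tampered, signature, E, N),   # False
        "forged_signature": verify(message, signature ^ 1, E, N),  # False
        "digest_hex": hashlib.sha224(message).hexdigest(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tampered case is the integrity check from the notes: the parents can change the message in transit, but without D they cannot produce a signature whose "decryption" equals the digest of their altered text.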
How Can Bob Be Sure Who Sent a Message and When it Was Sent?
If Alice sends a message to Bob on 2/21/2000:
- Alice adds to the end of her message identity text such as "Love,
  Alice (2/21/2000)" encrypted (i.e., signed) with her private
  key.
- Alice encrypts the whole thing (message + encrypted identity text) with Bob's
  public key.
- Alice sends the whole thing to Bob.
- Bob decrypts the whole thing with his private key, and decrypts the encrypted identity
  text with Alice's public key to retrieve
  "Love, Alice (2/21/2000)".
Caveat: for the identity text and date to vouch for this particular message,
what Alice signs must cover the message as well (e.g., sign the digest of
message + identity text, as in the digital-signature procedure above). If only
the tag is signed, the parents could cut the signed tag from one of Alice's
messages, attach it to a message of their own, and encrypt the result with
Bob's public key. Note also that the date is Alice's claim, not an independent
timestamp; proving when a message was sent requires a trusted third party.
Public Key Certificates
Problem:
How does Alice know Bob's public key?
Solutions:
- Alice and Bob use a secure channel to get the public key.
- Bob sends to Alice his Public-Key Certificate. Other names
  for certificates are: digital IDs, digital passports, digital certificates.
A certificate binds a public key to an individual:
  [Certificates] allow verification of the claim that a specific
  public key does in fact belong to a specific individual.
  Certificates help prevent someone from using a phony key to impersonate
  someone else. [from RSA FAQ]
Bob's X.509 certificate consists of the following fields:
- subject (Bob's) name
- subject (Bob's) public-key information
- version
- serial number
- signature algorithm ID
- issuer name (the certificate authority that signed Bob's certificate; not
  necessarily whoever handed the certificate to Alice)
- validity period
- issuer unique identifier (version 2 and 3 only)
- subject unique identifier (version 2 and 3 only)
- extensions (version 3 only)
- the issuer's digital signature on the above fields
How does Alice verify the certificate?
When Alice wants to send a message, she asks Bob for his certificate. Bob
sends the certificate. Alice verifies the validity of the certificate (see
below) and extracts the public key.
- She computes the hash function of the certificate (less the signature).
- She decrypts the digital signature using the public key of the issuer.
- She compares the computed hash value with the decrypted value; they must
  be the same, or else the certificate is invalid.
- She also checks that the subject name is Bob's, that the current date falls
  within the validity period, and (in practice) that the issuer has not
  revoked the certificate.
How does Alice know the public key of the issuer?
- The issuer (e.g., a certificate authority) uses a well-publicized public key (e.g., published in
  a newspaper ad, or shipped with Alice's browser), or
- Alice uses another Certificate Authority that can certify the public key
  of the issuer with a public key certificate.
This can go on until Alice reaches an authority whose public key she already knows and trusts.
This sequence of certificates is called a certificate
chain and the entire system that supports the process of certification
and verification is called a public key infrastructure (PKI).
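An added example, not code from the original page, that builds a two-level certificate chain with the fields listed above and runs Alice's verification steps over it: a root CA certifies an intermediate CA, the intermediate certifies Bob, and Alice checks the chain up to a root key she already trusts. It also shows the "phony key" case from the RSA FAQ quote being rejected. Certificates are plain Python dicts rather than ASN.1/X.509 encoding, the CA and party names are made up, and all keys are textbook RSA from hard-coded Mersenne primes (constructed, insecure key material); dates are YYYYMMDD integers. Revocation checking is omitted.

```python
"""Toy certificate chain in the shape of the X.509 fields listed in the notes.

Added example for these lecture notes; not code from the original page.
"""
import hashlib
import json


def make_key(p: int, q: int, e: int = 65537) -> dict:
    """Textbook RSA key as in the notes: n = pq, d = e^-1 mod (p-1)(q-1)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


def public_part(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}


# Constructed keys; 2^k - 1 is prime for k in {61, 89, 107, 127, 521, 607, 1279, 2203}.
ROOT_KEY = make_key(2**521 - 1, 2**607 - 1)
INTERMEDIATE_KEY = make_key(2**89 - 1, 2**1279 - 1)
BOB_KEY = make_key(2**107 - 1, 2**127 - 1)          # 234-bit modulus, smallest here
PARENTS_KEY = make_key(2**61 - 1, 2**2203 - 1)


def tbs_digest(cert: dict) -> int:
    """Digest of the to-be-signed fields (all but the signature), serialized
    deterministically so signer and verifier hash identical bytes."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha224(data).digest(), "big")  # 224 bits < every n


def issue(subject: str, subject_key: dict, issuer: str, issuer_key: dict,
          serial: int, not_before: int, not_after: int) -> dict:
    """The issuer signs the subject name, the subject's public key and the rest."""
    cert = {
        "version": 3, "serial": serial, "sig_alg": "sha224WithRSA",
        "issuer": issuer, "subject": subject,
        "subject_public_key": public_part(subject_key),
        "not_before": not_before, "not_after": not_after,
    }
    cert["signature"] = pow(tbs_digest(cert), issuer_key["d"], issuer_key["n"])
    return cert


def verify_chain(chain: list, trusted_roots: dict, expected_subject: str,
                 now: int) -> bool:
    """chain[0] is the end-entity certificate; chain[i+1] must have issued
    chain[i]; the last certificate must be signed by a key in trusted_roots."""
    if not chain or chain[0]["subject"] != expected_subject:
        return False
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False                         # outside the validity period
        if i + 1 < len(chain):
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False                     # names along the chain must link
            issuer_key = chain[i + 1]["subject_public_key"]
        else:
            issuer_key = trusted_roots.get(cert["issuer"])
            if issuer_key is None:
                return False                     # chain ends at no trusted root
        # "Decrypt" the signature with the issuer's public key; compare digests.
        if pow(cert["signature"], issuer_key["e"], issuer_key["n"]) != tbs_digest(cert):
            return False
    return True


def demo(now: int = 20000221) -> dict:
    roots = {"Example Root CA": public_part(ROOT_KEY)}   # what Alice trusts a priori
    ca_cert = issue("Example Intermediate CA", INTERMEDIATE_KEY,
                    "Example Root CA", ROOT_KEY, 1, 19991130, 20041130)
    bob_cert = issue("Bob", BOB_KEY, "Example Intermediate CA",
                     INTERMEDIATE_KEY, 42, 19991130, 20011130)
    # The parents substitute their key in Bob's certificate but cannot re-sign it.
    phony = dict(bob_cert, subject_public_key=public_part(PARENTS_KEY))
    # A certificate the parents issue to "Bob" themselves chains to no trusted root.
    parents_cert = issue("Bob", PARENTS_KEY, "Parents CA", PARENTS_KEY,
                         7, 19991130, 20011130)
    return {
        "genuine": verify_chain([bob_cert, ca_cert], roots, "Bob", now),
        "phony_key": verify_chain([phony, ca_cert], roots, "Bob", now),
        "untrusted_issuer": verify_chain([parents_cert], roots, "Bob", now),
        "expired": verify_chain([bob_cert, ca_cert], roots, "Bob", 20020101),
    }


if __name__ == "__main__":
    print(demo())
```

Real X.509 validation also checks that every non-leaf certificate is marked as a CA (the basicConstraints extension), that key usage permits signing, and that no certificate in the chain has been revoked; without the CA check, anyone holding an ordinary end-entity certificate could issue certificates for others.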
Examples of Security Settings in Web Browsers
Conclusions
Cryptography is controversial because:
- Theoretically, the security of practical algorithms cannot be proven outright
  (it rests on unproven assumptions such as the difficulty of factoring), and
  thus there is suspicion surrounding cryptographic algorithms, especially
  unpublished ones.
- Patents and licensing procedures slow the spread of commercial applications.
- There are still some export regulations on encryption (the U.S. government
  has classified strong encryption software as munitions), but foreign programmers
  can easily add it because
  many algorithms are published (e.g., encryption was added back to Netscape's
  browser within 24 hours of the source being published on the Internet).
U.S. export controls on cryptography are also controversial:
Citing international terrorism, the U.S. government in the past forbade export
of strong cryptographic algorithms (classified as a type of munitions),
even though similar software is available abroad.
Cryptography-enabled Web software is available free on non-U.S. servers,
but U.S. citizens cannot download it without violating patent law!
However, export regulations are changing. As of November 1999 the
Clinton administration issued this draft
rule:
"You may export and re-export to
any end-user retail encryption commodities, software and components...
Encryption products exported under this paragraph can be used to provide
products and services to any end-user."
However, the meaning of "retail" is ambiguous.
Things are improving: in spring '96 the National Research Council recommended
loosening U.S. export regulations, and RSA has begun licensing for free
to noncommercial organizations.
Last modified on 30 Nov
99 by abrams@vt.edu.