Slide 1Using RSA to EncryptAlternativesRSA PaperKey ManagementApproach 1: Public AnnouncementApproach 2: Public DirectoryCan we avoid needing an on-line directory?CertificatesSlide 10Slide 11Slide 12SSL (Secure Sockets Layer) Simplified TLS Handshake ProtocolSlide 14Verifying IdentitiesSlide 16VeriSign’s Certificate ClassesSlide 18“Secure Site Pro” CertificateSlide 20Limiting The DamageSlide 22Revoking CertificatesRevoked!Certificate QuestionsProblems with CertificatesPGP (Pretty Good Privacy)Avoiding CertificatesIdentity Based EncryptionKey-Generating ServiceShamir’s IBE Signature SchemeShamir’s SignaturesVerifying a SignatureIdentity-Based EncryptionIssues in IBEChargeDavid Evanshttp://www.cs.virginia.edu/evansCS588: Security and PrivacyUniversity of VirginiaComputer ScienceLecture 14:Public Key InfrastructureCS588 Spring 2005 2Using RSA to Encrypt•Use 1024-bit modulus (RSA recommends >= 768)•Encrypt 1M file–1024 1024-bit messages–To calculate Me requires log2e 1024-bit modular multiplies•Why does no one use RSA like this?–About 100-1000 times slower than DES–Need to be careful not to encrypt particular Ms–Can speed up encryption by choosing e that is an easy number to multiply by (e.g., 3 or 216 + 1)–But, decryption must use non-easy d (~1024 bits)CS588 Spring 2005 3Alternatives•Use RSA to establish a shared secret key for symmetric cipher (DES, RC6, ...)–Lose external authentication, non-repudiation properties of public-key cryptosystems•Sign (encrypt with private key) a hash of the message–A short block that is associated with the messageCS588 Spring 2005 4RSA Paper“The need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public file manager when the user joins the system.”CS588 Spring 2005 5Key ManagementPublic keys only useful if you know:1. The public key matches the entity you think it does (and no one else).2. The entity is trustworthy.CS588 Spring 2005 6Approach 1: Public Announcement•Publish public keys in a public forum–USENET groups–Append to email messages–New York Time classifieds•Easy for rogue to pretend to be someone elseCS588 Spring 2005 7Approach 2: Public Directory•Trusted authority maintains directory mapping names to public keys•Entities register public keys with authority in some secure way•Authority publishes directory–Print using watermarked paper, special fonts, etc.–Allow secure electronic accessCS588 Spring 2005 8Can we avoid needing an on-line directory?CS588 Spring 2005 9CertificatesLoren Kohnfelder, MIT 4th year thesis project, 1978: Towards a Practical Public-key Cryptosystem“Public-key communication works best when the encryption functions can reliably be shared among the communicants (by direct contact if possible). Yet when such a reliable exchange of functions is impossible the next best thing is to trust a third party. Diffie and Hellman introduce a central authority known as the Public File… Each individual has a name in the system by which he is referenced in the Public File. Once two communicants have gotten each other’s keys from the Public File then can securely communicate. The Public File digitally signs all of its transmission so that enemy impersonation of the Public File is precluded.”CS588 Spring 2005 10CertificatesTrustMe.comAliceBob{ [email protected], KUA }CA = EKRTrustMe[“[email protected]”, KUA]{ [email protected], KUB}CB = EKRTrustMe[“[email protected]”, KUB]CBCAUse anything like this?CS588 Spring 2005 11Data encrypted using secret key exchanged using some public keyassociated with some certificate.CS588 Spring 2005 12CS588 Spring 2005 13SSL (Secure Sockets Layer)Simplified TLS Handshake ProtocolClientServerHelloKRCA[Server Identity, KUS]Check Certificate using KUCA Pick random KKUS[K]Find K using KRSSecure channel using KTextbook, Section 12.5CS588 Spring 2005 14CertificatesVarySignAliceBob{ [email protected], KUA }CA = EKRTrustMe[“[email protected]”, KUA]{ [email protected], KUB}CB = EKRTrustMe[“[email protected]”, KUB]CBCAHow does TrustMe.com decide whether to provide Certificate?CS588 Spring 2005 15VarySignAliceBob{ [email protected], KUA }CA = EKRTrustMe[“[email protected]”, KUA]{ [email protected], KUB}CB = EKRTrustMe[“[email protected]”, KUB]CBCAVerifying Identities$$$$CS588 Spring 2005 16With over half a million businesses authenticated, VeriSign follows a rigorous and independently audited authentication process. All involved VeriSign employees pass stringent background checks, and each authentication is split between multiple individuals. We maintain physically secure facilities, including biometric screening on entry.CS588 Spring 2005 17VeriSign’s Certificate Classes •“Secure Site” SSL Certificate–Supports 40-bit session key–Proves: you are communicating with someone willing to pay VeriSign $598 (or with ~$1000 to break a 40-bit key)–Except they have a free 14-day trial (but it uses a different Trial CA key)CS588 Spring 2005 18CS588 Spring 2005 19“Secure Site Pro” Certificate •$995 per year•“true 128-bit key”“128-bit encryption offers 288 times as many possible combinations as 40-bit encryption. That’s over a trillion times a trillion times stronger.”trillion = 1012 trillion * trillion = 1024 Verisign’s marketing claim could be: “trillion times a trillion times a trillion times a trillion times a trillion times a trillion times a trillion times ten thousand (in Britain it is a trillions time a trillion times a trillion times a trillion times a billion times a thousand) times stronger” (but that would sound even sillier!)•Businesses authentication: “out-of-band” communication, recordsCS588 Spring 2005 20CS588 Spring 2005 21VarySign.comAliceBob{ [email protected], KUA }CA = EKRTrustMe[“[email protected]”, cert id, expiration time, KUA]CALimiting The DamageChecks expiration time > nowCS588 Spring 2005 22CS588 Spring 2005 23Revoking CertificatesVarySign.comAliceBob{ [email protected], KUA }CACASend me the CRL<certid, Date Revoked><certid, Date Revoked><certid, Date Revoked>…EKRTrustMe[CRL]CS588 Spring 2005 24Revoked!CS588 Spring 2005 25Certificate Questions•How do participants acquire the authority’s public key?•If authority’s private key is compromised, everything is vulnerable!–Keep the key locked up wellCS588 Spring 2005 26Problems with Certificates•Depends on a certificate authority–Needs to be a big, trusted