CPK Cryptosystem in OpenSolaris
Zhi Guan
China ERI, Sun Microsystems
March, 2008
Outline

 • CPK cryptosystem overview
 • CPK Message Syntax
 • CPK in Solaris Cryptographic Framework
 • CPK in Solaris Key Management Framework
 • CPK Code Signing in Solaris
 • Other Applications
CPK Cryptosystem

 • CPK: Combined Public Key
 • What is CPK?
  ❖ At first, it is a key management scheme
  ❖ Second, it provides identity based encryption
    and signature schemes.

 • Comparison with PKI
Map an Identity to Key Pair

 $$h_1, h_2, \ldots, h_n \leftarrow H(\mathrm{ID})$$

 Private Key Matrix (the master secret, $m \times n$ scalars):

 $$\begin{pmatrix}
 s_{11} & s_{12} & \cdots & s_{1n} \\
 s_{21} & s_{22} & \cdots & s_{2n} \\
 \vdots & \vdots & \ddots & \vdots \\
 s_{m1} & s_{m2} & \cdots & s_{mn}
 \end{pmatrix}$$

 User's Private Key (one entry per column, the row chosen by $H(\mathrm{ID})$):

 $$d_{\mathrm{ID}} = \sum_{i=0}^{n-1} s_{h_i,\, i} \pmod p$$

 Public Key Matrix (public system parameter: every entry is the scalar multiple $s_{ij} G$ of the base point $G$):

 $$\begin{pmatrix}
 s_{11} G & s_{12} G & \cdots & s_{1n} G \\
 s_{21} G & s_{22} G & \cdots & s_{2n} G \\
 \vdots & \vdots & \ddots & \vdots \\
 s_{m1} G & s_{m2} G & \cdots & s_{mn} G
 \end{pmatrix}$$

 User's Public Key (the same selection over the public matrix, so anyone can compute it from the identity alone):

 $$Q_{\mathrm{ID}} = \sum_{i=0}^{n-1} s_{h_i,\, i}\, G = d_{\mathrm{ID}}\, G$$
Identity Based Encryption

 CPK_Encrypt(Plaintext, ID, PublicMatrix) {
     Indexes = H(ID);                              /* hash the identity to one row index per column */
     ECPublicKey = Map(Indexes, PublicMatrix);     /* combine the selected entries into Q_ID */
     Ciphertext = ECEncrypt(Plaintext, ECPublicKey);
     return Ciphertext;
 }

 CPK_Decrypt(Ciphertext, ECPrivateKey) {          /* ECPrivateKey is d_ID, issued to the owner of ID */
     Plaintext = ECDecrypt(Ciphertext, ECPrivateKey);
     return Plaintext;
 }
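The identity-to-key mapping of the previous slide together with the CPK_Encrypt/CPK_Decrypt pseudocode, as an added example; it is not code from the slides or from libcpk. It assumes a 19-point textbook toy curve (so it shows the algebra only), H(ID) = SHA-256, an 8x4 matrix, the slide's "mod p" taken as the order of G, and a toy EC-ElGamal KEM with an XOR stream standing in for ECEncrypt (the later slides name ECIES for real use).

```python
"""Toy CPK: identity -> matrix indexes -> combined key pair -> IBE encrypt/decrypt.
Constructed example; curve, matrix size and hash are assumptions, not libcpk's."""
import hashlib
import random

# Toy curve y^2 = x^3 + A x + B over F_Q_FIELD (constructed; far too small for real use)
Q_FIELD, A, B = 17, 2, 2
G = (5, 1)      # base point
ORDER = 19      # prime order of G; matrix scalars live in Z_ORDER (the slide's "mod p")


def ec_add(P, R):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return R
    if R is None:
        return P
    (x1, y1), (x2, y2) = P, R
    if x1 == x2 and (y1 + y2) % Q_FIELD == 0:
        return None                                  # P + (-P)
    if P == R:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, Q_FIELD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q_FIELD)
    lam %= Q_FIELD
    x3 = (lam * lam - x1 - x2) % Q_FIELD
    y3 = (lam * (x1 - x3) - y1) % Q_FIELD
    return (x3, y3)


def ec_mul(k, P):
    """Double-and-add scalar multiplication k*P."""
    result = None
    k %= ORDER
    while k:
        if k & 1:
            result = ec_add(result, P)
        P = ec_add(P, P)
        k >>= 1
    return result


def gen_private_matrix(m, n, rng):
    """Master secret: m x n scalars s_ij in Z_ORDER."""
    return [[rng.randrange(1, ORDER) for _ in range(n)] for _ in range(m)]


def public_matrix(priv):
    """Public system parameter: every entry s_ij replaced by the point s_ij * G."""
    return [[ec_mul(s, G) for s in row] for row in priv]


def kmc_setup(m, n, seed):
    """Key management centre setup; seeded only so the example is reproducible."""
    rng = random.Random(seed)
    priv = gen_private_matrix(m, n, rng)
    return priv, public_matrix(priv), rng


def hash_to_indexes(identity, m, n):
    """H(ID) -> (h_0, ..., h_{n-1}); column i selects row h_i. Assumes n <= 32."""
    digest = hashlib.sha256(identity.encode("utf-8")).digest()
    return [digest[i] % m for i in range(n)]


def cpk_private_key(identity, priv):
    """d_ID = sum_i s[h_i][i] mod ORDER; only the holder of the private matrix can do this."""
    m, n = len(priv), len(priv[0])
    h = hash_to_indexes(identity, m, n)
    return sum(priv[h[i]][i] for i in range(n)) % ORDER


def cpk_public_key(identity, pub):
    """Q_ID = sum_i s[h_i][i] * G; anyone with the public matrix can compute it."""
    m, n = len(pub), len(pub[0])
    h = hash_to_indexes(identity, m, n)
    point = None
    for i in range(n):
        point = ec_add(point, pub[h[i]][i])
    return point


def _kdf(point):
    """Toy key derivation from a curve point (real code would use ECIES' KDF)."""
    return hashlib.sha256(repr(point).encode()).digest()


def cpk_encrypt(message, identity, pub, rng):
    """CPK_Encrypt: map ID to Q_ID, then toy ECEncrypt = EC-ElGamal KEM + XOR stream."""
    q_id = cpk_public_key(identity, pub)
    if q_id is None:
        raise ValueError("identity maps to the point at infinity; no usable key")
    k = rng.randrange(1, ORDER)
    c1 = ec_mul(k, G)                                # ephemeral public value
    key = _kdf(ec_mul(k, q_id))                      # shared point k*Q_ID
    body = bytes(b ^ key[i % 32] for i, b in enumerate(message))
    return c1, body


def cpk_decrypt(c1, body, d_id):
    """CPK_Decrypt: the same shared point via d_ID*c1 = d_ID*k*G = k*Q_ID."""
    key = _kdf(ec_mul(d_id, c1))
    return bytes(b ^ key[i % 32] for i, b in enumerate(body))
```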
CPK Message Syntax
CPK Objects

 • Public system parameters: public matrix
 • Master secret: private matrix
 • User's private key
 • User's identifier

 [Diagram: the CPK Object type and its four subtypes: Private Matrix, Public Matrix, Identifier, Private Key.]
CPK Cryptographic Messages

 • Signature
 • Public key encrypted session key.
 • Signed data
 • Public key encrypted data.
 • Signed and public key encrypted data.
PKCS #7 General Syntax: ContentInfo

 ContentInfo
   content type: specified by an Object Identifier, which is a globally unique identifier.
   content: the format of the content is explicitly defined by the "content type".

 The content type options include:
   • data
   • signedData
   • encryptedData
   • envelopedData
   • signedAndEnvelopedData
PKCS #7 Raw Data

 ContentInfo
   content type: one of Data, EncryptedData, SignedData, EnvelopedData, SignedAndEnvelopedData
PKCS #7 EncryptedData

 EncryptedData
   version
   EncryptedContentInfo
     content type
     encryption algorithm
     encrypted content
PKCS #7 EnvelopedData

 EnvelopedData
   version
   recipientInfos
   EncryptedContentInfo
     content type
     encryption algorithm
     encrypted content
PKCS #7 RecipientInfo

 RecipientInfo
   version
   recipient's id
   key encryption algorithm: ECIES (Elliptic Curve Integrated Encryption Scheme)
   encrypted key: the encrypted symmetric key
PKCS #7 SignedData

 SignedData
   version
   digest algorithms
   ContentInfo: Data, EncryptedData, ......
   certificates   (no useful attributes for CPK)
   CRLs           (no useful attributes for CPK)
   SignerInfos
PKCS #7 SignerInfo

 SignerInfo
   version
   signer's id: specifies the signer. In PKI this field specifies the signer's certificate; in CPK it specifies the signer's CPK identity.
   digest algorithm
   signed attributes: for example, the date and time of the signing.
   sign algorithm: for example, ECDSA with SHA1
   signature
   unsigned attributes
PKCS #7 SignedAndEnvelopedData

 SignedAndEnvelopedData
   version
   recipientInfos
   digest algorithms
   encryptedContentInfo
   certificates
   CRLs
   signerInfos
Data Types Presentation and Encoding

 • ASN.1
 • BER
 • DER
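The ContentInfo and SignerInfo shapes from the PKCS #7 slides above, produced and parsed in DER, as an added example that is not part of the original slides or of Solaris/libcpk. Carrying the CPK signer identity in SignerInfo as a UTF8String is an assumption (the slides only say the field holds a CPK identity instead of a certificate reference), as is the sample identity; the OIDs for id-data, SHA-1 and ecdsa-with-SHA1 are the standard ones.

```python
"""Minimal DER encoder/decoder for PKCS #7 ContentInfo and a CPK-style SignerInfo.
Constructed example; the UTF8String signer id is an assumption, not a CPK/libcpk format."""

OID_PKCS7_DATA = "1.2.840.113549.1.7.1"   # id-data
OID_SHA1 = "1.3.14.3.2.26"                # sha1
OID_ECDSA_SHA1 = "1.2.840.10045.4.1"      # ecdsa-with-SHA1 (the slide's "ECDSA with SHA1")


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def der_int(v: int) -> bytes:
    """Non-negative INTEGER in minimal two's-complement form."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def der_seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def der_octets(b: bytes) -> bytes:
    return tlv(0x04, b)


def der_utf8(s: str) -> bytes:
    return tlv(0x0C, s.encode("utf-8"))


def explicit(n: int, inner: bytes) -> bytes:
    return tlv(0xA0 | n, inner)               # context-specific [n] EXPLICIT


def content_info(content_type: str, content: bytes) -> bytes:
    """ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }"""
    return der_seq(der_oid(content_type), explicit(0, content))


def algorithm_id(oid: str) -> bytes:
    return der_seq(der_oid(oid))              # AlgorithmIdentifier, parameters omitted


def cpk_signer_info(identity: str, signature: bytes) -> bytes:
    """SignerInfo whose signer id is a CPK identity string (assumed encoding)."""
    return der_seq(
        der_int(1),                           # version
        der_utf8(identity),                   # signer's id: identity, not issuer+serial
        algorithm_id(OID_SHA1),               # digest algorithm
        algorithm_id(OID_ECDSA_SHA1),         # sign algorithm
        der_octets(signature),                # signature
    )


def der_decode(buf: bytes, pos: int = 0):
    """Decode one TLV at pos -> (tag, value, next_pos); rejects non-DER lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not DER")
        if buf[pos] == 0:
            raise ValueError("length has a leading zero byte")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80:
            raise ValueError("long form used where short form is required")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_sequence(buf: bytes):
    """Return the (tag, value) children of a top-level SEQUENCE spanning the whole buffer."""
    tag, body, end = der_decode(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one top-level SEQUENCE")
    children, pos = [], 0
    while pos < len(body):
        t, v, pos = der_decode(body, pos)
        children.append((t, v))
    return children


def is_strict_der(buf: bytes) -> bool:
    """True if buf parses as a well-formed, minimally encoded SEQUENCE."""
    try:
        decode_sequence(buf)
        return True
    except (ValueError, IndexError):
        return False
```

Length-encoding strictness matters here: a verifier that accepts BER lengths where DER is required lets the same signed structure have several byte-level encodings.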
CPK Interfaces
Identity Based Cryptography Interface
CPK in Solaris Cryptographic Framework

 [Architecture diagram, top to bottom:]
   CPK Java Applications: JCE (Java Crypto Extension), then JNI
   CPK C/C++ Applications
   Service Consumer Interface (PKCS#11)
   Solaris User-space Cryptographic Framework
   Service Provider Interface (PKCS#11)
   Providers: pkcs11_softtoken.so, pkcs11_kernel.so, pkcs11_cpk.so (backed by libcpk), pkcs11_cpktoken.so (backed by libcpk)
PKCS #11: Cryptographic Token Interface Standard

 [Figure: "General Cryptoki Model" from the PKCS #11 standard. Application 1 and Application 2 sit above other security layers and the Cryptoki library, which handles device contention/synchronization; Cryptoki exposes Slot 1 and Slot 2, each holding a token (Token 1 on Device 1, Token 2 on Device 2).]
PKCS #11 Functions

 • Slot and token management functions
 • Session management functions
 • Cryptographic functions
  ❖ Encryption and decryption
  ❖ Message digesting
  ❖ MAC generation and verification
  ❖ Signing and Verification
  ❖ Key management
PKCS #11 Objects

 [Object hierarchy, flattened:]
  • PKCS#11 Object
    ❖ Data
    ❖ Key: Public Key, Private Key, Secret Key
    ❖ Certificate
  • CPK object types: CPK IdentityInfo, CPK PublicMatrix, CPK PrivMatrix, CPK PrivateKey
  • Used together with the ECC PublicKey and ECC PrivateKey object types
PKCS #11 Functions

 • Generate system parameters
   ❖ C_CreateObject
   ❖ C_GenerateKey
   ❖ C_GenerateKeyPair

 • Extract private key or public key from matrices
   ❖ C_DeriveKey
Identity Based Encryption
Identity Based Signing
PKCS #7 Data Types

 • SignerInfo
CPK in Solaris Key Management Framework
Solaris Key Management Framework

 • Centralized key storage and management
   framework.

 • Supports PKI programming interfaces
OS without Centralized Key Management

 • Every application must have its own
   cryptography implementation and key
   management and storage mechanisms.

 [Diagram: three separate applications (App), each with its own Key Store.]
Solaris with Key Management Framework

 [Figure: "KMF Big Picture". Applications such as IKE, Secure Shell, SSL, SASL, PK Kerberos and Java (JCA) use the KMF Programming API; the Key Management Framework provides Key Mgmt, Certificate Validation and Enrollment providers over keystores such as PKCS11, NSS and files.]

 This picture is from the Solaris Key Management Framework slides by Wyllys Ingersoll.

Contenu connexe

En vedette

USB Token Design and Implementation
USB Token Design and ImplementationUSB Token Design and Implementation
USB Token Design and ImplementationZhi Guan
 
Code Signing with CPK
Code Signing with CPKCode Signing with CPK
Code Signing with CPKZhi Guan
 
A Survey of Identity-Based Encryption
A Survey of Identity-Based EncryptionA Survey of Identity-Based Encryption
A Survey of Identity-Based EncryptionZhi Guan
 
Crypto With OpenSSL
Crypto With OpenSSLCrypto With OpenSSL
Crypto With OpenSSLZhi Guan
 
CPK Theory And Parctice
CPK Theory And ParcticeCPK Theory And Parctice
CPK Theory And ParcticeZhi Guan
 

En vedette (6)

USB Token Design and Implementation
USB Token Design and ImplementationUSB Token Design and Implementation
USB Token Design and Implementation
 
Code Signing with CPK
Code Signing with CPKCode Signing with CPK
Code Signing with CPK
 
A Survey of Identity-Based Encryption
A Survey of Identity-Based EncryptionA Survey of Identity-Based Encryption
A Survey of Identity-Based Encryption
 
Crypto With OpenSSL
Crypto With OpenSSLCrypto With OpenSSL
Crypto With OpenSSL
 
Easy CPK
Easy CPKEasy CPK
Easy CPK
 
CPK Theory And Parctice
CPK Theory And ParcticeCPK Theory And Parctice
CPK Theory And Parctice
 

Similaire à CPK Cryptosystem In Solaris

HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHackito Ergo Sum
 
The Belgian E Id Hacker Vs Developer
The Belgian E Id Hacker Vs DeveloperThe Belgian E Id Hacker Vs Developer
The Belgian E Id Hacker Vs Developerbeires
 
TLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkNisheed KM
 
Overview of Cryptography in pantanagr .pdf
Overview of Cryptography in pantanagr .pdfOverview of Cryptography in pantanagr .pdf
Overview of Cryptography in pantanagr .pdfthukralyash256
 
MongoDB Live Hacking
MongoDB Live HackingMongoDB Live Hacking
MongoDB Live HackingTobias Trelle
 
Cryptography with Zend Framework
Cryptography with Zend FrameworkCryptography with Zend Framework
Cryptography with Zend FrameworkEnrico Zimuel
 
Pgsodium's Features: those not provided by pgcrypto and integration with rem...
 Pgsodium's Features: those not provided by pgcrypto and integration with rem... Pgsodium's Features: those not provided by pgcrypto and integration with rem...
Pgsodium's Features: those not provided by pgcrypto and integration with rem...EDB
 
Information security programming in ruby
Information security programming in rubyInformation security programming in ruby
Information security programming in rubyHiroshi Nakamura
 
Anonymous Credentials on Java Card - SIT Smartcard 2011
Anonymous Credentials on Java Card - SIT Smartcard 2011Anonymous Credentials on Java Card - SIT Smartcard 2011
Anonymous Credentials on Java Card - SIT Smartcard 2011Thomas Gross
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEELinaro
 
Strong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSOStrong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSOSylvain Maret
 
Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...
Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...
Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...SSIMeetup
 

Similaire à CPK Cryptosystem In Solaris (20)

HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
The Belgian E Id Hacker Vs Developer
The Belgian E Id Hacker Vs DeveloperThe Belgian E Id Hacker Vs Developer
The Belgian E Id Hacker Vs Developer
 
ICPC11b.ppt
ICPC11b.pptICPC11b.ppt
ICPC11b.ppt
 
ICPC11c.ppt
ICPC11c.pptICPC11c.ppt
ICPC11c.ppt
 
TLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security Talk
 
Overview of Cryptography in pantanagr .pdf
Overview of Cryptography in pantanagr .pdfOverview of Cryptography in pantanagr .pdf
Overview of Cryptography in pantanagr .pdf
 
MongoDB Live Hacking
MongoDB Live HackingMongoDB Live Hacking
MongoDB Live Hacking
 
PKI Interoperability
PKI InteroperabilityPKI Interoperability
PKI Interoperability
 
Cryptography with Zend Framework
Cryptography with Zend FrameworkCryptography with Zend Framework
Cryptography with Zend Framework
 
Pgsodium's Features: those not provided by pgcrypto and integration with rem...
 Pgsodium's Features: those not provided by pgcrypto and integration with rem... Pgsodium's Features: those not provided by pgcrypto and integration with rem...
Pgsodium's Features: those not provided by pgcrypto and integration with rem...
 
Icpc11b.ppt
Icpc11b.pptIcpc11b.ppt
Icpc11b.ppt
 
661 665
661 665661 665
661 665
 
Information security programming in ruby
Information security programming in rubyInformation security programming in ruby
Information security programming in ruby
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography
CryptographyCryptography
Cryptography
 
Anonymous Credentials on Java Card - SIT Smartcard 2011
Anonymous Credentials on Java Card - SIT Smartcard 2011Anonymous Credentials on Java Card - SIT Smartcard 2011
Anonymous Credentials on Java Card - SIT Smartcard 2011
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEE
 
Strong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSOStrong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSO
 
Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...
Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...
Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...
 

Dernier

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 

Dernier (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

CPK Cryptosystem In Solaris

  • 1. CPK Cryptosystem in OpenSolaris Zhi Guan China ERI, Sun Microsystems, March, 2008
  • 2. Outline • CPK cryptosystem overview • CPK Message Syntax • CPK in Solaris Cryptographic Framework • CPK in Solaris Key Management Framework • CPK Code Signing in Solaris • Other Applications
  • 3. CPK Cryptosystem • CPK: Combined Public Key • What is CPK? ❖ At first, it is a key management scheme ❖ Second, it provides an identity based encryption and signature scheme. • Comparison with PKI
  • 4. Map an Identity to Key Pair
     $h_1, h_2, \ldots, h_n \leftarrow H(ID)$
     Private Key Matrix (the matrix is $m \times n$; $H(ID)$ selects one row index $h_i$ per column $i$):
     $$\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix} \xrightarrow{H(ID)} d_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} \pmod p \quad \text{(User's Private Key)}$$
     Public Key Matrix:
     $$\begin{pmatrix} s_{11}G & s_{12}G & \cdots & s_{1n}G \\ s_{21}G & s_{22}G & \cdots & s_{2n}G \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1}G & s_{m2}G & \cdots & s_{mn}G \end{pmatrix} \xrightarrow{H(ID)} Q_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} G \quad \text{(User's Public Key)}$$
  • 5. Identity Based Encryption
     CPK_Encrypt(Plaintext, ID, PublicMatrix) {
       Indexes = H(ID);
       ECPublicKey = Map(Indexes, PublicMatrix);
       Ciphertext = ECEncrypt(Plaintext, ECPublicKey);
       return Ciphertext;
     }
     CPK_Decrypt(Ciphertext, ECPrivateKey) {
       Plaintext = ECDecrypt(Ciphertext, ECPrivateKey);
       return Plaintext;
     }
  • 7. CPK Objects • Public system parameters: public matrix • Master secret: private matrix • User's private key • User's identifier (object types: Private Matrix, Public Matrix, Private Key, Identifier)
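The key mapping of slide 4 and the encrypt/decrypt flow of slide 5, as an added runnable example; this is not the OpenSolaris libcpk code. It assumes secp256k1 as the curve (the slides name none), an 8 x 16 matrix, SHA-256 as H(ID), and a simplified ECIES (SHA-256 keystream plus HMAC-SHA256 tag) standing in for ECEncrypt/ECDecrypt. The point it makes is the one the slides rely on: the public key derived from the public matrix equals d_ID * G, so a sender needs only the identifier and the public matrix, and the private matrix is the whole master secret.

```python
# Added example (not the OpenSolaris libcpk code): CPK identity-to-key mapping
# and identity based encryption. Assumed parameters: secp256k1, an 8 x 16
# matrix, SHA-256 as H(ID), simplified ECIES for ECEncrypt/ECDecrypt.
import hashlib
import hmac
import secrets

P = 2**256 - 2**32 - 977                       # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None                                     # point at infinity
M_ROWS, N_COLS = 8, 16                         # matrix size, constructed for the example

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if p1 is INF or p2 is INF:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def generate_matrices(seed):
    """Master secret (private matrix of scalars s_ij) and public matrix (s_ij * G).
    Scalars are derived from a seed so the example repeats; a real key centre uses a CSPRNG."""
    priv = [[int.from_bytes(hashlib.sha256(seed + bytes([i, j])).digest(), "big") % (N - 1) + 1
             for j in range(N_COLS)] for i in range(M_ROWS)]
    pub = [[ec_mul(s, G) for s in row] for row in priv]
    return priv, pub

def identity_indexes(identity):
    """h_0..h_{n-1} <- H(ID): one row index per column, read off SHA-256(ID)."""
    digest = hashlib.sha256(identity.encode()).digest()
    return [digest[i] % M_ROWS for i in range(N_COLS)]

def map_private_key(identity, priv_matrix):
    """d_ID = sum_i s_{h_i,i}, reduced modulo the order of G (written mod p on the slide)."""
    return sum(priv_matrix[h][i] for i, h in enumerate(identity_indexes(identity))) % N

def map_public_key(identity, pub_matrix):
    """Q_ID = sum_i s_{h_i,i} G from the public matrix only; equals d_ID * G."""
    q = INF
    for i, h in enumerate(identity_indexes(identity)):
        q = ec_add(q, pub_matrix[h][i])
    return q

def _point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def _derive_keys(shared):
    """Encryption and MAC keys from the x-coordinate of the shared point."""
    x = shared[0].to_bytes(32, "big")
    return hashlib.sha256(x + b"enc").digest(), hashlib.sha256(x + b"mac").digest()

def _keystream(key, length):
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def cpk_encrypt(plaintext, identity, pub_matrix):
    """CPK_Encrypt: the sender needs only the recipient's ID and the public matrix."""
    q_id = map_public_key(identity, pub_matrix)
    k = secrets.randbelow(N - 1) + 1           # ephemeral scalar
    r = ec_mul(k, G)
    enc_key, mac_key = _derive_keys(ec_mul(k, q_id))
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, _point_bytes(r) + body, "sha256").digest()
    return r, body, tag

def cpk_decrypt(ciphertext, priv_key):
    """CPK_Decrypt: the recipient needs only d_ID; a wrong key fails the tag check."""
    r, body, tag = ciphertext
    enc_key, mac_key = _derive_keys(ec_mul(priv_key, r))
    expected = hmac.new(mac_key, _point_bytes(r) + body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, len(body))))

def demo(identity="alice@example.com", message=b"hello CPK"):
    # Returns (public key consistent with private key, decrypted message).
    priv_matrix, pub_matrix = generate_matrices(b"example-seed")
    d_id = map_private_key(identity, priv_matrix)
    consistent = ec_mul(d_id, G) == map_public_key(identity, pub_matrix)
    return consistent, cpk_decrypt(cpk_encrypt(message, identity, pub_matrix), d_id)
```

`demo()` derives both keys for a constructed identity, checks that the public key obtained from the public matrix is exactly d_ID times G, and round-trips a message. Decrypting with another identity's private key yields a different shared point and fails the tag check, which is the behaviour a receiver-side implementation should surface as an error rather than as garbage plaintext.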
  • 8. CPK Cryptographic Messages • Signature • Public key encrypted session key. • Signed data • Public key encrypted data. • Signed and public key encrypted data.
  • 9. PKCS #7 General Syntax: ContentInfo. A ContentInfo carries a content type and a content; the content type is specified by an Object Identifier, which is a globally unique identifier, and the format of the content is explicitly defined by the content type. The content type options include: data, signedData, encryptedData, envelopedData, signedAndEnvelopedData.
  • 10. PKCS #7: ContentInfo (content type + content). With content type Data the content is raw data; the other content types are EncryptedData, SignedData, EnvelopedData and SignedAndEnvelopedData.
  • 11. PKCS #7 EncryptedData: version; EncryptedContentInfo (content type, encryption algorithm, encrypted content).
  • 12. PKCS #7 EnvelopedData: version; recipientInfos; EncryptedContentInfo (content type, encryption algorithm, encrypted content).
  • 13. PKCS #7 RecipientInfo: version; recipient's id; key encryption algorithm, here ECIES (Elliptic Curve Integrated Encryption Scheme); encrypted key (the encrypted symmetric key).
  • 14. PKCS #7 SignedData: version; digest algorithms; ContentInfo (Data, EncryptedData, ...); certificates and CRLs (not useful for CPK); SignerInfos.
  • 15. PKCS #7 SignerInfo: version; signer's id, which specifies the signer (in PKI this field specifies the signer's certificate, in CPK it specifies the signer's CPK identity); digest algorithm; signed attributes (for example, the date and time of the signing); signature algorithm (for example, ECDSA with SHA1); signature; unsigned attributes.
  • 16. PKCS #7 SignedAndEnvelopedData: version; recipientInfos; digest algorithms; encryptedContentInfo; certificates; CRLs; signerInfos.
  • 17. Data Types Presentation and Encoding • ASN.1 • BER • DER
  • 20. CPK in Solaris Cryptographic Framework (architecture diagram): CPK Java Applications → JCE (Java Crypto Extension) → JNI; CPK C/C++ Applications → Service Consumer Interface (PKCS#11) → Solaris User-space Cryptographic Framework → Service Provider Interface (PKCS#11) → providers pkcs11_cpk.so and pkcs11_cpktoken.so (both built on libcpk), pkcs11_softtoken.so, pkcs11_kernel.so
  • 21. PKCS #11: Crypto Token Interface Standard (diagram of applications, the Cryptoki interface, slots and tokens; the image text is not recoverable)
  • 22. PKCS #11 Functions • Slot and token management functions • Session management functions • Cryptographic functions ❖ Encryption and decryption ❖ Message digesting ❖ MAC generation and verification ❖ Signing and Verification ❖ Key management
  • 23. PKCS #11 Objects PKCS#11 Object Data Key Certificate Public Key Private Key Secret Key CPK CPK CPK CPK IdentityInfo PublicMatrix PrivMatrix PrivateKey ECC ECC PublicKey PrivateKey
  • 24. PKCS #11 Functions • Generate system parameters ❖ C_CreateObject ❖ C_GenerateKey ❖ C_GenerateKeyPair • Extract private key or public key from matrixes ❖ C_DeriveKey
  • 27. PKCS #7 Data Types • SignerInfo
  • 28. CPK in Solaris Key Management Framework
  • 29. Solaris Key Management Framework • Centralized key storage and management framework. • Support PKI programing interfaces
  • 30. OS without Centralized Key Management • Every application must have its own cryptography implementation and its own key management and storage mechanisms. (diagram: each App with its own Key Store)
  • 31. Solaris with Key Management Framework (architecture diagram; this picture is from the Solaris Key Management Framework slides by Wyllys Ingersoll)
  • 32. Solaris with Key Management Framework (same diagram, continued)
  • 33. Solaris with Key Management Framework (same diagram, continued)