Public key cryptography

2001/03/26 r.innocente 1
Public Key Cryptography,
Digital Certificates,
Transport Layer Security
and
Internet encrypted services
Roberto Innocente
inno@sissa.it

Summary
• PKC (Public Key Cryptography)
Introduction
• Digital Certificates
• SSL/TLS
• Use of SSL/TLS over Internet
• Encrypted services: pop, imap, smtp

Cryptographic systems
taxonomy
• Symmetric key cryptography
• same key for encryption and decryption
• relatively fast
• RC2, RC4, DES, triple DES
• Asymmetric key cryptography
• different keys for encryption/decryption
• slow
• RSA, ElGamal, Elliptic curves

Symmetric Key Cryptography
Encryption Decryption
Plain
text
Cipher
text
Plain
text
m c=K(m) m=K(c)
m message
c cipher text
K key
key K
K.K=1

Asymmetric Key Cryptography
Encryption Decryption
Plain
text
Cipher
text
Plain
text
Encryption
key E
Decryption
key D
m c=E(m) m=D(c)
m message
c cipher text
E encryption key
D decryption key
D.E=1

Another classification
• Secret Key Cryptography
• the key is kept secret
• it requires a secure channel to be transmitted
• Public Key Crytpography
• one key (the deciphering key) is kept secret
• the other key is made public

Public-Key Cryptography
Diffie – Hellmann (1976)
• Each user generates a pair of inverse
transformation E and D.
• The deciphering key D must be kept secret but
need never be communicated on a channel
• The enciphering key E can be made public by
placing it in a public directory (Public File)
The original idea here is that keys can be produced in pairs
and that it can be very hard to generate a key from the other

PKC algorithms
Since DH idea in 1976 many algorithms have
been proposed, most were discovered
insecure, of the remaining many are not
feasible. Some of the algorithms are:
• Knapsack algorithms (later shown insecure)
• RSA (still considered secure)
• El Gamal (still considered secure)

Knapsack algorithms/1
(!!! insecure !!!)
First PKC algorithm proposed by Merckle and Hellmann
in 1978.
• Given n integers M1,M2,M3,..., and a sum S, find a binary
sequence b1,b2,b3... such that
• S=b1*M1+ b2*M2+b3*M3+ ....
• where:
• M1,M2,M3,... is the public key
• b1,b2,b3,... are the bits of the plain message
• S is the ciphertext
In general it is an hard problem,
but ...

Knapsack algorithms/2
(!!! insecure !!!)
A subclass of the general problem can be easily solved and
mapped onto a more general one.
• A superincreasing knapsack is a knapsack in which every number in the ordered
sequence is greater than the sum of the preceeding numbers e.g.{ 2,3,6,13,27}
• Solving the problem for a superincreasing knapsack is quite easy. Starting from the
greatest number, that will be an addend if it is less than the sum S, and so on ...
• Now, choosing a number m (=55) greater than the sum of all numbers in the
sequence, and a number n (=29) prime with m, and taking the remainder module m
of the numbers in the sequence multiplied by n e.g. {2*29=58mod 55 =3,
3*29=87mod 55=32,...} we obtain a knapsack that is not superincreasing... if we
take this sequence as the public key, and the underlaying superincreasing sequence
as the private key ...

RSA/1
(Rivest,Shamir,Adleman 1978)
• Choose primes p,q n=p*q
• Choose encryption key e prime with (p-1)*(q-1)
• Compute the inverse d such that
• now for each message m :
• n,e is the public key
• d is the private key
e*d = 1 mod n
c = me
mod n
m = cd
mod n

RSA/2
• Fermat’s little theorem (p prime,(p|a)=1):
• Euler Totient function:
• Euler’s generalization of Fermat’s theorem:
ap-1
≅ 1 (mod p)
φ(n)= # of integers less than n primes with n
For p,q primes : φ(p) = p-1
φ(p*q) = (p-1)*(q-1)
aφ(n)
≅1 mod n
aφ(n) –1
≅ a-1
mod n therefore : e-1
≅ e(p-1)(q-1)-1
mod n

RSA/3
• Software speedups:
• RSA goes faster if you choose e carefully
• 3 (PEM), 65537 (X.509), 17 (PKCS#1) are good choices
having only 2 bits set
• in particular 65537 requires only 17 multiplications to
exponentiate
• Hardware chips:
• it’s about 1000 times slower than DES
• 1 Mb/s using a 512 bits modulus (GEC Marconi)

RSA/4
The RSA patent was valid only for the US
because it was requested after publication.
In any case the patent expired on
September,20 2000
and from then on RSA it’s now free everywhere

El Gamal (T.ElGamal 1984)
• Choose a prime p and two random numbers g(<p),x (<p)and compute
y = g**x mod p
• public key is y,g,p
• private key is x
• To encrypt a message M choose a random k, (p-1|k)=1 and compute
• a= g**k mod p
• b = (y**k)* M mod p
• a,b is the ciphertext, to decrypt :
• M = b/a**x mod p

Message digests or Hash or
fingerprints
• One way function that maps a file on a fixed
length key. As with real fingerprints one hopes
that no 2 msgs have the same fingerprint.
• collision free
• un-reversible
• e.g :
• Unix sum is a bad example (16 bits) (Unix sum,cksum)
• MD5(128 bits) invented by RSA (Unix md5sum)
• SHA1(160 bits) Secure Hash Algorithm-1

Uses of PKC
Pics from M.Branchaud
Pic from
M.Branchaud

Digital Signature
Message Message Digest
MD5
Signature
RSA
with private key

Pitney-Bowes Veritas system
• Uses digital signatures to authenticate info stored on physical
documents (including the digital encoding of photographs)
• It’s been used successfully at the Olympic World Games in
New Haven in 1995
• On the back of a badge a high density bar code encoded a
photograph, biographical data and medical data of the athletes
• A Veritas reader can scan the bar code, verify the digital
signature and then display a copy of the photograph

Digital Certificates
L.Kohnfelder (1978)
In an effort to overcome performance
problems related to the use of a single Public
File, Kohnfelder proposed a digitally signed
data record containing a name and a public
key called a CERTIFICATE.

Digital Certificates/2
Name
Public
key
Digital
signature

Certificates/3
• Binary format of certificates is defined
using ASN.1 (x.208)
• Binary encoding is defined using
DER(Distinguished Encoding Rules) which
is based on BER (Basic Encoding Rules)
• Binary format can be translated into ASCII
using Base64 encoding, this form is called
PEM encoding

ASN.1 (X.208 1988)
Certificate ::=SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING
}
TBSCertificate ::=SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signatureAlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPucliKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
extensions [3] EXPLICIT Extensions OPTIONAL
}
UniqueIdentifier::= BITSTRING
Extensions::=SEQUENCE OF Extension

ASN.1/2Private-Key: (1024 bit)
modulus:
00:a0:11:a6:01:c6:d6:55:23:06:12:af:76:04:94:
5d:6a:94:67:f7:02:6e:4c:1b:90:39:b8:6d:a6:02:
01:57:87:0b:57:ed:c9:ad:89:28:bf:71:62:7d:26:
9a:de:2d:d8:15:ed:82:07:cf:07:a5:4d:9c:83:b3:
11:19:1a:f4:c9:68:ac:39:c9:98:be:69:5c:dd:da:
f1:44:7e:80:9e:53:c9:7c:ca:3c:60:20:99:ce:b3:
53:be:67:7f:31:06:91:b2:c5:76:04:53:0d:5a:42:
b9:26:b1:fe:93:15:f0:04:75:03:1c:e7:a9:3a:cf:
9d:5e:01:01:93:81:23:09:45
publicExponent: 65537 (0x10001)
privateExponent:
5a:db:a9:af:38:7e:50:b5:20:ad:5a:8b:52:ee:24:
58:6b:04:d8:60:b8:da:da:8a:73:39:0c:84:3e:7f:
24:7f:b3:20:a6:08:e4:48:06:a9:24:63:13:46:e6:
81:56:e4:61:0d:ff:d1:0e:e2:f8:21:a5:c5:db:ce:
c8:c1:54:50:58:f4:d5:4c:53:ba:f7:dd:25:9d:a4:
55:25:a1:4b:07:25:38:14:20:0c:a6:c2:07:1d:a6:
cd:b0:f0:5b:cc:58:f6:fd:1d:0a:93:01:58:83:79:
46:e4:fc:67:91:f9:36:9c:07:c5:9c:26:12:bd:ab:
1e:86:4c:63:a4:0b:31:c1
prime1:
00:d1:d7:69:c9:c5:b0:50:37:9f:2e:2d:21:b5:9f:
96:7e:e8:c1:05:29:b1:62:da:e4:b5:cd:04:03:b1:
27:c7:3e:ca:27:a1:bd:69:4f:33:e2:97:5a:03:d0:
33:6f:41:c8:e0:f9:94:e2:0d:c1:a6:85:e1:09:ac:
31:f5:97:7f:77
prime2:
00:c3:47:72:4a:31:ea:e4:e6:0f:79:7f:68:da:c8:
40:7a:96:86:be:69:1c:94:e7:ab:1f:03:66:e0:05:
00:92:4f:e9:ac:ff:0e:51:45:9c:ed:9b:9e:01:ba:
e5:00:a2:0f:d4:59:e6:06:d9:24:21:ba:b1:96:79:
51:5b:37:44:23
exponent1:
64:1e:98:6d:d9:f1:be:c4:5b:21:a8:0c:ee:60:5f:
68:db:da:c4:80:d9:0e:e6:8b:bb:26:3f:65:17:90:
78:23:40:46:da:87:ca:08:2d:24:4e:bc:77:17:4e:
83:25:eb:17:54:5d:b1:e1:88:64:d0:79:c7:a8:ae:
09:94:a8:0f
exponent2:
65:64:77:67:26:bb:fb:d5:a8:3b:41:78:44:00:ad:
d9:f8:c6:45:9f:76:03:aa:b6:23:08:35:26:23:f2:
c4:05:52:23:4c:db:36:3f:9a:d7:94:71:5a:1c:9c:
42:d3:e2:bc:33:61:48:34:fe:99:b4:c1:f8:8b:4d:
3e:bb:57:59
coefficient:
24:c5:7d:c3:22:1b:cf:ae:15:20:97:9c:73:78:4a:
d5:98:39:da:be:12:7e:94:1d:81:fa:0e:08:2a:dc:
3d:18:9e:b3:f8:cf:29:66:76:16:22:11:8f:d1:c1:
a3:ec:6f:50:d5:e1:0f:66:ba:6a:43:ec:86:20:08:
39:0c:20:9e
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCgEaYBxtZVIwYSr3YElF1qlGf3Am5MG5A5uG2mAgFXhwtX7cmt
iSi/cWJ9JpreLdgV7YIHzwelTZyDsxEZGvTJaKw5yZi+aVzd2vFEfoCeU8l8yjxg
IJnOs1O+Z38xBpGyxXYEUw1aQrkmsf6TFfAEdQMc56k6z51eAQGTgSMJRQIDAQAB
AoGAWtuprzh+ULUgrVqLUu4kWGsE2GC42tqKczkMhD5/JH+zIKYI5EgGqSRjE0bm
gVbkYQ3/0Q7i+CGlxdvOyMFUUFj01UxTuvfdJZ2kVSWhSwclOBQgDKbCBx2mzbDw
W8xY9v0dCpMBWIN5RuT8Z5H5NpwHxZwmEr2rHoZMY6QLMcECQQDR12nJxbBQN58u
LSG1n5Z+6MEFKbFi2uS1zQQDsSfHPsonob1pTzPil1oD0DNvQcjg+ZTiDcGmheEJ
rDH1l393AkEAw0dySjHq5OYPeX9o2shAepaGvmkclOerHwNm4AUAkk/prP8OUUWc
7ZueAbrlAKIP1FnmBtkkIbqxlnlRWzdEIwJAZB6YbdnxvsRbIagM7mBfaNvaxIDZ
DuaLuyY/ZReQeCNARtqHyggtJE68dxdOgyXrF1RdseGIZNB5x6iuCZSoDwJAZWR3

ASN.1/3
0:d=0 hl=4 l= 603 cons: SEQUENCE
4:d=1 hl=2 l= 1 prim: INTEGER :00
7:d=1 hl=3 l= 129 prim: INTEGER
:A011A601C6D655230612AF7604945D6A9467F7026E4C1B9039B86DA6020157870B57EDC9AD8928B
F71627D269ADE2DD815ED8207CF07A54D9C83B311191AF4C968AC39C998BE695CDDDAF1447E809E5
3C97CCA3C602099CEB353BE677F310691B2C57604530D5A42B926B1FE9315F00475031CE7A93ACF9
D5E01019381230945
139:d=1 hl=2 l= 3 prim: INTEGER :010001
144:d=1 hl=3 l= 128 prim: INTEGER :
5ADBA9AF387E50B520AD5A8B52EE24586B04D860B8DADA8A73390C843E7F247FB320A608E44806A9
24631346E68156E4610DFFD10EE2F821A5C5DBCEC8C1545058F4D54C53BAF7DD259DA45525A14B07
253814200CA6C2071DA6CDB0F05BCC58F6FD1D0A930158837946E4FC6791F9369C07C59C2612BDAB
1E864C63A40B31C1
:D1D769C9C5B050379F2E2D21B59F967EE8C10529B162DAE4B5CD0403B127C73ECA27A1BD694F33E
2975A03D0336F41C8E0F994E20DC1A685E109AC31F5977F77
:C347724A31EAE4E60F797F68DAC8407A9686BE691C94E7AB1F0366E00500924FE9ACFF0E51459CE
D9B9E01BAE500A20FD459E606D92421BAB19679515B374423
641E986DD9F1BEC45B21A80CEE605F68DBDAC480D90EE68BBB263F65179078234046DA87CA082D24
4EBC77174E8325EB17545DB1E18864D079C7A8AE0994A80F
6564776726BBFBD5A83B41784400ADD9F8C6459F7603AAB62308352623F2C40552234CDB363F9AD7
94715A1C9C42D3E2BC33614834FE99B4C1F88B4D3EBB5759
24C57DC3221BCFAE1520979C73784AD59839DABE127E941D81FA0E082ADC3D189EB3F8CF29667616
22118FD1C1A3EC6F50D5E10F66BA6A43EC862008390C209E

OID (object identifiers)
• Object identifiers are unique numbers assigned to
objects. They identify a node in a global tree.
• e.g. 1.2.840.113549.1.7.2 is an OID, it means
SignedData which is defined by RSADSI
0
ITU-T
1
ISO
2
joint ISO/ITU

OID global tree
Pic from
M.Branchaud

RSA keys according to PKCS#..
Private-Key: (1024 bit)
modulus:
00:a0:11:a6:01:c6:d6:55:23:06:12:af:76:04:94:
5d:6a:94:67:f7:02:6e:4c:1b:90:39:b8:6d:a6:02:
01:57:87:0b:57:ed:c9:ad:89:28:bf:71:62:7d:26:
9a:de:2d:d8:15:ed:82:07:cf:07:a5:4d:9c:83:b3:
11:19:1a:f4:c9:68:ac:39:c9:98:be:69:5c:dd:da:
f1:44:7e:80:9e:53:c9:7c:ca:3c:60:20:99:ce:b3:
53:be:67:7f:31:06:91:b2:c5:76:04:53:0d:5a:42:
b9:26:b1:fe:93:15:f0:04:75:03:1c:e7:a9:3a:cf:
9d:5e:01:01:93:81:23:09:45
publicExponent: 65537 (0x10001)
privateExponent:
5a:db:a9:af:38:7e:50:b5:20:ad:5a:8b:52:ee:24:
58:6b:04:d8:60:b8:da:da:8a:73:39:0c:84:3e:7f:
24:7f:b3:20:a6:08:e4:48:06:a9:24:63:13:46:e6:
81:56:e4:61:0d:ff:d1:0e:e2:f8:21:a5:c5:db:ce:
c8:c1:54:50:58:f4:d5:4c:53:ba:f7:dd:25:9d:a4:
55:25:a1:4b:07:25:38:14:20:0c:a6:c2:07:1d:a6:
cd:b0:f0:5b:cc:58:f6:fd:1d:0a:93:01:58:83:79:
46:e4:fc:67:91:f9:36:9c:07:c5:9c:26:12:bd:ab:

X.500 Directory Services

X.500
Pic from
M.Branchaud

Distinguished Names (DN)
fields
• Common name CN e.g. CN=Joe Wells
• Organizational unit OU e.g OU=Sales
• Organization O e.g. O=Heaven,Inc.
• City/Locality L e.g. L=Tampa
• State/Province ST e.g. ST=Florida
• Country C e.g. C=US
• /
C=US/ST=Florida/L=Tampa/O=Heaven,Inc./OU=Sale
s/CN=Joe Wells

Digital Certificates/3

X.509 cert v1-2
Pic from
M.Branchaud

CRL(CertificateRevocationList)

CRLv2
Pic from
M.Branchaud

SSL/1
The SSL (Secure Socket Layer) protocol
was designed by Netscape to be used with its
browser.
• SSL v.1 was used only internally.
• SSL v.2 was incorporated in Navigator v1 and v2.
• Microsoft created a similar protocol called PCT
which overcame some problems of SSL
• SSL v.3 incorporated PCT enhancements

SSL/2
• The first implementation of SSL was available
only in Netscape browsers and servers
• SSLRef is a reference implementation in C that
Netscape made available in source code (does’nt
include RC2 or RC4 encryption algorithms)
• SSLeay is an indipendent implementation of
SSLv.3 made by Eric A. Young a programmer in
Australia
• OpenSSL is based on SSLeay

TLS/SSL Layers
e.g. TCP
TLS
Record protocol
TLS
Handshake prot
TLS layers
Transport protocol

SSL record protocol
• Each SSL record contains:
• content type
• proto version
• length
• payload
• Message auhentication ( Changed in TLS to
HMAC), it contains a sequence number to be
hashed together with data

SSL/TLS handshake
• ClientHello (version,random,session,ciperhs)
– Server hello(version,random,session,cipher)
– [server may send its certificate]
– [server may send a KeyExchange]
– [server may send a CertReq]
• [Client sends its certificate]
• client sends a KeyExchange
• [client sends a cert verify]
• both send a Change CIpher

SSL cert accept
Pic
From
netscape

Key Exchange
• SSL v.2 uses RSA key exchange only
• SSL v.3 supports:
• RSA key exchange when certificates are used
• DH (Diffie-Hellmann) for exchanging keys w/o
certificates or prior communication

Diffie-Hellmann Key Exchange
• Given a large prime n and a primitive g
• A chooses a random x and sends to B
• X = g^x mod n
• B choses a random y and sends to A
• Y = g^y mod n
• A and B can compute
• k = Y^x mod n = g^(y*x) mod n = X^y mod n
• The patent held by PKP expired in 1997

PKI (Public Key Infrastructure)
• It is a practical and viable way of publishing
public keys on the Internet
• PGP,PEM,PKIX ,SPKI and SDSI are
different proposals

PEM CA model
Pic from
M.Branchaud

PKI
Pic from
M.Branchaud

STARTTLS (RFC 2487)
• a server announce its support of TLS
• ehlo heaven.org
• 250 inferno.org
• 250 starttls
• the client then can switch to TLS
• starttls
• 220 ready to start tls
• STARTTLS is supported in sendmail 8.11

Microsoft Authenticode
• Announced in 1996 by Microsoft as part of IE3.0 and
ActiveX (A system for downloading programs from web
pages)
• It describes some file formats to sign Microsoft 32bit EXEs,
DLLs and OCXs
• The signed file contains:
• original file
• digital signature
• an X.509 certificate for the public key needed to verify the
authenticode signature
• The tools needed are in the ActiveX software developer’s
Kit (CSW Code Signing Wizard)

Java signed applets
• Java too can use X.509 certificates to sign
the code in a jar file (keytool and jarsign
utilities)
• The idea is similar to that of Microsoft, the
code signed can obtain better trust
according to user chosen confidence in
signing publishers

Encrypted services
Note that recently the name of crypted services has changed
from an initial s to a final s (simap to imaps)
• https 443/tcp #http over ssl
• telnets 992/tcp #telnet over ssl
• pop3s 995/tcp
• imaps 993/tcp
• smtps 465/tcp
• sshell 614/tcp #SSLshell
• nsiiops 261/tcp #IIOP name service over ssl

Public key cryptography

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (17)

Similar to Public key cryptography

Similar to Public key cryptography (20)

More from rinnocente

More from rinnocente (16)

Recently uploaded

Recently uploaded (20)

Public key cryptography