Bài giảng CCNA Security - Chapter 7: Cryptographic Systems

Computer B Computer B uses its private key to decrypt and reveal the message Học viện mạng Bach Khoa - Website: www.bkacad.com Private Key (Encrypt) + Public Key (Decrypt) = Authentication Bob uses the public key to successfully decrypt the message and authenticate that the message did, indeed, come from Alice. Alice’s Private Key 1 Encrypted Text Encryption 4 Alice’s Public Key Alice encrypts a message with her private key Alice transmits the Algorithm Encrypted Text 2 Alice’s Public Key Can I get your Public Key please? Here is my Public Key 3 Encryption Algorithm Encrypted Text Computer A Computer B encrypted message to Bob Bob needs to verify that the message actually came from Alice. He requests and acquires Alice’s public key Học viện mạng Bach Khoa - Website: www.bkacad.com Confidentiality, Integrity and Authentication Học viện mạng Bach Khoa - Website: www.bkacad.com Asymmetric Key Algorithms Key length (in bits) Description DH 512, 1024, 2048 Invented in 1976 by Whitfield Diffie and Martin Hellman. Two parties to agree on a key that they can use to encrypt messages The assumption is that it is easy to raise a number to a certain power, but difficult to compute which power was used given the number and the outcome. Digital Signature Standard (DSS) and Digital Signature 512 - 1024 Created by NIST and specifies DSA as the algorithm for digital signatures. A public key algorithm based on the ElGamal signature scheme. Algorithm (DSA) Signature creation speed is similar with RSA, but is slower for verification. RSA encryption algorithms 512 to 2048 Developed by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT in 1977 Based on the current difficulty of factoring very large numbers Suitable for signing as well as encryption Widely used in electronic commerce protocols EIGamal 512 - 1024 Based on the Diffie-Hellman key agreement. Described by Taher Elgamal in 1984and is used in GNU Privacy Guard software, PGP, and other cryptosystems. The encrypted message becomes about twice the size of the original message and for this reason it is only used for small messages such as secret keys Elliptical curve techniques 160 Invented by Neil Koblitz in 1987 and by Victor Miller in 1986. Can be used to adapt many cryptographic algorithms Keys can be much smaller Học viện mạng Bach Khoa - Website: www.bkacad.com Security Services- Digital Signatures • Specifically, digital signatures provide three basic security services: – Authenticity of digitally signed data: Authenticates a source, proving a certain party has seen, and has signed, the data in question – Integrity of digitally signed data: Guarantees that the data has not changed from the time it was signed – Nonrepudiation of the transaction: Signing party cannot repudiate that it signed the data Authenticity Integrity Nonrepudiation Học viện mạng Bach Khoa - Website: www.bkacad.com Digital Signatures • The signature is authentic and not forgeable: The signature is proof that the signer, and no one else, signed the document. • The signature is not reusable: The signature is a part of the document and cannot be moved to a different document. • The signature is unalterable: After a document is signed, it cannot be altered. • The signature cannot be repudiated: For legal purposes, the signature and the document are considered to be physical things. The signer cannot claim later that they did not sign it. Học viện mạng Bach Khoa - Website: www.bkacad.com The Digital Signature Process Confirm Order Data Signature Verified 0a77b3440Signed Data1 6 Validity of the digital signature is verified hash The sending device creates a hash of the document The receiving device accepts the document with digital signature and obtains the public key Encrypted hash Confirm Order ____________ 0a77b3440 Signature Algorithm Signature Key Verification Key 0a77b3440 2 3 4 5 The sending device encrypts only the hash with the private key of the signer The signature algorithm generates a digital signature and obtains the public key Signature is verified with the verification key Học viện mạng Bach Khoa - Website: www.bkacad.com The Digital Signature Process Học viện mạng Bach Khoa - Website: www.bkacad.com Code Signing with Digital Signatures • The publisher of the software attaches a digital signature to the executable, signed with the signature key of the publisher. • The user of the software needs to obtain the public key of the publisher or the CA certificate of the publisher if PKI is used. Học viện mạng Bach Khoa - Website: www.bkacad.com DSA Scorecard Description Digital Signature Algorithm (DSA) Timeline 1994 Type of Algorithm Provides digital signatures Advantages: Signature generation is fast Disadvantages: Signature verification is slow Học viện mạng Bach Khoa - Website: www.bkacad.com RSA Scorecard Description Ron Rivest, Adi Shamir, and Len Adleman Timeline 1977 Type of Algorithm Asymmetric algorithm Key size (in bits) 512 - 2048 Advantages: Signature verification is fast Disadvantages: Signature generation is slow Học viện mạng Bach Khoa - Website: www.bkacad.com Properties of RSA • One hundred times slower than DES in hardware • One thousand times slower than DES in software • Used to protect small amounts of data • Ensures confidentiality of data thru encryption • Generates digital signatures for authentication and nonrepudiation of data Học viện mạng Bach Khoa - Website: www.bkacad.com Public Key Infrastructure Alice applies for a driver’s license. She receives her driver’s license after her identity is proven. Alice attempts to cash a check. Her identity is accepted after her driver’s license is checked. Học viện mạng Bach Khoa - Website: www.bkacad.com PKI: A service framework (hardware, software, people, policies and procedures) needed to support large- Public Key Infrastructure PKI terminology to remember: scale public key-based technologies. Certificate: A document, which binds together the name of the entity and its public key and has been signed by the CA Certificate authority (CA): The trusted third party that signs the public keys of entities in a PKI-based system Học viện mạng Bach Khoa - Website: www.bkacad.com CA Vendors and Sample Certificates Học viện mạng Bach Khoa - Website: www.bkacad.com Usage Keys • When an encryption certificate is used much more frequently than a signing certificate, the public and private key pair is more exposed due to its frequent usage. In this case, it might be a good idea to shorten the lifetime of the key pair and change it more often, while having a separate signing private and public key pair with a longer lifetime. • When different levels of encryption and digital signing are required because of legal, export, or performance issues, usage keys allow an administrator to assign different key lengths to the two pairs. • When key recovery is desired, such as when a copy of a user’s private key is kept in a central repository for various backup reasons, usage keys allow the user to back up only the private key of the encrypting pair. The signing private key remains with the user, enabling true nonrepudiation. Học viện mạng Bach Khoa - Website: www.bkacad.com The Current State X.509 • Many vendors have proposed and implemented proprietary solutions • Progression towards publishing a common set of standards for PKI protocols and data formats Học viện mạng Bach Khoa - Website: www.bkacad.com X.509v3 • X.509v3 is a standard that describes the certificate structure. • X.509v3 is used with: – Secure web servers: SSL and TLS – Web browsers: SSL and TLS – Email programs: S/MIME – IPsec VPNs: IKE Học viện mạng Bach Khoa - Website: www.bkacad.com X.509v3 Applications Internet Enterprise Network External Web Server Internet Mail Server Cisco Secure ACS CA SSL S/MIME EAP-TLS • Certificates can be used for various purposes. • One CA server can be used for all types of authentication as long as they support the same PKI procedures. Server IPsec VPN Concentrator Học viện mạng Bach Khoa - Website: www.bkacad.com RSA PKCS Standards • PKCS #1: RSA Cryptography Standard • PKCS #3: DH Key Agreement Standard • PKCS #5: Password-Based Cryptography Standard • PKCS #6: Extended-Certificate Syntax Standard • PKCS #7: Cryptographic Message Syntax Standard • PKCS #8: Private-Key Information Syntax Standard • PKCS #10: Certification Request Syntax Standard • PKCS #12: Personal Information Exchange Syntax Standard • PKCS #13: Elliptic Curve Cryptography Standard • PKCS #15: Cryptographic Token Information Format Standard Học viện mạng Bach Khoa - Website: www.bkacad.com Public Key Technology PKCS#7 PKCS#10 Certificate Signed Certificate CA • A PKI communication protocol used for VPN PKI enrollment • Uses the PKCS #7 and PKCS #10 standards PKCS#7 Học viện mạng Bach Khoa - Website: www.bkacad.com Single-Root PKI Topology • Certificates issued by one CA • Centralized trust decisions • Single point of failure Root CA Học viện mạng Bach Khoa - Website: www.bkacad.com Hierarchical CA Topology Root CA Subordinate • Delegation and distribution of trust • Certification paths CA Học viện mạng Bach Khoa - Website: www.bkacad.com Cross-Certified CAs CA2 CA1 • Mutual cross-signing of CA certificates CA3 Học viện mạng Bach Khoa - Website: www.bkacad.com Registration Authorities 2 Completed Enrollment Request Forwarded to CA CA After the Registration Authority adds specific information to the certificate request and the request is approved under the organization’s The CA will sign the certificate request and send it back to the host 1 Enrollment request 3 Certificate Issued RA Hosts will submit certificate requests to the RA policy, it is forwarded on to the Certification Authority Học viện mạng Bach Khoa - Website: www.bkacad.com Retrieving the CA Certificates Alice and Bob telephone the CA administrator and verify the public key and serial number of the certificate CA Admin POTS Out-of-Band Authentication of the CA Certificate POTS Out-of-Band Authentication of the CA Certificate 33 CA CA Certificate CA Certificate Enterprise Network 1 1 2 2 Alice and Bob request the CA certificate that contains the CA public key Each system verifies the validity of the certificate Học viện mạng Bach Khoa - Website: www.bkacad.com Submitting Certificate Requests CA Admin Out-of-Band Authentication of the CA Certificate Out-of-Band Authentication of the CA Certificate 2 The certificate is retrieved and the certificate is installed onto the system The CA administrator telephones to confirm their submittal and the public key and issues the certificate by adding some additional data to the request, and digitally signing it all CA Enterprise Network POTS POTS 1 1 3 Certificate Request Certificate Request 3 Both systems forward a certificate request which includes their public key. All of this information is encrypted using the public key of the CA Học viện mạng Bach Khoa - Website: www.bkacad.com Authenticating Private Key (Alice) Private Key (Bob) Certificate (Alice) 1 2 2 Bob and Alice exchange certificates. The CA is no longer involved Certificate (Alice) CA Certificate Certificate (Bob) CA Certificate Certificate (Bob) Each party verifies the digital signature on the certificate by hashing the plaintext portion of the certificate, decrypting the digital signature using the CA public key, and comparing the results. Học viện mạng Bach Khoa - Website: www.bkacad.com PKI Authentication Characteristics • To authenticate each other, users have to obtain the certificate of the CA and their own certificate. These steps require the out-of-band verification of the processes. • Public-key systems use asymmetric keys where one is public and the other one is private. • Key management is simplified because two users can freely exchange the certificates. The validity of the received certificates is verified using the public key of the CA, which the users have in their possession. • Because of the strength of the algorithms, administrators can set a very long lifetime for the certificates. Học viện mạng Bach Khoa - Website: www.bkacad.com Summary Học viện mạng Bach Khoa - Website: www.bkacad.com Summary Học viện mạng Bach Khoa - Website: www.bkacad.com Summary Học viện mạng Bach Khoa - Website: www.bkacad.com Summary Học viện mạng Bach Khoa - Website: www.bkacad.com Summary Học viện mạng Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com