1. Public Key Infrastructure
– tell me in plain English AND THEN
deep technical how PKI works
Steve Lamb
stephlam@microsoft.com
http://blogs.technet.com/steve_lamb
IT Pro Security Evangelist
Microsoft Ltd
2. Objectives
Demystify commonly used terminology
Explain how PKI works
Get you playing with PKI in the lab
Make some simple recommendations
3. Agenda
Foundational Concept (level 200)
PKI and Signatures (level 330)
Recommendations (level 310)
Reference material
Common Algorithms (level 360)
4. What can PKI enable?
Secure Email – sign and/or encrypt messages
Secure browsing – SSL – authentication and encryption
Secure code – authenticode
Secure wireless – PEAP & EAP-TLS
Secure documents – Rights Management
Secure networks – segmentation via IPsec
Secure files – Encrypted File System(EFS)
6. Encryption vs. Authentication
Encrypted information cannot be automatically
trusted
You still need authentication
Which we can implement using encryption, of
course
7. Assets
What are we securing?
Data
Services (i.e. business and other applications, or their individually accessible parts)
This session is not about securing:
People (sorry), cables, carpets, typewriters and computers (!?)
Some assets are key assets
Passwords, private keys etc...
8. Digital Security as Extension of Physical Security of Key Assets
Strong physical security of key assets + strong digital security = good security everywhere
Weak physical security of key assets + strong digital security = insecure environment
Strong physical security of key assets + weak digital security = insecure environment
9. Remember CP and CPS!
"The Certification Practice & Certification Practice Statement (CP/CPS) is a formal statement that describes who may have certificates, how certificates are generated and what they may be used for."
http://www.nhsia.nhs.uk/pathology/pages/documents/cp_cps.doc
CP is the Certificate Policy (who may hold certificates and what they may be used for); the CPS is the Certification Practice Statement (how the CA actually operates to meet that policy)
10. Symmetric Key Cryptography
Diagram: plain-text input ("The quick brown fox jumps over the lazy dog") -> Encryption -> cipher-text ("AxCv;5bmEseTfid3)fGsmWe#4^,sdgfMwir3:dkJeTsY8Rs@!q3%") -> Decryption -> plain-text output ("The quick brown fox jumps over the lazy dog")
The same key (shared secret) is used for both encryption and decryption
11. Symmetric Pros and Cons
Strength:
Simple and really very fast (of the order of 1,000 to 10,000 times faster than asymmetric mechanisms)
Super-fast (and somewhat more secure, since the key need never leave the device) if done in hardware (DES, Rijndael)
Weakness:
Must agree the key beforehand
Must securely pass the key to the other party
12. Public Key Cryptography
Knowledge of the encryption key doesn't give you knowledge of the decryption key
Receiver of information generates a pair of keys
Publishes the public key in a directory
Then anyone can send her messages that only she can read
13. Public Key Encryption
Diagram: clear-text input ("The quick brown fox jumps over the lazy dog") -> Encryption with the recipient's public key -> cipher-text ("Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd'rkvegMs") -> Decryption with the recipient's private key -> clear-text output ("The quick brown fox jumps over the lazy dog")
Different keys: the recipient's public key encrypts, the recipient's private key decrypts
14. Public Key Pros and Cons
Weakness:
Extremely slow
Susceptible to chosen-ciphertext attacks when used "textbook" style, i.e. without a proper padding scheme
Problem of trusting the public key (see later on PKI)
Strength
Solves the problem of passing the key
Allows establishment of a trust context between parties
15. Hybrid Encryption (Real World)
Diagram: plain-text ("Launch key for nuclear missile 'RedHeat' is...") -> symmetric encryption (e.g. DES) under a randomly generated symmetric "session" key from an RNG -> cipher-text ("*#$fjda^ju539!3tt389E *&@5e%32^kd")
The session key is encrypted asymmetrically (e.g. RSA) with the user's public key (in their certificate); the result is the digital envelope
As above, repeated for other recipients or for recovery agents named in the recovery policy: each gets its own digital envelope, the same session key encrypted with that recipient's or agent's public key (in their certificate)
16. Hybrid Decryption
Diagram: digital envelope -> asymmetric decryption of the "session" key (e.g. RSA) with the recipient's private key -> symmetric "session" key -> symmetric decryption (e.g. DES) of the cipher-text ("*#$fjda^ju539!3tt389E *&@5e%32^kd") -> plain-text ("Launch key for nuclear missile 'RedHeat' is...")
The digital envelope contains the "session" key encrypted using the recipient's public key
The session key must be decrypted using the recipient's private key
18. Public Key Distribution Problem
We just solved the problem of symmetric key distribution by using public/private keys
But...
Scott creates a keypair (private/public) and quickly tells the world that the public key he published belongs to Bill
People send confidential stuff to Bill, encrypted with what is really Scott's public key
Bill does not have the matching private key, so he cannot read it...
Scott reads Bill's messages
20. Creating a Digital Signature
Diagram: message or file ("This is a really long message about Bill's...") -> hash function (SHA, MD5) -> message digest (128 bits for MD5; "Jrf843kjfgf*£$&Hdif*7oUsd*&@:<CHDFHSD(**") -> asymmetric encryption with the signatory's private key -> digital signature ("Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd'rkvegMs")
Calculate a short message digest from even a long input using a one-way message digest function (hash)
21. Verifying a Digital Signature
Diagram: digital signature ("Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd'rkvegMs") -> asymmetric decryption (e.g. RSA) with the signatory's public key -> recovered message digest ("Jrf843kjfgf*£$&Hdif*7oUsd*&@:<CHDFHSD(**")
Original message ("This is a really long message about Bill's...") -> same hash function (e.g. MD5, SHA...) -> freshly computed message digest
? == ? Are they the same? The signature is valid only if the two digests match
Everyone has access to the trusted public key of the signatory
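The digital envelope of slides 15 and 16 and the sign-then-verify flow of slides 20 and 21, as one added Python example; it is not code from the original deck. It uses only the standard library: textbook RSA (no OAEP/PSS padding) on a 512-bit modulus built from two Miller-Rabin primes, and, standing in for DES, XOR against an HMAC-SHA256 counter keystream. The function names (seal, open_envelope, sign, verify), the key sizes and the sample message are the example's own assumptions; production code uses a vetted library with padded RSA or ECDH/Ed25519 and an AEAD cipher.

```python
"""Digital envelope (hybrid encryption) and digital signature, textbook RSA.

Added example, not from the original slides. Standard library only.
Textbook RSA and 512-bit moduli are for illustration, not production.
"""
import hashlib
import hmac
import random

SESSION_KEY_BYTES = 16


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits, rng):
    """Random odd candidate with the top bit set, until one passes Miller-Rabin."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def rsa_keygen(bits=512, rng=None):
    """Return ((n, e), (n, d)): the public key and the private key."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = generate_prime(bits // 2, rng), generate_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def stream_xor(key, data):
    """Symmetric cipher standing in for DES/AES: XOR with an HMAC-SHA256
    counter keystream. The same shared secret both encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[block_no * 32:(block_no + 1) * 32], ks))
    return bytes(out)


def seal(recipient_pubs, plaintext, rng=None):
    """Hybrid encryption: one random session key encrypts the data; that key is
    RSA-encrypted once per recipient (or recovery agent), giving one digital
    envelope each. Returns (envelopes, ciphertext)."""
    rng = rng or random.SystemRandom()
    session_key = rng.getrandbits(8 * SESSION_KEY_BYTES).to_bytes(SESSION_KEY_BYTES, "big")
    key_int = int.from_bytes(session_key, "big")
    envelopes = [pow(key_int, e, n) for n, e in recipient_pubs]  # textbook RSA
    return envelopes, stream_xor(session_key, plaintext)


def open_envelope(recipient_priv, envelope, ciphertext):
    """Recover the session key with the recipient's private key, then decrypt."""
    n, d = recipient_priv
    key_int = pow(envelope, d, n)
    if key_int >> (8 * SESSION_KEY_BYTES):
        # Textbook RSA has no integrity check; the wrong key just yields junk.
        raise ValueError("envelope was not sealed for this private key")
    return stream_xor(key_int.to_bytes(SESSION_KEY_BYTES, "big"), ciphertext)


def sign(signer_priv, message):
    """Hash the message, then apply the private key to the digest."""
    n, d = signer_priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(signer_pub, message, signature):
    """Apply the public key to the signature and compare with a fresh digest."""
    n, e = signer_pub
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


if __name__ == "__main__":
    rng = random.Random(2005)  # fixed seed so the demo repeats; never seed real key generation
    bill_pub, bill_priv = rsa_keygen(512, rng)
    agent_pub, agent_priv = rsa_keygen(512, rng)
    secret = b"Launch key for nuclear missile 'RedHeat' is ..."  # constructed sample
    envelopes, ct = seal([bill_pub, agent_pub], secret, rng)       # Bill plus a recovery agent
    print(open_envelope(bill_priv, envelopes[0], ct) == secret, open_envelope(agent_priv, envelopes[1], ct) == secret)
    sig = sign(bill_priv, secret)
    print("valid:", verify(bill_pub, secret, sig), "tampered:", verify(bill_pub, secret + b"!", sig))
```

Every recipient receives the same ciphertext and only the small envelope differs, which is why adding a recovery agent costs one RSA operation rather than a second encryption of the data. The verify failure on a one-byte change is the whole point of hashing first: the digest, not the message, is what the private key operates on.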
22. Word About Smartcards
Some smartcards are "dumb", i.e. they are only a memory chip
Not recommended for storing a private key used in a challenge-response test (verifying identity), because the key has to be read out to be used
Still, they are better than leaving keys on a floppy disk or on the hard drive
Cryptographically-enabled smartcards are more expensive but give much more security
The private key never leaves the card and is used on the card as needed
Additional protection (PIN/password, biometrics) is possible
Hardware implements some algorithms
Self-destruct is possible
23. Recommendations
Don't be scared of PKI!
Set up a test environment to enable you to "play"
Minimise the scope of your first implementation
Read up on CP & CPS
Document the purpose and operating procedures of your PKI
24. Summary
Cryptography is a rich and amazingly mature field
We all rely on it, every day, with our lives
Know the basics and make good choices, avoiding common pitfalls
Plan your PKI early
Avoid very new and unknown solutions
Write a Certificate Policy and a Certification Practice Statement
25. References
Visit www.microsoft.com/security
Read sci.crypt (incl. archives)
Attend SEC499 for “Encryption in Detail” on Friday at
14.45 in Room 1
For more detail, read:
Cryptography: An Introduction, N. Smart, McGraw-Hill, ISBN 0-07-709987-7
Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0-471-22357-3
Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1-58053-642-5 (to be published May 2005, see http://www.esecurity.ch/Books/cryptography.html)
Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471-11709-9
Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0-8493-8523-7, www.cacr.math.uwaterloo.ca/hac (free PDF)
PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3
Foundations of Cryptography, O. Goldreich, www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html
Cryptography in C and C++, M. Welschenbach, Apress, ISBN 1-893115-95-X (includes code samples CD)
28. DES, IDEA, RC2, RC5, Twofish
Symmetric
DES (Data Encryption Standard) is still the most popular
Keys very short: 56 bits
A 1993 design study estimated that a US$1m machine could brute-force a key in about 3.5 hours; the EFF built a real one for under US$250k in 1998, and today it is routine
Triple DES (3DES) is more secure, but better options are available
Just say no to single DES, unless the value of the data is minimal
IDEA (International Data Encryption Algorithm)
Deceptively similar to DES, and "not" from NSA
128-bit keys
RC2 & RC5 (by R. Rivest)
RC2 is older and RC5 newer (1994); both are block ciphers in the same family as DES and IDEA
Blowfish, Twofish
Blowfish is B. Schneier's replacement for DES, followed by Twofish, one of the NIST AES competition finalists
29. Rijndael (AES)
Standard replacement for DES for the US government and, probably, for all of us as a result...
Winner of the AES (Advanced Encryption Standard) competition run by NIST (National Institute of Standards and Technology in the US) in 1997-2000
Comes from Europe (Belgium), by Joan Daemen and Vincent Rijmen. "X-files" stories less likely (unlike DES).
Symmetric block cipher: Rijndael allows 128, 192 or 256-bit blocks, while AES as standardised fixes the block at 128 bits, with keys of 128, 192 or 256 bits
Fast, with many good properties; the design aims at resistance to timing and power (electric) analysis, though table-driven software implementations have since been shown to leak key material through cache-timing side channels, so use constant-time or hardware implementations where an attacker shares the machine
Construction, again, deceptively similar to DES (S-boxes, XORs etc.) but really different
30. CAST and GOST
CAST
Canadians Carlisle Adams & Stafford Tavares
64-bit block; CAST-128 takes keys from 40 to 128 bits
Choose your S-boxes
Seems resistant to differential & linear cryptanalysis, so the only known way to break it is brute force (but the shorter key sizes are a bit short!)
GOST
The Soviet Union's "version" of DES, but with a clearer design and many more repetitions of the process
256-bit key, but with the secret S-boxes really about 610 bits of secret, so pretty much "tank quality"
Backdoor? Who knows...
31. Careful with Streams!
Do NOT use a block cipher in a loop, i.e. encrypting each block independently under the same key (ECB mode): identical plaintext blocks give identical ciphertext blocks, so patterns in the data leak, and blocks can be cut, reordered or replayed without detection
Use a crypto-correct technique for treating streams of data, such as CBC (Cipher Block Chaining) with a fresh, unpredictable IV for every message
For developers:
.NET Framework implements it as ICryptoTransform on a CryptoStream with any supported algorithm; the mode is selected on the SymmetricAlgorithm (CBC is its default, ECB must be chosen deliberately)
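The "block cipher in a loop" problem beside its CBC fix, as an added Python example that is not part of the original deck. Because the standard library has no block cipher, the 16-byte cipher here is an assumed toy: a four-round Feistel network with HMAC-SHA256 as the round function, which is invertible and keyed but is only a stand-in for DES/AES. The two modes of operation, the PKCS#7 padding and the repeated-block count are the real technique; the key and message are constructed samples.

```python
"""ECB versus CBC on a toy Feistel block cipher, standard library only.

Added example, not from the original slides. The cipher is a stand-in for
DES/AES; the modes of operation and the leakage they show are real.
"""
import hashlib
import hmac
import os

BLOCK = 16   # bytes per block; the Feistel halves are 8 bytes each
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key, round_no, half):
    return hmac.new(key, bytes([round_no]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key, block):
    """One block under one key: a fixed, keyed permutation of 16-byte values."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, i, right))
    return left + right


def decrypt_block(key, block):
    """Runs the Feistel rounds backwards; only works because the key is known."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, i, left)), left
    return left + right


def pad(data):
    """PKCS#7 padding so the message is a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    """The 'block cipher in a loop' anti-pattern: every block on its own."""
    return b"".join(encrypt_block(key, b) for b in _blocks(pad(data)))


def ecb_decrypt(key, ciphertext):
    return unpad(b"".join(decrypt_block(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key, data, iv=None):
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first one) before encryption. Returns iv || ciphertext."""
    prev = iv if iv is not None else os.urandom(BLOCK)
    out = [prev]
    for b in _blocks(pad(data)):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, data):
    iv, body = data[:BLOCK], data[BLOCK:]
    out, prev = [], iv
    for b in _blocks(body):
        out.append(_xor(decrypt_block(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def repeated_blocks(ciphertext):
    """How many ciphertext blocks duplicate an earlier one: the pattern leak."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = b"sixteen byte key"          # constructed sample key
    message = b"ATTACK AT DAWN!!" * 4  # four identical 16-byte plaintext blocks
    ecb, cbc = ecb_encrypt(key, message), cbc_encrypt(key, message)
    print("ECB repeated blocks:", repeated_blocks(ecb))          # 3
    print("CBC repeated blocks:", repeated_blocks(cbc[BLOCK:]))  # 0
    print(ecb_decrypt(key, ecb) == message, cbc_decrypt(key, cbc) == message)
```

Four identical plaintext blocks produce four identical ECB ciphertext blocks (plus one padding block), which is exactly the structure an eavesdropper reads off a bitmap or a database column; under CBC with a random IV the same message gives unrelated blocks and a different ciphertext on every run. CBC alone still gives no integrity, so a real design adds a MAC or uses an authenticated mode.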
32. RC4
Symmetric
Fast, streaming encryption
Designed by R. Rivest in 1987
Originally a trade secret, but "published" anonymously in 1994 (posted to the Cypherpunks mailing list and then sci.crypt)
Related to the "one-time pad", theoretically the most secure cipher
But!
It relies on the keystream being indistinguishable from random, and that is the problem: RC4's keystream has known statistical biases, and reusing a key or deriving keys badly (as WEP did) is fatal
Nowadays, we tend to use block ciphers in modes of operation that work for streams
33. RSA, DSA, ElGamal, ECC
Asymmetric
Very slow and computationally expensive - need a computer
Very secure when keys are long enough and padding is done properly
RSA: Rivest, Shamir, Adleman - 1978
Popular and well researched
Strength rests on today's inability to factorise large integers into their prime factors efficiently
Some worries about the key generation process in some implementations
DSA (Digital Signature Algorithm) - NSA/NIST thing
Only for digital signing, not for encryption
Variant of the Schnorr and ElGamal signature algorithms
ElGamal
Relies on the complexity of discrete logarithms
ECC (Elliptic Curve Cryptography)
Really hard maths: discrete logarithms on elliptic curves over finite fields
Gives security equivalent to RSA (and others) with much shorter keys
34. Quantum Cryptography
Method for generating and passing a secret key or a random stream
Not for passing the actual data, but that's irrelevant
Polarisation of light (photons) can be detected only in a way that destroys the "direction" (basis)
So if someone other than you observes it, you receive nothing useful and you know you were bugged
Perfectly doable over a dedicated fibre-optic link of up to 120km
Seems pretty perfect, if a bit tedious and slow
Practical implementations still use AES/DES etc. for the actual encryption
Magiq QPN: http://www.magiqtech.com/press/qpn.pdf
Don't confuse it with quantum computing, which won't be with us for at least another 50 years or so, or maybe longer...
35. MD5, SHA
Hash functions - not encryption at all!
Goals:
Not reversible: can't obtain the message from its hash
Hash much shorter than the original
Two different messages should not have the same hash (it must be infeasible to find a collision)
MD5 (R. Rivest)
Processes the input in 512-bit blocks into a 128-bit digest
Mathematical model still unknown
It resisted major attacks for a decade, but practical collisions were published in 2004, so MD5 must not be used where collision resistance matters (e.g. signatures and certificates)
SHA (Secure Hash Algorithm)
US standard derived from the MD4/MD5 design; SHA-1 gives a 160-bit digest, the SHA-2 family (e.g. SHA-256) longer ones
36. Diffie-Hellman, "SSL", Certs
Methods for key generation and exchange
DH is very clever: a fresh, ephemeral "key-pair" for each session means that compromise of one session's keys does not expose earlier sessions (forward secrecy)
STS, MTI, and certs make it even safer by authenticating the parties, which plain DH does not do
Certs (certificates) are the most common way to exchange public keys
Foundation of Public Key Infrastructure (PKI)
SSL uses a protocol to exchange keys safely
See later
37. Cryptanalysis
Brute force
Good for guessing passwords, and some 40-bit symmetric keys (in some cases only 2^7 attempts were needed)
Frequency analysis
For very simple methods only (US mobiles)
Linear cryptanalysis
For stronger DES-like ciphers; needs 2^43 plaintext-ciphertext pairs
Differential cryptanalysis
For weaker DES-like ciphers; needs from 2^14 pairs
Power and timing analysis
Fluctuations in response times or power usage by the CPU
38. Strong Systems
It is always a mixture! Changes all the time...
Symmetric:
AES; min. 128 bits for RC2 & RC5, 3DES, IDEA and carefully analysed RC4; 256 bits better
Asymmetric:
RSA, ElGamal, Diffie-Hellman (for keys) with a minimum of 1024 bits (go for the maximum, typically 4096, if you can afford it); note that 1024-bit RSA and DH are no longer considered adequate, so treat 2048 bits as today's floor
Hash:
Either MD5 or SHA with at least 128-bit results, 256 better; given the published MD5 collisions, prefer SHA-256 for anything that is signed
39. Weak Systems
Anything with 40 bits (including 128- and 56-bit versions with the remainder "fixed")
Most consider DES a fairly weak algorithm
CLIPPER
A5 (GSM mobile phones outside the US)
Vigenère (US mobile phones)
Dates from 1585!
Unverified certs with no trust
Weak certs (as in many "class 1" personal certs)