CPK Theory And Parctice

CPK Cryptosystem
Combined Public Key Cryptosystem
Theory and Practice

May 14, 2008 Network and Information Security Lab, Peking University

Timeline
Public Key Identity Based
Cryptography, Cryptography, X.509 Certificate v1,
Public file the first idea X.500, CA
Diffie, Hellman Shamir ITU-T

1978 1986
1976 1984 1988

Kohnfelder first IBS scheme
Certificate Idea Shamir


Timeline

PGP,
Web of Trust
Zimmerman SPKI,SDSI

No Practical IBE scheme
was founded since
1984
1995

1991 1996 2000

X.509 Certiﬁcate v3,
PKIX


Timeline

First Practical CPK
IBE scheme from Weil Pairing key management, IBE, IBS
Boneh, Franklin Nan, Chen

2001
2004

Cocks
IBE,
not bandwidth efﬁcient


Public File
• Public File (1976)

• Public File ( trusted directory ) is a key
directory that users could consult to ﬁnd other
user’s public key


Certiﬁcate
• Loren Kohnfelder, “Toward a Practical Public-
Key Cryptosystem”

• Separate trust and look-up


X.500, X.509v1


PEM (Privacy Enhanced Mail)
• PEM use ITU’s X.509 Certiﬁcate

• X.509 in PEM VS X.509 in X.500

• Bind name and public key

• Access control

• DN can’t be accepted

• Failed :(


PGP
• Global distinguished name, by email address

• Need no global TTP or CA

• Web of trust


PKIX

Architecture Certiﬁcate


SPKI
• Simple Public Key Infrastructure, by C. Ellison

• Emphasizes on authorization rather than
authentication

• SPKI Certiﬁcates bind attributes to Public Key
directly


PKI Challenges


PKI Challenges

89 PKI in federal agencies of US from 1998 to 2005


Identity Based Cryptography
• Idea from Shamir 1984, the public key can be
arbitrary string.

• The private key is generated by a trusted
authority named PKG (private key generator)
and distributed to users.

• Shamir’s original motivation was to simplify
the certiﬁcate management in email system.

• Identity based encryption (IBE), identity based
signature scheme (IBS).


IBC Schemes
• 1986 ﬁrst IBS scheme

• 2001 ﬁrst practical IBE scheme
❖ Boneh-Franklin IBE from pairing
❖ Cocks IBE
• 2004 CPK (Combined Public Key)
❖ Support IBE and IBS


y Certificates
Certiﬁcate vs Identity

Serial Number: 206
Certificate for: Bob Smith
Company: Fox Consulting
Issued By: Awfully Big Certificate Co.
Email Address: bsmith@home.net
Activation: Jan. 10, 2000
bsmith@home.net
Expiration: Jan. 10, 2002
24219743597430832a2187b6219a
Public Key:
75430d843e432f21e09bc080da43
509843

ABC’s digital signature
0a213fe67de49ac8e9602046fa7de2239316ab233dec
70095762121aef4fg66854392ab02c4


Encryption in PKI

Encryption

Sender Recipient

Recipient’s
Certificate

Certificate
Certificate
Request

Online Certificate
Database

At least 3 steps


Encryption in CPK

Identity Based Encryption

Encryption Public Key is
Sender Recipient’s identity, Recipient
i.e. the phone number

Only 1 step!


Deﬁnition
• Setup run by PKG, with the security
parameter t as input, the public system
params, and the secret master-key which will
be kept inside PKG, as output.

• Extract run by PKG, with the params,
master-key and the user’s identity string ID as
input, the user’s private key dID as output. The
output private key will be sent back to user
through secure channel.


Deﬁnition (cont.)
• Encrypt run by user, with params, recipient’s
ID and message M as input; encrypted cipher
text C as output. Sender should get trusted
copy of params before encrypt.

• Decrypt run by receiver, with params, his
private key dID and the cipher text C as input;
the decrypted plaintext M as output. Receiver
should authenticate himself to the PKG and
retrieve his private key dID before decrypt.


Deﬁnition of IBS
• Also include four algorithms:
❖ Setup, Extract, Sign and Verify
• The signer’s private key is generated from
PKG, PKG can forge a signature.

• So IBS can not be used in “non-negative”
applications.


Applications
• Alternative to PKI, without key and certiﬁcate
management.

• Expiration of public keys

• Delegations of decryption keys


Key Revocation in PKI
• Check the validation of certificate/public key
before apply it.
❖ CRL (Certificate Revocation List)
❖ OCSP (Online Certificate Status Protocol)


Revocation in IBC
• Identity can be revoked, such as hardware
serial number.

• Identity can not be revoked, such as email
address, phone number: Identity’ = Identity ||
time. The private key for identity appended
with time is not valid for a limited period.
❖ Example: alice@gmail.com || MAY2008
• Mechanisms similar to PKI.


CPK (Combined Public Key)
• One of identity based cryptography scheme

• CPK (Combined Public Key)
❖ At ﬁrst, it is a key management scheme
❖ Second, it provides identity based
encryption and and signature scheme.


Elliptic Curve Cryptography

G is a point on elliptic curve,
n is the order of cyclic group
<G>

Private key d is random
selected integer in [1, n-1]

Corresponding public key Q =
dG.

y 2 = x3 + ax + b (mod p)


Private Matrix Generation
In PKG
private matrix
 
···
s11 s12 s1n
Rand integers
 
RNG ···
s21 s22 s2n
 
sij ∈R [1, n − 1] . . .
..
 
. . .
.
 
. . .
···
sm1 sm2 smn

The trusted authority PKG (Private Key Generator) generates a
m×n matrix in which elements are randomly generated ECC
private keys (integers in [1, n-1]). The private matrix should be kept
secretly in PKG.


Public Matrix Generation
In PKG
public matrix
private matrix
 
 
···
s11 G s12 G s1n G
···
s11 s12 s1n
 
  ···
s21 G s22 G s2n G
···
s21 s22 s2n  
 
. . .
. . . ..
 
..
  . . .
. . . .
.  
  . . .
. . .
···
sm1 G sm2 G smn G
···
sm1 sm2 smn

key pair
Public Matrix is generated by PKG from the Private Matrix,
elements in Public Matrix is the public key of corresponding
private key in Private Matrix. The public matrix is publicly available
for all users.


Map Algorithm

h1 , h2 , . . . , hn ← H(ID)

Map algorithm H(ID) is a cryptographic hash algorithm, maps
an arbitrary string ID to column indexes of private matrix and
public matrix.

hi is the index of i-th column of public/private matrix.


Private Key Extraction
ID
In PKG
Input user’s identity ID

Map identity to indexes of matrix
h1 , h2 , . . . , hn ← H(ID)

 
···
s11 s12 s1n Select one element through
 
···
s21 s22 s2n each column of the private
 
. . .
..
  matrix by the index
. . .
.
 
. . .
···
sm1 sm2 smn

Add selected private keys,
the result is user’s private key
n−1
corresponding to his identity
dID = shi ,i (mod p)
ID.
i=0


Public Key Extraction
ID
In User
Input user’s identity ID

Map identity to indexes of matrix
h1 , h2 , . . . , hn ← H(ID)

 
···
s11 G s12 G s1n G Select one element through
 
··· each column of the Public
s21 G s22 G s2n G
 
. . .
..
  matrix by the index
. . .
.
 
. . .
···
sm1 G sm2 G smn G
Add (elliptic curve point add)
selected private keys, the
n−1
result is user’s public key
QID = shi i G corresponding to his identity
i=0
ID.


Identity Based Encryption
CPK-Encrypt (Message, ID, PublicMatrix) {
CPK-ExtractPublicKey (ID, PublicMatrix) -> PublicKey
ECIES-Encrypt (Message, PublicKey) -> Ciphertext
}

CPK-Decrypt (Ciphertext, PrivateKey) {
ECIES-Decrypt (Ciphertext, PrivateKey) -> Plaintext
}

ECIES: Elliptic Curve Integrated Encryption Scheme


Identity Based Signature

CPK-Sign (Message, PrivateKey) {
ECDSA-Sign (Message, PrivateKey) -> Signature
}

CPK-Verify (Message, PublicMatrix, SignerID, Signature) {
CPK-ExtractPublicKey(PublicMatrix, SignerID) -> PublicKey
ECDSA-Verify(Message, Signature, PublicKey);
}

ECDSA: Elliptic Curve Digital Signature Algorithm


Big Picture
h1 , h2 , . . . , hn ← H(ID)

 
···
s11 s12 s1n
  n−1
H(ID)
···
s21 s22 s2n
 
. . .
..
 
. . .
.
 
. . . i=0
···
sm1 sm2 smn

 
···
s11 G s12 G s1n G
  H(ID) n−1
···
s21 G s22 G s2n G
 
QID =
. . . shi i G
..
 
. . .
.
 
. . . i=0
···
sm1 G sm2 G smn G


Security
• Collisions
❖ 32×32 require map algorithm provides
32×5 = 160 bits
❖ Birthday after 280 accounts
• Collusion
❖ 32×32 require 1024 non-linear related
collusion private keys.


Collusion Resistance
• Veriﬁcation only applications, small matrix

• Without the threat of large scale collusion:
matrix size compatible to collusion scale.

• With the threat of large scale collusion:
❖ extend matrix size
❖ protect private key by hardware
❖ revoke the matrix periodically


CPK USB Token
CPK USB Token

AES,
CPK ECC
SHA1

32-Bit PubKey
USB
Secure Crypto
Interface
CPU Engine

0.6s per ECDSA signature
Tamper Resistant Key Storage
generation or ECDH
computation


Collision Resistance
• Expand matrix size.
❖ matrix size larger than MAX collusion
amount.

• Tamper resistant module for the protection of
private keys.
❖ Smart Card,
❖ USB Secure Token,
❖ TPM, etc.


Original Scheme
h1 , h2 , . . . , hn ← H(ID)

 
···
s11 s12 s1n
  n−1
H(ID)
···
s21 s22 s2n
 
. . .
..
 
. . .
.
 
. . . i=0
···
sm1 sm2 smn

 
···
s11 G s12 G s1n G
  H(ID) n−1
···
s21 G s22 G s2n G
 
QID =
. . . shi i G
..
 
. . .
.
 
. . . i=0
···
sm1 G sm2 G smn G


Generalized Scheme
General DH group ❮g❯, private key is s, public key is gs.

Map
H(ID) → a1 , a2 , . . . , an , ai ∈ Z∗
p
Algorithm

n
H(ID)
Extract
dID =
{s1 , s2 , . . . , sn } ai si
Public Key
i=1

Private Key Set User’s Private Key
n
H(ID)
Extract
{g s1 , g s2 , . . . , g sn } QID = (g si )ai
Private Key
i=1
Public Key Set User’s Public Key


Extensions
• CPK can be established on any cryptosystems
with the property that the combination of key
pairs are still valid keypair.

• For example:
❖ Cryptosystems based on Difﬁe-Hellman
Group, in which private key is integer d, the
corresponding public key is gd

❖ Cryptosystems based on elliptic curve
cryptography.


Extensions
• The CPK scheme can convert any
cryptosystem with key combination property
into identity based cryptosystem, not only IBE
and IBS, but also:
❖ Identity based Signcryption by converting
signcryption schemes based on DH group.
❖ Identity based short signature, convert BLS
short signature to identity based short
signature (160 bits signature compare to
320 bit DSA or ECDSA signature).


Advantage of CPK
• Simple

• Efﬁcient, especially for resource constrained
environment, such as embedded device.

• Support different cryptosystems, ElGamal
(ElGamal Encryption, DSA, ...), Elliptic Curve
Cryptography, Pairing Based Cryptography
and others.


Key Length

Bits of ECC Pairing
RSA
Security (CPK) (BF-IBE)
80 160 512 1024
112 224 1024 2048
128 256 1536 3072
192 384 3840 7680

256 512 7680 15360


Performance
• CPK (on Core 2 1.83GHz CPU)
❖ ~ 400 times/s CPK-ECIES encryption,
decryption CPK-ECDSA signature
veriﬁcation. ~1900 times/s CPK-ECDSA
signature generation

• Pairing (P3 1GHz CPU)
❖ ~ 30 to 90 times of pairing computation
• CPK is faster and require less codes.


Real-world Applications

Secure Email


CPK Secure Mail

Original mail Enveloped mail

To: alice@pku.edu.cn
To: alice@pku.edu.cn
Encryption From: bob@pku.edu.cn
From: bob@pku.edu.cn
key ID Title: xxxxxx
Title: hello
CPK
Contents:
Contents:
xxxxxxxxxxxxxxxxxxxx
this is the plaintext To be
message to be signed encrypted
and encrypted by CPK. Data
xxx

Signature:
xxxxxxxxxxxxxxxxx



WebIBC:
Identity Based Cryptography
for Client Side Security
in Web Applications


Target
• Web based applications like Gmail or Google
Doc can do harm to user security and privacy.

• Our solution: bring public key cryptography to
Web browsers, include public key encryption
and signature generation.

• All the cryptography operations and key usage
are inside the browser and implemented in
JavaScript and HTML only, require no plug-ins
and provider “open source” guarantee.


Challenges
• Private key: JavaScript can not read keys in
local ﬁle system.

• Public key: acquire other’s public key or
certiﬁcate is not easy for JavaScript programs
in Web browser.


Solution
• Private key: utilize fragment identifier in
bookmark URL as the private key storage. The
fragment identifier in URL will never be
transfered through the Internet.
http://www.domain.com/#skey=sdfBksLdfljksDjfls=
fragment identifier
fragment identifier starts from #

• Public key: in CPK, i.e. identity based
cryptosystem, the email address and other
meaningful string is the public key.


Workﬂow
% setup
PKG

ID
!
y
ske
quot;

# mpk.js
& save
Browser
) do
$U Secure
( RL
we Channel
bib
c.js Public
,m
'm pk Channel
.js
ess
age

WebApp
* forward


Workﬂow
1. The authority trusted by Alice and Bob
establishes a PKG, which will generate the
system parameters including the public matrix.
2. Web application embeds WebIBC into these
systems together with the public system
parameters released by the PKG.
3. Alice registers to the PKG with her ID.
4. PKG returns Alice’s private key.


Workflow
5. Alice can append the private key as an
fragment identifier to the Web application’s
URL, then save it as a bookmark into the
browser.
6. Now Alice can use this bookmark to log into
the web application. It should be noted that
the browser will send the URL without the
fragment identifier, so the private key is
secure.


Workﬂow
7. The WebIBC JavaScript ﬁles will also be
downloaded from the server, including the
public matrix of system.
8. Alice uses this web application as normal,
entering Bob’s email address and message
content into the form. When Alice presses the
send button, WebIBC JavaScript programs will
get the email address from the form as public
key and get private key from URL, encrypt and
sign the message.


Workﬂow
9. Then message will be sent to the server.
10. Because the message has been protected, the
Web application can do no evil to the message
but only forward it to Bob. Bob can also login
into his web application and decrypt the
message by his private key in the fragment
identiﬁer and verify the message through the
public matrix, similar to Alice.


Performance
0.5KB 2KB 10KB
Safari 1383.7 1,492 2,071
Firefox 1,523 1,661 2,401
IE 1,459 1,698 2,791
Opera 2,110 2,349 3,628

4000 ms
0.5 KB
2 KB
10 KB
3000 ms

2000 ms

1000 ms

0
Safari Firefox IE Opera



Code Signing


CPK Code Signing
• Code signing is the process of digitally signing
executables and scripts to conﬁrm the
software author and guarantee that the code
has not been altered.

• All sorts of code should be signed, including
tools, applications, scripts, libraries, plug-ins,
and other “code-like” data.


Code Signing Overview
• A unique identifier, used to identify the code or
to determine to which groups or categories
the code belongs.

• A collection of checksums of the various parts
of the program, such as the identifier, the main
executable, the resource files.

• A digital signature, which signs the seal to
guarantee its integrity.


What it can do
• Content Source: End users can conﬁrm that
the software really comes from the publisher
who signed it.

• Content Integrity: End users can verify that the
software has not been altered or corrupted
since it was signed.


What it can NOT do
• It can’t guarantee that the code is free of
security vulnerabilities.

• It can’t guarantee that a program will not load
unsafe or altered code—such as untrusted
plug-ins—during execution.

• It can’t determine how much to “trust” the
code.

• Attacks from administrator.


Other Disadvantages
• The user is likely to be bothered with
additional dialog boxes and prompts for
unsigned code that they don’t see with signed
code, and unsigned code might not work as
expected with some system components.

• Computation and storage overhead.


Code Signing Applications
• Anti-virus, anti-rootkit

• Parent control

• Trusted computing.


Code Signing on Linux

Codesign
User-space
Daemon
exec()

Netlink Socket
sys_execve()

LSM Hook
Codesign
Kernel Module
True/False

mmap()


Code Signing on Linux
• Codesign Tool: used to create, check, and
display code signatures.

• Kernel Module: Implement LSM (Linux
Security Module) hook to check the signature
in ELF.

• User-space Daemon: Do the checking, called
by kernel module through Netlink socket.


Code Signing Extension

Check
Policy DB
Engine
enterprise admin
Intranet

Host Host Host

Daemon Daemon Daemon

Kernel Module Kernel Module Kernel Module

host root host root host root


CPK Code Signing in Solaris
• Support signing on ELF binary, Java byte code
and shell scripts.

• Based on Solaris kernel level cryptographic
framework
❖ MPI (multi-precision integer library)
❖ ECC (elliptic curve cryptography library)
❖ Block cipher, Digest algorithms ...


User Space

execl( ) execle() execv()

execve ( )
execve()

_syscall( SYS_execve )

Kernel Space


Kernel Space
uts/common/os/exec.c

exece()

exec_common()

gexec()

switch (exectype)
elf a.out script java

elfexec() aoutexec() intpexec() javaexec()

functions in kernel modules: uts/common/exec/*


Kernel Space (with CPK)
uts/common/os/exec.c

exece()

exec_common()

gexec()

switch (exectype)
elf a.out script java

elfexec() intpexec() javaexec()

with CPK with CPK
signature signature
checking checking


CPK Kernel Modules

uts/common/exec/elf uts/common/exec/intp
(with CPK checking) (with CPK checking)

common/crypto/cpk
Policy Pub Matrix

common/ common/
common/
crypto/ crypto/
mpi
ecc sha1,sha2



CPK in Solaris


CPK Crypto Library
• A module of libcrypto

• Support error stack

• Support Id based cryptography

• Support ASN.1 encoding

• Support PKCS #7 cryptography message
syntax


Compatible to Standards
• SECG (Standards for Efﬁcient Cryptography
Group) SEC 1: Elliptic Curve Cryptography,
version 1.7 (current working draft).

• IBCS (Identity Based Cryptography Standard),
the identity syntax (draft).

• PKCS #7: Cryptography Message Syntax

• PKCS #11:Cryptographic Token Interface

• ASN.1/DER encoding


Supported Platforms
• Solaris, loadable module

• POSIX, CPK library

• Win32, CPK library, require pthread Win32

• Java, on Solaris with Cryptographic
Framework supported.


CPK Soft Token
CPK Software Stack
!/B/,F;;

!$E
2F?,
$G$HH,F;;
)%C(8* !quot;#
$%&'()*+,#&-*+./0*,123$45667
4%8/+9',$+:;-%,<+/)*=%+>
?*-/,48%-,189@;>0'66A'%7

2+%B9C*+,#&-*+./0*,123$45667
$%))/&C, 2F?, ;>0'66D ;>0'66D ;>0'66D
I9&*,J%%8>9- )%C(8* 0;>A'% >*+&*8A'% '%.--%>*&A'%

89@0;>


CPK Hard Token
CPK Hard Token (current)
7quot;3'1-.%(839.%:$5.(;<=7!>??@

7<=(A$%B9quot;0.3

#&4560

#&41'4

)'.%(D.E.#
12.3
=.%3.#(D.E.#

!quot;#$%&'()!*+(,%$-./quot;%0

Cquot;0.3(A$%B/$%.


OpenSolaris cryptoadm
# cryptoadm list -vm
Provider: /SunStudioProjects/p11/dist/Debug/Sun12-Solaris-x86/libcpkp11.so
Number of slots: 1
Slot #1
Description: CPK Crypto Softtoken
Manufacturer: Guan Zhi
PKCS#11 Version: 2.20
Hardware Version: 0.0
Firmware Version: 0.0
Token Present: True
Slot Flags: CKF_TOKEN_PRESENT
Token Label: CPK PKCS#11 Software token
Manufacturer ID: Guan Zhi
Model: 1.0
Serial Number:
Hardware Version: 0.0
Firmware Version: 0.0
UTC Time:
PIN Length: 0-0
Flags:


Key Management Framework
!quot;#$%&'$(&)*+,-
<4=4>?
.:.;
.-)+,-$
1!2 B..C:(1
..; <@:
./-00

D&'-?*Cquot;DE

@F:quot;Cquot;DE
B..C:(1
$(!$!-,J-,8?

(,8=&A-,
(+J0&)$!-3

<@:
(!KLL;

!-3$quot;454'-6-5*$#,46-78,9 !quot;#$%#&'()*

(,8',466&5'$:(1
!-3 @-,*&H&)4*-
25,8006-5*
quot;'6* I40&A4*&85
(,8=&A-,? !quot;#
(,8=&A-,? (,8=&A-,?
D-=-08G6-5*
#+*+,-$
(!@.MM L@.( @F;
#&0-?
N.. (!1O 15*-',4*&85$7&*/
!quot;#
!quot;#$%&$'()*+(),,-


CPK in Solaris KMF
!quot;#$%&'$(&)*+,-
<4=4>?
.:.;
.-)+,-$
1!2 B..C:(1
..; <@:
./-00

D&'-?*Cquot;DE

@F:quot;Cquot;DE
B..C:(1
$(!$!-,J-,8?

(,8=&A-,
(+J0&)$!-3

<@:
(!KLL;

!-3$quot;454'-6-5*$#,46-78,9 !quot;#$%#&'()*

(,8',466&5'$:(1
!-3 @-,*&H&)4*-
25,8006-5*
quot;'6* I40&A4*&85
(,8=&A-,? !quot;#
(,8=&A-,? (,8=&A-,?
D-=-08G6-5*
#+*+,-$
(!@.MM L@.( @F;
#&0-?
N.. (!1O 15*-',4*&85$7&*/
!quot;#
!quot;#$%&$'()*+(),,-


CPK in Solaris KMF
!quot;#$%&'$(&)*+,-
<4=4>?
.:.;
.-)+,-$
1!2 B..C:(1
..; <@:
./-00

D&'-?*Cquot;DE

@F:quot;Cquot;DE
B..C:(1

CPK Theory And Parctice

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a CPK Theory And Parctice

Semelhante a CPK Theory And Parctice (20)

Mais de Zhi Guan

Mais de Zhi Guan (10)

Último

Último (20)

CPK Theory And Parctice