Prepared by: [Link].N.G., Asst Prof Senior, School of Computer Science and Engineering, VIT, Vellore.
Module 5 - Basic Applied Cryptography
CSI3002 Applied Cryptography and Network Security
Key management and distribution, digital certificates, identity-based encryption, identification and authentication, zero knowledge protocols (3 Hours)
By,
[Link].N.G.,
Assistant Professor Senior,
Department of Analytics,
School of Computer Science and Engineering,
Vellore Institute of Technology, Vellore.
Email: [Link]@[Link] Mobile: 8903580808 Cabin: PRP 217-16
Key management and distribution
• Symmetric Key Distribution
  • Using Symmetric Encryption
  • Using Asymmetric Encryption
  • Session Key
• Key exchange Protocols
  • Symmetric Key Agreement
  • Diffie Hellman
  • Station to Station
• Public Key Distribution

Symmetric Key Distribution Using Symmetric Encryption
Key Distribution Options
• Key Distribution Technique - a term that refers to the means of delivering a key to two parties who wish to exchange data, without allowing others to see the key.
• Key distribution can be achieved in a number of ways:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key. (Caveat: if an attacker ever obtains one key in this sequence, every later key is exposed as well.)
4. If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.
Third-Party Key Distribution Options
Key-Distribution Center: KDC
• A KDC shares a distinct long-term master key with each registered party; on request it generates a fresh session key and delivers it to both parties, each copy encrypted under that party's master key (option 4 above).
• Parties that exchange keys need to authenticate themselves to each other.
• Timestamps are often used to limit the time in which a key exchange can take place and/or the lifetime of an exchanged key.
[Link] Multiple KDCs
Key Hierarchy
• Keys lower on the hierarchy are used more frequently, and changed more frequently.
• A higher-level key, which is used infrequently and therefore more resistant to cryptanalysis, is used to encrypt a newly created lower-level key so that it can be exchanged between parties that share the higher-level key.
• The term ephemeral key refers to a key that is used only once or at most is very short-lived.

Symmetric Key Distribution Using Asymmetric Encryption
• One of the most important uses of a public-key cryptosystem is to encrypt secret keys for distribution.
• Simple Secret Key Distribution
  • Proposed by Merkle
  • A generates a temporary public/private key pair and sends the public key with its identifier to B; B generates a secret session key K_s and returns it encrypted under A's public key; A decrypts K_s, and both discard the temporary key pair.
  • The exchange gives confidentiality for K_s but no authentication of either party, which is what the man-in-the-middle attack below exploits.
Secret Key Distribution with Confidentiality & Authentication
• Both parties already hold each other's authentic public key; nonces encrypted under the peer's public key authenticate each side, and only then is the session key sent, signed by the sender and encrypted for the receiver.

Man in the Middle Attack
• Against the simple Merkle protocol, an adversary E intercepts A's public key, replaces it with E's own, learns K_s when B returns it encrypted under E's key, and re-encrypts K_s under A's public key; A and B then share K_s without noticing that E holds it too.
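As an added example, not part of the original slides, here is the man-in-the-middle attack named above run against an unauthenticated Diffie-Hellman exchange (the key agreement listed in this module's outline), in Python using only the standard library. It shows Mallory ending up with a key shared with each side, and the minimal fix: Alice checks Bob's public value against a fingerprint she obtained over a channel Mallory cannot alter. The group is the 1024-bit MODP group from RFC 2409, chosen only for speed; the names Alice, Bob and Mallory and the out-of-band fingerprint channel are assumptions for the example.

```python
import hashlib
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP prime with generator 2.
# 1024 bits is far too small for production (use RFC 3526 group 14 or larger, or an
# elliptic-curve group); it is used here only to keep the example fast.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
assert P.bit_length() == 1024 and pow(2, P - 1, P) == 1   # cheap sanity check on the constant


def dh_keypair():
    """Ephemeral private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2            # 2 <= x <= p-2
    return x, pow(G, x, P)


def dh_shared_key(x, peer_public):
    """Derive a 256-bit session key from the shared secret (peer_public)^x mod p.

    Public values 0, 1 and p-1 force the secret into a trivial subgroup and must be
    rejected; this check is standard practice, not something the slides mention.
    """
    if not 2 <= peer_public <= P - 2:
        raise ValueError("invalid Diffie-Hellman public value")
    secret = pow(peer_public, x, P)
    return hashlib.sha256(secret.to_bytes(128, "big")).digest()


def fingerprint(public_value):
    """Short hash of a public value, the kind of thing people compare out-of-band."""
    return hashlib.sha256(public_value.to_bytes(128, "big")).hexdigest()[:16]


def honest_exchange():
    """Alice and Bob exchange public values over a channel nobody tampers with."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    return dh_shared_key(a, B), dh_shared_key(b, A)


def mitm_exchange():
    """Mallory relays the exchange, replacing each public value with one of her own.

    Alice's and Bob's keys differ, and Mallory holds both, so she can decrypt and
    re-encrypt every message between them without either side noticing.
    """
    a, A = dh_keypair()
    b, B = dh_keypair()
    m1, M1 = dh_keypair()   # Mallory's key pair facing Alice
    m2, M2 = dh_keypair()   # Mallory's key pair facing Bob
    # Alice sends A but Bob receives M2; Bob sends B but Alice receives M1.
    return {
        "alice": dh_shared_key(a, M1),
        "bob": dh_shared_key(b, M2),
        "mallory_with_alice": dh_shared_key(m1, A),
        "mallory_with_bob": dh_shared_key(m2, B),
    }


def authenticated_exchange(tampered=False):
    """Alice verifies Bob's public value against a fingerprint obtained out-of-band.

    Hypothetical setting: Bob's fingerprint reached Alice by a channel the attacker
    cannot alter (options 1 and 2 on the key distribution slide). Returns True if
    Alice accepts the exchange and False if she detects a substituted value.
    """
    a, A = dh_keypair()
    b, B = dh_keypair()
    oob_fingerprint = fingerprint(B)            # what Bob published out-of-band
    received = dh_keypair()[1] if tampered else B
    if fingerprint(received) != oob_fingerprint:
        return False                            # substituted value: abort, derive no key
    return dh_shared_key(a, received) == dh_shared_key(b, A)
```

Station-to-Station, the authenticated variant in the outline, replaces the out-of-band fingerprint with signatures over the exchanged public values, so the same substitution is detected in-band.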
Simple Protocol Using a KDC
• A asks the KDC for a session key to talk to B; the KDC returns the key to A encrypted under A's master key, together with a ticket (the same key plus A's identity) encrypted under B's master key, which A forwards to B.

Needham-Schroeder Protocol
• Adds a nonce N1 to A's request (so A can tell the KDC's reply is fresh) and a final handshake in which B sends a nonce N2 under the session key and A returns f(N2), proving to B that A holds the key.
• Weakness: an attacker who has recovered an old session key can replay the old ticket to B, and B has no way to tell the ticket is stale. The fix is to include a timestamp in the ticket so B can reject tickets outside an accepted time window.
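As an added example that is not part of the original slides, the KDC exchange above in Python with only the standard library, in the timestamp form of Needham-Schroeder due to Denning and Sacco: the master keys are the top of the key hierarchy from the earlier slide, the session key is ephemeral, the ticket carries the KDC's clock reading, and B rejects tickets outside an accepted window, which is what closes the replay weakness. The authenticated-encryption routine is a stand-in built from HMAC-SHA256, the master keys are generated at import time, and the 300-second window and the party names A and B are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Toy authenticated encryption built from HMAC-SHA256 (keystream XOR, then encrypt-then-MAC).
# It stands in for a real AEAD such as AES-GCM so the protocol runs offline; do not reuse it.
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(key, message):
    """message is a JSON-serialisable dict; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    pt = json.dumps(message, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))))

# Key hierarchy: every user shares a long-term master key with the KDC (top of the
# hierarchy, used rarely); the per-session key K_s is ephemeral and only ever travels
# encrypted under a master key.
MASTER_KEYS = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}
WINDOW = 300   # seconds a ticket or authenticator stays acceptable (assumed policy value)

def kdc_respond(requester, peer, nonce, now):
    """Step 2: K_s for the requester, plus a ticket for the peer sealed under the peer's key."""
    session_key = secrets.token_bytes(32).hex()
    ticket = encrypt(MASTER_KEYS[peer], {"key": session_key, "peer": requester, "time": now})
    return encrypt(MASTER_KEYS[requester], {"key": session_key, "peer": peer, "nonce": nonce,
                                            "time": now, "ticket": ticket.hex()})

def initiator_run(name, peer, now):
    """Steps 1-3 on A's side: request K_s, check the reply is fresh, build the authenticator."""
    nonce = secrets.token_bytes(16).hex()
    reply = decrypt(MASTER_KEYS[name], kdc_respond(name, peer, nonce, now))
    if reply["nonce"] != nonce or reply["peer"] != peer:   # replayed or misdirected reply
        raise ValueError("KDC reply failed freshness/identity check")
    session_key = bytes.fromhex(reply["key"])
    authenticator = encrypt(session_key, {"id": name, "time": now})
    return session_key, bytes.fromhex(reply["ticket"]), authenticator

def responder_accept(name, ticket, authenticator, now):
    """B's side: open the ticket, enforce the time window, then check the authenticator.

    Without the timestamp check an attacker holding an old K_s could replay the old
    ticket and authenticator and B would accept the stale key (the Needham-Schroeder weakness).
    """
    t = decrypt(MASTER_KEYS[name], ticket)
    if abs(now - t["time"]) > WINDOW:
        return None                                     # stale ticket: reject
    session_key = bytes.fromhex(t["key"])
    auth = decrypt(session_key, authenticator)
    if auth["id"] != t["peer"] or abs(now - auth["time"]) > WINDOW:
        return None                                     # wrong claimant or stale authenticator
    return session_key

def run(delay_before_b_checks=0):
    """Full exchange; returns (A's K_s, B's K_s or None). A delay past WINDOW models a replay."""
    now = 1_700_000_000
    k_a, ticket, auth = initiator_run("A", "B", now)
    return k_a, responder_accept("B", ticket, auth, now + delay_before_b_checks)
```

The window only works if A, B and the KDC keep loosely synchronised clocks, which is why deployments of this design (Kerberos is the best-known one) treat time synchronisation as part of the security boundary; the nonce check in initiator_run is what stops an attacker replaying an old KDC reply to A.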
Otway-Rees Protocol

Public Key Distribution
• If Alice wants to send a message to Bob, she only needs to know Bob's public key, which is open to the public and available to everyone.
• If Bob needs to send a message to Alice, he only needs to know Alice's public key, which is also known to everyone.
• In public-key cryptography, everyone shields a private key and advertises a public key.
• The following are the methods to share the public key:
  • Public Announcement
  • Trusted Center
  • Controlled Trusted Center
  • Certificate Authority
1. Public Announcement
• The naive approach is to announce public keys publicly.
• Bob can put his public key on his website or announce it in a local or national newspaper.
• When Alice needs to send a confidential message to Bob, she can obtain Bob's public key from his site or from the newspaper, or even send a message to ask for it.
• This approach, however, is not secure; it is subject to forgery: anyone can announce a key in Bob's name, and Alice has no way to tell the difference.

2. Trusted Center
• A more secure approach is to have a trusted center retain a directory of public keys.
• The directory, like the one used in a telephone system, is dynamically updated.
• The center requires that each user register in the center and prove his or her identity.
• The directory can be publicly advertised by the trusted center.
• The center can also respond to any inquiry about a public key.
3. Controlled Trusted Center
• A higher level of security is obtained by adding controls to the distribution: the center's response to a query carries a timestamp and is signed by the center, so it cannot be intercepted and replaced, or replayed later.
• Alice still needs the center's public key, obtained securely in advance, to check the signature, and every lookup goes through the center, which can become a bottleneck.

4. Certification Authority
• The alternative approach is to create public-key certificates.
• Bob wants two things:
  • He wants people to know his public key.
  • He wants no one to accept a forged public key as his.
• Bob can go to a certification authority (CA), a trusted organization (commercial or governmental) that binds a public key to an entity and issues a certificate.
4. Certification Authority
Introduction to Digital Certificate
• Kohnfelder first introduced the concept of using a signed data
structure or certificate to convey the public key to a relying party.
• Public-key certificates are used to bind an entity's name (and possibly
additional attributes associated with that entity) with the
corresponding public key.
• Different types of certificates
• X.509 public-key certificates
• Simple Public Key Infrastructure (SPKI) certificates
• Pretty Good Privacy (PGP) certificates
• Attribute certificates
Digital Certificate
• The term digital certificate is sometimes used to denote a certificate in electronic form.
  • Birth certificate issued by government in electronic form.
  • Public Key Certificate issued by CA.
• In accordance with common practice in the PKI industry, we will simply use the term certificate as a shorthand notation for an X.509 Version 3 public-key certificate.

Certificates
• Public-key certificate
• These user certificates are assumed to be created by some trusted certification authority (CA) and placed in the directory by the CA or by the user.
• The directory server itself is not responsible for the creation of public keys or for the certification function; it merely provides an easily accessible location for users to obtain certificates.
X.509 Public Key Certificates
• X.509 defines a framework for the provision of authentication services to its users.
• The directory may serve as a repository of public-key certificates.
• Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority.
• In addition, X.509 defines alternative authentication protocols based on the use of public-key certificates.
• X.509 certificates are used in a variety of contexts:
  • S/MIME
  • IP Security
  • SSL/TLS

1. X.509 (Contd…)
• X.509 is based on the use of public-key cryptography and digital signatures.
• The standard does not dictate the use of a specific digital signature algorithm nor a specific hash function.
Certificates
• User certificates generated by a CA have the following characteristics:
  • Any user with access to the public key of the CA can verify the user public key that was certified.
  • No party other than the certification authority can modify the certificate without this being detected.

Obtaining a User's Certificate
• If both the sender and the receiver have registered with the same CA, the process of obtaining the certificate is straightforward.
• If the sender is registered with CA1 and the receiver is registered with CA2, verifying the certificate requires a chain of CA certificates, described next.
Obtaining a User's Certificate
• Now suppose that A has obtained a certificate from certification authority X1 and B has obtained a certificate from CA X2.
• If A does not securely know the public key of X2, then B's certificate, issued by X2, is useless to A.
• A can read B's certificate, but A cannot verify the signature.
• However, if the two CAs have securely exchanged their own public keys, the following procedure will enable A to obtain B's public key.
  • A obtains from the directory the certificate of X2 signed by X1. Because A securely knows X1's public key, A can obtain X2's public key from its certificate and verify it by means of X1's signature on the certificate.
  • A then goes back to the directory and obtains the certificate of B signed by X2. Because A now has a trusted copy of X2's public key, A can verify the signature and securely obtain B's public key.
• Forward certificates: certificates of X generated by other CAs.
• Reverse certificates: certificates generated by X that are the certificates of other CAs.
X.509 Version 3 Certificate Extensions
• Limitations of Version 2
  • The subject field is inadequate to convey the identity of a key owner to a public-key user. X.509 names may be relatively short and lacking in obvious identification details that may be needed by the user.
  • The subject field is also inadequate for many applications, which typically recognize entities by an Internet email address, a URL, or some other Internet-related identification.
  • There is a need to indicate security policy information. This enables a security application or function, such as IPSec, to relate an X.509 certificate to a given policy.
  • There is a need to limit the damage that can result from a faulty or malicious CA by setting constraints on the applicability of a particular certificate.
  • It is important to be able to identify different keys used by the same owner at different times. This feature supports key lifecycle management: in particular, the ability to update key pairs for users and CAs on a regular basis or under exceptional circumstances.
• Version 3 - Certificate Extensions
  • Key and Policy Information
    • Authority key identifier
    • Subject key identifier
    • Key usage
    • Private-key usage period
    • Certificate policies
    • Policy mappings
  • Certificate Subject and Issuer Attributes
    • Subject alternative name
    • Issuer alternative name
    • Subject directory attributes
  • Certification Path Constraints
    • Basic constraints
    • Name constraints
    • Policy constraints
Revocation of Certificates
• Each certificate includes a period of validity, much like a credit card.
• Typically, a new certificate is issued just before the expiration of the old one.
• In addition, it may be desirable on occasion to revoke a certificate before it expires, for one of the following reasons:
  • The user's private key is assumed to be compromised.
  • The user is no longer certified by this CA. Reasons for this include that the subject's name has changed, the certificate is superseded, or the certificate was not issued in conformance with the CA's policies.
  • The CA's certificate is assumed to be compromised.
• Each CA maintains a signed certificate revocation list (CRL) of revoked but not yet expired certificates, identified by serial number; a relying party must consult it, because a revoked certificate still carries a valid signature and validity period.

Attribute Certificates (Optional)
• The X.509 attribute certificate (AC) binds attributes [role, security clearance, group membership and others] to an AC holder.
• AC is used in conjunction with a public key certificate.
• An access control function may make use of the attributes in an AC for authorization, but it is not a replacement for authentication.
• The public key certificate must first be used to perform authentication, then the AC is used to associate attributes with the authenticated identity.
• Fields
  • Version, holder, issuer, signature algorithm identifier, serial number, validity period, attributes, issuer unique identifier, and extensions.
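As an added example, not code from the original slides, the cross-certification procedure from the "Obtaining a User's Certificate" slide (A trusts X1, obtains X2's forward certificate signed by X1, then B's certificate signed by X2), together with the basic constraints and key usage extensions from the Version 3 slide and a signed CRL as described under revocation, in Python using only the standard library. RSA here is a textbook toy with no padding, the certificate is a JSON dictionary rather than ASN.1/DER, and the serial numbers, validity periods and the name Mallory are constructed for the demonstration.

```python
import hashlib
import json
import secrets

# Toy RSA signatures (textbook, unpadded) so the chain logic runs offline. A real PKI uses
# RSA-PSS, ECDSA or EdDSA from a vetted library; never reuse this part.
def is_probable_prime(n, rounds=16):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):                    # Miller-Rabin with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length and odd
        if is_probable_prime(candidate):
            return candidate

def keygen(bits=512):
    """Returns (public=(n, e), private=(n, d)); 512 bits only to keep the demo fast."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def _tbs(obj):
    """Canonical bytes of everything except the signature: the to-be-signed part."""
    return json.dumps({k: v for k, v in obj.items() if k != "signature"}, sort_keys=True).encode()

def issue(issuer, issuer_priv, subject, subject_pub, *, ca, serial, not_before, not_after):
    """A v3-style certificate carrying basicConstraints and keyUsage extensions."""
    cert = {"version": 3, "serial": serial, "issuer": issuer, "subject": subject,
            "public_key": list(subject_pub), "not_before": not_before, "not_after": not_after,
            "extensions": {"basic_constraints": {"ca": ca},
                           "key_usage": ["keyCertSign", "cRLSign"] if ca else ["digitalSignature"]}}
    cert["signature"] = sign(issuer_priv, _tbs(cert))
    return cert

def issue_crl(issuer, issuer_priv, revoked_serials):
    """The CRL is signed by the CA too; otherwise an attacker could serve an empty one."""
    crl = {"issuer": issuer, "revoked": sorted(revoked_serials)}
    crl["signature"] = sign(issuer_priv, _tbs(crl))
    return crl

def verify_chain(chain, anchor_name, anchor_pub, crls, now):
    """Walk from the trust anchor (X1 for A) to the end entity; returns (ok, reason).
    chain[0] is issued by the anchor (X2's forward certificate signed by X1), each later
    certificate by the subject of the previous one (B's certificate signed by X2)."""
    issuer, issuer_pub = anchor_name, anchor_pub
    for depth, cert in enumerate(chain):
        if cert["issuer"] != issuer:
            return False, f"{cert['subject']}: issuer is not {issuer}"
        if not verify(issuer_pub, _tbs(cert), cert["signature"]):
            return False, f"{cert['subject']}: bad signature"
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"{cert['subject']}: outside validity period"
        crl = crls.get(issuer)
        if crl is not None:
            if not verify(issuer_pub, _tbs(crl), crl["signature"]):
                return False, f"{issuer}: CRL signature invalid"
            if cert["serial"] in crl["revoked"]:
                return False, f"{cert['subject']}: revoked by {issuer}"
        ext = cert["extensions"]
        if depth < len(chain) - 1 and not (ext["basic_constraints"]["ca"] and "keyCertSign" in ext["key_usage"]):
            return False, f"{cert['subject']}: not a CA, cannot issue certificates"
        issuer, issuer_pub = cert["subject"], tuple(cert["public_key"])
    return True, "ok"

def demo():
    now, year = 1_700_000_000, 365 * 86400
    x1_pub, x1_priv = keygen()                 # A's CA; A holds x1_pub securely
    x2_pub, x2_priv = keygen()                 # B's CA
    b_pub, b_priv = keygen()
    x2_cert = issue("X1", x1_priv, "X2", x2_pub, ca=True, serial=1, not_before=now - year, not_after=now + 5 * year)
    b_cert = issue("X2", x2_priv, "B", b_pub, ca=False, serial=42, not_before=now - 86400, not_after=now + year)
    anchor = ("X1", x1_pub)
    results = {"valid": verify_chain([x2_cert, b_cert], *anchor, {}, now)}
    results["forged"] = verify_chain([x2_cert, dict(b_cert, subject="Mallory")], *anchor, {}, now)
    mallory = issue("B", b_priv, "Mallory", keygen()[0], ca=False, serial=7, not_before=now - 1, not_after=now + year)
    results["end_entity_as_ca"] = verify_chain([x2_cert, b_cert, mallory], *anchor, {}, now)
    results["revoked"] = verify_chain([x2_cert, b_cert], *anchor, {"X2": issue_crl("X2", x2_priv, [42])}, now)
    results["expired"] = verify_chain([x2_cert, b_cert], *anchor, {}, now + 2 * year)
    return results
```

Each failure returns a reason rather than raising, so a caller can log why a chain was rejected. The "end_entity_as_ca" case is the point of the basic constraints extension: without it, any certificate holder could act as a CA and the damage from one mis-issued certificate would be unbounded. In a real deployment these checks are the path validation of RFC 5280 performed by the TLS or PKI library, not something to re-implement.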