Hugo Fruehauf
hxf@zyfer.com
October 2001
Securing Data through a Cryptographic Process
[Figure: Encryption Key (i.e. 128 bits); packet chopped into key-length sections; Encrypted Data.]
6-01
Symmetric (Secret-Key) Cryptography
[Diagram: Sender: Unencrypted (Red) Data, Encryptor with Key, Encrypted Data. Communications Media (RF, Wire, Fiber, Physical, etc.). Receiver: Encrypted Data, Decryptor with Key, Unencrypted (Red) Data. The Key must be given to the Receiver.]
Symmetric Key Pros and Cons
Hierarchical PKI Model
[Diagram labels: Secure Root and Infrastructure; CA (point of authentication; certificate created; secure communications with other CAs); RA (point of verification); Customer; Network; Secure Transactions.]
CA - Certification Authority
RA - Registration Authority
Registration and Certification Process
[Diagram, numbered steps as labelled:]
1 Applicant
2 Complete Application
3 Generate Key Pair
4 Send to RA
5 Review Application
6 Create Certificate Request
7 Send to CA
8 Generate Certificate
9 Send Certificate to Applicant
[Other labels: Registration Authority; Deliver Certificate. Certificate fields: Name, Org, Key, Signature, Date, Issuer.]
Basics of Asymmetric (Public-Key) Cryptography
• PKI (simplified)
[Diagram labels: Public Key Data Base; Receiver's Public Key (B); Sender (A): Encrypt Symmetric Key, Encrypt Data; Receiver (B): Decrypt Symmetric Key Rcv'd, Decrypt Data; Data to be Encrypted; Decrypted Data.]
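$$K(n) = \frac{n^2 - n}{2}$$

$$K(10) = \frac{10^2 - 10}{2} = \frac{100 - 10}{2} = \frac{90}{2} = 45$$

$$K(100) = \frac{100^2 - 100}{2} = \frac{10{,}000 - 100}{2} = \frac{9{,}900}{2} = 4{,}950$$

$$K(200) = \frac{200^2 - 200}{2} = \frac{40{,}000 - 200}{2} = \frac{39{,}800}{2} = 19{,}900$$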
10-01
Key Exchange Logistics
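[Figure: plot of No. of Symmetric Keys (Kn), K(n) = (n^2 - n)/2, with the vertical axis running from 0 to 35000 and the horizontal axis from 50 to 250. Inset: eight users (Amy, Barry, Cathy, Don, Earl, Frank, Gina, Henry) joined by pairwise keys (KAB, KAH, KBH, KBC, KCH, KGH, KDH, KCD, KEH, KFH, KFG, KDE, KEF).]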
Public Key for a person is mathematically associated with the Private Key for that person.
[Diagram labels: Certification Authority (CA); Receiver's Public Key; Receiver's Private Key; Sender: Decrypted (Red Data), Encrypted (Black Data), HASH, Encrypt with Sender's Private Key; Network: Black Data and HASH sent; Receiver: Encrypted (Black Data), Decrypted (Red Data), HASH, Decrypt with Sender's Public Key; Data Authentication.]
Diffie-Hellman Infrastructure
[Diagram: Generate Symmetric Key, Encrypt; Network; Decrypt, Generate Symmetric Key.]
Today’s Cryptography Systems (Simplified)
[Diagram, “Setup” Phase: User #1 and User #2 get keys from the CA (1 Request, 2 Receive); 3 Look up User #2 Public Key; 4 Receive User #2 Public Key; Public Key Data Base; Store Keys in Terminal. “Use” Phase: Private Key; Symmetric Key; Data; Decrypt; Keys: Store in Terminal, or Generate New Keys Via CA, etc.]
StealthKey™ Cryptography Infrastructure
[Diagram, “Setup” Phase: User #1 and User #2 each get and receive Setup from the Authorized Agency (1); Store In Chip (2); Secured Data Base; Symmetric Key Seq's (3). “Use” Phase (steps 4 to 8): Data In; Symmetric Encrypt; Transfer over Network; Decrypt; Data Out. Repeat “Setup” Phase.]
RSA - Public Key Infrastructure Details
[Diagram, steps numbered 1 to 29. Key setup: RSA Public & Private Key Generation (Receiver); RSA Receiver Private Key; RSA Public Key Database; RSA Receiver Public Key; Sender Symmetric (Secret) Key Generation. Data Transfer: Timestamp Generation; Message Digest (HASH); Timestamped Message; Encrypt; Network; Decrypt; Timestamped Message; Message Digest (HASH); Timestamp Generation. Authentication (Sender, Receiver, Data Integrity): RSA Public & Private Key Generation (Sender); RSA Sender Private Key; RSA Encrypt; RSA Public Key Database; RSA Sender Public Key; RSA Decrypt; Compare; Message Digest Authentication (Y/N).]
Asymmetric Keys Pros and Cons
Role of Certification Authority
• Certification Authorities
– Validate identity of certificate subject (to various degrees)
– Certify certificates with CA digital signature
– Enforce certificate validity
– Maintain a certificate revocation list (CRL)
– Generate Key Pairs
Source: Chokhani, S., Ford, W., “Internet Public Key Infrastructure: Certificate Policy and Certification Practices Framework,” IETF Internet Draft, draft-ietf-pkix-ipki-part4-02.txt, 30 September 1997.
Digital Signatures
• Creation:
– Hash the data object to be signed.
– Encrypt the hash with your private key.
– Transmit both the data object, public key and the encrypted hash.
• Verification:
– Hash the data object received.
– Decrypt the encrypted hash with sender's public key.
– Compare the computed hash with the decrypted hash.
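The creation and verification steps above, as an added example that is not part of the original slides: textbook (unpadded) RSA over a SHA-256 hash, with constructed toy keys. The names `TRUSTED_KEYS`, `make_message` and `check` are assumptions of this example; it also shows why the verifier takes the sender's public key from a trusted record rather than from the message that carries it.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Return (public, private) for textbook RSA built from primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data):
    """Hash the data object; SHA-256 is this example's choice of hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    """Creation: hash the data, then 'encrypt' the hash with the private key."""
    n, d = private
    return pow(digest(data), d, n)

def verify(data, signature, public):
    """Verification: 'decrypt' the signature with the public key, compare hashes."""
    n, e = public
    return pow(signature, e, n) == digest(data)

# Constructed toy keys from well-known Mersenne primes: for the demo only, not real use.
ALICE_PUB, ALICE_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**89 - 1, 2**607 - 1)

# Stand-in for the public key database of certified keys (hypothetical name).
TRUSTED_KEYS = {"alice": ALICE_PUB}

def make_message(sender, data, public, private):
    """Transmit the data object, the public key and the encrypted hash together."""
    return {"sender": sender, "data": data, "public_key": public,
            "signature": sign(data, private)}

def check(msg):
    """Return (verifies with the key carried in the message,
    verifies with the key on record for the claimed sender)."""
    carried = verify(msg["data"], msg["signature"], msg["public_key"])
    on_record = verify(msg["data"], msg["signature"], TRUSTED_KEYS[msg["sender"]])
    return carried, on_record

def demo():
    genuine = make_message("alice", b"pay 100 to Bob", ALICE_PUB, ALICE_PRIV)
    altered = dict(genuine, data=b"pay 900 to Bob")  # data changed in transit
    resigned = make_message("alice", b"pay 900 to Bob", OTHER_PUB, OTHER_PRIV)
    return check(genuine), check(altered), check(resigned)

if __name__ == "__main__":
    print(demo())
```

The third case passes against the key carried in the message but fails against the key on record, which is the check a certified public key makes possible.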
Spoofing Attacks
Cost and Time to Break DES Keys
(Source: “Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security,” Blaze, et al., 1/96; Schneier, B., “Applied Cryptography, Second Edition,” John Wiley & Sons, Inc., 1996)
* IPSec, Naganand Doraswamy, Prentice-Hall, 1999
StealthKey™
StealthKey Encryption Layer Options
[Diagram: OSI layers (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network) beside Internet layers (4 Application Layer, 3 Host to Host (Transport Layer), 2 Internet-Working Layer), with Encrypt Shim Options A, B, C and D. Application DATA (Payload): 32 Bit OH needed; 128, 128, OH+P. Packet (Payload): OH may not be needed; TCP, 128, 128, Pad. IPSec TRANSPORT MODE: IP, ESP, TCP, DATA. TUNNEL MODE.]
[Figure: Internet Performance. Packet Loss (0% to 45%) by time of day (Early AM, AM, Noon, PM, Midnight); second axis 0 to 2500.]