Cyber Security :

AIMS AND OBJECTIVES: PKI

HOW CAN SUE BE SURE PUBLIC KEY IS JOE'S?

Chadwick, the international hacker, is sniffing the communications over the internet between Joe and
Sue. What mischief could Chadwick get up to?

Sue sends a message

to Joe asking for his
Chadwick Public Key.
Joe sends his Chadwick pretends to
pretends to be Joe
Public key to Sue be Sue Sue sends encrypted
message to Joe

DIGITAL CERTIFICATE : Shows who is the owner of a public key::

We are rarely certain of the real identity of the sender, only that they have sent us a public key. If you
want to buy over the web and to encrypt your credit card details you need to know the public key you
are sent really belongs to who you think you are sending to. The authenticity of a public key can be
proved by a digital certificate. The certificate gives the public key of a particular party and verifies they
own it through the digital signature of the Issuing Authority.
VERISIGN CLASS1 DIGITAL CERTIFICATE

OWNER:
)
Certified Details for : Fred Bloggs Email: bf02@gre.ac.uk Certificate Serial No: A2:EO:89:B1:E5 …
)
Public Key: 9D:4F:16:3D:1A:87:F1:A2:EO:7D:B9:B1:D5:83:B3:62
)
PartA
. CERTIFICATE DETAILS
)
Certificate Validity: 4/1/2012 – 3/1/2013 Certificate Type: Class 1 Checked: 20/12/2011
Issuing Certificate Authority: Verisign Class1 CA : 62 Axford Street, London Message Digest Type: MD5
)
PartB
Issuing Authority’s Digital Signature: BD:44:15:3D:2A:57:F1:72:EO:5D:89:B1:E5:8D:B3:ED …

To Verify This Certificate the Receiver Must:

Part A :
Calculate message digest for part A using the Message Digest type specified:

Part B:
Decrypt the Issuing Authority’s Digital Signature using what key?
And, when decrypted, we now have what?

What do we now compare?

Certificate Authorities and Certificate Types

Many Certificate Authorities (CA’s), most known are Verisign, Microsoft, Thawte.
Some do exhaustive checks - others do few

Verisign Class1: Individual subscriber – persona non-validated:

first and last names, email

Verisign Class2 : Individual subscriber – persona validated:

name, spouses name, email, dob ,employer, drivers lic. no., soc. sec. no.

Verisign Class3: Secure Server: thorough identity checks

Certificate Issue from CA (Certificate Authority)

There are TWO processes : registration and certification.

Registration performs various checking operations on the owner of the key to verify their identity.
Certification produces the certificate; on approval the CA creates an X.509 certificate for the user and
signs it with its own private key.

SUE VERISIGN

I want a digital certificate

Class2 to verify my public key

Here is our CA(Pu) key. Encrypt your

details with this and send to us.
CA(Pu)
For Class2 Please Send ID :
Name, address, email, dob, drivers
license no, employer
.

Here is my ID and S(Pu)

encrypted with your public key
CA(Pu)
S(Pu)

Check ID.
Please give a ‘challenge phrase’
encrypted with our public key.

Here is my Challenge phrase

Encrypted with your Public Key
CA(Pu)

Here is your signed certificate containing:

S(Pu) and your personal details
authenticated and authorised with our
digital Signature
Digital Certificate
 Trusted Root Certification Authority
CA CHAINING
(ROOT)
Intermediate Certification
Authorities

Verisign Class1 CA Verisign Class2 CA Verisign Class3 CA

Issue this certificate

If John Mitchell sent this certificate to the

Verisign Cert : Serial No: 34567 Digest: MD5 university so we could use his Public Key,
Class:1 Owner: John Mitchell how would we know it wasn’t altered?
Public key: A3:47:6F: …

Verisign Class1 CA’s Dig Sig: C4:5D:83:A7 …

Validate John’s certificate

Verisign Cert : Serial No: 00001 Digest: MD5
using Public key from
Class:3 Owner: Verisign Class1 CA
Verisign Class1 CA certificate
Public key: A7:B7:6F: …

ROOT’s Dig Sig: A4:5D:83:A7 …

Validate Verisign Class 1

certificate with ROOT public
key

In XP to see the university’s certificates go to Settings\Control Panel\Security Center\

Internet Options\Content\Certificates ROOT

PUBLIC KEY INFRASTRUCTURE (PKI)

A PKI can be internal to an organisation as well as national/international.

Root issues Digital

What does this Certifcates for CA’s.
arrow denote?

Certificate Authority CA What does this

issues Digital Certifcates. arrow denote?

JOE SUE
J(Pr) S(Pr)
Encrypted
JCert
Message SCert

validate Sue's certificate What do they

exchange? So, what does Sue do
encrypt message with Sue's pub key S(Pu) to read Joes
message?
 COMPARISON OF SYMMETRIC AND ASYMMETRIC ENCRYPTION

CRITERIA SYMMETRIC ( one key) ASYMMETRIC (2 keys)

Speed

Distributing
key
Authentication

Secure

MAKING CONFIDENTIAL , TRUSTABLE MESSAGES AVAILABLE

SECURE SOCKETS LAYER (SSL) with ONE certificate exchange

Note that the symmetric
JOE AMAZON key is only created for
Send: one transaction. Each
transaction has a
I have written my order and different symmetric key
want to send order/credit card Send Amazon Certificate Amaz(Cert)
called a SESSION key.
details.
Send:
1. I want to use DES symmetric
encryption. 1. Decrypt 128bit symmetric session key Joe(Sym).
2. I will send 128bit symmetric
session key Joe(Sym). 2. Please send encrypted order+ credit card details.
3. Here is session key Joe(Sym)
encrypted.

Here are my credit card details 1. Decrypt order/credit card details.

encrypted with the 128bit
symmetric session key Joe(Sym)..

1. Here is the message digest for the Check out message digest.
order/credit card details encrypted Send transaction over message.
with Joe(Sym).
2. Encrypted session over.

Joe is using a 128bit symmetric session key: how many choices of key does he have for
one session?
With what key does Joe encrypt the DES key for Amazon?
With what key does Amazon decrypt the DES key from Joe?
With what key does Amazon decrypt the order/credit card details from Joe?