
Digital Signature, Digital Certificate
Outline
Introduction
Cryptography
Secret-key algorithms
Public-key algorithms
Message-Digest algorithms
Digital Signature
Digital Certificate
Public Key Infrastructure (PKI)
Secure Electronic Transaction (SET)
Summary
Introduction
Cryptography and digital certificates first appeared in closed commercial, financial network and military systems.
We can send/receive secure e-mail and connect to secure websites to purchase goods or obtain services.
Problem: How do we implement them in this global, open network, the Internet?
What level of encryption is sufficient to provide safe and trusted services on the Net?
Cryptography
3 cryptographic algorithms:
Message-digest algorithms
Map variable-length plaintext to fixed-length
ciphertext.
Secret-key algorithms
Use one single key to encrypt and decrypt.
Public-key algorithms
Use 2 different keys: a public key and a private key.
Keys
A key is a variable value that is used by cryptographic algorithms to produce encrypted text, or to decrypt encrypted text.
The length of the key reflects the difficulty of decrypting the encrypted message.
[Figure: Plaintext -> Encryption (Key) -> Ciphertext -> Decryption (Key) -> Plaintext]
Key length
It is the number of bits (bytes) in the key.
A 2-bit key has four values
00, 01, 10, 11 in its key space
A key of length n has a key space of 2^n
distinct values.
E.g. the key is 128 bits
101010101010...10010101111111
There are 2^128 combinations
340 282 366 920 938 463 463 374 607 431 768 211 456
Secret-key Encryption
Use a secret key to encrypt a message
into ciphertext.
Use the same key to decrypt the
ciphertext to the original message.
Also called Symmetric cryptography.
[Figure: Plaintext -> Encryption (Secret Key) -> Ciphertext -> Decryption (Secret Key) -> Plaintext]
Secret Key - How to?
Encryption: Original Text + Secret key = Encrypted Text
Decryption: Encrypted Text + Secret key = Original Text
Secret-Key Problem?
All keys need to be replaced if one key is compromised.
Not practical for the Internet environment.
On the other hand, the encryption speed is fast.
Suitable to encrypt your personal data.
Secret-Key algorithms
Algorithm Name    Key Length (bits)
Blowfish          Up to 448
DES               56
IDEA              128
RC2               Up to 2048
RC4               Up to 2048
RC5               Up to 2048
Triple DES        192
Public-key Encryption
Involves 2 distinct keys: public and private.
The private key is kept secret and must never be divulged; it is password-protected (passphrase).
The public key is not secret and can be freely distributed and shared with anyone.
It is also called asymmetric cryptography.
The two keys are mathematically related, but it is infeasible to derive the private key from the public key.
100 to 1000 times slower than secret-key algorithms.
[Figure: Plaintext -> Encryption (Public Key) -> Ciphertext -> Decryption (Private Key) -> Plaintext]
How to use 2 different keys?
Just an example:
Public Key = 4, Private Key = 1/4, message M = 5
Encryption:
Ciphertext C = M * Public Key
5 * 4 = 20
Decryption:
Plaintext M = C * Private Key
20 * 1/4 = 5
Public-Private Encryption
First, create a public and a private key.
The private key is stored in your personal computer.
The public key is stored in the Public Key Directory.
Message Encryption
(User A sends message to User B)
[Figure: User A takes User B's public key from the Public Key Directory and encrypts the text (original message) into encrypted text (encrypted message).]
Transfer Encrypted Data
[Figure: User A sends the encrypted text to User B over an insecure channel.]
Decryption with your Private key
[Figure: User B decrypts the encrypted text with User B's private key, stored in User B's personal computer, to recover the original text.]
Asymmetric algorithms
Algorithm Name    Key Length (bits)
DSA               Up to 448
El Gamal          56
RSA               128
Diffie-Hellman    Up to 2048
How difficult to crack a key?
Key Length   Individual Attacker   Small Group   Academic Network   Large Company   Military Intelligence Agency
40           Weeks                 Days          Hours              Milliseconds    Microseconds
56           Centuries             Decades       Years              Hours           Seconds
64           Millennia             Centuries     Decades            Days            Minutes
80           Infeasible            Infeasible    Infeasible         Centuries       Centuries
128          Infeasible            Infeasible    Infeasible         Infeasible      Millennia

Attacker                       Computer Resources                                  Keys / Second
Individual attacker            One high-performance desktop machine & Software     2^17 - 2^24
Small group                    16 high-end machines & Software                     2^21 - 2^24
Academic Network               256 high-end machines & Software                    2^25 - 2^28
Large company                  $1,000,000 hardware budget                          2^43
Military Intelligence agency   $1,000,000 hardware budget + advanced technology    2^55
Crack DES-3 (Secret-key)
Distributed.net connects 100,000 PCs on the Net, to get a record-breaking 22 hr 15 min to crack the DES algorithm.
Speed: 245 billion keys/s
Win $10,000
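The arithmetic behind the key-length slides, as an added example that is not part of the original slides: it computes the worst-case time to sweep a 2^n key space at the keys/second rates from the attacker table (using the upper bound where a range is given) and shows how much of the 56-bit DES key space a 245 billion keys/s search covers in 22 hr 15 min. The function and variable names are chosen here for illustration.

```python
# Added example: brute-force arithmetic for the key lengths and rates quoted on the page.
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Keys/second taken from the attacker table (upper bound where a range is given).
RATES = {
    "Individual attacker": 2**24,
    "Small group": 2**24,
    "Academic network": 2**28,
    "Large company": 2**43,
    "Military intelligence agency": 2**55,
}

def key_space(bits):
    """Number of distinct keys of the given length: 2^n."""
    return 2 ** bits

def sweep_seconds(bits, keys_per_second):
    """Worst-case time to try every key; the expected time is half of this."""
    return key_space(bits) / keys_per_second

def fraction_searched(bits, keys_per_second, elapsed_seconds):
    """Share of the key space covered after elapsed_seconds at a constant rate."""
    return keys_per_second * elapsed_seconds / key_space(bits)

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds * 1e6:,.1f} microseconds"

def table(bit_lengths=(40, 56, 64, 80, 128)):
    """Worst-case sweep time for every attacker class and key length."""
    return {(who, bits): humanize(sweep_seconds(bits, rate))
            for who, rate in RATES.items() for bits in bit_lengths}

if __name__ == "__main__":
    for (who, bits), t in table().items():
        print(f"{bits:>3}-bit  {who:<30} {t}")
    # distributed.net figures from the page: 56-bit DES, 245 billion keys/s, 22 h 15 min
    full = sweep_seconds(56, 245e9)
    done = fraction_searched(56, 245e9, 22 * 3600 + 15 * 60)
    print(f"full DES sweep at 245e9 keys/s: {humanize(full)}; "
          f"key found after {done:.0%} of the key space")
```

Each extra key bit doubles the sweep time, which is why the jump from 56 to 128 bits matters far more than any increase in attacker hardware.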
Message-Digest Algorithms
It maps a variable-length input message to a fixed-length output digest.
It is not feasible to determine the original message based on its digest.
It is impossible to find an arbitrary message that has a desired digest.
It is infeasible to find two messages that have the same digest.
Message-Digest - How to
A hash function is a math equation that creates a message digest from a message.
A message digest is used to create a unique digital signature from a particular document.
MD5 example
[Figure: Original Message (Document, E-mail) -> Hash Function -> Digest]
Message-Digest
Message-Digest Algorithm       Digest Length (bits)
MD2                            128
MD4                            128
MD5                            128
Secure Hash Algorithm (SHA)    160
Digital Signature
A digital signature can be used in all electronic communications:
Web, e-mail, e-commerce
It is an electronic stamp or seal that is appended to the document.
It ensures that the document is unchanged during transmission.
How does a digital signature work?
User A uses A's private key to sign the document.
The document is transmitted via the Internet.
User B receives the document with the signature attached.
User B verifies the signature with A's public key stored at the directory.
Digital Signature Generation and Verification
[Figure: Message Sender: Message -> Hash function -> Digest -> Encryption (Private Key) -> Signature (Digital Signature). Message Receiver: Message -> Hash function -> Digest; Signature -> Decryption (Public Key) -> Expected Digest; the two digests are compared.]

Key Management
Private keys are password-protected.
If someone wants your private key:
They need the file that contains the key
They need the passphrase for that key
If you have never written down your passphrase or told anyone
Very hard to crack
Brute-force attack won't work
Digital Certificates
A digital certificate is data with a digital signature from a trusted Certification Authority (CA).
This data contains:
Who owns this certificate
Who signed this certificate
The expiry date
User name & email address

Elements of Digital Cert.
A Digital ID typically contains the following information:
Your public key, Your name and email address
Expiration date of the public key, Name of the CA who issued your Digital ID
Certification Authority (CA)
A trusted agent who certifies public keys for general use (Corporation or Bank).
The user has to decide which CAs can be trusted.
The model for key certification based on friends and friends of friends is called the Web of Trust.
The public key is passed from friend to friend.
Works well in small or highly connected worlds.
What if you receive a public key from someone you don't know?
Web of Trust model
[Figure: web-of-trust graph with nodes Bob, A, B, C, D and Alice]
Public Key Infrastructure
(PKI)
PKI is a system that uses public-key
encryption and digital certificates to
achieve secure Internet services.
There are 4 major parts in PKI.
Certification Authority (CA)
A directory Service
Services, Banks, Web servers
Business Users
PKI Structure
[Figure: Certification Authority, Directory services, User, and Services/Banks/Webservers, linked by Public/Private Keys]
4 key services
Authentication - Digital Certificate
To verify that a user is who he/she claims to be, in order to access the resource.
Non-repudiation - Digital Signature
To make the user unable to deny that he/she has sent the message, signed the document or participated in a transaction.
Confidentiality - Encryption
To make the transaction secure, so that no one except the communicating parties is able to read/retrieve the ongoing transaction.
Integrity - Encryption
To ensure the information has not been tampered with during transmission.
Certificate Signers
Certificate Enrollment
and Distribution
Secure Web Communication
Server authentication is necessary for a web client to identify the web site it is communicating with.
To use SSL, a special type of digital certificate, the server certificate, is used.
Get a server certificate from a CA.
Install the server certificate at the Web server.
Enable SSL on the Web site.
Client authentication - Client certificates

Strong and Weak Encryption
Strong encryption
Encryption methods that cannot be cracked by brute-force (in a reasonable period of time).
The world's fastest computer needs thousands of years to compute a key.
Weak encryption
A code that can be broken in a practical time
frame.
56-bit encryption was cracked in 1999.
64-bit will be cracked in 2011.
128-bit will be cracked in 2107.
Pretty Good Privacy (PGP)
Released in June 1991 by Philip Zimmermann (PRZ)
PGP is a hybrid cryptosystem that allows users to encrypt and decrypt.
Uses a session key: a randomly generated number derived from mouse movement or keystrokes
PGP Public Key
Philip R Zimmermann's Public Keys
Current DSS/Diffie-Hellman Key:
Key fingerprint: 055F C78F 1121 9349 2C4F 37AF C746 3639 B2D7 795E
[Figure: PGP encryption]
[Figure: PGP decryption]
Secure SHell (SSH)
Provides an encrypted secure channel between client and server.
Replacement for telnet and ftp.
Secure Shell & Secure FTP
[Figure: Secure Shell and Secure FTP clients; the host's public key]
Secure Electronic Transaction (SET)
This protocol was developed by Visa and MasterCard specifically for secure credit card transactions on the Internet.
SET encrypts credit card and purchase information before transmission over the Internet.
SET allows the merchant's identity to be authenticated via digital certificates, and also allows the merchant to authenticate users through their digital certificates (making it more difficult to use someone's stolen credit card).


Secure Electronic Transaction (SET)
There are four parts in the SET system.
A software wallet on the user's computer - Cardholder.
A commerce server that runs on the merchant's web site - Merchant.
The payment server that runs at the merchant's bank - Acquiring bank.
The Certification Authority - Issuing bank.

Privacy-Enhanced E-mail
Encrypted
Signed
