Digital Signature

Digital Signature
Not a digital signature

Digital Signature
Digital Signature

-1 Smart Card -2 Digital Certificate -3 Security. .

Digital Certificate Public Key

Private Key

Algorithms and Keys

Encryption and decryption with a key

Encryption and decryption with two different keys

Algorithms and Keys

A cryptosystem is an algorithm,

plus all possible plaintexts, ciphertexts, and keys.

More Definitions
Unconditional security No matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext Computational security Given limited computing resources (e.g time needed for calculations is greater than age of universe), the cipher cannot be broken

 2.7 Cryptographic Hash Function

and its requirements

Cryptographic

hash functions are important tools in cryptography for applications such as digital fingerprinting of messages, message authentication, and key derivation. arbitrary finite length into strings of fixed length.

Hash functions can map bit-strings of

 2.7 Cryptographic Hash Function

and its requirements

A hash value is generated by a

function H of the form h=H(M) where M is a variable-length message and H(M) is the fixed-length hash value.
The purpose of a hash function is to

produce a fingerprint of a message, or other block of data.

file,

 2.7 Cryptographic Hash Function

and its requirements

The hash value is intended for digital

signature applications, where a large file must be compressed in a secure manner before being signed (encrypted) with a private secret key under a public-key cryptosystem.
The purpose of a hash function is to

produce a fingerprint of a file, message, or other block of data.

2.7 Cryptographic Hash Function and its requirements A hash function H must have the following properties:
H can be applied to a block of data of any size. H produces a fixed-length output. H(x) is relatively easy to compute for any x, making both hardware and software implementations practical.

2.7 Cryptographic Hash Function and its requirements A hash function H must have the following properties: For any given code m, it is computationally infeasible to find x such that H(x) = m. For any given block x, it is computationally infeasible to find y x with H(y) = H(x). It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).

2.8 Steganography
Steganography serves to hide secret

messages in other messages, such that the secrets very existence is concealed. Generally the sender writes an innocuous message and then conceals a secret message on the same piece of paper.

2.8 Steganography
More

recently, people are hiding secret messages in graphic images. Replace the least significant bit of each byte of the image with the bits of the message. The graphical image wont change appreciablymost graphics standards specify more gradations of color than the human eye can noticeand the message can be stripped out at the receiving end.

2.9 Simple XOR

XOR is exclusive-or operation: ^ in C

or in mathematical notation. Its a standard operation on bits: ^0=0 ^1=1 ^0=1 ^1=0

0 0 1 1

2.9 Simple XOR

Also note that: a ^ a = 0 a ^ b ^ b = a The plaintext is being XORed with a

keyword to generate the ciphertext.

P ^ K = C C ^ K = P

Ongoing Communication

Message-by-Message Authentication Message-by-Message Integrity Message-by-Message Confidentiality

Figure 9.17: Digital Signature

Encrypted for Confidentiality

DS

Plaintext

Sender Add Digital Signature to Each Message Provides Message-by-Message Authentication

Receiver

Figure 9.17: Digital Signature: Sender

To Create the Digital Signature: 1. Hash the plaintext to create a brief message digest; This is NOT the digital signature 2. Sign (encrypt) the message digest with the senders private key to create the digital Signature Plaintext Hash MD Sign (Encrypt) MD with Senders Private Key DS

Figure 9.17: Digital Signature

Send Plaintext plus Digital Signature Encrypted with Symmetric Session Key DS Plaintext

Sender Encrypts

Transmission

Receiver Decrypts

Figure 9.17: Digital Signature: Receiver 1. Hash the received

Received Plaintext DS
2. Decrypt with True Partys Public Key plaintext with the same hashing algorithm the sender used. This gives the message digest 2. Decrypt the digital signature with the senders public key. This also should give the message digest. 3. If the two match, the message is authenticated; The sender has the true Partys private key

1. Hash

MD
3. Are they Equal?

MD

Figure 9.18: Public Key Deception

Impostor I am the True Person. Here is TPs public key. (Sends Impostors public key) Here is authentication based on TPs private key. (Really Impostors private key) Decryption of message from Verifier encrypted with Impostors public key, so Impostor can decrypt it Verifier Must authenticate True Person.

Critical Deception

Believes now has TPs public key

Believes True Person is authenticated based on Impostors public key True Person, here is a message encrypted with your public key.

Digital Certificates
Digital certificates are electronic documents

that give the true partys name and public key Applicants claiming to be the true party have their authentication methods tested by this public key If they are not the true party, they cannot use the true partys private key and so will not be authenticated Digital certificates follow the X.509 Standard

 Public key authentication requires both a

Digital Signatures and Digital Certificates

digital signature and a digital certificate to give the public key needed to test the digital signature
Certificate Authority Digital Certificate: True Partys Public Key

Applicant DS Plaintext
Verifier

Figure 9.19: Public Key Infrastructure (PKI)

Certificate Authority PKI Server Create & Distribute (1) Private Key and (2) Digital Certificate

Verifier (Cheng)

Verifier (Brown)

Applicant (Lee)

Figure 9.19: Public Key Infrastructure (PKI)

Certificate Authority PKI Server

3. Request Certificate for Brown 4. Certificate for Brown Verifier (Brown)

Verifier (Cheng)

Applicant (Lee)

Figure 9.19: Public Key Infrastructure (PKI)

Certificate Authority PKI Server 6. Check Certificate Revocation List (CRL) For Lees Digital Certificate 7. Revoked or OK Verifier (Cheng)

Verifier (Brown)

5. Certificate for Lee Applicant (Lee)

Figure 9.20: Security at Multiple Layers

Layer
Application Transport Internet Data Link Physical

Example
Application-specific (for instance, passwords for a database program); Application (Proxy) Firewalls SSL (TLS), Packet Filter Firewalls IPsec, Packet Filter Firewalls Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) Physical locks on computers, Notebook Encryption

Figure 9.20: Security at Multiple Layers

Having security at multiple layers provides

protection if one layers security fails Having security at multiple layers also slows processing on the device So provide protection in at least two layers but not in all layers

Figure 9.21: Creating Appropriate Security

Understanding Needs

Need to make security proportional to risks Organizations face different risks Policies bring consistency Must be enforced. Training in the importance of security and in protection techniques Social engineering prevention training

Policies and Enforcement

Figure 9.21: Creating Appropriate Security

Policies and Enforcement Security audits: attack your system proactively

You must really be able to trust your testers

Incident handling

Stopping the attack Restoring the system Prosecution Planning and practicing before the incident
Need to protect employee & customer privacy

Privacy


www.trustcenter.de/products/express/en/en.htm

( )


) (

) (


) (



) (outlook Express

) (Tools )(outlook express

) (signed Digitally )(Tools

) (Send