○ Digital Signatures § Goal: verify Authenticity of a message. § Based on Asymmetric Cryptography. § Basic operations 1. Public / Private keys generation (using some algorithm like RSA) 2. Signing algorithm using the private key 3. Signature verification algorithm using the corresponding public key i. Extending previous Example • Steps (Order is very important, bold stuff is the difference added to authenticate sender) ® Party 1 (Alice) 1. Generates a random AES Session Key (32 bytes / 256 bits) 2. Generates a random Initialization Vector (IV) (16 bytes / 128 bits) 3. Encrypt the message to be sent using the AES Session Key & IV 4. Calculate an HMAC of the encrypted message using the AES Session key 5. Encrypt the AES Session Key using the Public Key of Party 2 (Bob) The recipient. 6. Calculate Signature using the private signing key on the HMAC 7. Sends a packet of (Encrypted Message, Encrypted Session Key, Initialization Vector, HMAC, and Signature) to Bob ® Party 2 (Bob) 1. Decrypts Session key using his Private Key 2. Recalculates the HMAC of the encrypted message (Validates message integrity) } If HMAC check pass – Verify digital signature using Alice Public Key w If signature verification pass w Decrypts the message using the decrypted AES Session Key and Initialization Vector w Otherwise, identity of the sender couldn't not be verified, reject message. } Otherwise, rejects the message because of integrity check failure. • Why Order matters? ® Timing Side-Channel Attacks ® Padding-Oracle Attack ○ Protocols § TLS/SSL • How TLS/SSL Works? • Mitigates against ® Man in the Middle Attacks ® Authentication, so the client can be sure it is talking to the correct destination. § Public Key Infrastructure (PKI) • Certificates aka X.509 Certificate (Sha-1 Signature Issues) ® A digitally signed file ® Identifies (Computer / User / Device) ® Has Public & Private Key, only the certificate owner has the Private Key. ® Has Expiration date ® Information about the CA that issued the cert ® X.509 Extension Attributes (like Usage attribute) ® Revocation Information. • Certificate Authority (CA) (CNNIC, WoSign) ® Issues, signs and manages certificates. ® Famous certificate authorities (Verisign, GoDaddy, … etc). • Trust Chains ® CA's can delegate the signing job to subordinate CA's ◊ Root CA's signs an intermediate signing certificate to the subordinate CA ® The subordinate CA can then issue certificates ® To validate a certificate, the client validates the signatures of all the intermediate stages and make sure all of them are linked to a Trusted CA • Certificate Revocation Lists (CRL's) ® When a certificate is compromised (Private Key leaked) it will be published on the CRL, so each time the cert is validated, the CRL list is checked in case cert is revoked. 3. Takeaways 4. Books a. Understanding Cryptography: A Textbook for Students and Practitionershttps://www.amazon.com/Understanding-Cryptography-Textbook-Students-Practitioners/dp/3642041000 Our facebook Page http://facebook.com/askdeveloper On Sound Cloud http://soundcloud.com/askdeveloper Please Like & Subscribe
○ Digital Signatures § Goal: verify Authenticity of a message. § Based on Asymmetric Cryptography. § Basic operations 1. Public / Private keys generation (using some algorithm like RSA) 2. Signing algorithm using the private key 3. Signature verification algorithm using the corresponding public key i. Extending previous Example • Steps (Order is very important, bold stuff is the difference added to authenticate sender) ® Party 1 (Alice) 1. Generates a random AES Session Key (32 bytes / 256 bits) 2. Generates a random Initialization Vector (IV) (16 bytes / 128 bits) 3. Encrypt the message to be sent using the AES Session Key & IV 4. Calculate an HMAC of the encrypted message using the AES Session key 5. Encrypt the AES Session Key using the Public Key of Party 2 (Bob) The recipient. 6. Calculate Signature using the private signing key on the HMAC 7. Sends a packet of (Encrypted Message, Encrypted Session Key, Initialization Vector, HMAC, and Signature) to Bob ® Party 2 (Bob) 1. Decrypts Session key using his Private Key 2. Recalculates the HMAC of the encrypted message (Validates message integrity) } If HMAC check pass – Verify digital signature using Alice Public Key w If signature verification pass w Decrypts the message using the decrypted AES Session Key and Initialization Vector w Otherwise, identity of the sender couldn't not be verified, reject message. } Otherwise, rejects the message because of integrity check failure. • Why Order matters? ® Timing Side-Channel Attacks ® Padding-Oracle Attack ○ Protocols § TLS/SSL • How TLS/SSL Works? • Mitigates against ® Man in the Middle Attacks ® Authentication, so the client can be sure it is talking to the correct destination. § Public Key Infrastructure (PKI) • Certificates aka X.509 Certificate (Sha-1 Signature Issues) ® A digitally signed file ® Identifies (Computer / User / Device) ® Has Public & Private Key, only the certificate owner has the Private Key. ® Has Expiration date ® Information about the CA that issued the cert ® X.509 Extension Attributes (like Usage attribute) ® Revocation Information. • Certificate Authority (CA) (CNNIC, WoSign) ® Issues, signs and manages certificates. ® Famous certificate authorities (Verisign, GoDaddy, … etc). • Trust Chains ® CA's can delegate the signing job to subordinate CA's ◊ Root CA's signs an intermediate signing certificate to the subordinate CA ® The subordinate CA can then issue certificates ® To validate a certificate, the client validates the signatures of all the intermediate stages and make sure all of them are linked to a Trusted CA • Certificate Revocation Lists (CRL's) ® When a certificate is compromised (Private Key leaked) it will be published on the CRL, so each time the cert is validated, the CRL list is checked in case cert is revoked. 3. Takeaways 4. Books a. Understanding Cryptography: A Textbook for Students and Practitionershttps://www.amazon.com/Understanding-Cryptography-Textbook-Students-Practitioners/dp/3642041000 Our facebook Page http://facebook.com/askdeveloper On Sound Cloud http://soundcloud.com/askdeveloper Please Like & Subscribe