7 - PKI and Cryptographic Applications Flashcards
What is the difference between private and public-key cryptosystems?
- Public Key Cryptosystem: Relies on pairs of keys assigned to each user of the cryptosystem, one public key and one private key. The public key can be used by anyone who is interested in communicating with the private key holder.
- Private Key Cryptosystem: A private key is used by both parties of communication to decrypt the plaintext.
What is RSA?
Named after Ronald Rivest, Adi Shamir, and Leonard Adleman. They patented the algorithm and formed RSA Security. Depends on the computational difficulty inherent in factoring large prime numbers.
- Choose two large prime numbers (~200 digits each), labeled p and q.
- Compute the product of those 2 numbers: n = p * q
- Select a number, e, that satisfies the following two requirements:
- e is less than n
- e and (p-1)(q-1) are relatively prime - that is, the two numbers have no common factors other than 1.
- Find a number, d, such that (ed-1) mod (p-1)(q-1)=1
- Distribute e and n as the public key to all cryptosystem users. Keep d secret as the private key.
What is El Gamal?
The algorithm developed by Dr. T El Gamal in 1985 is based on the premise that the Diffie-Hellman algorithm could be extended to support an entire public-key cryptosystem. It was released straight into the public domain, it was not patented and private.
One of the major disadvantages of this system is that it doubles the length of any message it encrypts which presents a major hardship when encrypting long messages that will be transmitted over a narrow bandwidth comms circuit.
What is the Elliptic Curve algorithm?
Independently proposed by separate mathematicians, Neal Koblitz at the University of Washington and Victor Miller at IBM, that utilizes the application of elliptic curve cryptography (ECC).
Based on the elliptical curve algorithm, where an elliptical curve group is made up of points on the elliptical curve along with the point O located at infinity. Two points within the same elliptic curve group (P and Q) can be added together with an elliptic curve algo: P + Q
The problem can be extended to involve multiplication by assuming that Q is a multiple of P, meaning the following:
Q = xP
Scientists believe it is extremely hard to find x, even if P and Q are already known. The RSA key of 1,024 bits is cryptographically equivalent to a 160-bit elliptic curve cryptosystem key.
What are the 5 requirements of a hash function ?
- The input can be of any length
- The output has a fixed length
- The hash function is relatively easy to compute for any input
- The hash function is one-way (extremely hard to determine the input from the given output)
- The hash function is collision-free (it is hard to find 2 messages that produce the same hash value)
What are hash functions?
They take a potentially long message and generate a unique output value derived from the content of the message. This value is called a message digest. Message digests can be generated by the sender of a message and transmitted to the recipient along with the full message in order for the recipient to recompute the digest and use it to verify the authenticity of the message. Message digests can also be used to implement a digital signature.
What are some common types of Hash Functions?
-
SHA (Secure Hash Algorithm): Government standard hash functions promoted by NIST.
- SHA-1: Produces a 160-bit message digest. Processes a message in 512-bit blocks (it will pad the message if it doesn’t meet this size).
-
SHA-2: Has 4 variants:
- SHA-256 produces a 256-bit message digest using a 512-bit block size.
- SHA-224 uses a truncated version of SHA-256 to produce a 224-bit message digest using the same block size.
- SHA-512 produces a 512-bit message digest using 1,024-bit block size.
- SHA-384 uses a truncated version of 512 to produce a 384-bit digest using 1,024-bit block size.
- MD2 (Message Digest 2): Developed by Ronald Rivest of RSA fame in 1989. It pads the message so that its length is a multiple of 16 bytes. A 16-byte checksum is then computed and appended to the message. A 128-bit digest is then generated from this unit. It was later discovered without the checksum collisions were occurring.
- MD4 (Message Digest 4): Enhanced version of MD2. It pads the message to ensure it is 64 bits less than a multiple of 512.The algorithm then processes 512-bit blocks of the message in 3 rounds of computation resulting in 128-bit digest.
- MD5 (Message Digest 5): Processes 512-bit blocks of message in 4 rounds of computation that produces a 128-bit digest. Also must be 64 bits less than a multiple of 512 bits. This was found to have collisions.
What are Collisions?
Collisions are when message digests are the same for 2 (or more) different messages.
What is a Digital Signature?
It is when a sender generates a message digest of a plaintext message and then encrypts it with their private key. The recipient will then decrypt the message digest with the sender’s public key and confirm the message digest matches the sender’s (both parties need to be using the same hashing algo).
What are the goals of a Digital Signature?
Digital signatures have 2 distinct goals:
- Non-Repudiation: Assures the recipient that the message truly came from the claimed sender.
- Integrity: Assures the recipient the message was not altered while in transit between the sender and recipient. Protects against malicious and accidental modification of messages.
Digital Signatures rely on public cryptography and hashing functions. Digital Signatures ensure integrity, authentication, and nonrepudiation are met.
What is HMAC?
The Hashed Message Authentication Code (HMAC) implements a partial digital signature and uses a shared secret key.
This is faster than digital signatures based in PKI.
What is the Digital Signature Standard?
The Digital Signature Standard (DSS) specifies that all federally approved digital signature algos must use the SHA-3 hashing functions. It also specifies the encryption algos that can be used to support a digital signature infrastructure:
- Digital Signature Algorithm (DSA)
- Rivest-Shamir- Adlemen (RSA)
- Elliptic Curve DSA (ECDSA)
What are Digital Certificates?
Certificates are endorsed copies of an individual’s public key. They are usually signed by a trusted Certificate Authority (CA) to prove that the public key is legitimate. Certificates are usually governed by an international standard: X.509 This means they contain the following data:
- The version of X.509 (current version is 3)
- Serial number
- Signature Algorithm (the technique used by the CA to digitally sign the contents of the cert)
- Issuer name
- Validity period
- Subjects name (contains the Distinguished Name, DN)
- Subjects public key
What is a Certificate Authority?
Neutral organizations that offer notarization services for digital certificates. In order to obtain a digital cert from a reputable CA, you must prove your identity to the satisfaction of the CA. Browser developers preconfigure browsers to trust the major CA’s to avoid placing the burden of setting up trusted CA’s on the users.
What is a Registration Authority?
They assist CAs with the burden of verifying users’ identities prior to issuing digital certificates.