© 2003 Wonder Software Technologies Private Limted. All rights reserved.
|
|
|
|
|
|
|
|
|
| |
|
| |||||||||
|
||||||||||
|
| |||||||||
|
||||||||||
|
© 2003 Wonder Software Technologies Private Limted. All rights reserved. |
||||||||||
WonderCrypt
PKI - Technology
What is PKI (Public Key
Infrastructure)?
PKI is a
“comprehensive system of technologies” working to enable users of the Internet
to exchange information securely, authenticated and confidentially. PKI brings
to the electronic world the security and confidentiality features provided by
the physical documents, hand-written signatures, sealed envelopes and
established trust relationships of traditional, paper-based transactions. The
features are:
Confidentiality: Ensures
that only the intended recipients can read message or
files.
Data Integrity: Ensures
that the messages or files cannot be changed without
detection.
Authentication: Ensures
that participants in an electronic transaction are who they claim to
be.
Non-repudiation: Prevents participants
from denying involvement in an electronic transaction.
PKI uses cryptography i.e. encryption and digital signatures to achieve the above goals.
What constitutes
PKI?
1. User’s Key
pair: Mathematically related key pairs,
for each entity, an individual or an organization, a different key pair,
each
comprising
a private key and a public key.
2. Digital
certificates: Public Key of an entity signed by a
certificate authority. The IETF (Internet Engineering Task Force)
standard
for
this certificate is named X.509.
3. A
Certificate Authority: A party that is trusted by the
public to verify the public keys of others. The Certificate Authority may
further
delegate
its responsibilities to some sub-authorities such as Registration Authority and
Verifying Authority etc.
What's Inside an X.509
Certificate?
X.509
defines what information can go into a certificate, and describes how to write
it down (the data format). All X.509 certificates
have
the following data:
Version
This
identifies which version of the X.509 standard applies to this certificate,
which affects what information can be specified
in
it.
Subject
Name
The
name of the entity whose public key the certificate identifies. This name uses
the X.500 standard, so it is intended to be
unique
across the Internet. This is the Distinguished Name (DN) of the entity, for
example,
CN=Paul
Reuben, OU=Marketing, O=Wonder Software Tech., L=Atlanta, S=GA,
C=US
(These
refer to the subject's common name, organizational unit, organization, and
country etc.)
Public
Key
This
is the public key of the entity being named.
Issuer
Name
The
X.500 name of the entity that signed the certificate. This is normally a
Certificate Authority (CA). Using this certificate
implies
trusting the entity that signed this certificate. (Note that in some cases, such
as root or top-level CA certificates, the
issuer
signs its own certificate.)
Serial
Number
The
entity that created the certificate is responsible for assigning it a serial
number to distinguish it from other certificates it
generates.
Validity
Period
Each
certificate is valid only for a limited amount of time. This period is described
by a start date and time and an end date
and
time, and can be as short as a few seconds or almost as long as a century. The
validity period depends on a number of
factors,
such as the strength of the private key used to sign the certificate or the
amount one is willing to pay for a certificate.
What is Digital
Signature?
Not to be
confused with a digitized signature (a scan of a hand-written signature), a
digital signature can be used with either encrypted or plain text messages to
confirm the sender's identity and ensure the recipient that the message content
has not been changed in transmission. Digital signatures incorporate the
characteristics of hand-written signatures in that they can only be generated by
the signer, are verifiable, and cannot easily be imitated or repudiated. Digital
signature can also be applied to a file. The sender uses his or her private key
to digitally sign.
How does a
digital signature work?
Sender: Software
applies a mathematical formula known as a hash function to the message,
converting it to a fixed-length
string
of characters called a message digest. The digest acts as a "digital
fingerprint" of the original message. If the original
message
is changed in any way, it will not produce the same message digest when the hash
function is applied. Software
then
encrypts the message digest with sender’s private key, producing a digital
signature of the message.
Recipient: Recipient
uses sender's public key to decrypt the digital signature, revealing the message
digest. Since only
sender's
public key can decrypt the digital signature, recipient is able to verify the
authenticity of the sender of the message.
To
verify the message content, the recipient end software applies the same hash
function to the message that was received.
The
message digests should be identical. If they are, recipient knows the message
has not been changed and is assured of
its
integrity. The recipient uses sender’s public key to verify sender’s digital
signature.
Encryption
What is
Encryption? Encryption is the process of using
a mathematical formula and a key to scramble information so that
is
unintelligible
to unauthorized persons. In messaging two different types of encryptions are
used:
Symmetric-Key
Encryption: One Key
Public-Key
Encryption: Two Keys
Hybrid:
Symmetric And Public Key Used by one application for single
purpose.
What is
Decryption? Decryption is the process of
converting the scrambled information back to its original, plain text
form
using
the same mathematical formula and a decryption key related to the encryption key
so an authorized person can
understand
it.
How does it
provide message confidentiality? Message confidentiality is achieved
by using Public-Key encryption. A person
wishing
to send an encrypted message uses the recipient's public key to scramble the
information in the message. Only the
recipient's
private key can decrypt the message. In the picture below, until Alice applies
her private key the message contents
are
visible only as rubbish.
What is Symmetric Key
Encryption?
Symmetric-key
encryption is also called shared-key encryption or secret-key cryptography. It
uses a single key, called a Secret Key,
that
both the sender and recipient possess.
This
secret key is used for both encryption and decryption. (In
PKI: this is also referred to as a
session key, a document
or
message
is encrypted using this session key and the session key is encrypted using the
public key of the recipient).
Why
is the symmetric key used , why not use the public key straight away to encrypt
the document?
Symmetric-key
encryption is an efficient method for encrypting large amounts of data. Public
Key encryption is not a very efficient,
related
to speed of encryption, method for encrypting large amount of
data.
Many
algorithms exist for symmetric-key encryption, but all have the same purpose—the
reversible transformation of plaintext
(unencrypted
data, also called cleartext) into ciphertext. Ciphertext is scrambled using an
encryption key and is meaningless to
anyone
who does not have the decryption key. Because symmetric key cryptography uses
the same key for both encryption and
decryption,
the security of this process depends on no unauthorized person obtaining the
symmetric key. This is why it is also
called
secret key cryptography.
What is Public Key
Encryption?
Two
keys—a public key and a private key, which are mathematically related—are used
in public-key encryption, also called
asymmetric-key
encryption.
In
public-key encryption, the public key can be passed openly between the parties
or published in a public directory, but the
related
private key remains private. Data encrypted with the public key can be decrypted
only using the private key. Data
encrypted
with the private key can be decrypted only using the public key. Sender
encrypts a message using the receiver's
public
key and only the receiver has the related private key used to decrypt the
message.
What is
Hybrid?
Hybrid
encryption uses the two encryption technologies that have been described above
i.e. Symmetric Encryption as well as
Assymetric
Encryption.
Before
a text message or a file is encrypted a secret key is generated, also called a
Session Key, and the message or the file
is
encrypted using this secret key. Now this secret key also must be sent to the
recipient and this cannot be sent as it is on an
un-secured
medium such as the Intenet. This secret key is further encrypted using the
public key of the recipient and then
sent.
Thus before the recipient can access the message or the file, the encrypted
secret key is decrypted then used to decrypt
the
received message.
One
message can be secured for many recipients, however the secret key must be
encrypted using the public keys of all the
recipients
and sent. This adds very little overhead to the final message as attached
encrypted secret keys constitute a very
small
part of the final message.
Algorithms
WonderCrypt
provides choice of AES and DES algorithms for file encryption. The default
algorithm used for file encryption is AES. While using AES, the files are zipped
during encryption.
AES - The Advanced
Encryption Standard
Federal
Information Processing Standards Publications (FIPS PUBS) are issued by the
National Institute of Standards and Technology (NIST) of USA, that announced AES
as standard in FIPS PUB 197 on Nov 26, 2001.
AES is
a symmetric block cipher that can process data
blocks of 128
bits, using cipher
keys with lengths
of 128,
192, and
256 bits.
The basic unit for
processing in the AES algorithm is a
byte, a sequence of eight bits treated as
a single entity. The input, output and Cipher Key bit sequences are processed as
arrays of bytes that are formed by dividing these sequences into groups of eight
contiguous bits to form arrays of bytes.
DES - The Data
Encryption Standard
DES became
effective as standard of the U.S. Federal organization as FIPS PUB 46 in July
1977 and was reaffirmed 1983,1988,1993 and 1999. It is a symmetric key block
cipher with a block length of 64 and a key length of 64. Of this key 56 bits are
randomly generated and used directly by the algorithm. The other 8 bits, which
are not used by the algorithm, are used for error detection. They are set to
make the parity (number of "1"s) of each 8-bit byte of the key
odd.