PublicKeyManagement详解.ppt

Public Key Management Brent Waters Last Time Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation (RSA) Went over RSA-based signatures in detail DSA (Digital Signature Algorithm) Discrete log based signature scheme Similar to El Gamal Signatures 1991 NIST proposed Became first govt. adopted signature scheme Short signatures 2 160-bit components Slow signing and verification Exponentiation Awkward description Security reduces to funny assumption Why DSA standard? RSA Patent (until 2000) Longer sigs ~200 bytes Encryption (Export Controls) DSA Patent Free Short Signatures ~40bytes No encryption Public Key Management Certificates X.509 Standard How do we validate Certificate Auth? Alice must have public key of certificate authority Publish in N.Y. Times Everyone see, adversary cannot forge all Make sure Jayson Blair not on staff Not realistic Ships with Browser or Operating System Done in practice Trust in CA C.A. is trusted If compromised can forge a cert for Bob Attack might be detected CA key should be strongly guarded BBN SafeKeeper: tempest attacks Public Key Generation Algorithm 1) Alice generates pub/priv. key pair sends pub to CA 2) CA verifies Alice knows private key Challenge/response Self-signed certificate 3) CA generates cert and sends to Alice CA doesn’t know Alice’s key Trust models (Symmetric vs Public) Trust models (Symmetric vs Public) Symmetric Online KDC Knows my key If compromised past+future gone (forward security helps—guesses?) Public Offline Knows only public key Harder to do attack Only future messages exposed Cross Domain Certification Hierarchical solution Web of Trust Certificate Revocation Revoke Bob’s certificate Private key is stolen Leaves company, doesn’t own ID Expiration Date in Cert (1 year) CRL Periodically send lists to everyone Long lists, hard to manage OSCP (Online Certificate status protocol) Online authority to answer queries Signing key at