Unit – 4 Cryptography

Topics:

Digital Certificates and Public Key Infrastructure (PKI): Introduction, Digital Certificates, Private Key
Management, The PKIX Model, Public Key Cryptography Standards (PKCS), XML,PKI and Security, Creating
Digital Certificate.

Que 1. What is Digital Certificates? Explain steps for creating digital certificate

digital certificate is a way to confirm the identity of a public key owner. Normally, a third party organization, known as CA (certification authority), is responsible for confirming or binding the identity of a digital certificate owner. It is used to establish secure communication between two parties who are unknown to each other or have lack of trust. Digital certificate can assure that the person who you can want to establish communication is actually the person who he claims to be.

So, the main reason of using digital certificate is building trust between two parties who want to communicate securely.

We can verify an unknown person’s identify when a well-known organized endorse the identity of that person. In case of digital certificate, the CA or certificate authority endorses the identity of the certificate owner, in simple words, a CA offers notarization server to give reasonable assurance that the owner of the certificate is authentic.

Steps for Digital Certificate Creation:

• Step-1: Key generation is done by either user or registration authority. The public key which is generated is sent to the registration authority and private key is kept secret by user.
• Step-2: In the next step the registration authority registers the user.
• Step-3: Next step is verification which is done by registration authority in which the user’s credentials are being verified by registration authority. It also checks that the user who send the public key have corresponding private key or not.
• Step-4: In this step the details and sent to certificate authority by registration authority who creates the digital certificate and give it to users and also keeps a copy to itself.

Que 2. What is purpose of PKI? Explain role of PKI?

Public Key Infrastructure (PKI) is a system that allows for secure communication over the internet by using public key cryptography. The purpose of PKI is to provide a way for people to securely exchange information, such as sensitive data or confidential documents, without fear of interception or eavesdropping.

PKI accomplishes this by using digital certificates, which are essentially electronic documents that serve as proof of identity for a particular user or entity. These certificates are issued by trusted third-party organizations, called Certificate Authorities (CAs), who verify the identity of the certificate holder and vouch for their authenticity. By using PKI, users can be confident that their communications are secure and that they are communicating with the intended recipient.

The role of Public Key Infrastructure (PKI) in cryptography is to provide a framework for securely transmitting and verifying cryptographic keys. PKI uses public key cryptography to encrypt and decrypt messages, and it relies on a network of trusted entities to manage and validate the digital certificates that are used to identify users and devices. Some of the key roles that PKI plays in cryptography include:

1. Authentication: PKI provides a way to authenticate the identity of users and devices, which helps to prevent unauthorized access and ensure the integrity of communications.
2. Encryption and decryption: PKI allows for secure transmission of messages by using public key cryptography to encrypt messages and decrypt them with the corresponding private key.
3. Integrity and non-repudiation: PKI ensures the integrity of messages by providing a digital signature that verifies that the message has not been tampered with, and it provides non-repudiation by making it difficult for users to deny that they sent a message.
4. Key management: PKI provides a framework for managing and distributing cryptographic keys, which helps to ensure that keys are used securely and that they remain confidential.

Overall, PKI plays a critical role in cryptography by providing a secure and trusted framework for managing cryptographic keys and protecting communications.

Also Check : Unit-3-cryptography

Que 3. Explain PKIX Model.

As we know, the X.509 standard defines the digital-certificate structure, format and fields.

It also specifies the procedure for distributing the public keys.

In order to extend such standards and make them universal, the Internet Engineering Task Force (IETF) formed the Public Key Infrastructure X.509(PKIX) working group.

This extends the basic philosophy of the X.509 standard, and specifies how the digital certificates can be deployed in the world of the Internet.

Services of PKIX :

PKIX identifies the primary goals of a PKI infrastructure in the form of the following broad level services:
Registration -It is the process where an end-entity (subject) makes itself known to a CA. Usually, this is via an RA.

Initialization– This deals with the basic problems, such as the methodology of verifying that the end-entity is talking to the right CA.

Certification-In this step, the CA creates a digital certificate for the end-entity and returns it to the end-entity, maintains a copy for its own records, and also copies it in public directories, if required.

Key-Pair Recovery Keys– used for encryption may be required to be recovered at a later date for decrypting some old documents. Key archival and recovery services can be provided by a CA or by an independent key-recovery system.

Key Generation PKIX specifies that the end-entity should be able to generate private-and public-key pairs, or the CA/RA should be able to do this for the end-entity (and then distribute these keys securely to the end-entity).

Key Update
This allows a smooth transition from one expiring key pair to a fresh one, by the automatic renewal of digital certificates. However, there is a provision for manual digital certificate renewal request and response.

Cross-certification
Helps in establishing trust models, so that end-entities that are certified by different CAs can cross-verify each other.

Revocation PKIX provides support for the checking of the certificate status in two modes: online (using OCSP) or offline (using CRL).

Que 4. Explain Public Key Cryptography Standards (PKCS).

The PKCS model was initially developed by RSA Laboratories with help from representatives of the government, industry, and academia.

The main purpose of PKCS is to standardize Public Key Infrastructure(PKI).

The standardization is in many respects, such as formatting, algorithms and APIs.

This would help organizations develop and implement inter-operable PKI solutions, rather than everyone choosing their own standard.

PKCS standard :

• PKCS#5—Password Based Encryption (PBE) Standard
• PKCS#11—Cryptographic Token Interface Standard
• PKCS#12—Personal Information Exchange Syntax
• PKCS#8—Private Key Information Syntax Standard
• PKCS#10—Certificate Request Syntax Standard
• PKCS#14—Psuedo-Random Number Generation Standard

Important PCKS standard :

PKCS#5—Password Based Encryption (PBE) Standard

• we first encrypt the plain-text message with the symmetric key, and
• then encrypt the symmetric key with a Key Encryption Key (KEK).
• This protects the symmetric key from an unauthorized access

PKCS#11—Cryptographic Token Interface Standard :

• This standard specifies the operations performed using a hardware token, such as a smart card.
• A smart card is similar to a credit card or an ATM card in terms of its look and feel. However, a smart card is smart in the sense that it has its own cryptographic processor and memory on the card itself.
• In simple terms, a smart card is a small microprocessor with its own memory, inside a plastic cover.

PKCS#12—Personal Information Exchange Syntax :

• The PKCS#12 standard was developed to solve the problem of certificate and private-key storage and transfer.
• More specifically, how does one store/transfer one’s certificate and private key securely, without worrying about their tampering? This is especially true in the case of Web-browser users.

PKCS#8—Private Key Information Syntax Standard :

• This standard describes the syntax for storing the private key of a user securely.
• This standard also describes how to store a few other attributes along with the private key.
• The standard also describes the syntax for encrypting private keys, so that they cannot be attacked.
• A Password Based Encryption algorithm (using PKCS #5) could be used to encrypt the private-key information.

PKCS#10—Certificate Request Syntax Standard :

• A certification request consists of three aspects: certification-request information, signature-algorithm identifier, and a digital signature on the certification-request information.
• The certification-request information consists of the entity’s distinguished name, the entity’s public key, and a set of attributes providing other information about the entity
• The entity requesting for the certificate then signs these values together with his/her private key and sends the certificate-request information, the signed request and the signature algorithm used to the CA.
• The CA verifies the signature and other aspects regarding the entity, and if
  they are found alright, issues a certificate.

PKCS#14—Psuedo-Random Number Generation Standard :

• A Random Number Generator (often abbreviated as RNG) is a device that is very specifically designed to generate a series of numbers or symbols that do not exhibit any specific pattern. Programming language may be use to generate random number.

Que 5. Discuss the XML, PKI and Security.

The EXtensible Markup Language (XML) is at the centerstage of the modern world of technology. XML forms the backbone of the upcoming technologies, such as Web services. Almost every aspect of Internet programming is concerned with XML. We request the reader to study XML through another resource, as it is not the purpose of the current text. However, we shall discuss the key elements of XML security and its relation to PKI. The overall technology related to XML and security can be summarized as shown in Fig.

XML Encryption

The most interesting part about XML encryption is that we can encrypt an entire document, or its selected portions. This is very difficult to achieve in the non-XML world. We can encrypt one or all of the following portions of an XML document:

● The entire XML document
● An element and all its sub-elements
● The content portion of an XML document
● A reference to a resource outside of an XML document

The steps involved in XML encryption are quite simple, and are as follows:

1. Select the XML to be encrypted (one of the items listed earlier, i.e. all or part of an XML document).
2. Convert the data to be encrypted in a canonical form (optional).
3. Encrypt the result using public key encryption.
4. Send the encrypted XML document to the intended recipient.

Figure shows a sample XML document, containing the details of a credit card user.

XML Digital Signature

As we can see, a digital signature is calculated over the complete message. It cannot be calculated only for specific portions of a message. The simple reason for this is that the first step in a digital signature creation is the calculation of the message digest over the whole message. Many practical situations demand that users be able to sign only specific portions of a message. For instance, in a purchase request, the purchase manager may want to authorize only the quantity portion, whereas the accounting manager may want to sign only the rate portion. In such cases, XML digital signatures can be used.

They are also useful from the perspective of new technologies such as XML digital signature. This technology treats a message or a document as consisting of many elements, and provides for the signing of one or more such elements. This makes the signature process flexible and more practical in nature.

The steps in performing XML digital signatures are as follows.

1. Create a SignedInfo elementwith SignatureMethod, CanonicalizationMethod and References.
2. Canonicalize the XML document.
3. Calculate the SignatureValue, depending on the algorithms specified in the SignedInfo element.
4. Create the digital signature (i.e. Signature element), which also includes the SignedInfo, KeyInfo, and SignatureValue elements.

A simplistic example of an XML digital signature is shown in Fig. 5.47. We shall also explain the
important aspects of the signature.

PKI

Public Key Infrastructure (PKI) is a system that allows for secure communication over the internet by using public key cryptography. The purpose of PKI is to provide a way for people to securely exchange information, such as sensitive data or confidential documents, without fear of interception or eavesdropping.

PKI accomplishes this by using digital certificates, which are essentially electronic documents that serve as proof of identity for a particular user or entity. These certificates are issued by trusted third-party organizations, called Certificate Authorities (CAs), who verify the identity of the certificate holder and vouch for their authenticity. By using PKI, users can be confident that their communications are secure and that they are communicating with the intended recipient.

The role of Public Key Infrastructure (PKI) in cryptography is to provide a framework for securely transmitting and verifying cryptographic keys. PKI uses public key cryptography to encrypt and decrypt messages, and it relies on a network of trusted entities to manage and validate the digital certificates that are used to identify users and devices. Some of the key roles that PKI plays in cryptography include:

1. Authentication: PKI provides a way to authenticate the identity of users and devices, which helps to prevent unauthorized access and ensure the integrity of communications.
2. Encryption and decryption: PKI allows for secure transmission of messages by using public key cryptography to encrypt messages and decrypt them with the corresponding private key.
3. Integrity and non-repudiation: PKI ensures the integrity of messages by providing a digital signature that verifies that the message has not been tampered with, and it provides non-repudiation by making it difficult for users to deny that they sent a message.
4. Key management: PKI provides a framework for managing and distributing cryptographic keys, which helps to ensure that keys are used securely and that they remain confidential.

Overall, PKI plays a critical role in cryptography by providing a secure and trusted framework for managing cryptographic keys and protecting communications.

Security:

Security is a critical aspect of cryptography as it ensures that digital communication is protected from unauthorized access, interception, modification, or deletion. Cryptography provides several security measures to safeguard digital communication, including:

1. Confidentiality: Cryptography ensures that data is kept confidential by encrypting it so that only authorized users can access it.
2. Integrity: Cryptography provides data integrity by using hashing algorithms to ensure that the data has not been modified during transmission.
3. Authentication: Cryptography provides authentication by using digital signatures to verify the identity of the sender and receiver of data.
4. Non-repudiation: Cryptography provides non-repudiation by using digital signatures to ensure that a sender cannot deny having sent a message.
5. Key Management: Cryptography provides secure key management to ensure that encryption keys are kept secure and are only accessible by authorized users.

Cryptography plays a critical role in ensuring the security of digital communication. It provides several security measures, including confidentiality, integrity, authentication, non-repudiation, and secure key management. By using these measures, digital communication can be protected from unauthorized access, interception, modification, or deletion.

Que 6: Explain Private Key Management.

Private key management is a critical aspect of cryptography, as it ensures the security and confidentiality of digital communications. It involves the secure generation, storage, backup, transfer, and revocation of private keys used for encryption and decryption.

Here are the key components of private key management:

1. Generation: The first step in private key management is to generate a private key. This is done using a cryptographic algorithm that generates a random sequence of numbers, which forms the private key. It is important to use a secure algorithm to generate the key, and to ensure that the key is long enough to be secure.
2. Storage: Once the private key is generated, it must be stored securely to prevent unauthorized access. There are several options for storing private keys, including on a hardware security module (HSM), a smart card, or in a secure file on a computer. The storage location should be chosen based on the level of security required and the ease of access needed.
3. Backup: It is essential to backup the private key in case it is lost or damaged. The backup should be stored securely in a separate location from the original key. The backup key should be encrypted using a different key and should be kept in a secure location.
4. Transfer: If the private key needs to be transferred to another user or entity, it should be done securely using encryption and authentication protocols. The transfer should be done over a secure communication channel, and the recipient should be authenticated to ensure that they are authorized to receive the key.
5. Revocation: If the private key is lost or compromised, it must be revoked to prevent unauthorized access. This is typically done by updating a certificate revocation list (CRL) or using an online certificate status protocol (OCSP).

Private key management is essential for ensuring the security and confidentiality of digital communications. It involves generating, storing, backing up, transferring, and revoking private keys in a secure manner to prevent unauthorized access and maintain data confidentiality.