Dnssec tutorial-crypto-defs
0 likes341 views
This document provides an overview of key concepts in DNSSEC including public/private keys, message digests or hashes, and digital signatures. It explains that public/private key pairs are used, where the private key is kept secret and the public key can be freely distributed. It also describes how one-way hashing functions work to generate fixed-length hashes from variable-length data, and how digital signatures are created by encrypting a message hash with a private key. These three concepts of public/private keys, hashes, and digital signatures form the basis of cryptographic techniques used in DNSSEC.
Dnssec tutorial-crypto-defs
- 1. DNSSEC Tutorial Public / Private Keys
- 2. DNSSec and Cryptography Three Key Concepts l Public / Private keys l Message digests, checksums, hashes l Digital signatures Are at the core of DNSSEC. If these do not make sense, then DNSSEC will not make sense.
- 3. Ciphertext l We start with plaintext. Something you can read. l We apply a mathematical algorithm to the plaintext. l The algorithm is the cipher. l The plaintext is turned in to ciphertext. l Creating a secure cipher is a difficult process. l The standardization process for AES, the replacement for the aging DES protocol, took 5 years
- 4. Keys l In symmetric cryptography, a plaintext is transformed into a ciphertext, and back into plaintext using a key to the cipher (the algorithm used) on both ends. l Assuming that the cipher method is known, the security of the ciphertext rests with the key. This is a critical point. If someone obtains your key, your plaintext is compromised.
- 5. Symmetric Cipher The quick brown fox jumped over the... Single Key/Symmetric Ciphers The quick brown fox jumped over the... clear text clear text ciphertext K K The same key is used to encrypt the document before sending and to decrypt it once it is received 7&T% $#@! PoViuz-)~ sddaX23 Dqpir
- 6. The Big Question... + Issue: how do you securely distribute the key to the intended receiving party or parties ?
- 7. Public / Private Keys l We generate a cipher key pair. One key is the private key, the other is the public key. l The private key remains secret and should be protected. l The public key is freely distributable. It is related mathematically to the private key, but you cannot (easily) derive the private key from the public key. l Use the public key to encrypt data. Only someone with the private key can decrypt the encrypted data.
- 8. Example Public / Private Key Pair The quick brown fox jumped over the... clear textk1 (public key) k2 (private key) One key is used to encrypt the document, a different key is used to decrypt it. This is an important aspect! The quick brown fox jumped over the... 7&T% $#@! PoViuz-)~ sddaX23 Dqpir clear text clear text ciphertext
- 9. Issues l For larger data transmissions than used in DNSSEC we use hybrid systems. l Symmetric ciphers (single key) are much more efficient than public key algorithms for data transmission! l Attack on the public key is possible via chosen-plaintext attacks. Thus, the public/private key pair need to be large (2048 bits). l For instance, SSH uses public/private cryptography to setup the initial session, and exchange the dynamically calculated symmetric session-key.
- 10. One-Way Hashing Functions l A mathematical function that generates a fixed length result regardless of the amount of data you pass through it. Generally very fast. l You cannot generate the original data from the fixed- length result, thus the term “one-way”. l Hopefully you cannot find two sets of data that produce the same fixed-length result. If you do, this is called a collision. (Example, md5). l The fixed length result is known as a Message Digest or a checksum or a hash.
- 11. One-Way Hashing Functions cont. l The fixed-length result of a hashing function is referred to as a checksum, message digest or hash. l Some popular hashing functions include: è md5: Outputs 128 bit result. Fast. Collisions found. http://www.mscs.dal.ca/~selinger/md5collision/ è sha-1: Outputs 160 bits. Slower. Collisions in 263. è sha-2: Outputs 224-512 bits. Slower. Collisions expected (280 attack). è sha-3: TBA: Currently in development via a new NIST Hash Function Competition: http://csrc.nist.gov/groups/ST/hash/sha-3/
- 12. Hashing another example Note the significant change in the hash sum for minor changes in the input. Note that the hash sum is the same length for varying input sizes. This is extremely useful. *Image courtesy Wikipedia.org.
- 13. What use is this? There are several: l Passwords encryption (in Linux, Unix and Windows), using multiple rounds of hashing (MD5 or other) l You can run many megabytes of data through a hashing function, but only have to check a fixed number of bits of information (160-512 bits). This is used to create a digital signature.
- 14. Digital Signatures Reverse the role of public and private keys. To create a digital signature on a document do: è Hash a document, producing a message digest 1. Encrypt the message digest with your private key. è Send the document plus the encrypted message digest. è On the other end hash the document and decrypt the encrypted message digest with the person's public key. 1. If the results match, the document is authenticated. This process creates a digital signature.
- 15. When Authenticating: Take a hash of the document and encrypt only that. An encrypted hash is called a "digital signature" The quick brown fox jumped over the... The quick brown fox jumped over the... k2 k1 digital signature COMPARE hash hash (public)(private)
- 16. Conclusion l Public / Private keys l Message digests, checksums, hashes l Digital signatures Are at the core of DNSSEC.