Keywords
Encryption - process of turning plain text into cipher text
Plaintext - the original data to be transmitted as a message
Cipher text - the encrypted data to be transmitted as a message
Digital certificate - electronic documents used to prove ownership of a public key, issued by CA. Digital
signature - electronic way to validate authenticity of digital document, also use to proof that document
is sent by known user
Public key – encryption/decryption key known to all users. Only can be decrypted by owner of private
key thereby confirming originator of msg
Private key – encryption/decryption key which is known only to a single user/computer. Decrypt msg that
was encrypted with its matching public key, thereby ensuring only user can read msg, encrypt msg to
confirm originator of msg, has matching public key
Symmetric encryption - encryption in which the same secret key is used to encrypt and decryptmessages.
Asymmetric encryption – that uses public keys (known to everyone) and private keys (secret keys).
Process of organisation obtaining its digital certificate (DC)
- organisation applied to CA
- With some proof of identity
- E.g name of organisation/ address of organisation
- Their identity checked by organisation registration authority
- So that a digital certificates will only be issued to a trusted organisation
- CA creates a digital document containing all necessary data items and signs it with its private key
- CA send DC to the organisation
Digital certificate includes:
- hashing algorithm (produce message digest)
- Public key (encrypt/ decrypt data)
- Serial number
- Valid date
- CA digital signature
- Issuer name
How digital signature(DS) is produced
- The msg is hashed with the agreed hash algorithm to produce a message digest
- Msg digest is encrypted with sender’s private key so the DS can be decrypted with sender’s public key.
Purpose of DS/asymmetric key cryptography
- Authenticity : ensure msg come from trusted source
- Confidentiality: Ensure only intended receiver can understand the msg
- Integrity : Ensure msg has not been altered during transmission
- Non-repudiation : neither sender nor receiver should be able to deny involvement in the transmission.
How the keys can be used to send a verified message to the public
- Msg is encrypted with receiver’s public key
- DS and encrypted msg are sent to receiver
- Receiver decrypt msg with its private key
- Receiver use sender’s public key to decrypt encrypted msg digest
- Receiver use the same hash algorithm on the msg to produce digest
- If both the digest are same, message is verified
Symmetric encryption drawback
- Key distribution problem
- key has to be exchange securely
- Once compromised, key can be used to encrypt and decrypt message
- Cannot ensure no-repudiation (proof of identity & origin of data)
Similarities (public & private key)
- used in asymmetric encryption
- As a pair of keys is required
- One used to encrypt data
- The other used to decrypt data
Differences (public & private key)
- private key only known for owner of key pairs
- Public key can be distributed to anyone
- When msg is sent to owner of public key, they are encrypted with owner of public key, so that they can
only be decrypted with owner’s private key - Msg digest is encrypted with sender’s private key to form digital signature, msg are encrypted with
receiver’s public key
Similarities (DS & DC)
- used for authentication
- Unique to user
- Use hashing algorithm
- Use owner’s public key
Differences (DS & DC)
- DC obtained from CA, DS obtained from msg
- DC provides authentication of owner, DS authenticates msg came from trusted source - DC
remains while it is valid, DS is created for every msg
How receiver can be sure intended sender sent its public key
- sender send DC
- DC contains sender’s public key
- Successful decryption of DC with CA’s public key
- Provides legitimacy
How CA produce DS
- CA use hash algorithm
- Produce digest from DC
- Encrypted with CA private key
Why DC includes DS
- DC content not altered
- Authenticate DC came from CA
Encryption protocol
- TLS
- SSL
- HTTPS
How SSL (secure socket layer) work
- client ask server identify itself
- Server send client a copy of its DC
- Client checks DS
- Against a list of trusted CA
- If client trust the DS
- Symmetric session key is created
- using the public key in DC
- The key is encrypted using server’s public key and sent to server
- Server decrypt the symmetric session key
- Using its private key
- Client and server can now encrypt all transmitted data with the session key
- Client (and server) send back digitally signed acknowledgement to start an encrypted session.
Purpose of TLS (transport layer security)
- Protect information by using encryption
- Enable 2 parties to identify and authenticate each other
- provide secure communication
- Additional layer of security
- Maintain data integrity
- TLS provides improved security over SSL
- 2 layers : record & handshake
Quantum cryptography
- cryptography based on the laws of quantum mechanics
- protect the security of data being transmitted over fibre optic cables.
Quantum cryptography benefits
- any eavesdropping can be detected (as state will change)
- Integrity of the key once transferred is guaranteed
- More secure keys can be exchanged
Quantum cryptography drawbacks
- limited range
- Require dedicated fibre optic line and specialised hardware
- Cost of dedicated fibre optic line and specialised hardware
- Polarisation of light may alter while travelling down the fibre optic line.
The way TLS provides communication security over a computer network
- Protocol with 2 layers
- Record protocol and handshake protocol
- DC is used for authentication
- Server send DC to client
- Client verify server’s DC
- Client send server its DC (if needed)
- Handshake uses asymmetric cryptography
- Client sends an encrypted msg to server
- Server decrypt using its private key
- To generate agreed parameters
- Establish a shared session key
- The shared session key provides symmetric cryptography for
- Sending and receiving of data (record layer)
- Client sends back a digitally signed acknowledgement to start an encryption
- Server sends back a digitally signed acknowledgement to start an encryption
Agree the security parameters to be used is part of handshake process.
Parameters are:
- encryption method: symmetric, asymmetric
- Authentication method: use DS/DC
- Compression method to be used
- Session type: reusable or not
- Session ID: uniquely identified series of msg between servers and clients
