Notes - MCS
Applied Cryptography
Notes - MCS
Applied Cryptography
  • Applied Cryptography
  • Classical (Symmetric) Cryptography
    • Terminology
    • The Players
    • Use Cases
    • Information-Theoretic Security
    • Computational Security
    • Cryptanalysis
    • Practical Approaches
    • Cryptographic Robustness
    • Ciphers
      • Mono-Alphabetic
      • Polylphabetic
    • Rotor Machines
    • Stream Ciphers
  • Modern Symmetric Cryptography
    • Types
    • Symmetric Ciphers
    • Symmetric Block Ciphers
    • Feistel Networks
    • DES (Data Encryption Standard)
    • AES (Advanced Encryption Standard)
    • Stream Ciphers
    • Uniform Random Access
    • Linear Feedback Shift Register (LFSR)
  • Cipher Modes
    • Deployment of (Symmetric) Block Ciphers
    • Stream Cipher Modes
    • Security Reinforcement
  • Cryptographic Hashing
    • Digest functions
    • Rainbow Tables
    • Message Authentication Codes (MAC)
    • Authenticated Encryption
    • Encryption + Authentication
  • RSA & Related Subjects
    • Modular Arithmetic
    • Fast Modular Multiplication
    • The Extended Euclid's Algorithm
    • Linear Maps
    • Fermat's Little Theorem
    • Chinese Remainder Theorem
    • Fermat's Little Theorem
    • Modular Exponentiation
    • Multiplicative Order
    • The Discrete Logarithm Problem
    • Primality tests
    • The Diffie-Hellman Key Exchange Protocol
    • ElGamal Public Key Cryptosystem
    • The Rivest-Shamir-Adleman Cryptosystem
    • Finite Fields
    • Elliptic Curves
    • Diffie-Hellman using elliptic curves
    • Can we do RSA-like things with elliptic curves?
    • The discrete logarithm problem for elliptic curves
    • Secret sharing
    • Quadratic Residues
    • Zero-Knowledge proofs
      • One of two oblivious transfer
      • Coin flipping
      • Zero-knowledge proofs of identity
    • Homomorphic encryption
  • Asymmetric Key Management
    • Design Principles
    • Exploitation of private keys
    • Distribution of public keys
    • Public key (digital) certificates
    • Key pair usage
    • Certification Authorities (CA)
    • Certification Hierarchies
    • Refreshing of asymmetric key pairs
    • Certificate revocation lists (CRL)
    • Validity of signatures
    • Distribution of public key certificates
    • Time Stamping Authority (TSA)
    • PKI (Public Key Infrastructure)
  • Digital Signatures
    • Fundamental Approach
    • Signature Schemes
    • Key Elements
    • The document to sign
    • The signature date
    • The identity of the signatory
    • Optional elements of a digital signature
    • Algorithms
    • RSA signatures
    • ASN.1 digest algorithm prefixes
    • Digital Signature Standard (DSS)
    • Blind Signatures
    • Chaum Blind Signatures
    • Qualified electronic signature
      • Signature devices
    • PKCS #11
    • Microsoft Cryptographic API (CAPI)
    • Long-Term Validation (LTV)
    • LTV Advanced Electronic Signatures (AdES)
Powered by GitBook
On this page
  • PKI Entities
  • Registration Authority (RA)
  • Validation Authority (VA)
  • Example: Cartão de Cidadão policies
  • Trust relationships
  • Hierarchical and crossed certifications
  • Cross- Cross-certification of PKIs
  1. Asymmetric Key Management

PKI (Public Key Infrastructure)

Infrastructure for enabling the use of key pairs and certificates.

  • Creation of asymmetric key pairs for each enrolled entity.

    • Enrolment policies.

    • Key pair generation policies

  • Creation and distribution of public key certificates.

    • Enrolment policies.

    • Definition of certificate attributes.

  • Definition and use of certification chains (or paths).

    • Insertion in a certification hierarchy.

    • Certification of other CAs.

  • Update, publication, and consultation of CRLs.

    • Policies for revoking certificates.

    • Online CRL distribution services.

    • Online OCSP services.

  • Use of data structures and protocols enabling inter-operation among components/services/people.

PKI Entities

Registration Authority (RA)

The actual interface with certificate owners.

  • Identification and authentication of certificate applicants.

  • Approval or rejection of certificate applications.

  • Initiating certificate revocations or suspensions under certain circumstances.

  • Processing subscriber requests to revoke or suspend their certificates.

  • Approving or rejecting requests by subscribers to renew or re-key their certificates.

Validation Authority (VA)

A service that helps to validate certificates.

  • OCSP service.

Example: Cartão de Cidadão policies

Enrollment.

  • In loco, personal enrolment.

Multiple key pairs per person.

  • One for authentication.

  • One for signing data.

  • Generated in the smartcard, not exportable.

  • Require a PIN in each operation.

Certificate usage (authorized).

  • Authentication.

    • SSL Client Certificate, Email (Netscape cert. type).

    • Signing, Key Agreement (key usage).

  • Signature.

    • Email (Netscape cert. type).

    • Non-repudiation (key usage).

Certification path.

  • PT root CA below the global root (before 2020).

  • PT root CA (after 2020).

  • CC root CA below PT root CA.

  • CC Authentication CA and CC signature CA below CC root CA.

CRLs.

  • The signature certificate was revoked by default.

    • Removed if the owner explicitly requires the usage of signatures.

  • Certificates are revoked upon an owner's request.

    • Requires a revocation PIN.

  • CRL distribution points are explicitly mentioned in each certificate.

Trust relationships

A PKI defines trust relationships in two different ways.

  • By issuing certificates for the public keys of other CAs.

    • Hierarchically below; or

    • Not hierarchically related.

  • By requiring the certification of its public key by another CA.

    • Above in the hierarchy; or

    • Not hierarchically related.

Usual trust relationships.

  • Hierarchical.

  • Crossed (A certifies B and vice-versa).

  • Ad-hoc (mesh).

    • More or less complex certification graphs.

Hierarchical and crossed certifications

Cross- Cross-certification of PKIs

Last updated 1 year ago