Security Engineering. Ross Anderson

Читать онлайн книгу.

Security Engineering - Ross  Anderson


Скачать книгу
and also have shorter variables; both are welcome in constrained environments. Elliptic curve cryptography is used in applications from the latest versions of EMV payment cards to Bitcoin.

      5.7.4 Certification authorities

      Now that we can do public-key encryption and digital signature, we need some mechanism to bind users to keys. The approach proposed by Diffie and Hellman when they invented digital signatures was to have a directory of the public keys of a system's authorised users, like a phone book. A more common solution, due to Loren Kohnfelder, is for a certification authority (CA) to sign the users’ public encryption keys or their signature verification keys giving certificates that contain a user's name, one or more of their public keys, and attributes such as authorisations. The CA might be run by the local system administrator; but it is most commonly a third party service such as Verisign whose business is to sign public keys after doing some due diligence about whether they are controlled by the principals named in them.

      A certificate might be described symbolically as

      (5.1)upper C Subscript upper A Baseline equals upper S i g Subscript upper K Sub Subscript upper S Baseline left-parenthesis upper T Subscript upper S Baseline comma upper L comma upper A comma upper K Subscript upper A Baseline comma upper V Subscript upper A Baseline right-parenthesis

      where upper T Subscript upper S is the certificate's starting date and time, upper L is the length of time for which it is valid, A is the user's name, upper K Subscript upper A is her public encryption key, and upper V Subscript upper A is her public signature verification key. In this way, only the administrator's public signature verification key needs to be communicated to all principals in a trustworthy manner.

      Certification is hard, for a whole lot of reasons. Naming is hard, for starters; we discuss this in Chapter 7 on Distributed Systems. But often names aren't really what the protocol has to establish, as in the real world it's often about authorisation rather than authentication. Government systems are often about establishing not just a user's name or role but their security clearance level. In banking systems, it's about your balance, your available credit and your authority to spend it. In commercial systems, it's often about linking remote users to role-based access control. In user-facing systems, there is a tendency to dump on the customer as many of the compliance costs as possible [524]. There are many other things that can go wrong with certification at the level of systems engineering. At the level of politics, there are hundreds of certification authorities in a typical browser, they are all more or less equally trusted, and many nation states can coerce at least one of them10. The revocation of bad certificates is usually flaky, if it works at all. There will be much more on these topics later. With these warnings, it's time to look at the most commonly used public key protocol, TLS.

      I remarked above that a server could publish a public key upper K upper S and any web browser could then send a message upper M containing a credit card number to it encrypted using upper K upper S: StartSet upper M EndSet Subscript upper K upper S. This is in essence what the TLS protocol (then known as SSL) was designed to do, at the start of e-commerce. It was developed by Paul Kocher and Taher ElGamal in 1995 to support encryption and authentication in both directions, so that both http requests and responses can be protected against both eavesdropping and manipulation. It's the protocol that's activated when you see the padlock on your browser toolbar.

      Here is a simplified description of the basic version of the protocol in TLS v1:

      1 the client sends the server a client hello message that contains its name , a transaction serial number , and a random nonce ;

      2 the server replies with a server hello message that contains its name , a transaction serial number , a random nonce , and a certificate containing its public key . The client now checks the certificate , and if need be checks the key that signed it in another certificate, and so on back to a root certificate issued by a company such as Verisign and stored in the browser;

      3 the client sends a key exchange message containing a pre-master-secret key, , encrypted under the server public key . It also sends a finished message with a message authentication code (MAC) computed on all the messages to date. The key for this MAC is the master-secret, . This key is computed by hashing the pre-master-secret key with the nonces sent by the client and server: . From this point onward, all the traffic is encrypted; we'll write this as in the client-server direction and from the server to the client. These keys are generated in turn by hashing the nonces with .

      4 The server also sends a finished message with a MAC computed on all the messages to date. It then finally starts sending the data.

upper C right-arrow upper S colon upper C comma upper C number-sign comma upper N Subscript upper C Baseline
upper S right-arrow upper C colon upper S comma upper S number-sign comma upper N Subscript upper S Baseline comma upper C upper S
upper C right-arrow upper S colon left-brace upper K 0 right-brace Subscript upper K upper S
upper C right-arrow upper S colon
Скачать книгу