Intro to PKI and authentication (PowerPoint) by dffhrtcv3


HIMA 4160
Fall 2009
   Privacy, Confidentiality and Security
   Cryptography
   Public Key Infrastructure
   PKI application

[Diagram: Security, Confidentiality; Authentication, Authorization, Access Control, Audit]
   Privacy Rules
    ◦ Rules for protecting patients' privacy

   Security Rules
    ◦ Measures to enforce the security of patients' information
    ◦ Only for electronic health information
Source: HIPAA Academy
Cryptology: the science concerned with data
communication and storage in secure and
usually secret form. It encompasses both
cryptography and cryptanalysis

Cryptography: the science of transforming
information into a form that is impossible or
infeasible to duplicate or undo without
knowledge of a secret key

Cryptanalysis: the science (and art) of
recovering or forging cryptographically
secured information without knowledge of the


Plain Text     using     Ciphertext
   IBM          1          HAL
   Keys are just mathematically large numbers

   Symmetric -- use the same key for both
    encryption and decryption
Algorithm – computing methods to combine keys
and plain text to make it indecipherable for
people without the key

   Substitution
   Transposition

The adventure of the dancing men

On a computer…
    Example using the Data Encryption
     Standard (DES)
     $> des -e "Mary had a little lamb" output.des
     Enter key: oucskey
     Enter key again: oucskey

The result:
     $> cat output.des
     !¢ðuýåćßÞf 謶‫׀ ע‬жТφẸỆ≈∞▪‫ﲑ‬
   Example using the Data Encryption Standard
    (DES) continued…
    To decrypt:

     $> des -d output.des text.des
     Enter key: oucskey
     Enter key again: oucskey
     $> cat text.des
     Mary had a little lamb
   Example using the Data Encryption Standard
    (DES) continued…

    Trying to decrypt with the wrong key:

     $> des -d output.des text.des
     Enter key: oucsquay
     Enter key again: oucsquay

     Corrupted file or wrong key
     $> cat text.des
     uýåćß#¬`謶‫ ׀‬φẸỆ‫ע‬жТ ‫ע‬жТ
                 Attacking a cipher
   How safe are encryption algorithms
   Example using (DES) continued…

What about a ‘brute force’ attack?
i.e. ‘guessing’ at the key “oucskey”
The DES algorithm has a 56-bit key. Therefore, there are
2^56 = 72,057,594,037,900,000 different keys
834 days at a billion keys per second
But for a typed key, effectively 83 days
                Attacking a cipher
   How safe are encryption algorithms anyway?
    ◦ Established algorithms should remain sound
    ◦ Safety is dependent on key length, the longer, the
                  Some issues
   So you have to have the same key as your
    correspondent – is that a problem?
    ◦ How do you send the key safely?
    ◦ Do I try to exchange keys before I communicate?

   How many keys will I need to communicate with
    ◦ You need a key for everyone!
   Whitfield Diffie and Martin Hellman (1975)
   Ellis and Cocks (1973)
   A key pair is constructed using some
    complicated maths (the keys are not the
   Each party has two keys (public and
   Anything encrypted with key1 can only be
    decrypted with key2

[Diagram: Key 1 and encryption algorithm; Key 2 and encryption algorithm]

If Key 1 = private, Key2 must be corresponding public
If Key 1 = public, Key2 must be corresponding private
   Keys exist in pairs
    ◦ Keep one private (very secret) and 'publish' one
    ◦ Public keys can exist on certificates
   Encryption can be done by either key
    ◦ If it is your key pair, you can use the private key
    ◦ Anyone else can use the public key to encrypt something

                          Public key


                          Private key

   Extremely secret!
   If you send something encrypted by a private
    key, it can be read by everyone, but they know
    it came from you.
    ◦ Authentication
   Not at all secret!
    ◦ Widely available, but must be trusted
    ◦ May be supplied as part of a certificate
   If you send something using a public key, it
    can only be read by the entity to which it is
    ◦ Secure communications
        e.g. SSL
   Someone can use a public key to prove their
    identity to me
    ◦ but only if I trust that public key
   So if someone I trusted endorsed (signed) that
    public key
    ◦ hold that thought for a moment - we’ll come back to
   Asymmetric keys can be used to sign things
    ◦ encrypt a bit of text with your private key (can be
      attached 'securely' to the 'document')
    ◦ people can decrypt it with the public key and
      know that it was signed by you

   What?…
   You need to know something about
     Message digests or one-way hash functions distil
     the information contained in a file (very small or
     very large) into a single large number (usually
     between 128 and 256 bits in length)
   So, you can actually add the hash value to
    the file somehow and then sign (or
    encrypt) that hash value with your
    private key.

   Put that public key on a certificate

   Get someone you trust to sign the certificate
    ◦ If the certificate is tampered with, the signature is

   Organizations who sign public keys/certificates
    are called Certification Authorities (CA)
   You create a key pair
   Put one key of the pair on a certificate (which
   Send the certificate (request) to the CA
   Present yourself or identify yourself to the
    Registration Authority (RA)
   The RA tells the CA that you are OK
   The CA sends you the signed certificate
   Now that you have a signed certificate, people and
    services can trust that you are who you say you are

   Present your certificate to a service

   Tell them something encrypted by your private

   They like your certificate and know it is you
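
The steps above (hash the document, sign the hash with the private key, have a CA sign the certificate, then prove possession of the private key to a service), as an added Python example that is not part of the original slides. It assumes textbook RSA without padding and small constructed keys built from known Mersenne primes, for illustration only; the function names and the "alice" and "bob" subjects are hypothetical.

```python
import hashlib
E = 65537  # public exponent

def make_keypair(p, q):
    """Toy RSA: return (public, private) keys as (exponent, modulus) pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def digest(data, n):
    """One-way hash: distil any input into one number (reduced to fit the toy n)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    d, n = private
    return pow(digest(data, n), d, n)  # transform the hash with the private key

def verify(data, signature, public):
    e, n = public
    return pow(signature, e, n) == digest(data, n)  # undo with the public key

# Constructed keys from known Mersenne primes: illustration only, not secure.
CA_PUB, CA_PRIV = make_keypair(2**127 - 1, 2**107 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**61 - 1)

def cert_body(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_certificate(subject, pub, ca_priv):
    """CA step: bind a name to a public key by signing both."""
    return {"subject": subject, "public_key": pub,
            "ca_sig": sign(cert_body(subject, pub), ca_priv)}

def service_accepts(cert, challenge, response, trusted_ca_pub):
    """Service step: check the CA signature, then the holder's signed challenge."""
    body = cert_body(cert["subject"], cert["public_key"])
    if not verify(body, cert["ca_sig"], trusted_ca_pub):
        return False  # certificate altered, or signed by a CA we do not trust
    return verify(challenge, response, cert["public_key"])

def demo():
    cert = issue_certificate("alice", ALICE_PUB, CA_PRIV)
    challenge = b"constructed-challenge-1234"  # sample value chosen by the service
    good = service_accepts(cert, challenge, sign(challenge, ALICE_PRIV), CA_PUB)
    altered = dict(cert, subject="bob")  # certificate edited after signing
    bad_cert = service_accepts(altered, challenge, sign(challenge, ALICE_PRIV), CA_PUB)
    bad_key = service_accepts(cert, challenge, sign(challenge, CA_PRIV), CA_PUB)
    return good, bad_cert, bad_key

print(demo())  # (True, False, False)
```
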
   You keep your private key very secret
    ◦ Obey the rules for this!
   Your public key is on the certificate

   Services must trust the CA

   Your certificate will have an expiry date
    ◦ after which you may have to re-visit the RA
   Your certificate can be revoked at any time
   Asymmetric encryption = public/private keys
   Symmetric encryption is faster
    ◦ but how do you deliver the keys?
   Asymmetric encryption is used widely in internet
    ◦ Secure Sockets Layer, very common
   Also used in client authentication
    (less common, at the moment)
Use PGP to Send Encrypted
