13.3 Encryption, Digital Signatures and Certificates

Encryption is a basic technology for enabling secure messaging (O’Neill 2003, Galbraith et al. 2002, Garfinkel 2002). Encryption (or ciphering) means that by use of mathematical functions plain text is transformed into cipher text. Decryption (or deciphering) describes the reverse process, i.e., the transformation of the cipher text back into the original plain text. Most cryptographic algorithms rely on keys as the secret items for ciphering and deciphering. Without knowledge of the respective keys, it is computationally infeasible to decrypt messages, even though the algorithms themselves are publicly available (the security must rest on the key, not on the secrecy of the algorithm). Cryptanalysis describes the efforts and employed technologies to break an encryption, e.g., finding ways to recover the key from some cipher text and some corresponding plain text (a known-plaintext attack). An algorithm is said to be strong if a brute force search, i.e., trying every possible key, is the only known attack. We distinguish between symmetric and asymmetric encryption algorithms.

13.3.1 Symmetric Cryptography

Using symmetric encryption, the receiver of a message uses the same key to compute the plain text from the cipher text as the sender used to encrypt it. In our example scenario, Alice encrypts a message with the key S that is known only to the bookstore and her, as shown in Figure 13-3. To decrypt the cipher text, book.store.com uses the same key S. Therefore, S is also called the shared secret. Prominent representatives of symmetric encryption algorithms are DES and AES (NIST 1993, NIST 2001, Tanenbaum 2002, Peterson and Davie 2003).

Figure 13-3 Symmetric encryption. (Alice's plain text "Bookorder: Web Engineering" is encrypted with S into cipher text; book.store.com decrypts it with the same key S.)

DES (Data Encryption Standard), which was the U.S. government’s former recommendation for symmetric encryption, uses keys of 64 bit length. Every eighth bit is a parity check bit used for error detection, so the net key length is 56 bits. DES enciphers one 64 bit data block at a time. Larger data is split into blocks of this length. Encrypting each block independently, as described here, is known as electronic codebook (ECB) mode; because identical plain text blocks then yield identical cipher text blocks, practical systems chain the blocks together using a mode such as CBC instead.

Figure 13-4 illustrates the encryption process for a 64 bit data block. Cipher data is computed in three phases. First, the 64 input bits are permuted. The permuted block is then the input to a key-dependent computation which consists of 16 rounds. Finally, the output of the second phase is permuted; this final permutation is the inverse of the initial permutation. The two permutations merely rearrange bits and contribute nothing to security; the strength of the cipher is determined solely by the key-dependent rounds. Deciphering proceeds analogously, with the round keys applied in reverse order.

Figure 13-4 Illustration of DES encryption. (A 64 bit block passes through the initial permutation, rounds 1 to 16 of the key-dependent computation, and the final permutation to yield the cipher text.)

As 56 bits determine a DES key, at most 2^56 keys have to be examined in a brute force attack. Nowadays, DES is no longer regarded as providing sufficient security because of the restricted key length and the performance of today’s computers; dedicated hardware has recovered DES keys by exhaustive search since 1998. Triple-DES (3DES) is an enhancement of DES that relies on three keys. With 3DES, three phases take place in a row: the plain text is encrypted with the first key, the result is decrypted with the second key, and that output is encrypted again with the third key (encrypt-decrypt-encrypt, EDE). Using three independent keys, the nominal key length becomes 168 bits; because of a meet-in-the-middle attack the effective security is only about 112 bits. 3DES can also be employed with two keys, in which case the first and the third phases use the same key. 3DES has since been deprecated as well and should not be chosen for new systems.

AES (Advanced Encryption Standard) is based on the Rijndael algorithm. AES has a fixed block length of 128 bits and supports key lengths of 128, 192 or 256 bits (Rijndael itself also allows block lengths of 192 and 256 bits). Symmetric encryption algorithms like DES and AES provide good performance and can efficiently be realized both in hardware and software.

When using symmetric encryption, the employed keys, i.e., the shared secrets, have to be exchanged between the communicating parties during an initial stage. One possibility is to use a separate communication channel, like a telephone call. Obviously, this is not practical for e-commerce and especially not for Web services, which do not rely on human interaction. Asymmetric encryption helps to solve this key exchange problem.

13.3.2 Asymmetric Cryptography

As the term asymmetric suggests, sender and receiver employ different keys for ciphering and deciphering. Each participant has a pair of keys consisting of one private key D and one public key E. While the private key is never revealed, the public key is potentially available to everyone. Let (E, D) be the public/private key pair of book.store.com, as in the example in Figure 13-5. If Alice wants to send a message m to the bookstore, she uses E for encryption. The resulting cipher text E(m) can only be decrypted using book.store.com’s private key D, i.e., D(E(m)) = m.

Figure 13-5 Asymmetric encryption. (The plain text m, "Bookorder: Web Engineering", is encrypted with the bookstore's public key into E(m) and decrypted with its private key: D(E(m)) = m.)

One of the most widespread asymmetric encryption algorithms is RSA, named after its inventors Rivest, Shamir and Adleman (1978). The RSA algorithm is based upon modular exponentiation, i.e., exponentiation combined with the modulo operation (the remainder of integer division). Its strength relies upon the difficulty of factoring large numbers. To calculate a public/private key pair, first two large prime numbers, p and q, are generated randomly and kept secret. The RSA modulus n = p · q is part of the public as well as the private key. At the time of writing, n was typically a 1024 bit number, with 512 and 2048 bits as other common lengths; today moduli of 1024 bits and below are considered insecure, and 2048 bits is the accepted minimum. Two more numbers, e and d, are necessary for encryption and decryption; e is part of the public key while d is part of the private key. e is chosen coprime to (p − 1)(q − 1), and d is computed as its modular inverse, so that

(e · d) modulo ((p − 1)(q − 1)) = 1

holds. An RSA public key is a tuple E = (n, e). The associated private key consists of D = (n, d). The best known general attack on RSA is to recover p and q by factoring n, which immediately yields d; this is why n must be large. (Weak parameter choices or a poorly designed padding scheme can be attacked without factoring, so RSA must always be used as part of a well-specified scheme.)

When a message m is encrypted using the public key, the message – typically a text – must be represented as number blocks, each smaller than n, as illustrated in Figure 13-6. Then, the cipher text c is computed through the operation E, defined as

c = E(m) = m^e modulo n

Knowing the private key, m is restored from c according to

m = D(c) = c^d modulo n

Figure 13-6 Securing a message using RSA with p = 47, q = 59, e = 17, and d = 157. (The plain text is encoded with blank→00, A→01, B→02, …, Z→26 and split into four-digit blocks. Encryption using E: 2105^17 modulo 2773 = 747, … The encrypted message 0747 1699 1643 0591 2641 1787 2503 0761 is sent. Decryption using D: 747^157 modulo 2773 = 2105, … Decoding the blocks with 00→blank, 01→A, 02→B, …, 26→Z yields the plain text again.)

Figure 13-6 shows an example with p = 47 and q = 59. Thus, n = 2773 and (p − 1)(q − 1) = 46 · 58 = 2668. Choosing e = 17 and d = 157, the condition (17 · 157) modulo 2668 = 1 holds, since 17 · 157 = 2669 = 2668 + 1.
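The computation of Figure 13-6 carried through in Python, as an added example (this code is not from the book): key generation from p, q and e, the two-letters-per-block encoding of the figure, encryption and decryption of the figure's cipher text blocks, and, as a demonstration of the attack mentioned above, recovery of d from the public key alone by factoring the toy modulus. The numbers are those of the figure; the function names and the sample order text "WEB ENGINEERING" are my own constructions.

```python
# Added example, not from the book: textbook RSA with the parameters of
# Figure 13-6 (p = 47, q = 59, e = 17). Toy-sized numbers; real RSA uses
# >= 2048-bit moduli and a padding scheme such as OAEP.
from math import gcd
from typing import List, Tuple

Key = Tuple[int, int]   # public key (n, e) or private key (n, d)

P, Q, E = 47, 59, 17    # parameters from Figure 13-6
# Cipher text blocks exactly as printed in Figure 13-6.
FIGURE_CIPHERTEXT = [747, 1699, 1643, 591, 2641, 1787, 2503, 761]


def make_keypair(p: int, q: int, e: int) -> Tuple[Key, Key]:
    """Return ((n, e), (n, d)) with (e * d) modulo (p-1)(q-1) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p - 1)(q - 1)")
    d = pow(e, -1, phi)              # modular inverse (Python >= 3.8)
    return (n, e), (n, d)


def encrypt_block(m: int, public_key: Key) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("a block must be smaller than the modulus")
    return pow(m, e, n)              # c = m^e modulo n


def decrypt_block(c: int, private_key: Key) -> int:
    n, d = private_key
    return pow(c, d, n)              # m = c^d modulo n


def encode(text: str) -> List[int]:
    """Figure 13-6 encoding: blank -> 00, A -> 01, ..., Z -> 26,
    two letters per four-digit block (an odd-length text is padded with a blank)."""
    text = text.upper()
    if len(text) % 2:
        text += " "
    digits = ""
    for ch in text:
        code = 0 if ch == " " else ord(ch) - ord("A") + 1
        if not 0 <= code <= 26:
            raise ValueError(f"unsupported character {ch!r}")
        digits += f"{code:02d}"
    return [int(digits[i:i + 4]) for i in range(0, len(digits), 4)]


def decode(blocks: List[int]) -> str:
    digits = "".join(f"{b:04d}" for b in blocks)
    letters = []
    for i in range(0, len(digits), 2):
        code = int(digits[i:i + 2])
        if code == 0:
            letters.append(" ")
        elif code <= 26:
            letters.append(chr(ord("A") + code - 1))
        else:
            letters.append("?")      # not a valid letter code
    return "".join(letters)


def encrypt_text(text: str, public_key: Key) -> List[int]:
    return [encrypt_block(b, public_key) for b in encode(text)]


def decrypt_text(blocks: List[int], private_key: Key) -> str:
    return decode([decrypt_block(c, private_key) for c in blocks])


def factor(n: int) -> Tuple[int, int]:
    """Trial division: instant for n = 2773, infeasible for a real modulus."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n has no non-trivial factor")


def recover_private_key(public_key: Key) -> Key:
    """The attack from the text: factor n, then rebuild d from e."""
    n, e = public_key
    p, q = factor(n)
    return make_keypair(p, q, e)[1]


if __name__ == "__main__":
    pub, priv = make_keypair(P, Q, E)
    print("public key", pub, "private key", priv)          # (2773, 17) (2773, 157)
    print("2105^17 mod 2773 =", encrypt_block(2105, pub))   # 747, as in the figure
    print("figure cipher text decrypts to", repr(decrypt_text(FIGURE_CIPHERTEXT, priv)))
    order = "WEB ENGINEERING"                                # constructed sample order
    c = encrypt_text(order, pub)
    print(order, "->", c, "->", repr(decrypt_text(c, priv)))
    print("private key recovered from public key alone:", recover_private_key(pub))
```

Two things the figure alone does not show: the same plain text block always produces the same cipher text block, so an observer can recognize repeated blocks without any key (the reason real RSA pads and randomizes each block), and with a modulus this small the factoring step that protects d takes a few hundred divisions, which is the whole argument for large n.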

The presented procedure is used when RSA is employed for secure messaging. The sender of a message uses the receiver’s public key for enciphering; deciphering requires the receiver’s private key. Note that the “textbook” RSA shown here is deterministic, since a given block always yields the same cipher text; practical implementations therefore randomize and pad each block (e.g., with OAEP) before exponentiation. In the following section, we will show that if the roles of e and d are exchanged, we can use RSA for digital signatures and message integrity checks.

In contrast to symmetric cryptography, asymmetric cryptography does not depend on a shared secret. Thus, the question remains, why symmetric cryptography should be used at all. The reason is that symmetric algorithms are much faster than asymmetric ones (about 100 to 1000 times). By using both kinds of encryption algorithms in tandem the advantages are combined, which is further discussed in section 13.4.1.

13.3.3 Digital Signatures

When communicating over publicly accessible channels, data modification through third parties must be prevented, or at least detected. Digital signatures can be used to guarantee data integrity, to provide non-repudiation, and to authenticate identities. Digital signatures rely on hash algorithms and asymmetric cryptography. Well-known hash algorithms are MD5 (Message Digest Algorithm 5, Rivest 1992) and SHA-1 (Secure Hash Algorithm, Eastlake and Jones 2001); practical collision attacks have since been published against both, so new designs should use a member of the SHA-2 or SHA-3 family. Hash algorithms compute a small, fixed-size piece of data out of a possibly much larger data block. SHA-1 produces a 160 bit digest of data blocks that are up to 2^64 bits in size. The resulting digest is comparable to a fingerprint or a checksum of the data block. Any modification to the input data leads to a completely different hash value. Given the hash value of a message m, say h(m), it must be computationally infeasible to create a (meaningful) message m′ ≠ m with h(m) = h(m′). Thus, hashing can be used to detect tampering with very little extra effort.

However, hashing alone cannot guarantee message integrity. A malicious “man in the middle” can still modify the message and at the same time replace the hash value with a new, matching one. This is where asymmetric cryptography comes into play. Let’s assume Alice wants to ensure the integrity of her message m. She first computes the respective hash value, h(m). Subsequently she digitally signs the hash value using her private key D_A by computing Sig_A(m) = D_A(h(m)). Sig_A(m) is then attached to m. The bookstore, which is the intended receiver of the message, can examine whether the message was tampered with by first applying Alice’s public key E_A to Sig_A(m), thus obtaining h(m). Since only Alice knows her private key, it must have been her who signed the message, provided the bookstore is using Alice’s authentic public key (the problem addressed in section 13.3.4). Note that, as mentioned before, the usage of public and private key is reversed compared with the asymmetric cryptography for secure message exchange.

For the received message m′, book.store.com calculates the respective hash value h(m′). When h(m) = h(m′), book.store.com can be sure that m = m′. Moreover, Alice cannot claim not to have sent the message, as she is the only one who could have signed it. Thus, digital signatures are also useful for non-repudiation and authentication.

13.3.4 Certificates and Public Key Infrastructure

When introducing asymmetric cryptography, we noted that it does not require a shared secret to be distributed beforehand. Still, the question remains how someone can be sure of using the correct public key for encryption. To recap our example, how can Alice be sure to actually use the public key of book.store.com and not that of a malicious third party pretending to be book.store.com? A solution is offered through Public Key Infrastructures (PKI) such as X.509, PGP (Pretty Good Privacy) or SPKI (Simple Public Key Infrastructure).

X.509 digital certificates (Adams et al. 2004) are a widespread technology for providing reliable public key distribution for Web application scenarios. For example, they are used to establish SSL-secured connections as explained in the next section. An X.509 digital certificate binds the public key to the identity of the private key holder.

Certificates are issued by so-called certification authorities (CA) like VeriSign or Entrust. The identities of certificate holders are verified by so-called registration authorities (RA). Therefore, CA and RA work closely together and are often departments of the same organization. CAs assure the integrity of certificates by digitally signing them. Trust can be delegated by CAs vouching for other CAs, so that hierarchies of trusted CAs can be established. The identity bound to a given certificate is then authenticated if a valid certificate chain can be built from that certificate up to a CA the verifier trusts (a trust anchor), with every signature in the chain checking out.

Typically, a certificate has a validity period. After this period has expired a new certificate has to be issued. In case a certificate is no longer trustworthy, e.g., if the respective private key has been disclosed, the certificate is revoked and listed in a so-called certificate revocation list (CRL) published by its issuer. A relying party must therefore check the validity period and the revocation status of every certificate in the chain, not only the signatures: a chain that is cryptographically valid may still contain a revoked certificate.
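An added example (my code, not the book's) that carries sections 13.3.3 and 13.3.4 through in Python: Alice signs the hash of an order with her private key and the bookstore verifies it, rejecting a modified message and a signature made with someone else's key; then a certificate chain from Alice's certificate via an intermediate CA to a trusted root is validated with signature, validity-period and CRL checks, and chains that are expired, revoked, issued by an untrusted CA, or modified after signing are rejected. The key pairs use small Mersenne primes so that no primality test is needed, the digest is reduced modulo n without padding, and a certificate is a Python dict rather than DER-encoded X.509; these are illustrative simplifications, and all names, dates and serial numbers are constructed.

```python
# Added example, not from the book: RSA signature over a hash (13.3.3) and a
# toy certificate-chain check (13.3.4). Simplifications: small Mersenne-prime
# keys, digest reduced modulo n, no padding, certificates as dicts. Real
# systems use >= 2048-bit keys, RSASSA-PSS padding and DER-encoded X.509.
import hashlib
from datetime import date
from typing import Dict, List, Set, Tuple

Key = Tuple[int, int]   # (n, e) public, (n, d) private

# Constructed parameters (p, q, e); 2**k - 1 is prime for these k, so no
# primality test is needed. Each key has its own primes: two keys sharing a
# prime can be broken with a single gcd computation.
KEY_PARAMS = {
    "Root CA": (2**107 - 1, 2**89 - 1, 65537),
    "Bookstore CA": (2**127 - 1, 2**61 - 1, 65537),
    "alice": (2**31 - 1, 2**19 - 1, 65537),
    "mallory": (2**17 - 1, 2**13 - 1, 65537),
}


def make_keypair(p: int, q: int, e: int) -> Tuple[Key, Key]:
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # d = e^-1 modulo (p-1)(q-1)


def digest(data: bytes, n: int) -> int:
    """h(m) as an integer below n (a padded real digest is < n by design)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key: Key) -> int:
    n, d = private_key
    return pow(digest(data, n), d, n)   # Sig_A(m) = D_A(h(m))


def verify(data: bytes, signature: int, public_key: Key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)   # E_A(Sig_A(m)) == h(m')


def tbs_bytes(cert: Dict) -> bytes:
    """Canonical 'to be signed' encoding of the certificate fields."""
    fields = ("serial", "subject", "public_key", "issuer", "not_before", "not_after")
    return "|".join(f"{k}={cert[k]}" for k in fields).encode()


def make_cert(serial: int, subject: str, public_key: Key, issuer: str,
              issuer_private: Key, not_before: date, not_after: date) -> Dict:
    cert = dict(serial=serial, subject=subject, public_key=public_key,
                issuer=issuer, not_before=not_before, not_after=not_after)
    cert["signature"] = sign(tbs_bytes(cert), issuer_private)   # the CA signs
    return cert


def verify_chain(chain: List[Dict], anchors: Dict[str, Key],
                 crl: Set[Tuple[str, int]], today: date) -> bool:
    """chain[0] is the end-entity certificate, chain[i + 1] its issuer's certificate;
    the last issuer must be a trust anchor. Each link is checked for validity
    period, revocation (issuer, serial) and signature."""
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= today <= cert["not_after"]:
            return False                    # expired or not yet valid
        if (cert["issuer"], cert["serial"]) in crl:
            return False                    # revoked by its issuer
        if i + 1 < len(chain):
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False                # next certificate is not the issuer's
            issuer_key = chain[i + 1]["public_key"]
        elif cert["issuer"] in anchors:
            issuer_key = anchors[cert["issuer"]]
        else:
            return False                    # chain does not end at a trusted CA
        if not verify(tbs_bytes(cert), cert["signature"], issuer_key):
            return False                    # forged or modified certificate
    return True


KEYS = {name: make_keypair(*params) for name, params in KEY_PARAMS.items()}


def signature_checks() -> Tuple[bool, bool, bool]:
    """(genuine message verifies, modified message fails, foreign key fails)."""
    alice_pub, alice_priv = KEYS["alice"]
    order = b"Bookorder: Web Engineering, 1 copy"   # constructed message
    sig = sign(order, alice_priv)
    return (verify(order, sig, alice_pub),
            verify(b"Bookorder: Web Engineering, 100 copies", sig, alice_pub),
            verify(order, sig, KEYS["mallory"][0]))


def chain_checks() -> Dict[str, bool]:
    root_pub, root_priv = KEYS["Root CA"]
    ca_pub, ca_priv = KEYS["Bookstore CA"]
    mallory_pub, mallory_priv = KEYS["mallory"]
    anchors = {"Root CA": root_pub}   # the verifier's trust store
    ca_cert = make_cert(1, "Bookstore CA", ca_pub, "Root CA", root_priv,
                        date(2024, 1, 1), date(2029, 12, 31))
    alice_cert = make_cert(42, "alice@example.com", KEYS["alice"][0], "Bookstore CA",
                           ca_priv, date(2025, 1, 1), date(2025, 12, 31))
    # Mallory's own CA issues her a certificate in Alice's name.
    fake_cert = make_cert(7, "alice@example.com", mallory_pub, "Mallory CA",
                          mallory_priv, date(2025, 1, 1), date(2025, 12, 31))
    swapped = dict(alice_cert, public_key=mallory_pub)   # key replaced after signing
    today = date(2025, 6, 1)
    return {
        "valid": verify_chain([alice_cert, ca_cert], anchors, set(), today),
        "expired": verify_chain([alice_cert, ca_cert], anchors, set(), date(2026, 2, 1)),
        "revoked": verify_chain([alice_cert, ca_cert], anchors, {("Bookstore CA", 42)}, today),
        "untrusted_ca": verify_chain([fake_cert], anchors, set(), today),
        "swapped_key": verify_chain([swapped, ca_cert], anchors, set(), today),
    }
```

Running `signature_checks()` returns `(True, False, False)` and `chain_checks()` returns `True` only for the `valid` scenario. The "man in the middle" of section 13.3.3 is the second signature check: the attacker can recompute a bare hash of the altered order, but cannot produce D_A of it without Alice's private key. The `swapped_key` scenario shows why the CA's signature must cover the public key field: replacing the key in an otherwise genuine certificate breaks the signature, so a verifier that only compared names would be fooled, one that checks `tbs_bytes` is not.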