Your SlideShare is downloading. ×
0
CPK
Cryptosystem
in OpenSolaris
Zhi Guan
China ERI, Sun Microsystems,
March, 2008
Outline

 • CPK cryptosystem overview
 • CPK Message Syntax
 • CPK in Solaris Cryptographic Framework
 • CPK in Solaris Ke...
CPK Cryptosystem

 • CPK: Combined Public Key
 • What is CPK?
  ❖ At first, it is a key management scheme
  ❖ Second, it pr...
Map an Identity to Key Pair

                                      h1 , h2 , . . . , hn ← H(ID)

  Private Key Matrix
   ...
Identity Based Encryption

 CPK_Encrypt(Plaintext, ID, PublicMatrix) {
     Indexes = H(ID);
     ECPublicKey = Map(Indexe...
CPK Message Syntax
CPK Objects

 • Public system parameters public matrix
 • Master secret : private matrix
 • User’s private key
 • User’s u...
CPK Cryptographic Messages

 • Signature
 • Public key encrypted session key.
 • Signed data
 • Public key encrypted data....
PKCS #7 General Syntax: ContentInfo


                      specified by an Object Identifier,
     ContentInfo
            ...
PKCS #7 Raw Data


     ContentInfo
                             Data
     content type
                        EncryptedD...
PKCS #7 EncryptedData

     EncryptedData

        version
                        EncryptedContentInfo

                 ...
PKCS #7 EnvelopedData


    EnvelopedData

       version

    recipientInfos
                     EncryptedContentInfo

 ...
PKCS #7 RecipientInfo


      RecipientInfo

         version

      recipient’s id      ECIES (Elliptic Curve Integrated
...
PKCS #7 SignedData


     SignedData

       version                 Data

   digest algorithms
                        En...
PKCS #7 SignerInfo

       SignerInfo
                         Specify the signer. In PKI this field
        version       ...
PKCS #7 SignedAndEnvelopedData

           SignedAndEnvelopedData

                   version

                recipientIn...
Data Types Presentation and Encoding

 • ASN.1
 • BER
 • DER
CPK Interfaces
Identity Based Cryptography Interface
CPK in Solaris Cryptographic Framework
                                               CPK Java Applications



           ...
PKCS #11: Crypto Token Interface Standard
      !quot;#                     $%&'#(!!#)*+*,-#&./$012.3$45&#01%67#5706.83&6#...
PKCS #11 Functions

 • Slot and token management functions
 • Session management functions
 • Cryptographic functions
  ❖ ...
PKCS #11 Objects
                                       PKCS#11
                                        Object




       ...
PKCS #11 Functions

 • Generate system parameters
   ❖ C_CreateObject
   ❖ C_GenerateKey
   ❖ C_GenerateKeyPair

 • Extrac...
Identity Based Encryption
Identity Based Signing
PKCS #7 Data Types

 • SignerInfo
CPK in Solaris Key Management Framework
Solaris Key Management Framework

 • Centralized key storage and management
   framework.

 • Support PKI programing inter...
OS without Centralized Key Management

 • Every applications must have there own
   cryptography implementations and key
 ...
!quot;#$%&'$(&)*+,-
Solaris with Key Management Framework
                                                                ...
!quot;#$%&'$(&)*+,-
Solaris with Key Management Framework
                                                                ...
!quot;#$%&'$(&)*+,-
Solaris with Key Management Framework
                                                                ...
Upcoming SlideShare
Loading in...5
×

CPK Cryptosystem In Solaris

1,877

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,877
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
28
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "CPK Cryptosystem In Solaris"

  1. 1. CPK Cryptosystem in OpenSolaris Zhi Guan China ERI, Sun Microsystems, March, 2008
  2. 2. Outline • CPK cryptosystem overview • CPK Message Syntax • CPK in Solaris Cryptographic Framework • CPK in Solaris Key Management Framework • CPK Code Signing in Solaris • Other Applications
  3. 3. CPK Cryptosystem • CPK: Combined Public Key • What is CPK? ❖ At first, it is a key management scheme ❖ Second, it provides identity based encryption and and signature scheme. • Comparison with PKI
  4. 4. Map an Identity to Key Pair h1 , h2 , . . . , hn ← H(ID) Private Key Matrix   Userʼs Private Key ··· s11 s12 s1n   n−1 ··· s21 s22 s2n   H(ID) dID = shi ,i (mod p) . . . ..   . . . .   . . . i=0 ··· sm1 sm2 smn Public Key Matrix   Userʼs Public Key ··· s11 G s12 G s1n G   ··· s21 G s22 G s2n G n−1   H(ID) . . . QID = ..   shi i G . . . .   . . . i=0 ··· sm1 G sm2 G smn G
  5. 5. Identity Based Encryption CPK_Encrypt(Plaintext, ID, PublicMatrix) { Indexes = H(ID); ECPublicKey = Map(Indexes, PublicMatrix); Ciphertext = ECEncrypt(Plaintext, ECPublicKey); return Ciphertext; } CPK_Decrypt(Plaintext, ECPrivateKey) { Plaintext = ECEncrypt(Plaintext, ECPublicKey); return Ciphertext; }
  6. 6. CPK Message Syntax
  7. 7. CPK Objects • Public system parameters public matrix • Master secret : private matrix • User’s private key • User’s user’s identifier Object Private Public Private Identifier Matrix Matrix Key
  8. 8. CPK Cryptographic Messages • Signature • Public key encrypted session key. • Signed data • Public key encrypted data. • Signed and public key encrypted data.
  9. 9. PKCS #7 General Syntax: ContentInfo specified by an Object Identifier, ContentInfo which is a global unique identifier. content type content the format of content is explicitly defined by the “content type”. The content type options include: •data •signedData •encryptedData •envelopedData •signedAndEnvelopedData
  10. 10. PKCS #7 Raw Data ContentInfo Data content type EncryptedData SignedData EnvelopedData SignedAndEnvelopedData
  11. 11. PKCS #7 EncryptedData EncryptedData version EncryptedContentInfo content type encryption algor encrypted content
  12. 12. PKCS #7 EnvelopedData EnvelopedData version recipientInfos EncryptedContentInfo content type encryption algor encrypted content
  13. 13. PKCS #7 RecipientInfo RecipientInfo version recipient’s id ECIES (Elliptic Curve Integrated Encryption Scheme) key encryption algor encrypted key Encrypted symmetric key
  14. 14. PKCS #7 SignedData SignedData version Data digest algorithms EncryptedData ContentInfo ...... certificates CRLs no useful attributes SignerInfos for CPK
  15. 15. PKCS #7 SignerInfo SignerInfo Specify the signer. In PKI this field version specify signer’s certificate, in CPK this field specify signer’s CPK signer’s id Identity. digest algorithm for example, the date and time of the signing. signed attributes sign algorithm for exampel, ECDSA with SHA1 signature signing algorithm unsigned attributes
  16. 16. PKCS #7 SignedAndEnvelopedData SignedAndEnvelopedData version recipientInfos digest algorithms encryptedConentInfo certificates CRLs signerInfos
  17. 17. Data Types Presentation and Encoding • ASN.1 • BER • DER
  18. 18. CPK Interfaces
  19. 19. Identity Based Cryptography Interface
  20. 20. CPK in Solaris Cryptographic Framework CPK Java Applications JCE (Java Crypto Extension) CPK C/C++ Applications JNI Service Consumer Interface (PKCS#11) Solaris User-space Cryptographic Framework Service Provider Interface (PKCS#11) pkcs11_ pkcs11_ pkcs11_ pkcs11_ cpk.so cpktoken.so softtoken.so kernel.so !libcpk !libcpk
  21. 21. PKCS #11: Crypto Token Interface Standard !quot;# $%&'#(!!#)*+*,-#&./$012.3$45&#01%67#5706.83&6#'03793.9# /001*(-quot;*23&4 /001*(-quot;*23&5 !quot;#$%&'$()%*quot;+&,-+$%. !quot;#$%&'$()%*quot;+&,-+$%. !quot;#$%&'( !quot;#$%&'( 6$7*($&823quot;$3quot;*239'+3(#%23*:-quot;*23 '12quot;&4 '12quot;&3 ;25$3&4 ;25$3&3 <6$7*($&4= <6$7*($&3= # !quot;#$%&'()'*&+&%,-'.%/0123quot;'425&-' &=<;A:H>#;=:I>JCK#LF#>FAC=MLDC#A:#:FC#:=#N:=C#D=<;A:?=L;@>D#JCI>DCK#A@LA#L=C#LDA>IC#>F#A@C#
  22. 22. PKCS #11 Functions • Slot and token management functions • Session management functions • Cryptographic functions ❖ Encryption and decryption ❖ Message digesting ❖ MAC generation and verification ❖ Signing and Verification ❖ Key management
  23. 23. PKCS #11 Objects PKCS#11 Object Data Key Certificate Public Key Private Key Secret Key CPK CPK CPK CPK IdentityInfo PublicMatrix PrivMatrix PrivateKey ECC ECC PublicKey PrivateKey
  24. 24. PKCS #11 Functions • Generate system parameters ❖ C_CreateObject ❖ C_GenerateKey ❖ C_GenerateKeyPair • Extract private key or public key from matrixes ❖ C_DeriveKey
  25. 25. Identity Based Encryption
  26. 26. Identity Based Signing
  27. 27. PKCS #7 Data Types • SignerInfo
  28. 28. CPK in Solaris Key Management Framework
  29. 29. Solaris Key Management Framework • Centralized key storage and management framework. • Support PKI programing interfaces
  30. 30. OS without Centralized Key Management • Every applications must have there own cryptography implementations and key management and storage mechanisms. App App App Key Key Key Store Store Store
  31. 31. !quot;#$%&'$(&)*+,- Solaris with Key Management Framework <4=4>? .:.; .-)+,-$ 1!2 B..C:(1 ..; <@: ./-00 D&'-?*Cquot;DE @F:quot;Cquot;DE B..C:(1 $(!$!-,J-,8? (,8=&A-, (+J0&)$!-3 <@: (!KLL; !-3$quot;454'-6-5*$#,46-78,9 !quot;#$%#&'()* (,8',466&5'$:(1 !-3 @-,*&H&)4*- 25,8006-5* quot;'6* I40&A4*&85 (,8=&A-,? !quot;# (,8=&A-,? (,8=&A-,? D-=-08G6-5* #+*+,-$ (!@.MM L@.( @F; #&0-? N.. (!1O 15*-',4*&85$7&*/ !quot;# !quot;#$%&$'()*+(),,- this picture is from Solaris Key Management Framework sliders by Wyllys Ingersoll
  32. 32. !quot;#$%&'$(&)*+,- Solaris with Key Management Framework <4=4>? .:.; .-)+,-$ 1!2 B..C:(1 ..; <@: ./-00 D&'-?*Cquot;DE @F:quot;Cquot;DE B..C:(1 $(!$!-,J-,8? (,8=&A-, (+J0&)$!-3 <@: (!KLL; !-3$quot;454'-6-5*$#,46-78,9 !quot;#$%#&'()* (,8',466&5'$:(1 !-3 @-,*&H&)4*- 25,8006-5* quot;'6* I40&A4*&85 (,8=&A-,? !quot;# (,8=&A-,? (,8=&A-,? D-=-08G6-5* #+*+,-$ (!@.MM L@.( @F; #&0-? N.. (!1O 15*-',4*&85$7&*/ !quot;# !quot;#$%&$'()*+(),,- this picture is from Solaris Key Management Framework sliders by Wyllys Ingersoll
  33. 33. !quot;#$%&'$(&)*+,- Solaris with Key Management Framework <4=4>? .:.; .-)+,-$ 1!2 B..C:(1 ..; <@: ./-00 D&'-?*Cquot;DE @F:quot;Cquot;DE B..C:(1 $(!$!-,J-,8? (,8=&A-, (+J0&)$!-3 <@: (!KLL; !-3$quot;454'-6-5*$#,46-78,9 !quot;#$%#&'()* (,8',466&5'$:(1 !-3 @-,*&H&)4*-
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×