CPK Cryptosystem In Solaris

2,259 views
2,039 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,259
On SlideShare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
33
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

CPK Cryptosystem In Solaris

  1. 1. CPK Cryptosystem in OpenSolaris Zhi Guan China ERI, Sun Microsystems, March, 2008
  2. 2. Outline • CPK cryptosystem overview • CPK Message Syntax • CPK in Solaris Cryptographic Framework • CPK in Solaris Key Management Framework • CPK Code Signing in Solaris • Other Applications
  3. 3. CPK Cryptosystem • CPK: Combined Public Key • What is CPK? ❖ At first, it is a key management scheme ❖ Second, it provides identity based encryption and and signature scheme. • Comparison with PKI
  4. 4. Map an Identity to Key Pair h1 , h2 , . . . , hn ← H(ID) Private Key Matrix   Userʼs Private Key ··· s11 s12 s1n   n−1 ··· s21 s22 s2n   H(ID) dID = shi ,i (mod p) . . . ..   . . . .   . . . i=0 ··· sm1 sm2 smn Public Key Matrix   Userʼs Public Key ··· s11 G s12 G s1n G   ··· s21 G s22 G s2n G n−1   H(ID) . . . QID = ..   shi i G . . . .   . . . i=0 ··· sm1 G sm2 G smn G
  5. 5. Identity Based Encryption CPK_Encrypt(Plaintext, ID, PublicMatrix) { Indexes = H(ID); ECPublicKey = Map(Indexes, PublicMatrix); Ciphertext = ECEncrypt(Plaintext, ECPublicKey); return Ciphertext; } CPK_Decrypt(Plaintext, ECPrivateKey) { Plaintext = ECEncrypt(Plaintext, ECPublicKey); return Ciphertext; }
  6. 6. CPK Message Syntax
  7. 7. CPK Objects • Public system parameters public matrix • Master secret : private matrix • User’s private key • User’s user’s identifier Object Private Public Private Identifier Matrix Matrix Key
  8. 8. CPK Cryptographic Messages • Signature • Public key encrypted session key. • Signed data • Public key encrypted data. • Signed and public key encrypted data.
  9. 9. PKCS #7 General Syntax: ContentInfo specified by an Object Identifier, ContentInfo which is a global unique identifier. content type content the format of content is explicitly defined by the “content type”. The content type options include: •data •signedData •encryptedData •envelopedData •signedAndEnvelopedData
  10. 10. PKCS #7 Raw Data ContentInfo Data content type EncryptedData SignedData EnvelopedData SignedAndEnvelopedData
  11. 11. PKCS #7 EncryptedData EncryptedData version EncryptedContentInfo content type encryption algor encrypted content
  12. 12. PKCS #7 EnvelopedData EnvelopedData version recipientInfos EncryptedContentInfo content type encryption algor encrypted content
  13. 13. PKCS #7 RecipientInfo RecipientInfo version recipient’s id ECIES (Elliptic Curve Integrated Encryption Scheme) key encryption algor encrypted key Encrypted symmetric key
  14. 14. PKCS #7 SignedData SignedData version Data digest algorithms EncryptedData ContentInfo ...... certificates CRLs no useful attributes SignerInfos for CPK
  15. 15. PKCS #7 SignerInfo SignerInfo Specify the signer. In PKI this field version specify signer’s certificate, in CPK this field specify signer’s CPK signer’s id Identity. digest algorithm for example, the date and time of the signing. signed attributes sign algorithm for exampel, ECDSA with SHA1 signature signing algorithm unsigned attributes
  16. 16. PKCS #7 SignedAndEnvelopedData SignedAndEnvelopedData version recipientInfos digest algorithms encryptedConentInfo certificates CRLs signerInfos
  17. 17. Data Types Presentation and Encoding • ASN.1 • BER • DER
  18. 18. CPK Interfaces
  19. 19. Identity Based Cryptography Interface
  20. 20. CPK in Solaris Cryptographic Framework CPK Java Applications JCE (Java Crypto Extension) CPK C/C++ Applications JNI Service Consumer Interface (PKCS#11) Solaris User-space Cryptographic Framework Service Provider Interface (PKCS#11) pkcs11_ pkcs11_ pkcs11_ pkcs11_ cpk.so cpktoken.so softtoken.so kernel.so !libcpk !libcpk
  21. 21. PKCS #11: Crypto Token Interface Standard !quot;# $%&'#(!!#)*+*,-#&./$012.3$45&#01%67#5706.83&6#'03793.9# /001*(-quot;*23&4 /001*(-quot;*23&5 !quot;#$%&'$()%*quot;+&,-+$%. !quot;#$%&'$()%*quot;+&,-+$%. !quot;#$%&'( !quot;#$%&'( 6$7*($&823quot;$3quot;*239'+3(#%23*:-quot;*23 '12quot;&4 '12quot;&3 ;25$3&4 ;25$3&3 <6$7*($&4= <6$7*($&3= # !quot;#$%&'()'*&+&%,-'.%/0123quot;'425&-' &=<;A:H>#;=:I>JCK#LF#>FAC=MLDC#A:#:FC#:=#N:=C#D=<;A:?=L;@>D#JCI>DCK#A@LA#L=C#LDA>IC#>F#A@C#
  22. 22. PKCS #11 Functions • Slot and token management functions • Session management functions • Cryptographic functions ❖ Encryption and decryption ❖ Message digesting ❖ MAC generation and verification ❖ Signing and Verification ❖ Key management
  23. 23. PKCS #11 Objects PKCS#11 Object Data Key Certificate Public Key Private Key Secret Key CPK CPK CPK CPK IdentityInfo PublicMatrix PrivMatrix PrivateKey ECC ECC PublicKey PrivateKey
  24. 24. PKCS #11 Functions • Generate system parameters ❖ C_CreateObject ❖ C_GenerateKey ❖ C_GenerateKeyPair • Extract private key or public key from matrixes ❖ C_DeriveKey
  25. 25. Identity Based Encryption
  26. 26. Identity Based Signing
  27. 27. PKCS #7 Data Types • SignerInfo
  28. 28. CPK in Solaris Key Management Framework
  29. 29. Solaris Key Management Framework • Centralized key storage and management framework. • Support PKI programing interfaces
  30. 30. OS without Centralized Key Management • Every applications must have there own cryptography implementations and key management and storage mechanisms. App App App Key Key Key Store Store Store
  31. 31. !quot;#$%&'$(&)*+,- Solaris with Key Management Framework <4=4>? .:.; .-)+,-$ 1!2 B..C:(1 ..; <@: ./-00 D&'-?*Cquot;DE @F:quot;Cquot;DE B..C:(1 $(!$!-,J-,8? (,8=&A-, (+J0&)$!-3 <@: (!KLL; !-3$quot;454'-6-5*$#,46-78,9 !quot;#$%#&'()* (,8',466&5'$:(1 !-3 @-,*&H&)4*- 25,8006-5* quot;'6* I40&A4*&85 (,8=&A-,? !quot;# (,8=&A-,? (,8=&A-,? D-=-08G6-5* #+*+,-$ (!@.MM L@.( @F; #&0-? N.. (!1O 15*-',4*&85$7&*/ !quot;# !quot;#$%&$'()*+(),,- this picture is from Solaris Key Management Framework sliders by Wyllys Ingersoll
  32. 32. !quot;#$%&'$(&)*+,- Solaris with Key Management Framework <4=4>? .:.; .-)+,-$ 1!2 B..C:(1 ..; <@: ./-00 D&'-?*Cquot;DE @F:quot;Cquot;DE B..C:(1 $(!$!-,J-,8? (,8=&A-, (+J0&)$!-3 <@: (!KLL; !-3$quot;454'-6-5*$#,46-78,9 !quot;#$%#&'()* (,8',466&5'$:(1 !-3 @-,*&H&)4*- 25,8006-5* quot;'6* I40&A4*&85 (,8=&A-,? !quot;# (,8=&A-,? (,8=&A-,? D-=-08G6-5* #+*+,-$ (!@.MM L@.( @F; #&0-? N.. (!1O 15*-',4*&85$7&*/ !quot;# !quot;#$%&$'()*+(),,- this picture is from Solaris Key Management Framework sliders by Wyllys Ingersoll
  33. 33. !quot;#$%&'$(&)*+,- Solaris with Key Management Framework <4=4>? .:.; .-)+,-$ 1!2 B..C:(1 ..; <@: ./-00 D&'-?*Cquot;DE @F:quot;Cquot;DE B..C:(1 $(!$!-,J-,8? (,8=&A-, (+J0&)$!-3 <@: (!KLL; !-3$quot;454'-6-5*$#,46-78,9 !quot;#$%#&'()* (,8',466&5'$:(1 !-3 @-,*&H&)4*-

×