CPK
Cryptosystem
in OpenSolaris
Zhi Guan
China ERI, Sun Microsystems,
March, 2008
Outline

 • CPK cryptosystem overview
 • CPK Message Syntax
 • CPK in Solaris Cryptographic Framework
 • CPK in Solaris Key Management Framework
 • CPK Code Signing in Solaris
 • Other Applications
CPK Cryptosystem

 • CPK: Combined Public Key
 • What is CPK?
  ❖ First, it is a key management scheme
  ❖ Second, it provides identity-based encryption
    and signature schemes.

 • Comparison with PKI
Map an Identity to Key Pair

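  $h_1, h_2, \ldots, h_n \leftarrow H(ID)$

  Private Key Matrix

    $\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix}$

  User’s Private Key (entries selected by $H(ID)$)

    $d_{ID} = \sum_{i=0}^{n-1} s_{h_i, i} \pmod{p}$

  Public Key Matrix

    $\begin{pmatrix} s_{11} G & s_{12} G & \cdots & s_{1n} G \\ s_{21} G & s_{22} G & \cdots & s_{2n} G \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} G & s_{m2} G & \cdots & s_{mn} G \end{pmatrix}$

  User’s Public Key (entries selected by $H(ID)$)

    $Q_{ID} = \sum_{i=0}^{n-1} s_{h_i, i} G$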
Identity Based Encryption

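 CPK_Encrypt(Plaintext, ID, PublicMatrix) {
     Indexes = H(ID);                            // hash the identity to matrix indexes
     ECPublicKey = Map(Indexes, PublicMatrix);   // combine the selected entries into the public key
     Ciphertext = ECEncrypt(Plaintext, ECPublicKey);
     return Ciphertext;
 }

 CPK_Decrypt(Ciphertext, ECPrivateKey) {
     Plaintext = ECDecrypt(Ciphertext, ECPrivateKey);   // the recipient holds the matching private key
     return Plaintext;
 }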
CPK Message Syntax
CPK Objects

 • Public system parameters: public matrix
 • Master secret: private matrix
 • User’s private key
 • User’s identifier

 Object types: Private Matrix, Public Matrix, Identifier, Private Key
CPK Cryptographic Messages

 • Signature
 • Public key encrypted session key.
 • Signed data
 • Public key encrypted data.
 • Signed and public key encrypted data.
PKCS #7 General Syntax: ContentInfo


     ContentInfo
       content type   specified by an Object Identifier, which is a globally unique identifier.
       content        the format of content is explicitly defined by the “content type”.

     The content type options include:
      • data
      • signedData
      • encryptedData
      • envelopedData
      • signedAndEnvelopedData
PKCS #7 Raw Data


     ContentInfo
                             Data
     content type
                        EncryptedData


                          SignedData


                        EnvelopedData


                    SignedAndEnvelopedData
PKCS #7 EncryptedData

     EncryptedData
       version
       EncryptedContentInfo
         content type
         encryption algor
         encrypted content
PKCS #7 EnvelopedData


     EnvelopedData
       version
       recipientInfos
       EncryptedContentInfo
         content type
         encryption algor
         encrypted content
PKCS #7 RecipientInfo


     RecipientInfo
       version
       recipient’s id
       key encryption algor   ECIES (Elliptic Curve Integrated Encryption Scheme)
       encrypted key          Encrypted symmetric key
PKCS #7 SignedData


     SignedData

       version                 Data

   digest algorithms
                        EncryptedData
     ContentInfo
                                ......
      certificates

        CRLs
                       no useful attributes
     SignerInfos
                       for CPK
PKCS #7 SignerInfo

     SignerInfo
       version
       signer’s id           Specifies the signer. In PKI this field specifies the signer’s certificate; in CPK this field specifies the signer’s CPK Identity.
       digest algorithm
       signed attributes     for example, the date and time of the signing.
       sign algorithm        for example, ECDSA with SHA1 signing algorithm
       signature
       unsigned attributes
PKCS #7 SignedAndEnvelopedData

           SignedAndEnvelopedData

                   version

                recipientInfos

              digest algorithms

             encryptedContentInfo

                 certificates

                    CRLs

                 signerInfos
Data Types Presentation and Encoding

 • ASN.1
 • BER
 • DER
CPK Interfaces
Identity Based Cryptography Interface
CPK in Solaris Cryptographic Framework
   Applications:
     CPK C/C++ Applications
     CPK Java Applications, via JCE (Java Crypto Extension) and JNI

   Service Consumer Interface (PKCS#11)

   Solaris User-space Cryptographic Framework

   Service Provider Interface (PKCS#11)

   Providers:
     pkcs11_softtoken.so
     pkcs11_kernel.so
     pkcs11_cpk.so        libcpk
     pkcs11_cpktoken.so   libcpk
PKCS #11: Crypto Token Interface Standard
PKCS #11 Functions

 • Slot and token management functions
 • Session management functions
 • Cryptographic functions
  ❖ Encryption and decryption
  ❖ Message digesting
  ❖ MAC generation and verification
  ❖ Signing and Verification
  ❖ Key management
PKCS #11 Objects
                                       PKCS#11
                                        Object




                     Data                  Key                Certificate




              Public Key               Private Key            Secret Key




         CPK                   CPK                  CPK                 CPK
      IdentityInfo          PublicMatrix         PrivMatrix          PrivateKey



                          ECC                   ECC
                        PublicKey            PrivateKey
PKCS #11 Functions

 • Generate system parameters
   ❖ C_CreateObject
   ❖ C_GenerateKey
   ❖ C_GenerateKeyPair

 • Extract private key or public key from matrices
   ❖ C_DeriveKey
Identity Based Encryption
Identity Based Signing
PKCS #7 Data Types

 • SignerInfo
CPK in Solaris Key Management Framework
Solaris Key Management Framework

 • Centralized key storage and management
   framework.

 • Supports PKI programming interfaces
OS without Centralized Key Management

 • Every application must have its own
   cryptography implementation and key
   management and storage mechanisms.



                                   App
           App         App



                                   Key
           Key         Key
                                  Store
          Store       Store
Solaris with Key Management Framework

[Figure: Solaris Key Management Framework architecture]

This picture is from the Solaris Key Management Framework slides by Wyllys Ingersoll.
!quot;#$%&'$(&)*+,-
Solaris with Key Management Framework
                                                                                                                       <4=4>?
                                                                                            .:.;
                                 .-)+,-$
          1!2                                   B..C:(1
                    ..;                                                                                                 <@:
                                  ./-00




                                                                                            D&'-?*Cquot;DE

                                                                                                         @F:quot;Cquot;DE
                                                                                  B..C:(1
                                               $(!$!-,J-,8?




                                                                                                                             (,8=&A-,
                                                              (+J0&)$!-3




                                                                                                                       <@:
    (!KLL;




                           !-3$quot;454'-6-5*$#,46-78,9                                                                 !quot;#$%#&'()*

                                                                                                                     (,8',466&5'$:(1
                           !-3             @-,*&H&)4*-
                                                                           25,8006-5*
                          quot;'6*             I40&A4*&85
                                                                           (,8=&A-,?                                     !quot;#
                       (,8=&A-,?           (,8=&A-,?
                                                                                                                      D-=-08G6-5*
                                                                                                                         #+*+,-$
     (!@.MM                                L@.(               @F;
                           #&0-?
                 N..                                                          (!1O                                   15*-',4*&85$7&*/
                                                                                                                           !quot;#
                                     !quot;#$%&$'()*+(),,-




this picture is from Solaris Key Management Framework sliders by Wyllys Ingersoll
!quot;#$%&'$(&)*+,-
Solaris with Key Management Framework
                                                                                                                       <4=4>?
                                                                                            .:.;
                                 .-)+,-$
          1!2                                   B..C:(1
                    ..;                                                                                                 <@:
                                  ./-00




                                                                                            D&'-?*Cquot;DE

                                                                                                         @F:quot;Cquot;DE
                                                                                  B..C:(1
                                               $(!$!-,J-,8?




                                                                                                                             (,8=&A-,
                                                              (+J0&)$!-3




                                                                                                                       <@:
    (!KLL;




                           !-3$quot;454'-6-5*$#,46-78,9                                                                 !quot;#$%#&'()*

                                                                                                                     (,8',466&5'$:(1
                           !-3             @-,*&H&)4*-

More Related Content

Viewers also liked

USB Token Design and Implementation
USB Token Design and ImplementationUSB Token Design and Implementation
USB Token Design and ImplementationZhi Guan
 
Code Signing with CPK
Code Signing with CPKCode Signing with CPK
Code Signing with CPKZhi Guan
 
A Survey of Identity-Based Encryption
A Survey of Identity-Based EncryptionA Survey of Identity-Based Encryption
A Survey of Identity-Based EncryptionZhi Guan
 
Crypto With OpenSSL
Crypto With OpenSSLCrypto With OpenSSL
Crypto With OpenSSLZhi Guan
 
CPK Theory And Parctice
CPK Theory And ParcticeCPK Theory And Parctice
CPK Theory And ParcticeZhi Guan
 

Viewers also liked (6)

USB Token Design and Implementation
USB Token Design and ImplementationUSB Token Design and Implementation
USB Token Design and Implementation
 
Code Signing with CPK
Code Signing with CPKCode Signing with CPK
Code Signing with CPK
 
A Survey of Identity-Based Encryption
A Survey of Identity-Based EncryptionA Survey of Identity-Based Encryption
A Survey of Identity-Based Encryption
 
Crypto With OpenSSL
Crypto With OpenSSLCrypto With OpenSSL
Crypto With OpenSSL
 
Easy CPK
Easy CPKEasy CPK
Easy CPK
 
CPK Theory And Parctice
CPK Theory And ParcticeCPK Theory And Parctice
CPK Theory And Parctice
 

Similar to CPK Cryptosystem In Solaris

HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHackito Ergo Sum
 
The Belgian E Id Hacker Vs Developer
The Belgian E Id Hacker Vs DeveloperThe Belgian E Id Hacker Vs Developer
The Belgian E Id Hacker Vs Developerbeires
 
TLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security Talk
Nisheed KM
 
Overview of Cryptography in pantanagr .pdf
Overview of Cryptography in pantanagr .pdfOverview of Cryptography in pantanagr .pdf
Overview of Cryptography in pantanagr .pdf
thukralyash256
 
MongoDB Live Hacking
MongoDB Live HackingMongoDB Live Hacking
MongoDB Live Hacking
Tobias Trelle
 
Cryptography with Zend Framework
Cryptography with Zend FrameworkCryptography with Zend Framework
Cryptography with Zend Framework
Enrico Zimuel
 
Pgsodium's Features: those not provided by pgcrypto and integration with rem...
 Pgsodium's Features: those not provided by pgcrypto and integration with rem... Pgsodium's Features: those not provided by pgcrypto and integration with rem...
Pgsodium's Features: those not provided by pgcrypto and integration with rem...
EDB
 
Icpc11b.ppt
Icpc11b.pptIcpc11b.ppt
Information security programming in ruby
Information security programming in rubyInformation security programming in ruby
Information security programming in ruby
Hiroshi Nakamura
 
Cryptography
CryptographyCryptography
Cryptography
puja singh
 
Cryptography
CryptographyCryptography
Cryptography
puja singh
 
Anonymous Credentials on Java Card - SIT Smartcard 2011
Anonymous Credentials on Java Card - SIT Smartcard 2011Anonymous Credentials on Java Card - SIT Smartcard 2011
Anonymous Credentials on Java Card - SIT Smartcard 2011
Thomas Gross
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEE
Linaro
 
Strong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSOStrong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSOSylvain Maret
 
Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...
Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...
Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...
SSIMeetup
 

Similar to CPK Cryptosystem In Solaris (20)

HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
The Belgian E Id Hacker Vs Developer
The Belgian E Id Hacker Vs DeveloperThe Belgian E Id Hacker Vs Developer
The Belgian E Id Hacker Vs Developer
 
ICPC11c.ppt
ICPC11c.pptICPC11c.ppt
ICPC11c.ppt
 
ICPC11b.ppt
ICPC11b.pptICPC11b.ppt
ICPC11b.ppt
 
TLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security Talk
 
Overview of Cryptography in pantanagr .pdf
Overview of Cryptography in pantanagr .pdfOverview of Cryptography in pantanagr .pdf
Overview of Cryptography in pantanagr .pdf
 
MongoDB Live Hacking
MongoDB Live HackingMongoDB Live Hacking
MongoDB Live Hacking
 
PKI Interoperability
PKI InteroperabilityPKI Interoperability
PKI Interoperability
 
Cryptography with Zend Framework
Cryptography with Zend FrameworkCryptography with Zend Framework
Cryptography with Zend Framework
 
Pgsodium's Features: those not provided by pgcrypto and integration with rem...
 Pgsodium's Features: those not provided by pgcrypto and integration with rem... Pgsodium's Features: those not provided by pgcrypto and integration with rem...
Pgsodium's Features: those not provided by pgcrypto and integration with rem...
 
Icpc11b.ppt
Icpc11b.pptIcpc11b.ppt
Icpc11b.ppt
 
661 665
661 665661 665
661 665
 
Information security programming in ruby
Information security programming in rubyInformation security programming in ruby
Information security programming in ruby
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography
CryptographyCryptography
Cryptography
 
Anonymous Credentials on Java Card - SIT Smartcard 2011
Anonymous Credentials on Java Card - SIT Smartcard 2011Anonymous Credentials on Java Card - SIT Smartcard 2011
Anonymous Credentials on Java Card - SIT Smartcard 2011
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEE
 
Strong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSOStrong Authentication State of the Art 2012 / Sarajevo CSO
Strong Authentication State of the Art 2012 / Sarajevo CSO
 
Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...
Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...
Anonymous credentials with range proofs, verifiable encryption, ZKSNARKs, Cir...
 

Recently uploaded

GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 

Recently uploaded (20)

GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Quantum Computing: Current Landscape and the Future Role of APIs

CPK Cryptosystem In Solaris

  • 1. CPK Cryptosystem in OpenSolaris Zhi Guan China ERI, Sun Microsystems, March, 2008
  • 2. Outline • CPK cryptosystem overview • CPK Message Syntax • CPK in Solaris Cryptographic Framework • CPK in Solaris Key Management Framework • CPK Code Signing in Solaris • Other Applications
  • 3. CPK Cryptosystem • CPK: Combined Public Key • What is CPK? ❖ First, it is a key management scheme ❖ Second, it provides identity-based encryption and signature schemes. • Comparison with PKI
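  • 4. Map an Identity to Key Pair
      $h_1, h_2, \ldots, h_n \leftarrow H(ID)$
      Private Key Matrix: $\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix}$
      User's Private Key: $d_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} \pmod{p}$
      Public Key Matrix: $\begin{pmatrix} s_{11}G & s_{12}G & \cdots & s_{1n}G \\ s_{21}G & s_{22}G & \cdots & s_{2n}G \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1}G & s_{m2}G & \cdots & s_{mn}G \end{pmatrix}$
      User's Public Key: $Q_{ID} = \sum_{i=0}^{n-1} s_{h_i,i}\,G$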
  • 5. Identity Based Encryption
      CPK_Encrypt(Plaintext, ID, PublicMatrix) {
          Indexes = H(ID);                              // hash the identity to matrix indexes
          ECPublicKey = Map(Indexes, PublicMatrix);     // combine the selected public matrix entries
          Ciphertext = ECEncrypt(Plaintext, ECPublicKey);
          return Ciphertext;
      }
      CPK_Decrypt(Ciphertext, ECPrivateKey) {
          Plaintext = ECDecrypt(Ciphertext, ECPrivateKey);  // uses the recipient's own private key
          return Plaintext;
      }
  • 7. CPK Objects • Public system parameters: public matrix • Master secret: private matrix • User's private key • User's identifier. Objects: Private Matrix, Public Matrix, Private Key, Identifier
  • 8. CPK Cryptographic Messages • Signature • Public key encrypted session key. • Signed data • Public key encrypted data. • Signed and public key encrypted data.
  • 9. PKCS #7 General Syntax: ContentInfo • content type: specified by an Object Identifier, which is a globally unique identifier. • content: the format of content is explicitly defined by the "content type". The content type options include: • data • signedData • encryptedData • envelopedData • signedAndEnvelopedData
  • 10. PKCS #7 Raw Data ContentInfo Data content type EncryptedData SignedData EnvelopedData SignedAndEnvelopedData
  • 11. PKCS #7 EncryptedData EncryptedData version EncryptedContentInfo content type encryption algor encrypted content
  • 12. PKCS #7 EnvelopedData EnvelopedData version recipientInfos EncryptedContentInfo content type encryption algor encrypted content
  • 13. PKCS #7 RecipientInfo: version; recipient's id; key encryption algor (ECIES, Elliptic Curve Integrated Encryption Scheme); encrypted key (encrypted symmetric key)
  • 14. PKCS #7 SignedData: version; digest algorithms; ContentInfo (Data, EncryptedData, ......); certificates; CRLs (no useful attributes for CPK); SignerInfos
  • 15. PKCS #7 SignerInfo: version; signer's id (specifies the signer: in PKI this field specifies the signer's certificate, in CPK this field specifies the signer's CPK identity); digest algorithm; signed attributes (for example, the date and time of the signing); sign algorithm (for example, ECDSA with SHA1); signature; signing algorithm; unsigned attributes
  • 16. PKCS #7 SignedAndEnvelopedData: version; recipientInfos; digest algorithms; encryptedContentInfo; certificates; CRLs; signerInfos
  • 17. Data Types Presentation and Encoding • ASN.1 • BER • DER
  • 20. CPK in Solaris Cryptographic Framework: CPK Java Applications, JCE (Java Crypto Extension), JNI; CPK C/C++ Applications; Service Consumer Interface (PKCS#11); Solaris User-space Cryptographic Framework; Service Provider Interface (PKCS#11); pkcs11_cpk.so, pkcs11_cpktoken.so, pkcs11_softtoken.so, pkcs11_kernel.so; libcpk
  • 21. PKCS #11: Crypto Token Interface Standard (figure)
  • 22. PKCS #11 Functions • Slot and token management functions • Session management functions • Cryptographic functions ❖ Encryption and decryption ❖ Message digesting ❖ MAC generation and verification ❖ Signing and Verification ❖ Key management
  • 23. PKCS #11 Objects: PKCS#11 Object; Data, Key, Certificate; Public Key, Private Key, Secret Key; CPK IdentityInfo, CPK PublicMatrix, CPK PrivMatrix, CPK PrivateKey; ECC PublicKey, ECC PrivateKey
  • 24. PKCS #11 Functions • Generate system parameters ❖ C_CreateObject ❖ C_GenerateKey ❖ C_GenerateKeyPair • Extract private key or public key from matrixes ❖ C_DeriveKey
  • 27. PKCS #7 Data Types • SignerInfo
  • 28. CPK in Solaris Key Management Framework
  • 29. Solaris Key Management Framework • Centralized key storage and management framework. • Supports PKI programming interfaces
  • 30. OS without Centralized Key Management • Every application must have its own cryptography implementation and its own key management and storage mechanisms. (Diagram: three Apps, each with its own Key Store.)
  • 31–33. Solaris with Key Management Framework (architecture diagram; this picture is from the Solaris Key Management Framework slides by Wyllys Ingersoll)