AskDeveloper Podcast - 49 - Cryptography - Part 3 - Digital Signaures and Protocols - a podcast by Mohamed Elsherif, Amr Eldib, Yasser Makram, Tamer Zaki & Ahmed Elmalt

? Digital Signatures
§ Goal: verify Authenticity of a message.§ Based on Asymmetric Cryptography.
§ Basic operations1. Public / Private keys generation (using some algorithm like RSA)
2. Signing algorithm using the private key3. Signature verification algorithm using the corresponding public key
i. Extending previous Example• Steps (Order is very important, bold stuff is the difference added to authenticate sender)
® Party 1 (Alice)1. Generates a random AES Session Key (32 bytes / 256 bits)
2. Generates a random Initialization Vector (IV) (16 bytes / 128 bits)3. Encrypt the message to be sent using the AES Session Key&IV
4. Calculate an HMAC of the encrypted message using the AES Session key5. Encrypt the AES Session Key using the Public Key of Party 2 (Bob) The recipient.
6. Calculate Signature using the private signing key on the HMAC7. Sends a packet of (Encrypted Message, Encrypted Session Key, Initialization Vector, HMAC, and Signature) to Bob
® Party 2 (Bob)1. Decrypts Session key using his Private Key
2. Recalculates the HMAC of the encrypted message (Validates message integrity)} If HMAC check pass
– Verify digital signature using Alice Public Keyw If signature verification pass
w Decrypts the message using the decrypted AES Session Key and Initialization Vectorw Otherwise, identity of the sender couldn't not be verified, reject message.
} Otherwise, rejects the message because of integrity check failure.• Why Order matters?
® Timing Side-Channel Attacks® Padding-Oracle Attack? Protocols
§ TLS/SSL• How TLS/SSL Works?
• Mitigates against® Man in the Middle Attacks
® Authentication, so the client can be sure it is talking to the correct destination.§ Public Key Infrastructure (PKI)
• Certificates aka X.509 Certificate (Sha-1 Signature Issues)® A digitally signed file
® Identifies (Computer / User / Device)® Has Public&Private Key, only the certificate owner has the Private Key.
® Has Expiration date® Information about the CA that issued the cert
® X.509 Extension Attributes (like Usage attribute)® Revocation Information.
• Certificate Authority (CA) (CNNIC, WoSign)® Issues, signs and manages certificates.
® Famous certificate authorities (Verisign, GoDaddy, … etc).• Trust Chains
® CA's can delegate the signing job to subordinate CA's? Root CA's signs an intermediate signing certificate to the subordinate CA
® The subordinate CA can then issue certificates® To validate a certificate, the client validates the signatures of all the intermediate stages and make sure all of them are linked to a Trusted CA
• Certificate Revocation Lists (CRL's)® When a certificate is compromised (Private Key leaked) it will be published on the CRL, so each time the cert is validated, the CRL list is checked in case cert is revoked.
3. Takeaways4. Books
a. Understanding Cryptography: A Textbook for Students and Practitionershttps://www.amazon.com/Understanding-Cryptography-Textbook-Students-Practitioners/dp/3642041000Our facebook Page
http://facebook.com/askdeveloperOn Sound Cloud
http://soundcloud.com/askdeveloperPlease Like&Subscribe

Further episodes of AskDeveloper Podcast

Further podcasts by Mohamed Elsherif, Amr Eldib, Yasser Makram, Tamer Zaki & Ahmed Elmalt

Website of Mohamed Elsherif, Amr Eldib, Yasser Makram, Tamer Zaki & Ahmed Elmalt