Family name: Chaparro Gonzalez
First name: Diego
E-mail: dchaparro@acm.org

2002: Homework 1
----------------------------------------------------------

Background crypto:
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=

1.-
===
A digital signature is a cryptographic method that provides authentication
and integrity for a message. It is used when sending messages, so that the
receiver can verify that the sender is who they claim to be and that the
message hasn't been modified in transit.

When we want to create a digital signature of a document or message, first a
one-way hash function is applied to the document, and then the hash result is
signed. The one-way hash function is applied because it takes less time to
sign the hash result than the original document. [2]

2.-
===
The session key is encrypted using public-key cryptography, and the message
being sent is encrypted with symmetric cryptography. [2]

Trust:
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=

3.-
===
Yes, because PKI is: "The set of hardware, software, people, policies and
procedures needed to create, manage, store, distribute, and revoke Public Key
Certificates based on public-key cryptography" [3]. Thus, PKI provides an
environment which can provide trusted and efficient key and public key
certificate management, enabling the use of authentication, non-repudiation,
and confidentiality.

4.-
===
It depends. For example, in GnuPG Alice chooses how much she trusts Bob's key.
If she considers Bob's key fully trusted, then Alice will trust Carol. But if
Alice considers Bob's key marginally trusted, then Alice will not trust
Carol. [2]

Certificates:
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=

5.-
===
X.509 is a standard for defining digital certificates. A certificate contains
the issuer's name and digital signature as well as information on the
certificate holder's identity.
X.509 Version 1 has been available since 1988.
X.509 Version 2 introduced the concept of subject and issuer unique identifiers.
X.509 Version 3 is the most recent (1996) and supports the notion of
extensions such as additional subject identification information, key
attribute information, policy information, and certification path constraints.

6.-
===
The main difference is the lack of CAs in SPKI and the explicit use of such
CAs in X.509v3.

PKI structure and functions:
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=

7.-
===
An End-entity (e.g. an e-business company) sends its certificate request to
the Registration Authority (e.g. Verisign) for approval. Then it is forwarded
to the Certification Authority (e.g. Verisign) for signing. The CA verifies
the certificate request and, if it passes the verification, it is signed and
the Certificate is produced. Then the CA sends the Certificate to the
Certificate Repository.

8.-
===
* Key creation: PGP certificates are self-generated, and require no
  interaction with anybody in order to start using the system, whereas with
  X.509 you need to get your key signed by an authority before you can use it
  at all.
* Hierarchy: X.509 certificates force users into a strict hierarchical model,
  whereas PGP allows a less strict model.
* Need of third parties: With X.509 you need a CA which generates the X.509
  certificate, and PGP relies on the "Web of trust", in which the user can
  trust stuff.
* Structure: X.509 has a rigid structure and a single issuer (CA), while PGP
  is flexible, and allows more than one signature.

9.-
===
An advantage of the CRL method is that the certificate revocation list may be
distributed via untrusted communications and server systems. One disadvantage
is that the latency is greater than with online checking: a revocation is not
announced until the next periodic CRL issue period.
A Delta-CRL is an extension that improves processing time for applications
which process CRL structures, because the Delta-CRL shows the changes between
the base CRL and the current CRL issued along with the delta-CRL. [4]

10.-
===
I think that Public Key Infrastructure provides the needed security for
e-business operations. With PKI we can have digital certificates, and such
certificates can ensure the confidentiality and integrity of data, and this is
what is needed to verify identities and ensure the security of e-business
operations.

Feedback:
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=

11.-
===
I have been working on this assignment for 15 hours, more or less. This
assignment has been much too difficult for me.

REFERENCES:
=+=+=+=+=+=+=+=+=+=+=+=+==+=+=+=+=

[1] Anderson, Ross, Security Engineering: A Guide to Building Dependable
    Distributed Systems, Wiley, 2001
[2] Ashley, Mike, The GNU Privacy Handbook, 8.8.2000
    URL: http://www.gnupg.org/gph/en/manual.html
[3] draft-ietf-pkix-roadmap-09.txt, July 2002
    URL: http://www.ietf.org/internet-drafts/draft-ietf-pkix-roadmap-09.txt
[4] Internet X.509 Public Key Infrastructure Certificate and CRL Profile,
    RFC 2693
    URL: http://www.ietf.org/rfc/rfc2693.txt
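
Added example for answer 9 (not part of the original homework): a simplified Python model of how a relying party combines a base CRL with a delta CRL to get the current revocation state. The `CRL` class, issuer name and serial numbers are constructed for illustration, and the CRL-number compatibility check follows the combination rules of RFC 5280, which goes beyond what the answer states.

```python
from dataclasses import dataclass, field
from typing import Optional

REMOVE_FROM_CRL = "removeFromCRL"  # reason code: a held certificate is released


@dataclass
class CRL:
    """Simplified CRL model (constructed for this example, not real ASN.1)."""
    issuer: str
    crl_number: int
    revoked: dict = field(default_factory=dict)  # serial -> reason code
    base_crl_number: Optional[int] = None        # set only on a delta CRL


def can_combine(base: CRL, delta: CRL) -> bool:
    """A delta may only be applied to a complete CRL it was computed against."""
    return (
        delta.base_crl_number is not None        # second argument is a delta
        and base.base_crl_number is None         # first argument is complete
        and base.issuer == delta.issuer
        and delta.base_crl_number <= base.crl_number < delta.crl_number
    )


def apply_delta(base: CRL, delta: CRL) -> dict:
    """Return the current serial -> reason map from base CRL plus delta CRL."""
    if not can_combine(base, delta):
        raise ValueError("delta CRL does not match this base CRL")
    current = dict(base.revoked)
    for serial, reason in delta.revoked.items():
        if reason == REMOVE_FROM_CRL:
            current.pop(serial, None)   # hold released: no longer listed
        else:
            current[serial] = reason    # newly revoked, or reason changed
    return current


def is_revoked(serial: int, base: CRL, delta: CRL) -> bool:
    return serial in apply_delta(base, delta)


# Constructed sample data: base CRL number 40, delta CRL number 42.
BASE = CRL("CN=Example CA", 40,
           {0x1001: "keyCompromise", 0x1002: "certificateHold"})
DELTA = CRL("CN=Example CA", 42,
            {0x1002: REMOVE_FROM_CRL, 0x1003: "cessationOfOperation"},
            base_crl_number=40)

if __name__ == "__main__":
    for serial, why in sorted(apply_delta(BASE, DELTA).items()):
        print(hex(serial), why)
```

The delta carries only two entries, yet the relying party ends up with the full current list without downloading a new complete CRL; a delta issued against a newer base than the one held is rejected rather than silently applied.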