2. Outline
• CPK cryptosystem overview
• CPK Message Syntax
• CPK in Solaris Cryptographic Framework
• CPK in Solaris Key Management Framework
• CPK Code Signing in Solaris
• Other Applications
3. CPK Cryptosystem
• CPK: Combined Public Key
• What is CPK?
❖ At first, it is a key management scheme
❖ Second, it provides an identity based encryption and signature scheme.
• Comparison with PKI
4. Map an Identity to Key Pair
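$h_1, h_2, \ldots, h_n \leftarrow H(ID)$
Private Key Matrix
$$\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix}$$
User's Private Key, selected by $H(ID)$
$$d_{ID} = \sum_{i=0}^{n-1} s_{h_i,i} \pmod{p}$$
Public Key Matrix
$$\begin{pmatrix} s_{11}G & s_{12}G & \cdots & s_{1n}G \\ s_{21}G & s_{22}G & \cdots & s_{2n}G \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1}G & s_{m2}G & \cdots & s_{mn}G \end{pmatrix}$$
User's Public Key, selected by $H(ID)$
$$Q_{ID} = \sum_{i=0}^{n-1} s_{h_i,i}\,G$$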
7. CPK Objects
• Public system parameters: public matrix
• Master secret: private matrix
• User’s private key
• User’s identifier
Objects: Private Matrix, Public Matrix, Private Key, Identifier
8. CPK Cryptographic Messages
• Signature
• Public key encrypted session key.
• Signed data
• Public key encrypted data.
• Signed and public key encrypted data.
9. PKCS #7 General Syntax: ContentInfo
ContentInfo
content type: specified by an Object Identifier, which is a globally unique identifier.
content: the format of content is explicitly defined by the “content type”.
The content type options include:
• data
• signedData
• encryptedData
• envelopedData
• signedAndEnvelopedData
10. PKCS #7 Raw Data
ContentInfo
Data
content type
EncryptedData
SignedData
EnvelopedData
SignedAndEnvelopedData
11. PKCS #7 EncryptedData
EncryptedData
version
EncryptedContentInfo
content type
encryption algor
encrypted content
12. PKCS #7 EnvelopedData
EnvelopedData
version
recipientInfos
EncryptedContentInfo
content type
encryption algor
encrypted content
14. PKCS #7 SignedData
SignedData
version
digest algorithms
ContentInfo (Data, EncryptedData, ......)
certificates, CRLs: no useful attributes for CPK
SignerInfos
15. PKCS #7 SignerInfo
SignerInfo
version
signer’s id: specifies the signer. In PKI this field specifies the signer’s certificate; in CPK this field specifies the signer’s CPK Identity.
digest algorithm
signed attributes: for example, the date and time of the signing.
sign algorithm: for example, the ECDSA with SHA1 signing algorithm.
signature
unsigned attributes
29. Solaris Key Management Framework
• Centralized key storage and management framework.
• Supports PKI programming interfaces
30. OS without Centralized Key Management
• Every application must have its own cryptography implementation and key management and storage mechanisms.
[Diagram: three Apps, each with its own Key Store]
31. KMF Big Picture
Solaris with Key Management Framework
[Figure: Key Management Framework diagram]
This picture is from the Solaris Key Management Framework slides by Wyllys Ingersoll