CPK Cryptosystem in OpenSolaris
Zhi Guan
China ERI, Sun Microsystems,
March, 2008
Outline

 • CPK cryptosystem overview
 • CPK Message Syntax
 • CPK in Solaris Cryptographic Framework
 • CPK in Solaris Key Management Framework
 • CPK Code Signing in Solaris
 • Other Applications
CPK Cryptosystem

 • CPK: Combined Public Key
 • What is CPK?
  ❖ At first, it is a key management scheme
  ❖ Second, it provides identity-based encryption
    and signature schemes.

 • Comparison with PKI
Map an Identity to Key Pair

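  $$h_1, h_2, \ldots, h_n \leftarrow H(\mathrm{ID})$$

  Private Key Matrix → User's Private Key

  $$\begin{pmatrix} s_{11} & s_{12} & \cdots & s_{1n} \\ s_{21} & s_{22} & \cdots & s_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1} & s_{m2} & \cdots & s_{mn} \end{pmatrix} \xrightarrow{\;H(\mathrm{ID})\;} d_{\mathrm{ID}} = \sum_{i=0}^{n-1} s_{h_i,i} \pmod{p}$$

  Public Key Matrix → User's Public Key

  $$\begin{pmatrix} s_{11}G & s_{12}G & \cdots & s_{1n}G \\ s_{21}G & s_{22}G & \cdots & s_{2n}G \\ \vdots & \vdots & \ddots & \vdots \\ s_{m1}G & s_{m2}G & \cdots & s_{mn}G \end{pmatrix} \xrightarrow{\;H(\mathrm{ID})\;} Q_{\mathrm{ID}} = \sum_{i=0}^{n-1} s_{h_i,i}\,G$$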
Identity Based Encryption

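 // Sender: needs only the recipient's ID and the public matrix.
 CPK_Encrypt(Plaintext, ID, PublicMatrix) {
     Indexes = H(ID);                              // h1 ... hn
     ECPublicKey = Map(Indexes, PublicMatrix);     // QID, combined from the matrix
     Ciphertext = ECEncrypt(Plaintext, ECPublicKey);
     return Ciphertext;
 }

 // Recipient: uses the private key dID that corresponds to the ID.
 CPK_Decrypt(Ciphertext, ECPrivateKey) {
     Plaintext = ECDecrypt(Ciphertext, ECPrivateKey);
     return Plaintext;
 }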
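
The identity-to-key mapping and the Map(Indexes, PublicMatrix) step above, as an added example that is not code from the slides or from OpenSolaris. The curve (secp256k1), the SHA-256 index mapping, the matrix size, and the hashed shared point standing in for ECEncrypt/ECDecrypt are all assumptions.

```python
import hashlib
import secrets

# secp256k1 domain parameters. The curve is an assumption; the slides name none.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Add two affine points on y^2 = x^3 + 7 over GF(P); None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time, demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def generate_matrices(rows, cols):
    """Key centre: private matrix s_ij (master secret) and public matrix s_ij*G."""
    priv = [[secrets.randbelow(N - 1) + 1 for _ in range(cols)] for _ in range(rows)]
    pub = [[ec_mul(s, G) for s in row] for row in priv]
    return priv, pub


def identity_indexes(identity, rows, cols):
    """H(ID): one row index per column. Hypothetical mapping via SHA-256 bytes."""
    digest = hashlib.sha256(identity.encode("utf-8")).digest()
    if cols > len(digest):
        raise ValueError("this toy mapping supports at most 32 columns")
    return [digest[i] % rows for i in range(cols)]


def derive_private_key(identity, priv):
    """d_ID = sum of s[h_i][i] mod N (the slide writes the modulus as p)."""
    idx = identity_indexes(identity, len(priv), len(priv[0]))
    return sum(priv[h][i] for i, h in enumerate(idx)) % N


def derive_public_key(identity, pub):
    """Q_ID = sum of the points s[h_i][i]*G; needs only public data."""
    idx = identity_indexes(identity, len(pub), len(pub[0]))
    q = None
    for i, h in enumerate(idx):
        q = ec_add(q, pub[h][i])
    return q


def encapsulate(identity, pub):
    """Sender: derive a session key for `identity` from the public matrix alone."""
    r = secrets.randbelow(N - 1) + 1
    shared = ec_mul(r, derive_public_key(identity, pub))
    return ec_mul(r, G), hashlib.sha256(shared[0].to_bytes(32, "big")).digest()


def decapsulate(ephemeral, d_id):
    """Recipient: recover the same session key with the private key d_ID."""
    shared = ec_mul(d_id, ephemeral)
    return hashlib.sha256(shared[0].to_bytes(32, "big")).digest()


if __name__ == "__main__":
    priv, pub = generate_matrices(rows=8, cols=4)      # constructed sizes
    user = "alice@example.com"                         # constructed identity
    d = derive_private_key(user, priv)
    print("d_ID*G == Q_ID:", ec_mul(d, G) == derive_public_key(user, pub))
    eph, key = encapsulate(user, pub)
    print("session keys match:", decapsulate(eph, d) == key)
```

The sender never contacts the recipient or a directory: the identifier and the public matrix are enough to compute Q_ID, which is why the private matrix has to be held as the master secret.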
CPK Message Syntax
CPK Objects

 • Public system parameters: public matrix
 • Master secret: private matrix
 • User’s private key
 • User’s identifier

 [Diagram: Object → Private Matrix, Public Matrix, Identifier, Private Key]
CPK Cryptographic Messages

 • Signature
 • Public key encrypted session key.
 • Signed data
 • Public key encrypted data.
 • Signed and public key encrypted data.
PKCS #7 General Syntax: ContentInfo


     ContentInfo
      • content type: specified by an Object Identifier,
        which is a globally unique identifier.
      • content: the format of content is explicitly
        defined by the “content type”.

     The content type options include:
      • data
      • signedData
      • encryptedData
      • envelopedData
      • signedAndEnvelopedData
PKCS #7 Raw Data


     ContentInfo
      • content type, one of:
        ❖ Data
        ❖ EncryptedData
        ❖ SignedData
        ❖ EnvelopedData
        ❖ SignedAndEnvelopedData
PKCS #7 EncryptedData

     EncryptedData
      • version
      • EncryptedContentInfo
        ❖ content type
        ❖ encryption algor
        ❖ encrypted content
PKCS #7 EnvelopedData


     EnvelopedData
      • version
      • recipientInfos
      • EncryptedContentInfo
        ❖ content type
        ❖ encryption algor
        ❖ encrypted content
PKCS #7 RecipientInfo


     RecipientInfo
      • version
      • recipient’s id
      • key encryption algor: ECIES (Elliptic Curve Integrated
        Encryption Scheme)
      • encrypted key: Encrypted symmetric key
PKCS #7 SignedData


     SignedData
      • version
      • digest algorithms
      • ContentInfo: Data, EncryptedData, ......
      • certificates
      • CRLs
        (certificates and CRLs: no useful attributes for CPK)
      • SignerInfos
PKCS #7 SignerInfo

     SignerInfo
      • version
      • signer’s id: specifies the signer. In PKI this field
        specifies the signer’s certificate; in CPK this field
        specifies the signer’s CPK Identity.
      • digest algorithm
      • signed attributes: for example, the date and time of
        the signing.
      • sign algorithm: for example, the ECDSA with SHA1
        signing algorithm
      • signature
      • unsigned attributes
PKCS #7 SignedAndEnvelopedData

     SignedAndEnvelopedData
      • version
      • recipientInfos
      • digest algorithms
      • encryptedContentInfo
      • certificates
      • CRLs
      • signerInfos
Data Types Presentation and Encoding

 • ASN.1
 • BER
 • DER
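
An added example (not from the slides) that builds and strictly parses a DER-encoded ContentInfo using the RFC 2315 content type OIDs. It goes slightly beyond the slides by rejecting BER-only forms such as indefinite lengths; the payload and all function names are constructed for illustration.

```python
# PKCS #7 content type OIDs from RFC 2315, section 14.
PKCS7_TYPES = {
    "1.2.840.113549.1.7.1": "data",
    "1.2.840.113549.1.7.2": "signedData",
    "1.2.840.113549.1.7.3": "envelopedData",
    "1.2.840.113549.1.7.4": "signedAndEnvelopedData",
    "1.2.840.113549.1.7.6": "encryptedData",
}
OID_DATA = "1.2.840.113549.1.7.1"

def der_length(n):
    if n < 0x80:                       # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # minimal long form

def tlv(tag, value):
    return bytes([tag]) + der_length(len(value)) + value

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]           # last octet has the high bit clear
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return bytes(out)

def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OBJECT IDENTIFIER")
    arcs = [body[0] // 40, body[0] % 40]   # enough for the 1.x OIDs used here
    value = 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf, offset=0):
    """Return (tag, value, next_offset). Low tag numbers, DER lengths only."""
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[offset], buf[offset + 1]
    offset += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0:
            raise ValueError("indefinite length is BER, not DER")
        if offset + count > len(buf):
            raise ValueError("truncated length octets")
        length = int.from_bytes(buf[offset:offset + count], "big")
        if length < 0x80 or buf[offset] == 0:
            raise ValueError("non-minimal DER length")
        offset += count
    if offset + length > len(buf):
        raise ValueError("value runs past the end of the buffer")
    return tag, buf[offset:offset + length], offset + length

def build_data_content_info(payload):
    """ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }."""
    content = tlv(0xA0, tlv(0x04, payload))        # Data is an OCTET STRING
    return tlv(0x30, tlv(0x06, encode_oid(OID_DATA)) + content)

def parse_content_info(der):
    """Return (content type name, bytes inside the [0] wrapper or None)."""
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one SEQUENCE and no trailing bytes")
    tag, oid_body, pos = read_tlv(seq)
    if tag != 0x06:
        raise ValueError("contentType must be an OBJECT IDENTIFIER")
    oid = decode_oid(oid_body)
    content = None
    if pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        if tag != 0xA0 or pos != len(seq):
            raise ValueError("content must be a single [0] EXPLICIT element")
    return PKCS7_TYPES.get(oid, "unknown " + oid), content

def is_der_content_info(der):
    try:
        parse_content_info(der)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    der = build_data_content_info(b"hello CPK")     # constructed payload
    print(der.hex(), parse_content_info(der))
    ber = bytes.fromhex("308006092a864886f70d0107010000")  # constructed BER form
    print("BER accepted:", is_der_content_info(ber))
```

Accepting only one canonical encoding matters most for signedData, where the verifier must hash exactly the bytes the signer hashed.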
CPK Interfaces
Identity Based Cryptography Interface
CPK in Solaris Cryptographic Framework

 Layers in the diagram, top to bottom:
  • CPK Java Applications, through JCE (Java Crypto Extension) and JNI;
    CPK C/C++ Applications
  • Service Consumer Interface (PKCS#11)
  • Solaris User-space Cryptographic Framework
  • Service Provider Interface (PKCS#11)
  • Providers: pkcs11_softtoken.so, pkcs11_kernel.so,
    pkcs11_cpk.so (libcpk), pkcs11_cpktoken.so (libcpk)
PKCS #11: Crypto Token Interface Standard
PKCS #11 Functions

 • Slot and token management functions
 • Session management functions
 • Cryptographic functions
  ❖ Encryption and decryption
  ❖ Message digesting
  ❖ MAC generation and verification
  ❖ Signing and Verification
  ❖ Key management
PKCS #11 Objects

 Object hierarchy (rows of the diagram, top to bottom):
  • PKCS#11 Object
  • Data, Key, Certificate
  • Public Key, Private Key, Secret Key
  • CPK IdentityInfo, CPK PublicMatrix, CPK PrivMatrix, CPK PrivateKey
  • ECC PublicKey, ECC PrivateKey
PKCS #11 Functions

 • Generate system parameters
   ❖ C_CreateObject
   ❖ C_GenerateKey
   ❖ C_GenerateKeyPair

 • Extract private key or public key from matrixes
   ❖ C_DeriveKey
Identity Based Encryption
Identity Based Signing
PKCS #7 Data Types

 • SignerInfo
CPK in Solaris Key Management Framework
Solaris Key Management Framework

 • Centralized key storage and management
   framework.

 • Supports PKI programming interfaces
OS without Centralized Key Management

 • Every application must have its own
   cryptography implementation and its own key
   management and storage mechanisms.

 [Diagram: three applications (App), each with its own Key Store]
Solaris with Key Management Framework

 [Figure: Solaris Key Management Framework architecture diagram; the text of the figure was not recoverable]

This picture is from the Solaris Key Management Framework slides by Wyllys Ingersoll.