You can do anything with a public key crypto algorithm that you can do with a symmetric key crypto algorithm, only slower. This includes confidentiality, in the form of transmit- ting data over an insecure channel or securely storing data on an insecure media. It also includes integrity, where public key signing plays the role of a symmetric key MAC.
But public key crypto offers two major advantages over symmetric key crypto. The first is that with public key crypto, we don’t need to established a shared key in advance. The second major advantage is that digital signatures offer not only integrity but also non-repudiation. We’ll look closer at these two advantages below.
4.7.1
Confidentiality in the Real World
The primary advantage of symmetric key cryptography is efficiency.4 In the realm of confidentiality, the primary advantage of public key cryptography is the fact that no shared key is required.
Is there any way that we can get the best of both worlds? That is, can we have the efficiency of symmetric key crypto and yet not have to share a key in advance, as with public key crypto? The answer is an emphatic yes. The way to achieve this highly desirable result is with ahybrid cryptosystem, where public key crypto is used to establish a symmetric key, and the resulting symmetric key is then used to encrypt the data. A hybrid cryptosystem is illustrated in Figure 4.4.
The hybrid cryptosystem in Figure 4.4 is only for illustrative purposes. In fact, Bob has no way to know that he’s talking to Alice—since anyone can do public key operations—so he would be foolish to encrypt sensitive data and send it to “Alice” following this protocol. We’ll have much more to say about secure authentication and key establishment protocols in a later chapter.
4.7.2
Signatures and Non-repudiation
Public key crypto can be used for integrity. Recall that, with symmetric key crypto, a MAC provides for integrity. Public key signatures provide integrity, but they also provide
Figure 4.4. Hybrid cryptosystem.
USES FOR PUBLIC KEY CRYPTO 77
non-repudiation, which is something that symmetric keys by their very nature cannot provide.
To understandnon-repudiation, let’s first consider integrity in the symmetric key case. Suppose Alice orders 100 shares of stock from her favorite stockbroker, Bob. To ensure the integrity of her order, Alice computes a MAC using a shared symmetric keyKAB. Suppose that shortly after Alice places the order—and before she has paid any money to Bob—the stock loses 80% of its value. At this point Alice claims that she did not place the order, that is, sherepudiatesthe transaction.
Can Bob prove that Alice placed the order? No, he cannot. Since Bob also knows the symmetric keyKAB, he could have forged the message in which Alice placed the order. So even though Bob knows that Alice placed the order, he can’t prove it.
Now consider the same scenario, but with Alice using a digital signature in place of the MAC computation. As with the MAC computation, the signature provides integrity. Now suppose that Alice tries to repudiate the transaction. Can Bob prove that the order came from Alice? Yes he can, since only Alice has access to her private key. Digital signatures therefore provide integrity and non-repudiation. We’ll have more to say about signatures and integrity in the next chapter.
4.7.3
Confidentiality and Non-repudiation
Suppose Alice wants to send a message M to Bob. For confidentiality, Alice can encryptMwith Bob’s public key, and for integrity and non-repudiation, she can signM with her private key. But suppose that Alice, who is very security conscious, wants both confidentiality and non-repudiation. Then she can’t simply signMas that will not pro- vide confidentiality, and she can’t simply encryptMas that won’t provide integrity. The solution seems straightforward enough—Alice can sign the messageMand encrypt the result before sending it to Bob, that is,
{[M]Alice}Bob.
Or is it better for Alice to encrypt Mfirst and then sign the result? In this case, Alice would compute
[{M}Bob]Alice.
Can the order possibly matter?
Let’s consider a couple of different scenarios, similar to those in [56]. First, suppose that Alice and Bob are romantically involved. Alice decides to send the message
M=“I love you” to Bob. So using sign and encrypt, she sends Bob
Figure 4.5.Pitfall of sign and encrypt.
Subsequently, Alice and Bob have a lovers tiff and Bob, in an act of spite, decrypts the signed message to obtain[M]Aliceand re-encrypts it as
{[M]Alice}Charlie.
Bob then sends this message to Charlie, as illustrated in Figure 4.5. Charlie thinks that Alice is in love with him, which causes a great deal of embarrassment for both Alice and Charlie, much to Bob’s delight.
Alice, having learned her lesson from this bitter experience, vows to never sign and encrypt again. When she wants confidentiality and non-repudiation, Alice will always encrypt then sign.
Some time later, after Alice and Bob have resolved their earlier dispute, Alice develops a great new theory that she wants to send to Bob. This time her message is [41]
M=“Brontosauruses are thin at one end, much much thicker in the middle, then thin again at the other end”
which she dutifully encrypts then signs
[{M}Bob]Alice
before sending to Bob.
However, Charlie, who is still angry with both Bob and Alice, has set himself up as a man-in-the-middle who is able to intercept all traffic between Alice and Bob. Charlie has heard that Alice is working on a great new theory, and he suspects that this particular encrypted and signed message has something to do with it. So Charlie uses Alice’s public key to compute{M}Bob, which he signs before sending it on to Bob,
[{M}Bob]Charlie.
This scenario is illustrated in Figure 4.6.
When Bob receives the message from Charlie, he assumes that this great new the- ory is Charlie’s, and he immediately gives Charlie a bonus. When Alice learns that Charlie has taken credit for her great new theory, she swears never to encrypt and sign again!
What is the problem here? In the first scenario, Charlie assumed that{[M]Alice}Charlie
PUBLIC KEY INFRASTRUCTURE 79
Figure 4.6. Pitfall of encrypt and sign.
public key is public. The problem in this case is that Charlie does not understand public key crypto.
In the second scenario, Bob assumed that[{M}Bob]Charliemust have originated with
Charlie, which is not the case, since Alice’s public key—which was used by Charlie to effectively remove Alice’s signature from the original message—is public. In this case, it is Bob who does not understand the limitations of public key crypto. In public key crypto, anyone can do the public key operations. That is, anyone can encrypt a message and anyone can verify a signature.