Embed Size (px)
Citation preview
CPKCryptosystemin OpenSolarisZhi GuanChina ERI, Sun Microsystems,March, 2008
Outline
• CPK cryptosystem overview
• CPK Message Syntax
• CPK in Solaris Cryptographic Framework
• CPK in Solaris Key Management Framework
• CPK Code Signing in Solaris
• Other Applications
CPK Cryptosystem
• CPK: Combined Public Key
• What is CPK?
❖ At first, it is a key management scheme
❖ Second, it provides identity based encryption and and signature scheme.
• Comparison with PKI
Map an Identity to Key Pair
!
"""#
s11 s12 · · · s1n
s21 s22 · · · s2n...
.... . .
...sm1 sm2 · · · smn
$
%%%&
Private Key Matrix
!
"""#
s11G s12G · · · s1nGs21G s22G · · · s2nG
......
. . ....
sm1G sm2G · · · smnG
$
%%%&
Public Key Matrix
dID =n!1!
i=0
shi,i (mod p)
Userʼs Private Key
QID =n!1!
i=0
shiiG
Userʼs Public Key
!h1, h2, . . . , hn" # H(ID)
H(ID)
H(ID)
Identity Based Encryption
CPK_Encrypt(Plaintext, ID, PublicMatrix) { Indexes = H(ID); ECPublicKey = Map(Indexes, PublicMatrix); Ciphertext = ECEncrypt(Plaintext, ECPublicKey); return Ciphertext;}
CPK_Decrypt(Plaintext, ECPrivateKey) { Plaintext = ECEncrypt(Plaintext, ECPublicKey); return Ciphertext;}
CPK Message Syntax
CPK Objects
• Public system parameters public matrix
• Master secret : private matrix
• User’s private key
• User’s user’s identifierObject
Private Matrix
PublicMatrix
IdentifierPrivate
Key
CPK Cryptographic Messages
• Signature
• Public key encrypted session key.
• Signed data
• Public key encrypted data.
• Signed and public key encrypted data.
PKCS #7 General Syntax: ContentInfo
the format of content is explicitly defined by the “content type”.
The content type options include:•data•signedData•encryptedData•envelopedData•signedAndEnvelopedData
specified by an Object Identifier, which is a global unique identifier.
content type
ContentInfo
content
PKCS #7 Raw Data
content type
ContentInfoData
EncryptedData
SignedData
EnvelopedData
SignedAndEnvelopedData
PKCS #7 EncryptedData
version
EncryptedData
content type
EncryptedContentInfo
encryption algor
encrypted content
PKCS #7 EnvelopedData
content type
EncryptedContentInfo
encryption algor
encrypted content
version
EnvelopedData
recipientInfos
PKCS #7 RecipientInfo
encrypted key
key encryption algor
recipient’s id
version
RecipientInfo
ECIES (Elliptic Curve Integrated Encryption Scheme)
Encrypted symmetric key
PKCS #7 SignedData
SignerInfos
CRLs
certificates
ContentInfo
digest algorithms
version
SignedData
Data
EncryptedData
......
no useful attributes for CPK
PKCS #7 SignerInfo
signature
sign algorithm
signed attributes
digest algorithm
signer’s id
version
SignerInfo
unsigned attributes
Specify the signer. In PKI this field specify signer’s certificate, in CPK this field specify signer’s CPK Identity.
for example, the date and time of the signing.
for exampel, ECDSA with SHA1 signing algorithm
PKCS #7 SignedAndEnvelopedData
CRLs
certificates
encryptedConentInfo
digest algorithms
recipientInfos
version
SignedAndEnvelopedData
signerInfos
Data Types Presentation and Encoding
• ASN.1
• BER
• DER
CPK Interfaces
Identity Based Cryptography Interface
CPK in Solaris Cryptographic Framework
Solaris User-space Cryptographic Framework
Service Consumer Interface (PKCS#11)
Service Provider Interface (PKCS#11)
CPK Java Applications
JCE
(Java Crypto Extension)
JNI
CPK C/C++ Applications
pkcs11_
cpk.sopkcs11_
softtoken.so
pkcs11_
kernel.so
!libcpk
pkcs11_
cpktoken.so
!libcpk
PKCS #11: Crypto Token Interface Standard!"# $%&'#(!!#)*+*,-#&./$012.3$45%67#5706.83&6#'03793.9#
&:;<=>?@A#B#*,,"#.'3#'CDE=>A<#5FD+# # GEFC#*,,"#
!"#$%&'$()%*"+&,-+$%.
/001*(-"*23&4
!"#$%&'(
!"#$%&'$()%*"+&,-+$%.
/001*(-"*23&5
!"#$%&'(
6$7*($&823"$3"*239'+3(#%23*:-"*23
'12"&4
;25$3&4
<6$7*($&4=
'12"&3
;25$3&3
<6$7*($&3=
#
!"#$%&'()'*&+&%,-'.%/0123"'425&-'
&=<;A:H>#;=:I>JCK#LF#>FAC=MLDC#A:#:FC#:=#N:=C#D=<;A:?=L;@>D#JCI>DCK#A@LA#L=C#LDA>IC#>F#A@C#
K<KACN#A@=:E?@#L#FENOC=#:M#PKQ:AKR+##6LD@#KQ:AS#T@>D@#D:==CK;:FJK#A:#L#;@<K>DLQ#=CLJC=#:=#
:A@C=# JCI>DC# >FAC=MLDCS#NL<# D:FAL>F# L# A:HCF+# #3# A:HCF# >K# A<;>DLQQ<# P;=CKCFA# >F# A@C# KQ:AR#
T@CF#L#D=<;A:?=L;@>D#JCI>DC#>K#;=CKCFA#>F#A@C#=CLJC=+##1M#D:E=KCS#K>FDC#&=<;A:H>#;=:I>JCK#
L# Q:?>DLQ# I>CT# :M# KQ:AK# LFJ# A:HCFKS# A@C=C# NL<# OC# :A@C=# ;@<K>DLQ# >FAC=;=CALA>:FK+# # 5A# >K#
;:KK>OQC# A@LA# NEQA>;QC# KQ:AK# NL<# K@L=C# A@C# KLNC# ;@<K>DLQ# =CLJC=+# # 0@C# ;:>FA# >K# A@LA# L#
K<KACN#@LK#K:NC#FENOC=#:M#KQ:AKS#LFJ#L;;Q>DLA>:FK#DLF#D:FFCDA#A:#A:HCFK#>F#LF<#:=#LQQ#:M#
A@:KC#KQ:AK+#
3#D=<;A:?=L;@>D#JCI>DC#DLF#;C=M:=N#K:NC#D=<;A:?=L;@>D#:;C=LA>:FKS#M:QQ:T>F?#L#DC=AL>F#
D:NNLFJ#KCAU#A@CKC#D:NNLFJK#L=C#A<;>DLQQ<#;LKKCJ#A@=:E?@#KALFJL=J#JCI>DC#J=>IC=KS#M:=#
>FKALFDC#$&V&53#DL=J#KC=I>DCK#:=#K:DHCA#KC=I>DCK+##&=<;A:H>#NLHCK#CLD@#D=<;A:?=L;@>D#
JCI>DC# Q::H# Q:?>DLQQ<# Q>HC# CIC=<# :A@C=# JCI>DCS# =C?L=JQCKK# :M# A@C# >N;QCNCFALA>:F#
ACD@F:Q:?<+# # 0@EK# A@C# L;;Q>DLA>:F# FCCJ# F:A# >FAC=MLDC# J>=CDAQ<# A:# A@C# JCI>DC# J=>IC=K# W:=#
CICF# HF:T# T@>D@# :FCK# L=C# >FI:QICJXU# &=<;A:H># @>JCK# A@CKC# JCAL>QK+# # 5FJCCJS# A@C#
EFJC=Q<>F?#PJCI>DCR#NL<#OC#>N;QCNCFACJ#CFA>=CQ<#>F#K:MATL=C#WM:=#>FKALFDCS#LK#L#;=:DCKK#
=EFF>F?#:F#L#KC=IC=XYF:#K;CD>LQ#@L=JTL=C#>K#FCDCKKL=<+#
&=<;A:H>#>K#Q>HCQ<#A:#OC#>N;QCNCFACJ#LK#L#Q>O=L=<#KE;;:=A>F?#A@C#MEFDA>:FK#>F#A@C#>FAC=MLDCS#
LFJ#L;;Q>DLA>:FK#T>QQ#OC#Q>FHCJ#A:#A@C#Q>O=L=<+##3F#L;;Q>DLA>:F#NL<#OC#Q>FHCJ#A:#&=<;A:H>#
J>=CDAQ<U# LQAC=FLA>ICQ<S# &=<;A:H># DLF# OC# L# K:ZDLQQCJ# PK@L=CJR# Q>O=L=<# W:=# J<FLN>D# Q>FH#
PKCS #11 Functions
• Slot and token management functions
• Session management functions
• Cryptographic functions
❖ Encryption and decryption
❖ Message digesting
❖ MAC generation and verification
❖ Signing and Verification
❖ Key management
PKCS #11 ObjectsPKCS#11
Object
CertificateKeyData
Secret KeyPrivate KeyPublic Key
ECC PublicKey
CPK IdentityInfo
CPK PublicMatrix
ECC PrivateKey
CPK PrivateKey
CPK PrivMatrix
PKCS #11 Functions
• Generate system parameters
❖ C_CreateObject
❖ C_GenerateKey
❖ C_GenerateKeyPair
• Extract private key or public key from matrixes
❖ C_DeriveKey
Identity Based Encryption
Identity Based Signing
PKCS #7 Data Types
• SignerInfo
CPK in Solaris Key Management Framework
Solaris Key Management Framework
• Centralized key storage and management framework.
• Support PKI programing interfaces
OS without Centralized Key Management
• Every applications must have there own cryptography implementations and key management and storage mechanisms.
App
KeyStore
App
KeyStore
App
KeyStore
Solaris with Key Management Framework
!"#$%&$'()*+(),,-
!"#$%&'$(&)*+,-
.-)+,-$.-)+,-$
./-00./-001!21!2
!-3$"454'-6-5*$#,46-78,9!-3$"454'-6-5*$#,46-78,9
.:.;.:.;
..;..;
<4=4>?<4=4>?
<@:<@:
<@:
<@:
(,8=&A-,
(,8=&A-,
B..C:(1
B..C:(1
D&'-?*C"DE
D& '-?*C"DE
@F:"C"DE
@F:"C"DE
!"#!"#
D-=-08G6-5*D-=-08G6-5*
@-,*&H&)4*-@-,*&H&)4*-
I40&A4*&85I40&A4*&85
(,8=&A-,?(,8=&A-,?
!-3!-3
"'6*"'6*
(,8=&A-,?(,8=&A-,?
B..C:(1B..C:(1
$$ (!$!-,J-,8?
(!$!-,J-,8?
(+J0&)$!-3
(+J0&)$!-3
(!KLL;(!KLL;
([email protected]([email protected] N..N.. #&0-?#&0-? L@.(L@.( @F;@F; (!1O(!1O
25,8006-5*25,8006-5*
(,8=&A-,?(,8=&A-,?
!"#$%#&'()*
(,8',466&5'$:(1
#+*+,-$#+*+,-$
15*-',4*&85$7&*/15*-',4*&85$7&*/
!"#!"#
this picture is from Solaris Key Management Framework sliders by Wyllys Ingersoll
Solaris with Key Management Framework
!"#$%&$'()*+(),,-
!"#$%&'$(&)*+,-
.-)+,-$.-)+,-$
./-00./-001!21!2
!-3$"454'-6-5*$#,46-78,9!-3$"454'-6-5*$#,46-78,9
.:.;.:.;
..;..;
<4=4>?<4=4>?
<@:<@:
<@:
<@:
(,8=&A-,
(,8=&A-,
B..C:(1
B..C:(1
D&'-?*C"DE
D& '-?*C"DE
@F:"C"DE
@F:"C"DE
!"#!"#
D-=-08G6-5*D-=-08G6-5*
@-,*&H&)4*-@-,*&H&)4*-
I40&A4*&85I40&A4*&85
(,8=&A-,?(,8=&A-,?
!-3!-3
"'6*"'6*
(,8=&A-,?(,8=&A-,?
B..C:(1B..C:(1
$$ (!$!-,J-,8?
(!$!-,J-,8?
(+J0&)$!-3
(+J0&)$!-3
(!KLL;(!KLL;
([email protected]([email protected] N..N.. #&0-?#&0-? L@.(L@.( @F;@F; (!1O(!1O
25,8006-5*25,8006-5*
(,8=&A-,?(,8=&A-,?
!"#$%#&'()*
(,8',466&5'$:(1
#+*+,-$#+*+,-$
15*-',4*&85$7&*/15*-',4*&85$7&*/
!"#!"#
this picture is from Solaris Key Management Framework sliders by Wyllys Ingersoll
Solaris with Key Management Framework
!"#$%&$'()*+(),,-
!"#$%&'$(&)*+,-
.-)+,-$.-)+,-$
./-00./-001!21!2
!-3$"454'-6-5*$#,46-78,9!-3$"454'-6-5*$#,46-78,9
.:.;.:.;
..;..;
<4=4>?<4=4>?
<@:<@:
<@:
<@:
(,8=&A-,
(,8=&A-,
B..C:(1
B..C:(1
D&'-?*C"DE
D& '-?*C"DE
@F:"C"DE
@F:"C"DE
!"#!"#
D-=-08G6-5*D-=-08G6-5*
@-,*&H&)4*-@-,*&H&)4*-
I40&A4*&85I40&A4*&85
(,8=&A-,?(,8=&A-,?
!-3!-3
"'6*"'6*
(,8=&A-,?(,8=&A-,?
B..C:(1B..C:(1
$$ (!$!-,J-,8?
(!$!-,J-,8?
(+J0&)$!-3
(+J0&)$!-3
(!KLL;(!KLL;
([email protected]([email protected] N..N.. #&0-?#&0-? L@.(L@.( @F;@F; (!1O(!1O
25,8006-5*25,8006-5*
(,8=&A-,?(,8=&A-,?
!"#$%#&'()*
(,8',466&5'$:(1
#+*+,-$#+*+,-$
15*-',4*&85$7&*/15*-',4*&85$7&*/
!"#!"#
this picture is from Solaris Key Management Framework sliders by Wyllys Ingersoll
CPK
CPK Functions in KMF
• KMF_FindKey()
• CPK keystore handle will be inputed
• An CPK Identity will be inputed
• The ECC public key will be outputed
• KMF_SignDataWithKey
• KMF_VerifyDataWithKey
CPK Code Signing in Solaris
• Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered.
• All sorts of code should be signed, including tools, applications, scripts, libraries, plug-ins, and other “code-like” data.
Code Signing Overview
• A unique identifier, used to identify the code or to determine to which groups or categories the code belongs.
• A collection of checksums of the various parts of the program, such as the identifier, the main executable, the resource files.
• A digital signature, which signs the seal to guarantee its integrity.
Add a Signature into Executable Binary
.text
Executable
.data
.bss}
signature
Sign
• The signing tool will generate a signature of the executable binary, and insert the signature into the binary.
• When loading the binary, the kernel will check if the signature.
• The kernel will also check if the signer will be right.
Other Disadvantages
• The user is likely to be bothered with additional dialog boxes and prompts for unsigned code that they don’t see with signed code, and unsigned code might not work as expected with some system components.
• Computation and storage overhead.
What it can do
• Content Source: End users can confirm that the software really comes from the publisher who signed it.
• Content Integrity: End users can verify that the software has not been altered or corrupted since it was signed.
What it can NOT do
• It can’t guarantee that the code is free of security vulnerabilities.
• It can’t guarantee that a program will not load unsafe or altered code—such as untrusted plug-ins—during execution.
• It can’t determine how much to “trust” the code.
• Attacks from administrator.
Other Disadvantages
• The user is likely to be bothered with additional dialog boxes and prompts for unsigned code that they don’t see with signed code, and unsigned code might not work as expected with some system components.
• Computation and storage overhead.
Code Signing Applications
• Anti-virus, anti-rootkit
• Parent control
Executables on Solaris
• Solaris supports three types of executables through 4 loadable kernel modules.
Ref: uts/common/sys/exec.h, uts/common/exec/
ELF
A.OUT
Binary
INTP
Scripts
JAVA
Bytecode
Code Signing for these Executables
• ELF supports application defined sections. A CPK signature can be inserted into a ELF file. The details of how to sign an ELF will be described in the following sliders.
• A.out is very old, we can simply forbid the loading of the a.out execution module.
• Scripts are text files that start with “#!/bin/bash” like instructions. Signatures can be base64 encoded and inserted into comments.
• Java bytecode should be handled by JVM.
Now Look at the Code
• The root of the source code tree is
❖ http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/
• When a executable file is loaded, the procedure is
User Space Functions
Kernel Space
execl( ) execle() execv()
execve ( )
_syscall( SYS_execve )
execve()
Kernel Space Functions (Original)
exece()
exec_common()
gexec()
elfexec() aoutexec() intpexec() javaexec()
uts/common/os/exec.c
functions in kernel modules: uts/common/exec/*
switch (exectype)
elf a.out script java
Kernel Space Functions (with CPK)
exece()
exec_common()
gexec()
elfexec()
with CPKsignaturechecking
uts/common/os/exec.c
switch (exectype)
elf a.out script java
intpexec()
with CPKsignaturechecking
javaexec()
Attribute Meaning
execv
execl
execve
_syscall lib/libc/i386/sys/syscall.s
syscall
exece uts/common/os/exec.c
ELF (Executable and Linking Format) Details
OBJECT FILES 1-1
Introduction
This chapter describes the object file format, called ELF (Executable and Linking Format).
There are three main types of object files.
• A relocatable file holds code and data suitable for linking with other object files to create an
executable or a shared object file.
• An executable file holds a program suitable for execution.
• A shared object file holds code and data suitable for linking in two contexts. First, the link
editor may process it with other relocatable and shared object files to create another object file.
Second, the dynamic linker combines it with an executable file and other shared objects to
create a process image.
Created by the assembler and link editor, object files are binary representations of programs
intended to execute directly on a processor. Programs that require other abstract machines are
excluded.
After the introductory material, this chapter focuses on the file format and how it pertains to
building programs. Chapter 2 also describes parts of the object file, concentrating on the
information necessary to execute a program.
File Format
Object files participate in program linking (building a program) and program execution
(running a program). For convenience and efficiency, the object file format provides parallel
views of a file's contents, reflecting the differing needs of these activities. Figure 1-1 shows
an object file's organization.
Figure 1-1. Object File Format
OSD1980
ELF Header
Program Header Table
Section 1
Section Header Table
. . .
Section n
. . .
Linking View
. . .
optional
ELF Header
Program Header Table
Segment 1
Section Header Table
. . .
Execution View
Segment 2
optional
ELF Header
• An ELF header resides at the beginning and holds a "road map'' describing the file's organization. Sections hold the bulk of object file information for the linking view: instructions, data, symbol table, relocation information, and so on. Descriptions of special sections appear later in this section. Chapter 2 also describes segments and the program execution view of the file.
Program Header Table
• A program header table, if present, tells the system how to create a process image. Files used to build a process image (execute a program) must have a program header table; relocatable files do not need one. A section header table contains information describing the file's sections. Every section has an entry in the table; each entry gives information such as the section name, the section size, and so on. Files used during linking must have a section header table; other object files may or may not have one.
Looking Inside ELF File
ELF Header
ProgramHeader Item
ProgramHeader Item
Section
Section
SectionHeader Item
SectionHeader Item
Section(Optional)
ELF Header
Attribute Meaning
p_type type of segment
p_offset segment offset in the file
p_vaddr segment vertual address in the memory
p_filesz
p_memsz
p_flags
p_align
/onnv/onnv-gate/usr/src/uts/common/sys/elf.h
ELF Program Header
Attribute Meaning
p_type type of segment
p_offset segment offset in the file
p_vaddr segment vertual address in the memory
p_filesz
p_memsz
p_flags
p_align
ELF32_Phdr
ELF Section Header
Attribute Meaning
sh_name type of segment
sh_type segment offset in the file
sh_flags segment vertual address in the memory
sh_addr
sh_offset
sh_size
sh_link
sh_info
sh_addralign
sh_entsize
Sections
• An object file's section header table lets one locate all the file's sections. The section header table is an array of Elf32_Shdr structures as described below. A section header table index is a subscript into this array.
• The ELF header's e_shoff member gives the byte offset from the beginning of the file to the section header table; e_shnum tells how many entries the section header table contains; e_shentsize gives the size in bytes of each entry.
System Sections
• Section names with a dot (.) prefix are reserved for the system, although applications may use these sections if their existing meanings are satisfactory. Applications may use names without the prefix to avoid conflicts with system sections. The object file format lets one define sections not in the list above. An object file may have more than one section with the same name.
System SectionsAttribute Meaning
.bss type of segment
.comment segment offset in the file
.data, .data1
.debug
.dynamic
.hash
.line
.note
.rodata, .rodata1
.shstrtab
.symtab
.text
CPK Signature Section Content
SignerInfos
CRLs: null
certificates: null
ContentInfo = Data
digest algors = sha1
version: >current
SignedDatacontent type
ContentInfo
content
CPK Signature Section Example
CPK Kernel Modules
common/crypto/
ecc
common/crypto/cpk
common/mpi
common/crypto/
sha1,sha2
uts/common/exec/elf(with CPK checking)
Pub MatrixPolicy
uts/common/exec/intp(with CPK checking)
CPK Signature Checking Procedure
• Prepare: load and parse public matrix from file
• Check:
1. Extract signature section from ELF
2. Extract signer’s ID from signature section
3. Extract ECDSA signature from signature section
4. Generate signer’s public key from public matrix with signer’s ID
5. Verify the ECDSA signature with ELF and signer’s public key by kCF ECC mod.
Checking Policies
• signer’s identifier
• Program’s identifier
• Domain
Other Applications
• CPK command line tool
• CPK GUI front end
• CPK PAM module
End :)
Last modified: Mar. 16, 2008
![Improved Cryptanalysis of the KMOV Elliptic Curve Cryptosystem · Both attacks improve the existing attacks on the KMOV cryptosystem. 1 Introduction The RSA cryptosystem [21], invented](https://img.dokumen.tips/doc/110x75/5f0265ed7e708231d4041456/improved-cryptanalysis-of-the-kmov-elliptic-curve-cryptosystem-both-attacks-improve.jpg)
