diff --git a/.jekyll-metadata b/.jekyll-metadata index 9289a3d8b..a9217b56e 100644 Binary files a/.jekyll-metadata and b/.jekyll-metadata differ diff --git a/_posts/2023/2023-08-13-a-prime-on-public-key-infrastructure.md b/_posts/2023/2023-08-13-a-prime-on-public-key-infrastructure.md index d5634f8cf..7a3ec0d91 100644 --- a/_posts/2023/2023-08-13-a-prime-on-public-key-infrastructure.md +++ b/_posts/2023/2023-08-13-a-prime-on-public-key-infrastructure.md @@ -17,36 +17,46 @@ show-avatar: false toc: true date: 2023/08/13 author: cesarsotovalero -published: false +published: true --- -Public Key Infrastructure (PKI) plays a crucial role in ensuring secure electronic information transfer for various network activities such as e-commerce, internet banking, and confidential email. It is particularly essential when simple passwords are insufficient for authentication, requiring stronger proof of identity for secure communication. In essence, PKI binds public keys with the identities of entities, like individuals and organizations, through a process of registration and issuance of digital certificates provided by Certificate Authority (CA). The CA is responsible for digitally signing and publishing the public keys, ensuring the trustworthiness of the binding. In this article, I It discuss the critical role of PKI in ensuring the authenticity and security of digital transactions and communication on the internet. +The internet is driven by the power of cryptography. Each time you visit a website, a cryptographic handshake occurs between your browser and a web server located somewhere on Earth. This is where Public Key Infrastructure (PKI) comes into play, a technology crucial for ensuring secure electronic information transfer between the two entities. PKI is integral to various network activities, including e-commerce, internet banking, and confidential email communications. +PKI becomes particularly vital when simple passwords are inadequate for authentication, necessitating a stronger proof of identity for secure communication. At its core, PKI binds public keys to the identities of entities such as individuals and organizations. This is done through a process of registration and the issuance of digital certificates. These certificates are provided by a Certificate Authority (CA), which is responsible for digitally signing and publishing the public keys to ensure the trustworthiness of this binding. + +In this article, I will delve into the cryptographic backbone of the internet as we know it. My focus is on the pivotal role of PKI in safeguarding the authenticity and security of digital transactions and communications across the internet. Let's dive in!
{% responsive_image path: img/posts/2023/2023-08-13/dark_well.jpg alt:"TODO" %}
- + Do not jump into the dark well without your keys! Photo of a piece of art in the Stockholm's Paradox Museum.
-# The Problem With Trust - -From the ancient times, people have tried to find ways to communicate securely. -The problem is that we need to trust the entity that delivers the message, and that the content of message itself is not modified. +# The Problem of Digital Trust -In essence, there are two fundamental problems to solve to achieve security in communication: +Since ancient times, the quest for secure communication has been a constant human endeavor. +In essence, there are two fundamental challenges that need to be addressed to ensure communication security: -- **Confidentiality:** Only the intended recipient should be able to read the message. -- **Integrity:** The message should not be modified by a third party. +- **Confidentiality:** Ensuring that only the intended recipient can understand the message. +- **Integrity:** Guaranteeing that the message remains unaltered by any third parties during transmission. + +In today's digital era, these challenges are magnified. +The internet demands not only lightning-fast communication channels but also, often, interactions between parties who have never met and may not inherently trust each other. +This raises a critical question: +_**Q:** How to build and maintain trust on a global scale?_ +As we delve deeper into this topic, we explore the mechanisms and technologies that are pivotal in scaling digital trust worldwide. +# Cryptography -# Encryption +https://en.wikipedia.org/wiki/Cryptography ## Symmetric Encryption +An example is the AES (Advanced Encryption Standard) used in the SSL/TLS protocol. + [//]: # (see https://mermaid-js.github.io) {% mermaid %} %%{init: {'theme':'base'}}%% @@ -68,8 +78,61 @@ The `KEY` node represents the symmetric key, and arrows are drawn from this node - Availability is a problem, since establishing trust (key distribution) is complicated + +Here's a simple example of a Java class that illustrates symmetric encryption using the Advanced Encryption Standard (AES). This class includes methods for both encryption and decryption. Java's `javax.crypto` package should suffice for basic needs. +This class demonstrates the basic process of symmetric encryption and decryption using AES. It generates a secret key, uses it to encrypt a string, and then decrypts it back to the original text. The `Base64` encoding and decoding are used to handle the byte array conversion for the encrypted text. + + +```java +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import java.util.Base64; + +public class SymmetricEncryptionExample { + + public static void main(String[] args) throws Exception { + // Generate a symmetric key + KeyGenerator keyGenerator = KeyGenerator.getInstance("AES"); + keyGenerator.init(128); // Key size + SecretKey secretKey = keyGenerator.generateKey(); + + String originalText = "Hello, this is a secret message!"; + System.out.println("Original Text: " + originalText); + + // Encrypt the text + String encryptedText = encrypt(originalText, secretKey); + System.out.println("Encrypted Text: " + encryptedText); + + // Decrypt the text + String decryptedText = decrypt(encryptedText, secretKey); + System.out.println("Decrypted Text: " + decryptedText); + } + + public static String encrypt(String plainText, SecretKey secretKey) throws Exception { + Cipher cipher = Cipher.getInstance("AES"); + cipher.init(Cipher.ENCRYPT_MODE, secretKey); + byte[] encryptedBytes = cipher.doFinal(plainText.getBytes()); + return Base64.getEncoder().encodeToString(encryptedBytes); + } + + public static String decrypt(String encryptedText, SecretKey secretKey) throws Exception { + Cipher cipher = Cipher.getInstance("AES"); + cipher.init(Cipher.DECRYPT_MODE, secretKey); + byte[] decryptedBytes = cipher.doFinal(Base64.getDecoder().decode(encryptedText)); + return new String(decryptedBytes); + } +} +``` + + ## Asymmetric Encryption +Public-key cryptography is also used for implementing digital signature schemes. A digital signature is reminiscent of an ordinary signature; they both have the characteristic of being easy for a user to produce, but difficult for anyone else to forge. Digital signatures can also be permanently tied to the content of the message being signed; they cannot then be 'moved' from one document to another, for any attempt will be detectable. In digital signature schemes, there are two algorithms: one for signing, in which a secret key is used to process the message (or a hash of the message, or both), and one for verification, in which the matching public key is used with the message to check the validity of the signature. RSA and DSA are two of the most popular digital signature schemes. Digital signatures are central to the operation of public key infrastructures and many network security schemes (e.g., SSL/TLS, many VPNs, etc.) + +Public-key algorithms are most often based on the computational complexity of "hard" problems, often from number theory. For example, the hardness of RSA is related to the integer factorization problem, while Diffie–Hellman and DSA are related to the discrete logarithm problem. The security of elliptic curve cryptography is based on number theoretic problems involving elliptic curves. Because of the difficulty of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers, especially with typical key sizes. As a result, public-key cryptosystems are commonly hybrid cryptosystems, in which a fast high-quality symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Similarly, hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed. + - Based on mathematical problems that are hard to reverse: - Factorization - RSA (Rivest–Shamir–Adleman) - Discrete logarithm - DSA (Diffie-Hellman) @@ -78,6 +141,53 @@ The `KEY` node represents the symmetric key, and arrows are drawn from this node - The sender uses the receiver’s public key, and the receiver (with the private key) is the only one that can read the message. - Slower and (maybe) less secure than symmetric encryption. + +In this example, "ECIES" (Elliptic Curve Integrated Encryption Scheme) is used for encryption and decryption. ECC offers similar levels of security to RSA but with smaller key sizes, which often translates to faster computations and lower power consumption. It combines the ECC algorithm with a symmetric cipher for effective encryption. + +```java +import javax.crypto.Cipher; +import java.security.*; +import java.security.spec.ECGenParameterSpec; +import java.util.Base64; + +public class ECCAsymmetricEncryptionExample { + + public static void main(String[] args) throws Exception { + // Generate an ECC key pair + KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC"); + keyPairGenerator.initialize(new ECGenParameterSpec("secp256r1")); // Specifies the curve standard + KeyPair keyPair = keyPairGenerator.generateKeyPair(); + PublicKey publicKey = keyPair.getPublic(); + PrivateKey privateKey = keyPair.getPrivate(); + + String originalText = "Hello, this is a secret message!"; + System.out.println("Original Text: " + originalText); + + // Encrypt the text + String encryptedText = encrypt(originalText, publicKey); + System.out.println("Encrypted Text: " + encryptedText); + + // Decrypt the text + String decryptedText = decrypt(encryptedText, privateKey); + System.out.println("Decrypted Text: " + decryptedText); + } + + public static String encrypt(String plainText, PublicKey publicKey) throws Exception { + Cipher cipher = Cipher.getInstance("ECIES"); + cipher.init(Cipher.ENCRYPT_MODE, publicKey); + byte[] encryptedBytes = cipher.doFinal(plainText.getBytes()); + return Base64.getEncoder().encodeToString(encryptedBytes); + } + + public static String decrypt(String encryptedText, PrivateKey privateKey) throws Exception { + Cipher cipher = Cipher.getInstance("ECIES"); + cipher.init(Cipher.DECRYPT_MODE, privateKey); + byte[] decryptedBytes = cipher.doFinal(Base64.getDecoder().decode(encryptedText)); + return new String(decryptedBytes); + } +} +``` + # Signing Reversing asymmetric encryption.