1 Table of Contents
2 Abstract
3 Introduction
4 Cryptography
4.1 Symmetric cryptography
4.2 Asymmetric cryptography
5 Digital signature
5.1 Advantages
5.2 Disadvantages
5.3 Attacks
5.4 Digital signature algorithm: RSA
6 Digital Certificate
7 Public Key Infrastructure
7.1 What is PKI?
7.2 Why we need PKI?
7.3 Components and Roles
8 Conclusion
9 References
10 Appendix A
10.1 Scenario
10.1.1 What is SSH Protocol
10.1.2 What is OpenSSH
10.1.3 Why implementing Certificate Authentication on OpenSSH
10.1.4 Keys
10.1.5 Certificate
10.2 Procedure
10.2.1 Setting up a FQDN domain
10.2.2 Generating Signing Keys
10.2.3 Generating Host Certificate
10.2.4 Configure server to use host certificate
10.2.5 Configure client to verify server certificate
Figure 1. Symmetric Encryption [1]
Figure 2 Asymmetric Encryption [1]
Figure 3 Advantages of Digital Signature
Figure 4 RSA Digital Signature [3]
Figure 5 Signing a document [4]
Figure 6 Signature verification process [4]
Figure 7 Issuing Certificate[14]
Figure 8 Logging in using certificates [14]
Figure 9 PKI uses
Figure 10 PKI Components and roles [8]
Figure 11 OpenSSH RSA certificate [12]
Figure 12 OpenSSH server certificate
Figure 13 auth /etc/hosts file
Figure 14 auth /etc/hostname file
Figure 15 Verifying parameters on auth
Figure 16 server /etc/hosts file
Figure 17 server /etc/hostname file
Figure 18 Verifying parameters on server
Figure 19 client /etc/hosts file
Figure 20 client /etc/hostname file
Figure 21 verifying configuration on client
Figure 22 Generating keys for signing host certificates
Figure 23 Show generated keys
Figure 24 copying server public key to CA
Figure 25 signing server public key
Figure 26 Certificate generation output
Figure 27 command to copy generated certificate to server
Figure 28 Transferring certificate to server
Figure 29 Display sshd_config file on server
Figure 30 modified known_host file on client
Figure 31 Successful connection after certificate validation
2 Abstract
This report introduces the concepts and mechanisms behind digital signatures and the security framework on which they are based: Public Key Infrastructure (PKI).
A brief introduction to other cryptographic concepts is also provided, to give a wide view of the security features adopted in recent years. The concepts implied by PKI are then applied to Secure Shell (SSH), an industry standard used by administrators to access systems remotely in a safe way.
The practical assessment, included in Appendix A, introduces step by step the actions required to create a Certificate Authority and generate signed host certificates, which are then used to verify the identity of servers to remote clients, removing the need to exchange public keys between parties before communication.
The report concludes with a brief reflection on the changes implied by the security features adopted nowadays, with an eye towards current research and future implementations.
3 Introduction
The wide distribution of networked systems and the increasing use of the internet have heavily influenced today’s society, including businesses. Several operations, such as banking, the sale and purchase of products and the exchange of information, now emphasize electronic transactions, minimizing the cost of operations while enhancing productivity. This has made information security the major issue for any business or individual who exchanges sensitive information, or performs operations, over an open environment such as the internet, because such information must be protected from tampering. Consequently, the need to enforce the fundamentals of information security (confidentiality, integrity and reliability) during data transmission between communicating parties led to the creation of security features such as digital signatures, whose algorithms are based on the security framework called Public Key Infrastructure (PKI).
4 Cryptography
Cryptography uses mathematical algorithms and processes to convert intelligible plaintext into unintelligible ciphertext, and vice versa. Applications of cryptography include:
• Data encryption for confidentiality
• Digital signatures to provide non-repudiation (accountability) and verify data integrity
• Certificates for authenticating people, applications and services, and for access control (authorization)
There are two main kinds of cryptography: shared secret and public key.
4.1 Symmetric cryptography
In shared secret cryptography, sender and receiver use the same key for both encryption and decryption. Because of this symmetry, it is critical to keep the key secret and to avoid network-based key distribution, as an attacker could intercept the shared key and decrypt data sent between the communicating parties.
Figure 1. Symmetric Encryption [1]
4.2 Asymmetric cryptography
Also known as public key cryptography, asymmetric cryptography uses a pair of keys: a public key and a private key.
The public key is publicly available, so it can be transmitted over an insecure connection, while the private key is kept private to its owner.
The pair of keys can be used for either encryption or decryption, depending on usage.
To ensure confidentiality, the data is encrypted using the public key and can only be decrypted by the private key.
To ensure non-repudiation and integrity, the data is encrypted using the private key and can only be decrypted with the public key.
Distribution of keys between parties is greatly simplified using this protocol.
Figure 2 Asymmetric Encryption [1]
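The two uses of a key pair described in section 4.2, as an added example that is not part of the original report: public-key encryption for confidentiality, and a private-key operation on a message digest for integrity and non-repudiation. It assumes textbook RSA without padding and a toy key built from two Mersenne primes, so it illustrates the mechanism only; the function names and the sample message are constructed for this example.

```python
import hashlib

# Toy key material (constructed for this example): two Mersenne primes.
# Real RSA keys use random primes of 1024+ bits each and padding (OAEP, PSS).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the matching private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # d is the inverse of e modulo phi


def encrypt(public, plaintext):
    """Confidentiality: anyone holding the public key can encrypt."""
    n, e = public
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private, ciphertext):
    """Only the private-key holder can recover the plaintext."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message, n):
    """SHA-256 of the message as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """Integrity and non-repudiation: the private key transforms the digest."""
    n, d = private
    return pow(digest(message, n), d, n)


def verify(public, message, signature):
    """Anyone can check the signature with the public key."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)


if __name__ == "__main__":
    pub, priv = make_keypair()
    order = b"pay 100 GBP to Bob"                    # constructed sample message
    sig = sign(priv, order)
    print(decrypt(priv, encrypt(pub, order)))        # round trip
    print(verify(pub, order, sig))                   # genuine message
    print(verify(pub, b"pay 900 GBP to Bob", sig))   # tampered message
```

A signature made with one private key verifies only against the matching public key, which is why the verifier must be sure whose public key it holds; that binding is what certificates and PKI provide.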
5 Digital signature
A digital signature is a set of enciphered data created using a cryptographic algorithm based on the concept of public key cryptography. Its main purpose is to protect communicating parties against each other in a situation where there is no complete trust and something more than authentication is required. [2]
The first model of digital signature was introduced in the paper “New directions for Cryptography” (IEEE Transactions on Information Theory, 1976), where Whitfield Diffie and Martin Hellman presented the idea that a form of digital signature could be made using PKE in such a way that anyone could verify its authenticity but no one else could duplicate it.
Most secure web transactions today are already dependent on digital signatures, which are included as part of the digital certificate a server presents to a client to identify itself and vice versa.
Examples of current uses of digital signatures:
• Inter-bank payment systems (BACS, SWIFT, CHAPS)
• e-passports and other e-ID cards
• VPN and remote host connections
• SSL-enabled websites
• Signing documents (PDFs, emails, etc.)
5.1 Advantages
Figure 3 Advantages of Digital Signature
5.2 Disadvantages
Figure 4 Disadvantages of Digital Signature
5.3 Attacks
It must be mentioned that the digital signature scheme does not offer complete security against data theft or data manipulation. Numerous researchers have identified weaknesses embedded in such security implementations, for example:
• Signature verification attack – On a Windows host it is possible to bypass the certificate verification process on malicious data by modifying Windows registry values. More details about this technique can be found