
Digital Signatures - CISO

Uploaded by

bggupta18945

App & Data Security using Public Key Infrastructure
(Digital Signatures, PKI, TLS)

Agenda
✓ What & Why: Digital Signature?
✓ What is Digital Signature Certificate?
✓ Achieving Confidentiality
✓ Certifying Authority & Trust Model
✓ Certificate Issuance, Types, Classes
✓ Certificate Life Cycle Management and Validation Methods
✓ Risks and Precautions with DS
✓ Policy and Legal Aspects of PKI
✓ e-Sign – An Instant & Online way of Digital Signing in India
✓ PKI Applications in India

Understanding Signature
• Hand-written Signature – Definition & Purpose
– A person’s name written in a distinctive way as a
form of identification in authorizing a cheque or
document
– A distinctive pattern, product, or characteristic by
which someone or something can be identified
Characteristics of Hand Signature
• A Hand Signature on a document is
– a unique pattern dependent on some secret known only to the signer and
– independent of the content of the message being signed
Attacks on Hand-written Signatures
• Attacks on Integrity
– Content Alteration / Corruption !
• Attacks on Identity
– Impersonation
– How is Identity verified?
• Authentication – Process of verifying who somebody is
against his claim
– Identity is established / proved through Authentication!
Attacks on Integrity
Attacks on Integrity - 2
Electronic World
Attacks on Integrity
[Figure: the Customer sends "Deposit 1,00,000 in Veeru’s Account"; the Bank receives "Deposit 1 in Veeru’s Account and 99,999 in Gabbar’s Account". Breach of Integrity]
Attacks on Identity
[Figure: Gabbar tells Jai, "I’m Veeru. Send me all Corporate Correspondence with ‘abc’." Breach of Authenticity]
Basic Elements of Trust
• Privacy (Confidentiality): Ensuring that only
authorized persons read the Data/Message/Document
• Authenticity: Ensuring that Data/Message/Document
originated from the claimed signer / sender
• Integrity: Ensuring that Data/Message/Document are
unaltered by any unauthorized person
• Non-Repudiation: Ensuring that one cannot deny
their signature or origination of a message
Digital Signatures
What is a Digital Signature ?
• A Digital signature of a message is a number (fingerprint)
dependent on
– a secret known only to the signer and
– the content of the message being signed

• Digital Signatures can be
– Verified for Authenticity
– Verified for Integrity
– Verified for Non-Repudiation
Creating Digital Signature
• Every individual is given a pair of keys
– Public key : known to everyone
– Private key : known only to the owner

• To digitally sign an electronic document the signer uses his/her Private key
• To verify a digital signature the verifier uses the signer’s Public key
Asymmetric Key Cryptography
• Keys in a Key pair are mathematically related to each
other
• If one of the keys in a key pair is used for Encryption (or
Decryption) then the other key should be used for Decryption
(or Encryption)
• Also known as Public Key Cryptography
• Knowledge of the encryption key doesn’t give you
knowledge of the decryption key
[Figure: Public Key → Private Key (X): deriving the Private Key from the Public Key is Computationally Infeasible]
What is a key pair?
Private Key
Public Key
Digital Signing – Step 1

[Figure: the document ("This is an example of how to create a message digest and how to digitally sign a document using Public Key cryptography") → Hash → Message Digest]
Hash Function

• A hash function is a cryptographic mechanism that operates as a one-way function
➢ Creates a digital representation or "fingerprint" (Message Digest)
➢ Fixed size output
➢ Change to a message produces different digest

Examples: MD5, Secure Hash Algorithm (SHA)
Hash - Example
Message 1: Hi Jai, I will be in the park at 3 pm Veeru
Message 2: Hi Jai, I will be in the park at 3 pm. Veeru

Hash Algorithm

Message Digest 1: B5EA1EC376E61DB2680D0312FC26D3773F384E43
Message Digest 2: 86D19C25294FB0D3E4CF8A026823439064598009

Digests are Different
Hash – One-way
[Figure: B5EA1EC376E61DB2680D0312FC26D3773F384E43 → X → "Hi Jai, I will be in the park at 3 pm Veeru": the message cannot be recovered from the digest]
MD5 and SHA
Message: Hi Jai, I will be in the park at 3 pm Veeru

Message Digest
MD5 (128 Bits): cfa2ce53017030315fde705b9382d9f4
SHA-1 (160 Bits): 1f695127f210144329ef98e6da4f4adb92c5f182
SHA-2 (224/256/384/512): 2g5487f56r4etert654trc5d5e8d5ex5gttahy55e
Digital Signing – Step 2

[Figure: Message Digest → Encrypt with private key → Digital Signature]
Digital Signing – Step 3

[Figure: the Digital Signature is appended to the document ("This is an example of how to create a message digest and how to digitally sign a document using Public Key cryptography")]
Digital Signing Process
Digital Signature Verification

[Figure: the document ("This is an example of how to create a message digest and how to digitally sign a document using Public Key cryptography") → Hash → Message Digest; the Digital Signature → Decrypt with public key → Message Digest]
Digital Signature Verification
Digital Signatures - Examples
I agree
efcc61c1c03db8d8ea8569545c073c814a0ed755
My place of birth is Gwalior.
fe1188eecd44ee23e13c4b6655edc8cd5cdb6f25
I am 62 years old.
0e6d7d56c4520756f59235b6ae981cdb5f9820a0
I am an Engineer.
ea0ae29b3b2c20fc018aaca45c3746a057b893e7
I am a Engineer.
01f1d8abd9c2e6130870842055d97d315dff1ea3
• These are digital signatures of the same person on different documents
• Digital Signatures are numbers
• They are content and signer dependent
Digital Signatures - Recap
• Establishes
– Identity and Authenticity of the Signer
– Integrity of the document
– Non-Repudiation (inability to deny having signed)
to a certain extent
• General Conventions
– Signing – Private Key of the Signer
– Verification – Public Key of the Signer
Digital Signature Certificate (DSC)
Why do we need DSC?
• To firmly establish the ownership of the public key
• To certify and provide a strong mechanism for non-repudiation (inability to deny)
What is Digital Signature Certificate (DSC)?
DSC is an electronic document used to prove ownership of a public key. The certificate includes
• Information about its owner's identity,
• Information about the key,
• The Digital Signature of an entity that has verified that the certificate's contents are correct.
Veeru Info:
Name: Veeru
Department: AMD

Certificate Info:
Serial No: 93 15 H0
Exp Date: dd mm yy

Veeru’s Public Key
Sign
Certifying Authority (CA) ?
Certifying Authority (CA)
• Certifying authority is an entity which issues Digital Signature Certificates (DSC)
• It is a trusted third party
• CAs are important components of Public Key Infrastructure (PKI)

Responsibilities of CA
• Verify the credentials of the person requesting the certificate (RA’s responsibility)
• Issue certificates
• Revoke certificates
• Generate and upload CRL
Sample Certificate
Trust Model
Hierarchical Trust Model
• For a Digital Signature to have legal validity in India, it must
derive its trust from the Root CA certificate

National Root CA – (RCAI)
  → Licensed CA (Eg. NIC) → Subscribers
  → Licensed CA (Eg. IDRBT) → Subscribers
  → Licensed CA (Eg. nCode) → Subscribers
  → ...

Licensed CAs in India
• National Root CA (RCAI) – operated by CCA
– Only issues CA certificates for licensed CAs
• 9 CAs licensed under the National Root CA
– SafeScrypt (www.safescrypt.com)
– IDRBT CA (www.idbrtca.org.in)
– National Informatics Centre (https://nicca.nic.in)
– GNFC - nCode Solutions CA (www.ncodesolutions.com)
– eMudhra (www.e-mudhra.com)
– C-DAC (http://esign.cdac.in) – Only e-Sign
– Capricorn CA
– NSDL e-Gov CA
– Air Force CA
• As of Jan 2018, No. of Digital Certificates issued
– DSC - 1.97 Crore, since 2002
– e-Sign – 4.5 Crore, since 2015
Certificate Issuance Process
[Figure: Certificate Issuance Process. Labels: Other Identity Information; Make Online Payment; Issue Crypto Token; X.509 v3 Cert]
Crypto Tokens
• Contain a Cryptographic co-processor with a USB interface
– Key is generated inside the token.
– Key is highly secured as it doesn’t leave the token
– Highly portable and Machine-independent
– FIPS 140-2 compliant; Tamper-resistant
Certificate Classes
Classes of Certificates
• Classes define the level of assurance for a
Digital Certificate
• 3 Classes of Certificates
– Class – 1 Certificate
• Issued to Individuals
• Assurance Level: Certificate will confirm User’s name and Email address
• Suggested Usage: Signing certificate is primarily to be used for signing personal emails, encryption certificate is to be used for encrypting digital emails, and SSL certificate is to be used to establish secure communication through SSL
Classes of Certificates
– Class – 2 Certificate
• Issued for use by both business personnel and private individuals
• Assurance Level: Confirms the details submitted in the form including photograph and documentary proof
• Suggested Usage: Signing certificate may also be used for digital signing, code signing, authentication for VPN client, Web form signing, user authentication, Smart Card Logon, Single sign-on and signing involved in e-procurement / e-governance applications, in addition to Class-I usage
Classes of Certificates

– Class – 3 Certificate
• Issued to Individuals and Organizations
• Assurance Level: Highest level of Assurance; Proves existence of name of the organization, and assures the identity of the applicant authorized to act on behalf of the organization.
• Suggested Usage: Signing certificate may also be used for digital signing for discharging his/her duties as per official designation, and encryption certificate is to be used for encryption requirements as per his/her official capacity
Types of Certificates
Types of Certificates
• Types define the purpose for which a Digital
Certificate is issued
• Signing Certificate (DSC)
– Issued to a person for signing of electronic
documents
• Encryption Certificate
– Issued to a person for the purpose of Encryption
• SSL Certificate
– Issued to an Internet domain name (Web Servers, Email Servers etc.)
Achieving Secrecy
Achieving Secrecy through Asymmetric Key Encryption
[Figure: A → Message → Encrypt (Public key) → Encrypted Message → Decrypt (Private key) → Message → B; Eavesdropper on the Encrypted Message]
General Conventions
• Encryption – Public Key of the Receiver
• Decryption – Private Key of the Receiver
Achieving PAIN !
• How to achieve Privacy, Authenticity, Integrity
and Non-repudiation all together in a
transaction
Signcryption
• Why do you need Signcryption ?
– The intended receiver alone should know the
contents of the message
• Secrecy / Confidentiality / Privacy
– The receiver should be sure that
• The message has come from the claimed sender only
– Authentication
• The message has not been tampered with
– Integrity
• Signer has used a valid and trustable certificate
– Non-Repudiation
Certificate Extensions
File Formats with Extensions    Description
.CER                            Contains only Public Key
.CRT                            Contains only Public Key
.DER                            Contains only Public Key
.P12                            Contains Public and Private Key
.PFX                            Contains Public and Private Key
.PEM, .KEY, .JKS                Contains Public and Private Key
.CSR                            Certificate Signing Request
.CRL                            Certificate Revocation List
Certificate Lifecycle Management
• A Digital Signature Certificate cannot be used forever!
• Typical Life cycle scenario of Digital Certificates
– Use until renewal
• Certificates are to be reissued regularly on expiry of validity (typically
2 years)
– Use until re-keying
• If keys had to be changed
– Use until revocation
• If Certificate was revoked, typically when keys are compromised or
CA discovers that certificate was issued improperly based on false
documents
CRL – Certificate Revocation List
• A list containing the serial numbers of those certificates that have been revoked
• Why have they been revoked?
– If keys are compromised and the user reports it to the CA
– If the CA discovers false information being used to obtain the certificate
• Who maintains CRLs?
– Typically the CAs maintain the CRL
CRL – Certificate Revocation List
• How frequently is the CRL updated?
– Generally twice a day; based on CA’s policies
• Is there any automated system in place for accessing the CRL?
– OCSP
Obtaining CRL
Sample CRL
Certificate Validation Methods
• Validating a certificate is typically carried out by a PKI-enabled application
• The validation process performs the following checks
– Digital signature of the issuer (CA)
– Trust (Public Key verification) till root level
– Time (Validity of the certificate)
– Revocation (CRL verification)
– Format
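The signing steps from the earlier slides (hash, transform the digest with the private key, append) and the signature, trust, time and revocation checks listed above, as an added Python example that is not part of the original slides. It uses textbook RSA without padding on constructed toy keys; `Cert`, `issue`, `validate` and the year-based validity fields are hypothetical names, and the format check is not modelled.

```python
import hashlib
from dataclasses import dataclass
E = 65537  # public exponent used by every toy key
# Constructed toy primes (Mersenne primes): trivially factorable, illustration only.
P = [2**521 - 1, 2**607 - 1, 2**1279 - 1, 2**2203 - 1, 2**2281 - 1, 2**3217 - 1]

def make_key(p, q):  # textbook RSA: returns (public modulus n, private exponent d)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data):
    """Step 1: hash the data to a fixed-size message digest."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, n, d):
    """Step 2: transform the digest with the signer's private key."""
    return pow(digest(data), d, n)

def verify(data, sig, n):
    """Recover the digest with the public key and compare it with a fresh hash."""
    return pow(sig, E, n) == digest(data)

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: int  # validity is a year here, to keep the sample readable
    not_after: int
    pub_n: int       # subject's public key
    sig: int = 0     # issuer's signature over tbs()

    def tbs(self):   # the bytes the issuer signs: every field except sig
        return repr((self.subject, self.issuer, self.serial,
                     self.not_before, self.not_after, self.pub_n)).encode()

def issue(cert, issuer_key):
    cert.sig = sign(cert.tbs(), *issuer_key)
    return cert

def validate(chain, root, now, crl):
    """chain = [subscriber, ..., CA]; returns 'ok' or the first failed check."""
    for cert, issuer in zip(chain, chain[1:] + [root]):
        if cert.issuer != issuer.subject:
            return "trust"
        if not verify(cert.tbs(), cert.sig, issuer.pub_n):
            return "signature"
        if not cert.not_before <= now <= cert.not_after:
            return "time"
        if cert.serial in crl:
            return "revoked"
    return "ok"

# Constructed hierarchy: root CA -> licensed CA -> subscriber.
ROOT_KEY, CA_KEY, VEERU_KEY = (make_key(P[i], P[i + 1]) for i in (0, 2, 4))
ROOT = issue(Cert("Root CA", "Root CA", 1, 2015, 2035, ROOT_KEY[0]), ROOT_KEY)
CA = issue(Cert("Licensed CA", "Root CA", 2, 2016, 2030, CA_KEY[0]), ROOT_KEY)
VEERU = issue(Cert("Veeru", "Licensed CA", 3, 2017, 2019, VEERU_KEY[0]), CA_KEY)
MSG = b"Hi Jai, I will be in the park at 3 pm Veeru"
SIG = sign(MSG, *VEERU_KEY)  # Step 3: SIG travels appended to MSG
```

A verifier first runs `validate([VEERU, CA], ROOT, now, crl)` and only then trusts `VEERU.pub_n` in `verify(MSG, SIG, VEERU.pub_n)`.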
A word of Caution!
• Keep your Digital Security Tokens Safe!
– Report loss of tokens immediately and seek revocation from the CA
– If you have any doubts that private key has been
compromised, inform the CA
– Remember that risks are inherent in any system!
• Any Security system is only as safe as the weakest link in
the security chain!
Dimensions of PKI
What is PKI ?
• Public Key Infrastructure (PKI) is an ecosystem comprising:
– Algorithms & Protocols
• Key Role Players: Cryptographers, Researchers
– Implementation & Standards
• Key Role Players: Application Developers, Standard developers
– Policy & Law
• Key Role Players: Regulatory bodies, Law Protection Agencies
– Applications
• Key Role Players: Users & Systems
Present Digital Signature & PKI Implementations in India
PKI enabled Applications
1 e-Invoice (B2C)
2 e-Tax Filing (G2C)
3 e-Customs (G2B)
4 e-Passport (G2C) - Presently in India, the Ministry of External Affairs has started issuing e-Passports in Karnataka state with the fingerprints and the digital photo of applicant
5 e-Governance Bhoomi (G2C) - a PKI enabled registration and Land Records Services offered by Govt. of Karnataka to the people. All the land records and certificates issued are digitally signed by the respective officer
6 e-Payment (B2B) - In India, currently between banks fund transfers are done using PKI enabled applications whereas between customers and vendors such as online shopping vendor the payment is done through SSL thereby requiring the vendor to hold DSC
PKI enabled Applications
7 e-Billing (B2C) - The electronic delivery and presentation of financial statement, bills, invoices, and related information sent by a company to its customers
8 e-Procurement (G2B, B2B)
9 e-Insurance (B2C) - Presently the users are getting the E-Premium Service Receipts etc. which is digitally signed by the provider
10 Treasury Operations (G2C) - Khajanae – II of Govt. of Karnataka uses Digital Signatures to automate and speed up the treasury operations
Other Implementations
• DGFT - Clearance of goods is now initiated by exporters at the push of a button from their offices;
– Previously it used to take days; requests are now cleared within 6 hours
• Indian Patent office has implemented e-filing of patents and allows only use of Class-3 Certificates
– Around 30% of the total patent filings now happen through e-filing.
Summary
• PKI is an ecosystem comprising Technology, Policy and Implementations
– Digital Signatures provide Authenticity, Integrity, and Non-Repudiation for electronic documents & transactions
– Asymmetric Key system enables Confidentiality
• General Conventions
– Signing – Private Key of the Signer
– Verification – Public Key of the Signer
– Encryption – Public Key of the Receiver
– Decryption – Private Key of the Receiver
TLS – TRANSPORT LAYER SECURITY
Without TLS

[Figure: Shopping.com]
With TLS
• Servers use TLS (Transport Layer Security) certificates
– A TLS certificate is issued to a machine/server to establish a secure connection between the server and the browser used to access it.
– All the information exchanged is then in encrypted form and won’t make sense to anyone who tries to tap it.
With TLS

[Figure: Shopping.com]
TLS 1.3
▪ Client says Hello to Server, along with a keyshare that it has generated
▪ Server receives the keyshare from the client, generates its own keyshare, and mixes them to derive the secret key.
▪ Server then sends its keyshare and certificate (that contains the public key of the server) and digitally signs this response. Additionally, it encrypts the certificate and the signed response
▪ Client receives it, takes the server's keyshare and mixes it with its own keyshare to derive the secret key, and verifies the signature and certificate
▪ So both of them have arrived at the shared secret and they can communicate securely
• Courtesy: Filippo Valsorda, CloudFlare
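The keyshare steps above, as an added Python example that is not part of the original slides: each side mixes the peer's keyshare with its own private value (finite-field Diffie-Hellman) and derives a key with HKDF bound to both Hello messages. The group is a constructed toy, the key schedule is simplified, the `Endpoint` class and message layout are hypothetical, and the server's certificate and signature are not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed toy group, illustration only: real TLS 1.3 key shares use
# standard groups such as X25519, secp256r1 or the ffdhe groups.
P, G = 2**2203 - 1, 3

def hkdf(secret: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256 and an all-zero salt."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

class Endpoint:
    def __init__(self, name: str):
        self.name = name
        self.private = secrets.randbelow(P - 3) + 2   # never leaves this endpoint
        self.keyshare = pow(G, self.private, P)        # sent in the Hello message

    def hello(self) -> bytes:
        return f"{self.name}Hello|keyshare={self.keyshare:x}".encode()

    def session_key(self, peer_keyshare: int, transcript: bytes) -> bytes:
        # "Mix" the peer's keyshare with our own private value, then derive
        # the key with HKDF, bound to a hash of both Hello messages.
        shared = pow(peer_keyshare, self.private, P)
        return hkdf(shared.to_bytes(276, "big"), hashlib.sha256(transcript).digest())

def handshake():
    client, server = Endpoint("Client"), Endpoint("Server")
    transcript = client.hello() + server.hello()   # everything visible on the wire
    return {
        "client_key": client.session_key(server.keyshare, transcript),
        "server_key": server.session_key(client.keyshare, transcript),
        "server_keyshare": server.keyshare,
        "transcript": transcript,
    }
```

Both sides arrive at the same 32-byte key although only the two keyshares crossed the wire; a party holding a different private value derives a different key from the same transcript.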
Sample Certificate
TLS Certification Issuance

• Key pair gets generated on web server
• Web server admin creates CSR (certificate signing request) and sends it to CA (Certifying Authority)
• In Subject DN (Distinguished name) of CSR, common name should be same as fully qualified domain name.
• CA validates the domain and signs the certificate
Types of TLS Certificates

• Based on Business requirement
– Multi-domain Certificate (SAN/UCC)
– Wild Card Certificate
• Based on Validation
– Domain Validated (DV) Certificates
– Organization Validated (OV) Certificates
– Extended Validation (EV) Certificates
Multi-Domain Certificates
• Subject Alternative Names (SANs) Certificate
– Can secure up to 100 different domain names, subdomains, and public IP addresses, using only one SSL Certificate and requiring only one IP to host the Certificate.
Wildcard Certificates
• Wildcard certificate allows us to secure an unlimited number of subdomains on a single certificate.
• A Wildcard Certificate is issued to, e.g., *.cdac.in, where the asterisk represents all possible subdomains.
Domain Validated Certificate
• Domain Validated certificates are certificates
that are checked against domain registry.
Organization Validated Certificate
Organization Validated Certificate

• For organization validation, the CA will verify the actual business that is attempting to get the certificate.
• This is usually used by corporations, governments and others for TLS-enabled websites.
• It activates the browser padlock and https, shows the corporate identity
Extended Validation Certificate
Extended Validated Certificate

• An Extended Validation Certificate (EV) is a certificate issued according to a specific set of identity verification criteria.
• These criteria require extensive verification of the requesting entity's identity by the CA before a certificate is issued.
• Extended TLS activates the green address bar and displays the organization name in the browser interface
Thank you
