 Hello, and welcome to this lecture on public key infrastructures. My name is Ralph, and I'm going to guide you through a series of small lectures on this interesting topic. Before we get started, let's get a few preliminaries out of the way. You are going to need prerequisites. You need an elementary understanding of asymmetric photography, sometimes also called public key photography, and one for cryptographic hash functions. Both concepts are actually built on the notion of one-way functions, and these are interesting mathematical functions that we believe to exist and have certain properties. Actually, there is no proof that they really exist and that the functions that our candidate functions really are one-way functions, or in the case of public key photography, an extension of one-way functions, so-called trapdoor functions. However, most mathematicians today believe that we are indeed facing such functions and it is possible to use them for cryptography. We are fairly sure, otherwise we wouldn't be doing it. Now, in the following, I'm going to give you a brief recap. However, if you have no clear understanding of these cryptographic primitives, please do an introductory lecture on cryptography before continuing. What are we talking about? As I mentioned already, public key cryptography, which is also called asymmetric cryptography, is based on mathematical problems that have certain properties that we believe to have certain properties. The difference to symmetric cryptography is in the keys. In symmetric cryptography, every participant has a key that they can share with someone else and with that person or receiver or entity, then they can communicate securely. In public key cryptography, each participant has two keys, a public key and a private key. The public key, as the name implies, may be public knowledge. It can be distributed to anyone. And then there is also a private key, which is really important. It must be kept secret, a secret of the owner. Anyone can use a receiver's public key to encrypt a message for them, but only the receiver, the owner of the private key, can also decrypt it. If you want, think of it as a letterbox. Anyone can drop a letter in a letterbox. However, only the person who has the key to the letterbox can also retrieve it. Cryptographic hash functions are also highly interesting in this regard. And there's a certain similarity. But first, what is a hash function? First of all, a hash function is simply a function that takes an input, which may be of arbitrary lengths, but it produces an output that is always of the same length. We call these functions digest, sometimes at least. Now what makes a hash function a cryptographic hash function? Well, they are hash functions that we believe to fulfill three criteria. That's a similarity to public key cryptography, by the way. It has, again, to do with one way functions. We believe these properties to hold, but we don't actually have proof. But we are still very sure of it. The problem that we're going to face is every hash function has collisions to the fixed length output. And cryptographic hash functions are, of course, no different. So there's always going to be values a and b, where h of a is the same as h of b without h and b being the same. And there are three criteria that we believe to be fulfilled that make cryptographic hash functions so useful. Here they are. Let's assume h is a cryptographic hash function. Three properties are pre-image resistance, sometimes also called first pre-image resistance, second pre-image resistance, and collision resistance. To make a long story short, these imply that it is computationally infeasible to invert the hash function h. And by computationally infeasible, we mean it is not, in theory, impossible if you have enough time. But the scale of time that we are talking about is at the very least millions of years. And by improving the current computational power that you have, you still stand absolutely no chance to get useful results in any kind of acceptable time. This may change if our computing paradigm changes. Some people speak of quantum computers. But I don't want to dive into this because such computers do not exist at this time in any sense that would make them useful to break these functions. Now what are the resistance functions, the resistance properties about? Pre-image resistance says the following. You are given a random value y and it is computationally infeasible to find an x such that h applied on x equals y. Second pre-image resistance is similar, but has a little extra to it. You're now given a random value x and it is computationally infeasible to find any x prime that's different from x such that h of x is the same of h of x prime. And finally, you request collision resistance, which says it is computationally infeasible to find any pair x, x prime, not the same, such that h of x is the same as h of x prime. Note the difference. In pre-image resistance, in second pre-image resistance, you're given a random x. In collision resistance, the statement says it's computationally infeasible to find any pair. As I said, these imply that it is computationally infeasible to invert the hash function. That's going to be useful. Let's have a look at the next few slides. What are the operations in public key cryptography? Well, there is encryption, obviously. Bob can use Alice's public key, which we call pk, to send her an encrypted message that we call c. And c equals ink encryption function using the public key pk applied to m. Alice uses her private key sk to decrypt it. We can also use the decryption function, using sk to the encrypted message, c yields our value m, the message. We can also do signatures. And here is where the cryptographic hash functions come in. Bob computes a hash value, h of m, of the message. And then Bob can use his private key to encrypt that value. We call it s and s equals the encryption function, ink, but this time using the secret key, the private key, applied to the hash value h of m. We sometimes write sik of m for short and put the creator of the signature in the index sik b of m. Now Bob can do both. He can send the encrypted message c, and he can also send s. Alice receives c and s. And can proceed to decrypt c, which gives her m. She can do that because she has a private key that Bob used to encrypt c. From m, she can compute her own version h of m. Now Alice can turn to the signature and decrypt it. She can use Bob's public key and apply it to the signature, which gives you a decryption operation using the public key of Bob. She can apply it to the result of an encryption operation using Bob's secret key applied to the hash function applied to m. The result obviously is the innermost term, which is h of m. And Alice can now compare the value h of m that she has computed herself with the value that was the result of decrypting the signature. If the two are the same, then the signature is correct. And now you can deduce for yourself why it is so important that the hash function is computationally infeasible to invert because otherwise it would be possible to break signatures. But unfortunately, not everything is one with public key cryptography. As public keys are public knowledge and can be publicly distributed, there is nothing that would prevent an evil person, let's call her Eve. To say, this here is Alice's public key and Eve goes around and tells people that Bob now needs a way to find out which public key really belongs to the Alice that he would like to message. Or otherwise, he cannot send encrypted messages to her because he might accidentally use Eve's public key. And that doesn't help. In the same kind of logic, Alice also needs to know which public key belongs to Bob. Otherwise, she cannot verify any signatures that may be from him. The key distribution problem is the one that we're going to tackle with public key infrastructures. This is a very famous underlying theorem. In this lecture, we call it Boyd's theorem after the person who has formulated it for the first time in a nice formal way and proved it correct. It is actually quite intuitive and it's a bit strange that it took so long for someone to write it up. In essence, Boyd tells us the following. In the absence of a secure channel, two entities cannot establish an authenticated session without the existence of an entity that can mediate between the two, and which both parties trust and have a secure channel with. That's a bit of a mouthful. What does it really mean? Let's rephrase it in the context of key distribution. What Boyd really is saying is, two parties, A and B, Alice and Bob, cannot securely exchange keys if they haven't already done this at least once before. If they haven't, then they are in trouble. They need a third party to mediate between them, in essence, one that introduces them to each other and which vouches for the correctness of the respective keys and the correct mapping. Summarize, secure key distribution needs either an existing secure channel or a third party to help our participants establish a secure channel and allow them to be certain who is the owner of a given public key. Now, there are several options. Basically, you don't have a third party, and what you can do in such cases is you can meet in person, hopefully you know each other, and then exchange the keys and then you have your assurance that it is the right key that you're going to use. There are a handful of other methods that I'm not going to describe here, but all of them are useful in more extreme circumstances when further conditions of the environment help you. That's a different lecture. If you do have a third party, things can be a little bit easier. Actually, your key distribution doesn't require public key photography. For example, the famous Kerberos protocol implements a so called key distribution center using symmetric photography exclusively. In the asymmetric case, what we have are public key infrastructures. And these are the topic that we're going to discuss next. Just as a few prominent examples, X519 PKI standing for public key infrastructure and open BGP. These are interesting examples that we are going to have a closer look at soon.