# Public key cryptography
Asymmetric, or public key cryptography algorithms use two separate keys - one public, one private. The public key can be shared with anyone, trusted or not. 

Public key algorithms *may* be used to guarantee either confidentiality or authentication by using the same general principle in two different ways.

**Confidentiality**: anyone can encrypt a message with the public key; only the holder of the private key can decrypt the message.

**Authentication**: anyone can issue a challenge; only the holder of the private key can sign the challenge with the private key; anyone can verify the signature is correct with the public key.

## RSA cryptosystem

You have seen [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) during the lectures. Please refer to authoritative sources for the RSA standard; the following is an illustrative example of the fundamental concepts only.

To jog your memory: given a plaintext $p$ and appropriately chosen integers

* exponent $e$
* modulus $m$
* private key $k$

such that

$\begin{align*}
\left(p^e\right)^k \equiv \left(p^k\right)^e \equiv p \mod m,
\end{align*}$

anyone knowing the public key $(e,m)$ can encrypt a message by computing the ciphertext

$\begin{align*}
E(p,m,e): \quad c\equiv p^e \mod m,
\end{align*}$

but only the holder of the private key can easily decrypt by computing

$\begin{align*}
D(c,m,k): \quad c^k\equiv p \mod m.
\end{align*}$

## RSA signature

We have seen that the hash $h$ of a document can be used to guarantee its integrity. To a first approximation, the holder of an RSA private key $k$ can *sign* the document by performing a decryption operation with the private key:

$\begin{align*}
S(h,m,k): \quad s\equiv h^k \mod m,
\end{align*}$

and anyone can verify the correctness of the signature over the hash by performing an operation equivalent to encryption with the public key

$\begin{align*}
V(s,h,m,e): \quad s^e\equiv h \mod m.
\end{align*}$

## Caveats

* **Signature: digital vs legal** A digital signature created with the RSA cryptosystem with Alice's private key does *not* mean that Alice generated the document, and by itself it does not neessarily mean that Alice herself approved the contents of the document or even saw what it was. *A digital signature is not immediately equivalent to a handwritten signature* in this respect. We also need to ensure a long list of other guarantees can be given, such as that the keys can only be used with the active and conscious knowledge and approval of the owner. The [eIDAS](https://en.wikipedia.org/wiki/EIDAS) regulation of the EU establishes rules for the equivalence between handwritten signature and [qualified electronic signature](https://en.wikipedia.org/wiki/Qualified_electronic_signature).

* **Proof: ownership vs identity** Anyone can generate a key pair - you are about to do this in the next exercise. The RSA cryptosystem can be used as part of an authentication protocol to prove ownership of a private key, but a further step is required to associate that key pair with an identity.

* **Purpose** Different uses of the same cryptosystem are associated with different keys. We shall see some of the reasons why that is later on. For now, bear in mind that separate keys will be created for the purposes of authentication and signature.

## Blind signature attack

There are many attacks on versions of the RSA cryptosystem; see e.g. this [survey](https://crypto.stanford.edu/~dabo/abstracts/RSAattack-survey.html).

The [blind signature attack](https://en.wikipedia.org/wiki/Blind_signature#Dangers_of_blind_signing) is illustrative of the danger of using keys for unintended purposes.

Suppose Eve wants Alice to sign a document $d$, without revealing its contents to Alice. Suppose Alice is using vanilla RSA with the same key for authentication and non-repudiation. Eve can compose a seemingly random challenge as

$t=r^e d \mod m$

and if Alice signs the challenge to prove her identity, Eve will receive

$s = t^k \mod m$

Applying the public key, Eve can compute a quantity $sr^{-1}$ that passes the vanilla signature verification:

$\begin{align*}
    \left(sr^{-1}\right)^e \mod m & = \left( r^e d \right)^{ek}\left(r^{-1}\right)^e \mod m \\
                    & \equiv  r^e d  \left(r^{-1}\right)^e \mod m
\end{align*}$

In particular, since there is no restriction on $d$ and Alice has no way to distinguish $r^e d$ from random, Eve can also use a message that Bob had previously sent to Alice using RSA encryption, if Alice was using the same key.

## Generating and serializing key pairs

Choosing the right algorithm and parameters for a given use case is tough - but our hands are usually tied by standards and availability. For these exercises we assume that choice has been made for us; a number of practical issues still arise, related to displaying, storing, and transporting critical information. In particular:

1. **Format**: the syntax with which the key and metadata are composed.
2. **Encoding**: the alphabet in which the information is written for storage and transport.

### Format

Private/public keys have associated metadata to assist in their usage. For example, storing some large number on its own is no very informative; on the other hand, following [RFC 5208: Public-Key Cryptography Standards (PKCS) \#8: Private-Key Information Syntax](https://tools.ietf.org/html/rfc5208), we can store a private key in ASN.1 syntax as the following structure:
```
    PrivateKeyInfo ::= SEQUENCE {
        version                   Version,
        privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
        privateKey                PrivateKey,
        attributes           [0]  IMPLICIT Attributes OPTIONAL }

      Version ::= INTEGER

      PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier

      PrivateKey ::= OCTET STRING

      Attributes ::= SET OF Attribute
```

The 

Note that serialization formats are different for [private](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.PrivateFormat) and [public](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.PublicFormat) keys.

### Encoding

Serialization encodings can be a form of binary for storage, or base64 for display and transmission. The most common formats are DER (binary) and PEM (mostly base64). For PEM, refer to [RFC 7468: Textual Encodings of PKIX, PKCS, and CMS Structures](https://tools.ietf.org/html/rfc7468) for a summary of the main options. For illustrative purposes, consider PEM to be the base64 encoding of the DER data, with lines of maximum length 64 characters, delimited by
```
-----BEGIN {label}-----

-----END {label}-----
```

It can be quite useful to have a text representation of cryptographic material for a number of reasons, for example when transmitting or receiving as part of a message that is expected to be text only, such as a QR code or a JSON message. The alternative is to have to manually write your own encoder and decoder - a task that is tedious at best and treacherous at worst, particularly when it comes to cryptography.

### Summary

To summarize, when generating cryptographic material such as keys and certificates, the de facto standards are:

0. [ASN.1](https://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One) syntax for a cross-platform human-readable representation of the data structure
1. [DER](https://en.wikipedia.org/wiki/X.690#DER_encoding) encoding for unambiguous binary serialization
2. [PEM](https://en.wikipedia.org/wiki/Base64#Variants_summary_table) encoding (of the DER binary) for unambiguous text serialization

There are other options, but these are the main ones you should be aware of at the moment.

**Exercise**: generate an RSA key pair, and display the private key with PEM encoding and PKCS8 format.

In [6]:
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
    backend=default_backend()
    )

print(key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption(),
    ))

b'-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAopmNcIPlmyZjGhWTKHuoUyib7cdvx3sNac5/l30JhES/af7e\ns6unaJyMwCp9oZ2dqdtp479BasTKi4zHfzhiX0mHW2qo26bwtP5WtNxcs0pYUsdB\nItTLs1dCKL5aBJlJcmftEgG7C/f2H4r4R30eEgawkjj1k6teETBFkMq1gnRR1zvP\nKUApB01Myusu79gqP0VNzdwtaWgjYLrV07AXfygwdZ/6zSVhwc3fJiwK1f/Q34m+\n9sHHS8vTvzWQ3ccq0aR43WvPohbUIGQTsvo8vORngnRIsgOzwupdY3Yhh/e0SSfE\nWKMHUaoD7q3irjB91HCrx3HcSHzw0I/fSI13uQIDAQABAoIBABJvIi/tZCyQz493\nfrWKP20eH393qt6MvtqOBL0h+eA7AxB7SrhH77TWesaWiqO2ANfu/jRJzJrUMLpd\nfYiY1d5DscrVbstoQ8XhR+c9TG0vMpA/8syGH4n3jJKd8gqvbjpAOgpek9wpgofU\n84z3TF9yzrXlK0JQnVuJg3mE4csmQpV60t5YsYGjtPcTBlke5Q+IoNloaEf1H7rB\n+8OPNXqleAJZUvFKsJYhYc2GagGJVsvJ8fbk+xLMuZj7UMSiEU6uLJFleCIed37f\nWuRMndbh+RQfzsdb+EPHovBoRoZtWNSPzi1A+1inVSLfy76mQ6Gr2hUcwAr8R4ps\nF1W9C2ECgYEAzidGFVX9xK9dLMwFmMBsj67cEYBDtCK4o6PovMXH3HsH87YCZ4CO\npyjG0b176sDoAkxQII3NHm9xn2jMcWixowy3kdN9yXApTyUs4KJlzUG8RSXv3ONk\nMdTHunb1/OwebQ7/R1663aYrDktDPtgbG3rbtzSmd2NA1zUhgJlNZcUCgYEAyepY\nzmOSVRpcFfoSz7hNI64NkoIPxHG0rZESpf2cZNlwJ

**Exercise**: above, change the encoding format from PEM to DER. Note the difference between base64 and binary.

**Exercise**: generate an [elliptic curve](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/) key pair, with PEM encoding and PKCS\#8 format.

In [5]:
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import ec
key = ec.generate_private_key(
    ec.SECP384R1(), default_backend()
)
print(key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    ))

b'-----BEGIN PRIVATE KEY-----\nMIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCoKLVwlA0eMFcPFC/Z\nwTlhlY7ByD5spHNPmxGf7UtFFyJckkOt9z5LfOh298Vo3ZyhZANiAARmWuGQGdvL\nqQKfNT0MrdeiE5P6TJ2VcjS+dk8J4pKyRdyvgyJHgK4dpZN8hoSuF6QriFFcsZiF\nLrLhB8pgbaP5yr61mKH5XLJkPG2wwbX9e0DaCwwAuFoNb0D2cJhd7dE=\n-----END PRIVATE KEY-----\n'


## Digital signature

NIST [FIPS 186-4 Digital Signature Standard (DSS)](https://csrc.nist.gov/publications/detail/fips/186/4/final), specifies three NIST-approved digital signature algorithms: [DSA](https://en.wikipedia.org/wiki/Digital_Signature_Algorithm), [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Signing_messages), and [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) (see [NIST digital signatures project](https://csrc.nist.gov/Projects/Digital-Signatures)).

The full details of each scheme can be quite involved. For reference, the current standard for RSA signatures is RSASSA-PSS, in PKCS \#1 v2.2 - see [RFC 8017](https://tools.ietf.org/html/rfc8017). Signatures are parametrized by a choice of
* hash function,
* mask generation function, and
* salt length.

To quote:
>                                      +-----------+
                                     |     M     |
                                     +-----------+
                                           |
                                           V
                                         Hash
                                           |
                                           V
                             +--------+----------+----------+
                        M' = |Padding1|  mHash   |   salt   |
                             +--------+----------+----------+
                                            |
                  +--------+----------+     V
            DB =  |Padding2|   salt   |   Hash
                  +--------+----------+     |
                            |               |
                            V               |
                           xor <--- MGF <---|
                            |               |
                            |               |
                            V               V
                  +-------------------+----------+--+
            EM =  |    maskedDB       |     H    |bc|
                  +-------------------+----------+--+

**Exercise**: sign a message with RSA-SHA256.

In [18]:
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
    backend=default_backend()
    )

message = b"To sign"
signature = key.sign(
    message,
    padding.PSS(
        mgf=padding.MGF1(hashes.SHA256()),
        salt_length=padding.PSS.MAX_LENGTH
    ),
    hashes.SHA256()
)

print(signature)


b'\x18\xd4\xad\x9f \xa0\x1b\x93g:\xae\xdb\x10\xb9\xc4\xf0\xd4|@\x83\xd5X\xe7o\x9d\xb4\x155J\xb4\x93=\xd2\x0b\x89\xea\xd0\xd6\x1crr\xe0Y\x89\\\xea\xa9\xad\xd8\xd3ff\xcd\x91j\x91\x0c\xac\x90r\x92\xef\x8e`S\xba"p\xd5\xc9\xc7\xb6\xb3U{JJQ\x18\xc8W\xa6\x98\x7f>1\x86\xa5`T\xfb\x1e\x0b\xca\x14\xde\xadrh&\x9b%\xa2\x04\xe2\xce\xecy\x7f\x1fL:\xe9\xbb\xa2v\x8c\xecK]\xe8\xc8\xa2q2(\xc3\xfcG(\x87H\xf0\x1dO\xeb\xb7\x17f-C\xfb\xdb\xa1\xb0\xb3 \xd3\xc8"\xdb\xa0\xfd\xe1\xb4\xf4;\xf8!\xa1\xdb C\x17\x9e\xc3\xb3\x03\xab\x03\x9ev\x98_\x8b\x130\xd3\x99\xf4\xa0\xbfD\xcf\xd4b\x11[\x80K\xe0ov\xbb\xae\xd2\xebs\x02zt\x06\xb8\xaey\xb9\x87\xb8\x8dqm\x9d\xcf\xa7\xeb\xa7\xea\xde\xa9/u\x05\xd88\x04q\x8f\xd2\xe1\x8f\x0b\xee\xab\x8c(&\xa2m\\\xd0@o\xf2\xfa,vx\x81Y\x17P\x8f\x98\xfd\xa1|'
b'\x00\x99\xc4\x1a\xf9\xfc{7"\x9c\xaa:!\xad]\x90\x11\xd7]\xa4XR\x16&\xa1\xdcEv\x99{\xa5w\xaa-%\xc8\x111m\xc3\xa2V\xaa[\xa5\xb5\xe0\n\xe3J\xf0*\xfa\xfc\xa0e\x89\xc4z<\xbe\x95%\xba[\xaf\x14\xe5\xf8\x94~\'\x8f\x1e\t\xb0\xd7\xe28\xf4\xd8\xcb

**Exercise**: generate the SHA-256 hash of a message or document. Sign the hash with RSA. Verify the correctness of the signature.

In [11]:
from cryptography.hazmat.primitives.asymmetric import utils

hasher = hashes.Hash(hashes.SHA256(), default_backend())
hasher.update(message)
digest = hasher.finalize()
signature = key.sign(
    digest,
    padding.PSS(
        mgf=padding.MGF1(hashes.SHA256()),
        salt_length=padding.PSS.MAX_LENGTH
    ),
    utils.Prehashed(hashes.SHA256())
)
print(signature)

b'\x9c\'\x1af}\xf9\xb6\x98\xef\xa9\x12/\x92jS\xf6x\x99\xdf"\xc1\x99{\xff\x9bNQ\x7f\x1f\x0f\x9d\x12%\xb1q,I\xf3\x07\xe4\xb7\xbe\xf8\x01$#aM\xa1\xd9\x90\x9as\x8a\x12`v\x15&\xbbn\xa9\n\xe3w\t\xaf\xee\xfb\xdf\x00$\xdes\xba\xcftU\xb82\x83\xdePZof\x8e\xaf{"Xn\x81n\n\x1ce\xb8\xa94\xfd\xdd\x15\xfa\xdc\x01\xe9!\xea0\xcd\x1f\x86\n\x9cx\x07\xe7\xd0\x0b\xfcge@\xb6\xd9\x94t\r\xc2=\xc7\x15\xef\x04+\xd0>\xcez&\xd5\xf4\xd2\xf6\x01\x87\xdd\xc4\xec\xeb}&}\x12\xc9\x0f\xdat\xfd\t\x8b%\x81\xd7\'\xd7\x9a\xb0\xc2\xfb\x1c\xa3\x9c\x12\xcf\x84\xf2\xcc\xe8\xe5iRE\xa2\x10\x8dF\xb5cW\xd4\xdf7\x80\x82=\xc7\xbe\xdc\xa3\x92\x89\xa9\x11d\xb5\xd4\xf7\x08\xcf\\\xc3\xb1<\xb2G\x8b*\xe6<\x80\x10\x0eq\xf9Q\x92\xe9\xf8Z\xc86\xa3\xb2u&\xe0\xb3\xed>\x9c<\xc7\xd0\xb4\tvl\xd7\x8c"\xb3`D\xf9'


# Digital certificates

A certificate is a structure that associates a public key with an identity. The X.509 standard specifies the structure of certificates for various purposes, e.g. online authentication.

## Requesting and issuing certificates

In order to obtain a certificate, a website prepares a Certificate signing request (CSR) with its own information, then requests a signature by its chosen CA. This is usually a paid service.

In order for a CA to decide whether to sign the CSR and therefore issue a certificate, it has to establish whether the entity requesting the certificate really does control the website. There is a currently proposed standard for this procedure in [RFC 8555](https://tools.ietf.org/html/rfc8555).

**Exercise**: create a CSR with Subject information of your choice.

In [4]:
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes

csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
    # Provide various details about the subject.
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"IT"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Italy"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Rome"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Org"),
    x509.NameAttribute(NameOID.COMMON_NAME, u"site.it"),
])).add_extension(
    x509.SubjectAlternativeName([
        # List domains for which the certificate is valid.
        x509.DNSName(u"site.it"),
        x509.DNSName(u"www.site.it"),
        x509.DNSName(u"subdomain.site.it"),
    ]),
    critical=False,
# Sign the CSR with your private key.
).sign(key, hashes.SHA256(), default_backend())

b'K\x06K\x01\xc9\xcc\x16\xcbM\xe9L\xc6\xa7\x94\xa3\xc8K\x12x\xed\x99\x8aKV\xc0\x12o\xebj%\xc67'


## PKI and certificate verification

**Exercise**: Visit https://www.google.com. Through your browser (or otherwise) inspect their certificate. Make a note of the algorithms used for signature. Verify that the signature on their certificate is correct. Note the Issuer field.
Visit https://pki.goog/ to see the certificate authorities they use. Find the issuer of the certificate you were looking at, download their certificate, verify that the SHA1 signature published on the website matches, and repeat the process.

If you prefer, you can visit a different site (https) and verify a different certificate. Sooner or later you will reach a root CA, which should be included e.g. in the [mozilla CA certificate store](https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/), packaged with the Firefox browser.

## Standards
[NIST digital signatures project](https://csrc.nist.gov/Projects/Digital-Signatures)

# Theme
You can run the following cell to change the appearance of this notebook to suit your taste. Check for available themes on [github.com/dunovank/jupyter-themes](https://github.com/dunovank/jupyter-themes).

In [8]:
from jupyterthemes.stylefx import set_nb_theme
set_nb_theme('solarizedd')