Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution

Transcription

1 Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of Science and Technology 23 September 2016 rev Egemen K. Çetinkaya

2 Key Management and Distribution Outline Symmetric key distribution Public key distribution X.509 certificates PKI 23 September 2016 MST CPE 5420 Key Management and Distribution 2

3 Key Management and Distribution Symmetric Key Distribution Symmetric key distribution using symmetric key encryption using asymmetric encryption Public key distribution X.509 certificates PKI 23 September 2016 MST CPE 5420 Key Management and Distribution 3

4 Key Management and Distribution Overview Delivery of a key to two parties Frequent key changes are desirable to limit amount of data compromised if attacker learns key For symmetric encryption to work two parties exchange share the same key key must be protected from access by others 23 September 2016 MST CPE 5420 Key Management and Distribution 4

5 Symmetric Key Distribution Methods Key exchange between the sender and receiver sender and receiver physically exchange the key sender and receiver use a recent (old) key to decrypt and exchange the new key Key distribution via third party third party selects key and physically deliver to end systems third party delivers the key via encrypted links Scale is an issue how would you distribute many keys physically? Third party against the very basic principle of security 23 September 2016 MST CPE 5420 Key Management and Distribution 5

6 Symmetric Key Distribution Scale How many keys are needed in n node comm.? Egemen K. Çetinkaya 23 September 2016 MST CPE 5420 Key Management and Distribution 6

7 Symmetric Key Distribution Scale Egemen K. Çetinkaya Number of keys needed: n (n 1)/2 23 September 2016 MST CPE 5420 Key Management and Distribution 7

8 Symmetric Key Distribution Key Hierarchy Egemen K. Çetinkaya Hierarchy reduces number of keys exchanged 23 September 2016 MST CPE 5420 Key Management and Distribution 8

9 Symmetric Key Distribution Centralized Scenario Egemen K. Çetinkaya Key exchange involves distribution and authentication 23 September 2016 MST CPE 5420 Key Management and Distribution 9

10 Symmetric Key Distribution Centralized Scenario Steps Step 1: initiator requests session key using initiator id, responder id, nonce nonce: random number that prevents masquerading Step 2: KDC responds session key encrypted using initiator's master key Step 3: initiator forwards session key to responder encrypted using responder s master key Step 4: responder sends a nonce validating session key using a different nonce Step 5: initiator responds to nonce validating identity completes authentication between initiator and responder 23 September 2016 MST CPE 5420 Key Management and Distribution 10

11 Hierarchical Key Distribution Overview What are the issues using one KDC? Egemen K. Çetinkaya 23 September 2016 MST CPE 5420 Key Management and Distribution 11

12 Hierarchical Key Distribution Architecture Using one KDC does not scale Uses local KDC for local domain communication If two entities in different domains desire shared key corresponding local KDCs communicate through global KDC Scheme minimizes effort in master key distribution most master keys shared by local KDC and its local entities limits range of faulty or subverted KDC to its local area only Hierarchical can be extended to three or more layers 23 September 2016 MST CPE 5420 Key Management and Distribution 12

13 Symmetric Key Distribution Decentralized Scenario Key exchange does not involve KDC Session key exchanged between initiator & responder This eliminates concern about KDC trustworthiness Not practical for larger networks 23 September 2016 MST CPE 5420 Key Management and Distribution 13

14 Symmetric Key Distribution Decentralized Scenario Steps Step 1: initiator requests session key from responder using initiator id, nonce nonce: random number that prevents masquerading Step 2: responder responds session key encrypted using master key (between two parties) responder also send a second nonce Step 3: initiator responds to nonce validating identity completes authentication between initiator and responder 23 September 2016 MST CPE 5420 Key Management and Distribution 14

15 Key Usage Lifetime and Control Session key lifetime has tradeoffs more frequent the session keys, more secure communication more frequent session keys delays start of communication exchange overhead of key exchange reduces network capacity Connection-oriented protocols key length time during session Connectionless protocols key length time for a fixed period of time Keys should be controlled/separated master and session keys should be separate 23 September 2016 MST CPE 5420 Key Management and Distribution 15

16 Key Management and Distribution Symmetric Key Distribution Symmetric key distribution using symmetric key encryption using asymmetric encryption Public key distribution X.509 certificates PKI 23 September 2016 MST CPE 5420 Key Management and Distribution 16

17 Symmetric Key Distribution Using Public-key Encryption Step 1: initiator requests session key from responder using initiator id and public-key Step 2: responder responds session key encrypted using public-key only A can decrypt using A s private-key What is the security risk? 23 September 2016 MST CPE 5420 Key Management and Distribution 17

18 Symmetric Key Distribution Man-in-the-Middle Attack Egemen K. Çetinkaya D can eavesdrop & capture session key, alternative? 23 September 2016 MST CPE 5420 Key Management and Distribution 18

19 Symmetric Key Distribution Using Public-key Encryption Key exchange does not involve KDC Session key exchanged between initiator & responder Uses two separate public-keys 23 September 2016 MST CPE 5420 Key Management and Distribution 19

20 Symmetric Key Distribution Using Public-key Encryption Step 1: initiator requests session key from responder using initiator id, nonce A encrypted with B s public key Step 2: responder responds two nonce: nonce A and nonce B encrypted using A s public-key Step 3: initiator responds to nonce B encrypted using B s public-key this step confirms A is intended initiator from B s perspective Step 4: initiator sends session key encrypted with A s private key and B s public-key 23 September 2016 MST CPE 5420 Key Management and Distribution 20

21 Key Management and Distribution Public Key Distribution Symmetric key distribution Public key distribution X.509 certificates PKI 23 September 2016 MST CPE 5420 Key Management and Distribution 21

22 Public-Key Distribution Methods Egemen K. Çetinkaya What are the methods for public-key distribution? 23 September 2016 MST CPE 5420 Key Management and Distribution 22

23 Public-Key Distribution Methods Public announcement Publicly available directory Public-key authority Public-key certificates 23 September 2016 MST CPE 5420 Key Management and Distribution 23

24 Public-Key Distribution Public Announcement Users broadcast their public-key Disadvantage? 23 September 2016 MST CPE 5420 Key Management and Distribution 24

25 Public-Key Distribution Public Announcement Users broadcast their public-key User forgery anyone can claim to be A and encrypt/decrypt messages use of network resources for broadcasting 23 September 2016 MST CPE 5420 Key Management and Distribution 25

26 Public-Key Distribution Publicly Available Directory Authority maintains directory with {name, public-key} Participants register, replace, access directory Disadvantage? 23 September 2016 MST CPE 5420 Key Management and Distribution 26

27 Public-Key Distribution Publicly Available Directory Authority maintains directory with {name, public-key} Participants register, replace, access directory Single point of attack 23 September 2016 MST CPE 5420 Key Management and Distribution 27

28 Public-Key Distribution Public-key Authority Authority distributes public-keys using encrypted messages Public-keys can be cached in end-users memory Disadvantage? 23 September 2016 MST CPE 5420 Key Management and Distribution 28

29 Public-Key Distribution Public-key Authority Authority distributes public-keys using encrypted messages Public-keys can be cached in end-users memory Single point of attack and 7 steps 23 September 2016 MST CPE 5420 Key Management and Distribution 29

30 Public-Key Distribution Public-key Certificates Public-key authority could be bottleneck in system users contact authority for a public key for every other user Authority is vulnerable to tampering Certificates can be used to exchange keys without contacting a public-key authority without sacrificing security A certificate consists of: a public key an identifier of the key owner the whole block signed by a trusted third party 23 September 2016 MST CPE 5420 Key Management and Distribution 30

31 Public-Key Distribution Certificate Authority The trusted third party is a certificate authority trusted by the user community a government agency or a financial institution A user presents public key to obtain a certificate The user can then publish the certificate anyone can obtain the certificate and verify its validity Requirements: any participant can read a certificate any participant can verify that the certificate is authentic only certificate authority can create and update certificates any participant can verify the currency of the certificate 23 September 2016 MST CPE 5420 Key Management and Distribution 31

32 Public-Key Certificates Obtaining Certificates Users supply public-key to obtain certificate Application must be in person or some secure way Certification includes timestamp, id, public-key encrypted using private key of the authority 23 September 2016 MST CPE 5420 Key Management and Distribution 32

33 Public-Key Certificates Exchanging Certificates Initiator A sends the certificate to responder B Responder B decrypts the message using private-key of the authority Users have id, timestamp, and public-key Timestamp prevents replay attack timestamp serves as an expiration date 23 September 2016 MST CPE 5420 Key Management and Distribution 33

34 Key Management and Distribution X.509 Certificates Symmetric key distribution Public key distribution X.509 certificates PKI 23 September 2016 MST CPE 5420 Key Management and Distribution 34

35 X.509 Certificates Overview Recommendation International Standard ITU-T X.509 ISO/IEC Defines a framework for: public-key certificates attribute certificates These frameworks used by applications: Public Key Infrastructures (PKI) Privilege Management Infrastructures (PMI) Defines a framework that defines directory services directory is, in effect, a server or distributed set of servers that maintains a database of information about users 23 September 2016 MST CPE 5420 Key Management and Distribution 35

36 X.509 Certificates History Latest version is V3 23 September 2016 MST CPE 5420 Key Management and Distribution 36

37 X.509 Certificates Usage X.509 defines framework for authentication services based on public-key cryptography and digital signatures does not dictate a specific algorithm but recommends RSA does not dictate a specific hash algorithm Each certificate contains the public key of a user key signed with private key of trusted certification authority Used in S/MIME, IPsec, SSL/TLS protocols 23 September 2016 MST CPE 5420 Key Management and Distribution 37

38 X.509 Certificates Generation of Public-key Certificate Egemen K. Çetinkaya 23 September 2016 MST CPE 5420 Key Management and Distribution 38

39 X.509 Certificates Certificate Creation Public-key certificates associated with each user User certificates created by Certification Authority, CA Placed in the directory by the CA or by the user Directory server itself is not responsible for creation of public keys certificate creation Directory provides certificates to users 23 September 2016 MST CPE 5420 Key Management and Distribution 39

40 X.509 Certificates Certificate Fields 1 CA<<A>> = CA {V, SN, AI, CA, UCA, A, UA, Ap, T A } Version Serial Number Algorithm ID Issuer Validity not before not after 23 September 2016 MST CPE 5420 Key Management and Distribution 40

41 Subject Subject Public Key Info public key algorithm subject public key X.509 Certificates Certificate Fields 2 Issuer Unique Identifier (optional) Subject Unique Identifier (optional) Extensions (optional)... Certificate Signature Algorithm Certificate Signature 23 September 2016 MST CPE 5420 Key Management and Distribution 41

42 X.509 Certificates Formats 23 September 2016 MST CPE 5420 Key Management and Distribution 42

43 X.509 Certificates Obtaining Certificate User certificates have the following characteristics: any user can verify the user public key that was certified with access to the public key of the CA only CA can modify certificate without this being detected Certificates are unforgeable they can be placed in a directory without protection Many CAs serving a fraction of users Chaining possible: suppose X 1 <<A>>, X 2 <<B>> CAs X 1 and X 2 exchanged their public keys; then X 1 <<X 2 >> X 1 <<X 2 >> X 2 <<B>> 23 September 2016 MST CPE 5420 Key Management and Distribution 43

44 X.509 Certificates Hierarchy Example A can obtain B s public key via the following path: X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>> 23 September 2016 MST CPE 5420 Key Management and Distribution 44

45 X.509 Certificates Certificate Revocation Each certificate includes a period of validity typically a new certificate is issued before old one expires Certificate revocation reasons: the user s private key is assumed to be compromised the user is no longer certified by this CA the CA s certificate is assumed to be compromised Each CA maintains a list of revoked certificates these lists should be posted on the directory 23 September 2016 MST CPE 5420 Key Management and Distribution 45

46 X.509 Certificates Certificate Revocation List Users maintain local cache of certificates and CRL 23 September 2016 MST CPE 5420 Key Management and Distribution 46

47 Certificates Practical Aspects Client browsers include a set of CA certificates Customers of a CA are server administrators e.g. financial institutions Important CAs Symantec bought Verisign Comodo SSL Go Daddy GlobalSign What are the issues in this model? [ref: Symantec.com] 23 September 2016 MST CPE 5420 Key Management and Distribution 47

48 Example scenario: Certificates Practical Aspects players: realbank, fakebank, user, CA fakebank applies CA obtains a certificate claiming to be realbank fakebank sends user asking credentials (phishing) Google fraudulent certificates for more cases Certification of CAs Certificate Authority Security Council (CASC) Common Computing Security Standards Forum (CCSF) CA/Browser Forum 23 September 2016 MST CPE 5420 Key Management and Distribution 48

49 Key Management and Distribution PKI Symmetric key distribution Public key distribution X.509 certificates PKI 23 September 2016 MST CPE 5420 Key Management and Distribution 49

50 Public-key Infrastructure Overview Public-key infrastructure (PKI): set of hardware, software, people, policies, and procedures create, manage, store, distribute, and revoke certificates based on asymmetric cryptography PKI aims to: secure, convenient, and efficient acquisition of public keys PKI based on X.509 is called PKIX by IETF; more on PKIX key five elements: end entity, CA, RA: registration authority CRL issuer, repository 23 September 2016 MST CPE 5420 Key Management and Distribution 50

51 PKIX Architecture PKI mgmt. functions: reg, ini, cer, kpr, kpu, rr, cc 23 September 2016 MST CPE 5420 Key Management and Distribution 51

52 References and Further Reading [KPS2002] Charlie Kaufman, Radia Perlman, and Mike Speciner, Network Security: Private Communication in a Public World, 2nd edition, Prentice Hall, [S2017] William Stallings, Cryptography and Network Security: Principles and Practice, 7th edition, Prentice Hall, RFC 5280, RFC 3647 NIST SP part 1: part 2: part 3: ITU-T X.509 unpublished version: 23 September 2016 MST CPE 5420 Key Management and Distribution 52

53 End of Foils 23 September 2016 MST CPE 5420 Key Management and Distribution 53