ECE 646 Lecture 3. Key management

Transcription

1 ECE 646 Lecture 3 Key management

2 Required Reading Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E Chapter 14 Key Management and Distribution

3 Using the same key for multiple messages M 1 M 2 M 3 M 4 M 5 time E K time C 1 C 2 C 3 C 4 C 5

4 Using Session Keys & Key Encryption Keys K 1 K 2 K 3 time E KEK time E KEK (K 1 ) E KEK (K 2 ) E KEK (K 3 ) M 1 M 2 M 3 M 4 M 5 time E K1 E K2 E K3 time C 1 C 2 C 3 C 4 C 5

5 Control Vector Master Key Session Key Control Vector Master Key Encrypted Session Key Hashing Function Hashing Function Key input Plaintext input Key input Ciphertext input Encryption Function Decryption Function Encrypted Session Key Session Key (a) Control Vector Encryption (b) Control Vector Decryption Figure 14.6 Control Vector Decryption Control Vector Encryption and Decryption

6 Key Distribution Center (KDC) B K B-KDC K A-KDC A C K C-KDC K A-KDC K B-KDC K C-KDC K D-KDC KDC E K E-KDC D K D-KDC

7 Simple key establishment protocol based on KDC KDC K A-KDC K B-KDC K C-KDC K D-KDC... (1) let me talk with Bob (2b) K B-KDC ( Alice, K AB ) (2a) K A-KDC ( Bob, K AB ) Alice A K A-KDC K B-KDC B Bob

8 Key establishment protocol based on KDC KDC K A-KDC K B-KDC K C-KDC K D-KDC... (1) let me talk with Bob (2) K A-KDC ( Bob, K AB, ticket Bob ) Alice (3) ticket Bob = K B-KDC ( Alice, K AB ) A B K A-KDC K B-KDC Bob

9 Alice A s private key Key agreement Bob B s private key A s public key B s public key Secret derivation Secret derivation Key derivation Key of A and B Key derivation Key of A and B

10 x A Diffie-Hellman key agreement scheme Alice α, q - global public elements Bob x B y A = α x A mod q y B = α x B mod q x A S AB = y B mod q x B S AB = y A mod q Key derivation Key derivation Key K AB Key K AB

11 Man-in-the-middle attack Alice Bob A s private key B s private key A s public key B s public key Charlie Secret derivation C s public key C s public key Secret derivation Key derivation Key derivation Key of A and C Key of B and C

12 Does public key cryptography have an Achilles heel? Alice Bob, send me your public key, Alice Bob Bob s public key, Bob message encrypted using Bob s public key Charlie

13 Does public key cryptography have an Achilles heel? Alice Bob, send me your public key, Alice Bob Bob s public key, Bob Charlie s public key message encrypted using Bob s public key Charlie Charlie s public key

14 Does public key cryptography have an Achilles heel? Alice Bob, send me your public key, Alice Bob Bob s public key, Bob Charlie s public key message encrypted using Charlies s public key Charlie message reencrypted using Bob s public key

15 Directory of public keys (1) Bob, Bob s public key Alice, Alice s public key Bob, Bob s public key Charlie, Charlie s public key Dave, Dave s public key Eve, Eve s public key. On-line database Alice message encrypted using Bob s public key Bob Charlie

16 Directory of public keys (2) On-line database Bob, Bob s public key Charlie s public key Alice, Alice s public key Bob, Bob s public key Charlie, Charlie s public key Dave, Dave s public key Eve, Eve s public key. Alice message encrypted using Bob s public key Charlie Charlie s public key Bob

17 Directory of public keys (3) On-line database Bob, Bob s public key Charlie s public key Alice, Alice s public key Bob, Bob s public key Charlie, Charlie s public key Dave, Dave s public key Eve, Eve s public key. Alice Bob message encrypted using Charlie s public key Charlie message reencrypted using Bob s public key

18 PGP: Flow of trust Manual exchange of public keys: Las Vegas Bob David Edinburgh David Betty Bob (Washington) David (New York) Betty (London) David, send me Betty s public key Betty s public key signed by David message encrypted using Betty s public key

19 Certification Authority Loren Kohnfelder, Towards a Practical Public-Key Cryptosystem, Bachelor s Thesis, MIT, May Proof of identity Public key of Bob Certification Authority Certificate Public key of Certification Authority

20 Certificate Subject name Subject s public key Subject s Credentials Serial number Issuer (CA) name Period of validity Signature algorithm identifier CA s signature

21 The exact X.509 Certificate Format [Stallings, 2010]

22 Distinguished Name (DN) according to X.500 Example: Common name (CN) = Kris Gaj Country name (C) = US State or province name (ST) = VA Locality name (L) = Fairfax Organization name (O) = George Mason University Organizational unit name (OU) = ECE Other fields permitted: Street address (SA) Post office box (PO Box) Postal code (PC) Title (T) Description (D) Telephone number (TN) Serial number (SN)

23

24 Examples of X.509 version extensions Key usage: Restrictions on the use of a given key, e.g., digital signature, key encryption, data encryption, key agreement. Subject key identifier: A subject may have different key pairs for different purposes (e.g., digital signature, key agreement). Private key usage period: Period of use of the corresponding private key. Subject alternative name: Application specific name, e.g. address. Basic constraints: Identifies if the subject may act as a CA.

25 Non-repudiation only Alice Bob M, SGN A (M), Cert CA (A, KU A ) Alice s private key - KR A CA s public key - KU CA Notation: KU X - public key of X KR X - private key of X SGN X (M) - signature of X for the message M Cert Y (X, KU X ) - certificate issued by Y for the user X

26 Cert CA (B, KU B ) Confidentiality only Cert CA (A, KU A ) Cert CA (B, KU B ) Cert CA (C, KU C ) Cert CA (D, KU D ). On-line database Alice K AB (M), KU B (K AB ) Bob CA s public key - KU CA Bob s private key - KR B

27 Confidentiality and Non-repudiation Cert CA (B, KU B ) Cert CA (A, KU A ) Cert CA (B, KU B ) Cert CA (C, KU C ) Cert CA (D, KU D ). On-line database Alice SGN A (M), Cert CA (A, KU A ), K AB (M), KU B (K AB ) Bob Alice s private key - KR A CA s public key - KU CA Bob s private key - KR B CA s public key - KU CA

28 Public Key Infrastructure with Reverse Certificates US VA MA CA Fairfax Herndon Worcester Boston Santa Clara San Jose GMU MIT A A knows KU GMU M, SGN A (M), Cert GMU (A, KU A ), Cert Fairfax (GMU, KU GMU ), Cert VA (Fairfax, KU Fairfax ), Cert US (VA, KU VA ), Cert MA (US, KU US ), Cert Boston (MA, KU MA ), Cert MIT (Boston, KU Boston ) B B knows KU MIT

29 Public Key Infrastructure with Strict Hierarchy US VA MA CA Fairfax Herndon Worcester Boston Santa Clara San Jose GMU MIT A M, SGN A (M), All users know KU US Cert GMU (A, KU A ), Cert Fairfax (GMU, KU GMU ), Cert VA (Fairfax, KU Fairfax ), Cert US (VA, KU VA ), B

30 Public Key Infrastructure with Cross-Certificates Cert GMU (MIT, KU MIT ) Cert MIT (GMU, KU GMU ) GMU MIT A A knows KU GMU B B knows KU MIT M, SGN A (M), Cert GMU (A, KU A ), Cert MIT (GMU, KU GMU )

31 Certificate Revocation Lists (CRLs) This update date Next update date Issuer (CA) name List of revoked certificates (serial number + revocation date) Signature algorithm CA s signature Certificate is valid if it has a valid signature of CA did not expire is not listed in the CA s most recent CRL

32 The exact X.509 CRL Format [Stallings, 2006]

33 Advantages of Certification Authorities over Key Distribution Centers CA does not need to be on-line CA is relatively easy to implement CA crash = no new users in the network but all old users operate normally certificates are not security sensitive, they can be stored in a public database, and transmitted over a public network compromised CA cannot decrypt messages (without first impersonating one of the users) only active attacks can be mounted using CAs private key

34 Authenticated key agreement A s static private key A s ephemeral private key A s ephemeral public key Secret derivation Key derivation key A s static public key certificates B s static public key B s ephemeral public key Secret derivation Key derivation key B s static private key B s ephemeral private key

35 Authenticated key agreement A s static private key x A A s ephemeral private key r A A s ephemeral public key A s static public key y A p A certificates B s static public key p B y B r B x B B s ephemeral public key B s static private key B s ephemeral private key Secret derivation Key derivation key x A Z = y B p B r A x Z = y B r A p B A Secret derivation Key derivation key

36 1 2 3 Station-to-Station (STS) Protocol Authenticated key agreement with key confirmation Alice Bob KU Z static public key of Z KR Z static private key of Z x Z ephemeral private key of Z y Z ephemeral public key of Z y A y B, K AB (SGN B (y B, y A )), Cert CA (B, KU B )) K AB (SGN A (y A, y B )), Cert CA (A, KU A )) KR A static private key of A KU CA static public key of CA Cert CA (A, KU A )) certificate of A issued by CA Notation: KR B static private key of B KU CA static public key of CA Cert CA (B, KU B )) certificate of B issued by CA SGN Z (M) - signature of Z for the message M Cert CA (Z, KU Z ) certificate of Z issued by CA