Datasäkerhetsmetoder föreläsning 7

Transcription

1 Datasäkerhetsmetoder föreläsning 7 Nyckelhantering Jan-Åke Larsson

2 Cryptography A security tool, not a general solution Cryptography usually converts a communication security problem into a key management problem So now you must take care of the key security problem, which becomes a problem of computer security

3 Key management Cliff Serge Grant The problem is to generate distribute store use revoke the key in a secure way

4 Key generation The key size decides how many different keys you can have, the search space for exhaustive key search If keys are not chosen at random, the attacker can first try more likely keys If all bit combinations are not used, security is given by the number of possible keys, not the size in bits If keys are generated from a known random seed, the size of that seed decides the security

5 Key length

6 Key length Table 7.1: Minimum symmetric key-size in bits for various attackers Attacker Budget Hardware Min security (1996) Hacker 0 PC < $400 PC(s)/FPGA Malware 73 Small organization $10k PC(s)/FPGA Medium organization $300k FPGA/ASIC Large organization $10M FPGA/ASIC Intelligence agency $300M ASIC From ECRYPT II Yearly Report on Algorithms and Keysizes ( )

7 Key length Table 7.1: Minimum symmetric key-size in bits for various attackers Attacker Budget Hardware Min security (1996) Hacker 0 PC < $400 PC(s)/FPGA Malware 77 Small organization $10k PC(s)/FPGA Medium organization $300k FPGA/ASIC Large organization $10M FPGA/ASIC Intelligence agency $300M ASIC From ECRYPT II Yearly Report on Algorithms and Keysizes ( )

8 Key establishment and authentication Cliff Serge Grant Once upon a time, protocols establishing a session key was called authentication protocols This is no longer the case Kerberos (to the left) is known mainly as an authentication protocol The end result is an authorization ticket that contains a session key

9 Key Management The first key in a new connection or association is always delivered via a courier Once you have a key, you can use that to send new keys If Alice shares a key with and shares a key with Bob, then Alice and Bob can exchange a key via (provided they both trust )

10 Key distribution center If Alice shares a key with and shares a key with Bob, then Alice and Bob can exchange a key via (provided they both trust ) Key distribution center K AT, K BT Alice, K AT Bob, K BT

11 Key distribution center If Alice shares a key with and shares a key with Bob, then Alice and Bob can exchange a key via (provided they both trust ) 1: E KAT (ID B K AB ) Key distribution center K AT, K BT Alice, K AT Bob, K BT

12 Key distribution center If Alice shares a key with and shares a key with Bob, then Alice and Bob can exchange a key via (provided they both trust ) 1: E KAT (ID B K AB ) Key distribution center K AT, K BT 2: E KBT (ID A K AB ) Alice, K AT Bob, K BT

13 Key distribution center, key server If Alice shares a key with and shares a key with Bob, then Alice and Bob can receive a key from (provided they both trust ) 1: E KAT (ID B ) Key distribution center K AT, K BT Alice, K AT Bob, K BT

14 Key distribution center, key server If Alice shares a key with and shares a key with Bob, then Alice and Bob can receive a key from (provided they both trust ) Alice, K AT 1: E KAT (ID B ) Key distribution center K AT, K BT 2: E KAT (ID B K AB ) 2: E KBT (ID A K AB ) Bob, K BT

15 Key distribution center If Alice shares a key with and shares a key with Bob, then Alice and Bob can exchange a key via (provided they both trust ) 1: E KAT (ID B K AB ) Key distribution center K AT, K BT 2: E KBT (ID A K AB ) Alice, K AT Bob, K BT

16 Key distribution center, replay attacks But perhaps Eve has broken a previously used key, and intercepts Alice s request Key distribution center K AT, K BT 1: E KAT (ID B K AB ) Eve Alice, K AT Bob, K BT

17 Key distribution center, replay attacks But perhaps Eve has broken a previously used key, and intercepts Alice s request Then she can fool Bob into communicating with her Key distribution center K AT, K BT Alice, K AT 1: E KAT (ID B K AB ) Eve 2: old E KBT (ID A K AB ) Bob, K BT

18 Key distribution center, wide-mouthed frog Alice and add time stamps to prohibit the attack 1: E KAT (t A ID B K AB ) Key distribution center K AT, K BT Alice, K AT Bob, K BT

19 Key distribution center, wide-mouthed frog Alice and add time stamps to prohibit the attack 1: E KAT (t A ID B K AB ) Key distribution center K AT, K BT 2: E KBT (t T ID A K AB ) Alice, K AT Bob, K BT

20 Key distribution center, wide-mouthed frog Alice and add time stamps to prohibit the attack But now, Eve can pretend to be Bob and make a request to 1: E KAT (t A ID B K AB ) Key distribution center K AT, K BT 3: E KBT (t T ID A K AB ) 2: E KBT (t T ID A K AB ) Eve Alice, K AT Bob, K BT

21 Key distribution center, wide-mouthed frog Alice and add time stamps to prohibit the attack But now, Eve can pretend to be Bob and make a request to, who will forward the key to Alice Key distribution center K AT, K BT Eve Alice, K AT Bob, K BT 1: E KAT (t A ID B K AB ) 4: E KAT (t T ID B K AB ) 3: E KBT (t T ID A K AB ) 2: E KBT (t T ID A K AB )

22 Key distribution center, Needham-Schroeder key agreement Another variation is to use nonces to prohibit the replay attack Key distribution center K AT, K BT 1: ID A ID B r 1 Alice, K AT Bob, K BT

23 Key distribution center, Needham-Schroeder key agreement Another variation is to use nonces to prohibit the replay attack Key distribution center K AT, K BT 1: ID A ID B r 1 2: E KAT (K S ID B r 1 E KBT (K S ID A )) Alice, K AT Bob, K BT

24 Key distribution center, Needham-Schroeder key agreement Another variation is to use nonces to prohibit the replay attack Key distribution center K AT, K BT 1: ID A ID B r 1 2: E KAT (K S ID B r 1 E KBT (K S ID A )) 3: E KBT (K S ID A ) Alice, K AT Bob, K BT

25 Key distribution center, Needham-Schroeder key agreement Another variation is to use nonces to prohibit the replay attack Key distribution center K AT, K BT 1: ID A ID B r 1 2: E KAT (K S ID B r 1 E KBT (K S ID A )) 3: E KBT (K S ID A ) Alice, K AT 4: E KS (r 2 ) Bob, K BT

26 Key distribution center, Needham-Schroeder key agreement Another variation is to use nonces to prohibit the replay attack Key distribution center K AT, K BT 1: ID A ID B r 1 2: E KAT (K S ID B r 1 E KBT (K S ID A )) 3: E KBT (K S ID A ) Alice, K AT 4: E KS (r 2 ) 5: E KS (r 2 1) Bob, K BT

27 Key distribution center, Needham-Schroeder key agreement Another variation is to use nonces to prohibit the replay attack If Eve ever breaks one session key, she can get Bob to reuse it Key distribution center K AT, K BT 1: E KBT (K S ID A ) Alice, K AT Eve 2: E KS (r 2 ) 3: E KS (r 2 1) Bob, K BT

28 Kerberos K C, K G Grant K G, K S Cliff K C Serge K S

29 Kerberos K C, K G Grant K G, K S 1 1. Cliff sends ID C ID G Cliff K C Serge K S

30 Kerberos K C, K G Grant K G, K S 2 1 Cliff K C 1. Cliff sends ID C ID G 2. responds width E KC (K CG ) TGT where TGT = ID G E KG (ID C t 1 K GC ) Serge K S

31 Kerberos K C, K G Grant K G, K S Cliff K C 1. Cliff sends ID C ID G 2. responds width E KC (K CG ) TGT where TGT = ID G E KG (ID C t 1 K GC ) 3. Cliff sends Grant E KCG (ID C t 2 ) TGT Serge K S

32 Kerberos K C, K G Grant K G, K S Cliff K C Serge K S 4 1. Cliff sends ID C ID G 2. responds width E KC (K CG ) TGT where TGT = ID G E KG (ID C t 1 K GC ) 3. Cliff sends Grant E KCG (ID C t 2 ) TGT 4. Grant responds with E KCG (K CS ) ST where ST = E KS (ID C t 3 t expir. K CS )

33 Kerberos K C, K G Grant K G, K S Cliff K C 5 Serge K S 4 1. Cliff sends ID C ID G 2. responds width E KC (K CG ) TGT where TGT = ID G E KG (ID C t 1 K GC ) 3. Cliff sends Grant E KCG (ID C t 2 ) TGT 4. Grant responds with E KCG (K CS ) ST where ST = E KS (ID C t 3 t expir. K CS ) 5. Cliff sends Serge E KCS (ID C t 4 ) and can then use Serge s services

34 Kerberos realms K C, K G Grant K G, K S Cliff K C 4 Contains one authentication server (KAS), several authorization servers (TGS), and many services Distributed system, with centralized access control, a single security policy that is easy to check, and change 5 Serge K S A realm often corresponds to a single organization, and several realms can be connected This often is controlled by trust (shared keys), but also other considerations like contractual agreements

35 Controlled invocation in distributed systems K C, K G Grant K G, K S Cliff K C 5 Serge K S 4 The remote program (subject) needs to act on behalf of the user (principal) In Windows AD ( Kerberos), this can be done in two ways Proxy tickets that are limited in the access rights, e.g., to one file for printing it Forwarded TGTs that can be used to apply for new tickets on behalf of the user The latter is like lending out your password for the duration of the ticket

36 Revocation in Kerberos K C, K G Grant K G, K S Cliff K C 4 The access rights of the principal needs to be revoked at the TGS But issued tickets continue to be valid until they expire (TOCTTOU) 5 Typically, KAS tickets is vaild for a day Serge K S There is a tradeoff between convenience (long validity) and fast revocation (short validity)

37 Kerberos, more comments K C, K G Cliff K C 5 Serge K S 4 Grant K G, K S Lots of technical details: Clock sync Timestamp skew window Online servers (Availability) Trusting servers Password security Client machine security DOSing the KAS...

38 Public key distribution, Diffie-Hellmann Diffie-Hellman key exchange is a way to share key Alice and Bob create secrets a and b They send α a mod p and α b mod p to each other Key distribution center K AT, K BT α a mod p Alice, a, K AT Bob, b, K BT α b mod p

39 Public key distribution, Diffie-Hellmann Diffie-Hellman key exchange is a way to share key Alice and Bob create secrets a and b They send α a mod p and α b mod p to each other Both calculate K AB = (α a ) b = (α b ) a mod p Key distribution center K AT, K BT α a mod p K AB = (α b ) a Alice, a, K AT α b mod p Bob, b, K BT K AB = (α a ) b

40 Public key distribution, Diffie-Hellmann Diffie-Hellman key exchange is a way to share key However, Eve can do an intruder-in-the-middle Key distribution center K AT, K BT Alice, a, K AT α a mod p α e mod p Eve α e mod p α b mod p Bob, b, K BT

41 Public key distribution, Station-To-Station (STS) protocol If Alice shares a key with and shares a key with Bob, then Alice and Bob can use to verify that they exchange key with the right person Key distribution center K AT, K BT α a, E KAB (sig A (α a, α b )) Alice, a, K AT Bob, b, K BT α b, E KAB (sig B (α a, α b ))

42 Public key distribution, Station-To-Station (STS) protocol If Alice shares a key with and shares a key with Bob, then Alice and Bob can use to verify that they exchange key with the right person Key distribution center K AT, K BT ver B? α a, E KAB (sig A (α a, α b )) ver A? Alice, a, K AT Bob, b, K BT α b, E KAB (sig B (α a, α b ))

43 Public key distribution, Station-To-Station (STS) protocol If Alice shares a key with and shares a key with Bob, then Alice and Bob can use to verify that they exchange key with the right person Key distribution center K AT, K BT ver B? ver B ver A α a, E KAB (sig A (α a, α b )) ver A? Alice, a, K AT Bob, b, K BT α b, E KAB (sig B (α a, α b ))

44 Public key distribution Public key distribution uses a Public Key Infrastructure (PKI) Certification Authority s T, {e i } Alice, v T, d A Bob, v T, d B

45 Public key distribution, using Certification Authorities Public key distribution uses a Public Key Infrastructure (PKI) Alice sends a request to a Certification Authority (CA) who responds with a certificate, ensuring that Alice uses the correct key to communicate with Bob Certification Authority s T, {e i } 1: ID B Alice, v T, d A 2: e B, sign T (ID B, e B ) Bob, v T, d B

46 Public key distribution, using X.509 certificates The CAs often are commercial companies, that are assumed to be trustworthy Many arrange to have the root certificate packaged with IE, Mozilla, Opera,... They issue certificates for a fee They often use Registration Authorities (RA) as sub-ca for efficiency reasons This creates a certificate chain

47 The content of a X.509 certificate Version (v3) Serial Number Algorithm ID Issuer Validity Period Subject Name Subject Public Key Info (Algorithm, Public Key) Issuer Unique Identifier (optional) Subject Unique Identifier (optional) Extensions (optional) Certificate Signature Algorithm Certificate Signature

48 Revocation Certificate Revocation Lists distributed at regular intervals is the proposed solution in X.509 On-line checks are better, but can be expensive Short-lived certificates are an alternative, but needs frequent certificate changes And the CAs themselves are not the best examples of trustworthy organizations

49 Public key distribution, X.509 (PKIX) certificates in your browser

50 Public key distribution, using web of trust No central CA Fred Alice Bob Users sign each other s public key (hashes) This creates a web of trust Eric Charlie Diana

51 Public key distribution, using web of trust (PGP and GPG) No central CA Fred Alice Bob Users sign each other s public key (hashes) This creates a web of trust Eric Diana Charlie Each user keeps a keyring with the keys (s)he has signed The secret key is stored on a secret keyring, on h{er,is} computer The public key(s) and their signatures are uploaded to key servers

52 Public key distribution, a web-of-trust path

53 Secure Sockets Layer (SSL); Transport Layer Security (TLS) This is a client-server handshake procedure to establish key The server (but not the client) is authenticated (by its certificate) Client Server

54 Secure Sockets Layer (SSL); Transport Layer Security (TLS) ClientHello: highest TLS protocol version, random number, suggested public key systems + symmetric key systems + hash functions + compression algorithms ClientHello Client Server

55 Secure Sockets Layer (SSL); Transport Layer Security (TLS) ClientHello: highest TLS protocol version, random number, suggested public key systems + symmetric key systems + hash functions + compression algorithms ServerHello, Certificate, ServerHelloDone: chosen protocol version, a (different) random number, system choices, public key ClientHello ServerHello,... Client Server

56 Secure Sockets Layer (SSL); Transport Layer Security (TLS) ClientHello: highest TLS protocol version, random number, suggested public key systems + symmetric key systems + hash functions + compression algorithms ServerHello, Certificate, ServerHelloDone: chosen protocol version, a (different) random number, system choices, public key ClientKeyExchange: PreMasterSecret, encrypted with the server s public key ClientHello ServerHello,... Client ClientKeyExchange Server

57 Secure Sockets Layer (SSL); Transport Layer Security (TLS) ClientHello: highest TLS protocol version, random number, suggested public key systems + symmetric key systems + hash functions + compression algorithms ServerHello, Certificate, ServerHelloDone: chosen protocol version, a (different) random number, system choices, public key ClientKeyExchange: PreMasterSecret, encrypted with the server s public key (Master secret): creation of master secret using a pseudorandom function, with the PreMasterSecret as seed (Session keys): session keys are created using the master secret, different keys for the two directions of communication ClientHello ServerHello,... Client ClientKeyExchange Server

58 Secure Sockets Layer (SSL); Transport Layer Security (TLS) ClientHello: highest TLS protocol version, random number, suggested public key systems + symmetric key systems + hash functions + compression algorithms ServerHello, Certificate, ServerHelloDone: chosen protocol version, a (different) random number, system choices, public key ClientKeyExchange: PreMasterSecret, encrypted with the server s public key (Master secret): creation of master secret using a pseudorandom function, with the PreMasterSecret as seed (Session keys): session keys are created using the master secret, different keys for the two directions of communication ChangeCipherSpec, Finished authenticated and encrypted, containing a MAC for the previous handshake messages ClientHello ServerHello,... Client ClientKeyExchange...,Finished Server

59 Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Client ClientHello ServerHello,... ClientKeyExchange...,Finished Server SSL 1.0 (no public release), 2.0 (1995), 3.0 (1996), originally by Netscape TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008), and some later changes Current problem: TLS 1.0 is fallback if either end does not support higher versions

60 Key management Cliff Serge Grant The problem is to generate distribute store use revoke the key in a secure way