Slide 1. ECE 646 Lecture 3: Key management
Required reading: Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E, Chapter 14, Key Management and Distribution.
Slide 2. Using the same key for multiple messages vs. using session keys and key encryption keys
(a) Same key for all messages: over time, M1, M2, M3, M4, M5 are each encrypted with E_K, giving C1, C2, C3, C4, C5.
(b) Session keys and key encryption keys (KEK): the session keys K1, K2, K3 are delivered over time as E_KEK(K1), E_KEK(K2), E_KEK(K3); the messages M1..M5 are encrypted with E_K1, then E_K2, then E_K3, giving C1..C5, so each session key protects only a short run of messages.
Slide 3. Control Vector Encryption and Decryption (Stallings, Figure 14.6)
(a) Control vector encryption: the control vector is passed through a hashing function; the hash is combined with the master key to form the key input of the encryption function; the session key is the plaintext input; the output is the encrypted session key.
(b) Control vector decryption: the same hashing function is applied to the control vector; the hash and the master key again form the key input, this time of the decryption function; the encrypted session key is the ciphertext input; the output is the session key.
Key Distribution Center (KDC): the KDC shares a distinct secret key with every user: K_A-KDC with A, K_B-KDC with B, K_C-KDC with C, K_D-KDC with D, K_E-KDC with E.
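Control-vector key wrapping as in Figure 14.6, written as an added example (not code from the lecture or from Stallings). It assumes a 32-byte session key, uses a SHA-256-derived mask in place of the block cipher so it runs with only the standard library, and adds an HMAC tag of its own so that a mismatched control vector is detected rather than silently yielding a wrong key.

```python
import hashlib
import hmac

# Key input = H(control vector) XOR master key, as in Stallings' Figure 14.6.
def wrapping_key(master_key: bytes, control_vector: bytes) -> bytes:
    h = hashlib.sha256(control_vector).digest()
    return bytes(a ^ b for a, b in zip(h, master_key))

# Stand-in for the encryption function: a keystream derived from the key input.
def _keystream(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(key + label).digest()

def wrap(master_key, control_vector, session_key):
    """Return (encrypted session key, integrity tag) for a 32-byte session key."""
    k = wrapping_key(master_key, control_vector)
    enc = bytes(a ^ b for a, b in zip(session_key, _keystream(k, b"enc")))
    tag = hmac.new(k, enc, hashlib.sha256).digest()   # added: detects a wrong CV
    return enc, tag

def unwrap(master_key, control_vector, enc, tag):
    """Recover the session key, or None when the control vector does not match."""
    k = wrapping_key(master_key, control_vector)
    if not hmac.compare_digest(tag, hmac.new(k, enc, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(enc, _keystream(k, b"enc")))

# Constructed demo values; the master key never leaves the secure module.
MASTER_KEY = hashlib.sha256(b"demo master key").digest()
CV_ENCRYPT_ONLY = b"usage=encrypt;expires=2030-01-01"
SESSION_KEY = hashlib.sha256(b"demo session key").digest()

def demo():
    enc, tag = wrap(MASTER_KEY, CV_ENCRYPT_ONLY, SESSION_KEY)
    ok = unwrap(MASTER_KEY, CV_ENCRYPT_ONLY, enc, tag)
    # Presenting the same encrypted key with an altered control vector
    # (e.g. to lift the usage restriction) derives a different key input.
    tampered = unwrap(MASTER_KEY, b"usage=any;expires=2030-01-01", enc, tag)
    return ok == SESSION_KEY, tampered is None
```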
Slide 4. Simple key establishment protocol based on KDC
The KDC holds K_A-KDC, K_B-KDC, K_C-KDC, K_D-KDC, ...; A holds K_A-KDC and B holds K_B-KDC.
(1) A -> KDC: let me talk with B
(2a) KDC -> A: K_A-KDC(B, K_AB)
(2b) KDC -> B: K_B-KDC(A, K_AB)
Key establishment protocol based on KDC (with a ticket)
(1) A -> KDC: let me talk with B
(2) KDC -> A: K_A-KDC(B, K_AB, ticket), where ticket = K_B-KDC(A, K_AB)
(3) A -> B: ticket
Slide 5. Diffie-Hellman key agreement scheme
Key agreement: A holds A's private key and B holds B's private key; each sends the other its public key; from the other side's public key and its own private key each side runs secret derivation and obtains the same key of A and B.
Global public elements: a, q.
A chooses x_A and computes y_A = a^x_A mod q; B chooses x_B and computes y_B = a^x_B mod q.
A computes S_AB = y_B^x_A mod q; B computes S_AB = y_A^x_B mod q; both derive the key K_AB from S_AB.
Slide 6. Man-in-the-middle attack
A holds A's private key and B holds B's private key, but Charlie sits between them and delivers C's public key to each side in place of A's and B's public keys. Secret derivation at A yields the key of A and C; secret derivation at B yields the key of B and C.
Does cryptography have an Achilles heel? (1) The sender asks the recipient: "send me your public key". The recipient replies with their public key, and the sender returns the message encrypted using the recipient's public key. Charlie is positioned on the path between them.
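The Diffie-Hellman exchange of slide 5 followed by the man-in-the-middle of slide 6, as an added example that is not part of the lecture. The modulus q = 2^127-1 with a = 3 and the derivation of K_AB by hashing S_AB are constructed for the demo; what it shows is that A and B each end up sharing a key with Charlie and none with each other, which unauthenticated Diffie-Hellman gives them no way to detect.

```python
import hashlib
import secrets

# Global public elements a, q (constructed demo values; use a standardized group in practice).
Q = (1 << 127) - 1
A = 3

def keygen():
    """Private exponent x and public value y = a^x mod q."""
    x = secrets.randbelow(Q - 2) + 1
    return x, pow(A, x, Q)

def shared_key(their_y, my_x):
    """S = y^x mod q, hashed into the session key K."""
    return hashlib.sha256(str(pow(their_y, my_x, Q)).encode()).digest()

def honest_exchange():
    """Slide 5: both sides derive the same K_AB."""
    x_a, y_a = keygen()
    x_b, y_b = keygen()
    return shared_key(y_b, x_a) == shared_key(y_a, x_b)

def mitm_exchange():
    """Slide 6: Charlie substitutes his public value in both directions."""
    x_a, y_a = keygen()
    x_b, y_b = keygen()
    x_c, y_c = keygen()           # C's public key, delivered to both sides
    k_a = shared_key(y_c, x_a)    # A believes y_c came from B
    k_b = shared_key(y_c, x_b)    # B believes y_c came from A
    k_ac = shared_key(y_a, x_c)   # Charlie's key with A
    k_cb = shared_key(y_b, x_c)   # Charlie's key with B
    return {"a_matches_charlie": k_a == k_ac,
            "b_matches_charlie": k_b == k_cb,
            "a_b_share_key": k_a == k_b}
```

Authenticating the public values (slides 17-18) is the countermeasure; nothing in the exchange itself distinguishes y_c from a genuine y_B.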
Slide 7. Does cryptography have an Achilles heel? (continued)
(2) The sender asks "send me your public key". Charlie intercepts the reply and substitutes Charlie's public key. The sender, taking it for the recipient's key, returns the message encrypted using Charlie's public key.
(3) Charlie decrypts the message, re-encrypts it using the recipient's public key and forwards it, so neither party notices the substitution.
Slide 8. Directory of public keys
(1) An on-line database lists each user with their public key: ..., Charlie with Charlie's public key, Dave with Dave's public key, Eve with Eve's public key. The sender looks up the recipient's public key in the database and sends the message encrypted using the recipient's public key; Charlie is positioned on the path.
(2) Charlie replaces the recipient's entry in the database with Charlie's public key. The sender's lookup now returns Charlie's public key, and the message is sent encrypted using Charlie's public key.
Slide 9. Directory of public keys (continued)
(3) With the substituted database entry in place, the message arrives encrypted using Charlie's public key; Charlie decrypts it and re-encrypts it using the recipient's public key before forwarding it.
PGP: Flow of trust
Manual exchange of public keys: in Las Vegas, the sender ⇔ David; in Edinburgh, David ⇔ Betty. Later the sender is in Washington, David in New York and Betty in London. The sender asks: "David, send me Betty's public key". David returns Betty's public key signed by David. The sender then sends the message encrypted using Betty's public key.
Slide 10. Certification Authority
Loren Kohnfelder, Towards a Practical Public-Key Cryptosystem, Bachelor's Thesis, MIT, May 1978, http://groups.csail.mit.edu/cis/theses/kohnfelder-bs.pdf
A user presents proof of identity to the Certification Authority and receives a certificate; relying parties hold the public key of the Certification Authority and use it to check certificates.
Certificate contents: subject name; subject's public key; subject's credentials; serial number; issuer (CA) name; period of validity; signature algorithm identifier; CA's signature.
Slide 11. The exact X.509 certificate format [Stallings, 2010]
Distinguished Name (DN) according to X.500. Example:
Common name (CN) = Kris Gaj
Country name (C) = US
State or province name (ST) = VA
Locality name (L) = Fairfax
Organization name (O) = George Mason University
Organizational unit name (OU) = ECE
Other fields permitted: street address (SA), post office box (PO Box), postal code (PC), title (T), description (D), telephone number (TN), serial number (SN).
Slide 12. Examples of X.509 version 3 extensions
Key usage: restrictions on the use of a given key, e.g., digital signature, key encryption, data encryption, key agreement.
Subject key identifier: a subject may have different key pairs for different purposes (e.g., digital signature, key agreement).
Private key usage period: period of use of the corresponding private key.
Subject alternative name: application-specific name, e.g., e-mail address.
Basic constraints: identifies whether the subject may act as a CA.
Slide 13. Non-repudiation only
A sends B: M, SGN_A(M), Cert_CA(A, KU_A). A holds A's private key KR_A; B holds the CA's public key KU_CA.
Notation: KU_X - public key of X; KR_X - private key of X; SGN_X(M) - signature of X for the message M; Cert_Y(X, KU_X) - certificate issued by Y for the user X.
Confidentiality only
An on-line database holds Cert_CA(A, KU_A), Cert_CA(B, KU_B), Cert_CA(C, KU_C), Cert_CA(D, KU_D), ... A retrieves Cert_CA(B, KU_B) and sends B: K_AB(M), KU_B(K_AB). A holds the CA's public key KU_CA; B holds B's private key KR_B.
Slide 14. Confidentiality and non-repudiation
A retrieves Cert_CA(B, KU_B) from the on-line database (which holds Cert_CA(A, KU_A), Cert_CA(B, KU_B), Cert_CA(C, KU_C), Cert_CA(D, KU_D), ...) and sends B: SGN_A(M), Cert_CA(A, KU_A), K_AB(M), KU_B(K_AB). A holds A's private key KR_A and the CA's public key KU_CA; B holds B's private key KR_B and the CA's public key KU_CA.
Public Key Infrastructure with reverse certificates
Hierarchy: US at the root; below it the states VA, MA, CA; below VA the localities Fairfax and Herndon, below MA Worcester and Boston, below CA Santa Clara and San Jose; GMU under Fairfax and MIT under Boston. A (at GMU) knows KU_GMU; B (at MIT) knows KU_MIT.
A sends B: M, SGN_A(M), Cert_GMU(A, KU_A), Cert_Fairfax(GMU, KU_GMU), Cert_VA(Fairfax, KU_Fairfax), Cert_US(VA, KU_VA), Cert_MA(US, KU_US), Cert_Boston(MA, KU_MA), Cert_MIT(Boston, KU_Boston).
Slide 15. Public Key Infrastructure with strict hierarchy
Same hierarchy (US; VA, MA, CA; Fairfax, Herndon, Worcester, Boston, Santa Clara, San Jose; GMU, MIT). All users know KU_US. A sends B: M, SGN_A(M), Cert_GMU(A, KU_A), Cert_Fairfax(GMU, KU_GMU), Cert_VA(Fairfax, KU_Fairfax), Cert_US(VA, KU_VA).
Public Key Infrastructure with cross-certificates
GMU and MIT certify each other: Cert_GMU(MIT, KU_MIT) and Cert_MIT(GMU, KU_GMU). A knows KU_GMU; B knows KU_MIT. A sends B: M, SGN_A(M), Cert_GMU(A, KU_A), Cert_MIT(GMU, KU_GMU).
Slide 16. Certificate Revocation Lists (CRLs)
CRL contents: this update date; next update date; issuer (CA) name; list of revoked certificates (serial number + revocation date); signature algorithm; CA's signature.
A certificate is valid if it has a valid signature of the CA, did not expire, and is not listed in the CA's most recent CRL.
The exact X.509 CRL format [Stallings, 2006].
Slide 17. Advantages of Certification Authorities over Key Distribution Centers
- the CA does not need to be on-line
- a CA is relatively easy to implement
- a CA crash means no new users in the network, but all old users operate normally
- certificates are not security sensitive: they can be stored in a public database and transmitted over a public network
- a compromised CA cannot decrypt messages (without first impersonating one of the users)
- only active attacks can be mounted using the CA's private key
Authenticated key agreement
A holds A's static private key and A's ephemeral private key; B holds B's static private key and B's ephemeral private key. A sends A's ephemeral public key, A's static public key and certificates; B sends B's static public key, B's ephemeral public key and certificates. Each side runs secret derivation to obtain the key.
Slide 18. Authenticated key agreement (detail)
A: static private key x_A, ephemeral private key r_A, ephemeral public key y_A, static public key p_A, plus certificates. B: static private key x_B, ephemeral private key r_B, ephemeral public key y_B, static public key p_B, plus certificates.
A computes Z = y_B^x_A · p_B^r_A; B computes Z = y_A^x_B · p_A^r_B; both derive the key from Z.
Station-to-Station (STS) Protocol: authenticated key agreement with key confirmation
(1) A -> B: y_A
(2) B -> A: y_B, K_AB(SGN_B(y_B, y_A)), Cert_CA(B, KU_B)
(3) A -> B: K_AB(SGN_A(y_A, y_B)), Cert_CA(A, KU_A)
A holds KR_A (static private key of A), KU_CA (static public key of CA) and Cert_CA(A, KU_A) (certificate of A issued by CA); B holds KR_B (static private key of B), KU_CA and Cert_CA(B, KU_B) (certificate of B issued by CA).
Notation: KU_Z - static public key of Z; KR_Z - static private key of Z; x_Z - ephemeral private key of Z; y_Z - ephemeral public key of Z; SGN_Z(M) - signature of Z for the message M; Cert_CA(Z, KU_Z) - certificate of Z issued by CA.
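The three STS flows above, with the certificate check of slide 16 (CA signature valid and serial not on the CRL) applied to each received certificate, written as an added example that is not the lecture's code. Everything cryptographic is a constructed stand-in so it runs with only the standard library: textbook RSA signatures over Mersenne-prime moduli, K_AB(.) as a keyed one-time mask, and the group a = 3 mod q = 2^127-1; the expiry check is omitted because the toy certificates carry no validity period.

```python
import hashlib
import secrets

# Toy RSA from Mersenne primes (constructed demo keys, not a secure parameter choice).
M = {p: (1 << p) - 1 for p in (19, 31, 61, 89, 107, 127)}
A_GEN, Q = 3, M[127]                       # Diffie-Hellman global elements a, q

def keypair(p, q, e=65537):                # ((n, e), (n, d)) for the primes p and q
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def digest(*parts):                        # hash of a message tuple, truncated below n
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def sign(priv, *msg):                      # SGN_Z(msg) with private key (n, d)
    return pow(digest(*msg), priv[1], priv[0])
def verify(pub, sig, *msg):                # check against public key (n, e)
    return pow(sig, pub[1], pub[0]) == digest(*msg)

def issue_cert(ca_priv, serial, name, pub):   # Cert_CA(Z, KU_Z)
    return serial, name, pub, sign(ca_priv, serial, name, pub)

def cert_ok(ca_pub, cert, crl):            # slide 16: CA signature valid and not revoked
    serial, name, pub, sig = cert
    return serial not in crl and verify(ca_pub, sig, serial, name, pub)

def mask(k_ab, label):                     # K_AB(.) as a keyed one-time mask (toy cipher)
    return int.from_bytes(hashlib.sha256(k_ab + label).digest(), "big")
def session_key(their_y, my_x):            # K_AB derived from y^x mod q
    return hashlib.sha256(str(pow(their_y, my_x, Q)).encode()).digest()

def sts(ca_pub, crl, a_priv, a_cert, b_priv, b_cert):
    """Run the three STS flows; return (K_AB at A, K_AB at B) or raise."""
    x_a, x_b = secrets.randbelow(Q - 2) + 1, secrets.randbelow(Q - 2) + 1
    y_a, y_b = pow(A_GEN, x_a, Q), pow(A_GEN, x_b, Q)                 # 1: A -> B: y_A
    k_b = session_key(y_a, x_b)
    flow2 = (y_b, sign(b_priv, y_b, y_a) ^ mask(k_b, b"B"), b_cert)    # 2: B -> A
    k_a = session_key(flow2[0], x_a)
    if not (cert_ok(ca_pub, flow2[2], crl)
            and verify(flow2[2][2], flow2[1] ^ mask(k_a, b"B"), y_b, y_a)):
        raise ValueError("B not authenticated or key not confirmed")
    flow3 = (sign(a_priv, y_a, y_b) ^ mask(k_a, b"A"), a_cert)          # 3: A -> B
    if not (cert_ok(ca_pub, flow3[1], crl)
            and verify(flow3[1][2], flow3[0] ^ mask(k_b, b"A"), y_a, y_b)):
        raise ValueError("A not authenticated or key not confirmed")
    return k_a, k_b

CA_PUB, CA_PRIV = keypair(M[89], M[107])
A_PUB, A_PRIV = keypair(M[31], M[61])
B_PUB, B_PRIV = keypair(M[127], M[19])
A_CERT, B_CERT = issue_cert(CA_PRIV, 1, "A", A_PUB), issue_cert(CA_PRIV, 2, "B", B_PUB)
```

A substituted y value, as in the man-in-the-middle of slide 6, leaves the signature over (y_B, y_A) unverifiable at the receiving side, and a revoked or forged certificate fails cert_ok before the key is accepted.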