Key Management CS461/ECE422

Similar documents
Chapter 9: Key Management

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Chapter 10: Key Management

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Cryptographic Checksums

Spring 2010: CS419 Computer Security

CSC 482/582: Computer Security. Security Protocols

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Information Security & Privacy

INFSCI 2935: Introduction of Computer Security 1. Courtesy of Professors Chris Clifton & Matt Bishop. INFSCI 2935: Introduction to Computer Security 2

Key Escrow. Desirable Properties

L8: Public Key Infrastructure. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Fun with Crypto keys and protocols. some Bishop, some Jim, some RA

What did we talk about last time? Public key cryptography A little number theory

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

T Cryptography and Data Security

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

CSC/ECE 774 Advanced Network Security

UNIT - IV Cryptographic Hash Function 31.1

CSC 774 Network Security

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Cryptographic Protocols 1

Outline Key Management CS 239 Computer Security February 9, 2004

The Kerberos Authentication System Course Outline

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Public Key Algorithms

Lecture 2 Applied Cryptography (Part 2)

CS3235 Seventh set of lecture slides

Elements of Security

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Authentication Handshakes

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Security: Focus of Control

Diffie-Hellman. Part 1 Cryptography 136

Datasäkerhetsmetoder föreläsning 7

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Security Handshake Pitfalls

Kurose & Ross, Chapters (5 th ed.)

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

CSC 474/574 Information Systems Security

T Cryptography and Data Security

Security Handshake Pitfalls

Security: Focus of Control. Authentication

Network Security. Random Number Generation. Chapter 6. Network Security (WS 2003): 06 Random Number Generation 1 Dr.-Ing G.

CS Computer Networks 1: Authentication

CPSC 467: Cryptography and Computer Security

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Security. Communication security. System Security

Cryptography and Network Security Chapter 14

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Grenzen der Kryptographie

Information Security CS 526

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

(2½ hours) Total Marks: 75

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Encryption. INST 346, Section 0201 April 3, 2018

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Authentication in Distributed Systems

Lecture 1: Course Introduction

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Cryptography and Network Security

Network Security Chapter 8

Network Security. Chapter 8. MYcsvtu Notes.

CPSC 467b: Cryptography and Computer Security

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Cryptography (Overview)

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Key Establishment and Authentication Protocols EECE 412

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

2.1 Basic Cryptography Concepts

Verteilte Systeme (Distributed Systems)

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

CS 161 Computer Security

Introduction to Cryptography Lecture 10

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Computer Networks. Wenzhong Li. Nanjing University

Public Key Algorithms

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Session key establishment protocols

Network Security Essentials

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

David Wetherall, with some slides from Radia Perlman s security lectures.

Session key establishment protocols

CSC 474/574 Information Systems Security

Fall 2010/Lecture 32 1

User Authentication Protocols Week 7

Transcription:

Key Management CS461/ECE422 1

Reading Chapter 10 in Computer Security: Art and Science Handbook of Applied Cryptography http://www.cacr.math.uwaterloo.ca/hac/ Section 11.3.2 attack on RSA signature Section 13.8.3 Key Escrow 2

Key Management Motivation Cryptographic security depends on keys Size Generation Retrieval and Storage Example House security system no good if key or code is under the mat 3

Overview Key Generation Key Exchange and management Classical (symmetric) Public/private Digital Signatures Key Storage 4

Key Management Processes associated with Distribution of keys Binding identities to keys Generation, maintenance, and revoking keys

Notation X Y : { Z W } k X,Y X sends Y the message produced by concatenating Z and W encrypted by key k X,Y, which is shared by users X and Y A T : { Z } k A { W } k A,T A sends T a message consisting of the concatenation of Z encrypted using k A, A s key, and W encrypted using k A,T, the key shared by A and T r 1, r 2 nonces (nonrepeating random numbers) 6

Session and Interchange Keys Long lived Interchange Keys only exist to boot strap Associated with a principal to the communication, e.g. public keys below K b,k a Short lived session keys used for bulk encryption, e.g. K a,b K b,k a K a,b K a,b K a,k b {K a,b }K a {m1}k a,b 7

Session and Interchange Keys Another view---key and message in one shot Alice wants to send a message m to Bob Assume public key encryption Alice generates a random cryptographic key k s and uses it to encrypt m To be used for this message only, not used for authentication Called a session key She encrypts k s with key k B k B encrypts all session keys Alice uses to communicate with Bob : known by Bob, shared with Alice Called an interchange key. Used for authentication Alice sends { m } k s { k s } k B Message m coded with k s Message k s coded with k B 8

Benefits Limits amount of traffic encrypted with single key Standard practice, to decrease the amount of traffic an attacker can obtain Prevents some attacks. e.g., Suppose long lived key (public, or broken) k B Suppose set of possible messages is small, e.g. BUY or SELL Attack can pre-compute possible ciphertexts, observe, compare Example: Alice will send Bob message that is either BUY or SELL. Eve computes possible ciphertexts { BUY } k B and { SELL } k B. Eve intercepts encrypted message, compares, and gets plaintext at once 9

Key Generation Goal: generate keys that are difficult to guess Problem statement: given a set of K potential keys, choose one randomly Equivalent to selecting a random number between 0 and K 1 inclusive Why is this hard: generating random numbers Actually, numbers are usually pseudo-random, that is, generated by an algorithm 10

What is Random? Sequence of cryptographically random numbers: a sequence of numbers n 1, n 2, such that for any integer k > 0, an observer cannot predict n k even if all of n 1,, n k 1 are known Best: physical source of randomness Random pulses Electromagnetic phenomena Characteristics of computing environment such as disk latency Ambient background noise 11

What is Pseudorandom? Sequence of cryptographically pseudorandom numbers: sequence of numbers intended to simulate a sequence of cryptographically random numbers but generated by an algorithm Very difficult to do this well Linear congruential generators [n k = (an k 1 + b) mod n] broken Polynomial congruential generators [n k = (a j n k 1 j + + a 1 n k 1 a 0 ) mod n] broken too Here, broken means next number in sequence can be determined 12

Best Pseudorandom Numbers Strong mixing function: function of 2 or more inputs with each bit of output depending on some nonlinear function of all input bits Examples: DES (mixes key and data), MD5, SHA-1, (multi-stage functions in hashing) avalanche effect Inputs need to be unpredictable 13

Key Exchange Principals to communication need to agree on key to be used. Criteria Key should not be transmitted in the clear Solutions : encrypt when sent, derive from public keys (e.g. Diffie-Hellman) Assume attacker can view EVERYTHING that is transmitted Permissible to use a trusted third party All protocols, mechanisms, algorithms should be assumed known. The only secrets are the keys involved

Separate Channel Ideally you have separate secure channel for exchanging keys Direct secret sharing grows at N 2 Telephone, separate data network, ESP, sneaker net Regular data network 15

Shared Channel Generally separate channel is not practical No trustworthy separate channel Want to scale linearly with additional users K A,K B, K Z K B Key Exchange Regular data network K A 16

Classical Key Exchange Classical means no public key infrastructure Bootstrap problem: how do Alice, Bob begin? Alice can t send it to Bob in the clear! Assume trusted third party, Cathy Alice and Cathy share secret key k A Bob and Cathy share secret key k B Use this to exchange shared key k s 17

Simple Protocol Alice Alice { request for session key with Bob } k A { k s } k A { k s } k B Cathy Cathy Alice { k s } k B Bob Notice : Cathy gives Alice the job of sending key to Bob Eve { k s } k B Bob Notice : Eve might break key, and entice Bob to use it with her or might simply replay the communication Alice had with Bob using that key 18

Problems How does Bob know he is talking to Alice? Replay attack: Eve records message from Alice to Bob, later replays it; Bob may think he s talking to Alice, but he isn t e.g. message is buy 100 shares of GE stock Session key reuse: Eve replays message from Alice to Bob, so Bob re-uses session key If Eve has cracked session key off-line, she can say anything she likes in the communication Protocols must provide authentication and defense against replay 19

Needham-Schroeder Random number Alice Alice Alice Alice Alice Alice Bob r 1 RP Session key { Alice Bob r 1 k s { Alice k s } k B } k A Cathy Cathy { Alice k s } k B Bob Au { r 2 } k s { r 2 1 } k s Au + RP Key Cathy shares with Bob Au Key Cathy shares with Alice Bob Bob 20

Argument: Alice talking to Bob Second message Encrypted using key only she, Cathy knows Implies authentication (Au) : Cathy encrypted it Includes nonce to r 1 thwart replay attack (RP) Response to first message As r 1 in it matches r 1 in first message Third message Alice knows only Bob can read it As only Bob can derive session key from message Any messages encrypted with that key are from Bob 21

Fourth and Fifth messages Fourth message Encrypted using key only he, Cathy know authentication : Bob encrypted it Includes nonce that only Bob knows, to identify session Fifth message Uses uses nonce derived from one Bob provided to show that Alice knows she and Bob will use the key for THIS session k s 22

Denning-Sacco Modification Needham-Schroeder Assumption: all keys are secret Question: suppose Eve can obtain session key by intercepting/cracking Cathy->Alice message in Needham- Schoeder. How does that affect protocol? Attack, Eve can impersonate Alice by using k s Eve { Alice k s } k B Bob Eve Eve { r 2 } k s { r 2 1 } k s Bob Bob 23

Solution In protocol above, Eve impersonates Alice Problem: replay in third step First in previous slide Solution: use time stamp T to detect replay Assumption is that it takes time to crack the Cathy-to- Alice message Weakness: if clocks not synchronized, may either reject valid messages or accept replays Parties with either slow or fast clocks vulnerable to replay 24

Needham-Schroeder with Denning- Sacco Modification time that Cathy responds Alice Alice Alice Alice Alice Alice Bob r 1 { Alice Bob r 1 k s { Alice T k s } k B } k A { Alice T k s } k B { r 2 } k s { r 2 1 } k s Cathy Cathy Bob Bob Bob Bob validates by comparison with his own real-time clock. Responds only if close enough to T 25

Otway-Rees Protocol Corrects problem That is, Eve replaying the third message in the protocol Does not use timestamps Not vulnerable to the problems that Denning-Sacco modification has Clock synchronization Since Bob has T, he can masquerade as Alice until the timestamp expires 26

index The Protocol Key Alice shares with Cathy Alice n Alice Bob { r 1 n Alice Bob } k A Bob Cathy Cathy compares n Alice Bob { r 1 n Alice Bob } k A { r 2 n Alice Bob } k B Bob Key Bob shares with Cathy Cathy n { r 1 k s } k A { r 2 k s } k B Bob Alice n { r 1 k s } k A Bob 27

Argument: Alice talking to Bob Fourth message If n matches first message, Alice knows it is part of this protocol exchange Cathy generated k s because only she and Alice know k A Encrypted part belongs to exchange as r 1 matches r 1 in encrypted part of first message 28

Argument: Bob talking to Alice Third message If n matches second message, Bob knows it is part of this protocol exchange Cathy generated k s because only she, Bob know k B Encrypted part belongs to exchange as r 2 matches r 2 in encrypted part of second message 29

Replay Attack---FAIL Eve acquires old k s, message in third step n { r 1 k s } k A { r 2 k s } k B Eve copies 4th message ( to Alice ) Nonce r 1 was created by Alice, encoded by keys assumed unknown to Eve Nonce r 1 is used up in a session, along with session key Alice rejects 30

Network Authentication with Kerberos KDC User U Login Workstation TGT, TGS Ticket, S AS/ Cathy TGS/ Barnum Service Request (Authenticator, Ticket) Service S Legend: AS = Authentication Server; TGS = Ticket Granting Server KDC = Key Distribution Center; TGT = Ticket Granting Ticket; 31

Kerberos Authentication system Based on Needham-Schroeder with Denning-Sacco modification Central server plays role of trusted third party ( Cathy ) Ticket Issuer vouches for identity of requester of service Authenticator Identifies sender Two Competing Versions: 4 and 5 Version 4 discussed here 32

Idea User u authenticates to Kerberos AS Obtains ticket (TGT) T u,tgs for ticket granting service (TGS) User u wants to use service s: User sends authenticator A u, ticket T u,tgs to TGS asking for ticket for service TGS sends ticket T u,s to user User sends A u, T u,s to server as request to use s Details follow 33

Ticket Credential saying issuer has identified ticket requester Example ticket issued to user u for TGS T u,tgs = TGS { u u s address valid time k u,tgs } k AS,TGS where: k u,tgs is session key for user and TGS k AS,TGS is long-term key shared between AS and TGS Valid time is interval for which ticket valid; e.g., a day u s address may be IP address or something else Note: more fields, but not relevant here 34

Ticket Example ticket issued to user u for service s where: T u,s = s { u u s address valid time k u,s } k s k u,s is session key for user and service k s is long-term key shared between TGS and S Valid time is interval for which ticket valid; e.g., hours/days u s address may be IP address or something else Note: more fields, but not relevant here 35

Authenticator Credential containing identity of sender of ticket Used to confirm sender is entity to which ticket was issued Example: authenticator that user u generates for service s A u,s = { u generation time} k u,s where: Generation time is when authenticator generated Encoded by session key Other fields unimportant here 36

Protocol * Initially, user u registers with KDC and establishes a password - used to derive long-term key k u * User U logs into workstation (WS) using password Labels, not part of message M1: user/ws [AS_REQ]: user TGS AS M2: user/ws [AS_REP]: { k u,tgs } k u T u,tgs AS WS decrypts session key k u,tgs using supplied password this key used in next step. Ticket returned is T u,tgs 37

Protocol [TGS_REQ]: service A u,tgs T u,tgs M3: user/ws TGS Authenticator A u,tgs built from session key u shares with session key given by AS in previous step TGS decrypts ticket using long-term key k AS,TGS [TGS_REP]: user { k u,s } k u,tgs T u,s M4: user/ws TGS TGS returns key k u,s for u to use with service, and ticket T u,s to use requesting service

Protocol [AP_REQ]: A u,s T u,s M5: user/ws service Authenticator A u,s built by WS using session key k u,s obtained from TGS in previous step Ticket T u,s given by TGS in previous is forwarded Service decrypts ticket using long-term key k TGS,s [AP_REP]: { t + 1 } k u,s M6: user/ws service Optional last step, used when u requests confirmation of service rendered 39

Summary of Messages First two messages get user ticket to use TGS User u can obtain session key only if u knows key shared with AS Next four messages show how u gets and uses ticket for service s Service s validates request by checking sender (using A u,s ) is same as entity ticket issued to Step 6 optional; used when u requests confirmation 40

Problems Relies on synchronized clocks Typical clock skew allowed is 5 minutes If not synchronized and old tickets, authenticators not cached, replay is possible Tickets have some fixed fields Dictionary attacks possible Kerberos 4 session keys weak (had much less than 56 bits of randomness); researchers at Purdue found them from tickets in minutes 41

Public Key Key Exchange Here interchange keys known e A, e B Alice and Bob s public keys known to all d A, d B Alice and Bob s private keys known only to owners Simple protocol k s is desired session key Alice { k s } e B Bob 42

Problem and Solution Vulnerable to forgery or replay Because e B known to anyone, Bob has no assurance that Alice sent message Simple fix uses Alice s private key k s is desired session key Alice { { k s } d A } e B Bob 43

Notes Can include message enciphered with k s Assumes Bob has Alice s public key, and vice versa If not, each must get it from public server If keys not bound to identity of owner, attacker Eve can launch a man-in-the-middle attack (next slide; Cathy is public server providing public keys) Solution to this (binding identity to keys) discussed later as public key infrastructure (PKI) 44

Man-in-the-Middle Attack Alice Pls send Bob s public key Eve Alice e E Eve Eve Eve intercepts request send Bob s public key e B Cathy Cathy Cathy Alice believes that e E is Bob s public key. It isn t. Alice { k s } e E Eve intercepts message Bob Eve { k s } e B Bob 45

Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as all keys are shared Use protocols to agree on a shared key (see earlier) Public key: bind identity to public key Crucial as people will use key to communicate with principal whose identity is bound to key Erroneous binding means no secrecy between principals Assume principal identified by an acceptable name 46

Certificates Create token (message) containing Identity of principal (here, Alice) Corresponding public key Timestamp (when issued) Other information (perhaps identity of signer) Compute hash (message digest) of token Hash encrypted by trusted authority (here, Cathy) using private key: called a signature C A = e A Alice T {h(e A Alice T )} d C OBSERVE : public key, Alice and T are in the clear; hash is signed. Why? 47

Use Bob gets Alice s certificate If he knows Cathy s public key, he can validate the certificate Decrypt encrypted hash using Cathy s public key Re-compute hash from certificate and compare Check validity Is the principal Alice? Now Bob has Alice s public key Problem: Bob needs Cathy s public key to validate certificate That is, secure distribution of public keys Solution: Public Key Infrastructure (PKI) using trust anchors called Certificate Authorities (CAs) that issue certificates 48

X.509 Certificates Some certificate components in X.509v3: Version Serial number Signature algorithm identifier: hash algorithm Issuer s name; uniquely identifies issuer Interval of validity Subject s name; uniquely identifies subject Subject s public key Signature: encrypted hash 49

Transitive Trust If user U1 has a public-key certificate C issued by certificate authority CA1, then CA1 trusts that the identity on C is user U1 s Some validation used before C is issued U1 also trusts validity of other certs issued by CA1 If CA1 has a certificate D issued by CA2, then CA2 trusts that the identity on D is CA1 s, and that CA1 does due diligence in checking identities on certs that CA1 issues CA1 trusts other certs that CA2 issues to certificate authorities and (possibly) users 50

Transitive Trust Illustrated cert issued Trusts CA1 s identity and trustworthiness of certs issued CA2 Trusts certs signed by CA2 Trusts CA3 s identity and trustworthiness of certs issued Trusts certs signed by CA2 CA3 Trusts certs signed by CA3 Trusts CA4 s identity and trustworthiness of certs issued Trusts Alice s identity Alice CA1 Trusts certs signed by CA1 CA4 Trusts certs signed by CA4 Bob Trusts Bob s identity Suppose Alice has every cert implied in this diagram she trusts the key on Bob s cert--- Why? She trusts CA2, and CA2 trusts Bob

PKI Trust Models A Single Global CA Unmanageable, inflexible There is no universally trusted organization Hierarchical CAs (Tree) Root CA Level I CA Level I CA Level n CA User Offloads burden on multiple CAs Need to verify a chain of certificates Still depends on a single trusted root CA 52

PKI Trust Models Hierarchical CAs with cross-certification Multiple root CAs that are cross-certified Cross-certification at lower levels for efficiency Web Model Browsers come pre-configured with multiple trust anchor certificates New certificates can be added Distributed (e.g., PGP) No CA; instead, users certify each other to build a web of trust 53

Validation and Cross-Certifying Alice s CA is Cathy; Bob s CA is Dan; how can Alice validate Bob s certificate? Have Cathy and Dan cross-certify Each issues certificate for the other Certificates: Cathy<<Alice>> (Cathy issues cert for Alice) Dan<<Bob> (Dan issues cert for Bob) Cathy<<Dan>> (Cathy issues cert for Dan) Dan<<Cathy>> (Dan issues cert for Cathy) Cross-certification 54

Cert binds dest ID to dest PK, signed by src Cross-Certification CA CA CA Cathy Alice gets cert from Bob : is there a common CA ancestor in the directed CA graph? CA CA Dan Alice Cross-certification Bob Alice gets Bob s cert, signed by Dan Sees Dan s cert is signed by Cathy Trusts Cathy as her own CA Alice uses (known) public key of Cathy to validate Dan s cert Alice uses Dan s public key (from cert) to validate Bob s cert

PGP Chains OpenPGP certificates structured into packets One public key packet Zero or more signature packets See http://www.ietf.org/rfc/rfc4880.txt Public key packet: Version (3 or 4; 3 compatible with all versions of PGP, 4 not compatible with older versions of PGP) Creation time Validity period (not present in version 3) Public key algorithm, associated parameters Public key 56

OpenPGP Signature Packet Version 3 signature packet Version (3) Signature type (level of trust) Creation time Signer s key identifier (identifies key to encrypt hash) Public key algorithm (used to encrypt hash) Hash algorithm Part of signed hash (used for quick check) Signature (encrypted hash) Version 4 packet more complex 57

Signing Single certificate may have multiple signatures Notion of trust embedded in each signature Range from untrusted to ultimate trust Signer defines meaning of trust level (no standards!) All version 4 keys signed by subject Called self-signing 58

Validating Certificates Alice needs to validate Bob s OpenPGP cert Does not know Fred, Giselle, or Ellen Alice gets Giselle s cert Knows Henry slightly, but his signature is at casual level of trust Alice gets Ellen s cert Knows Jack, so uses his cert to validate Ellen s, then hers to validate Bob s Arrows show signatures Self signatures not shown Henry Irene Bob Jack Ellen Giselle Fred 59

Key Revocation Certificates invalidated before expiration Usually due to compromised key May be due to change in circumstance (e.g., someone leaving company) Problems Verify that entity revoking certificate authorized to do so Revocation information circulates to everyone fast enough Network delays, infrastructure problems may delay information 60

CRLs Certificate revocation list lists certificates that are revoked X.509: only certificate issuer can revoke certificate Added to CRL PGP: signers can revoke signatures; owners can revoke certificates, or allow others to do so Revocation message placed in PGP packet and signed Flag marks it as revocation message 61

Digital Signature Construct that authenticated origin, contents of message in a manner provable to a disinterested third party ( judge ) Sender cannot deny having sent message (service is non-repudiation ) Limited to technical proofs Inability to deny one s cryptographic key was used to sign One could claim the cryptographic key was stolen or compromised Legal proofs, etc., probably required; not dealt with here 62

Simple Approach Classical: Alice, Bob share key k Alice sends m { m } k to Bob This is a digital signature WRONG This is not a digital signature Why? Third party cannot determine whether Alice or Bob generated message 63

Public Key Digital Signatures Alice s keys are (private) d Alice, (public) e Alice Alice sends Bob m { m } d Alice In case of dispute, judge computes { { m } d Alice } e Alice and if it is m, Alice s private key signed message She s the only one who knows d Alice, so we infer Alice did the signing action 64

RSA Digital Signatures Use private key to encrypt message Protocol for use is critical Key points: Never sign random documents, and when signing, always sign hash and never document Mathematical properties can be turned against signer Sign message first, then encrypt Changing public keys causes forgery 65

Attack #1 Given Bob s signatures on messages m 1 and m 2 Alice can compute his signature on message m = m 1! m 2 so the attack is to create evil message m, find factors (with appropriate modulus) and get Bob to sign them (m 1 x m 2 ) mod n b = m Get Bob to sign m 1 and m 2 m 1 d mod n b x m 2 d mod n b = (m 1 d x m 2 d ) mod n b = (m 1 x m 2 ) d mod n b = m d mod n b 66

Attack #1 example Example: Alice, Bob communicating n A = 95, ea = 59, da = 11 n B = 77, eb = 53, db = 17 note that ops using Alice s key are mod n A,, using Bob s are n B 26 contracts, numbered 00 to 25 Alice has Bob sign 05 and 17: c = m db mod n B = 05 17 mod 77 = 3 c = m db mod n B = 17 17 mod 77 = 19 Alice computes 05 17 mod 77 = 08; corresponding signature is (08) 17 mod 77 = (03 19) mod 77 = 57; claims Bob signed 08 Judge computes c eb mod n B = 57 53 mod 77 = 08 Signature validated; Bob is toast 67

Attack #2: Bob s Revenge Bob, Alice agree to sign contract m but Bob wants it to appear that she signed contract M Alice encrypts with Bob s public key (e.g. for confidentiality), then signs with her private key: c = (m eb mod n B ) da mod n A Bob now changes his public key Computes r such that M r mod n B = m Replace public key with product re B and computes a new matching private key d' B What exactly is the math problem to be solved? Bob claims contract was M. Judge computes: (c ea mod n A ) d'b mod n B = M 68

Attack #2: Bob s Revenge (cont d) Document is c = (m eb mod n B ) da mod n A Bob s new key pair is (r eb, d B) M and r satisfy M r mod n B = m What happens if M is encoded using new public key? (M r eb mod n B ) = (M r ) eb mod n B = m mod n B Bob claims contract was M. Judge computes: (c ea mod n A ) d'b mod n B = M Verify Alice signed Decode using new public key Busted Illustrates dangers of encrypt-then-sign Recipient can pull a fast one on you 69

Attack #2 Example Bob, Alice agree to sign contract 06 Alice encrypts, then signs: (m e B mod 77) d A mod n A = (06 53 mod 77) 11 mod 95 = 63 Bob now changes his public key Computes r such that 13 r mod 77 = 6; say, r = 59 Computes r e B mod φ(n B ) = 59 53 mod 60 = 7 Replace public key e B with 7, private key d B = 43 Bob claims contract was 13. Judge computes: (63 59 mod 95) 43 mod 77 = 13 Verified; now Alice is toast 70

Digital Signature Algorithm (DSA) Is a FIPS standard (186-3) proposed by NIST, 1991 See this link http://www.itl.nist.gov/fipspubs/fip186.htm Is a bit more technical than it is interesting That has never stopped us before. Three phases Key generation Signing Verification

DSA Key Generation Algorithmic parameters Hash function h Key lengths (L, N) 186-3 specifies options (1024,160), (2048,224), (2048,256), and (3072,256). Choose an N-bit prime q. Choose an L-bit prime modulus p such that p 1 is a multiple of q. Choose g, with multiplicative order modulo p equal to q. (p, q, g) may be shared Key generation---public and private keys Choose random x, with 0 < x < q. Calculate y = (g x ) mod p. Public key is (p, q, g, y). Private key is x.

DSA Signature Generate a random per-message value k where 0 < k < q Calculate r = ((g k) mod p) mod q Calculate s = (k (H(m) + x*r)) mod q where k is the multiplicative inverse mod q of k Remember that x is private key Recalculate the signature in the unlikely case that r = 0 or s = 0 The signature is (r, s)

DSA Verification Given legal signature (r, s) Calculate w = (s ) mod q s multiplicative inverse mod q Calculate u1 = (h(m)*w) mod q m is message whose signature we re checking Calculate u2 = (r*w) mod q Calculate v = ((g u1 * y u2 ) mod p) mod q The signature is valid if v = r

Storing Keys Multi-user or networked systems: attackers may defeat access control mechanisms Encrypt file containing key Attacker can monitor keystrokes to decrypt files Key will be resident in memory that attacker may be able to read Use physical devices like smart card Key never enters system Card can be stolen, so have 2 devices combine bits to make single key 75

Key Escrow Key escrow system allows authorized third party to recover key Useful when keys belong to roles, such as system operator, rather than individuals Business: recovery of backup keys Law enforcement: recovery of keys that authorized parties require access to Goal: provide this without weakening cryptosystem Very controversial 76

Desirable Properties Escrow system should not depend on encryption algorithm Privacy protection mechanisms must work from end to end and be part of user interface Requirements must map to key exchange protocol System supporting key escrow must require all parties to authenticate themselves If message to be observable for limited time, key escrow system must ensure keys valid for that period of time only Beth, Knobloch, Otten, Simmons, Wichmann 94 77

Components User security component Does the encryption, decryption Supports the key escrow component Key escrow component Manages storage, use of data recovery keys Data recovery component Does key recovery 78

Example: ESS, Clipper Chip Escrow Encryption Standard FIPS 185 (http://www.itl.nist.gov/fipspubs/fip185.htm) Set of interlocking components Designed to balance need for law enforcement access to enciphered traffic with citizens right to privacy Clipper chip given to user with prepared permessage escrow information Each chip numbered uniquely by UID Special facility programs each chip Key Escrow Decrypt Processor (KEDP) Available to agencies authorized to read messages 79

User Security Component Unique device key k unique Non-unique family key k family Cipher is Skipjack Classical cipher: 80 bit key (k session ), 64 bit input, output blocks Attaches Law Enforcement Access Field (LEAF) of 128 bits: { UID { k session } k unique hash } k family hash: 16 bit authenticator from session key and initialization vector 80

User Security Component message Programmed at initialization 64 bits UID k unique skipjack 64 bits 80 bit session key k session k family Based on session key and Initialization vector Law Enforcement Access Field ciphertext {UID k session }k unique hash}k family (32) (80) (16) Field sizes (in bits)

Initialization of User Security Component Escrow Agent I Seed 1, Key 1, Fam 1 Secure Facility Creates {k u1 }k comp k u1,k u2 Escrow Agent II Seed 2, Key 2, Fam 2 {k u2 }k comp Combine Fam 1, Fam 2 to obtain k family Combine Key1,Key2 to obtain k comp Combine Seed 1, Seed 2 to generate sequence k unique = k u1 k u2 UID, k unique, k family User Clipper Chip Essential points Key that encrypts session key requires both k u1 and k u2 k family depends on input from both Escrow agents Returned encoding of k u1,k u2 uses key derived from both Escrow agents 82

Obtaining Access Alice obtains legal authorization to read message She runs message LEAF through KEDP LEAF is { UID { k session } k unique hash } k family KEDP uses (known) k family to validate LEAF (think hash(uid)), obtain sending device s UID Authorization, LEAF taken to escrow agencies To get session key she needs to get k unique 83

Agencies Role Each validates authorization offered by Alice Each supplies { k ui } k comp and key number Key i KEDP takes these and LEAF: { UID { k session } k unique hash } k family Key numbers produce k comp k comp produces k u1 and k u2 k u1 and k u2 produce k unique k unique and LEAF produce k session 84

Problems Clipper would not decode messages with an invalid hash So naturally the attack is to replace the real LEAF with one that has a valid hash! hash too short LEAF 128 bits, 16-bit checksum (hash) 2 112 LEAFs have a valid hash, e.g., would validate 1 has actual session key, UID Takes about 42 minutes to find a randomly generated LEAF with a valid hash but meaningless session key and UID Turns out deployed devices would prevent this attack Scheme does not meet temporal requirement As k unique fixed for each unit, once message is read, any future messages can be read 85

Yaksha Key Escrow Main ideas: Session keys obtained from a Yaksha server Server escrows generated keys Only messages encoded with the session key are recoverable

Alternate Approaches Tie to time Session key not given as escrow key, but related key is To derive session key, must solve instance of discrete log problem Tie to probability Oblivious transfer: message received with specified probability Idea: translucent cryptography allows fraction f of messages to be read by third party Not key escrow, but similar in spirit 87

Key Points Key management critical to effective use of cryptosystems Different levels of keys (session vs. interchange) Exchange algorithms can be vulnerable to attacks Replay Identity integrity Digital signatures provide integrity of origin and content Much easier with public key cryptosystems than with classical cryptosystems Keys need infrastructure to identify holders, allow revoking and possible escrow 88

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback