information security technologyist.ujs.edu.cn/file/jianggao/11 key management.pdf · bootstrap...
TRANSCRIPT
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Information Security TechnologyKey Management
Changda Wang
cs.ujs.edu.cn
May 23, 2016
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
1 Key Exchange Requirements
2 Session Key Exchange ProtocolsSession Key Exchange ProtocolsPublic Key Exchange Protocol
3 Cryptographic Key Infrastructure
4 Key Storing and Revocation
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Notation
X → Y : {Z||W}kX,Y
X sends Y the message produced by concatenating Z andW enciphered by key kX,Y , which is shared by users Xand Y .
A → T : {Z}kA ||{W}kA,T
A sends T a message consisting of the concatenation of Zenciphered using kA, A.s key, and W enciphered usingkA,T , the key shared by A and T .
r1, r2 nonces (nonrepeating random numbers)
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Session, Interchange Keys
Alice wants to send a message m to Bob
Assume public key encryptionAlice generates a random cryptographic key ks (asymmetric encryption key) and uses it to encipher m
To be used for this message onlyCalled a session key
She enciphers ks with Bob’s public key kBkB enciphers all session keys Alice uses to communicatewith BobCalled an interchange key
Alice sends {m}ks{ks}kB
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Benefits
Limits amount of traffic enciphered with single key
Standard practice, to decrease the amount of traffic anattacker can obtain
Prevents some attacks
Example: Alice will send Bob message that is either BUYor SELL. Eve computes possible ciphertexts {BUY }kB
and {SELL}kB. Eve intercepts enciphered message,
compares, and gets plaintext at once
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Key Exchange Algorithms
Goal: Alice, Bob get shared keyKey cannot be sent in clear
Attacker can listen inKey can be sent enciphered, or derived from exchangeddata plus data not known to an eavesdropper
Alice, Bob may trust third partyAll cryptosystems, protocols publicly known
Only secret data is the keys, ancillary information knownonly to Alice and Bob needed to derive keysAnything transmitted is assumed known to attacker
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Classical Key Exchange
Bootstrap problem: how do Alice, Bob begin?
Alice can.t send it to Bob in the clear!
Assume trusted third party, Cathy
Alice and Cathy share secret key kABob and Cathy share secret key kB
Use this to exchange shared key ks
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Simple Protocol
Figure: Simple Protocol for Key Exchange
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Problems
How does Bob know he is talking to Alice?
Replay attack: Eve records message from Alice to Bob,later replays it; Bob may think he is talking to Alice, buthe is notSession key reuse: Eve replays message from Alice to Bob,so Bob re-uses session key
Protocols must provide authentication and defense againstreplay
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Needham-Schroeder
Figure: Needham-Schroeder Protocol
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Denning-Sacco Modification
Assumption: all keys are secret
Question: suppose Eve can obtain session key. How doesthat affect protocol?
In what follows, Eve knows ks
Figure: Denning-Sacco Modification
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Solutions
In protocol above, Eve impersonates Alice,replay in thirdstep
Solution: use time stamp T to detect replay
Weakness: if clocks not synchronized, may either rejectvalid messages or accept replays
Parties with either slow or fast clocks vulnerable to replayResetting clock does not eliminate vulnerability
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Needham-Schroeder with Denning-SaccoModification
Figure: Combination Protocol
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Kerberos
Authentication system
Based on Needham-Schroeder with Denning-SaccomodificationCentral server plays role of trusted third party (/Cathy0)
Ticket
Issuer vouches for identity of requester of service
Authenticator
Identifies sender
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Idea
User u authenticates to Kerberos server
Obtains ticket Tu,TGS for ticket granting service (TGS)
User u wants to use service s:
User sends authenticator Au, ticket Tu,TGS to TGS askingfor ticket for serviceTGS sends ticket Tu,s to userUser sends Au, Tu,s to server as request to use s
Details follow
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Kerbero’s Infrastructure
Figure: Kerbero’s Infrastructure
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Kerbero Protocol
Figure: Kerbero Protocol
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Problems
Relies on synchronized clocks
If not synchronized and old tickets, authenticators notcached, replay is possible
Tickets have some fixed fields
Dictionary attacks possibleKerberos 4 session keys weak (had much less than 56 bitsof randomness); researchers at Purdue found them fromtickets in minutes
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Public Key Key Exchange
Here interchange keys known
eA, eB Alice and Bob.s public keys known to alldA, dB Alice and Bob.s private keys known only to owner
Simple protocol
ks is desired session key
Figure: Simple Protocol
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Problem and Solution
Vulnerable to forgery or replay
Because eB known to anyone, Bob has no assurance thatAlice sent message
Simple fix uses Alice.s private key
ks is desired session key
Figure: Improved Simple Protocol
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Notes
Assumes Bob has Alice.s public key, and vice versa
If not, each must get it from public serverIf keys not bound to identity of owner, attacker Eve canlaunch a man-in-the-middle attack (next slide; Cathy ispublic server providing public keys)
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Bind identity to key
Classical: not possible as all keys are shared. Useprotocols to agree on a shared key (see earlier).
Public key: bind identity to public key
Crucial as people will use key to communicate withprincipal whose identity is bound to keyErroneous binding means no secrecy between principals
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Certificates
Create token (message) containing
Identity of principal (here, Alice)Corresponding public keyTimestamp (when issued)Other information (perhaps identity of signer)
signed by trusted authority (here, Cathy)
CA = {eA||Alice||T}dC
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Use
Bob gets Alice.s certificateIf he knows Cathy.s public key, he can decipher thecertificate
When was certificate issued?Is the principal Alice?
Now Bob has Alice.s public key
Problem: Bob needs Cathy.s public key to validatecertificate
Problem pushed /up0a levelTwo approaches: Merkle.s tree, signature chains
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Key Storing
Multi-user or networked systems: attackers may defeataccess control mechanisms
Encipher file containing key
Attacker can monitor keystrokes to decipher filesKey will be resident in memory that attacker may be ableto read
Use physical devices like /smart card0Key never enters systemCard can be stolen, so have 2 devices combine bits tomake single key
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Key Revocation
Certificates invalidated before expiration
Usually due to compromised keyMay be due to change in circumstance (e.g., someoneleaving company)
Problems
Entity revoking certificate authorized to do soRevocation information circulates to everyone fast enoughNetwork delays, infrastructure problems may delayinformation
InformationSecurity
Technology
ChangdaWang
Key ExchangeRequirements
Session KeyExchangeProtocols
Session KeyExchangeProtocols
Public KeyExchangeProtocol
CryptographicKeyInfrastructure
Key StoringandRevocation
Key Points
Encryption can not be sent in plaintext
Key exchange protocols are used in a distributedenvironment
Public Key Exchange need a trusted third party