information security technologyist.ujs.edu.cn/file/jianggao/11 key management.pdf · bootstrap...

InformationSecurity

Technology

ChangdaWang

Key ExchangeRequirements

Session KeyExchangeProtocols


Public KeyExchangeProtocol

CryptographicKeyInfrastructure

Key StoringandRevocation

Information Security TechnologyKey Management

Changda Wang

cs.ujs.edu.cn

May 23, 2016

InformationSecurity

Technology

ChangdaWang







1 Key Exchange Requirements

2 Session Key Exchange ProtocolsSession Key Exchange ProtocolsPublic Key Exchange Protocol

3 Cryptographic Key Infrastructure

4 Key Storing and Revocation

InformationSecurity

Technology

ChangdaWang







Notation

X → Y : {Z||W}kX,Y

X sends Y the message produced by concatenating Z andW enciphered by key kX,Y , which is shared by users Xand Y .

A → T : {Z}kA ||{W}kA,T

A sends T a message consisting of the concatenation of Zenciphered using kA, A.s key, and W enciphered usingkA,T , the key shared by A and T .

r1, r2 nonces (nonrepeating random numbers)

InformationSecurity

Technology

ChangdaWang







Session, Interchange Keys

Alice wants to send a message m to Bob

Assume public key encryptionAlice generates a random cryptographic key ks (asymmetric encryption key) and uses it to encipher m

To be used for this message onlyCalled a session key

She enciphers ks with Bob’s public key kBkB enciphers all session keys Alice uses to communicatewith BobCalled an interchange key

Alice sends {m}ks{ks}kB

InformationSecurity

Technology

ChangdaWang







Benefits

Limits amount of traffic enciphered with single key

Standard practice, to decrease the amount of traffic anattacker can obtain

Prevents some attacks

Example: Alice will send Bob message that is either BUYor SELL. Eve computes possible ciphertexts {BUY }kB

and {SELL}kB. Eve intercepts enciphered message,

compares, and gets plaintext at once

InformationSecurity

Technology

ChangdaWang







Key Exchange Algorithms

Goal: Alice, Bob get shared keyKey cannot be sent in clear

Attacker can listen inKey can be sent enciphered, or derived from exchangeddata plus data not known to an eavesdropper

Alice, Bob may trust third partyAll cryptosystems, protocols publicly known

Only secret data is the keys, ancillary information knownonly to Alice and Bob needed to derive keysAnything transmitted is assumed known to attacker

InformationSecurity

Technology

ChangdaWang







Classical Key Exchange

Bootstrap problem: how do Alice, Bob begin?

Alice can.t send it to Bob in the clear!

Assume trusted third party, Cathy

Alice and Cathy share secret key kABob and Cathy share secret key kB

Use this to exchange shared key ks

InformationSecurity

Technology

ChangdaWang







Simple Protocol

Figure: Simple Protocol for Key Exchange

InformationSecurity

Technology

ChangdaWang







Problems

How does Bob know he is talking to Alice?

Replay attack: Eve records message from Alice to Bob,later replays it; Bob may think he is talking to Alice, buthe is notSession key reuse: Eve replays message from Alice to Bob,so Bob re-uses session key

Protocols must provide authentication and defense againstreplay

InformationSecurity

Technology

ChangdaWang







Needham-Schroeder

Figure: Needham-Schroeder Protocol

InformationSecurity

Technology

ChangdaWang







Denning-Sacco Modification

Assumption: all keys are secret

Question: suppose Eve can obtain session key. How doesthat affect protocol?

In what follows, Eve knows ks

Figure: Denning-Sacco Modification

InformationSecurity

Technology

ChangdaWang







Solutions

In protocol above, Eve impersonates Alice,replay in thirdstep

Solution: use time stamp T to detect replay

Weakness: if clocks not synchronized, may either rejectvalid messages or accept replays

Parties with either slow or fast clocks vulnerable to replayResetting clock does not eliminate vulnerability

InformationSecurity

Technology

ChangdaWang







Needham-Schroeder with Denning-SaccoModification

Figure: Combination Protocol

InformationSecurity

Technology

ChangdaWang







Kerberos

Authentication system

Based on Needham-Schroeder with Denning-SaccomodificationCentral server plays role of trusted third party (/Cathy0)

Ticket

Issuer vouches for identity of requester of service

Authenticator

Identifies sender

InformationSecurity

Technology

ChangdaWang







Idea

User u authenticates to Kerberos server

Obtains ticket Tu,TGS for ticket granting service (TGS)

User u wants to use service s:

User sends authenticator Au, ticket Tu,TGS to TGS askingfor ticket for serviceTGS sends ticket Tu,s to userUser sends Au, Tu,s to server as request to use s

Details follow

InformationSecurity

Technology

ChangdaWang







Kerbero’s Infrastructure

Figure: Kerbero’s Infrastructure

InformationSecurity

Technology

ChangdaWang







Kerbero Protocol

Figure: Kerbero Protocol

InformationSecurity

Technology

ChangdaWang







Problems

Relies on synchronized clocks

If not synchronized and old tickets, authenticators notcached, replay is possible

Tickets have some fixed fields

Dictionary attacks possibleKerberos 4 session keys weak (had much less than 56 bitsof randomness); researchers at Purdue found them fromtickets in minutes

InformationSecurity

Technology

ChangdaWang







Public Key Key Exchange

Here interchange keys known

eA, eB Alice and Bob.s public keys known to alldA, dB Alice and Bob.s private keys known only to owner

Simple protocol

ks is desired session key

Figure: Simple Protocol

InformationSecurity

Technology

ChangdaWang







Problem and Solution

Vulnerable to forgery or replay

Because eB known to anyone, Bob has no assurance thatAlice sent message

Simple fix uses Alice.s private key

ks is desired session key

Figure: Improved Simple Protocol

InformationSecurity

Technology

ChangdaWang







Notes

Assumes Bob has Alice.s public key, and vice versa

If not, each must get it from public serverIf keys not bound to identity of owner, attacker Eve canlaunch a man-in-the-middle attack (next slide; Cathy ispublic server providing public keys)

InformationSecurity

Technology

ChangdaWang







Bind identity to key

Classical: not possible as all keys are shared. Useprotocols to agree on a shared key (see earlier).

Public key: bind identity to public key

Crucial as people will use key to communicate withprincipal whose identity is bound to keyErroneous binding means no secrecy between principals

InformationSecurity

Technology

ChangdaWang







Certificates

Create token (message) containing

Identity of principal (here, Alice)Corresponding public keyTimestamp (when issued)Other information (perhaps identity of signer)

signed by trusted authority (here, Cathy)

CA = {eA||Alice||T}dC

InformationSecurity

Technology

ChangdaWang







Use

Bob gets Alice.s certificateIf he knows Cathy.s public key, he can decipher thecertificate

When was certificate issued?Is the principal Alice?

Now Bob has Alice.s public key

Problem: Bob needs Cathy.s public key to validatecertificate

Problem pushed /up0a levelTwo approaches: Merkle.s tree, signature chains

InformationSecurity

Technology

ChangdaWang







Key Storing

Multi-user or networked systems: attackers may defeataccess control mechanisms

Encipher file containing key

Attacker can monitor keystrokes to decipher filesKey will be resident in memory that attacker may be ableto read

Use physical devices like /smart card0Key never enters systemCard can be stolen, so have 2 devices combine bits tomake single key

InformationSecurity

Technology

ChangdaWang







Key Revocation

Certificates invalidated before expiration

Usually due to compromised keyMay be due to change in circumstance (e.g., someoneleaving company)

Problems

Entity revoking certificate authorized to do soRevocation information circulates to everyone fast enoughNetwork delays, infrastructure problems may delayinformation

InformationSecurity

Technology

ChangdaWang







Key Points

Encryption can not be sent in plaintext

Key exchange protocols are used in a distributedenvironment

Public Key Exchange need a trusted third party

information security technologyist.ujs.edu.cn/file/jianggao/11 key management.pdf · bootstrap...

Documents