06 Key Management

  • 8/2/2019 06 Key Management

    1/14

    CEN 448 Security and Internet Protocols

    Chapter 10

    Key Management

    Dr. Mostafa Hassan Dahshan

    Computer Engineering Department

    College of Computer and Information Sciences

    King Saud University

    Key Management

    Major role in public-key encryption

    Key management has two aspects

    distribution of public keys

    using public-key encryption to distribute secret keys (for symmetric encryption)

    Distribution of Public-Keys

    Public announcement

    Publicly available directory

    Public-key authority

    Public-key certificates

    Public Announcement

    Broadcast key to public community

    public forums

    newsgroups

    mailing lists

    Convenient

    Anyone can forge such an announcement

    Pretend to be user A, announce public key

    Decrypt all messages sent to A

    Publicly Available Directory

    Public dynamic directory of public keys

    Maintained by trusted entity/organization

    Greater security than public announcement

    Publicly Available Directory

    Authority maintains directory with {name, public key} entry for each participant

    Participant registers key with authority

    must be in person or securely authenticated

    Participant may replace key with new one

    e.g. if private key has been compromised

    Participants can access directory securely

    authenticated communication is mandatory

    Publicly Available Directory

    Still has vulnerabilities

    If opponent obtains PR key of authority

    can pass out counterfeit public keys

    impersonate participant

    Opponent may tamper with public key records kept by authority

    Public Key Authority

    Provide tighter control over PU distribution

    Central authority maintains PU directory

    All participants reliably know PU of authority

    Only authority knows its PR

    Public Key Authority

    1. A sends timestamped message to auth containing request for current $PU_B$

    2. Auth responds with message encrypted with $PR_{auth}$ containing

    $PU_B$

    original request, so A can verify it's not altered

    original timestamp, so A knows $PU_B$ is current

    Public Key Authority

    3. A stores $PU_B$, uses it to encrypt message

    identifier of A, $ID_A$

    nonce $N_1$ to identify transaction uniquely

    4,5. B retrieves $PU_A$ from auth (similar to 1, 2)

    Two additional steps are desirable

    6. B sends message to A encrypted with $PU_A$

    $N_1$: to assure A that only B decrypted message (3)

    $N_2$: so that A can verify itself

    7. A returns $N_2$, to assure B that correspondent is A

    Public-Key Certificates

    Certificate contains

    public key of certificate holder

    ID of certificate holder

    Certificate encrypted using $PR_{auth}$

    serves as a trusted signature

    Users can verify certificate using $PU_{auth}$

    Certificate authority

    government agency or financial institution

    Public-Key Certificates

    Participant A applies to auth for certificate

    supplies $PU_A$ and requests certificate

    in person or by secure communication

    Authority provides certificate

    $C_A = E(PR_{auth}, [T \| ID_A \| PU_A])$

    A may pass this certificate to others (B)

    B can verify certificate

    $D(PU_{auth}, C_A) = (T \| ID_A \| PU_A)$

    Public-Key Certificates

    Timestamp serves as expiration date

    Sufficiently old certificate assumed expired

    If PR is compromised

    A applies for new certificate

    still at risk until other communicants are aware

    X.509 is universally accepted standard for certificate format

    Used in IPSec, SSL, S/MIME
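Added example (not part of the original slides): a toy authority issues a certificate binding T, ID_A and PU_A, and a relying party checks the signature, the holder and the timestamp age. Assumptions: textbook RSA over two small Mersenne primes, a SHA-256 digest signed in place of encrypting the whole field, integer timestamps, placeholder key strings; all function names are this example's own.

```python
import hashlib
import json

# Toy textbook-RSA key for the authority, built from two Mersenne primes.
# Constructed for this example: unpadded and far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
PR_AUTH = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the authority
PU_AUTH = (E, N)                          # public key, reliably known to all users

def _digest(t, holder_id, holder_pu, n):
    """SHA-256 over an unambiguous encoding of T || ID || PU, reduced mod n."""
    data = json.dumps([t, holder_id, holder_pu]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_certificate(t, holder_id, holder_pu):
    """Authority side: bind T, ID and PU together under PR_auth."""
    sig = pow(_digest(t, holder_id, holder_pu, N), PR_AUTH, N)
    return {"T": t, "ID": holder_id, "PU": holder_pu, "sig": sig}

def verify_certificate(cert, pu_auth, expected_id, now, max_age):
    """Relying-party side: check signature, holder and age. Returns (ok, reason)."""
    e, n = pu_auth
    expected = _digest(cert["T"], cert["ID"], cert["PU"], n)
    if pow(cert["sig"], e, n) != expected:
        return False, "bad signature"
    if cert["ID"] != expected_id:
        return False, "wrong holder"
    if not 0 <= now - cert["T"] <= max_age:
        return False, "timestamp outside validity window"
    return True, "ok"

def demo():
    """Constructed scenario: A's certificate, a swapped key, and an old certificate."""
    cert_a = issue_certificate(t=1000, holder_id="A", holder_pu="PU_A (placeholder)")
    swapped = dict(cert_a, PU="PU_X (placeholder)")   # public key replaced in transit
    return [
        verify_certificate(cert_a, PU_AUTH, "A", now=1500, max_age=3600),
        verify_certificate(swapped, PU_AUTH, "A", now=1500, max_age=3600),
        verify_certificate(cert_a, PU_AUTH, "A", now=9000, max_age=3600),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The swapped key fails because the signature covers PU together with ID and T, so a relying party that holds only PU_auth can detect the substitution without contacting the authority.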

    Distribution of Secret Keys

    Public-key encryption relatively slow

    Usually used for distribution of secret keys

    Secret keys used for symmetric encryption

    Simple Scheme

    1. A → B: $PU_A \| ID_A$

    B generates secret key $K_s$

    2. B → A: $E(PU_A, K_s)$

    A decrypts message

    A and B can now securely communicate using $K_s$

    Man-in-the-Middle-Attack

    Attacker X can intercept message (1)

    Replace $PU_A$ with $PU_X$, X → B: $PU_X \| ID_A$

    B generates $K_s$, B → X: $E(PU_X, K_s)$

    X decrypts message, learns $K_s$

    X → A: $E(PU_A, K_s)$

    A and B know $K_s$,

    A and B don't know that X also knows $K_s$

    X can now decrypt all messages

    Confidentiality & Authentication

    1. A → B: $E(PU_B, [N_1 \| ID_A])$

    $N_1$ to identify transaction uniquely

    2. B → A: $E(PU_A, [N_1 \| N_2])$

    decrypted $N_1$ assures A that sender is B

    3. A → B: $E(PU_B, N_2)$

    decrypted $N_2$ assures B that sender is A

    4. A → B: $E(PU_B, E(PR_A, K_s))$

    Using $PU_B$: only B can retrieve $K_s$

    Using $PR_A$: only A could have sent message

    Diffie-Hellman Key Exchange

    Two publicly known numbers

    q: prime number

    < q: primitive root of q

    User A selects random integer $X_A < q$

    A calculates YA = XA mod q

    User B selects random integer $X_B < q$

    B calculates YB = XB mod q

    Diffie-Hellman Key Exchange

    A, B keep X private and make Y public

    A computes key $K = (Y_B)^{X_A} \bmod q$

    B computes key $K = (Y_A)^{X_B} \bmod q$

    Two calculations produce identical results

    Diffie-Hellman Key Exchange

    K = (YB)XA mod q= (XB mod q)XA mod q

    = (XB)XA mod q (rules of modular arithmetic)

    = XBXA mod q

    = (XA)XB mod q

    = (XA mod q)XB mod q

    = (YA)XB mod q

    Diffie-Hellman Key Exchange

    Easy to calculate exponential modulo prime

    $K = (Y_A)^{X_B} \bmod q$

    Very difficult to calculate discrete logarithm

    To determine private XB, attacker must

    calculate XB= dlog,q(YB), then calculate K

    For large prime, it is considered infeasible

    Example

    Prime number q = 353, primitive root = 3

    A selects $X_A = 97$, B selects $X_B = 233$

    A computes $Y_A = 3^{97} \bmod 353 = 40$

    B computes $Y_B = 3^{233} \bmod 353 = 248$

    A computes $K = 248^{97} \bmod 353 = 160$

    B computes $K = 40^{233} \bmod 353 = 160$

    Example

    Brute-force attack tries to calculate a or b:

    $3^a \bmod 353 = 40$ or $3^b \bmod 353 = 248$

    Calculate powers of 3 mod 353

    Stop when result = 40 or 248

    For this case, will stop at a = 97

    For large numbers, problem becomes impractical
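Added example (not part of the original slides): the exchange and the brute-force search from the Example slides, run with the slides' numbers, showing that the search costs as many multiplications as the private value is large. The names `root`, `public_value`, `shared_key` and `brute_force_dlog` are chosen for this example.

```python
def is_primitive_root(root, q):
    """True if root^1 .. root^(q-1) mod q are all distinct (q assumed prime)."""
    seen, value = set(), 1
    for _ in range(q - 1):
        value = (value * root) % q
        if value in seen:
            return False
        seen.add(value)
    return True

def public_value(root, q, x):
    """Y = root^X mod q for a private X with 1 <= X < q."""
    if not 1 <= x < q:
        raise ValueError("private value must satisfy 1 <= X < q")
    return pow(root, x, q)

def shared_key(peer_y, own_x, q):
    """K = (peer's Y)^(own X) mod q."""
    return pow(peer_y, own_x, q)

def brute_force_dlog(root, q, target):
    """Step through successive powers of root mod q until target appears.
    The returned exponent is also the number of multiplications performed,
    so the work grows linearly with q. Returns None if target never appears."""
    value = 1
    for exponent in range(1, q):
        value = (value * root) % q
        if value == target:
            return exponent
    return None

def slide_example():
    """Reproduce the slides' numbers: q = 353, root 3, X_A = 97, X_B = 233."""
    q, root, x_a, x_b = 353, 3, 97, 233
    y_a, y_b = public_value(root, q, x_a), public_value(root, q, x_b)
    recovered_x_a = brute_force_dlog(root, q, y_a)   # feasible only because q is tiny
    return {
        "Y_A": y_a, "Y_B": y_b,
        "K_A": shared_key(y_b, x_a, q), "K_B": shared_key(y_a, x_b, q),
        "recovered_X_A": recovered_x_a,
        "K_from_recovered": shared_key(y_b, recovered_x_a, q),
    }

if __name__ == "__main__":
    print(is_primitive_root(3, 353), slide_example())
```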

    Appendix: Discrete Logarithms

    Primitive root a of prime number p

    number whose powers modulo p generate all possible integers from 1 to p − 1

    $a \bmod p,\ a^2 \bmod p,\ \ldots,\ a^{p-1} \bmod p$

    are distinct and fall in [1, p]

    For any integer b and primitive root a of a prime number p, there exists unique i:

    $b \equiv a^i \pmod{p}$, $0 \le i < (p - 1)$

    i is called discrete logarithm for base a, mod p
