8/2/2019 06 Key Management
CEN 448 Security and Internet Protocols
Chapter 10
Key Management
Dr. Mostafa Hassan Dahshan
Computer Engineering Department
College of Computer and Information Sciences
King Saud University
Key Management
Major role in public-key encryption
Key management has two aspects
distribution of public keys
using public-key encryption to distribute
secret keys (for symmetric encryption)
Distribution of Public-Keys
Public announcement
Publicly available directory
Public-key authority
Public-key certificates
Public Announcement
Broadcast key to public community
public forums
newsgroups
mailing lists
Convenient
Anyone can forge such an announcement
Pretend to be user A, announce public key
Decrypt all messages sent to A
Publicly Available Directory
Public dynamic directory of public keys
Maintained by trusted entity/organization
Greater security than public announcement
Publicly Available Directory
Authority maintains directory with {name, public key} entry for each participant
Participants register key with authority
must be in person or securely authenticated
Participant may replace key with new one
e.g. if private key has been compromised
Participants can access directory securely
authenticated communication is mandatory
Publicly Available Directory
Still has vulnerabilities
If opponent obtains PR key of authority
can pass out counterfeit public keys
impersonate participant
Opponent may tamper with public key records kept by authority
Public Key Authority
Provide tighter control over PU distribution
Central authority maintains PU directory
All participants reliably know PU of authority
Only authority knows its PR
Public Key Authority
1. A sends timestamped message to auth containing request for current PUB
2. Auth responds with message encrypted with PRauth containing
PUB
original request, so A can verify it's not altered
original timestamp, so A knows PUB is current
3. A stores PUB, uses it to encrypt message
identifier of A, IDA
nonce N1 to identify transaction uniquely
4, 5. B retrieves PUA from auth (similar to 1, 2)
Two additional steps are desirable
6. B sends message to A encrypted with PUA
N1: to assure A that only B decrypted message (3)
N2: so that A can verify itself
7. A returns N2, to assure B that correspondent is A
Public-Key Certificates
Certificate contains
public key of certificate holder
ID of certificate holder
Certificate encrypted using PRauth
serves as a trusted signature
Users can verify certificate using PUauth
Certificate authority
government agency or financial institution
Public-Key Certificates
Participant A applies to auth for certificate
supplies PUA and requests certificate
in person or by secure communication
Authority provides certificate
CA = E(PRauth, [T||IDA||PUA])
A may pass this certificate to others (B)
B can verify certificate
D(PUauth, CA) = (T||IDA||PUA)
Public-Key Certificates
Timestamp serves as expiration date
Sufficiently old certificate assumed expired
If PR is compromised
A applies for new certificate
still at risk until other communicants are aware
X.509 is universally accepted standard for certificate format
Used in IPSec, SSL, S/MIME
Distribution of Secret Keys
Public-key encryption relatively slow
Usually used for distribution of secret keys
Secret keys used for symmetric encryption
Simple Scheme
1. A -> B: PUA||IDA
B generates secret key Ks
2. B -> A: E(PUA, Ks)
A decrypts message
A and B can now securely communicate using Ks
Man-in-the-Middle-Attack
Attacker X can intercept message (1)
Replace PUA with PUX, X -> B: PUX||IDA
B generates Ks, B -> X: E(PUX, Ks)
X decrypts message, learns Ks
X -> A: E(PUA, Ks)
A and B know Ks,
A and B don't know that X also knows Ks
X can now decrypt all messages
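The interception above and the certificate check from the Public-Key Certificates slides, side by side, as an added example that is not part of the original slides. It uses textbook RSA on small constructed primes; every function name, key and the timestamp are assumptions made for illustration.

```python
# Added illustration: textbook RSA on constructed primes (no padding, not
# secure). All names and values below are assumptions, not from the slides.

def keypair(p, q, e=17):
    """Return (PU, PR) = ((e, n), (d, n)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def E(key, m):
    """E(key, m) as on the slides: m^k mod n with either half of a pair."""
    k, n = key
    return pow(m, k, n)

D = E  # textbook RSA decryption is the same operation with the other key

PU_A, PR_A = keypair(1009, 1013)
PU_X, PR_X = keypair(1031, 1033)                    # attacker X
PU_auth, PR_auth = keypair(2**107 - 1, 2**127 - 1)  # authority

def mitm_simple(ks):
    """Simple scheme after X swapped PU_A for PU_X in message 1."""
    to_x = E(PU_X, ks)        # B encrypts Ks to the key it received
    learned = D(PR_X, to_x)   # X recovers Ks
    to_a = E(PU_A, learned)   # X re-encrypts, so A sees a normal message 2
    return learned, D(PR_A, to_a)

def pack(T, ID, pu):
    """T||ID||PU as one integer below the authority modulus."""
    return int.from_bytes(f"{T}|{ID}|{pu[0]}|{pu[1]}".encode(), "big")

def issue(T, ID, pu):
    """CA = E(PRauth, [T||ID||PU])."""
    return E(PR_auth, pack(T, ID, pu))

def verify(cert, expected_id, now, max_age=86400):
    """D(PUauth, CA): return PU only if ID matches and T is recent."""
    m = D(PU_auth, cert)
    try:
        blob = m.to_bytes((m.bit_length() + 7) // 8, "big").decode()
        T, ID, e, n = blob.split("|")
        T, pu = int(T), (int(e), int(n))
    except ValueError:        # not produced with PRauth: garbage after D()
        return None
    return pu if ID == expected_id and 0 <= now - T <= max_age else None

T0 = 1564704000  # constructed timestamp
```

If B calls verify() on a certificate before encrypting Ks, X's own certificate fails the ID check, a blob X signs with PRX fails to decode, and an old certificate for A fails the timestamp check.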
Confidentiality & Authentication
1. A -> B: E(PUB, [N1||IDA])
N1 to identify transaction uniquely
2. B -> A: E(PUA, [N1||N2])
decrypted N1 assures A that sender is B
3. A -> B: E(PUB, N2)
decrypted N2 assures B that sender is A
4. A -> B: E(PUB, E(PRA, Ks))
Using PUB: only B can retrieve Ks
Using PRA: only A could have sent message
Diffie-Hellman Key Exchange
Two publicly known numbers
q: prime number
< q: primitive root of q
User A selects random integer XA < q
A calculates YA = XA mod q
User B selects random integer XB < q
B calculates YB = XB mod q
Diffie-Hellman Key Exchange
A, B keep X private and make Y public
A computes key K = (YB)^XA mod q
B computes key K = (YA)^XB mod q
Two calculations produce identical results
Diffie-Hellman Key Exchange
K = (YB)^XA mod q
= (XB mod q)XA mod q
= (XB)XA mod q (rules of modular arithmetic)
= XBXA mod q
= (XA)XB mod q
= (XA mod q)XB mod q
= (YA)^XB mod q
Diffie-Hellman Key Exchange
Easy to calculate exponential modulo prime
K = (YA)^XB mod q
Very difficult to calculate discrete logarithm
To determine private XB, attacker must
calculate XB= dlog,q(YB), then calculate K
For large prime, it is considered infeasible
Example
Prime number q = 353, primitive root = 3
A selects XA = 97, B selects XB = 233
A computes YA = 3^97 mod 353 = 40
B computes YB = 3^233 mod 353 = 248
A computes K = 248^97 mod 353 = 160
B computes K = 40^233 mod 353 = 160
Example
Brute-force attack tries to calculate a or b:
3^a mod 353 = 40 or 3^b mod 353 = 248
Calculate powers of 3 mod 353
Stop when result = 40 or 248
For this case, will stop at a = 97
For large numbers, problem becomes impractical
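The exchange and the brute-force search from the Example slides, worked with the slides' own numbers, as an added example that is not part of the original slides. The name g for the primitive root and all function names are assumptions.

```python
# Added illustration with the slides' numbers. `g` is an assumed name for
# the primitive root; function names are also assumptions.

def is_primitive_root(g, q):
    """Appendix definition: g, g^2, ..., g^(q-1) mod q are all distinct."""
    seen, v = set(), 1
    for _ in range(q - 1):
        v = v * g % q
        if v in seen:          # a repeat means some value in 1..q-1 is missed
            return False
        seen.add(v)
    return True

def public_value(g, x, q):
    """Y = g^X mod q."""
    return pow(g, x, q)

def shared_key(y_peer, x_own, q):
    """K = (Y_peer)^X_own mod q."""
    return pow(y_peer, x_own, q)

def brute_force_dlog(g, targets, q):
    """Walk powers of g mod q; stop at the first one found in targets.

    Returns (exponent, matched_value), or None if g never reaches a target.
    Takes up to q - 1 multiplications, which is why large q defeats it.
    """
    v = 1
    for i in range(1, q):
        v = v * g % q
        if v in targets:
            return i, v
    return None

def eavesdropper_key(g, q, ya, yb):
    """Recover K from public values only, as the brute-force slide describes."""
    found = brute_force_dlog(g, {ya, yb}, q)
    if found is None:
        return None
    x, y = found
    return shared_key(yb if y == ya else ya, x, q)

Q, G, XA, XB = 353, 3, 97, 233   # values from the Example slides
```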
Appendix: Discrete Logarithms
Primitive root a of prime number p
number whose powers modulo p generate all possible integers from 1 to p - 1
a mod p, a^2 mod p, ..., a^(p-1) mod p
are distinct and fall in [1, p]
For any integer b and primitive root a of a prime number p, there exists unique i:
b ≡ a^i (mod p), 0 ≤ i < (p - 1)
i is called discrete logarithm for base a, mod p