Key Management Network Systems Security

Key Management Network Systems Security

Mort Anvari

9/16/2004 2

Key Management

Asymmetric encryption helps address key distribution problems

Two aspects distribution of public keys use of public-key encryption to

distribute secret keys

9/16/2004 3

Distribution of Public Keys

Four alternatives of public key distribution Public announcement Publicly available directory Public-key authority Public-key certificates

9/16/2004 4

Public Announcement Users distribute public keys to

recipients or broadcast to community at large E.g. append PGP keys to email messages

or post to news groups or email list Major weakness is forgery

anyone can create a key claiming to be someone else and broadcast it

can masquerade as claimed user before forgery is discovered

9/16/2004 5

Publicly Available Directory Achieve greater security by registering

keys with a public directory Directory must be trusted with

properties: contains {name, public-key} entries participants register securely with directory participants can replace key at any time directory is periodically published directory can be accessed electronically

Still vulnerable to tampering or forgery

9/16/2004 6

Public-Key Authority Improve security by tightening control

over distribution of keys from directory Has properties of directory Require users to know public key for the

directory Users can interact with directory to

obtain any desired public key securely require real-time access to directory when

keys are needed

9/16/2004 7

Public-Key Authority

9/16/2004 8

Public-Key Certificates Certificates allow key exchange without

real-time access to public-key authority A certificate binds identity to public

key usually with other info such as period of

validity, authorized rights, etc With all contents signed by a trusted

Public-Key or Certificate Authority (CA) Can be verified by anyone who knows

the CA’s public key

9/16/2004 9

Public-Key Certificates

9/16/2004 10

Distribute Secret KeysUsing Asymmetric Encryption

Can use previous methods to obtain public key of other party

Although public key can be used for confidentiality or authentication, asymmetric encryption algorithms are too slow

So usually want to use symmetric encryption to protect message contents

Can use asymmetric encryption to set up a session key

9/16/2004 11

Simple Secret Key Distribution Proposed by Merkle in 1979

A generates a new temporary public key pair A sends B the public key and A’s identity B generates a session key Ks and sends

encrypted Ks (using A’s public key) to A A decrypts message to recover Ks and both use

9/16/2004 12

Problem with Simple Secret Key Distribution

An adversary can intercept and impersonate both parties of protocol

A generates a new temporary public key pair {KUa, KRa} and sends KUa || IDa to B

Adversary E intercepts this message and sends KUe || IDa to B

B generates a session key Ks and sends encrypted Ks (using E’s public key)

E intercepts message, recovers Ks and sends encrypted Ks (using A’s public key) to A

A decrypts message to recover Ks and both A and B unaware of existence of E

9/16/2004 13

Distribute Secret KeysUsing Asymmetric Encryption if A and B have securely exchanged public-keys

?

9/16/2004 14

Problem with Previous Scenario

Message (4) is not protected by N2

An adversary can intercept message (4) and replay an old message or insert a fabricated message

9/16/2004 15

Order of Encryption Matters

What can be wrong with the following protocol?

AB: NBA: EKUa[EKRb[Ks||N]]

An adversary sitting between A and B can get a copy of secret key Ks without being caught by A and B!

9/16/2004 16

Diffie-Hellman Key Exchange

First public-key type scheme proposed

By Diffie and Hellman in 1976 along with advent of public key concepts

A practical method for public exchange of secret key

Used in a number of commercial products

9/16/2004 17

Diffie-Hellman Key Exchange Use to set up a secret key that can be used for

symmetric encryption cannot be used to exchange an arbitrary message

Value of key depends on the participants (and their private and public key information)

Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy

Security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard

9/16/2004 18

Primitive Roots From Euler’s theorem: aø(n) mod n=1 Consider am mod n=1, GCD(a,n)=1

must exist for m= ø(n) but may be smaller once powers reach m, cycle will repeat

If smallest is m= ø(n) then a is called a primitive root

if p is prime, then successive powers of a “generate” the group mod p

Not every integer has primitive roots

9/16/2004 19

Primitive Root Example: Power of Integers Modulo 19

9/16/2004 20

Discrete Logarithms Inverse problem to exponentiation is to find the

discrete logarithm of a number modulo p Namely find x where ax = b mod p Written as x=loga b mod p or x=inda,p(b) If a is a primitive root then discrete logarithm

always exists, otherwise may not 3x = 4 mod 13 has no answer 2x = 3 mod 13 has an answer 4

While exponentiation is relatively easy, finding discrete logarithms is generally a hard problem

9/16/2004 21

Diffie-Hellman Setup

All users agree on global parameters large prime integer or polynomial q α which is a primitive root mod q

Each user (e.g. A) generates its key choose a secret key (number): xA < q

compute its public key: yA = αxA mod q

Each user publishes its public key

9/16/2004 22

Diffie-Hellman Key Exchange Shared session key for users A and B is

KAB: KAB = α

xA.xB mod q

= yA

xB mod q (which B can compute)

= yB

xA mod q (which A can compute) KAB is used as session key in symmetric

encryption scheme between A and B Attacker needs xA or xB, which requires

solving discrete log

9/16/2004 23

Diffie-Hellman Example Given Alice and Bob who wish to swap keys Agree on prime q=353 and α=3 Select random secret keys:

A chooses xA=97, B chooses xB=233 Compute public keys:

yA=397 mod 353 = 40 (Alice)

yB=3233 mod 353 = 248 (Bob)

Compute shared session key as:KAB= yB

xA mod 353 = 24897 = 160 (Alice)

KAB= yA

xB mod 353 = 40233 = 160 (Bob)

9/16/2004 24

Next Class

Hashing functions Message digests