PKI and Identity-Based Encryption Secure IT Conference 2007 Guido Appenzeller Voltage Security
Dec 30, 2015
Secure IT Conference 2007
2
Identity-Based Encryption (IBE)Identity-Based Encryption (IBE)
IBE is a new public key encryption algorithm A number of widely-used encryption algorithms are
already available (AES, RSA, ECC etc.) Why on earth should we care about a new one?
1. IBE results in vastly simplified key management
2. As a result, IBE based solutions have a much lower total cost of ownership and much higher usability
3. It has gained widespread adoption in Industry and has opened up the use of encryption to new use cases
Secure IT Conference 2007
4
Identity-Based EncryptionIdentity-Based Encryption
Basic Idea: Public-key Encryption where Identities are Public Keys
IBE Public Key:
[email protected] RSA Public Key:
Public exponent=0x10001Modulus=135066410865995223349603216278805969938881475605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563
Secure IT Conference 2007
5
IBE does not need certificatesIBE does not need certificates
Certificates bind Public Keys to Identities e.g. [email protected] has key 0x87F6… Signed by a Certification Authority
In IBE, Identity and Public Key is the same No certificate needed No certificate revocation No certificate servers No pre-enrollment X
Secure IT Conference 2007
6
Identity-Based Encryption (IBE)Identity-Based Encryption (IBE)
IBE is an old idea Originally proposed by Adi Shamir, co-inventor of the RSA
Algorithm, in 1984
First practical implementation Boneh-Franklin Algorithm published at Crypto 2001 Based on well-tested building blocks for encryption
(elliptic curves and pairings)
IBE is having a major impact already Over 200 scientific publications on IBE/Pairings Boneh-Franklin paper cited 450 times so far (Google Scholar) Dan Boneh awarded 2005 RSA Conference Award for
Mathematics for inventing IBE
Secure IT Conference 2007
7
How IBE works in practiceAlice sends a Message to BobHow IBE works in practiceAlice sends a Message to Bob
KeyServer
key request +
authenticate
master secret
publicparams
publicparams
publicparams
Secure IT Conference 2007
8
How IBE works in practiceSecond Message to BobHow IBE works in practiceSecond Message to Bob
KeyServer
publicparams
publicparams
Fully off-line - no connection to server requiredFully off-line - no connection to server required
Secure IT Conference 2007
9
The IBE Key ServerThe IBE Key Server
Master Secret is used to generate keys Each organization has a different secret
Thus different security domains Server does not need to keep state
No storage associated with server Easy load balancing, disaster recovery
Key Server
Master Secrets =
Request for Private Key for Identity [email protected]@b.com
18723619236163781872361923616378
Secure IT Conference 2007
10
User authenticationUser authentication
Authentication needs differs by Application More sensitive data, requires stronger authentication Even for one organization, very different needs for different
groups of users
KeyServer
Auth.Service
External authentication Leverage existing passwords,
directories, portals, etc. One size doesn’t fit all
Secure IT Conference 2007
11
OMB-04-04Level:
Level 1
Level 2
Level 4
Level 3
No Authentication
Email answerback (VeriSign Class 1)
Email answerback w/ passwords
Directory with pre-enrollment
Windows domain controller or SSO
RSA SecurID
PKI Smart Card, USB Token
Three factor auth (Bio+PKI+PIN) Pre-enrollm
entS
elf-provisioning
OOB password with call center reset
The Authentication GradientThe Authentication Gradient
Secure IT Conference 2007
12
Key Revocation, Expiration and PolicyKey Revocation, Expiration and Policy
What happens if I lose my private key? Key validity enables revocation – “key freshness”
Every week public key changes, so every week a new private key is issued revocation can be done on weekly basis
To revoke someone, simply remove him from the authentication mechanism (e.g. corporate directory)
e-mail address key validity
|| week = 252
Secure IT Conference 2007
13
IEEE 1363.3 – Pairing Based IBE StandardIEEE 1363.3 – Pairing Based IBE Standard
IEEE 1363 Standards Group Wrote standard on RSA and Elliptic Curve Cryptography Now taking steps to standardize IBE
IEEE 1363.3 “Identity-Based Cryptographic methods
using Pairings” Main focus is on IBE, but also related
methods (e.g. ID based signatures)
Strong support from Government and Industry Meetings attended by representatives from NIST, NSA,
HP, Microsoft, Gemplus, Motorola and others
Secure IT Conference 2007
14
IETF – IBE based Secure Email StandardIETF – IBE based Secure Email Standard
Internet Engineering Task Force Sets standards for the Internet TCP/IP, IPSec, HTTP, TLS, DNS etc.
Effort through the S/MIME Group S/MIME today implemented in all major email clients IBE as an additional key transport for S/MIME Standard includes IBE Key Request Protocol, IBE
Parameter Lookup Protocol and selected IBE Algorithms Final RFC expected in 2007
Secure IT Conference 2007
15
Standard Textbooks incorporating Identity-Based EncryptionStandard Textbooks incorporating Identity-Based Encryption
Elliptic CurvesbyLawrence C. Washington
Handbook of Elliptic and Hyperelliptic Curve CryptographybyHenri Cohen, Gerhard Frey
Elliptic Curves in CryptographyEdited byIan Blake, Gadiel Seroussi and Nigel Smart
Cryptography: Theory and Practice (3rd Ed.)byDouglas R. Stinson
Secure IT Conference 2007
16
Awards for IBE ProductsAwards for IBE Products
IAPP Privacy Innovation Technology Award - 2006
AlwaysOn Top 100 Companies - July 2005
Red Herring 100 Top Private Companies 2005
Gartner Group – Cool Security Vendor 2005
eWeek Finalist 2005 – Email Management and
Security
RSA 2005 Prize for Mathematics – Dr. Dan Boneh
SC Magazine Finalist 2005 – Best Email Security
Solution and Best Encryption Solution
AlwaysOn “Top new innovator company” – July 2004
InfoWorld Innovators Award - May 2004 Bank
Network World “Tops in Innovation” - February, 2004
Technology News “Top Ten Technology Companies”
- August, 2003
RSA Mathematics Prize 2005
Secure IT Conference 2007
18
Encryption today is a solved problemExample: Encrypting an email messageEncryption today is a solved problemExample: Encrypting an email message
Alice Bob
EncryptionKey
DecryptionKey
How do we make sure Alice and Bob have the right keys?
Secure IT Conference 2007
19
What is hard about managing keys?What is hard about managing keys?
Enrollment Key creation, duplicate keys Distribution
Lookup, Storage and Access Finding the encryption key of a recipient Recovery of decryption keys
• Virus scanning, spam filtering• Archiving emails for compliance
Synchronizing distributed key stores
Key life cycle Revoking keys, expiring keys Backup of keys, disaster recovery
Secure IT Conference 2007
20
Key Management for Symmetric KeysExample: Organization with 8 peopleKey Management for Symmetric KeysExample: Organization with 8 people
Key Store
28 keys
4
3
2
5
6
7
11 2 3 4
5 6 7
1 2 3
4 5 6
7 8 ..
.. .. ..
.. .. ..
.. .. ..
.. .. ..
.. .. ..
.. .. ..
..
8
8
How many keys totalfor 8 people?
KeyServer
Secure IT Conference 2007
21
Key Management with Symmetric KeysKey Management with Symmetric Keys
One key per pair of users Network of 8 parties requires managing 28 keys Network of 1000 users requires 500,000 keys Network of N parties requires N(N+1)/2 keys
Alternative: One key per email Network of 1000 users Assume 50 emails per user per day 18,250,000 keys per year
Key management with symmetric keys doesn’t scale!
Secure IT Conference 2007
22
Public Key Infrastructure (PKI)Public Key Infrastructure (PKI)
Public Key Encryption Users have a Public Key and a Private Key Only need one key per party, total of N keys for N parties Keys are bound to users with Certificates Examples: RSA, Elliptic Curve etc.
Managing PKI has issues of its own How do I create certificates for everyone? How do I revoke a certificate? How do I find the certificate of a recipient? How do I manage certificate distribution What do I do if private keys are lost …
Secure IT Conference 2007
23
Key Management - Public Key InfrastructureCertificate Server binds Identity to Public KeyKey Management - Public Key InfrastructureCertificate Server binds Identity to Public Key
[email protected]@a.com
Send Public Key,
Authenticate
ReceiveCertificate
CA Signing Key
CertificationAuthority
CA Public Key
Certificate Server
StoreCertificate
Look up Bob’s Certificate,Check revocation
CA Public Key Bob’s Private KeyBob’s Public Key
RecoveryServer
Store Bob’s Private Key
Secure IT Conference 2007
24
Key Management - IBEBinding is done by mathematicsKey Management - IBEBinding is done by mathematics
IBE Key Server
Master Secret
SendIdentity,
Authenticate
ReceivePrivate Key
Public Parameters
Public Parameters Bob’s Private Key
Certificate Server
StoreCertificate
Look up Bob’s Certificate,Check revocation
X RecoveryServer
Store Bob’s Private KeyX
Secure IT Conference 2007
26
Secure Email – Deployment Options TodayIt’s not just Alice and BobSecure Email – Deployment Options TodayIt’s not just Alice and Bob
Virus
Audit
Archive
Internet
Normal Client
Gateway
Client with plug-in
Blackberry BES Server
System Generated
Web Mail(via ZDM)
MobileDevices
Client(via ZDM)
Client(via plug-in)
Client with plug-in
Intranet DMZ Internet Recipient’s Network
Secure IT Conference 2007
27
Email GatewaysEmail Gateways
Internal NetworkINTERNET
User receivesdecrypted email
3Encrypted email arrives
1
Gateway decrypts email
2
KeyServer
IBEGateway
Secure IT Conference 2007
28
Inspecting Secured DataIBE allows content inspection for end-to-end encrypted dataInspecting Secured DataIBE allows content inspection for end-to-end encrypted data
DMZ LANINTERNET
IBE Server
Exchange, Domino, etc.
User receivesencrypted email
3
GW
Vir
us
Au
dit
Arc
hiv
e
Email is scanned2Encrypted email arrives
1G
W
Secure IT Conference 2007
29
IBE Key Servers are “stateless” No certificates to store No private keys to store No revocation lists
Easy to load-balance Just put two of them next to each other
Easy backup and disaster recovery Only master secret and policy needs to
be backed up Size: < 100 kByte, fits on floppy disk Master secret is long lived, only need
to back up once Same for 100 or 100,000 users
IBE Systems are extremely ScalableIBE Systems are extremely Scalable
Secure IT Conference 2007
30
IBE Systems have a substantially lower TCO Case Study: For email encryption, IBE costs 30% of PKI
Less infrastructure needed, less additional FTE to manage solution Fewer components to be concerned with Disaster Recovery Easier user experience – less training and help desk support[Source: Ferris Research Case Study on Voltage SecureMail]
Total Cost of OwnershipTotal Cost of Ownership