Key management and cryptographic protocols
PV018, Vašek Matyáš

Reminder: relevant topics
- User authentication and identification
  - Passwords, replay attacks, challenge-response
- Security in communications and networks
  - Authentication in networks
  - Kerberos

Reduction of the problem
- Knowledge of a secret (key) establishes identity
- For shared-key crypto: based on trust in the party the key is shared with
  - Ability to encrypt/decrypt or MAC
- For public-key crypto: based on trust in the association between the public key and other data
  - Ability to sign or decrypt messages
  - B -> A: rB
  - A -> B: certA, rA, B, SA(rA, rB, B)
  - B -> A: certB, A, SB(rB, rA, A)

Key Management
- Generation
  - Random bit generators (coin tossing, electrical noise, etc.)
  - Pseudorandom generators: the usual case in practice
    - Importance of (statistical) tests
    - Use of good ciphers
- Key storage
- Key distribution
- Key usage
- Key archiving / destroying ...

Key Management Concepts I.
- Key Certification Center (CA)
- Key Distribution Center
- Key Escrow
- Key Freshness
- Key Granularity
- Key Material

Key Management Concepts II.
- Key Notarization
- Key Recovery
- Key Space
- Key Tag
- Trusted Third Party

Classical Fielded Applications
- Symmetric crypto
- Keys at different levels (of security, time of use, etc.)
- Example (simplified IBM model):
  - Master key: protects terminal keys; held in a highly tamper-resistant module
  - Terminal key: protects session keys; stored in secure (tamper-evident/resistant) memory
  - Session key: protects data in transmission

Use of session (short-term) keys
- To limit the volume of ciphertext (under one key) available for cryptanalytic attack
- To limit the window of exposure (time and data volume) in the event of key compromise
- To avoid storing a large number of distinct keys, by creating keys only when actually needed
- To create independence across sessions and/or applications

Protocol
- A multi-party algorithm, defined by a sequence of steps precisely specifying the actions required of two or more parties in order to achieve a specified objective
- Objectives of security / cryptographic protocols
  - Confidentiality (secrecy), authentication of origin, entity authentication, integrity, key establishment, non-repudiation ...

Protocols
- High-level (SSL, IPsec) & low-level
  - Security-functionality point of view
  - Network-protocol-layer point of view: OSI, TCP/IP
- Single-purpose & multi-purpose
- Standardized & proprietary

Kerberos
- Simplified version of the protocol
  - L: ticket lifetime
  - Def.: ticketB = E_KBT(k, "A", L), auth = E_k("A", TA)
  - (1) A -> T: "A", "B", nA
  - (2) T -> A: ticketB, E_KAT(k, nA, L, "B")
  - (3) A -> B: ticketB, auth
  - (4) B -> A: E_k(TA)

Key establishment protocols
- A shared secret becomes available to two or more parties, for subsequent cryptographic use
- Key transport: one party (securely) transfers a secret value to the other(s)
- Key agreement: the shared secret is derived by two (or more) parties from data contributed by, or associated with, each of them, (ideally) such that no party can pre-determine the resulting value

Key establishment concepts
- Key authentication (implicit): assurance to one party that no one except the specific other party could have gained access to a given key
- Key confirmation: assurance to one party that another party actually possesses a given key
- Explicit key authentication: both of the above hold
- Entity authentication: assurance to one party of the identity of another party actively involved in a protocol

Involvement of trusted parties
- For system setup and/or any protocol run
  - Off-line, on-line, in-line
- Key transport and/or generation
- Trust to keep secrets vs. trust to certify data
- Assumptions: following the course of action prescribed by the protocol, not knowingly collaborating with attackers, etc.

KDC Use: Usual Problems
- Delegation of trust might not be voluntary
- Attacks have to be watched for by all parties
  - Key reuse
  - Impersonation of A towards C
  - Impersonation of A towards B

ISO/IEC 9798: Entity Authentication
- Framework (Part 1), symmetric techniques (Part 2), asymmetric techniques (Part 3)
- Part 3:
  - Unilateral authentication
    - One-pass: signed sequence number or timestamp
    - Two-pass: challenge-response (random number)
  - Mutual authentication
    - Two-pass: signed sequence numbers or timestamps
    - Three-pass: challenge-response (random number)
    - Two-pass parallel: two unilateral two-pass protocols

Attacker can ...
- Record messages
- Replay them later
  - Possibly in a different order
  - Some repeatedly
  - Some not at all
- Modify part of a message, or the whole message

Types of attacks on protocols
- Man-in-the-middle
- Replay
- Reflection
- Interleave
- Oracle (chosen-text)
- Forced delay
- ...

KE protocol characteristics
- Key freshness
- Key control: can any party control or predict the key value?
- Efficiency
  - Number of message exchanges (passes)
  - Volume of data exchanged
  - Complexity of computation
  - Possibility of pre-computation
- Material pre-distribution (system setup, certificates ...)
- Third party involvement
- Non-repudiation

Time-variant parameters (nonces)
- Random numbers (selected from a uniform distribution), challenge-response: freshness
- Sequence numbers
  - Greater-by-one or only monotonic-increase check
  - Counter maintenance, reset policy
- Timestamps
  - Acceptance window
  - Secure, synchronized & distributed time information (clocks)

Types of KE protocols
- Key transport based on symmetric techniques
- Key transport based on asymmetric techniques
- Key agreement based on symmetric techniques
- Key agreement based on asymmetric techniques
- Secret sharing
- Conference keying

Key transport: symmetric techniques (* marks optional fields)
- One-pass: A -> B: E_K(rA, TVP*, A*, B*)
- Challenge-response:
  - B -> A: nB
  - A -> B: E_K(rA, nB, A*, B*)

Shamir's no-key protocol
- A -> B: E_KA(X)
- B -> A: E_KB(E_KA(X))
- A -> B: E_KB(X)
- Requires a commutative cipher (not Vernam's)

Diffie-Hellman protocol (diagram)
- Alice: secret x, sends x mod p
- Bob: secret y, sends y mod p
- Both compute the shared value xy mod p

Man-in-the-middle attack (diagram)
- Eve sits between Alice and Bob with her own secrets x' and y'
- Alice sends x mod p but receives y' mod p, so she computes xy' mod p
- Bob sends y mod p but receives x' mod p, so he computes x'y mod p
- Eve computes both x'y mod p and xy' mod p and can relay between the two

The building blocks
- Secure primitives are necessary, yet not sufficient
- Playing it safe: precise specification of
  - what shall and shall not be done
  - before, during and after the protocol run
  - with restrictions on use of a given protocol
- Assumptions are of critical importance!

Example: ISO/IEC 11770
- Information technology: Security techniques: Key Management
- Part 1: Key management framework
- Part 2: Mechanisms using symmetric techniques
- Part 3: Mechanisms using asymmetric techniques

ISO/IEC 11770-1 (outline)
1. Scope
2. Normative references
3. Definitions
4. General discussion of key management
   4.1 Protection of keys
       4.1.1 Cryptographic means
       4.1.2 Non-cryptographic means
       4.1.3 Physical means
       4.1.4 Organizational means
   4.2 Generic key life cycle model
       4.2.1 Transitions between key states
       4.2.2 Transitions, services and keys
5. Concepts of key management
   5.1 Key management services
       5.1.1 Generate-Key
       5.1.2 Register-Key
       5.1.3 Create-Key-Certificate
       5.1.4 Distribute-Key
       5.1.5 Install-Key
       5.1.6 Store-Key
       5.1.7 Derive-Key
       5.1.8 Archive-Key
       5.1.9 Revoke-Key
       5.1.10 Deregister-Key
       5.1.11 Destroy-Key
   5.2 Support services
       5.2.1 Key management facility services
       5.2.2 User-oriented services
   5.3 Conceptual models for key distribution
       5.3.1 KD between communicating entities
       5.3.2 KD within one domain
       5.3.3 KD between domains
7. Specific service providers
Annexes (!!!)

ISO/IEC 11770-3
- Secret key agreement (7 mechanisms)
- Secret key transport (6 mechanisms)
- Public key transport
  - Without a TTP (2 mechanisms)
  - Using a CA (1 mechanism)

Related ISO standards
- 7498: OSI Security Architecture
- 9798: Entity Authentication
- 10181: Security Frameworks for Open Systems

Asymmetric key transport techniques
- Encrypting signed keys
  - A -> B: PB(SA(B, k, tA*))
  - (* optional) the timestamp tA also authenticates A to B
- Separate signature and encryption
  - A -> B: PB(k, tA), SA(B, k, tA)
  - Only for signatures without message recovery
- Signing encrypted keys
  - A -> B: tA, PB(A, k), SA(B, tA, PB(A, k))

Asymmetric key transport techniques, cont'd
- X.509 mutual authentication with key transport
- Def.: DA = (tA, rA, "B", PB(k1)), DB = (tB, rB, "A", PA(k2))
- Protocol
  - A -> B: certA, DA, SA(DA)
  - B -> A: certB, DB, SB(DB)
- Three-pass version with random numbers

Suggested reading this week
- R. Needham & M. Schroeder, "Using encryption for authentication in large networks of computers", Comm. ACM, vol. 21, no. 12, pp. 993-999, 1978. http://lambda.cs.yale.edu/cs422/doc/needham.pdf
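The simplified four-message Kerberos exchange from the slides, carried out end to end as an added example (not code from the lecture). The stdlib-only authenticated encryption standing in for E_K, the 60-second acceptance window for TA and the long-term keys K_AT and K_BT are assumptions of this demo; the checks A and B perform (nonce nA, ticket lifetime L, authenticator name and timestamp, E_k(TA) as key confirmation) follow the protocol as shown.

```python
import hashlib, hmac, json, os

# Stdlib-only authenticated encryption standing in for the slides' E_K(...):
# HMAC-SHA256 as a CTR-style keystream generator plus an HMAC tag (encrypt-then-MAC).
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def E(key, fields):
    pt = json.dumps(fields).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

K_AT, K_BT = os.urandom(32), os.urandom(32)   # constructed long-term keys A-T and B-T
SKEW = 60                                    # assumed acceptance window for TA, in seconds

def kerberos_run(now, lifetime=300, ticket_age=0):
    """Runs messages (1)-(4) with one shared clock 'now'; ticket_age lets a caller present a
    ticket issued that many seconds ago. Returns "ok" or the reason a party aborted."""
    nA = os.urandom(8).hex()                                   # (1) A -> T: "A", "B", nA
    issued = now - ticket_age
    k = os.urandom(32).hex()                                   # T picks the session key k
    ticketB = E(K_BT, {"k": k, "A": "A", "L": issued + lifetime})
    msg2 = E(K_AT, {"k": k, "nA": nA, "L": issued + lifetime, "B": "B"})  # (2) T -> A
    r = D(K_AT, msg2)                                          # A: check nA (freshness) and "B"
    if r["nA"] != nA or r["B"] != "B":
        return "A: reply does not match the request"
    auth = E(bytes.fromhex(r["k"]), {"A": "A", "TA": now})      # (3) A -> B: ticketB, auth
    t = D(K_BT, ticketB)                                       # B: open the ticket with K_BT
    if t["L"] < now:
        return "B: ticket expired"
    a = D(bytes.fromhex(t["k"]), auth)                         # B: open the authenticator with k
    if a["A"] != t["A"] or abs(a["TA"] - now) > SKEW:
        return "B: authenticator name or timestamp mismatch"
    msg4 = E(bytes.fromhex(t["k"]), {"TA": a["TA"]})            # (4) B -> A: E_k(TA)
    if D(bytes.fromhex(r["k"]), msg4)["TA"] != now:            # A: B has proved knowledge of k
        return "A: key confirmation failed"
    return "ok"
```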
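An added example (not from the lecture) of the time-variant parameters section: one checker that applies all three freshness mechanisms, a timestamp acceptance window, a seen-nonce set and a sequence-number policy (monotonic increase, or greater-by-one in strict mode), to a constructed batch of messages. The message layout (peer, nonce, seq, timestamp) and the 30-second window are assumptions of the demo.

```python
import time

class FreshnessChecker:
    """Rejects a message whose timestamp is outside the window, whose (peer, nonce) was already
    accepted inside the window, or whose sequence number does not advance."""
    def __init__(self, window_s=30, strict_increment=False, clock=time.time):
        self.window_s = window_s
        self.strict = strict_increment      # True: greater-by-one; False: monotonic increase
        self.clock = clock                  # injectable for deterministic tests
        self.seen = {}                      # (peer, nonce) -> timestamp when accepted
        self.last_seq = {}                  # peer -> last accepted sequence number

    def check(self, peer, nonce, seq, ts):
        now = self.clock()
        # forget nonces older than the window: a replay of them is caught by the timestamp test
        self.seen = {k: v for k, v in self.seen.items() if now - v <= self.window_s}
        if abs(now - ts) > self.window_s:
            return "stale timestamp"
        if (peer, nonce) in self.seen:
            return "replayed nonce"
        last = self.last_seq.get(peer)
        if last is not None:
            if self.strict and seq != last + 1:
                return "sequence gap"
            if seq <= last:
                return "sequence not increasing"
        self.seen[(peer, nonce)] = ts
        self.last_seq[peer] = seq
        return "ok"

def run_demo():
    """Constructed messages from peer B, evaluated against a frozen clock t0."""
    t0 = 1_700_000_000.0
    fc = FreshnessChecker(window_s=30, clock=lambda: t0)
    msgs = [                       # (peer, nonce, seq, timestamp)
        ("B", "n1", 1, t0 - 5),    # fresh
        ("B", "n1", 1, t0 - 5),    # exact replay of the first message
        ("B", "n2", 1, t0 - 4),    # new nonce but the sequence number did not advance
        ("B", "n3", 2, t0 - 60),   # outside the acceptance window
        ("B", "n4", 5, t0 + 2),    # monotonic increase with a gap (allowed in non-strict mode)
    ]
    return [fc.check(*m) for m in msgs]

def strict_demo():
    t0 = 1_700_000_000.0
    fc = FreshnessChecker(strict_increment=True, clock=lambda: t0)
    return [fc.check("B", "a", 1, t0), fc.check("B", "b", 3, t0), fc.check("B", "c", 2, t0)]
```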
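Shamir's three-pass no-key protocol from the slides, as an added example (not the lecture's code), using modular exponentiation as the commutative cipher (E_K(X) = X^K mod p), alongside the same three passes with a Vernam (XOR) cipher to show why the slide rules it out: an eavesdropper XORs the three messages and recovers X. The prime p = 2^127 - 1 is a constructed demo parameter.

```python
import secrets
from math import gcd

# Constructed public modulus: E_K(X) = X^K mod P commutes because exponents multiply.
P = 2**127 - 1          # a Mersenne prime; chosen only for this demo

def keygen():
    """Exponent K with gcd(K, P-1) == 1, so that K has an inverse mod P-1 for decryption."""
    while True:
        k = secrets.randbelow(P - 2) + 2
        if gcd(k, P - 1) == 1:
            return k

def enc(k, x):
    return pow(x, k, P)

def dec(k, y):
    return pow(y, pow(k, -1, P - 1), P)

def shamir_no_key(x):
    """Returns (X as recovered by B, the three wire messages). Requires 1 <= x < P."""
    ka, kb = keygen(), keygen()
    m1 = enc(ka, x)        # A -> B: E_KA(X)
    m2 = enc(kb, m1)       # B -> A: E_KB(E_KA(X))
    m3 = dec(ka, m2)       # A -> B: E_KB(X)   (A strips her own layer; commutativity lets her)
    return dec(kb, m3), (m1, m2, m3)

def vernam_no_key(x, nbits=128):
    """Same three passes with one-time-pad XOR: commutative, but the transcript leaks X."""
    ka, kb = secrets.randbits(nbits), secrets.randbits(nbits)
    m1 = x ^ ka
    m2 = m1 ^ kb
    m3 = m2 ^ ka
    return m3 ^ kb, (m1, m2, m3)

def eavesdropper_xor(msgs):
    """An observer of the three Vernam messages recovers X with no key: m1 ^ m2 ^ m3 == X."""
    m1, m2, m3 = msgs
    return m1 ^ m2 ^ m3
```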
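The Diffie-Hellman diagram and its man-in-the-middle variant, worked through as an added example (not from the slides): Eve ends up sharing one key with each side while Alice and Bob hold different keys, and a MAC over each exponential under a pre-shared authentication key (an assumed mitigation, illustrating the key-authentication property defined earlier) makes the substitution detectable. The group p = 2^127 - 1, g = 3 is a constructed demo parameter, not a vetted production group.

```python
import hashlib, hmac, secrets

P = 2**127 - 1      # constructed demo prime
G = 3               # constructed demo base

def keypair():
    x = secrets.randbelow(P - 2) + 2          # private exponent
    return x, pow(G, x, P)                    # (x, g^x mod p)

def shared(priv, peer_pub):
    return pow(peer_pub, priv, P)             # g^(xy) mod p

def honest_run():
    x, gx = keypair()                         # Alice
    y, gy = keypair()                         # Bob
    return shared(x, gy) == shared(y, gx)

def mitm_run():
    """Eve swaps in her own exponentials; returns (Alice's key, Bob's key, Eve's two keys)."""
    x, gx = keypair()                         # Alice sends g^x
    y, gy = keypair()                         # Bob sends g^y
    x2, gx2 = keypair()                       # Eve's x', delivered to Bob instead of g^x
    y2, gy2 = keypair()                       # Eve's y', delivered to Alice instead of g^y
    k_alice = shared(x, gy2)                  # Alice computes g^(x y')
    k_bob = shared(y, gx2)                    # Bob computes g^(x' y)
    eve_alice_side = shared(y2, gx)           # Eve: (g^x)^y'
    eve_bob_side = shared(x2, gy)             # Eve: (g^y)^x'
    return k_alice, k_bob, eve_alice_side, eve_bob_side

def tag(auth_key, pub):
    return hmac.new(auth_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def authenticated_run(substitute=False):
    """Each exponential carries a MAC under a pre-shared key; returns None when Bob rejects it."""
    auth_key = secrets.token_bytes(32)        # assumed pre-shared authentication key
    x, gx = keypair()
    y, gy = keypair()
    sent_gx, sent_tag = gx, tag(auth_key, gx)
    if substitute:
        sent_gx = keypair()[1]                # Eve replaces g^x but cannot forge the tag
    if not hmac.compare_digest(sent_tag, tag(auth_key, sent_gx)):
        return None
    return shared(y, sent_gx) == shared(x, gy)
```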