
CEN 448 Security and Internet Protocols

Chapter 10 Key Management


Dr. Mostafa Hassan Dahshan
Computer Engineering Department College of Computer and Information Sciences

King Saud University

mdahshan@ccis.ksu.edu.sa

Key Management
- Public-key encryption plays a major role in key management
- Key management has two aspects:
  - distribution of public keys
  - using public-key encryption to distribute secret keys (for symmetric encryption)

Distribution of Public Keys
Four approaches, in increasing order of security:
- Public announcement
- Publicly available directory
- Public-key authority
- Public-key certificates

Public Announcement
- Broadcast the key to the public community (public forums, newsgroups, mailing lists)
- Convenient, but anyone can forge such an announcement:
  - pretend to be user A and announce a public key of the attacker's choosing
  - then decrypt all messages sent to A (encrypted under the forged key)

Publicly Available Directory
- Public, dynamic directory of public keys maintained by a trusted entity/organization
- Greater security than public announcement
- The authority maintains the directory with a {name, public key} entry for each participant
- A participant registers a key with the authority
  - registration must be in person or securely authenticated
- A participant may replace a key with a new one
  - e.g. if the private key has been compromised
- Participants access the directory securely
  - authenticated communication is mandatory
- Still has vulnerabilities:
  - if an opponent obtains the private key of the authority, the opponent can pass out counterfeit public keys and impersonate any participant
  - an opponent may tamper with the public-key records kept by the authority

Public Key Authority
- Provides tighter control over public-key distribution
- A central authority maintains the public-key directory
- All participants reliably know the public key of the authority (PUauth)
- Only the authority knows its private key (PRauth)

Protocol:
1. A sends a timestamped message to the authority containing a request for the current public key of B (PUB)
2. The authority responds with a message encrypted with its private key PRauth (so it serves as a signature that A verifies with PUauth), containing:
   - PUB
   - the original request, so A can verify it was not altered
   - the original timestamp, so A knows PUB is current
3. A stores PUB and uses it to encrypt a message to B containing:
   - the identifier of A, IDA
   - a nonce N1 to identify the transaction uniquely
4, 5. B retrieves PUA from the authority in the same way (as in steps 1 and 2)
Two additional steps are desirable:
6. B sends a message to A encrypted with PUA containing N1 and a new nonce N2
   - N1 assures A that only B could have decrypted message (3)
   - N2 lets B later check that its correspondent is really A
7. A returns N2 (encrypted with PUB), which assures B that its correspondent is A

Public-Key Certificates
- A certificate contains:
  - the public key of the certificate holder
  - the ID of the certificate holder
- The certificate is encrypted using PRauth, which serves as a trusted signature
- Users can verify a certificate using PUauth
- The certificate authority may be e.g. a government agency or a financial institution
- Participant A applies to the authority for a certificate, supplying PUA and requesting the certificate in person or over a secure channel
- The authority provides the certificate
  CA = E(PRauth, [T||IDA||PUA])
- A may pass this certificate to others (B); B verifies the certificate with the authority's public key:
  D(PUauth, CA) = (T||IDA||PUA)
- The timestamp T serves as an expiration date: a sufficiently old certificate is assumed expired
- If PRA is compromised, A applies for a new certificate, but is still at risk until the other communicants are aware of the change
- X.509 is the universally accepted standard for the certificate format; used in IPsec, SSL, S/MIME

Distribution of Secret Keys
- Public-key encryption is relatively slow
- It is usually used for distribution of secret keys
- The secret keys are then used for symmetric encryption

Simple Scheme
1. A → B: PUA||IDA
2. B generates a secret key Ks and replies  B → A: E(PUA, Ks)
- A decrypts the message with PRA; A and B can now securely communicate using Ks

Man-in-the-Middle Attack
- Attacker X intercepts message (1) and replaces PUA with its own key PUX:  X → B: PUX||IDA
- B generates Ks and replies to the key it received:  B → X: E(PUX, Ks)
- X decrypts the message with PRX and learns Ks
- X forwards the key to A under A's real key:  X → A: E(PUA, Ks)
- A and B both know Ks, but neither knows that X also knows it; X can now decrypt all messages
- The attack works because nothing in message (1) proves that PUA belongs to A; a public-key authority or a certificate supplies that binding

Confidentiality & Authentication
Secret-key distribution with both confidentiality and authentication:
1. A → B: E(PUB, [N1||IDA])
   - nonce N1 identifies the transaction uniquely
2. B → A: E(PUA, [N1||N2])
   - the decrypted N1 assures A that the sender is B (only B could have read message 1)
3. A → B: E(PUB, N2)
   - the decrypted N2 assures B that the sender is A
4. A → B: E(PUB, E(PRA, Ks))
   - using PUB: only B can retrieve Ks
   - using PRA: only A could have sent the message

Diffie-Hellman Key Exchange
- Two publicly known numbers:
  - q: a prime number
  - α: a primitive root of q, with α < q
- User A selects a random integer XA < q and calculates YA = α^XA mod q
- User B selects a random integer XB < q and calculates YB = α^XB mod q
- A and B keep X private and make Y public
- A computes the key K = (YB)^XA mod q
- B computes the key K = (YA)^XB mod q
- The two calculations produce identical results:
  K = (YB)^XA mod q
    = (α^XB mod q)^XA mod q
    = (α^XB)^XA mod q        (rules of modular arithmetic)
    = α^(XB·XA) mod q
    = (α^XA)^XB mod q
    = (α^XA mod q)^XB mod q
    = (YA)^XB mod q
- It is easy to calculate an exponential modulo a prime, e.g. K = (YA)^XB mod q
- It is very difficult to calculate a discrete logarithm
- To determine the private XB, an attacker must calculate XB = dlog_α,q(YB) and then calculate K
- For a large prime q this is considered infeasible

Example
- Prime number q = 353, primitive root α = 3
- A selects XA = 97, B selects XB = 233
- A computes YA = 3^97 mod 353 = 40
- B computes YB = 3^233 mod 353 = 248
- A computes K = 248^97 mod 353 = 160
- B computes K = 40^233 mod 353 = 160
- Brute-force attack: try to calculate a or b such that 3^a mod 353 = 40 or 3^b mod 353 = 248
  - calculate successive powers of 3 mod 353 and stop when the result equals 40 or 248
  - for this case the search stops at a = 97
  - for large numbers the problem becomes impractical

Appendix: Discrete Logarithms
- A primitive root a of a prime number p is a number whose powers modulo p generate all the integers from 1 to p-1:
  a mod p, a^2 mod p, ..., a^(p-1) mod p are distinct and fall in [1, p-1]
- For any integer b not divisible by p and any primitive root a of the prime p, there exists a unique i such that
  b ≡ a^i (mod p), 0 ≤ i < p-1
- i is called the discrete logarithm of b for base a, mod p
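Added example (not from the slides) covering the Diffie-Hellman example and the appendix: Python code that checks the primitive-root definition, reproduces the q = 353, α = 3, XA = 97, XB = 233 exchange, and runs the brute-force discrete-logarithm attack by walking the powers of α exactly as described. Function names and the argument-validation rule in dh_exchange are assumptions for the example.

```python
def is_primitive_root(a, p):
    """a is a primitive root of the prime p iff a, a^2, ..., a^(p-1) (mod p) are all
    distinct, i.e. they cover every residue 1..p-1 (the appendix definition)."""
    return len({pow(a, i, p) for i in range(1, p)}) == p - 1

def dlog_bruteforce(a, p, y):
    """Discrete log: the smallest i in [0, p-2] with a^i ≡ y (mod p), found by walking
    successive powers of a and stopping at the first hit. Returns None if y is never
    reached (y is not in the subgroup generated by a), which cannot happen when a is
    a primitive root and 1 <= y < p."""
    x = 1                       # a^0
    for i in range(p - 1):
        if x == y:
            return i
        x = (x * a) % p         # one multiplication per step: cost grows linearly with p
    return None

def dh_exchange(q, alpha, xa, xb):
    """Both parties' computations. Returns (YA, YB, K as computed by A, K as computed by B)."""
    if not (1 < alpha < q and 0 < xa < q and 0 < xb < q):
        raise ValueError("need 1 < alpha < q and private exponents in (0, q)")
    ya = pow(alpha, xa, q)      # A publishes YA = alpha^XA mod q
    yb = pow(alpha, xb, q)      # B publishes YB = alpha^XB mod q
    ka = pow(yb, xa, q)         # A: K = YB^XA mod q
    kb = pow(ya, xb, q)         # B: K = YA^XB mod q
    return ya, yb, ka, kb

def eavesdropper_recovers_key(q, alpha, ya, yb):
    """What an attacker who only sees q, alpha, YA and YB must do: solve XA = dlog(YA),
    then compute K = YB^XA mod q. Returns (K, XA), or None if the log does not exist."""
    xa = dlog_bruteforce(alpha, q, ya)
    if xa is None:
        return None
    return pow(yb, xa, q), xa

if __name__ == "__main__":
    q, alpha = 353, 3
    print("3 is a primitive root of 353:", is_primitive_root(alpha, q))
    ya, yb, ka, kb = dh_exchange(q, alpha, 97, 233)
    print(f"YA={ya} YB={yb} K(A)={ka} K(B)={kb}")
    print("eavesdropper (K, XA):", eavesdropper_recovers_key(q, alpha, ya, yb))
```

The brute-force loop needs about q multiplications, so the attack is practical for q = 353 (it stops at i = 97) and grows exponentially in the bit length of q; that gap between cheap modular exponentiation and expensive discrete logarithms is what the exchange relies on.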
