310 likes | 458 Views
PKI and Identity-Based Encryption Secure IT Conference 2007. Guido Appenzeller Voltage Security. Identity-Based Encryption (IBE). IBE is a new public key encryption algorithm A number of widely-used encryption algorithms are already available (AES, RSA, ECC etc.)
E N D
PKI and Identity-Based EncryptionSecure IT Conference 2007 Guido AppenzellerVoltage Security
Identity-Based Encryption (IBE) IBE is a new public key encryption algorithm • A number of widely-used encryption algorithms are already available (AES, RSA, ECC etc.) • Why on earth should we care about a new one? • IBE results in vastly simplified key management • As a result, IBE based solutions have a much lower total cost of ownership and much higher usability • It has gained widespread adoption in Industry and has opened up the use of encryption to new use cases Secure IT Conference 2007
Identity-Based Encryption Basic Idea: Public-key Encryption where Identities are Public Keys • IBE Public Key: alice@gmail.com • RSA Public Key: Public exponent=0x10001 Modulus=13506641086599522334960321627880596993888147 560566702752448514385152651060485953383394028715 057190944179820728216447155137368041970396419174 304649658927425623934102086438320211037295872576 235850964311056407350150818751067659462920556368 552947521350085287941637732853390610975054433499 9811150056977236890927563 Secure IT Conference 2007
IBE does not need certificates • Certificates bind Public Keys to Identities • e.g. bob@b.com has key 0x87F6… • Signed by a Certification Authority • In IBE, Identity and Public Key is the same • No certificate needed • No certificate revocation • No certificate servers • No pre-enrollment X Secure IT Conference 2007
Identity-Based Encryption (IBE) • IBE is an old idea • Originally proposed by Adi Shamir, co-inventor of the RSA Algorithm, in 1984 • First practical implementation • Boneh-Franklin Algorithm published at Crypto 2001 • Based on well-tested building blocks for encryption(elliptic curves and pairings) • IBE is having a major impact already • Over 200 scientific publications on IBE/Pairings • Boneh-Franklin paper cited 450 times so far (Google Scholar) • Dan Boneh awarded 2005 RSA Conference Award for Mathematics for inventing IBE Secure IT Conference 2007
publicparams key request + authenticate publicparams publicparams How IBE works in practiceAlice sends a Message to Bob master secret KeyServer bob@b.com bob@b.com alice@a.com Secure IT Conference 2007
publicparams publicparams How IBE works in practiceSecond Message to Bob KeyServer Fully off-line - no connection to server required bob@b.com bob@b.com charlie@c.com Secure IT Conference 2007
Master Secret is used to generate keys Each organization has a different secret Thus different security domains Server does not need to keep state No storage associated with server Easy load balancing, disaster recovery The IBE Key Server Master Secret s = 1872361923616378 1872361923616378 Key Server Request for Private Key for Identity bob@b.com bob@b.com Secure IT Conference 2007
User authentication Authentication needs differs by Application • More sensitive data, requires stronger authentication • Even for one organization, very different needs for different groups of users External authentication • Leverage existing passwords, directories, portals, etc. • One size doesn’t fit all Auth. Service Key Server Secure IT Conference 2007
Email answerback w/ passwords Email answerback (VeriSign Class 1) No Authentication Directory with pre-enrollment OOB password with call center reset RSA SecurID PKI Smart Card, USB Token Three factor auth (Bio+PKI+PIN) Windows domain controller or SSO The Authentication Gradient OMB-04-04 Level: Level 4 Level 3 Pre-enrollment Level 2 Self-provisioning Level 1 Secure IT Conference 2007
|| week = 252 key validity Key Revocation, Expiration and Policy bob@b.com • What happens if I lose my private key? • Key validity enables revocation – “key freshness” • Every week public key changes, so every week a new private key is issued revocation can be done on weekly basis • To revoke someone, simply remove him from the authentication mechanism (e.g. corporate directory) e-mail address Secure IT Conference 2007
IEEE 1363.3 – Pairing Based IBE Standard • IEEE 1363 Standards Group • Wrote standard on RSA and Elliptic Curve Cryptography • Now taking steps to standardize IBE • IEEE 1363.3 • “Identity-Based Cryptographic methods using Pairings” • Main focus is on IBE, but also related methods (e.g. ID based signatures) • Strong support from Government and Industry • Meetings attended by representatives from NIST, NSA, HP, Microsoft, Gemplus, Motorola and others Secure IT Conference 2007
IETF – IBE based Secure Email Standard • Internet Engineering Task Force • Sets standards for the Internet • TCP/IP, IPSec, HTTP, TLS, DNS etc. • Effort through the S/MIME Group • S/MIME today implemented in all major email clients • IBE as an additional key transport for S/MIME • Standard includes IBE Key Request Protocol, IBE Parameter Lookup Protocol and selected IBE Algorithms • Final RFC expected in 2007 Secure IT Conference 2007
Standard Textbooks incorporating Identity-Based Encryption Elliptic CurvesbyLawrence C. Washington Cryptography: Theory and Practice (3rd Ed.)byDouglas R. Stinson Handbook of Elliptic and Hyperelliptic Curve CryptographybyHenri Cohen, Gerhard Frey Elliptic Curves in CryptographyEdited byIan Blake, Gadiel Seroussi and Nigel Smart Secure IT Conference 2007
RSA Mathematics Prize 2005 Awards for IBE Products • IAPP Privacy Innovation Technology Award - 2006 • AlwaysOn Top 100 Companies - July 2005 • Red Herring 100 Top Private Companies 2005 • Gartner Group – Cool Security Vendor 2005 • eWeek Finalist 2005 – Email Management and Security • RSA 2005 Prize for Mathematics – Dr. Dan Boneh • SC Magazine Finalist 2005 – Best Email Security Solution and Best Encryption Solution • AlwaysOn “Top new innovator company” – July 2004 • InfoWorld Innovators Award - May 2004 Bank • Network World “Tops in Innovation” - February, 2004 • Technology News “Top Ten Technology Companies” - August, 2003 Secure IT Conference 2007
How do we make sure Alice and Bob have the right keys? Alice Bob Encryption today is a solved problemExample: Encrypting an email message Encryption Key Decryption Key Secure IT Conference 2007
What is hard about managing keys? • Enrollment • Key creation, duplicate keys • Distribution • Lookup, Storage and Access • Finding the encryption key of a recipient • Recovery of decryption keys • Virus scanning, spam filtering • Archiving emails for compliance • Synchronizing distributed key stores • Key life cycle • Revoking keys, expiring keys • Backup of keys, disaster recovery Secure IT Conference 2007
7 8 8 3 2 5 6 7 3 1 2 3 4 5 6 7 1 1 2 5 4 6 8 .. .. .. 4 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. Key Management for Symmetric KeysExample: Organization with 8 people Key Server Key Store How many keys totalfor 8 people? 28 keys Secure IT Conference 2007
Key Management with Symmetric Keys • One key per pair of users • Network of 8 parties requires managing 28 keys • Network of 1000 users requires 500,000 keys • Network of N parties requires N(N+1)/2 keys • Alternative: One key per email • Network of 1000 users • Assume 50 emails per user per day • 18,250,000 keys per year • Key management with symmetric keys doesn’t scale! Secure IT Conference 2007
Public Key Infrastructure (PKI) • Public Key Encryption • Users have a Public Key and a Private Key • Only need one key per party, total of N keys for N parties • Keys are bound to users with Certificates • Examples: RSA, Elliptic Curve etc. • Managing PKI has issues of its own • How do I create certificates for everyone? • How do I revoke a certificate? • How do I find the certificate of a recipient? • How do I manage certificate distribution • What do I do if private keys are lost • … Secure IT Conference 2007
Certification Authority Certificate Server StoreCertificate CA Signing Key CA Public Key RecoveryServer Send Public Key, Authenticate ReceiveCertificate Look up Bob’s Certificate, Check revocation Store Bob’s Private Key Key Management - Public Key InfrastructureCertificate Server binds Identity to Public Key CA Public Key Bob’s Private Key Bob’s Public Key alice@a.com bob@b.com Secure IT Conference 2007
X Certificate Server StoreCertificate X RecoveryServer Look up Bob’s Certificate, Check revocation Store Bob’s Private Key Key Management - IBEBinding is done by mathematics IBE Key Server Master Secret Public Parameters SendIdentity, Authenticate ReceivePrivate Key Public Parameters Bob’s Private Key alice@a.com bob@b.com Secure IT Conference 2007
Web Mail(via ZDM) Client with plug-in Client(via ZDM) Client with plug-in Client(via plug-in) BES Server Blackberry MobileDevices System Generated Email Secure Email – Deployment Options TodayIt’s not just Alice and Bob Intranet DMZ Internet Recipient’s Network Normal Client Gateway Virus Audit Archive Internet Secure IT Conference 2007
3 1 2 User receives decrypted email Encrypted email arrives Gateway decrypts email Email Gateways INTERNET Internal Network KeyServer IBE Gateway Secure IT Conference 2007
3 1 2 User receives encrypted email Email is scanned Encrypted email arrives Inspecting Secured DataIBE allows content inspection for end-to-end encrypted data INTERNET DMZ LAN IBE Server Exchange, Domino, etc. GW Virus Audit Archive GW Secure IT Conference 2007
IBE Systems are extremely Scalable • IBE Key Servers are “stateless” • No certificates to store • No private keys to store • No revocation lists • Easy to load-balance • Just put two of them next to each other • Easy backup and disaster recovery • Only master secret and policy needs to be backed up • Size: < 100 kByte, fits on floppy disk • Master secret is long lived, only need to back up once • Same for 100 or 100,000 users Secure IT Conference 2007
Total Cost of Ownership • IBE Systems have a substantially lower TCO • Case Study: For email encryption, IBE costs 30% of PKI • Less infrastructure needed, less additional FTE to manage solution • Fewer components to be concerned with Disaster Recovery • Easier user experience – less training and help desk support [Source: Ferris Research Case Study on Voltage SecureMail] Secure IT Conference 2007
Summary • IBE is a major breakthrough in Key Management • Much lower total cost of ownership than PKI • Better usability and deployment characteristics • Highly Scalable • Where to learn more • IEEE 1363.3, IETF S/Mime Standards • www.voltage.com Secure IT Conference 2007