
Practices in Security

Practices in Security. Bruhadeshwar Bezawada. Key Management. Set of techniques and procedures supporting the establishment and maintenance of keying relationships between authorized parties Initialization of system users within a domain


Presentation Transcript


  1. Practices in Security Bruhadeshwar Bezawada

  2. Key Management
     • Set of techniques and procedures supporting the establishment and maintenance of keying relationships between authorized parties
     • Initialization of system users within a domain
     • Generation, distribution, and installation of keying material
     • Controlling the use of keying material
     • Update, revocation and destruction of keying material
     • Storage, backup/recovery, and archival of keying material

  3. Types of Key Management
     • Automated key management
       • More than N^2 keys
       • Stream cipher
       • Initialization vectors are used
       • Large amount of data needs to be encrypted in a short amount of time
       • Long-term session keys are used in multicast sessions
       • Frequent change in session key is expected
     • Manual key management
       • Environment has limited bandwidth or high RTT
       • Information has low value
       • Total volume of traffic is very low
       • Scale of each deployment is very limited

  4. Cryptographic Primitives
     • Hash functions
     • Symmetric key algorithms
     • Asymmetric key algorithms

  5. Cryptographic Primitives
     • Hash functions do not require keys and provide
       • data authentication and integrity services
       • compression of messages for digital signature and verification
       • derivation of keys in key establishment algorithms
       • generation of deterministic random numbers

  6. Cryptographic Primitives
     • Symmetric key algorithms require the same key across all operations and provide
       • data confidentiality
       • authentication and integrity in the form of MACs
       • key establishment
       • generation of deterministic random numbers

  7. Cryptographic Primitives
     • Asymmetric key (public key) algorithms enable
       • digital signatures
       • establishment of cryptographic keying material
       • generation of random numbers
     • Exercise: Enumerate all hash functions, all symmetric key ciphers and all public-key cryptosystems currently available. Differentiate between commercially available and non-commercial algorithms.

  8. Types of Keys
     • Private signature key (public-private keys)
     • Public signature verification keys
     • Symmetric authentication key
     • Private authentication key
     • Public authentication keys
     • Symmetric data encryption key

  9. Types
     • Symmetric and asymmetric random number generation keys
     • Symmetric master key
     • Private key transport key
     • Public key transport key
     • Symmetric key agreement key (also, key wrapping key)

  10. Types
     • Private ephemeral key agreement key
     • Public ephemeral key agreement key
     • Symmetric authorization keys
     • Private authorization key
     • Public authorization key

  11. General Terms in Key Management
     • Key registration
     • Key revocation
     • Key transport
     • Key update
     • Key derivation
     • Key confirmation
     • Key establishment
     • Key agreement

  12. Terms
     • Registration authority
     • Security domain
     • Self-signed certificate

  13. Valuable Information in Addition to Cryptographic Keys
     • Domain parameters
     • Initialization vectors, shared secrets, RNG seeds, nonces, random numbers
     • Intermediate results
     • Key control information
     • Passwords
     • Audit information

  14. Cryptoperiods
     • Time span during which a specific key is authorized for use by legitimate entities, or during which the keys for a given system will remain in effect.
     • A good cryptoperiod
       • Limits the amount of information protected by a given key from disclosure
       • Limits the amount of exposure if a single key is compromised
       • Limits the use of a particular algorithm to its estimated effective lifetime
       • Limits the time available to penetrate the physical, procedural, and logical access mechanisms that protect a key

  15. Risk Factors to Consider for Cryptoperiods
     • Strength of cryptographic implementations
     • Operating environment: secure limited access, open office, or public terminal
     • Volume of information or transactions
     • Security objective
     • Re-keying method
     • Number of nodes sharing the key / copies of the key
     • Threat to information

  16. Other Factors Affecting Cryptoperiods
     • Communication vs. storage
       • E.g., keys used for online transactions are likely to have shorter cryptoperiods
       • Keys used for storage will have longer cryptoperiods, as the cost of re-encryption is high
     • Cost of key revocation and replacement
       • Changing keys can be an expensive process
         • Encryption of large databases
         • Revocation of a large number of keys
       • Expensive security measures are justified for such cases, as the cryptoperiod can then be made long

  17. Factors Affecting Public Keys
     • Private keys may have longer cryptoperiods than public keys when used for confidentiality
     • When used for challenge (dynamic) authentication, both public and private keys can have the same cryptoperiod
     • When used for digital signatures, public keys can have longer cryptoperiods than private keys, as they will be necessary to verify certificates

  18. Cryptoperiods for Different Keys
     • Private signature key (public-private keys)
       • 1-3 years
     • Public signature verification keys
     • Symmetric authentication key
       • 2-3 years
     • Private authentication key
       • 1-2 years
     • Public authentication keys
       • 1-2 years
     • Symmetric data encryption key
       • 3 years

  19. Cryptoperiods for Different Keys
     • Symmetric and asymmetric random number generation keys
       • Depends on the RNG technique
     • Symmetric master key
       • 1 year
     • Private and public key transport keys
       • Private 2 years, public 1-2 years
     • Symmetric key agreement key (also, key wrapping key)
       • 1-2 years

  20. Cryptoperiods for Different Keys
     • Private and public ephemeral key agreement key
       • Time required to complete the key agreement protocol
     • Symmetric authorization keys
       • 2 years
     • Private and public authorization keys
       • 2 years
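
The cryptoperiods on slides 18-20 can be checked mechanically against a key inventory. The following is an added example, not part of the original presentation. It assumes the lower bound of each range is the point at which rotation should be planned and the upper bound is the hard limit; the key-type labels, status names and the sample inventory are constructed for illustration.

```python
from datetime import date

# Cryptoperiods in years as (lower, upper), copied from slides 18-20.
# Key types for which the slides give no number of years (public signature
# verification, RNG and ephemeral key agreement keys) are deliberately omitted.
CRYPTOPERIOD_YEARS = {
    "private-signature": (1, 3),
    "symmetric-authentication": (2, 3),
    "private-authentication": (1, 2),
    "public-authentication": (1, 2),
    "symmetric-data-encryption": (3, 3),
    "symmetric-master": (1, 1),
    "private-key-transport": (2, 2),
    "public-key-transport": (1, 2),
    "symmetric-key-agreement": (1, 2),
    "symmetric-authorization": (2, 2),
    "private-authorization": (2, 2),
    "public-authorization": (2, 2),
}

def add_years(d, years):
    # Same calendar day `years` later; 29 Feb falls back to 28 Feb.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def audit_key(key_type, activated, today):
    # Assumed policy: past the upper bound = expired, past the lower = plan rotation.
    if key_type not in CRYPTOPERIOD_YEARS:
        return "no-fixed-period"
    lower, upper = CRYPTOPERIOD_YEARS[key_type]
    if today >= add_years(activated, upper):
        return "expired"
    if today >= add_years(activated, lower):
        return "rotate-soon"
    return "ok"

def audit_inventory(inventory, today):
    return {kid: audit_key(ktype, act, today) for kid, ktype, act in inventory}

# Constructed sample inventory (not from the slides).
SAMPLE_INVENTORY = [
    ("sig-2021", "private-signature", date(2021, 3, 1)),
    ("sig-2023", "private-signature", date(2023, 6, 1)),
    ("master-a", "symmetric-master", date(2024, 2, 29)),
    ("ecdh-eph", "private-ephemeral-key-agreement", date(2025, 1, 10)),
]

if __name__ == "__main__":
    print(audit_inventory(SAMPLE_INVENTORY, date(2025, 1, 15)))
```

Keys reported as `no-fixed-period` need a separate rule, for example the ephemeral key agreement keys, whose cryptoperiod on slide 20 is the duration of the protocol run.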

  21. Other Parameters
     • Domain parameters stay for the cryptoperiod
     • IV is associated with the information and stays as long as the information is held
     • Shared secrets are destroyed as soon as the necessary key derivations are complete
     • RNG seeds are destroyed immediately
     • Intermediate results are destroyed immediately

  22. Algorithms, Key Sizes and Strengths

  23. Factors to be Considered for Design of a New System
     • Sensitivity of information and system lifetime
     • Algorithm selection
     • System design with respect to performance and security
     • Pre-implementation evaluation
     • Testing
     • Training
     • System implementation and transition
     • Post-implementation evaluation
