1 / 23

Lecture 5.2: Key Distribution: Private Key Setting

Lecture 5.2: Key Distribution: Private Key Setting. CS 436/636/736 Spring 2012 Nitesh Saxena. Course Administration. HW2 due Tuesday, 11am – Feb 28 HW1 to be distributed Please remind if I forget. Course Admin. Mid-Term Exam On March 08 (Thursday) In class, from 11am-12:15pm

irving
Download Presentation

Lecture 5.2: Key Distribution: Private Key Setting

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Lecture 5.2: Key Distribution: Private Key Setting CS 436/636/736 Spring 2012 Nitesh Saxena

  2. Course Administration • HW2 due • Tuesday, 11am – Feb 28 • HW1 to be distributed • Please remind if I forget Lecture 5.2: Private Key Distribution

  3. Course Admin • Mid-Term Exam • On March 08 (Thursday) • In class, from 11am-12:15pm • Covers lectures up to Feb 23 (this week) • In-class review on Mar 06 (Tuesday) • Strictly closed-book (no cheat-sheets are allowed) • A sample exam will be provided as we near the exam date Lecture 5.2: Private Key Distribution

  4. Course Admin • Next Lecture will be short • I have to attend our big Security Center event • http://thecenter.uab.edu/ai1ec_event/cyber-summit-2012/?instance_id=21 • Entertain the guests  at the luncheon • We will stop at 11:40am Lecture 5.2: Private Key Distribution

  5. Outline of Today’s lecture • Key Distribution • Introduction • Protocol for private key distribution • Kerberos: Real-world system Lecture 5.2: Private Key Distribution

  6. Some questions from last time • Can OTP make for a good MAC? • Can H(K||m) make for a good MAC? • Does HMAC provide non-repudiation? Lecture 5.2: Private Key Distribution

  7. Key Distribution • Cryptographic primitives seen so far assume • In private key setting: Alice and Bob share a secret key which is unknown to Oscar. • In public key setting: Alice has a “trusted” (or authenticated) copy of Bob’s public key. • But how does this happen in the first place? • Alice and Bob meet and exchange key(s) • Not always practical or possible. • We need key distribution, first and foremost! • Idea: make use of a trusted third party (TTP) Lecture 5.2: Private Key Distribution

  8. “Private Key” Distribution: an attempt • Protocol assumes that Alice and Bob share a session key KA and KB with a Key Distribution Center (KDC). • Alice calls Trent (Trusted KDC) and requests a session key to communicate with Bob. • Trent generates random session key K and sends E KA(K) to Alice and E KB(K) to Bob. • Alice and Bob decrypt with KA and KB respectively to get K. • This is a key distribution protocol. • Susceptible to replay attack!

  9. Session Key Exchange with KDC – Needham-Schroeder Protocol • A -> KDC IDA || IDB || N1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) • KDC -> A E KA( K || IDB || N1 ||E KB(K || IDA)) Encrypted(Here is a key, for you to talk to Bob as per your request N1 and also an envelope to Bob containing the same key) • A -> B E KB(K || IDA) (I would like to talk using key in envelope sent by KDC) • B -> A E K(N2) (OK Alice, But can you prove to me that you are indeed Alice and know the key?) • A -> B E K(f(N2)) (Sure I can!) • Dennig-Sacco (replay) attack on the protocol Lecture 5.2: Private Key Distribution

  10. Session Key Exchange with KDC – Needham-Schroeder Protocol (corrected version with mutual authentication) • A -> KDC: IDA || IDB || N1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) • KDC -> A: E KA( K || IDB || N1 ||E KB(TS1, K || IDA)) Encrypted(Here is a key, for you to talk to Bob as per your request N1 and also an envelope to Bob containing the same key) • A -> B: E K(TS2), E KB(TS1, K || IDA) (I would like to talk using key in envelope sent by KDC; here is an authenticator) • B -> A: E K(TS2+1) (OK Alice, here is a proof that I am really Bob) Lecture 5.2: Private Key Distribution

  11. Kerberos - Goals • Security • Next slide. • Reliability • Transparency • Minimum modification to existing network applications. • Scalability • Modular distributed architecture. Lecture 5.2: Private Key Distribution

  12. Kerberos – Security Goals • No cleartext passwords over network. • No cleartext passwords stored on servers. • Minimum exposure of client and server keys. • Compromise of a session should only affect that session • Require password only at login. Lecture 5.2: Private Key Distribution

  13. Kerberos - Assumptions • Global clock. • There is a way to distribute authorization data. • Kerberos provides authentication and not authorization. Lecture 5.2: Private Key Distribution

  14. Joe KDC I would like to Talk to the File Server Kerberos Key Distribution (1) Step 1 Joe to KDC Session key for service Step 2 KDC Session key for User KDC Lecture 5.2: Private Key Distribution

  15. Box 1 Box 2 Session Key for Joe Session Key for File server Locked With Joe’s key Locked With File Server’s key Dear Joe, This key for File server Dear File server, This key for Use with Joe Kerberos Key Distribution (2) Step 3 KDC Joe KDC Box 1 Box 2 Step 4 KDC to Joe Lecture 5.2: Private Key Distribution

  16. Box 2 Box 2 Session Key for File server Session Key for File server Locked With File Server’s key Locked With File Server’s key Dear File server, This key for Use with Joe Dear File server, This key for Use with Joe Kerberos Key Distribution (3) Opened Box 1 Step 5 Joe Dear Joe, This key for File server Box 3 Step 6 Joe Locked With Session key Dear File server, The time is 3:40 pm Lecture 5.2: Private Key Distribution

  17. Kerberos Key Distribution (4) Joe Box 2 Box 3 File Server Step 7 Joe to File server Unlocked Box 3 Unlocked Box 2 Step 8 File server Dear File server, The time is 3:40 pm Dear File server, This key for Use with Joe Lecture 5.2: Private Key Distribution

  18. Kerberos Key Distribution (5) • For mutual authentication, file server can create box 4 with time stamp and encrypt with session key and send to Joe. • Box 2 is called ticket. • KDC issues ticket only after authenticating password • To avoid entering passwords every time access needed, KDC split into two – authenticating server and ticket granting server. Lecture 5.2: Private Key Distribution

  19. Kerberos– One Slide Overview

  20. Version 4 Summary Lecture 5.2: Private Key Distribution

  21. Kerberos - Limitations • Every network service must be individually modified for use with Kerberos. • Requires a global clock • Requires secure Kerberos server. • Requires continuously available or online server. Lecture 5.2: Private Key Distribution

  22. Further Reading • Stallings Chapter 15 • HAC Chapter 12 Lecture 5.2: Private Key Distribution

  23. Some questions • Can a KDC learn communication between Alice and Bob, to whom it issued keys? • What if the KDC server is down or congested? • What if the KDC server is compromised? Lecture 5.2: Private Key Distribution

More Related