140 likes | 275 Views
Key Mangement. Marjan Causevski Sanja Zakovska. Contents. Introduction Key Management Improving Key Management End-To-End Scheme Vspace Scheme Conclusion. Cryptography in the past Unreliable Primitive Methods Gained reputation in the early 1970’s Political and Technical areas
E N D
Key Mangement Marjan Causevski Sanja Zakovska
Contents • Introduction • Key Management • Improving Key Management • End-To-End Scheme • Vspace Scheme • Conclusion
Cryptography in the past Unreliable Primitive Methods Gained reputation in the early 1970’s Political and Technical areas DES (the federal Data Encryption Standard) Public key cryptography Cryptography today A large field of research Standardized part of information security Research for future improvements Introduction
Key Management • Main branch in cryptography • Generating, exchanging, storing, and using keys • Key: a piece of data used to generate ciphertext from a given plaintext • Plaintext: a piece of information which the user is trying to send securely • Ciphertext: an incomprehensible version of the plaintext • Most difficult practice in developing cryptosystems
The Past Public key cryptography Using two different keys for encrypting-decrypting Eliminating needs of secure transport of keys Enabling digital signatures Digital Signatures Within messages that encrypted with a secret key The identity of the sender can be verified by anyone holding the public key The Present Information security methods have limited effectiveness Research on developing new, innovative schemes for key management End-To-End Scheme Vspace Scheme Improving Key Management
Protecting digital content from attacks Content is sent by a first package server Only a DRM (Digital Rights Management) client can decrypt the content DRM components Package server Distribution server License server DRM user Expanding the functionality of the DRM package server Existing functionalities of the package server Encrypt content Generate encryption keys Description and identification Providing the package content to the distribution server Providing the license information to the license server New functionalities of the package server Verify and redistribute content Repackage content with additional meta data End-To-End Scheme
End-To-End Scheme (cont) • The first package server and the DRM client are the only ones who can decrypt the ciphertext Key encryption and distribution • CEK (Content Encryption Keys) used to encrypt the data • CEK are encrypted with public keys for further security • The package, distribution and license servers create separate public and secret keys • These keys obtain a certificate by the CA (Certificate Authority) for further use
End-To-End Scheme (cont) Delivering the Key • Delivery separated into 3 phases • Packaging the content into DRM content • Repackaging the content • Providing the content service to purchasers
Phase 1 First package server verifies the license server. Encrypts content with CEK and public key of license server DRM content is generated by the first package server (encrypted content, encrypted CEK, metadata) Phase 2 Current package server extracts the CEK. Sends it with a certificate to the previous package server Previous package server verifies the certificate, decrypts the CEK Previous package server sends message to the license server (CEK and certificate) License server verifies certificate, encrypts CEK with public key of current server License server issues license containing CEK Current package server repackages DRM containing modified CEK and metadata End-To-End Scheme (cont) Phase 3 • DRM client extracts CEK from the last package server. Sends certificate to the last package server • Last package server verifies certificate, decrypts the CEK with the secret key • Last package server sends message to license server (CEK, client certificate) • License server verifies certificate of first package server and client. CEK is decrypted and encrypted with client public key • License server issues license (CEK encrypted with client public key) • Client decrypts CEK and content
Vspace Scheme • Achieve flexibility in program packaging • No need for additional headers • N-bit cryptographic identifier added to the transmission (CID – cryptographic identifier) • CIDs are generated according to a specific structure • Encryption Keys are specialized functions
Generating Encryption Keys Encryption key length – k CID length – n Master Matrix M = k x n matrix K-bit columns of M = master keys Master keys are linearly independent k-dimensional vectors If program = p, than Key(p) = Mp Method used for creating pseudo-random generators Linear Space Paradigm Possibility of user to compute the key for the program p1 p2 according to keys of p1 and p2 Scheme flexibility states that in order to decrypt both p1 and p2, user must have bough the subspace of keys including both programs Vspace Scheme (cont)
Entitlements and Decryption Entitlement – keys and access control data stored by the user If user has bought a package of programs, they are characterized by and r-dimentional linear subspace S This space allows the user to decrypt any program p belonging to S exclusively Decryption Procedure The master matrix M and S generate decryption data S is represented by an n x r matrix B If p S, there is an r-dimentional vector x such that Bx = p The Decrypt-V procedure decrypts any program p S The Check Matrix Improves the functionality of the STT (Set-Top Terminal) Acts as a parity check matrix Vspace Scheme (cont)
Conclusion • Advancement of company infrastructures (Web Services) • Performing computations at high speeds • Cryptography might begin to fail • Further research in cryptography is essential for the future of information security • The End-To-End and Vspace Scheme have proven to be successful in completing this task
Thank You! • Feel free to ask any questions at this point