1 / 20

Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking

Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking. Topics. Key exchange Session vs interchange keys Classical vs public key methods Key generation Cryptographic key infrastructure Certificates Key storage Key escrow Key revocation Digital signatures. Storing Keys.

raphael-yang
Download Presentation

Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Bishop: Chapter 10 (Cont.)Key Management: Storage & Revoking csci5233 Computer Security

  2. Topics • Key exchange • Session vs interchange keys • Classical vs public key methods • Key generation • Cryptographic key infrastructure • Certificates • Key storage • Key escrow • Key revocation • Digital signatures csci5233 Computer Security

  3. Storing Keys • Multi-user or networked systems: attackers may defeat access control mechanisms • Encipher the file containing keys • Attacker can monitor keystrokes to decipher files • Key will be resident in memory that attacker may be able to read • Use physical devices like “smart card” • Key never enters system • Card can be stolen, so have 2 devices combine bits to make a single key csci5233 Computer Security

  4. Key Escrow • Key escrow system allows authorized third party to recover key • Useful when keys belong to roles, such as system operator, rather than individuals • Business: recovery of backup keys • Law enforcement: recovery of keys that authorized parties require access to • Goal: provide this without weakening cryptosystem • Very controversial. Why? csci5233 Computer Security

  5. Desirable Properties • Escrow system should not depend on encipherment algorithm. That is, no inter-dependence. • Privacy protection mechanisms must work from end to end and be part of user interface. That is, only authorized parties with the escrowed keys can access the messages. • Requirements must map to key exchange protocol. That is, a person cannot bypass the key escrow system. • System supporting key escrow must require all parties to authenticate themselves. That is, only authorized parties may use the escrowed keys. • If message to be observable for limited time, key escrow system must ensure keys valid for that period of time only.  violated by the Clipper project csci5233 Computer Security

  6. Components • User security component • Does the encripherment, decipherment • Supports the key escrow component • Key escrow component • Manages storage, use of data recovery keys • Data recovery component • Does key recovery csci5233 Computer Security

  7. Example: ESS, Clipper Chip • Escrow Encryption Standard • Set of interlocking components • Designed to balance need for law enforcement access to enciphered traffic with citizens’ right to privacy • Clipper chip prepares per-message escrow information • Each chip numbered uniquely by UID • Special facility programs chip • Key Escrow Decrypt Processor (KEDP) • Available to agencies authorized to read messages csci5233 Computer Security

  8. User Security Component • UID: Unique ID for Device, unique for each chip • Unique device key:kunique • Nonunique family key: kfamily , an 80-bit encryption key for the entire family of Clipper chips • Cipher is Skipjack • Classical cipher: 80 bit key, 64 bit input, output blocks • Each piece of enciphered message is accompanied by a law enforcement agents’ field (LEAF): • { UID || { ksession } kunique || hash } kfamily • hash: 16 bit authenticator from session key and initialization vector csci5233 Computer Security

  9. Programming User Components • Done in a secure facility • Two escrow agencies needed • Agents from each present • Each supplies a random seed and key number • Family key components combined to get kfamily • Key numbers combined to make key component enciphering keykcomp • Random seeds mixed with other data to produce sequence of unique keys kunique • Each chip imprinted with UID, kunique, kfamily csci5233 Computer Security

  10. The Escrow Components • During initialization of user security component, the process creates ku1 and ku2 where kunique = ku1ku2 • First escrow agency gets { ku1 } kcomp • Second escrow agency gets { ku2 } kcomp csci5233 Computer Security

  11. Obtaining Access • Alice obtains legal authorization to read message • She runs message LEAF through KEDP • LEAF is { UID || { ksession } kunique || hash } kfamily • KEDP uses (known) kfamily to validate LEAF, obtain sending device’s UID • Authorization, LEAF taken to escrow agencies csci5233 Computer Security

  12. Agencies’ Role • Each validates authorization • Each supplies { kui } kcomp and the corresponding key number • KEDP takes these and LEAF: • Key numbers produce kcomp • kcomp produces ku1 and ku2 • ku1 and ku2 produce kunique • kunique and LEAF produce ksession csci5233 Computer Security

  13. Problems • (minor) hash too short • LEAF 128 bits, so given a hash of 16 bits: • 2112 LEAFs show this as a valid hash • 1 has actual session key, UID • Takes about 42 minutes to generate a LEAF with a valid hash but meaningless session key and UID; in fact, deployed devices would prevent this attack • (major) Scheme does not meet temporal requirement • As kunique fixed for each unit, once message is read, any future messages can be read. csci5233 Computer Security

  14. Yaksha Security System • Key escrow system meeting all 5 criteria • Based on RSA, central server • Central server (Yaksha server) generates session key • Each user has 2 private keys • Alice’s modulus nA, public key eA • First private key dAA known only to Alice • Second private key dAY known only to Yaksha central server • dAAdAY = dA mod nA (meaning dAAdAY mod nA = dA mod nA csci5233 Computer Security

  15. Alice and Bob • Alice wants to send message to Bob • Alice asks Yaksha server for session key • Yaksha server generates ksession • Yaksha server sends Alice the key as: CA = (ksession) dAY eA mod nA • Alice computes (CA)dAA mod nA = ksession Remember: dAAdAY = dA mod nA • Questions: • Who knows dA? • How would Alice determine dAA without knowing dAY ? csci5233 Computer Security

  16. Analysis • Authority can read only one message per escrowed key • Meets requirement 5 (temporal one), because “time” interpreted as “session” • Independent of message enciphering key • Meets requirement 1 • Interchange algorithm, keys fixed • Others met by supporting infrastructure csci5233 Computer Security

  17. Alternate Approaches to Escrow • Tie to time [Beth, etc. 1994] • The secret key used to generate the session key is not given as escrow key, but a related key is. • To derive the actual key from the related key, the authority must solve an instance of the discrete log problem. • Tie to probability: Translucent cryptography [Bellare/Rivest 1999] • Oblivious transfer: message received with specified probability • Idea: translucent cryptography allows fraction f of messages to be read by third party • Not key escrow, but similar in spirit csci5233 Computer Security

  18. Key Revocation • Certificates invalidated before expiration • Usually due to compromised key • May be due to change in circumstance (e.g., someone leaving company) • Problems • Entity revoking certificate authorized to do so • Revocation information circulates to everyone fast enough • Network delays, infrastructure problems may delay information csci5233 Computer Security

  19. CRLs • Certificate revocation list lists certificates that are revoked • X.509: only certificate issuer can revoke certificate • Added to CRL • PGP: signers can revoke signatures; owners can revoke certificates, or allow others to do so • Revocation message placed in PGP packet and signed • Flag marks it as revocation message csci5233 Computer Security

  20. Next • Bishop, Chapter 10 (Cont.): • Digital Signatures csci5233 Computer Security

More Related