Key Management; other PKCKey Management; other PKC

Slides based on those developed by Dr.Slides based on those developed by Dr.LawrieLawrie Brown at the AustralianBrown at the Australian DefenceDefenceForce Academy, University College, Force Academy, University College, UNSWUNSW

See See http://www.http://www.williamstallingswilliamstallings.com/Crypto/Cry.com/Crypto/Crypto4e.htmlpto4e.html

Key ManagementKey Management

public-key encryption helps address public-key encryption helps address key key distribution problemsdistribution problems

two aspects of this:two aspects of this: distribution of public keysdistribution of public keys use of public-key encryption to use of public-key encryption to distribute distribute

secret keyssecret keys

Distribution of Public KeysDistribution of Public Keys

can be considered as using one of:can be considered as using one of: public announcementpublic announcement publicly available directorypublicly available directory public-key authoritypublic-key authority public-key certificatespublic-key certificates

Public AnnouncementPublic Announcement

users distribute public keys to recipients or users distribute public keys to recipients or broadcast to community at largebroadcast to community at large eg. append PGP keys to email messages or eg. append PGP keys to email messages or

post to news groups or email listpost to news groups or email list major weakness is forgerymajor weakness is forgery

anyone can create a key claiming to be anyone can create a key claiming to be someone else and broadcast itsomeone else and broadcast it

until forgery is discovered can masquerade as until forgery is discovered can masquerade as claimed userclaimed user

Publicly Available DirectoryPublicly Available Directory

can obtain greater security by registering can obtain greater security by registering keys with a public directorykeys with a public directory

directory must be trusted with properties:directory must be trusted with properties: contains {name,public-key} entriescontains {name,public-key} entries participants register securely with directoryparticipants register securely with directory participants can replace key at any timeparticipants can replace key at any time directory is periodically publisheddirectory is periodically published directory can be accessed electronicallydirectory can be accessed electronically

still vulnerable to tampering or forgerystill vulnerable to tampering or forgery

Public-Key AuthorityPublic-Key Authority

improve security by tightening control over improve security by tightening control over distribution of keys from directorydistribution of keys from directory

has properties of directoryhas properties of directory and requires users to know public key for and requires users to know public key for

the directorythe directory then users interact with directory to obtain then users interact with directory to obtain

any desired public key securelyany desired public key securely does require real-time access to directory does require real-time access to directory

when keys are neededwhen keys are needed

Public-Key AuthorityPublic-Key AuthorityN_1, N_2 – nonces (number used once)N_1, N_2 – nonces (number used once)(3) – Hello I am Alice. I want to talk to you.(3) – Hello I am Alice. I want to talk to you.(6)- Ok. I’m Bob. I confirm that it’s ok to talk.(6)- Ok. I’m Bob. I confirm that it’s ok to talk.(7) – This is to confirm that I’m Alice and I sent (3) to you.(7) – This is to confirm that I’m Alice and I sent (3) to you.

Public-Key CertificatesPublic-Key Certificates

certificates allow key exchange without certificates allow key exchange without real-time access to real-time access to public-key authoritypublic-key authority

a certificate a certificate binds binds identityidentity to to public keypublic key usually with other info such as period of usually with other info such as period of

validity, rights of use, etc.validity, rights of use, etc. with all contents with all contents signedsigned by a trusted by a trusted

Public-Key or Certificate Authority (CA)Public-Key or Certificate Authority (CA) can be verified by anyone who knows the can be verified by anyone who knows the

public-key authorities public-key public-key authorities public-key

Public-Key CertificatesPublic-Key Certificates

Public-Key DPublic-Key Distribution of Secret istribution of Secret KeysKeys

use previous methods to obtain public-keyuse previous methods to obtain public-key can use for secrecy or authenticationcan use for secrecy or authentication but public-key algorithms are slowbut public-key algorithms are slow so usually want to use symmetric-key so usually want to use symmetric-key

encryption for the bulk of communicationencryption for the bulk of communication hence need a session keyhence need a session key have several alternatives for negotiating a have several alternatives for negotiating a

suitable sessionsuitable session

Simple Secret Key Simple Secret Key DistributionDistribution

proposed by Merkle in 1979proposed by Merkle in 1979 A generates a new temporary (public, private) key A generates a new temporary (public, private) key

pairpair A sends B the public key and her identityA sends B the public key and her identity B generates a session key K sends it to A encrypted B generates a session key K sends it to A encrypted

using the supplied public keyusing the supplied public key A decrypts the session key and both use for bulk A decrypts the session key and both use for bulk

communicationcommunication problem is that an opponent can intercept and problem is that an opponent can intercept and

impersonate both halves of protocol – man-in-impersonate both halves of protocol – man-in-the-middle attackthe-middle attack

Public-Key Distribution of Secret Public-Key Distribution of Secret Keys with AuthenticationKeys with Authentication

if parties have already securely exchanged if parties have already securely exchanged public-keys (uses nonces N_1, N_2, and public-keys (uses nonces N_1, N_2, and establishes session key K_S):establishes session key K_S):

Hybrid Key DistributionHybrid Key Distribution

retain use of private-key KDCretain use of private-key KDC shares secret master key with each usershares secret master key with each user distributes session key using master keydistributes session key using master key public-key used to distribute master keyspublic-key used to distribute master keys

especially useful with widely distributed usersespecially useful with widely distributed users

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

first public-key type scheme proposed first public-key type scheme proposed by Diffie & Hellman in 1976 along with the by Diffie & Hellman in 1976 along with the

exposition of public key conceptsexposition of public key concepts note: now we know that note: now we know that WilliamsonWilliamson (UK (UK

CESG) secretly proposed the concept in 1970 CESG) secretly proposed the concept in 1970 is a practical method for public exchange is a practical method for public exchange

of a secret keyof a secret key used in a number of commercial productsused in a number of commercial products

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

a public-key distribution scheme a public-key distribution scheme cannot be used to exchange an arbitrary message cannot be used to exchange an arbitrary message rather it can establish a common key rather it can establish a common key known only to the two participants known only to the two participants

value of key depends on the participants (and value of key depends on the participants (and their private and public key information) their private and public key information)

based on exponentiation in a finite (Galois) field based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy(modulo a prime or a polynomial) - easy

security relies on the difficulty of computing security relies on the difficulty of computing discrete logarithms (similar to factoring) – harddiscrete logarithms (similar to factoring) – hard

Diffie-Hellman SetupDiffie-Hellman Setup all users agree on global parameters:all users agree on global parameters:

large prime integer or polynomial large prime integer or polynomial qq aa being a primitive root mod being a primitive root mod qq

Alice: generates her keysAlice: generates her keys chooses a secret key (number): chooses a secret key (number): xxAA < q < q computes computes public keypublic key: : yyAA = = aa

xxAA mod q mod q Sends ySends yA A to Bob to Bob

Bob: generates his keysBob: generates his keys chooses a secret key (number): chooses a secret key (number): xxBB < q < q computes computes public keypublic key: : yyBB = = aa

xxBB mod q mod q Sends ySends yB B to Bob to Bob

Diffie-Hellman Key ExchangeDiffie-Hellman Key Exchange

shared session key for users A & B is Kshared session key for users A & B is KABAB: :

KKABAB = = aaxxA.A.xxBB mod q mod q

= y= yAA

xxBB mod q (which mod q (which BB can compute) can compute)

= y= yBB

xxAA mod q (which mod q (which AA can compute) can compute)

KKABAB is used as session key in private-key is used as session key in private-key encryption scheme between Alice and Bobencryption scheme between Alice and Bob

if Alice and Bob subsequently communicate, they if Alice and Bob subsequently communicate, they will have the will have the samesame key as before, unless they key as before, unless they choose new public-keys choose new public-keys

attacker needs an x, must solve discrete logattacker needs an x, must solve discrete log

Diffie-Hellman Example Diffie-Hellman Example

users Alice & Bob who wish to swap keys:users Alice & Bob who wish to swap keys: agree on prime agree on prime q=353q=353 and and aa=3 (these are =3 (these are public values).public values).

select random secret keys:select random secret keys: A chooses A chooses xxAA=97, =97, B chooses B chooses xxBB=233=233

compute respective public keys:compute respective public keys: yyAA==33

97 97 mod 353 = 40 mod 353 = 40 (Alice)(Alice)

yyBB==33233233 mod 353 = 248 mod 353 = 248 (Bob)(Bob)

compute shared session key as:compute shared session key as: KKABAB= y= yBB

xxAA mod 353 = mod 353 = 2482489797 = 160 = 160 (Alice)(Alice)

KKABAB= y= yAA

xxBB mod 353 = mod 353 = 4040233233 = 160 = 160 (Bob)(Bob)

Key Exchange ProtocolsKey Exchange Protocols users could create random private/public users could create random private/public

D-H keys each time they communicateD-H keys each time they communicate users could create a known private/public users could create a known private/public

D-H key and publish in a directory, then D-H key and publish in a directory, then consulted and used to securely consulted and used to securely communicate with themcommunicate with them

both of these are vulnerable to a man-in-both of these are vulnerable to a man-in-the-Middle Attackthe-Middle Attack

authentication of the keys is neededauthentication of the keys is needed

Elliptic Curve CryptographyElliptic Curve Cryptography

majority of public-key crypto (RSA, D-H) majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic use either integer or polynomial arithmetic with very large numbers/polynomialswith very large numbers/polynomials

imposes a significant load in storing and imposes a significant load in storing and processing keys and messagesprocessing keys and messages

an alternative is to use elliptic curvesan alternative is to use elliptic curves offers same security with smaller bit sizesoffers same security with smaller bit sizes newer, but not as well analysednewer, but not as well analysed

Real Elliptic CurvesReal Elliptic Curves an an elliptic curve is defined by an elliptic curve is defined by an

equation in two variables x & y, with equation in two variables x & y, with coefficientscoefficients

consider a cubic elliptic curve of formconsider a cubic elliptic curve of form yy22 = = xx33 + + ax ax + + bb where x,y,a,b are elements of some fieldwhere x,y,a,b are elements of some field also define zero point Oalso define zero point O

have addition operation for elliptic curvehave addition operation for elliptic curve geometrically sum of Q+R is reflection of geometrically sum of Q+R is reflection of

intersection Rintersection R

Real Elliptic Curve ExampleReal Elliptic Curve Example

Finite Elliptic CurvesFinite Elliptic Curves

Elliptic curve cryptography uses curves Elliptic curve cryptography uses curves whose variables & coefficients are finitewhose variables & coefficients are finite

have two families commonly used:have two families commonly used: prime curves prime curves EEpp(a,b)(a,b) defined over Z defined over Zpp

• use integers modulo a primeuse integers modulo a prime• best in softwarebest in software

binary curves binary curves EE22nn(a,b)(a,b) defined over GF(2 defined over GF(2nn))• use polynomials with binary coefficientsuse polynomials with binary coefficients• best in hardwarebest in hardware

Elliptic Curve CryptographyElliptic Curve Cryptography

ECC addition is analog of modulo multiplyECC addition is analog of modulo multiply ECC repeated addition is analog of ECC repeated addition is analog of

modulo exponentiationmodulo exponentiation need “hard” problem equiv to discrete logneed “hard” problem equiv to discrete log

Q=kPQ=kP, where Q,P belong to a prime curve, where Q,P belong to a prime curve is “easy” to compute Q given k,Pis “easy” to compute Q given k,P but “hard” to find k given Q,Pbut “hard” to find k given Q,P known as the elliptic curve logarithm problemknown as the elliptic curve logarithm problem

Certicom example: Certicom example: EE2323(9,17)(9,17)

ECC Diffie-HellmanECC Diffie-Hellman

can do key exchange analogous to D-Hcan do key exchange analogous to D-H users select a suitable curve users select a suitable curve EEpp(a,b)(a,b) – public – public

infoinfo select base point select base point G=(xG=(x11,y,y11) – public info) – public info

with large order n (with large order n (nG=O, and n smallest with nG=O, and n smallest with this property).this property).

A & B select private keys A & B select private keys nnAA<n, n<n, nBB<n<n

compute public keys: compute public keys: PPAA=n=nAAG, G, PPBB=n=nBBGG

compute shared key: compute shared key: KK=n=nAAPPBB,, KK=n=nBBPPAA

same since same since KK=n=nAAnnBBGG

ECC Encryption/DecryptionECC Encryption/Decryptionsimilar to El Gamal PKCsimilar to El Gamal PKC

several alternatives, will consider simplestseveral alternatives, will consider simplest must first encode any message M as a point on must first encode any message M as a point on

the elliptic curve Pthe elliptic curve Pmm

select suitable curve & point G as in D-Hselect suitable curve & point G as in D-H each user chooses private key each user chooses private key nnAA<n<n

and computes public key and computes public key PPAA=n=nAAGG

A encrypts PA encrypts Pmm : : CCmm={kG, P={kG, Pmm+kP+kPbb}}, k random, k random

B decrypts CB decrypts Cmm: :

PPmm++kkPPbb––nnBB((kGkG) = ) = PPmm++kk((nnBBGG)–)–nnBB((kGkG) = ) = PPmm

ECC SecurityECC Security

relies on elliptic curve logarithm problemrelies on elliptic curve logarithm problem fastest method is “Pollard rho method”fastest method is “Pollard rho method” compared to factoring, can use much compared to factoring, can use much

smaller key sizes than with RSA etcsmaller key sizes than with RSA etc for equivalent key lengths computations for equivalent key lengths computations

are roughly equivalentare roughly equivalent hence for similar security ECC offers hence for similar security ECC offers

significant computational advantagessignificant computational advantages

Comparable Key Sizes for Comparable Key Sizes for Equivalent SecurityEquivalent Security

Symmetric scheme

(key size in bits)

ECC-based scheme

(size of n in bits)

RSA/DSARSA/DSA

(modulus size in bits)

5656 112 512

80 160 1024

112 224 2048

128 256 3072

192 384 7680

256 512 15360