Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking
Topics <ul><li>Key exchange </li></ul><ul><ul><li>Session vs interchange keys </li></ul></ul><ul><ul><li>Classical vs publ...
Storing Keys <ul><li>Multi-user or networked systems: attackers may defeat access control mechanisms </li></ul><ul><ul><li...
Key Escrow <ul><li>Key escrow system  allows authorized third party to recover key </li></ul><ul><ul><li>Useful when keys ...
Desirable Properties <ul><li>Escrow system should not depend on encipherment algorithm.  That is, no inter-dependence. </l...
Components <ul><li>User security component </li></ul><ul><ul><li>Does the encripherment, decipherment </li></ul></ul><ul><...
Example: ESS, Clipper Chip <ul><li>Escrow Encryption Standard </li></ul><ul><ul><li>Set of interlocking components </li></...
User Security Component <ul><li>UID:  Unique ID for Device , unique for each chip </li></ul><ul><li>Unique  device key:   ...
Programming User Components <ul><li>Done in a secure facility </li></ul><ul><li>Two escrow agencies needed </li></ul><ul><...
The Escrow Components <ul><li>During initialization of user security component, the process creates  k u 1  and  k u 2  wh...
Obtaining Access <ul><li>Alice obtains legal authorization to read message </li></ul><ul><li>She runs message LEAF through...
Agencies’ Role <ul><li>Each validates authorization </li></ul><ul><li>Each supplies {  k ui  }  k comp  and the correspond...
Problems <ul><li>(minor) hash  too short </li></ul><ul><ul><li>LEAF 128 bits, so given a hash of 16 bits: </li></ul></ul><...
Yaksha Security System <ul><li>Key escrow system meeting all 5 criteria </li></ul><ul><li>Based on RSA, central server </l...
Alice and Bob <ul><li>Alice wants to send message to Bob </li></ul><ul><ul><li>Alice asks Yaksha server for session key </...
Analysis <ul><li>Authority can read only one message per escrowed key </li></ul><ul><ul><li>Meets requirement 5 (temporal ...
Alternate Approaches to Escrow <ul><li>Tie to time [Beth, etc. 1994] </li></ul><ul><ul><li>The secret key used to generate...
Key Revocation <ul><li>Certificates invalidated  before  expiration </li></ul><ul><ul><li>Usually due to compromised key <...
CRLs <ul><li>Certificate revocation list  lists certificates that are revoked </li></ul><ul><li>X.509: only certificate is...
Next <ul><li>Bishop, Chapter 10 (Cont.):  </li></ul><ul><ul><li>Digital Signatures </li></ul></ul>
Upcoming SlideShare
Loading in …5
×

Key Storage

820 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
820
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Key Storage

  1. 1. Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking
  2. 2. Topics <ul><li>Key exchange </li></ul><ul><ul><li>Session vs interchange keys </li></ul></ul><ul><ul><li>Classical vs public key methods </li></ul></ul><ul><ul><li>Key generation </li></ul></ul><ul><li>Cryptographic key infrastructure </li></ul><ul><ul><li>Certificates </li></ul></ul><ul><li>Key storage </li></ul><ul><ul><li>Key escrow </li></ul></ul><ul><ul><li>Key revocation </li></ul></ul><ul><li>Digital signatures </li></ul>
  3. 3. Storing Keys <ul><li>Multi-user or networked systems: attackers may defeat access control mechanisms </li></ul><ul><ul><li>Encipher the file containing keys </li></ul></ul><ul><ul><ul><li>Attacker can monitor keystrokes to decipher files </li></ul></ul></ul><ul><ul><ul><li>Key will be resident in memory that attacker may be able to read </li></ul></ul></ul><ul><ul><li>Use physical devices like “smart card” </li></ul></ul><ul><ul><ul><li>Key never enters system </li></ul></ul></ul><ul><ul><ul><li>Card can be stolen, so have 2 devices combine bits to make a single key </li></ul></ul></ul>
  4. 4. Key Escrow <ul><li>Key escrow system allows authorized third party to recover key </li></ul><ul><ul><li>Useful when keys belong to roles, such as system operator, rather than individuals </li></ul></ul><ul><ul><li>Business: recovery of backup keys </li></ul></ul><ul><ul><li>Law enforcement: recovery of keys that authorized parties require access to </li></ul></ul><ul><li>Goal: provide this without weakening cryptosystem </li></ul><ul><li>Very controversial. Why? </li></ul>
  5. 5. Desirable Properties <ul><li>Escrow system should not depend on encipherment algorithm. That is, no inter-dependence. </li></ul><ul><li>Privacy protection mechanisms must work from end to end and be part of user interface. That is, only authorized parties with the escrowed keys can access the messages. </li></ul><ul><li>Requirements must map to key exchange protocol. That is, a person cannot bypass the key escrow system. </li></ul><ul><li>System supporting key escrow must require all parties to authenticate themselves. That is, only authorized parties may use the escrowed keys. </li></ul><ul><li>If message to be observable for limited time, key escrow system must ensure keys valid for that period of time only.  violated by the Clipper project </li></ul>
  6. 6. Components <ul><li>User security component </li></ul><ul><ul><li>Does the encripherment, decipherment </li></ul></ul><ul><ul><li>Supports the key escrow component </li></ul></ul><ul><li>Key escrow component </li></ul><ul><ul><li>Manages storage, use of data recovery keys </li></ul></ul><ul><li>Data recovery component </li></ul><ul><ul><li>Does key recovery </li></ul></ul>
  7. 7. Example: ESS, Clipper Chip <ul><li>Escrow Encryption Standard </li></ul><ul><ul><li>Set of interlocking components </li></ul></ul><ul><ul><li>Designed to balance need for law enforcement access to enciphered traffic with citizens’ right to privacy </li></ul></ul><ul><li>Clipper chip prepares per-message escrow information </li></ul><ul><ul><li>Each chip numbered uniquely by UID </li></ul></ul><ul><ul><li>Special facility programs chip </li></ul></ul><ul><li>Key Escrow Decrypt Processor (KEDP) </li></ul><ul><ul><li>Available to agencies authorized to read messages </li></ul></ul>
  8. 8. User Security Component <ul><li>UID: Unique ID for Device , unique for each chip </li></ul><ul><li>Unique device key: k unique </li></ul><ul><li>Nonunique family key : k family , an 80-bit encryption key for the entire family of Clipper chips </li></ul><ul><li>Cipher is Skipjack </li></ul><ul><ul><li>Classical cipher: 80 bit key, 64 bit input, output blocks </li></ul></ul><ul><li>Each piece of enciphered message is accompanied by a law enforcement agents’ field (LEAF): </li></ul><ul><ul><li>{ UID || { k session } k unique || hash } k family </li></ul></ul><ul><ul><li>hash : 16 bit authenticator from session key and initialization vector </li></ul></ul>
  9. 9. Programming User Components <ul><li>Done in a secure facility </li></ul><ul><li>Two escrow agencies needed </li></ul><ul><ul><li>Agents from each present </li></ul></ul><ul><ul><li>Each supplies a random seed and key number </li></ul></ul><ul><ul><li>Family key components combined to get k family </li></ul></ul><ul><ul><li>Key numbers combined to make key component enciphering key k comp </li></ul></ul><ul><ul><li>Random seeds mixed with other data to produce sequence of unique keys k unique </li></ul></ul><ul><li>Each chip imprinted with UID, k unique , k family </li></ul>
  10. 10. The Escrow Components <ul><li>During initialization of user security component, the process creates k u 1 and k u 2 where k unique = k u 1  k u 2 </li></ul><ul><ul><li>First escrow agency gets { k u 1 } k comp </li></ul></ul><ul><ul><li>Second escrow agency gets { k u 2 } k comp </li></ul></ul>
  11. 11. Obtaining Access <ul><li>Alice obtains legal authorization to read message </li></ul><ul><li>She runs message LEAF through KEDP </li></ul><ul><ul><li>LEAF is { UID || { k session } k unique || hash } k family </li></ul></ul><ul><li>KEDP uses (known) k family to validate LEAF, obtain sending device’s UID </li></ul><ul><li>Authorization, LEAF taken to escrow agencies </li></ul>
  12. 12. Agencies’ Role <ul><li>Each validates authorization </li></ul><ul><li>Each supplies { k ui } k comp and the corresponding key number </li></ul><ul><li>KEDP takes these and LEAF: </li></ul><ul><ul><li>Key numbers produce k comp </li></ul></ul><ul><ul><li>k comp produces k u 1 and k u 2 </li></ul></ul><ul><ul><li>k u 1 and k u 2 produce k unique </li></ul></ul><ul><ul><li>k unique and LEAF produce k session </li></ul></ul>
  13. 13. Problems <ul><li>(minor) hash too short </li></ul><ul><ul><li>LEAF 128 bits, so given a hash of 16 bits: </li></ul></ul><ul><ul><ul><li>2 112 LEAFs show this as a valid hash </li></ul></ul></ul><ul><ul><ul><li>1 has actual session key, UID </li></ul></ul></ul><ul><ul><ul><li>Takes about 42 minutes to generate a LEAF with a valid hash but meaningless session key and UID; in fact, deployed devices would prevent this attack </li></ul></ul></ul><ul><li>(major) Scheme does not meet temporal requirement </li></ul><ul><ul><ul><li>As k unique fixed for each unit, once message is read, any future messages can be read. </li></ul></ul></ul>
  14. 14. Yaksha Security System <ul><li>Key escrow system meeting all 5 criteria </li></ul><ul><li>Based on RSA, central server </li></ul><ul><ul><li>Central server (Yaksha server) generates session key </li></ul></ul><ul><li>Each user has 2 private keys </li></ul><ul><ul><li>Alice’s modulus n A , public key e A </li></ul></ul><ul><ul><li>First private key d AA known only to Alice </li></ul></ul><ul><ul><li>Second private key d AY known only to Yaksha central server </li></ul></ul><ul><ul><li>d AA d AY = d A mod n A </li></ul></ul><ul><ul><ul><li>(meaning d AA d AY mod n A = d A mod n A </li></ul></ul></ul>
  15. 15. Alice and Bob <ul><li>Alice wants to send message to Bob </li></ul><ul><ul><li>Alice asks Yaksha server for session key </li></ul></ul><ul><ul><li>Yaksha server generates k session </li></ul></ul><ul><ul><li>Yaksha server sends Alice the key as: </li></ul></ul><ul><ul><ul><li>C A = ( k session ) d AY e A mod n A </li></ul></ul></ul><ul><ul><li>Alice computes ( C A ) d AA mod n A = k session </li></ul></ul><ul><ul><ul><li>Remember: d AA d AY = d A mod n A </li></ul></ul></ul><ul><li>Questions: </li></ul><ul><ul><li>Who knows d A ? </li></ul></ul><ul><ul><li>How would Alice determine d AA without knowing d AY ? </li></ul></ul>
  16. 16. Analysis <ul><li>Authority can read only one message per escrowed key </li></ul><ul><ul><li>Meets requirement 5 (temporal one), because “time” interpreted as “session” </li></ul></ul><ul><li>Independent of message enciphering key </li></ul><ul><ul><li>Meets requirement 1 </li></ul></ul><ul><ul><li>Interchange algorithm, keys fixed </li></ul></ul><ul><li>Others met by supporting infrastructure </li></ul>
  17. 17. Alternate Approaches to Escrow <ul><li>Tie to time [Beth, etc. 1994] </li></ul><ul><ul><li>The secret key used to generate the session key is not given as escrow key, but a related key is. </li></ul></ul><ul><ul><li>To derive the actual key from the related key, the authority must solve an instance of the discrete log problem. </li></ul></ul><ul><li>Tie to probability: Translucent cryptography [Bellare/Rivest 1999] </li></ul><ul><ul><li>Oblivious transfer: message received with specified probability </li></ul></ul><ul><ul><li>Idea: translucent cryptography allows fraction f of messages to be read by third party </li></ul></ul><ul><ul><li>Not key escrow, but similar in spirit </li></ul></ul>
  18. 18. Key Revocation <ul><li>Certificates invalidated before expiration </li></ul><ul><ul><li>Usually due to compromised key </li></ul></ul><ul><ul><li>May be due to change in circumstance ( e.g., someone leaving company) </li></ul></ul><ul><li>Problems </li></ul><ul><ul><li>Entity revoking certificate authorized to do so </li></ul></ul><ul><ul><li>Revocation information circulates to everyone fast enough </li></ul></ul><ul><ul><ul><li>Network delays, infrastructure problems may delay information </li></ul></ul></ul>
  19. 19. CRLs <ul><li>Certificate revocation list lists certificates that are revoked </li></ul><ul><li>X.509: only certificate issuer can revoke certificate </li></ul><ul><ul><li>Added to CRL </li></ul></ul><ul><li>PGP: signers can revoke signatures; owners can revoke certificates, or allow others to do so </li></ul><ul><ul><li>Revocation message placed in PGP packet and signed </li></ul></ul><ul><ul><li>Flag marks it as revocation message </li></ul></ul>
  20. 20. Next <ul><li>Bishop, Chapter 10 (Cont.): </li></ul><ul><ul><li>Digital Signatures </li></ul></ul>

×