.ppt

597 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
597
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Branstad-Smid developed Key Notarization Facility for NBS, c. 1983 X9.17 defines: Triple-DES Three-level symmetric key hierarchy (master, key-encrypting, data)
  • Key derivation needs more explicit support in key management infrastructure, e.g., a way of recording the associations between derived keys and other keys so that it’s not necessary to do a lookup
  • PKI assumes certificates, i.e., a signature algorithm, for identity and attribute management
  • PKI assumes certificates, i.e., a signature algorithm, for identity and attribute management
  • PKI assumes certificates, i.e., a signature algorithm, for identity and attribute management
  • PKI assumes certificates, i.e., a signature algorithm, for identity and attribute management
  • .ppt

    1. 1. Learning to SKI Again: The Renaissance of Symmetric Key Infrastructures Burt Kaliski, RSA, The Security Division of EMC, 02/06/07 – DEV-208
    2. 2. Learning to Ski … Again <ul><li>Around 1980, I first learned to ski downhill at the McIntyre Ski Area in Manchester, NH </li></ul><ul><li>Over 20 years later, I started skiing again with my family </li></ul><ul><li>Skiing has changed a lot in two decades: </li></ul><ul><ul><li>Shaped skis offer easier turns </li></ul></ul><ul><ul><li>Snowboards provide a single-board alternative </li></ul></ul><ul><li>Still, skiing is just as much fun </li></ul>
    3. 3. Symmetric Key Infrastructure <ul><li>A symmetric key infrastructure or SKI is a coordinated set of components and services for managing symmetric keys </li></ul><ul><li>Symmetric keys include: </li></ul><ul><ul><li>Data encryption and integrity-protection keys </li></ul></ul><ul><ul><li>Key encryption keys </li></ul></ul><ul><ul><li>Device authentication keys </li></ul></ul><ul><ul><li>Passwords can also be considered a type of symmetric key </li></ul></ul><ul><li>“Managing” includes full key lifecycle </li></ul>
    4. 4. Why Symmetric Key Management? <ul><li>As information becomes more valuable, data protection also grows in importance </li></ul><ul><ul><li>Encryption “safe harbor” in breach notification legislation is a significant driver </li></ul></ul><ul><li>But data is stored and processed in many different layers, locations </li></ul><ul><ul><li>Databases, files, disks, tapes, virtual images … </li></ul></ul><ul><li>Encrypting data is the (relatively) easy part </li></ul><ul><li>Managing all the decryption keys is the hard part </li></ul><ul><li>Symmetric keys are needed for many other purposes as well </li></ul>
    5. 5. Why SKI? <ul><li>Typical key management solutions are application-specific </li></ul><ul><li>Enterprise IT managers need policy, auditing across the solutions </li></ul><ul><li>Keys sometimes have to be shared among multiple applications </li></ul><ul><li>A common key management infrastructure enables IT managers to focus on policy, and applications to focus on security integration </li></ul><ul><ul><li>SKI = an infrastructure of key managers – not a single server </li></ul></ul>How valid are these points in your deployments?
    6. 6. SKI Functions <ul><li>Application interface ( illustrative ): </li></ul><ul><ul><li>Get Key (keyID)  key, attributes </li></ul></ul><ul><ul><li>Get Key (attributes)  key, keyID -- lookup, or generate as needed </li></ul></ul><ul><ul><li>Set Key (keyID, attributes, key) </li></ul></ul><ul><li>Administrative operations </li></ul><ul><ul><li>Policy management </li></ul></ul><ul><ul><li>Key lifecycle: create, distribute, archive, retrieve, revoke, destroy </li></ul></ul><ul><li>Built on a foundation of identity & access management </li></ul><ul><ul><li>A role for PKI within the SKI! </li></ul></ul>
    7. 7. Uber versus Meta Key Managers <ul><li>Über key manager stores the keys for other key managers </li></ul><ul><li>Meta key manager coordinates policies and placement </li></ul><ul><li>Probably need some of each </li></ul>Which fits better in your organization or product?
    8. 8. SKI vs. PKI <ul><li>Similarities: </li></ul><ul><ul><li>Policy and lifecycle administration </li></ul></ul><ul><ul><li>Application interfaces </li></ul></ul><ul><ul><ul><li>e.g., PKI GetKey (issuer / serial)  public key / certificate </li></ul></ul></ul><ul><ul><ul><li>PKI SetKey ~= local generation + certificate registration </li></ul></ul></ul><ul><li>Differences in key secrecy, availability: </li></ul><ul><ul><li>PKI public keys: Public, available to everyone </li></ul></ul><ul><ul><li>PKI private keys: Secret, available to one principal </li></ul></ul><ul><ul><li>SKI keys: Secret, available to a group of principals </li></ul></ul><ul><ul><ul><li>typically associated with one data classification </li></ul></ul></ul>
    9. 9. SKI over the Years <ul><li>Even before public-key encryption and PKI, there have always been symmetric keys to manage … </li></ul><ul><li>Data Encryption Standard published in 1976 </li></ul><ul><li>IBM’s work leading to Common Cryptographic Architecture dates back to 1978 </li></ul><ul><li>X9.17 - Financial Institution Key Management (Wholesale) , introduced in 1985 for the banking industry. </li></ul><ul><li>Kerberos, released in 1987, manages keys for user authentication </li></ul><ul><li>Conditional access systems have long delivered symmetric keys for cable and satellite TV </li></ul>
    10. 10. Towards a Renaissance <ul><li>In a sense, PKI has been the “dark ages” of SKI </li></ul><ul><li>SKIs have continued, but have been out of focus for the last decade </li></ul><ul><li>Risks of renewal without reflection: </li></ul><ul><ul><li>Trying to use an existing SKI as is </li></ul></ul><ul><ul><li>Trying to make a new SKI fit the PKI mold </li></ul></ul><ul><ul><li>Forgetting about lessons learned from both SKI and PKI </li></ul></ul><ul><li>Better: Apply the experiences of three decades from both areas </li></ul>How do you see the “SKI renaissance” playing out?
    11. 11. Some Lessons to Consider <ul><li>Key hierarchies reduce compromise risk . </li></ul><ul><ul><li>Master Key / Key Encrypting Key / Data Encrypting Key </li></ul></ul><ul><ul><ul><li>Lower-levels keys wrapped with (next) higher-level key </li></ul></ul></ul><ul><ul><li>Time- and context-limited keys </li></ul></ul><ul><ul><li>PKI trust hierarchies are similar, but for certification, not secrecy </li></ul></ul><ul><li>Key derivation gives more flexibility and reduces risk, without additional key distribution. </li></ul><ul><ul><li>Key 2 = KDF (Key 1 , parameters) </li></ul></ul><ul><ul><li>Benefits: key separation; forward security; “subscription” models </li></ul></ul><ul><ul><li>PKI counterparts: forward-secure signatures, ID-based encryption </li></ul></ul>
    12. 12. Key Derivation: Example <ul><li>Verifier-specific keys for one-time password tokens: </li></ul><ul><ul><li>K TV = KDF (K T , ID V ) </li></ul></ul><ul><li>Key manager stores token key K T , distributes K TV to verifier V </li></ul><ul><li>Token stores K T , derives K TV given ID V </li></ul><ul><li>Token can authenticate to verifier via K TV ; verifiers don’t have to share keys </li></ul><ul><li>Another example: K B = KDF (K A , time) – parties can “subscribe” to supply of keys for a given time interval (Micali ’94 for key escrow) </li></ul><ul><li>Also: K B = KDF (K A , “next”) – K A remains secret if K B compromised  forward security for non-repudiation </li></ul>
    13. 13. Some Lessons to Consider <ul><li>Key wrapping is more than just encryption . </li></ul><ul><ul><li>AES-KeyWrap encrypts & integrity-protects key, and can associate with attributes (usage, etc.) </li></ul></ul><ul><ul><li>Various public-key encryption schemes also offer “associated data” </li></ul></ul><ul><li>Keys are security objects , not just sensitive data . </li></ul><ul><ul><li>Encrypt at security module layer, not (only) application layer </li></ul></ul><ul><ul><ul><li>i.e., key wrapping and SSL </li></ul></ul></ul><ul><li>Key usage restrictions provide better control. </li></ul><ul><ul><li>Encryption vs. authentication vs. key transport vs. … </li></ul></ul><ul><ul><li>MAC generation separate from verification , though same key </li></ul></ul>
    14. 14. Some Lessons to Consider <ul><li>Key classification should be driven by data classification and policy. More than just encryption vs. signature. </li></ul><ul><li>Key access control should model “need to know”: more often groups of applications than single principals. </li></ul><ul><li>Algorithm agility is essential . </li></ul><ul><ul><li>Not just DES and triple-DES anymore … </li></ul></ul><ul><li>Trusted software execution can help provide assurances required for security modules – as well as non-repudiation. </li></ul><ul><li>Side channel attacks continue to be a threat. Short-lived keys are a valuable countermeasure. </li></ul>
    15. 15. Final Thought: What if There Were No PKI? <ul><li>More accurately: What if there were no PK encryption? </li></ul><ul><li>Related question: What if PK encryption hadn’t been invented? </li></ul><ul><li>Quantum computing makes this a realistic possibility over a 30-year timeframe </li></ul>Is anybody seriously thinking about this?
    16. 16. Typical Cryptographic Security Services Today PKI encryption Key E s t a b l i s h m e n t (offline case) PKI encryption Symmetric algorithms w/TTP Key Establishment (online case) PKI signatures Symmetric algorithms w/trusted verifier Non-Repudiation Symmetric algorithms Encryption Passwords / OTPs + PKI encryption PKI tokens User Authentication
    17. 17. The Picture without Today’s PK Encryption … -- Key Establishment (offline case) -- Symmetric algorithms w/TTP Key Establishment (online case) -- Symmetric algorithms w/trusted verifier Non-Repudiation Symmetric algorithms Encryption -- -- User Authentication
    18. 18. Next, with a Renaissance of SKI -- Key Establishment (offline case) -- Symmetric algorithms w/TTP Key Establishment (online case) -- Symmetric algorithms w/trusted verifier Non-Repudiation Symmetric algorithms Encryption Password/OTP + trusted client w/symmetric crypto Symmetric crypto tokens User Authentication
    19. 19. … and Some Other Technologies (Old & New) Near-Field Communication Key Establishment (offline case) -- Symmetric algorithms w/TTP Key Establishment (online case) Merkle hash signatures Symmetric algorithms w/trusted verifier Non-Repudiation Symmetric algorithms Encryption Password/OTP + trusted client w/symmetric crypto Symmetric crypto tokens User Authentication
    20. 20. Conclusions <ul><li>Symmetric Key Infrastructures are seeing a renaissance, thanks to increased interest in data protection </li></ul><ul><li>PKI was perhaps the “dark ages” for SKI </li></ul><ul><li>Lessons learned from SKI past as well as PKI present can be applied to SKI future </li></ul>
    21. 21. Questions? <ul><li>Questions? </li></ul>
    22. 22. Contact Information <ul><li>Burt Kaliski RSA Laboratories [email_address] [email_address] http:// www.rsasecurity.com/rsalabs </li></ul>

    ×