Burt Kaliski RSA conference 2007


Published on

Burt Kaliski RSA conference 2007

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Branstad-Smid developed Key Notarization Facility for NBS, c. 1983 X9.17 defines: Triple-DES Three-level symmetric key hierarchy (master, key-encrypting, data)
  • Key derivation needs more explicit support in key management infrastructure, e.g., a way of recording the associations between derived keys and other keys so that it’s not necessary to do a lookup
  • PKI assumes certificates, i.e., a signature algorithm, for identity and attribute management
  • PKI assumes certificates, i.e., a signature algorithm, for identity and attribute management
  • PKI assumes certificates, i.e., a signature algorithm, for identity and attribute management
  • PKI assumes certificates, i.e., a signature algorithm, for identity and attribute management
  • Burt Kaliski RSA conference 2007

    1. 1. Learning to SKI Again: The Renaissance ofSymmetric Key InfrastructuresBurt Kaliski,RSA, The Security Division of EMC,02/06/07 – DEV-208
    2. 2. Learning to Ski … Again• Around 1980, I first learned to ski downhill at the McIntyre Ski Areain Manchester, NH• Over 20 years later, I started skiing again with my family• Skiing has changed a lot in two decades:— Shaped skis offer easier turns— Snowboards provide a single-board alternative• Still, skiing is just as much fun
    3. 3. Symmetric Key Infrastructure• A symmetric key infrastructure or SKI is a coordinated set ofcomponents and services for managing symmetric keys• Symmetric keys include:— Data encryption and integrity-protection keys— Key encryption keys— Device authentication keysPasswords can also be considered a type of symmetric key• “Managing” includes full key lifecycle
    4. 4. Why Symmetric Key Management?• As information becomes more valuable, data protection also growsin importance— Encryption “safe harbor” in breach notification legislation is asignificant driver• But data is stored and processed in many different layers, locations— Databases, files, disks, tapes, virtual images …• Encrypting data is the (relatively) easy part• Managing all the decryption keys is the hard part• Symmetric keys are needed for many other purposes as well
    5. 5. Why SKI?• Typical key management solutions are application-specific• Enterprise IT managers need policy, auditing across the solutions• Keys sometimes have to be shared among multiple applications• A common key management infrastructure enables IT managers tofocus on policy, and applications to focus on security integration— SKI = an infrastructure of key managers – not a single serverHow valid are these points in yourdeployments?
    6. 6. SKI Functions• Application interface (illustrative):— Get Key (keyID)  key, attributes— Get Key (attributes)  key, keyID -- lookup, or generate as needed— Set Key (keyID, attributes, key)• Administrative operations— Policy management— Key lifecycle: create, distribute, archive, retrieve, revoke, destroy• Built on a foundation of identity & access management— A role for PKI within the SKI!
    7. 7. Uber versus Meta Key Managers• Über key manager stores the keys for other key managers• Meta key manager coordinates policies and placement• Probably need some of eachWhich fits better in yourorganization or product?
    8. 8. SKI vs. PKI• Similarities:— Policy and lifecycle administration— Application interfaces•e.g., PKI GetKey (issuer / serial)  public key / certificate•PKI SetKey ~= local generation + certificate registration• Differences in key secrecy, availability:— PKI public keys: Public, available to everyone— PKI private keys: Secret, available to one principal— SKI keys: Secret, available to a group of principals•typically associated with one data classification
    9. 9. SKI over the Years• Even before public-key encryption and PKI, there have alwaysbeen symmetric keys to manage …• Data Encryption Standard published in 1976• IBM’s work leading to Common Cryptographic Architecture datesback to 1978• X9.17 - Financial Institution Key Management (Wholesale),introduced in 1985 for the banking industry.• Kerberos, released in 1987, manages keys for user authentication• Conditional access systems have long delivered symmetric keysfor cable and satellite TV
    10. 10. Towards a Renaissance• In a sense, PKI has been the “dark ages” of SKI• SKIs have continued, but have been out of focus for the lastdecade• Risks of renewal without reflection:— Trying to use an existing SKI as is— Trying to make a new SKI fit the PKI mold— Forgetting about lessons learned from both SKI and PKI• Better: Apply the experiences of three decades from both areasHow do you see the “SKIrenaissance” playing out?
    11. 11. Some Lessons to Consider1. Key hierarchies reduce compromise risk.• Master Key / Key Encrypting Key / Data Encrypting Key• Lower-levels keys wrapped with (next) higher-level key• Time- and context-limited keys• PKI trust hierarchies are similar, but for certification, not secrecy2. Key derivation gives more flexibility and reduces risk, withoutadditional key distribution.• Key2 = KDF (Key1, parameters)• Benefits: key separation; forward security; “subscription” models• PKI counterparts: forward-secure signatures, ID-based encryption
    12. 12. Key Derivation: Example• Verifier-specific keys for one-time password tokens:— KTV = KDF (KT, IDV)• Key manager stores token key KT, distributes KTV to verifier V• Token stores KT, derives KTV given IDV• Token can authenticate to verifier via KTV; verifiers don’t have toshare keys• Another example: KB = KDF (KA, time) – parties can “subscribe” tosupply of keys for a given time interval (Micali ’94 for key escrow)• Also: KB = KDF (KA, “next”) – KA remains secret if KB compromised forward security for non-repudiation
    13. 13. Some Lessons to Consider3. Key wrapping is more than just encryption.• AES-KeyWrap encrypts & integrity-protects key, and can associatewith attributes (usage, etc.)• Various public-key encryption schemes also offer “associated data”3. Keys are security objects, not just sensitive data.• Encrypt at security module layer, not (only) application layer• i.e., key wrapping and SSL5. Key usage restrictions provide better control.• Encryption vs. authentication vs. key transport vs. …• MAC generation separate from verification, though same key
    14. 14. Some Lessons to Consider6. Key classification should be driven by data classification andpolicy. More than just encryption vs. signature.7. Key access control should model “need to know”: more oftengroups of applications than single principals.8. Algorithm agility is essential.• Not just DES and triple-DES anymore …6. Trusted software execution can help provide assurancesrequired for security modules – as well as non-repudiation.7. Side channel attacks continue to be a threat. Short-lived keysare a valuable countermeasure.
    15. 15. Final Thought: What if There Were No PKI?• More accurately: What if there were no PK encryption?• Related question: What if PK encryption hadn’t been invented?• Quantum computing makes this a realistic possibility over a 30-year timeframeIs anybody seriously thinkingabout this?
    16. 16. Typical Cryptographic Security Services TodayUserAuthenticationPasswords / OTPs + PKI encryptionPKI tokensEncryption Symmetric algorithmsNon-Repudiation PKI signaturesSymmetric algorithms w/trusted verifierKeyEstablishment(online case)PKI encryptionSymmetric algorithms w/TTPKeyEstablishment(offline case)PKI encryption
    17. 17. The Picture without Today’s PK Encryption …UserAuthentication----Encryption Symmetric algorithmsNon-Repudiation --Symmetric algorithms w/trusted verifierKeyEstablishment(online case)--Symmetric algorithms w/TTPKeyEstablishment(offline case)--
    18. 18. Next, with a Renaissance of SKIUserAuthenticationPassword/OTP + trusted client w/symmetric cryptoSymmetric crypto tokensEncryption Symmetric algorithmsNon-Repudiation --Symmetric algorithms w/trusted verifierKeyEstablishment(online case)--Symmetric algorithms w/TTPKeyEstablishment(offline case)--
    19. 19. … and Some Other Technologies (Old & New)UserAuthenticationPassword/OTP + trusted client w/symmetric cryptoSymmetric crypto tokensEncryption Symmetric algorithmsNon-Repudiation Merkle hash signaturesSymmetric algorithms w/trusted verifierKeyEstablishment(online case)--Symmetric algorithms w/TTPKeyEstablishment(offline case)Near-Field Communication
    20. 20. Conclusions• Symmetric Key Infrastructures are seeing a renaissance, thanks toincreased interest in data protection• PKI was perhaps the “dark ages” for SKI• Lessons learned from SKI past as well as PKI present can beapplied to SKI future
    21. 21. Questions?• Questions?
    22. 22. Contact Information• Burt KaliskiRSA Laboratoriesburt@rsa.comkaliski_burt@emc.comhttp://www.rsasecurity.com/rsalabs