CT-KIP Magnus Nyström, RSA Security 23 May 2005. Overview A client-server protocol for initialization (and configuration) of cryptographic tokens —Intended.

Slides:



Advertisements
Similar presentations
Chapter 3 Public Key Cryptography and Message authentication.
Advertisements

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.
Dynamic Symmetric Key Provisioning Protocol (DSKPP)
A Profile Of PKCS #11 V2.11 For Mobile Devices Magnus Nyström PKCS Workshop 2002.
AUTHENTICATION AND KEY DISTRIBUTION
The Cryptographic Token Key Initialization Protocol (CT-KIP) OTPS Workshop February 2006.
CT-KIP Magnus Nyström, RSA Security OTPS Workshop, October 2005.
Off-the-Record Communication, or, Why Not To Use PGP
PKCS #15 v1.1 Magnus Nyström RSA Laboratories PKCS Workshop, 1999.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Digital Signatures and Hash Functions. Digital Signatures.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Internet Engineering Task Force Provisioning of Symmetric Keys Working Group Hannes Tschofenig.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
1 The Cryptographic Token Key Initialization Protocol (CT-KIP) Web Service Description KEYPROV WG IETF-68 Prague March 2007 Andrea Doherty.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
1 Public-Key Cryptography and Message Authentication Ola Flygt Växjö University, Sweden
Digital Signatures Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Michal Rapco 05, 2005 Security issues in Wireless LANs.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
TLS 1.2 and NIST SP A Tim Polk November 10, 2006.
PKCS11 Key Protection And the Insider Threat.
Message Authentication Requirements Disclosure Release of message contents to any person or process not possessing the appropriate cryptographic key Traffic.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Dynamic Symmetric Key Provisioning Protocol (DSKPP) Mingliang Pei Salah Machani IETF68 KeyProv WG Prague.
Practices in Security Bruhadeshwar Bezawada. Key Management Set of techniques and procedures supporting the establishment and maintenance of keying relationships.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Chapter 21 Public-Key Cryptography and Message Authentication.
1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV BOF IETF-67 San Diego November 2006 Andrea Doherty.
DSKPP And PSKC: IETF Standard Protocol And Payload For Symmetric Key Provisioning Philip Hoyer Senior Architect – CTO Office.
DSKPP And PSKC: IETF Standard Protocol And Payload For Symmetric Key Provisioning Philip Hoyer Senior Architect – CTO Office.
WEP Protocol Weaknesses and Vulnerabilities
SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.
One-Time Password Specifications (OTPS): Overview, Workshop Agenda, and Process DRAFT – 18 May 2005.
Cryptographic Hash Functions and Protocol Analysis
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Modern Cryptography.
EAP-POTP Magnus Nyström, RSA Security 23 May 2005.
Authentication. Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” Failure scenario?? “I am Alice”
1 NIST Key State Models SP Part 1SP (Draft)
March 2006IETF 65 - Dallas1 The Cryptographic Token Key Initialization Protocol (CT-KIP) Dave Mitton, RSA Security for Magnus Nyström IETF SAAG.
November 2005IETF 64, Vancouver, Canada1 EAP-POTP The Protected One-Time Password EAP Method Magnus Nystrom, David Mitton RSA Security, Inc.
TNC Proposals for NEA Protocols Presentation by Steve Hanna to NEA WG meeting at IETF 71 March 11, 2008.
Security Patterns for Web Services 02/03/05 Nelly A. Delessy.
Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.
Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.
1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV WG IETF-68 Prague March 2007 Andrea Doherty.
ANSI X9.44 and IETF TLS Russ Housley and Burt Kaliski RSA Laboratories November 2002.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
TLS PRF Considered Harmful Issues with implementing Hardware Security Module Support for TLS.
PKCS #5 v2.0: Password-Based Cryptography Standard
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
Secure Instant Messenger in Android Name: Shamik Roy Chowdhury.
@Yuan Xue CS 285 Network Security Key Distribution and Management Yuan Xue Fall 2012.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.
Cryptographic Hash Functions
Cryptographic Hash Functions
Chapter -7 CRYPTOGRAPHIC HASH FUNCTIONS
Presentation transcript:

CT-KIP Magnus Nyström, RSA Security 23 May 2005

Overview A client-server protocol for initialization (and configuration) of cryptographic tokens —Intended for general use within computer and communications systems employing connected cryptographic tokens Objectives: —To provide a secure and interoperable method of initializing cryptographic tokens with secret keys —To avoid, as much as possible, any impact on existing cryptographic token manufacturing processes —To provide a solution that is easy to administer and scales well —To provide a solution which does not require private-key capabilities in tokens, nor the existence of a public-key infrastructure

Principles of operation

Key generation Note: The order of the parameters changed in draft 2 (proposal from Laszlo Elteto, Safenet) CT-KIP-PRF —Three inputs: Secret, Variable data, Output length —Output: Pseudorandom string of desired length Defined as “black box”, two example realizations in specification Key generation: K TOKEN = CT-KIP-PRF(R C, “Key generation” || k || R S, 16) R C = Nonce from client k = Server’s public key or a shared secret key R S = Nonce from server

Encryption of client nonce Client may encrypt the nonce with the server key used in the generation of K TOKEN —But should not wrap it with any other key! Client may encrypt the nonce using CT-KIP-PRF when no standard encryption algorithm is available: Enc-R C = CT-KIP-PRF(K, “Encryption” || R S, 16)  R C where K is the shared secret key R S = Nonce from server R C = Nonce from client Note: Changed since draft 1: The string “Encryption” prepended

MAC calculations Any existing MAC algorithm may be used When no MAC algorithm is present on the token, the CT-KIP- PRF primitive may be used: MAC 1 = CT-KIP-PRF(K, [R ||] “MAC 1 computation” || R S, 16) MAC 2 = CT-KIP-PRF(K, “MAC 2 computation” || R C, 16) where K is a shared key (should be used for this purpose only) R is an optional, initial nonce from the client R S is the nonce from server R C is the (secret) nonce from client Note: Changed since draft 1: Use of the strings and their placements. Optional client initial nonce R (protection against certain attacks)

Integration with PKCS #11 Re-designed in draft 2 —Now more low-level, traditional PKCS #11 style Three new mechanisms: —CKM_KIP_PRF —CKM_KIP_DERIVE —CKM_KIP_WRAP CKM_KIP_PRF is the PKCS #11 version of CT-KIP-PRF CKM_KIP_DERIVE derives secret keys using the CT-KIP-PRF construct CKM_KIP_WRAP wraps a key using CT-KIP-PRF Note: Intent here is to stop an application from being able to deduce R C – but this may need further work, e.g. introduce CKM_KIP_MAC and simplify CKM_KIP_PRF (or not make it directly callable at all)

CKM_KIP_DERIVE & CKM_KIP_PRF CKM_KIP_DERIVE derives the token key by using parameters: —Key: Shared secret key or server’s public key (and R C ) —Seed: Server’s nonce —Mechanism: Underlying cryptographic mechanism, e.g. SHA-1 —Internally, will place string before K and R S (which is impossible to do with CKM_KIP_PRF) CKM_KIP_PRF corresponds to CT-KIP-PRF —May be used to produce the MAC messages —Key: Shared secret MAC key —Seed: The string and nonce values —Mechanism: Underlying cryptographic mechanism

CKM_KIP_WRAP CKM_KIP_WRAP is used to wrap the client’s nonce R C —Key: NULL (Wrapping key is through C_WrapKey) —Seed: R S —Mechanism: Underlying, e.g. SHA-1 Note: Token shall use the key that was used in the generation of K TOKEN when wrapping! —This possibly needs to be clarified in next draft —If any key can be used, then the application may be able to extract R C

For discussion Bindings: —HTTP provided, how about SOAP? —Security built-in (but not total confidentiality, e.g. key identifiers) Is the PKCS #11 integration sufficient? —Introduce CKM_KIP_MAC, simplify (no keys) or remove CKM_KIP_PRF? Should there be a corresponding CryptoAPI integration? Agreement and stabilization of document content Possible future contribution of document, to (new) OASIS TC or elsewhere?