National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Delay-Tolerant Security Key Administration.

Slides:

Advertisements

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Advertisements

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

AUTHENTICATION AND KEY DISTRIBUTION

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

Cryptographic Security Presented by: Josh Baker October 9 th, CS5204 – Operating Systems.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Cryptographic Technologies

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

Security Management.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

Cryptography 101 Frank Hecker

Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)

Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.

Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

Secure r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.

Masud Hasan Secue VS Hushmail Project 2.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.

每时每刻可信安全 1The DES algorithm is an example of what type of cryptography? A Secret Key B Two-key C Asymmetric Key D Public Key A.

Key Management Workshop November 1-2, Cryptographic Algorithms, Keys, and other Keying Material  Approved cryptographic algorithms  Security.

COEN 351 E-Commerce Security Essentials of Cryptography.

Cryptography  Why Cryptography  Symmetric Encryption  Key exchange  Public-Key Cryptography  Key exchange  Certification.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.

Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Cryptography and Network Security (CS435) Part Fourteen (Web Security)

Web Security : Secure Socket Layer Secure Electronic Transaction.

Key Management. Session and Interchange Keys  Key management – distribution of cryptographic keys, mechanisms used to bind an identity to a key, and.

Cryptography (2) University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Encryption. What is Encryption? Encryption is the process of converting plain text into cipher text, with the goal of making the text unreadable.

Byzantine fault-tolerance COMP 413 Fall Overview Models –Synchronous vs. asynchronous systems –Byzantine failure model Secure storage with self-certifying.

Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.

Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

COEN 351 E-Commerce Security

Security fundamentals Topic 5 Using a Public Key Infrastructure.

COMP 424 Computer Security Lecture 09 & 10. Protocol ● An orderly sequence of steps agreed upon by two or more parties in order to accomplish a task ●

Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.

Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

 Attacks and threats  Security challenge & Solution  Communication Infrastructure  The CA hierarchy  Vehicular Public Key  Certificates.

Delay Tolerant Network (DTN) Security Key Management Design Alternatives IETF94 DTN Working Group November 3, 2015 Fred L. Templin

Delay-Tolerant Security Key Administration (DTKA)

DTN Bundle Protocol on the IETF Standards Track

Using SSL – Secure Socket Layer

CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9

CDK: Chapter 7 TvS: Chapter 9

Proposed DTN WG Charter Items

Presentation transcript:

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Delay-Tolerant Security Key Administration (DTKA) Scott Burleigh Jet Propulsion Laboratory California Institute of Technology 18 February 2014 This research was carried out at the Jet Propulsion Laboratory, California Institute of Technology, under a contract with the National Aeronautics and Space Administration. (c) 2014 California Institute of Technology. Government sponsorship acknowledged.

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Security and Key Exchange In the Internet: – Security keys can be – and are – established by negotiation. Internet Key Exchange (IKE): a 4-message initialization exchange (2 round trips) in IKEv2. Transport Layer Security (TLS): 13 messages (2 round trips) to initialize a session. – A public key and its authenticating certificate can be obtained by querying the owner of the key (e.g., a server) before beginning secured communication. In DTN: – Security keys can’t be negotiated: the communication opportunity might end before initialization has completed. – Public keys and certificates can’t be obtained by query: the communication opportunity might end before the key is disclosed. 18 February 20142

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Key Management in DTN (1 of 5) All nodes can generate their own public/private key pairs. A single-use symmetric key – generated by the sender, encrypted in the receiver’s public key, and used to encrypt the payload – can be attached to each bundle. – Receiver uses its own private key to decrypt the symmetric key. – Receiver uses the symmetric key to decrypt the payload. Ephemeral symmetric keys can also be used for computing and verifying payload integrity signatures: – The symmetric key – in plain text – is attached to the bundle. – The symmetric key is itself signed in the sender’s private key. – The signature on the symmetric key is verified using the sender’s public key, proving authenticity. 18 February 20143

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Key Management in DTN (2 of 5) Public keys can be asynchronously asserted by their owners, e.g., by multicast, with associated effective times. No need to query for them. But nodes can’t simply assert public keys to one another: there would be no assurance that a public key asserted for a given node was authentic. Suppose a node is physically compromised, to the point at which its current private key is exposed to the attacker. – The attacker can now decrypt all confidential information transmitted to this node. – The attacker can also induce the node to announce a new public key – paired with a private key that is known to the attacker, and certified in the node’s current private key – to the network at any time. 18 February 20144

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Key Management in DTN (3 of 5) The network’s only defense against such an assault is to “revoke” the current public key of the compromised node. But: – Which node can be trusted to issue such a revocation? (Inauthentic key revocations could seriously damage the network.) – In order to reinstate the compromised node following its recovery, it would be necessary to once again issue a new public key for that node. But which node can be trusted to issue that reinstatement key? (If the node itself were authorized to issue such a key then the node could reinstate itself while still under the control of the attacker.) 18 February 20145

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Key Management in DTN (4 of 5) Moreover, when new nodes are instantiated, if their initial public keys are self-generated and self-certified then the nodes receiving those keys have no way of knowing whether or not they are authentic and whether the nodes themselves are trustworthy. In short, the missing component to DTN security key administration is a central key authority that can be trusted to issue and revoke the public keys of all nodes in the network. But the design of such a central key authority must be approached with care… 18 February 20146

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Key Management in DTN (5 of 5) The key authority must not be a single point of failure: loss of the trusted authority would cripple the network. But redundancy is not enough, because a key authority node might itself be compromised by an attacker: the distribution of bogus keys to all nodes, or the revocation of all keys, would likewise cripple the network. – No single key authority node can be granted unilateral key distribution authority. Key administration proclamations must be issued by agreement among multiple key authority nodes. Nor may any single key authority (potentially compromised) be permitted to sabotage key distribution by simply refusing to agree. What’s required is consensus, not unanimity. 18 February 20147

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology KA 1 KA 2 KA 3 KA 4 KA 5 KA 6 KA 7 KA 8 AB Out-of-band public key assertions and revocations Assume N key authority (KA) nodes in the network (here N=8). All KA nodes have all current key information for the network, as far as possible. All credible assertions of key revocation and reinstatement are provided to KAs by an out- of-band mechanism, such as a human network security analyst. A Key Management System for DTN 18 February 20148

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology KA 1 KA 2 KA 3 KA 4 KA 5 KA 6 KA 7 KA 8 AB Out-of-band public key assertions and revocations Each node generates its own public/private key pairs periodically and multicasts its public keys to all KA nodes in advance of effective time. 18 February Assertion of Public Key by Node B

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Sign in current private key of B Message from B: effective time, public key Assertion of Public Key by Node B 18 February

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Erasure-Coded Messages from KA 18 February KA xxx 2 xxx 3 xxx 4 xxX 5 xxx 6 xxx 7x xx 8x x x So 24 blocks are multicast. Receiving any 7 distinct blocks will deliver the bulletin (because Q = 7). Identical bulletins (list of public key assertions and revocations) are generated simultaneously by all KAs, and hashes are computed for the generated bulletins. At each KA, the bulletin is erasure-coded: Q + k code blocks (Q primary blocks plus k parity blocks) are generated such that the reception of any Q different blocks will enable acquisition of the original bulletin. At each KA, only a subset of the generated code blocks are transmitted. The distribution of key information relies on the acquisition of code blocks from multiple collaborating key authorities. Suppose Q=7 and k=1, for a total of 8 blocks. Each KA is then authorized to multicast only 3 blocks:

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Key information message: node number, effective time, public key Bulletin hash Bulletin from KAx Key information message … 18 February

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Sign in private key of KAx Code block number Code Block of Bulletin from KAx Bulletin hash Code block text 18 February

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology KA 1 KA 2 KA 3 KA 4 KA 5 KA 6 KA 7 KA 8 AB Out-of-band public key assertions and revocations Only blocks with the same hash will be reassembled into the bulletin, so if any KA is inadvertently out of agreement its bulletin will be ignored. 18 February Publication of Code Blocks from KAs

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology KA 1 KA 2 KA 3 KA 4 KA 5 KA 6 KA 7 KA 8 AB Out-of-band public key assertions and revocations Asserted key information is used for all bundles whose creation time is greater than the asserted effective time. 18 February Use of New Public Key by Node A

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Key Effective Time The start time of a key's validity is a "DTN time“ (seconds since 1/1/2000, count within second). The selection of a key for operation on a given bundle is based on bundle creation time: the system selects the most recently effective key whose start time is before the bundle's creation time. Solves the problem of synchronizing transmission and reception key selection. – No matter how long the bundle takes to arrive, its creation time is the same as when it was transmitted. 18 February

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology It’s All Public Information Nothing managed by the key authorities or communicated to or from the key authorities is secret. None of the key agreement interchange needs to be encrypted – just authenticated. – This distinguishes DTKA from, for example, threshold cryptography and other distributed shared secret technologies: rather than combining encrypted fragments of a secret data item, DTKA relies on combining signed fragments of a clear-text data item. 18 February

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Notes All keys required for Bundle Security Protocol are distributed securely. Human intervention in key management (e.g., revocation) is supported, but routine key management is automated. No key negotiation/querying over long-latency links. No session keys; no management of shared secrets over long-latency links. No single point of failure, yet no single point of authority that can be compromised. 18 February

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology Status A prototype of this key distribution mechanism has been developed, passes regression test. – Uses polarssl for cryptography, zfec for erasure coding. – Designed for integration with ION. Waiting for CalTech intellectual property authority to decide on licensing. 18 February

National Aeronautics and Space Administration Jet Propulsion Laboratory, California Institute of Technology 18 February Questions?