Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 4.2: Key Distribution

Published byOpal Bishop Modified over 6 years ago

Similar presentations

Presentation on theme: "Lecture 4.2: Key Distribution"— Presentation transcript:

1 Lecture 4.2: Key Distribution
6/16/2018 Lecture 4.2: Key Distribution CS 436/636/736 Spring 2016 Nitesh Saxena

2 Fun/Informative Bit: Brain Study to Measure Security Behavior
Read More 6/16/2018 Lecture 4.2: Key Distribution

3 Course Administration
6/16/2018 Course Administration HW2 due Monday, 11am – March 07 HW1 distributed Please pick if you haven’t already HW1 solution has been ed Accidentally sent to another class earlier 6/16/2018 Lecture 5.2: Private Key Distribution

4 Course Administration
6/16/2018 Course Administration Mid-Term Exam On March 17 (Thursday) In class, from 5-7pm Covers lectures up to lectures 4.* (this week) In-class review on Mar 09. Strictly closed-book (no cheat-sheets are allowed) A sample exam will be provided as we near the exam date 6/16/2018 Lecture 5.2: Private Key Distribution

5 Outline of Today’s lecture
6/16/2018 Outline of Today’s lecture Key Distribution Introduction Protocol for private key distribution Kerberos: Real-world system Public Key distribution 6/16/2018 Lecture 4.2: Key Distribution

6 Some questions from last time
6/16/2018 Some questions from last time Can OTP make for a good MAC? Can H(K||m) make for a good MAC? Does HMAC provide non-repudiation? 6/16/2018 Lecture 4.2: Key Distribution

7 Lecture 4.2: Key Distribution
6/16/2018 Key Distribution Cryptographic primitives seen so far assume In private key setting: Alice and Bob share a secret key which is unknown to Oscar. In public key setting: Alice has a “trusted” (or authenticated) copy of Bob’s public key. But how does this happen in the first place? Alice and Bob meet and exchange key(s) Not always practical or possible. We need key distribution, first and foremost! Idea: make use of a trusted third party (TTP) 6/16/2018 Lecture 4.2: Key Distribution

8 “Private Key” Distribution: an attempt
6/16/2018 “Private Key” Distribution: an attempt Protocol assumes that Alice and Bob share a session key KA and KB with a Key Distribution Center (KDC). Alice calls Trent (Trusted KDC) and requests a session key to communicate with Bob. Trent generates random session key K and sends E KA(K) to Alice and E KB(K) to Bob. Alice and Bob decrypt with KA and KB respectively to get K. This is a key distribution protocol. Susceptible to replay attack!

9 Session Key Exchange with KDC – Needham-Schroeder Protocol
6/16/2018 Session Key Exchange with KDC – Needham-Schroeder Protocol A -> KDC IDA || IDB || N1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A E KA( K || IDB || N1 || E KB(K || IDA)) Encrypted(Here is a key, for you to talk to Bob as per your request N1 and also an envelope to Bob containing the same key) A -> B E KB(K || IDA) (I would like to talk using key in envelope sent by KDC) B -> A E K(N2) (OK Alice, But can you prove to me that you are indeed Alice and know the key?) A -> B E K(f(N2)) (Sure I can!) Dennig-Sacco (replay) attack on the protocol NS protocol only provides one way authentication (A  B). You can provide mutual authentication. Talk about Dennig-Sacco Attack on NS: Since the ticket does not contain any timestamp; Eve can replay it in next session. If the key for first session is somehow leaked to Eve  the next session will be compromised too. 6/16/2018 Lecture 4.2: Key Distribution

10 Lecture 4.2: Key Distribution
6/16/2018 Session Key Exchange with KDC – Needham-Schroeder Protocol (corrected version with mutual authentication) A -> KDC: IDA || IDB || N1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A: E KA( K || IDB || N1 || E KB(TS1, K || IDA)) Encrypted(Here is a key, for you to talk to Bob as per your request N1 and also an envelope to Bob containing the same key) A -> B: E K(TS2), E KB(TS1, K || IDA) (I would like to talk using key in envelope sent by KDC; here is an authenticator) B -> A: E K(TS2+1) (OK Alice, here is a proof that I am really Bob) 6/16/2018 Lecture 4.2: Key Distribution

11 Lecture 4.2: Key Distribution
6/16/2018 Kerberos - Goals Security Next slide. Reliability Transparency Minimum modification to existing network applications. Scalability Modular distributed architecture. 6/16/2018 Lecture 4.2: Key Distribution

12 Kerberos – Security Goals
6/16/2018 Kerberos – Security Goals No cleartext passwords over network. No cleartext passwords stored on servers. Minimum exposure of client and server keys. Compromise of a session should only affect that session Require password only at login. 6/16/2018 Lecture 4.2: Key Distribution

13 Kerberos - Assumptions
6/16/2018 Kerberos - Assumptions Global clock. There is a way to distribute authorization data. Kerberos provides authentication and not authorization. 6/16/2018 Lecture 4.2: Key Distribution

14 Kerberos Key Distribution (1)
6/16/2018 Kerberos Key Distribution (1) Step 1 Joe to KDC Joe KDC I would like to Talk to the File Server Step 2 KDC Session key for service Session key for User KDC 6/16/2018 Lecture 4.2: Key Distribution

15 Kerberos Key Distribution (2)
6/16/2018 Kerberos Key Distribution (2) Session Key for Joe Dear Joe, This key for File server Box 1 Locked With Joe’s key Session Key for File server Dear File server, This key for Use with Joe Box 2 Locked With File Server’s key Step 3 KDC Joe KDC Box 1 Box 2 Step 4 KDC to Joe 6/16/2018 Lecture 4.2: Key Distribution

16 Kerberos Key Distribution (3)
6/16/2018 Kerberos Key Distribution (3) Opened Box 1 Session Key for File server Dear File server, This key for Use with Joe Box 2 Locked With File Server’s key Step 5 Joe Dear Joe, This key for File server Box 3 Session Key for File server Dear File server, This key for Use with Joe Box 2 Locked With File Server’s key Step 6 Joe Locked With Session key Dear File server, The time is 3:40 pm 6/16/2018 Lecture 4.2: Key Distribution

17 Kerberos Key Distribution (4)
6/16/2018 Kerberos Key Distribution (4) Step 7 Joe to File server Joe Box 2 Box 3 File Server Unlocked Box 3 Unlocked Box 2 Step 8 File server Dear File server, The time is 3:40 pm Dear File server, This key for Use with Joe 6/16/2018 Lecture 4.2: Key Distribution

18 Kerberos Key Distribution (5)
6/16/2018 Kerberos Key Distribution (5) For mutual authentication, file server can create box 4 with time stamp and encrypt with session key and send to Joe. Box 2 is called ticket. KDC issues ticket only after authenticating password To avoid entering passwords every time access needed, KDC split into two – authenticating server and ticket granting server. 6/16/2018 Lecture 4.2: Key Distribution

19 Kerberos– One Slide Overview
6/16/2018 Kerberos– One Slide Overview 6/16/2018

20 Lecture 4.2: Key Distribution
6/16/2018 Version 4 Summary This is good: explain each step in detail for clarity 6/16/2018 Lecture 4.2: Key Distribution

21 Kerberos - Limitations
6/16/2018 Kerberos - Limitations Every network service must be individually modified for use with Kerberos. Requires a global clock Requires secure Kerberos server. Requires continuously available or online server. 6/16/2018 Lecture 4.2: Key Distribution

22 Lecture 4.2: Key Distribution
6/16/2018 Further Reading Stallings Chapter 15 HAC Chapter 12 6/16/2018 Lecture 4.2: Key Distribution

23 Lecture 4.2: Key Distribution
6/16/2018 Some questions Can a KDC learn communication between Alice and Bob, to whom it issued keys? What if the KDC server is down or congested? What if the KDC server is compromised? 6/16/2018 Lecture 4.2: Key Distribution

24 Public Key Distribution
6/16/2018 Public Key Distribution Public announcements (such as ) Can be forged Public directory Can be tampered with Public-key certification authority (CA) (such as verisign) This is what we use in practice CA issues certificates to the users 6/16/2018 Lecture 4.2: Key Distribution

25 Naming and Certificates
6/16/2018 Naming and Certificates Certification authority’s vouch for the identity of an entity - Distinguished Names (DN). /O=UAB/OU=CIS/CN=Nitesh Saxena Although CN may be same, DN is different. Policies of certification Authentication policy What level of authentication is required to identify the principal. Issuance policy Given the identity of principal will the CA issue a certificate? 6/16/2018 Lecture 4.2: Key Distribution

26 Lecture 4.2: Key Distribution
6/16/2018 Types of Certificates CA’s vouch at some level the identity of the principal. Example – Verisign: Class 1 – address Class 2 – Name and address verified through database. Class 3- Background check. 6/16/2018 Lecture 4.2: Key Distribution

27 Public Key Certificate
6/16/2018 Public Key Certificate Public Key Certificate – Signed messages specifying a name (identity) and the corresponding public key. Signed by whom – Certification Authority (CA), an organization that issues public key certificates. We assume that everyone is in possession of a trusted copy of the CA’s public key. CA could be Internal CA. Outsourced CA. Trusted Third-Party CA. 6/16/2018 Lecture 4.2: Key Distribution

28 Public Key Certificate
6/16/2018 Public Key Certificate Note: Mechanism of certification and content of certificate, will vary but at the minimum we have verification and contains ID and Public Key. 6/16/2018 Lecture 4.2: Key Distribution

29 Certificate Verification/Validation
6/16/2018 Certificate Verification/Validation 6/16/2018 Lecture 4.2: Key Distribution

30 Certificate Revocation
6/16/2018 Certificate Revocation CA also needs some mechanism to revoke certificates Private key compromised. CA mistake in issuing certificate. Particular service the certificate grants access to may no longer exist. CA compromised. Expiration time solves the problems only partially. Certification Revocation Lists (CRL) – a list of every certificate that has been revoked but not expired. CRL’s quickly grow large! CRL’s distributed periodically. What about time period between revocation and distribution of CRL? Other mechanisms OCSP (online certificate status protocol) 6/16/2018 Lecture 4.2: Key Distribution

31 Lecture 4.2: Key Distribution
6/16/2018 X.509 Clearly, there is a need for standardization – X.509. Originally 1988, revised 93 and 95. X.509 is part of X.500 series that defines a directory service. Defines a framework for authentication services by X.500 directory to its users. Used in S/MIME, IPSEC, SSL etc. Does not dictate use of specific algorithm (recommends RSA). 6/16/2018 Lecture 4.2: Key Distribution

32 Lecture 4.2: Key Distribution
6/16/2018 X.509 Certificate 6/16/2018 Lecture 4.2: Key Distribution

33 Advantages of CA Over KDC
6/16/2018 Advantages of CA Over KDC CA does not need to be on-line all the time! CA can be very simple computing device. If CA crashes, life goes on (except CRL). Certificates can be stored in an insecure manner!! Compromised CA cannot decrypt messages. Scales well. 6/16/2018 Lecture 4.2: Key Distribution

34 Internet Certificate Hierarchy
6/16/2018 Internet Certificate Hierarchy Internet Policy Registration Authority Policy Certification Authorities Certification Authority Individuals/roles/orgs. 6/16/2018 Lecture 4.2: Key Distribution

35 Lecture 4.2: Key Distribution
6/16/2018 Types of certificates Organizational Certificates Principal’s affiliation with an organization Residential certificates Principal’s affiliation with an address Persona Certificates Principal’s Identity Principal need not be a person. It could be a role. 6/16/2018 Lecture 4.2: Key Distribution

36 Public-key Infrastructure (PKI)
6/16/2018 Public-key Infrastructure (PKI) Combination of digital certificates, public-key cryptography, and certificate authorities. A typical enterprise's PKI encompasses issuance of digital certificates to users and servers end-user enrollment software integration with corporate certificate directories tools for managing, renewing, and revoking certificates; and related services and support Verisign, Thawte and Entrust – PKI providers. Your own PKI using Mozilla/Microsoft certificate servers 6/16/2018 Lecture 4.2: Key Distribution

37 Problems with PKI – Private Key
6/16/2018 Problems with PKI – Private Key Where and how is private key stored? Host – encrypted with pass phrase Host – encrypted by OS or application Smart Card Assumes secure host or tamper proof smartcard. 6/16/2018 Lecture 4.2: Key Distribution

38 Problems with PKI - Conflicts
6/16/2018 Problems with PKI - Conflicts X.509, and PGP remain silent on conflicts. They assume CA’s will ensure that no conflicts arise. But in practice conflicts may exist – John A. Smith and John B. Smith may live at the same address. 6/16/2018 Lecture 4.2: Key Distribution

39 Trustworthiness of Issuer
6/16/2018 Trustworthiness of Issuer A certificate is the binding of an external identity to a cryptographic key and a distinguished name. If the issuer can be fooled, all who rely upon the certificate can be fooled  How do you trust CA from country XYZ (your favorite prejudice). 6/16/2018 Lecture 4.2: Key Distribution

40 Lecture 4.2: Key Distribution
6/16/2018 Further Reading Kerberos RFC: RFC-1510 X.509 page Ten Risks of PKI - 6/16/2018 Lecture 4.2: Key Distribution

41 Lecture 4.2: Key Distribution
6/16/2018 Some questions Can a KDC learn communication between Alice and Bob, to whom it issued keys? Can a CA learn communication between Alice and Bob, to whom it issued certificates? What happens if the CA is online all the time? Alice uses her private key, public key pairs and a CA issued certificate. She learnt that Eve might have leaned her key. What should she do? 6/16/2018 Lecture 4.2: Key Distribution

42 Lecture 4.2: Key Distribution
6/16/2018 Some Questions Sometimes when you access an https web-site, you get a security warning. What is that warning for? Sometimes when you connect to an SSH server, you get a security warning. What is that warning for? What is a self-signed certificate? 6/16/2018 Lecture 4.2: Key Distribution

Download ppt "Lecture 4.2: Key Distribution"

Similar presentations

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Lecture 4: Cryptography III; Email Security CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena.

Lecture 4: Cryptography III; Security CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena.
Lecture 4: Hash Functions, Message Authentication and Key Distribution CS 392/6813: Computer Security Fall 2008 Nitesh Saxena *Adopted from Previous Lectures.

Lecture 4: Hash Functions, Message Authentication and Key Distribution CS 392/6813: Computer Security Fall 2008 Nitesh Saxena *Adopted from Previous Lectures.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.

Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
Security Management.

Security Management.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Similar presentations

Ads by Google