Presentation is loading. Please wait.

Presentation is loading. Please wait.

Symmetric Key Infrastructure Karel Masarik, Daniel Cvrcek Faculty of Information Technology Brno University of Technology

Similar presentations


Presentation on theme: "Symmetric Key Infrastructure Karel Masarik, Daniel Cvrcek Faculty of Information Technology Brno University of Technology"— Presentation transcript:

1 Symmetric Key Infrastructure Karel Masarik, Daniel Cvrcek Faculty of Information Technology Brno University of Technology xmasar01@stud.fit.vutbr.cz, cvrcek@fit.vutbr.cz

2 Security and Protection of Information 2003 2 Current State there is no TTP / CA generally trusted large amount of CAs standards for name structure - uniqueness complicated mutual certificate verification is it possible to transfer trust? see Farrell’s presentation from yesterday (XML) commercial pressure to use certificates as often as possible – everywhere certificate structure becomes complicated

3 Security and Protection of Information 2003 3 Certificate Verification signature verification certificate validity verification certificate attributes verification cross-check with list of revoked certificates all the steps several times verification of root-certificate hash

4 Security and Protection of Information 2003 4 PKI - Summary there is a TTP + simple key management - when broken, one can not even verify a signature signature verification + in-site (original idea) - access to actual CRL -> on-line access to TTP unique identification + each CA (certificate service provider) takes care of it - is the recipient able to perform the same (never seen an ID card) non-repudiation the biggest advantage of … not PKI but asymmetric crypto

5 Security and Protection of Information 2003 5 The Facts asymmetric cryptography simple key-agreement non-repudiation when a shared key exists, all the subsequent communication the same as with the symmetric key management X.509-based PKI fails very serious problem is to keep actual information about public keys the assumptions leading to X.509 definition

6 Security and Protection of Information 2003 6 Communication Schemes a) 1:n – server with clients how big problem is to have a shared symmetric key with the server and use for generation of short-term public key certificates b) m:n, m=n, network (equivalent nodes) server – the one running its own key management a) intranet – one server b) e-business –small number of servers c) e-mail - peers >1 server => mutual trust

7 Security and Protection of Information 2003 7 Eliminating PKI Problems Tiny PKI Local Key Infrastructure entry point – X.509 certificate (link to PKI) our own local shared keys symmetric or asymmetric validity of local keys is short / one-time key we do not need CRL revocation is automatic or on peer-to-peer basis

8 Security and Protection of Information 2003 8 Local Scheme CA X. 509 certificates client CA client PKI Lokální KI authentication key SDSI names attributes server client Example AK – certificate and shared secret hash AK is the index into databases of shared keys

9 Security and Protection of Information 2003 9 Properties minimal dependance on PKI (enrollment) complete certificate verification done only once certificate make link name – public key exploring PKI’s unique identification of users CRL is replaced with other mechanisms short-time keys, one-time tickets, direct revocation in n:a communication model client complexity grows categories signer – verifier disappear

10 Security and Protection of Information 2003 10 Symmetric Key Infrastructure 2000 - Christianson, Crispo, Malcolm Proc. of Security Protocols basis for a project solved as M.Sc. thesis forward secrecy K i =H(S i-1 |1) and S i =H(S i-1 |0) S i – shared secret K i – symmetric key valid for just one message S i and K i are updated with each message exchange

11 Security and Protection of Information 2003 11 Non-Repudiation we want to transfer messages secured with symmetric crypto exploiting mutually mistrusting parties for non-repudiation E AT (M), E AB (M) – E TB (M), E AB (M) A, T, B – mutually mistrusting S – e.g. firewalls ATB

12 Security and Protection of Information 2003 12 Trusted Third Party it is needed shared keys with all users or other TTPs key distribution or translation center – very powerful use of DH key agreement protocol DH does not ensure authentication we do trust TTP to ensure authentication TTP does not posses enough information to follows client communication sessions

13 Security and Protection of Information 2003 13 Authentication Protocol just an example of how to do it (Denning-Sacco variant of Needham-Schroeder protocol) Alice, Bob, and TTP a common generator g and modulus N A  B: g Xa mod N B  A: g Xb mod N A  T: ID A, ID B, H 2 (g XaXb ) T  A: {ID A, K AB, H 2 (g XaXb ), {ID A, K AB, H 2 (g XaXb )}K BT }K AT A  B: {ID A, K AB, H 2 (g XaXb )}K BT B  A: {H(g XaXb )}K AB

14 Security and Protection of Information 2003 14 Messages mirrors M Ksm1, M Ksr M Km1m2, M Ksr M Km2m3, M Ksr M Km3r, M Ksr

15 Security and Protection of Information 2003 15 Messages mirrors M Ksm1, M Ksr M Km1m2, M Ksr M Km2m3, M Ksr M Km3r <> M Ksr

16 Security and Protection of Information 2003 16 What We Can Do create new relations between “anonymous” entities decrease importance of TTP into authentication and control (arbiter) functions offer mechanisms for ensuring non-repudiation in the case of any dispute detect unauthorized changes of messages and detect their originator compromise of TTP does not break the whole scheme – users can still work

17 Security and Protection of Information 2003 17 What is the cost each principal needs a hardware security module (smart card at least) PKI expects the same from you each principal generates and keeps logs it is for all principals and all messages they send/receive/transmit there must be a TTP for principal enrolment and dispute solving PKI needs a TTP with much more power

18 Security and Protection of Information 2003 18 Conclusions PKI is not universal and problem-free key management should be designed with taking care of environment we do not need X.509v3, v4 in most applications less options requirements must be made mandatory


Download ppt "Symmetric Key Infrastructure Karel Masarik, Daniel Cvrcek Faculty of Information Technology Brno University of Technology"

Similar presentations


Ads by Google