Presentation is loading. Please wait.

Presentation is loading. Please wait.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking.

Published byMarjory Sherman Modified over 9 years ago

Similar presentations

Presentation on theme: "Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking."— Presentation transcript:

1 csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking

2 csci5233 Computer Security2 Topics

3 csci5233 Computer Security3 Storing Keys Multi-user or networked systems: attackers may defeat access control mechanisms –Encipher the file containing keys Attacker can monitor keystrokes to decipher files Key will be resident in memory that attacker may be able to read –Use physical devices like “smart card” Key never enters system Card can be stolen, so have 2 devices combine bits to make a single key

4 csci5233 Computer Security4 Key Escrow Key escrow system allows authorized third party to recover key –Useful when keys belong to roles, such as system operator, rather than individuals –Business: recovery of backup keys –Law enforcement: recovery of keys that authorized parties require access to Goal: provide this without weakening cryptosystem Very controversial. Why?

5 csci5233 Computer Security5 Desirable Properties 1.Escrow system should not depend on encipherment algorithm. That is, no inter-dependence. 2.Privacy protection mechanisms must work from end to end and be part of user interface. That is, only authorized parties with the escrowed keys can access the messages. 3.Requirements must map to key exchange protocol. That is, a person cannot bypass the key escrow system. 4.System supporting key escrow must require all parties to authenticate themselves. That is, only authorized parties may use the escrowed keys. 5.If message to be observable for limited time, key escrow system must ensure keys valid for that period of time only.  violated by the Clipper project

6 csci5233 Computer Security6 Components User security component –Does the encripherment, decipherment –Supports the key escrow component Key escrow component –Manages storage, use of data recovery keys Data recovery component –Does key recovery

7 csci5233 Computer Security7 Example: ESS, Clipper Chip Escrow Encryption Standard –Set of interlocking components –Designed to balance need for law enforcement access to enciphered traffic with citizens’ right to privacy Clipper chip prepares per-message escrow information –Each chip numbered uniquely by UID –Special facility programs chip Key Escrow Decrypt Processor (KEDP) –Available to agencies authorized to read messages

8 csci5233 Computer Security8 User Security Component UID: Unique ID for Device, unique for each chip Unique device key: k unique Nonunique family key: k family, an 80-bit encryption key for the entire family of Clipper chips Cipher is Skipjack –Classical cipher: 80 bit key, 64 bit input, output blocks Each piece of enciphered message is accompanied by a law enforcement agents’ field (LEAF): –{ UID || { k session } k unique || hash } k family –hash: 16 bit authenticator from session key and initialization vector

9 csci5233 Computer Security9 Programming User Components Done in a secure facility Two escrow agencies needed –Agents from each present –Each supplies a random seed and key number –Family key components combined to get k family –Key numbers combined to make key component enciphering key k comp –Random seeds mixed with other data to produce sequence of unique keys k unique Each chip imprinted with UID, k unique, k family

10 csci5233 Computer Security10 The Escrow Components During initialization of user security component, the process creates k u1 and k u2 where k unique = k u1  k u2 –First escrow agency gets { k u1 } k comp –Second escrow agency gets { k u2 } k comp

11 csci5233 Computer Security11 Obtaining Access Alice obtains legal authorization to read message She runs message LEAF through KEDP –LEAF is { UID || { k session } k unique || hash } k family KEDP uses (known) k family to validate LEAF, obtain sending device’s UID Authorization, LEAF taken to escrow agencies

12 csci5233 Computer Security12 Agencies’ Role Each validates authorization Each supplies { k ui } k comp and the corresponding key number KEDP takes these and LEAF: –Key numbers produce k comp –k comp produces k u1 and k u2 –k u1 and k u2 produce k unique –k unique and LEAF produce k session

13 csci5233 Computer Security13 Problems (minor) hash too short –LEAF 128 bits, so given a hash of 16 bits: 2 112 LEAFs show this as a valid hash 1 has actual session key, UID Takes about 42 minutes to generate a LEAF with a valid hash but meaningless session key and UID; in fact, deployed devices would prevent this attack (major) Scheme does not meet temporal requirement As k unique fixed for each unit, once message is read, any future messages can be read.

14 csci5233 Computer Security14 Yaksha Security System Key escrow system meeting all 5 criteria Based on RSA, central server –Central server (Yaksha server) generates session key Each user has 2 private keys –Alice’s modulus n A, public key e A –First private key d AA known only to Alice –Second private key d AY known only to Yaksha central server –d AA d AY = d A mod n A (meaning d AA d AY mod n A = d A mod n A

15 csci5233 Computer Security15 Alice and Bob Alice wants to send message to Bob 1.Alice asks Yaksha server for session key 2.Yaksha server generates k session 3.Yaksha server sends Alice the key as: C A = (k session ) d AY e A mod n A 4.Alice computes (C A ) d AA mod n A = k session Remember: d AA d AY = d A mod n A Questions: –Who knows d A ? –How would Alice determine d AA without knowing d AY ?

16 csci5233 Computer Security16 Analysis Authority can read only one message per escrowed key –Meets requirement 5 (temporal one), because “time” interpreted as “session” Independent of message enciphering key –Meets requirement 1 –Interchange algorithm, keys fixed Others met by supporting infrastructure

17 csci5233 Computer Security17 Alternate Approaches to Escrow Tie to time [Beth, etc. 1994] –The secret key used to generate the session key is not given as escrow key, but a related key is. –To derive the actual key from the related key, the authority must solve an instance of the discrete log problem. Tie to probability: Translucent cryptography [Bellare/Rivest 1999] –Oblivious transfer: message received with specified probability –Idea: translucent cryptography allows fraction f of messages to be read by third party –Not key escrow, but similar in spirit

18 csci5233 Computer Security18 Key Revocation Certificates invalidated before expiration –Usually due to compromised key –May be due to change in circumstance (e.g., someone leaving company) Problems –Entity revoking certificate authorized to do so –Revocation information circulates to everyone fast enough Network delays, infrastructure problems may delay information

19 csci5233 Computer Security19 CRLs Certificate revocation list lists certificates that are revoked X.509: only certificate issuer can revoke certificate –Added to CRL PGP: signers can revoke signatures; owners can revoke certificates, or allow others to do so –Revocation message placed in PGP packet and signed –Flag marks it as revocation message

20 csci5233 Computer Security20 Next  Bishop, Chapter 10 (Cont.): Digital Signatures

Download ppt "Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking."

Similar presentations

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Chapter 10: Key Management

Chapter 10: Key Management
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Key Escrow System “like leaving your key with a neighbour in case of an emergency” 10-11-2009 SSIN – MIEIC Micael Fernando Fonseca Oliveira.

Key Escrow System “like leaving your key with a neighbour in case of an emergency” SSIN – MIEIC Micael Fernando Fonseca Oliveira.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.

1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.

Similar presentations

Ads by Google