
1 Practices in Security Bruhadeshwar Bezawada

2 Key Management
- Set of techniques and procedures supporting the establishment and maintenance of keying relationships between authorized parties
  - Initialization of system users within a domain
  - Generation, distribution, and installation of keying material
  - Controlling the use of keying material
  - Update, revocation and destruction of keying material
  - Storage, backup/recovery, and archival of keying material

3 Types of Key Management
- Automated key management
  - More than N^2 keys
  - Stream cipher
  - Initialization vectors are used
  - Large amount of data needs to be encrypted in a short amount of time
  - Long-term session keys are used in multicast sessions
  - Frequent change in session key is expected
- Manual key management
  - Environment has limited bandwidth or high RTT
  - Information has low value
  - Total volume of traffic is very low
  - Scale of each deployment is very limited

4 Cryptographic Primitives
- Hash functions
- Symmetric key algorithms
- Asymmetric key algorithms

5 Cryptographic primitives
- Hash functions do not require keys, provide
  - data authentication and integrity services
  - compression of messages for digital signature and verification
  - derivation of keys in key establishment algorithms
  - generate deterministic random numbers

6 Cryptographic primitives
- Symmetric key algorithms require the same key across all operations, provide
  - data confidentiality
  - authentication and integrity in the form of MACs
  - key establishment
  - generation of deterministic random numbers

7 Cryptographic primitives
- Asymmetric key, public key algorithms, enable
  - digital signatures
  - establish cryptographic keying material
  - generate random numbers
- Exercise: Enumerate all hash functions, all symmetric key ciphers and all public-key crypto systems available currently. Differentiate between commercially available and non-commercial algorithms

8 Types of keys
- Private signature key (public-private keys)
- Public signature verification keys
- Symmetric authentication key
- Private authentication key
- Public authentication keys
- Symmetric data encryption key

9 Types
- Symmetric and asymmetric random number generation keys
- Symmetric master key
- Private key transport key
- Public key transport key
- Symmetric key agreement key (also, key wrapping key)

10 Types
- Private ephemeral key agreement key
- Public ephemeral key agreement key
- Symmetric authorization keys
- Private authorization key
- Public authorization key

11 General Terms in Key Management
- Key registration
- Key revocation
- Key transport
- Key update
- Key derivation
- Key confirmation
- Key establishment
- Key agreement

12 Terms
- Registration authority
- Security domain
- Self-signed certificate

13 Valuable Information in Addition to Cryptographic Keys
- Domain parameters
- Initialization vectors, shared secrets, RNG seeds, nonces, random numbers
- Intermediate results
- Key control information
- Passwords
- Audit information

14 Cryptoperiods
- Time span during which a specific key is authorized for use by legitimate entities, or the keys for a given system will remain in effect.
- A good cryptoperiod
  - Limits amount of information protected by a given key from disclosure
  - Limits amount of exposure if a single key is compromised
  - Limits use of particular algorithm to its estimated effective lifetime
  - Limits time available to penetrate physical, procedural, and logical access mechanisms that protect a key

15 Risk Factors to Consider for Cryptoperiods
- Strength of cryptographic implementations
- Operating environment, secure limited access, open office or public terminal
- Volume of information or transactions
- Security objective
- Re-keying method
- Number of nodes sharing the key/copies of the key
- Threat to information

16 Other Factors Affecting Cryptoperiods
- Communication vs storage
  - E.g., keys used for online transactions are likely to have smaller cryptoperiods
  - Keys used for storage will have higher cryptoperiods, as the cost of re-encryption is high
- Cost of key revocation and replacement
  - Changing keys can be an expensive process
    - Encryption of large databases
    - Revocation of large number of keys
  - Expensive security measures are justified for such cases as the cryptoperiod can be made high

17 Factors Affecting Public Keys
- Private keys may have longer cryptoperiods than public keys when used for confidentiality
- When used for challenge (dynamic) authentication both public and private keys can have the same cryptoperiod
- When used for digital signatures public keys can have longer cryptoperiods than private keys as they will be necessary to verify certificates

18 Cryptoperiods for Different Keys
- Private signature key (public-private keys)
  - 1-3 years
- Public signature verification keys
- Symmetric authentication key
  - 2-3 years
- Private authentication key
  - 1-2 years
- Public authentication keys
  - 1-2 years
- Symmetric data encryption key
  - 3 years

19 Cryptoperiods for Different Keys
- Symmetric and asymmetric random number generation keys
  - Depends on the RNG technique
- Symmetric master key
  - 1 year
- Private and public key transport keys
  - Private 2 years, public 1-2 years
- Symmetric key agreement key (also, key wrapping key)
  - 1-2 years

20 Cryptoperiods for Different Keys
- Private and public ephemeral key agreement key
  - Time required to complete the key agreement protocol
- Symmetric authorization keys
  - 2 years
- Private and public authorization keys
  - 2 years
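The cryptoperiods on slides 18-20 can be enforced mechanically against a key inventory. The following is an added example, not part of the original presentation: the type labels, the 90-day warning window and the inventory entries are constructed for illustration, and each range on the slides is reduced to its upper bound.

```python
from datetime import date

# Upper-bound cryptoperiods in years, copied from slides 18-20.
# None = the slides give no fixed number for this key type.
MAX_YEARS = {
    "private_signature": 3,
    "public_signature_verification": None,   # no value on the slide
    "symmetric_authentication": 3,
    "private_authentication": 2,
    "public_authentication": 2,
    "symmetric_data_encryption": 3,
    "rng_key": None,                          # depends on the RNG technique
    "symmetric_master": 1,
    "private_key_transport": 2,
    "public_key_transport": 2,
    "symmetric_key_agreement": 2,
    "ephemeral_key_agreement": None,          # one protocol run only
    "symmetric_authorization": 2,
    "private_authorization": 2,
    "public_authorization": 2,
}

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:                        # 29 Feb, non-leap target year
        return d.replace(year=d.year + years, day=28)

def audit_key(key_type, activated, today, warn_days=90):
    # Classify one key against its maximum cryptoperiod.
    if key_type not in MAX_YEARS:
        return "unknown-type"                 # never silently pass unknown keys
    if MAX_YEARS[key_type] is None:
        return "no-fixed-period"
    expiry = add_years(activated, MAX_YEARS[key_type])
    if today >= expiry:
        return "expired"
    if (expiry - today).days <= warn_days:
        return "rotate-soon"
    return "ok"

# Constructed inventory: (label, key type, activation date).
INVENTORY = [
    ("ca-signing", "private_signature", date(2021, 3, 1)),
    ("db-at-rest", "symmetric_data_encryption", date(2022, 9, 15)),
    ("kek-1", "symmetric_master", date(2024, 2, 29)),
    ("tls-ecdhe", "ephemeral_key_agreement", date(2025, 1, 10)),
]

def audit(inventory, today):
    return {name: audit_key(kind, start, today) for name, kind, start in inventory}
```

Keys reported as "no-fixed-period" still need a policy of their own, for example tying ephemeral keys to protocol completion as slide 20 states.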

21 Other Parameters
- Domain parameters stay for the cryptoperiod
- IV is associated with the information and stays as long as the information is held
- Shared secrets are destroyed as soon as the necessary key derivations are complete
- RNG seeds are destroyed immediately
- Intermediate results are destroyed immediately
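Slide 5 lists key derivation as a use of hash functions, and slide 21 requires shared secrets and intermediate results to be destroyed once derivation is complete. The following added example (not from the original presentation) combines both, using HKDF with SHA-256 as the assumed derivation function; the `info` labels and function names are illustrative.

```python
import hashlib
import hmac

HASH = hashlib.sha256

def hkdf_extract(salt, ikm):
    # Concentrate the shared secret into a fixed-length pseudorandom key.
    return hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()

def hkdf_expand(prk, info, length):
    # Stretch the pseudorandom key into `length` bytes bound to `info`.
    if length > 255 * HASH().digest_size:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_session_keys(shared_secret: bytearray, salt: bytes):
    """Derive separate encryption and MAC keys, then wipe the inputs.

    The shared secret is taken as a mutable bytearray so it can be
    overwritten in place; copies made inside the interpreter or the
    hash library are outside this function's control.
    """
    prk = bytearray(hkdf_extract(salt, shared_secret))
    try:
        enc_key = hkdf_expand(prk, b"example enc key", 32)
        mac_key = hkdf_expand(prk, b"example mac key", 32)
    finally:
        # Slide 21: destroy the shared secret and the intermediate result.
        for buf in (shared_secret, prk):
            buf[:] = bytes(len(buf))
    return enc_key, mac_key
```

Using a distinct `info` label per key keeps the encryption and MAC keys independent even though both come from one shared secret.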

22 Algorithms, Key Sizes and Strengths

23 Factors to be Considered for Design of New System
- Sensitivity of information and system lifetime
- Algorithm selection
- System design wrt performance and security
- Pre-implementation evaluation
- Testing
- Training
- System implementation and transition
- Post-implementation evaluation

