Symmetric Key Infrastructure

Karel Masarik, Daniel Cvrcek

Faculty of Information Technology

Brno University of Technology

xmasar01@stud.fit.vutbr.cz, cvrcek@fit.vutbr.cz

Security and Protection of Information 2003

Current State

there is no generally trusted TTP / CA

large number of CAs

standards for name structure - uniqueness

complicated mutual certificate verification

is it possible to transfer trust? see Farrell’s presentation from yesterday (XML)

commercial pressure to use certificates as often as possible – everywhere

certificate structure becomes complicated


Certificate Verification

signature verification

certificate validity verification

certificate attributes verification

cross-check with list of revoked certificates

all the steps several times

verification of root-certificate hash


PKI - Summary

there is a TTP

+ simple key management

- when broken, one cannot even verify a signature

signature verification

+ in-site (original idea)

- access to current CRL -> on-line access to TTP

unique identification

+ each CA (certificate service provider) takes care of it

- is the recipient able to perform the same (never seen an ID card)

non-repudiation

the biggest advantage of … not PKI but asymmetric crypto


The Facts

asymmetric cryptography

simple key-agreement

non-repudiation

when a shared key exists, all subsequent communication is the same as with symmetric key management

X.509-based PKI fails

a very serious problem is keeping information about public keys up to date

the assumptions leading to the X.509 definition


Communication Schemes

a) 1:n – server with clients

how big a problem is it to have a shared symmetric key with the server and use it for generation of short-term public key certificates

b) m:n, m=n, network (equivalent nodes)

server – the one running its own key management

a) intranet – one server

b) e-business – small number of servers

c) e-mail - peers

>1 server => mutual trust


Eliminating PKI Problems

Tiny PKI

Local Key Infrastructure

entry point – X.509 certificate (link to PKI)

our own local shared keys

symmetric or asymmetric

validity of local keys is short / one-time key

we do not need CRL

revocation is automatic or on peer-to-peer basis


Local Scheme

[Figure: diagram with a PKI part (CAs, X.509 certificates, clients) and a Local KI part (server, client); labels: authentication key, SDSI names, attributes]

Example AK – certificate and shared secret hash

AK is the index into databases of shared keys


Properties

minimal dependence on PKI (enrollment)

complete certificate verification done only once

certificate makes the link

name – public key

exploring PKI’s unique identification of users

CRL is replaced with other mechanisms

short-time keys, one-time tickets, direct revocation

in n:a communication model client complexity grows

categories signer – verifier disappear


Symmetric Key Infrastructure

2000 - Christianson, Crispo, Malcolm

Proc. of Security Protocols

basis for a project solved as M.Sc. thesis

forward secrecy

$K_i = H(S_{i-1} \mid 1)$ and $S_i = H(S_{i-1} \mid 0)$

$S_i$ – shared secret

$K_i$ – symmetric key valid for just one message

$S_i$ and $K_i$ are updated with each message exchange
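
The key update rule above, as an added example that is not code from the slides or from the cited paper. It assumes H is SHA-256, reads "|" as byte concatenation, and uses each one-message key as an HMAC key; the class, function names and sample secret are constructed for illustration.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    # Assumption: the slides do not name the hash; SHA-256 is used here.
    return hashlib.sha256(data).digest()

class Ratchet:
    """One party's state. Holds S_{i-1}; never stores earlier secrets."""
    def __init__(self, s0: bytes):
        self.s = s0

    def derive(self):
        # K_i = H(S_{i-1} | 1), S_i = H(S_{i-1} | 0); "|" is byte concatenation.
        return H(self.s + b"\x01"), H(self.s + b"\x00")

def protect(r: Ratchet, msg: bytes) -> bytes:
    """Sender: tag msg with the one-message key K_i, then advance to S_i."""
    k, r.s = r.derive()
    return hmac.new(k, msg, "sha256").digest()

def verify(r: Ratchet, msg: bytes, tag: bytes) -> bool:
    """Receiver: advance only on success, so a forgery cannot desynchronise."""
    k, s_next = r.derive()
    ok = hmac.compare_digest(tag, hmac.new(k, msg, "sha256").digest())
    if ok:
        r.s = s_next
    return ok

def demo() -> dict:
    s0 = b"constructed enrolment secret S_0"      # constructed sample value
    a, b = Ratchet(s0), Ratchet(s0)
    k1 = a.derive()[0]                             # K_1, kept only for the check below
    t1 = protect(a, b"msg 1")
    forged = verify(b, b"msg 1 (altered)", t1)     # rejected, b stays at S_0
    first = verify(b, b"msg 1", t1)                # accepted, b moves to S_1
    replay = verify(b, b"msg 1", t1)               # b now expects K_2: replay fails
    t2 = protect(a, b"msg 2")
    second = verify(b, b"msg 2", t2)
    # The state now held (S_2) derives K_3; recovering K_1 would mean inverting H.
    return {"forged": forged, "first": first, "replay": replay,
            "second": second, "in_sync": a.s == b.s,
            "next_key_is_k1": a.derive()[0] == k1}
```

The receiver commits the new secret only after the tag verifies; stepping on every received message would let a single forged message push the two parties out of step.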


Non-Repudiation

we want to transfer messages secured with symmetric crypto

exploiting mutually mistrusting parties for non-repudiation

$E_{AT}(M), E_{AB}(M)$ – $E_{TB}(M), E_{AB}(M)$

A, T, B – mutually mistrusting

S – e.g. firewalls

A → T → B


Trusted Third Party

shared keys are needed with all users or other TTPs

key distribution or translation center – very powerful

use of DH key agreement protocol

DH does not ensure authentication

we do trust TTP to ensure authentication

TTP does not possess enough information to follow client communication sessions


Authentication Protocol

just an example of how to do it (Denning-Sacco variant of Needham-Schroeder protocol)

Alice, Bob, and TTP

a common generator g and modulus N

A → B: $g^{X_a} \bmod N$

B → A: $g^{X_b} \bmod N$

A → T: $ID_A, ID_B, H2(g^{X_a X_b})$

T → A: $\{ID_A, K_{AB}, H2(g^{X_a X_b}), \{ID_A, K_{AB}, H2(g^{X_a X_b})\}_{K_{BT}}\}_{K_{AT}}$

A → B: $\{ID_A, K_{AB}, H2(g^{X_a X_b})\}_{K_{BT}}$

B → A: $\{H(g^{X_a X_b})\}_{K_{AB}}$
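
The six messages above run end to end, as an added example that is not the authors' implementation. Assumptions: H is SHA-256, H2(x) is read as H(H(x)), {m}K is a toy encrypt-then-MAC built from SHA-256 and HMAC, and N, G are toy parameters; all function names are constructed here.

```python
import hashlib, hmac, json, secrets

# Assumptions, not from the slides: H is SHA-256, H2(x) is read as H(H(x)),
# {m}K is a toy encrypt-then-MAC, and N, G are toy parameters (far too small).
N, G = 2**127 - 1, 3

def H(b): return hashlib.sha256(b).digest()
def H2(b): return H(H(b)).hex()
def mac(k, b): return hmac.new(k, b, "sha256").digest()
def stream(k, nonce, n):
    return b"".join(H(k + nonce + bytes([i])) for i in range(n // 32 + 1))

def seal(k, obj):                                   # {obj}K
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(pt, stream(k, nonce, len(pt))))
    return (nonce + ct + mac(k, nonce + ct)).hex()

def unseal(k, blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, mac(k, nonce + ct)):
        raise ValueError("bad MAC")
    return json.loads(bytes(c ^ s for c, s in zip(ct, stream(k, nonce, len(ct)))))

def ttp(k_at, k_bt, id_a, id_b, h2):                # message 3 in, message 4 out
    # T sees only H2(g^XaXb), so it cannot produce H(g^XaXb) for message 6.
    # A real T would use id_b to look up K_BT; here it is passed in directly.
    k_ab = secrets.token_hex(32)
    return seal(k_at, [id_a, k_ab, h2, seal(k_bt, [id_a, k_ab, h2])])

def run(altered_in_transit=False):
    k_at, k_bt = secrets.token_bytes(32), secrets.token_bytes(32)  # from enrolment
    xa, xb = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    ga, gb = pow(G, xa, N), pow(G, xb, N)            # messages 1 and 2
    if altered_in_transit:                           # B receives a different value
        ga = pow(G, secrets.randbelow(N - 2) + 1, N)
    s_a = pow(gb, xa, N).to_bytes(16, "big")         # A's view of g^XaXb
    s_b = pow(ga, xb, N).to_bytes(16, "big")         # B's view of g^XaXb
    _, k_ab, _, ticket = unseal(k_at, ttp(k_at, k_bt, "A", "B", H2(s_a)))
    _, k_ab_b, h2 = unseal(k_bt, ticket)             # message 5, opened by B
    if not hmac.compare_digest(h2, H2(s_b)):         # ticket must match B's own DH
        return "rejected by B"
    proof = seal(bytes.fromhex(k_ab_b), H(s_b).hex())           # message 6
    ok = unseal(bytes.fromhex(k_ab), proof) == H(s_a).hex()
    return "authenticated" if ok else "rejected by A"
```

B's comparison of the ticket's hash with its own DH result is what ties the TTP-issued key to this particular unauthenticated DH exchange, which is why the altered run stops at B.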


Messages

mirrors

$M_{K_{sm_1}}, M_{K_{sr}}$

$M_{K_{m_1 m_2}}, M_{K_{sr}}$

$M_{K_{m_2 m_3}}, M_{K_{sr}}$

$M_{K_{m_3 r}}, M_{K_{sr}}$


Messages

mirrors

$M_{K_{sm_1}}, M_{K_{sr}}$

$M_{K_{m_1 m_2}}, M_{K_{sr}}$

$M_{K_{m_2 m_3}}, M_{K_{sr}}$

$M_{K_{m_3 r}} \neq M_{K_{sr}}$


What We Can Do

create new relations between “anonymous” entities

reduce the role of the TTP to authentication and control (arbiter) functions

offer mechanisms for ensuring non-repudiation in the case of any dispute

detect unauthorized changes of messages and detect their originator

compromise of TTP does not break the whole scheme – users can still work


What is the cost

each principal needs a hardware security module (smart card at least)

PKI expects the same from you

each principal generates and keeps logs

it is for all principals and all messages they send/receive/transmit

there must be a TTP for principal enrolment and dispute solving

PKI needs a TTP with much more power


Conclusions

PKI is not universal and problem-free

key management should be designed with the environment in mind

we do not need X.509v3, v4 in most applications

fewer options, requirements must be made mandatory