Symmetric Key Infrastructure
Karel Masarik, Daniel Cvrcek
Faculty of Information Technology
Brno University of Technology
Security and Protection of Information 2003 2
Current State
there is no TTP / CA generally trusted
large amount of CAs
standards for name structure - uniqueness
complicated mutual certificate verification
is it possible to transfer trust? see Farrell’s presentation from yesterday (XML)
commercial pressure to use certificates as often as possible – everywhere
certificate structure becomes complicated
Certificate Verification
signature verification
certificate validity verification
certificate attributes verification
cross-check with list of revoked certificates
all the steps several times
verification of root-certificate hash
PKI - Summary
there is a TTP
  + simple key management
  - when broken, one cannot even verify a signature
signature verification
  + in-site (original idea)
  - access to a current CRL -> on-line access to TTP
unique identification
  + each CA (certificate service provider) takes care of it
  - is the recipient able to perform the same (never seen an ID card)
non-repudiation
  the biggest advantage of … not PKI but asymmetric crypto
The Facts
asymmetric cryptography
  simple key-agreement
  non-repudiation
when a shared key exists, all the subsequent communication is the same as with symmetric key management
X.509-based PKI fails
  a very serious problem is keeping information about public keys current
  the assumptions leading to the X.509 definition
Communication Schemes
a) 1:n – server with clients
  how big a problem is it to have a shared symmetric key with the server and use it for generation of short-term public key certificates
b) m:n, m=n, network (equivalent nodes)
server – the one running its own key management
  a) intranet – one server
  b) e-business – small number of servers
  c) e-mail - peers
>1 server => mutual trust
Eliminating PKI Problems
Tiny PKI
Local Key Infrastructure
entry point – X.509 certificate (link to PKI)
our own local shared keys
  symmetric or asymmetric
validity of local keys is short / one-time key
we do not need CRL
  revocation is automatic or on peer-to-peer basis
Local Scheme
[Diagram: PKI (CAs, X.509 certificates, clients) and Local KI (server, client); labels: authentication key, SDSI names, attributes]
Example
AK – certificate and shared secret hash
AK is the index into databases of shared keys
Properties
minimal dependence on PKI (enrollment)
complete certificate verification done only once
certificate makes the link
  name – public key
exploring PKI’s unique identification of users
CRL is replaced with other mechanisms
  short-time keys, one-time tickets, direct revocation
in n:a communication model client complexity grows
categories signer – verifier disappear
Symmetric Key Infrastructure
2000 - Christianson, Crispo, Malcolm
  Proc. of Security Protocols
basis for a project solved as M.Sc. thesis
forward secrecy
  $K_i = H(S_{i-1} | 1)$ and $S_i = H(S_{i-1} | 0)$
  $S_i$ – shared secret
  $K_i$ – symmetric key valid for just one message
$S_i$ and $K_i$ are updated with each message exchange
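Added example (not from the original slides): the key chain above in Python, with SHA-256 standing in for H and the trailing 1/0 encoded as the single bytes 0x01/0x00, both assumptions. Each message is authenticated with its one-time key via HMAC, so a replayed packet is rejected and a forged one does not advance the receiver's state; `Peer`, `seal` and `open` are hypothetical names.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def step(s_prev: bytes):
    """Derive (K_i, S_i) from S_{i-1}: K_i = H(S_{i-1}|1), S_i = H(S_{i-1}|0)."""
    return H(s_prev + b"\x01"), H(s_prev + b"\x00")

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Peer:
    """One end of the chain; both peers are enrolled with the same S_0."""
    def __init__(self, s0: bytes):
        self.s, self.i = s0, 0

    def seal(self, msg: bytes):
        k, self.s = step(self.s)      # S_{i-1} is overwritten, so K_i cannot
        self.i += 1                   # be recomputed after a later compromise
        return self.i, msg, mac(k, msg)

    def open(self, packet) -> bool:
        i, msg, tag = packet
        if i != self.i + 1:           # replayed or out-of-order index
            return False
        k, s_next = step(self.s)
        if not hmac.compare_digest(tag, mac(k, msg)):
            return False              # forged: keep state, stay in sync
        self.s, self.i = s_next, i
        return True

def demo():
    s0 = H(b"constructed enrolment secret")              # constructed sample value
    alice, bob = Peer(s0), Peer(s0)
    p1 = alice.seal(b"pay 10")
    results = [bob.open(p1), bob.open(p1)]               # fresh, then replay
    results.append(bob.open((2, b"pay 99", bytes(32))))  # forged tag
    results.append(bob.open(alice.seal(b"pay 20")))      # chain still in sync
    return results, alice.s == bob.s
```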
Non-Repudiation
we want to transfer messages secured with symmetric crypto
exploiting mutually mistrusting parties for non-repudiation
$E_{AT}(M), E_{AB}(M)$ – $E_{TB}(M), E_{AB}(M)$
A, T, B – mutually mistrusting
S – e.g. firewalls
A → T → B
Trusted Third Party
shared keys are needed with all users or other TTPs
key distribution or translation center – very powerful
use of DH key agreement protocol
  DH does not ensure authentication
  we do trust TTP to ensure authentication
  TTP does not possess enough information to follow client communication sessions
Authentication Protocol
just an example of how to do it (Denning-Sacco variant of Needham-Schroeder protocol)
Alice, Bob, and TTP
a common generator g and modulus N
A → B: $g^{X_a} \bmod N$
B → A: $g^{X_b} \bmod N$
A → T: $ID_A, ID_B, H2(g^{X_a X_b})$
T → A: $\{ID_A, K_{AB}, H2(g^{X_a X_b}), \{ID_A, K_{AB}, H2(g^{X_a X_b})\}_{K_{BT}}\}_{K_{AT}}$
A → B: $\{ID_A, K_{AB}, H2(g^{X_a X_b})\}_{K_{BT}}$
B → A: $\{H(g^{X_a X_b})\}_{K_{AB}}$
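Added example (not from the original slides): the six messages above run end to end in Python, showing that T only ever sees H2 of the DH secret and that Bob rejects a ticket when the DH value he received is not the one Alice vouched for. Assumptions: H2 is H applied twice, `{...}K` is modelled by a SHAKE-256 keystream plus HMAC, the group is a constructed toy one, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

N, G = 2**127 - 1, 3        # constructed toy group, far too small for real use
ID_A, ID_B = b"alice".ljust(8, b"\0"), b"bob".ljust(8, b"\0")

def H(b): return hashlib.sha256(b).digest()
def H2(b): return H(H(b))   # assumption: the slide's H2 is H applied twice
def enc(n): return n.to_bytes(16, "big")
def tag(key, body): return hmac.new(key, body, hashlib.sha256).digest()

def seal(key, pt):
    """Stand-in for {...}K: SHAKE-256 keystream XOR plus HMAC (assumption)."""
    nonce = secrets.token_bytes(16)
    ks = hashlib.shake_256(key + nonce).digest(len(pt))
    body = nonce + bytes(p ^ k for p, k in zip(pt, ks))
    return body + tag(key, body)

def unseal(key, blob):
    body, t = blob[:-32], blob[-32:]
    if not hmac.compare_digest(t, tag(key, body)):
        raise ValueError("bad seal")
    ks = hashlib.shake_256(key + body[:16]).digest(len(body) - 16)
    return bytes(c ^ k for c, k in zip(body[16:], ks))

def ttp_issue(keys, id_a, id_b, h2):
    """T -> A. T sees only H2(g^XaXb), never the DH secret itself."""
    inner = id_a + secrets.token_bytes(32) + h2      # ID_A, K_AB, H2: 8+32+32
    return seal(keys[id_a], inner + seal(keys[id_b], inner))

def bob_accept(k_bt, ticket, shared_b):
    """Bob's check: the H2 vouched for by T must match his own DH secret."""
    inner = unseal(k_bt, ticket)
    k_ab, h2 = inner[8:40], inner[40:72]
    if not hmac.compare_digest(h2, H2(shared_b)):
        raise ValueError("DH secret does not match TTP ticket")
    return k_ab, seal(k_ab, H(shared_b))             # B -> A: {H(g^XaXb)}K_AB

def run(substitute=False):
    keys = {ID_A: secrets.token_bytes(32), ID_B: secrets.token_bytes(32)}
    xa, xb = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    ga, gb = pow(G, xa, N), pow(G, xb, N)            # A -> B, B -> A
    if substitute:                                   # constructed fault: Bob
        ga = pow(G, secrets.randbelow(N - 2) + 1, N) # receives a different g^Xa
    sa, sb = enc(pow(gb, xa, N)), enc(pow(ga, xb, N))
    reply = unseal(keys[ID_A], ttp_issue(keys, ID_A, ID_B, H2(sa)))
    k_ab, confirm = bob_accept(keys[ID_B], reply[72:], sb)
    return k_ab == reply[8:40] and unseal(k_ab, confirm) == H(sa)
```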
Messages
mirrors
$M_{K_{sm_1}}, M_{K_{sr}}$
$M_{K_{m_1 m_2}}, M_{K_{sr}}$
$M_{K_{m_2 m_3}}, M_{K_{sr}}$
$M_{K_{m_3 r}}, M_{K_{sr}}$
Messages
mirrors
$M_{K_{sm_1}}, M_{K_{sr}}$
$M_{K_{m_1 m_2}}, M_{K_{sr}}$
$M_{K_{m_2 m_3}}, M_{K_{sr}}$
$M_{K_{m_3 r}} \neq M_{K_{sr}}$
What We Can Do
create new relations between “anonymous” entities
decrease importance of TTP to authentication and control (arbiter) functions
offer mechanisms for ensuring non-repudiation in the case of any dispute
detect unauthorized changes of messages and detect their originator
compromise of TTP does not break the whole scheme – users can still work
What is the cost
each principal needs a hardware security module (smart card at least)
PKI expects the same from you
each principal generates and keeps logs
it is for all principals and all messages they send/receive/transmit
there must be a TTP for principal enrolment and dispute solving
PKI needs a TTP with much more power
Conclusions
PKI is not universal and problem-free
key management should be designed with the environment in mind
we do not need X.509v3, v4 in most applications
fewer options – requirements must be made mandatory