Lecture 4 Key Management and Distribution Modified version
Lecture 4 Key Management and Distribution (Modified version based on lecture slides by Lawrie Brown)
Chapter 4 – Key Management and Distribution No Singhalese, whether man or woman, would venture out of the house without a bunch of keys in his hand, for without such a talisman he would fear that some devil might take advantage of his weak state to slip into his body. —The Golden Bough, Sir James George Frazer
Outline • Key distribution (Ref. Chap. 14) • User authentication: Kerberos (Ref. Chap. 15) • Public-key certificate (Ref. Chap. 14) • Public-key infrastructure (Ref. Chap. 14)
Key Management and Distribution • Topics of cryptographic key management / key distribution are complex • Cryptographic, protocol, & management issues • Symmetric schemes require both parties to share a common secret key • Public key schemes require parties to acquire valid public keys • Have concerns with doing both
Key Distribution • Symmetric schemes require both parties to share a common secret key • Issue is how to securely distribute this key whilst protecting it from others • Frequent key changes can be desirable • Often secure system failure due to a break in the key distribution scheme
Key Distribution • Given parties A and B have various key distribution alternatives: 1. 2. 3. 4. A can select key and physically deliver to B Third party can select & deliver key to A & B Uf A & B have communicated previously can use previous key to encrypt a new key If A & B have secure communications with a third party C, C can relay key between A & B
Option 4 • Elements in option 4 • Key distribution center (KDC) • Session key: valid for the duration of a logical connection • Permanent key: for distributing session keys • Steps • Connection request: A -> KDC • Connection approval: KDC generates unique one-time session key, and send to A and B • Data exchange using session key: A <-> B
Kerberos ØTrusted key server system from MIT ØProvides centralised private-key third-party authentication in a distributed network l. Allows users access to services distributed through network l. Without needing to trust all workstations l. Rather all trust a central authentication server ØTwo versions in use: 4 & 5 (RFC 4120)
Kerberos Requirements • Its first report identified requirements as: • • Secure Reliable Transparent Scalable • Implemented using an authentication protocol based on Needham. Schroeder
A Simple Authentication Dialogue • To prevent impersonation • C V: IDC||PC • Burden on each server • Authentication server (AS) 1. C AS: IDC||PC||IDV 2. AS C: Ticket 3. C V: IDC||Ticket • Ticket=E(Kv, [IDC||ADC||IDV])
A More Secure Authentication Dialogue • Problems with the previous scenario • A user has to enter a password many times • Once for every different service • Plaintext transmission of the password
• Ticket-granting server (TGS) • Once per user logon session 1. C AS: IDC||IDtgs 2. AS C: E(KC, Tickettgs) • Once per type of service 3. C->TGS: IDC||IDV||Tickettgs 4. TGS C: Ticketv • Once per server session 5. C V: IDC||Ticketv • Tickettgs=E(Ktgs, [IDC||ADC||IDtgs||TS 1||Lifetime 1]) • Ticketv=E(Kv, [IDC||ADC||IDV||TS 2||Lifetime 2])
• Problems • Lifetime of the tickets • A network service must be able to prove that the person using the ticket is the same person to whom the ticket was issued • Session key in Kerberos • Servers need to authenticate themselves to users • Mutual authentication
Kerberos v 4 Overview • A basic third-party authentication scheme • Have an Authentication Server (AS) • Users initially negotiate with AS to identify self • AS provides a non-corruptible authentication credential (ticket granting ticket TGT) • Have a Ticket Granting server (TGS) • Users subsequently request access to other services from TGS on basis of users TGT • Using a complex protocol using DES
Kerberos v 4 Dialogue
• Authentication service exchange to obtain ticket-granting ticket 1. 2. • C AS: IDC||IDtgs||TS 1 AS C: E(KC, [KC, tgs||IDtgs||TS 2||Lifetime 2||Tickettgs]) Tickettgs=E(Ktgs, [KC, tgs|| IDC||ADC||IDtgs||TS 2||Lifetime 2]) • [Session key: KC, tgs]
• Ticket-granting service exchange to obtain ticket-granting ticket 3. 4. • • • C->TGS: IDV||Tickettgs||Authenticator. C TGS C: E(KC, tgs , [Kc, v||IDv||TS 4||Ticketv]) Tickettgs=E(Ktgs, [KC, tgs|| IDC||ADC||IDtgs||TS 2||Lifetime 2]) Ticketv=E(Kv, [Kc, v|| IDC||ADC||IDV||TS 4||Lifetime 4]) Authenticator. C = E(KC, tgs, [IDC||ADC||TS 3]) • [Session key: KC, v]
• Client/Server Authentication Exchange to obtain service 5. 6. • • C V: Ticketv||Authenticator. C V C: E(Kc, v, [TS 5+1]) (for mutual authentication) Ticketv=E(Kv, [Kc, v || IDC||ADC||IDV||TS 4||Lifetime 4]) Authenticator. C = E(KC, v, [IDC||ADC||TS 5])
Kerberos 4 Overview
Kerberos Realms • A Kerberos environment consists of: • A Kerberos server • A number of clients, all registered with server • Application servers, sharing keys with server • This is termed a realm • Typically a single administrative domain • In multiple realms, their Kerberos servers must share keys and trust
Kerberos Realms
![• • C AS: IDC||IDtgs||TS 1 AS C: E(KC, [KC, tgs||IDtgs||TS 2||Lifetime 2||Tickettgs])](http://slidetodoc.com/presentation_image_h2/7475e34a13047ee02fa916d3929f481f/image-22.jpg "• • C AS: IDC||IDtgs||TS 1 AS C: E(KC, [KC, tgs||IDtgs||TS 2||Lifetime 2||Tickettgs])")
• • C AS: IDC||IDtgs||TS 1 AS C: E(KC, [KC, tgs||IDtgs||TS 2||Lifetime 2||Tickettgs]) C->TGS: IDtgsrem||Tickettgs||Authenticator. C TGS C: E(KC, tgs , [Kc, tgsrem||IDtgsrem||TS 4||Tickettgsrem]) C->TGSrem: IDVrem||Tickettgsrem||Authenticator. C TGSrem C: E(KC, tgsrem, [Kc, vrem||IDvrem||TS 6||Ticketvrem]) C Vrem: Ticketvrem||Authenticator. C
Kerberos Version 5 • Developed in mid 1990’s (RFC 1510) • Specified as Internet standard (RFC 4120) • Provides improvements over v 4 • Addresses environmental shortcomings • Encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm auth • And technical deficiencies • Double encryption, non-std mode of use, session keys, password attacks
Kerberos v 5 Dialogue
Key distribution using asymmetric encryption • Distribution of public keys • Use of public-key encryption to distribute secret keys
Public-Key Certificates • To send or broadcast public keys to the community is convenient, but • Anyone can forge such announcement • Public-key certificate • CA: certificate authority • Certificate: (public key + user ID) signed by CA
X. 509 Certificate Use
Public-key distribution of secret keys • How to distribute the secret key between Alice and Bob? • Diffie-Hellman key exchange • No authentication of the two communicating partners • Public-key certificate • Encrypt the message with one-time session key • Encrypt the session key using public-key encryption with Alice’s public key • Attach the encrypted session key to the message
X. 509 Certificates • ITU-T X. 509 • A part of X. 500 directory service • Database of information about users • A framework for providing authentication services by X. 500 directory to its users • A repository of public-key certificates • Used in S/MIME (Chap. 7), IP security (Chap. 8), SSL/TLS (Chap. 5) • First issued in 1988, revised recommendation in 1993, third version in 1995 and revised in 2000 • Does not dictate the use of a specific alg but recommends RSA
X. 509 Certificates • Issued by a Certification Authority (CA), containing: • • • version V (1, 2, or 3) serial number SN (unique within CA) identifying certificate signature algorithm identifier AI issuer X. 500 name CA period of validity TA (from - to dates) subject X. 500 name A (name of owner) subject public-key info Ap (algorithm, parameters, key) issuer unique identifier (v 2+) subject unique identifier (v 2+) extension fields (v 3) signature (of hash of all fields in certificate) • Notation CA<<A>> denotes certificate for A signed by CA
X. 509 Certificates
Obtaining a Certificate ØAny user with access to CA can get any certificate from it ØOnly the CA can modify a certificate ØBecause cannot be forged, certificates can be placed in a public directory
CA Hierarchy ØIf both users share a common CA then they are assumed to know its public key ØOtherwise CA's must form a hierarchy ØUse certificates linking members of hierarchy to validate other CA's l. Each CA has certificates for clients (forward) and parent (backward) ØEach client trusts parents certificates ØEnable verification of any certificate from one CA by users of all other CAs in hierarchy
CA Hierarchy Use
Certificate Revocation Certificates have a period of validity May need to revoke before expiry, eg: • • 1. User's private key is compromised 2. User is no longer certified by this CA 3. CA's certificate is compromised CA’s maintain list of revoked certificates • • • The Certificate Revocation List (CRL) Users should check certificates with CA’s CRL
X. 509 Version 3 • Has been recognised that additional information is needed in a certificate • Email/URL, policy details, usage constraints • Rather than explicitly naming new fields defined a general extension method • Extensions consist of: • Extension identifier • Criticality indicator • Extension value
Certificate Extensions • Key and policy information • Convey info about subject & issuer keys, plus indicators of certificate policy • Certificate subject and issuer attributes • Support alternative names, in alternative formats for certificate subject and/or issuer • Certificate path constraints • Allow constraints on use of certificates by other CA’s
Public Key Infrastructure
PKIX Management ØFunctions: l. Registration l. Initialization l. Certification l. Key pair recovery l. Key pair update l. Revocation request l. Cross certification ØProtocols: CMP (RFC 2510), CMC (RFC 2797)
Federated Identity Management ØUse of common identity management scheme l. Across multiple enterprises & numerous applications l. Supporting many thousands, even millions of users ØPrincipal elements are: l. Authentication, authorization, accounting, provisioning, workflow automation, delegated administration, password synchronization, self-service password reset, federation ØKerberos contains many of these elements
Identity Management
Identity Federation
Standards Used ØSecurity Assertion Markup Language (SAML) l. XML-based language for exchange of security information between online business partners ØPart of OASIS (Organization for the Advancement of Structured Information Standards) standards for federated identity management le. g. WS-Federation for browser-based federation ØNeed a few mature industry standards
Federated Identity Examples
- Slides: 44