Introduction to Network Security Key Management and Distribution

Introduction to Network Security Key Management and Distribution Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of Science and Technology cetinkayae@mst.edu http://web.mst.edu/~cetinkayae/teaching/cpe5420fall2015 28 September 2015 rev. 15.0 2014 2015 Egemen K. Çetinkaya

Key Management and Distribution Outline Symmetric key distribution Public key distribution X.509 certificates PKI 28 September 2015 MST CPE 5420 Key Management and Distribution 2

Key Management and Distribution Symmetric Key Distribution Symmetric key distribution using symmetric key encryption using asymmetric encryption Public key distribution X.509 certificates PKI 28 September 2015 MST CPE 5420 Key Management and Distribution 3

Key Management and Distribution Overview Delivery of a key to two parties Frequent key changes are desirable to limit amount of data compromised if attacker learns key For symmetric encryption to work two parties exchange share the same key key must be protected from access by others 28 September 2015 MST CPE 5420 Key Management and Distribution 4

Symmetric Key Distribution Methods Key exchange between the sender and receiver sender and receiver physically exchange the key sender and receiver use a recent (old) key to decrypt and exchange the new key Key distribution via third party third party selects key and physically deliver to end systems third party delivers the key via encrypted links Scale is an issue how would you distribute many keys physically? Third party against the very basic principle of security 28 September 2015 MST CPE 5420 Key Management and Distribution 5

Symmetric Key Distribution Scale How many keys are needed in n node comm.? Egemen K. Çetinkaya 28 September 2015 MST CPE 5420 Key Management and Distribution 6

Symmetric Key Distribution Scale Egemen K. Çetinkaya Number of keys needed: n (n 1)/2 28 September 2015 MST CPE 5420 Key Management and Distribution 7

Symmetric Key Distribution Key Hierarchy Egemen K. Çetinkaya Hierarchy reduces number of keys exchanged 28 September 2015 MST CPE 5420 Key Management and Distribution 8

Symmetric Key Distribution Centralized Scenario Egemen K. Çetinkaya Key exchange involves distribution and authentication 28 September 2015 MST CPE 5420 Key Management and Distribution 9

Symmetric Key Distribution Centralized Scenario Steps Step 1: initiator requests session key using initiator id, responder id, nonce nonce: random number that prevents masquerading Step 2: KDC responds session key encrypted using initiator's master key Step 3: initiator forwards session key to responder encrypted using responder s master key Step 4: responder sends a nonce validating session key using a different nonce Step 5: initiator responds to nonce validating identity completes authentication between initiator and responder 28 September 2015 MST CPE 5420 Key Management and Distribution 10

Hierarchical Key Distribution Overview What are the issues using one KDC? Egemen K. Çetinkaya 28 September 2015 MST CPE 5420 Key Management and Distribution 11

Hierarchical Key Distribution Architecture Using one KDC does not scale Uses local KDC for local domain communication If two entities in different domains desire shared key corresponding local KDCs communicate through global KDC Scheme minimizes effort in master key distribution most master keys shared by local KDC and its local entities limits range of faulty or subverted KDC to its local area only Hierarchical can be extended to three or more layers 28 September 2015 MST CPE 5420 Key Management and Distribution 12

Symmetric Key Distribution Decentralized Scenario Key exchange does not involve KDC Session key exchanged between initiator & responder This eliminates concern about KDC trustworthiness Not practical for larger networks 28 September 2015 MST CPE 5420 Key Management and Distribution 13

Symmetric Key Distribution Decentralized Scenario Steps Step 1: initiator requests session key from responder using initiator id, nonce nonce: random number that prevents masquerading Step 2: responder responds session key encrypted using master key (between two parties) responder also send a second nonce Step 3: initiator responds to nonce validating identity completes authentication between initiator and responder 28 September 2015 MST CPE 5420 Key Management and Distribution 14

Key Usage Lifetime and Control Session key lifetime has tradeoffs more frequent the session keys, more secure communication more frequent session keys delays start of communication exchange overhead of key exchange reduces network capacity Connection-oriented protocols key length time during session Connectionless protocols key length time for a fixed period of time Keys should be controlled/separated master and session keys should be separate 28 September 2015 MST CPE 5420 Key Management and Distribution 15

Key Management and Distribution Symmetric Key Distribution Symmetric key distribution using symmetric key encryption using asymmetric encryption Public key distribution X.509 certificates PKI 28 September 2015 MST CPE 5420 Key Management and Distribution 16

Symmetric Key Distribution Using Public-key Encryption Step 1: initiator requests session key from responder using initiator id and public-key Step 2: responder responds session key encrypted using public-key only A can decrypt using A s private-key What is the security risk? 28 September 2015 MST CPE 5420 Key Management and Distribution 17

Symmetric Key Distribution Man-in-the-Middle Attack Egemen K. Çetinkaya D can eavesdrop & capture session key, alternative? 28 September 2015 MST CPE 5420 Key Management and Distribution 18

Symmetric Key Distribution Using Public-key Encryption Key exchange does not involve KDC Session key exchanged between initiator & responder Uses two separate public-keys 28 September 2015 MST CPE 5420 Key Management and Distribution 19

Symmetric Key Distribution Using Public-key Encryption Step 1: initiator requests session key from responder using initiator id, nonce A encrypted with B s public key Step 2: responder responds two nonce: nonce A and nonce B encrypted using A s public-key Step 3: initiator responds to nonce B encrypted using B s public-key this step confirms A is intended initiator from B s perspective Step 4: initiator sends session key encrypted with A s private key and B s public-key 28 September 2015 MST CPE 5420 Key Management and Distribution 20

Key Management and Distribution Public Key Distribution Symmetric key distribution Public key distribution X.509 certificates PKI 28 September 2015 MST CPE 5420 Key Management and Distribution 21

Public-Key Distribution Methods Egemen K. Çetinkaya What are the methods for public-key distribution? 28 September 2015 MST CPE 5420 Key Management and Distribution 22

Public-Key Distribution Methods Public announcement Publicly available directory Public-key authority Public-key certificates 28 September 2015 MST CPE 5420 Key Management and Distribution 23

Public-Key Distribution Public Announcement Users broadcast their public-key Disadvantage? 28 September 2015 MST CPE 5420 Key Management and Distribution 24

Public-Key Distribution Public Announcement Users broadcast their public-key User forgery anyone can claim to be A and encrypt/decrypt messages use of network resources for broadcasting 28 September 2015 MST CPE 5420 Key Management and Distribution 25

Public-Key Distribution Publicly Available Directory Authority maintains directory with {name, public-key} Participants register, replace, access directory Disadvantage? 28 September 2015 MST CPE 5420 Key Management and Distribution 26

Public-Key Distribution Publicly Available Directory Authority maintains directory with {name, public-key} Participants register, replace, access directory Single point of attack 28 September 2015 MST CPE 5420 Key Management and Distribution 27

Public-Key Distribution Public-key Authority Authority distributes public-keys using encrypted messages Public-keys can be cached in end-users memory Disadvantage? 28 September 2015 MST CPE 5420 Key Management and Distribution 28

Public-Key Distribution Public-key Authority Authority distributes public-keys using encrypted messages Public-keys can be cached in end-users memory Single point of attack and 7 steps 28 September 2015 MST CPE 5420 Key Management and Distribution 29

Public-Key Distribution Public-key Certificates Public-key authority could be bottleneck in system users contact authority for a public key for every other user Authority is vulnerable to tampering Certificates can be used to exchange keys without contacting a public-key authority without sacrificing security A certificate consists of: a public key an identifier of the key owner the whole block signed by a trusted third party 28 September 2015 MST CPE 5420 Key Management and Distribution 30

Public-Key Distribution Certificate Authority The trusted third party is a certificate authority trusted by the user community a government agency or a financial institution A user presents public key to obtain a certificate The user can then publish the certificate anyone can obtain the certificate and verify its validity Requirements: any participant can read a certificate any participant can verify that the certificate is authentic only certificate authority can create and update certificates any participant can verify the currency of the certificate 28 September 2015 MST CPE 5420 Key Management and Distribution 31

Public-Key Certificates Obtaining Certificates Users supply public-key to obtain certificate Application must be in person or some secure way Certification includes timestamp, id, public-key encrypted using private key of the authority 28 September 2015 MST CPE 5420 Key Management and Distribution 32

Public-Key Certificates Exchanging Certificates Initiator A sends the certificate to responder B Responder B decrypts the message using private-key of the authority Users have id, timestamp, and public-key Timestamp prevents replay attack timestamp serves as an expiration date 28 September 2015 MST CPE 5420 Key Management and Distribution 33

Key Management and Distribution X.509 Certificates Symmetric key distribution Public key distribution X.509 certificates PKI 28 September 2015 MST CPE 5420 Key Management and Distribution 34

X.509 Certificates Overview Recommendation International Standard ITU-T X.509 ISO/IEC 9594-8 Defines a framework for: public-key certificates attribute certificates These frameworks used by applications: Public Key Infrastructures (PKI) Privilege Management Infrastructures (PMI) Defines a framework that defines directory services directory is, in effect, a server or distributed set of servers that maintains a database of information about users 28 September 2015 MST CPE 5420 Key Management and Distribution 35

1988 1993 1997 2000 2005 2008 X.509 Certificates History 2012 http://www.itu.int/rec/t-rec-x.509 Latest version is V3 28 September 2015 MST CPE 5420 Key Management and Distribution 36

X.509 Certificates Usage X.509 defines framework for authentication services based on public-key cryptography and digital signatures does not dictate a specific algorithm but recommends RSA does not dictate a specific hash algorithm Each certificate contains the public key of a user key signed with private key of trusted certification authority Used in S/MIME, IPsec, SSL/TLS protocols 28 September 2015 MST CPE 5420 Key Management and Distribution 37

X.509 Certificates Generation of Public-key Certificate Egemen K. Çetinkaya 28 September 2015 MST CPE 5420 Key Management and Distribution 38

X.509 Certificates Certificate Creation Public-key certificates associated with each user User certificates created by Certification Authority, CA Placed in the directory by the CA or by the user Directory server itself is not responsible for creation of public keys certificate creation Directory provides certificates to users 28 September 2015 MST CPE 5420 Key Management and Distribution 39

X.509 Certificates Certificate Fields 1 CA<<A>> = CA {V, SN, AI, CA, UCA, A, UA, Ap, T A } Version Serial Number Algorithm ID Issuer Validity not before not after 28 September 2015 MST CPE 5420 Key Management and Distribution 40

Subject Subject Public Key Info public key algorithm subject public key X.509 Certificates Certificate Fields 2 Issuer Unique Identifier (optional) Subject Unique Identifier (optional) Extensions (optional)... Certificate Signature Algorithm Certificate Signature 28 September 2015 MST CPE 5420 Key Management and Distribution 41

X.509 Certificates Formats 28 September 2015 MST CPE 5420 Key Management and Distribution 42

X.509 Certificates Obtaining Certificate User certificates have the following characteristics: any user can verify the user public key that was certified with access to the public key of the CA only CA can modify certificate without this being detected Certificates are unforgeable they can be placed in a directory without protection Many CAs serving a fraction of users Chaining possible: suppose X 1 <<A>>, X 2 <<B>> CAs X 1 and X 2 exchanged their public keys; then X 1 <<X 2 >> X 1 <<X 2 >> X 2 <<B>> 28 September 2015 MST CPE 5420 Key Management and Distribution 43

X.509 Certificates Hierarchy Example A can obtain B s public key via the following path: X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>> 28 September 2015 MST CPE 5420 Key Management and Distribution 44

X.509 Certificates Certificate Revocation Each certificate includes a period of validity typically a new certificate is issued before old one expires Certificate revocation reasons: the user s private key is assumed to be compromised the user is no longer certified by this CA the CA s certificate is assumed to be compromised Each CA maintains a list of revoked certificates these lists should be posted on the directory 28 September 2015 MST CPE 5420 Key Management and Distribution 45

X.509 Certificates Certificate Revocation List Users maintain local cache of certificates and CRL 28 September 2015 MST CPE 5420 Key Management and Distribution 46

Certificates Practical Aspects Client browsers include a set of CA certificates Customers of a CA are server administrators e.g. financial institutions Important CAs Symantec bought Verisign Comodo SSL Go Daddy GlobalSign What are the issues in this model? [ref: Symantec.com] 28 September 2015 MST CPE 5420 Key Management and Distribution 47

Example scenario: Certificates Practical Aspects players: realbank, fakebank, user, CA fakebank applies CA obtains a certificate claiming to be realbank fakebank sends user e-mail asking credentials (phishing) Google fraudulent certificates for more cases Certification of CAs www.webtrust.org Certificate Authority Security Council (CASC) Common Computing Security Standards Forum (CCSF) CA/Browser Forum 28 September 2015 MST CPE 5420 Key Management and Distribution 48

Key Management and Distribution PKI Symmetric key distribution Public key distribution X.509 certificates PKI 28 September 2015 MST CPE 5420 Key Management and Distribution 49

Public-key Infrastructure Overview Public-key infrastructure (PKI): set of hardware, software, people, policies, and procedures create, manage, store, distribute, and revoke certificates based on asymmetric cryptography PKI aims to: secure, convenient, and efficient acquisition of public keys PKI based on X.509 is called PKIX by IETF; more on https://tools.ietf.org/html/draft-ietf-pkix-roadmap-09 PKIX key five elements: end entity, CA, RA: registration authority CRL issuer, repository 28 September 2015 MST CPE 5420 Key Management and Distribution 50

PKIX Architecture PKI mgmt. functions: reg, ini, cer, kpr, kpu, rr, cc 28 September 2015 MST CPE 5420 Key Management and Distribution 51

References and Further Reading [S2014] William Stallings, Cryptography and Network Security: Principles and Practice, 6th edition, Prentice Hall, 2014. [KPS2002] Charlie Kaufman, Radia Perlman, and Mike Speciner, Network Security: Private Communication in a Public World, 2nd edition, Prentice Hall, 2002. RFC 5280, RFC 3647 NIST SP 800-57 part 1: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf part 2: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-part2.pdf part 3: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part3_key-management_dec2009.pdf ITU-T X.509 unpublished version: http://www.ietf.org/mail-archive/web/wpkops/current/pdf9ygpivtdwl.pdf 28 September 2015 MST CPE 5420 Key Management and Distribution 52

End of Foils 28 September 2015 MST CPE 5420 Key Management and Distribution 53