Cryptographic Key Management - Royal Holloway - Free Download PDF

1m ago
2 Views
0 Downloads
816.42 KB
95 Pages
Transcription

Cryptographic KeyManagementDr Keith MartinInformation Security GroupRoyal Holloway, University of LondonUnited [email protected]

Aims of presentation Explain the importance of key management within acryptographic system Explore the various stages of a cryptographic keylifecycle Identify many of the challenges involved in providingeffective key management Demonstrate a number of different techniques forcryptographic key distribution Comment on some of the challenges ahead forresearch on key managementInformation Security Summer School, TWISC, 20062

Sections1.2.3.4.5.6.Basic cryptography (revision!!)Importance of key managementManagement of a cryptographic keyKey establishmentPublic key managementResearch challengesInformation Security Summer School, TWISC, 20063

1. Basic Cryptography(Revision!!)

Essence of information securityLet’s imagine first an old “computer free” office, whereeverything is done by telephone and paperwork.What are the basic security processes inthe physical world that help us to makesecurity decisions about information thatwe receive?Information Security Summer School, TWISC, 20065

Essence of information securityNow imagine a modern fully networked officeenvironment. Let’s suppose that nobody has implementedany information security controls.How do you identify the sender of a file?Can anyone else read an email that yousend to a colleague?How do you sign a contract?Is this a more secure environment than theold office?Information Security Summer School, TWISC, 20066

CryptographyCryptography is .“the art of secret writing”“the miraculous cure that will solve all computersecurity problems”“the recognised means of providing integrity,authentication and confidentiality services in anelectronic environment ”“A toolkit of primitives that can be assembledas essential components of a security system”Information Security Summer School, TWISC, 20067

A cipher systemSenderReceiverencryption keyplaintextEncryptionalgorithmdecryption orInformation Security Summer School, TWISC, 20068

Three important questions1. Can cryptography prevent a communication frombeing intercepted?2. Which of the following need to be kept secret?a)Encryption algorithmb)Decryption algorithmc)Encryption keyd)Decryption key3. Does using good encryption guarantee theconfidentiality of a message?Information Security Summer School, TWISC, 20069

Symmetric systemsIn symmetric cipher systems the decryption key is easilyobtained from the encryption key.We will thus assume that in a symmetric cipher systemthe encryption key and the decryption key are exactly thesame.All practical cipher systems prior to the 1980’s weresymmetric cipher systems. Indeed symmetric systemsare still heavily use today and there is no sign that theirpopularity is fading.Information Security Summer School, TWISC, 200610

Symmetric systemsLocking Information Security Summer School, TWISC, 2006Unlocking11

Public key systemsIn public key cipher systems it is computationallyinfeasible (in other words, practically impossible) todetermine the decryption key from the encryption key.In this case the encryption key and the decryption keymust be different.For this reason, public key cipher systems aresometimes referred to as asymmetric cipher systems.Information Security Summer School, TWISC, 200612

Public key systemsAnyone can lockInformation Security Summer School, TWISC, 2006Only a key holdercan unlock13

Role of the encryption keyWhat is the critical implication for thesecurity of the encryption key that differsbetween symmetric and public key ciphersystems?Information Security Summer School, TWISC, 200614

Which is better?The ability to make encryption keys public makes theconcept of public key cryptography seem extremelyattractive for a number of different applications.However public key cryptography comes with its ownset of problems.Symmetric and public key cipher systems are oftenboth implemented and used together in real systems.Information Security Summer School, TWISC, 200615

Other types of service Entity authentication– the assurance that a given entity is involved and currentlyactive in a communication session (sometimes referred to asidentification). Data integrity– the assurance that data has not been altered in anunauthorised (or accidental) manner since the time that thedata was last created, transmitted or stored by an authoriseduser. Data origin authentication– the assurance that a given entity was the original source ofsome data (sometimes referred to as message authentication). Non-repudiation– the assurance that an entity cannot deny any previouscommitments or actions (normally with respect to origin ofdata).Information Security Summer School, TWISC, 200616

ressedStreocamnciphiotersBitacHac omtinshmitehmetfununtactieongO rahscolsterceSInformation Security Summer School, TWISC, 200617

2. Importance of KeyManagement

Security is like a jigsaw puzzle Security Systems include:– Physical Security– Access Control– Auditability– Accountability– Network Security– Security Management– Policies, Standards and Procedures– Cryptography– Disaster RecoveryInformation Security Summer School, TWISC, 200619

Management of Cryptographic SystemsA cryptographic security system is a form of insurance and may costa considerable amount to purchase and to operate. Part of this costis the management of the system, which includes:Procedures and StandardsAudit Trail ManagementUser ManagementToken Management (e.g. smart cards)Key ManagementAccess ControlSecurity Violations InvestigationContingency PlanningMost organisations will have a dedicated Security Department,although all employees must take security seriously.Information Security Summer School, TWISC, 2006

Key Management“A chain is only as strong as its weakest link”The security of the system is dependent on the security of thekeys - regardless of algorithms, a security system withoutstrong management procedures and processes has no securityInformation Security Summer School, TWISC, 200621

What is Key Management?ANSI X9.17 (Financial Institutions Key Management –Wholesale, 1985):“.this standard establishes methods (including theprotocol) for the generation, exchange, use, storageand destruction of these secret keys. This standardnot only permits interoperability among financialinstitutions, but also permits interoperability betweenfinancial institutions and their wholesale customers.”Information Security Summer School, TWISC, 2006

Choice of Key Management System Usually determined by a combination of: Network topology (e.g. point-to-point, many-to-many) Cryptographic services (e.g. confidentiality, nonrepudiation) Cryptographic mechanisms (e.g. encryption, digitalsignature) Government restrictions may need to be taken intoaccount. Royalty and license payments may also be relevant. There is usually no “right” answer!Information Security Summer School, TWISC, 2006

Key Management StandardsThere are many international and national standards relating to keymanagement. For example:ANSI X9.17 / ISO 8732ANSI X9.24ETEBACS (France)AS2805.6.xx (Australia)APACS 40 & APACS 70 (UK)ISO 11166ISO 11568In addition, there are many proprietary key management systems, someclosely related to standards, some loosely related to standards andothers completely non-standard.NOTE: adherence to standards does not guarantee security!!!Information Security Summer School, TWISC, 2006

3. Management of acryptographic key

Stages in key managementKey generationKey establishmentKey destructionKey storageKey changeInformation Security Summer School, TWISC, 2006Key usage26

Key generationSymmetric keys: random or pseudo-random functions of passwords and PINs standard (ANSI X9.17) way to generate pseudorandom DES keys exclude weak and semi-weak keys some keys may need to be in component formAsymmetric keys: typically must meet some number-theoreticrequirements usually met by searching (so may take some timeto generate key set) may not be practical to generate own key setInformation Security Summer School, TWISC, 2006

Pseudorandom number generators should possess the properties:– Uncorrelated sequences– Long period– Uniformity– Efficiency For example:– Blum-Blum-ShubInformation Security Summer School, TWISC, 200628

Generation from passwords/PINs PKCS#5 Password Based CryptographyStandard Derived key f(P,S,C,L), where:– F key derivation function– P password or PIN– S salt (64 pseudorandom data bits)– C iteration counter ( 1000)– L length of derived key (bytes)Information Security Summer School, TWISC, 200629

Key lengthHow often should a key be changed? Single length DES key - frequently?Double or triple length DES key / AES key - occasionally/never?RSA key - ?RSA modulus (bits)512102420483072Exhaustive Key Search (bits)5680112128The “strength” of a key should be commensurate with the lifetime andimportance of the information that is being protected. In practice, thisrequirement may be impossible to achieve!Information Security Summer School, TWISC, 2006

Key storageSecret keys need to be stored securely: inside a tamper-resistant hardware security moduleon a smart card or other tokenencrypted with another key and stored on a databaseNotes: The third method above simply transfers the problem to theencrypting key. Storing plaintext keys in software is usually regarded asproviding a lower level of security than storing them in tamperprotected hardware. Keys may need to be archived for long periods of time (e.g. 7years in the case of the London Stock Exchange).Information Security Summer School, TWISC, 2006

Hardware security modules Secure key storage usually requires the use of a tamper-resistanthardware security device, such as a host security module or PCsecurity module. Usually some form of local master key (LMK) is stored inside thedevice and other keys, encrypted under the LMK, can be heldoutside the device, but submitted to the module when required tobe used. In some cases, all the keys may be held inside the securitymodule. The tamper-resistant features mean that all keys held inside themodule will be deleted from memory in the event of an attack onthe device. Back-up procedures for all keys held inside the security modulemust be in place!Information Security Summer School, TWISC, 2006

Hardware security modules Tamper-resistant features that may be used include:Micro-switchesElectronic meshPotting sensitive components in resinTemperature detectorsLight-sensitive diodesMovement / tilt detectorsVoltage / current detectorsSecure components (“security chips”) Note that many security modules are in physically secureenvironments (such as a computer centre) and so some of the abovefeatures may be regarded as unnecessary. However, devices (say)in a retail environment may need a high level of protection.Information Security Summer School, TWISC, 2006

Hardware security modules There are companies (such as TNO in Holland and T-Systems inGermany) that carry out evaluations of the physical protectionoffered by security modules. The ITSEC scheme (a joint initiative to evaluate security products)has not really taken off - it is expensive and time-consuming to geta product evaluated. The FIPS 140-2 standard provides four levels of approval forsecurity devices, including physical security - level 4 is extremelyhard to achieve.Remark:A paper published by Bond and Clayton (Cambridge) in 2002 showed how toextract keys from a FIPS level 4 certified device (an IBM 4758 security module),but this was really an attack on the device API rather than a physical attack onthe module.Information Security Summer School, TWISC, 2006

Local master keys Often generated and held in component form Components are combined inside the HSM Outside the HSM, the components should be storedseparately in physically secure locations The LMK is usually a strong key (for exampledouble-length DES or AES key) All other keys are encrypted with the LMK These other keys, encrypted with the LMK, can bestored safely outside the HSM on a databaseInformation Security Summer School, TWISC, 200635

Key change In all cryptographic systems there should be the facility to change keys.For instance: regular updates (planned) key compromise (unplanned) Many systems are designed so that it is extremely difficult andexpensive to change certain keys. In the case of compromise of sucha key, losses may include: cost of distributing new keycost of distributing new cardscost of investigation into the compromisecost of changing system and proceduresnon-quantifiable costs e.g. damage to reputation, loss of customer confidenceInformation Security Summer School, TWISC, 2006

Key destructionKeys, when no longer needed, must be destroyed in a securemanner. Simply deleting a key file is not sufficient.ANSI X9.17 (Section 3.6.1):“Paper-based keying materials shall be destroyed bycrosscut, shredding, burning or pulping. Keying materialstored on other media shall be destroyed so that it isimpossible to recover by physical or electronic means.”Information Security Summer School, TWISC, 2006

Key usageKeys must only be used for their intended purpose. Separation of keys istherefore required. Separation is enforced using a hardware securitymodule. For example: Storage-store key under a specified variantof a Master Key Distribution -use variant of key or variant of keyencrypting key for encryptionOther techniques: IBM Control Vectors Tagging of DES keys (uses the parity bits)Note: No universally accepted standards to achieve key separation.Information Security Summer School, TWISC, 2006

Example of key misuseFunction 1: Generate a 4 digit PIN by encrypting the accountnumber with a PIN Key, scanning the output forthe PIN and return the resulting PIN in encryptedform.Function 2: Generate an 8-character MAC using a MAC Key andreturn the resultant value.Misuse:Use Function 2 to generate a MAC over the accountnumber, using the PIN Key. The result is an 8character MAC, which will, with a probability ofabout 0.9, yield the PIN.Solution:Prevent a PIN Key from masquerading as a MAC key.Information Security Summer School, TWISC, 2006

Example of key masquerade In many systems different key types are stored encrypted underdifferent variants of a Storage Master Key (SMK), which (in theory)prevents a key from being misused. Such systems also tend to have export and import functions, to permita key to be exported (encrypted under a Transport Key (TK)) toanother system or imported (encrypted under a TK) from anothersystem. In order to allow interoperability between different vendors’ solutions,variants are not usually applied to the TK. Hence, the “bad guy” can simply export a key of one type fromencryption under a variant of the SMK to encryption under the TK andthen import the same key from encryption under the TK to encryptionunder a different SMK variant. This situation is permitted by the ANSI X9.17 standard!Information Security Summer School, TWISC, 2006

Example revisitedESMK(v1)(PIN Key)Export PIN KeyETK(PIN Key)Import PIN KeyESMK(v2)(PIN Key)ESMK(v2)(MAC Key)PIN Key now masquerading as aMAC keyInformation Security Summer School, TWISC, 2006

TR-31 Key block An ANSI sub-committee is currently defining a new key block, toensure that a key can only be used for its intended purpose. The key block should be usable for either key storage or keydistribution.Header(clear)OptionalHeader (clear)Key(encrypted)Authenticator(MAC) Header includes key usage, mode of use, exportability, algorithm. Key encrypted using a variant of the storage or distribution key, inCBC mode. Authenticator calculated using a different variant of thestorage/distribution key. Currently, only 3-DES supported (but extensions planned).Information Security Summer School, TWISC, 2006

4. Key establishment

Key establishment Key predistribution– All keying material issued in advance oninitialisation of the system Key distribution– “Trusted” entity involved in establishment ofkeys Key agreement– Communicating parties jointly establish keysInformation Security Summer School, TWISC, 200644

Manual key establishmentIn many situations top level keys need to be handledmanually. Such keys only exist outside HSMs in the formof at least two, usually three, components.Rules: Each bit of the key should depend on eachcomponent No person is ever in possession of more than onecomponent Components should be stored in separate locationsInformation Security Summer School, TWISC, 200645

Master/Session key scheme (I)Local Master Key (LMK)Key Encrypting Key (KEK)Data Key (DK)LMK:double length DES keymanual exchange, in component forminfrequent changeused to encrypt KEK(s) or DK(s) (but not both)KEK:optional keyelectronic distributiondouble length DES keyused to encrypt DK(s)DK:single or double length DES key“working key” - e.g. Encryption, MACing, etc.frequent changeelectronic distributionInformation Security Summer School, TWISC, 2006

Master/Session key scheme (2) For a simple point-to-point system, the Master/Sessionkey scheme is fine, but becomes unmanageable forlarge many-to-many systems. In such cases a Key Distribution Centre or KeyTranslation Centre may be used, so that each partyonly has a permanent keying relation with the Centreand yet can still communicate with other parties.The Centre must be trusted!Information Security Summer School, TWISC, 2006

Master/Session key scheme (3)Key KEKBC(DK)Key BGenerate DKInformation Security Summer School, TWISC, 2006EKEKBC(DK)

Key establishment requirementsSecurity requirementExplanationMutual entity authenticationDuring the key agreement process Alice and Bob are ableto verify each other’s identity to make sure that they knewwho they were agreeing a key withMutual data originauthenticationAt all times during the process Alice and Bob are able to besure that information being exchanges has come from theother party and not an attackerMutual key agreementAt the end of the process Alice and Bob should have agreedupon a symmetric keyKey confidentialityKey freshnessMutual key confirmationJoint key controlThe symmetric key that is finally agreed upon should at notime have been accessible to any other party than Alice andBobAt the end of the process Alice and Bob should be happythat the key that they have agreed upon is a fresh one, andnot one used beforeAt the end of the process Alice and Bob should have someevidence that they have both ended up with the same keyand that there have been no mistakes made at either endAt the end of the process Alice and Bob should be happy that theyboth had approximately equal involvement in the choice of key, andthat neither of them could have deliberately chosen a particular keyInformation Security Summer School, TWISC, 200649

ISO 9798-2 Example 8AliceTTPBob1M1 RB Text12M2 RA RB IDB Text2M3 Text5 EKAT( RA KAB IDB Text4 )3EKBT( RB KAB IDA Text3 )4M4 Text7 EKBT( RB KAB IDA Text3 ) EKAB( R'A RB Text6 )5M5 Text9 EKAB( RB R'A IDA Text8 )6Information Security Summer School, TWISC, 200650

Hybrid schemePublic KeyKK (optional)Use Public keyfor encrypting asymmetric KKor KDKD Particularly useful for many-to-many systems (e.g. SSL). Only RSA Public Keys need to be distributed - no need forsecrecy, but integrity is required. This is provided via the use of aPublic Key Certification Authority (CA).Information Security Summer School, TWISC, 2006

Kerberos / Single sign on (1)Principle: Alice uses

Basic cryptography (revision!!) 2. Importance of key management 3. Management of a cryptographic key 4. Key establishment ... lic K ey In fras truc ture s M e s s a g e a u t h e n t i c a t i o n c o d e s H a s h f u n cti o ns Block ciphe rs ... –Cryptography –Disaster Recovery. Information Security Summer School, TWISC, 2006