Cryptographic Key Management - Royal Holloway
Cryptographic KeyManagementDr Keith MartinInformation Security GroupRoyal Holloway, University of LondonUnited Kingdomkeith.martin@rhul.ac.uk
Aims of presentation Explain the importance of key management within acryptographic system Explore the various stages of a cryptographic keylifecycle Identify many of the challenges involved in providingeffective key management Demonstrate a number of different techniques forcryptographic key distribution Comment on some of the challenges ahead forresearch on key managementInformation Security Summer School, TWISC, 20062
Sections1.2.3.4.5.6.Basic cryptography (revision!!)Importance of key managementManagement of a cryptographic keyKey establishmentPublic key managementResearch challengesInformation Security Summer School, TWISC, 20063
1. Basic Cryptography(Revision!!)
Essence of information securityLet’s imagine first an old “computer free” office, whereeverything is done by telephone and paperwork.What are the basic security processes inthe physical world that help us to makesecurity decisions about information thatwe receive?Information Security Summer School, TWISC, 20065
Essence of information securityNow imagine a modern fully networked officeenvironment. Let’s suppose that nobody has implementedany information security controls.How do you identify the sender of a file?Can anyone else read an email that yousend to a colleague?How do you sign a contract?Is this a more secure environment than theold office?Information Security Summer School, TWISC, 20066
CryptographyCryptography is .“the art of secret writing”“the miraculous cure that will solve all computersecurity problems”“the recognised means of providing integrity,authentication and confidentiality services in anelectronic environment ”“A toolkit of primitives that can be assembledas essential components of a security system”Information Security Summer School, TWISC, 20067
A cipher systemSenderReceiverencryption keyplaintextEncryptionalgorithmdecryption orInformation Security Summer School, TWISC, 20068
Three important questions1. Can cryptography prevent a communication frombeing intercepted?2. Which of the following need to be kept secret?a)Encryption algorithmb)Decryption algorithmc)Encryption keyd)Decryption key3. Does using good encryption guarantee theconfidentiality of a message?Information Security Summer School, TWISC, 20069
Symmetric systemsIn symmetric cipher systems the decryption key is easilyobtained from the encryption key.We will thus assume that in a symmetric cipher systemthe encryption key and the decryption key are exactly thesame.All practical cipher systems prior to the 1980’s weresymmetric cipher systems. Indeed symmetric systemsare still heavily use today and there is no sign that theirpopularity is fading.Information Security Summer School, TWISC, 200610
Symmetric systemsLocking Information Security Summer School, TWISC, 2006Unlocking11
Public key systemsIn public key cipher systems it is computationallyinfeasible (in other words, practically impossible) todetermine the decryption key from the encryption key.In this case the encryption key and the decryption keymust be different.For this reason, public key cipher systems aresometimes referred to as asymmetric cipher systems.Information Security Summer School, TWISC, 200612
Public key systemsAnyone can lockInformation Security Summer School, TWISC, 2006Only a key holdercan unlock13
Role of the encryption keyWhat is the critical implication for thesecurity of the encryption key that differsbetween symmetric and public key ciphersystems?Information Security Summer School, TWISC, 200614
Which is better?The ability to make encryption keys public makes theconcept of public key cryptography seem extremelyattractive for a number of different applications.However public key cryptography comes with its ownset of problems.Symmetric and public key cipher systems are oftenboth implemented and used together in real systems.Information Security Summer School, TWISC, 200615
Other types of service Entity authentication– the assurance that a given entity is involved and currentlyactive in a communication session (sometimes referred to asidentification). Data integrity– the assurance that data has not been altered in anunauthorised (or accidental) manner since the time that thedata was last created, transmitted or stored by an authoriseduser. Data origin authentication– the assurance that a given entity was the original source ofsome data (sometimes referred to as message authentication). Non-repudiation– the assurance that an entity cannot deny any previouscommitments or actions (normally with respect to origin ofdata).Information Security Summer School, TWISC, 200616
ressedStreocamnciphiotersBitacHac omtinshmitehmetfununtactieongO rahscolsterceSInformation Security Summer School, TWISC, 200617
2. Importance of KeyManagement
Security is like a jigsaw puzzle Security Systems include:– Physical Security– Access Control– Auditability– Accountability– Network Security– Security Management– Policies, Standards and Procedures– Cryptography– Disaster RecoveryInformation Security Summer School, TWISC, 200619
Management of Cryptographic SystemsA cryptographic security system is a form of insurance and may costa considerable amount to purchase and to operate. Part of this costis the management of the system, which includes:Procedures and StandardsAudit Trail ManagementUser ManagementToken Management (e.g. smart cards)Key ManagementAccess ControlSecurity Violations InvestigationContingency PlanningMost organisations will have a dedicated Security Department,although all employees must take security seriously.Information Security Summer School, TWISC, 2006
Key Management“A chain is only as strong as its weakest link”The security of the system is dependent on the security of thekeys - regardless of algorithms, a security system withoutstrong management procedures and processes has no securityInformation Security Summer School, TWISC, 200621
What is Key Management?ANSI X9.17 (Financial Institutions Key Management –Wholesale, 1985):“.this standard establishes methods (including theprotocol) for the generation, exchange, use, storageand destruction of these secret keys. This standardnot only permits interoperability among financialinstitutions, but also permits interoperability betweenfinancial institutions and their wholesale customers.”Information Security Summer School, TWISC, 2006
Choice of Key Management System Usually determined by a combination of: Network topology (e.g. point-to-point, many-to-many) Cryptographic services (e.g. confidentiality, nonrepudiation) Cryptographic mechanisms (e.g. encryption, digitalsignature) Government restrictions may need to be taken intoaccount. Royalty and license payments may also be relevant. There is usually no “right” answer!Information Security Summer School, TWISC, 2006
Key Management StandardsThere are many international and national standards relating to keymanagement. For example:ANSI X9.17 / ISO 8732ANSI X9.24ETEBACS (France)AS2805.6.xx (Australia)APACS 40 & APACS 70 (UK)ISO 11166ISO 11568In addition, there are many proprietary key management systems, someclosely related to standards, some loosely related to standards andothers completely non-standard.NOTE: adherence to standards does not guarantee security!!!Information Security Summer School, TWISC, 2006
3. Management of acryptographic key
Stages in key managementKey generationKey establishmentKey destructionKey storageKey changeInformation Security Summer School, TWISC, 2006Key usage26
Key generationSymmetric keys: random or pseudo-random functions of passwords and PINs standard (ANSI X9.17) way to generate pseudorandom DES keys exclude weak and semi-weak keys some keys may need to be in component formAsymmetric keys: typically must meet some number-theoreticrequirements usually met by searching (so may take some timeto generate key set) may not be practical to generate own key setInformation Security Summer School, TWISC, 2006
Pseudorandom number generators should possess the properties:– Uncorrelated sequences– Long period– Uniformity– Efficiency For example:– Blum-Blum-ShubInformation Security Summer School, TWISC, 200628
Generation from passwords/PINs PKCS#5 Password Based CryptographyStandard Derived key f(P,S,C,L), where:– F key derivation function– P password or PIN– S salt (64 pseudorandom data bits)– C iteration counter ( 1000)– L length of derived key (bytes)Information Security Summer School, TWISC, 200629
Key lengthHow often should a key be changed? Single length DES key - frequently?Double or triple length DES key / AES key - occasionally/never?RSA key - ?RSA modulus (bits)512102420483072Exhaustive Key Search (bits)5680112128The “strength” of a key should be commensurate with the lifetime andimportance of the information that is being protected. In practice, thisrequirement may be impossible to achieve!Information Security Summer School, TWISC, 2006
Key storageSecret keys need to be stored securely: inside a tamper-resistant hardware security moduleon a smart card or other tokenencrypted with another key and stored on a databaseNotes: The third method above simply transfers the problem to theencrypting key. Storing plaintext keys in software is usually regarded asproviding a lower level of security than storing them in tamperprotected hardware. Keys may need to be archived for long periods of time (e.g. 7years in the case of the London Stock Exchange).Information Security Summer School, TWISC, 2006
Hardware security modules Secure key storage usually requires the use of a tamper-resistanthardware security device, such as a host security module or PCsecurity module. Usually some form of local master key (LMK) is stored inside thedevice and other keys, encrypted under the LMK, can be heldoutside the device, but submitted to the module when required tobe used. In some cases, all the keys may be held inside the securitymodule. The tamper-resistant features mean that all keys held inside themodule will be deleted from memory in the event of an attack onthe device. Back-up procedures for all keys held inside the security modulemust be in place!Information Security Summer School, TWISC, 2006
Hardware security modules Tamper-resistant features that may be used include:Micro-switchesElectronic meshPotting sensitive components in resinTemperature detectorsLight-sensitive diodesMovement / tilt detectorsVoltage / current detectorsSecure components (“security chips”) Note that many security modules are in physically secureenvironments (such as a computer centre) and so some of the abovefeatures may be regarded as unnecessary. However, devices (say)in a retail environment may need a high level of protection.Information Security Summer School, TWISC, 2006
Hardware security modules There are companies (such as TNO in Holland and T-Systems inGermany) that carry out evaluations of the physical protectionoffered by security modules. The ITSEC scheme (a joint initiative to evaluate security products)has not really taken off - it is expensive and time-consuming to geta product evaluated. The FIPS 140-2 standard provides four levels of approval forsecurity devices, including physical security - level 4 is extremelyhard to achieve.Remark:A paper published by Bond and Clayton (Cambridge) in 2002 showed how toextract keys from a FIPS level 4 certified device (an IBM 4758 security module),but this was really an attack on the device API rather than a physical attack onthe module.Information Security Summer School, TWISC, 2006
Local master keys Often generated and held in component form Components are combined inside the HSM Outside the HSM, the components should be storedseparately in physically secure locations The LMK is usually a strong key (for exampledouble-length DES or AES key) All other keys are encrypted with the LMK These other keys, encrypted with the LMK, can bestored safely outside the HSM on a databaseInformation Security Summer School, TWISC, 200635
Key change In all cryptographic systems there should be the facility to change keys.For instance: regular updates (planned) key compromise (unplanned) Many systems are designed so that it is extremely difficult andexpensive to change certain keys. In the case of compromise of sucha key, losses may include: cost of distributing new keycost of distributing new cardscost of investigation into the compromisecost of changing system and proceduresnon-quantifiable costs e.g. damage to reputation, loss of customer confidenceInformation Security Summer School, TWISC, 2006
Key destructionKeys, when no longer needed, must be destroyed in a securemanner. Simply deleting a key file is not sufficient.ANSI X9.17 (Section 3.6.1):“Paper-based keying materials shall be destroyed bycrosscut, shredding, burning or pulping. Keying materialstored on other media shall be destroyed so that it isimpossible to recover by physical or electronic means.”Information Security Summer School, TWISC, 2006
Key usageKeys must only be used for their intended purpose. Separation of keys istherefore required. Separation is enforced using a hardware securitymodule. For example: Storage-store key under a specified variantof a Master Key Distribution -use variant of key or variant of keyencrypting key for encryptionOther techniques: IBM Control Vectors Tagging of DES keys (uses the parity bits)Note: No universally accepted standards to achieve key separation.Information Security Summer School, TWISC, 2006
Example of key misuseFunction 1: Generate a 4 digit PIN by encrypting the accountnumber with a PIN Key, scanning the output forthe PIN and return the resulting PIN in encryptedform.Function 2: Generate an 8-character MAC using a MAC Key andreturn the resultant value.Misuse:Use Function 2 to generate a MAC over the accountnumber, using the PIN Key. The result is an 8character MAC, which will, with a probability ofabout 0.9, yield the PIN.Solution:Prevent a PIN Key from masquerading as a MAC key.Information Security Summer School, TWISC, 2006
Example of key masquerade In many systems different key types are stored encrypted underdifferent variants of a Storage Master Key (SMK), which (in theory)prevents a key from being misused. Such systems also tend to have export and import functions, to permita key to be exported (encrypted under a Transport Key (TK)) toanother system or imported (encrypted under a TK) from anothersystem. In order to allow interoperability between different vendors’ solutions,variants are not usually applied to the TK. Hence, the “bad guy” can simply export a key of one type fromencryption under a variant of the SMK to encryption under the TK andthen import the same key from encryption under the TK to encryptionunder a different SMK variant. This situation is permitted by the ANSI X9.17 standard!Information Security Summer School, TWISC, 2006
Example revisitedESMK(v1)(PIN Key)Export PIN KeyETK(PIN Key)Import PIN KeyESMK(v2)(PIN Key)ESMK(v2)(MAC Key)PIN Key now masquerading as aMAC keyInformation Security Summer School, TWISC, 2006
TR-31 Key block An ANSI sub-committee is currently defining a new key block, toensure that a key can only be used for its intended purpose. The key block should be usable for either key storage or keydistribution.Header(clear)OptionalHeader (clear)Key(encrypted)Authenticator(MAC) Header includes key usage, mode of use, exportability, algorithm. Key encrypted using a variant of the storage or distribution key, inCBC mode. Authenticator calculated using a different variant of thestorage/distribution key. Currently, only 3-DES supported (but extensions planned).Information Security Summer School, TWISC, 2006
4. Key establishment
Key establishment Key predistribution– All keying material issued in advance oninitialisation of the system Key distribution– “Trusted” entity involved in establishment ofkeys Key agreement– Communicating parties jointly establish keysInformation Security Summer School, TWISC, 200644
Manual key establishmentIn many situations top level keys need to be handledmanually. Such keys only exist outside HSMs in the formof at least two, usually three, components.Rules: Each bit of the key should depend on eachcomponent No person is ever in possession of more than onecomponent Components should be stored in separate locationsInformation Security Summer School, TWISC, 200645
Master/Session key scheme (I)Local Master Key (LMK)Key Encrypting Key (KEK)Data Key (DK)LMK:double length DES keymanual exchange, in component forminfrequent changeused to encrypt KEK(s) or DK(s) (but not both)KEK:optional keyelectronic distributiondouble length DES keyused to encrypt DK(s)DK:single or double length DES key“working key” - e.g. Encryption, MACing, etc.frequent changeelectronic distributionInformation Security Summer School, TWISC, 2006
Master/Session key scheme (2) For a simple point-to-point system, the Master/Sessionkey scheme is fine, but becomes unmanageable forlarge many-to-many systems. In such cases a Key Distribution Centre or KeyTranslation Centre may be used, so that each partyonly has a permanent keying relation with the Centreand yet can still communicate with other parties.The Centre must be trusted!Information Security Summer School, TWISC, 2006
Master/Session key scheme (3)Key KEKBC(DK)Key BGenerate DKInformation Security Summer School, TWISC, 2006EKEKBC(DK)
Key establishment requirementsSecurity requirementExplanationMutual entity authenticationDuring the key agreement process Alice and Bob are ableto verify each other’s identity to make sure that they knewwho they were agreeing a key withMutual data originauthenticationAt all times during the process Alice and Bob are able to besure that information being exchanges has come from theother party and not an attackerMutual key agreementAt the end of the process Alice and Bob should have agreedupon a symmetric keyKey confidentialityKey freshnessMutual key confirmationJoint key controlThe symmetric key that is finally agreed upon should at notime have been accessible to any other party than Alice andBobAt the end of the process Alice and Bob should be happythat the key that they have agreed upon is a fresh one, andnot one used beforeAt the end of the process Alice and Bob should have someevidence that they have both ended up with the same keyand that there have been no mistakes made at either endAt the end of the process Alice and Bob should be happy that theyboth had approximately equal involvement in the choice of key, andthat neither of them could have deliberately chosen a particular keyInformation Security Summer School, TWISC, 200649
ISO 9798-2 Example 8AliceTTPBob1M1 RB Text12M2 RA RB IDB Text2M3 Text5 EKAT( RA KAB IDB Text4 )3EKBT( RB KAB IDA Text3 )4M4 Text7 EKBT( RB KAB IDA Text3 ) EKAB( R'A RB Text6 )5M5 Text9 EKAB( RB R'A IDA Text8 )6Information Security Summer School, TWISC, 200650
Hybrid schemePublic KeyKK (optional)Use Public keyfor encrypting asymmetric KKor KDKD Particularly useful for many-to-many systems (e.g. SSL). Only RSA Public Keys need to be distributed - no need forsecrecy, but integrity is required. This is provided via the use of aPublic Key Certification Authority (CA).Information Security Summer School, TWISC, 2006
Kerberos / Single sign on (1)Principle: Alice uses
Basic cryptography (revision!!) 2. Importance of key management 3. Management of a cryptographic key 4. Key establishment . lic K ey In fras truc ture s M e s s a g e a u t h e n t i c a t i o n c o d e s H a s h f u n cti o ns Block ciphe rs . –Cryptography –Disaster Recovery. Information Security Summer School, TWISC, 2006
The Barracuda Cryptographic Software Module is a cryptographic software library that provides fundamental cryptographic functions for applications in Barracuda security products that use Barracuda OS v2.3.4 and require FIPS 140-2 approved cryptographic functions. The FIPS 140-2 validation of the Barracuda Cryptographic Software
Clyde Holloway's Nursery, LLC Established 1968 Holloway's Nursery is a wholesale and retail nursery providing quality plants nationwide. We are a mid-sized nursery with millions of plants in stock. Our nursery is open to the public if you would like to place your order for pick-up or delivery (where available). We ship full and partial loads.
these applications also support Kerberized connections. For the purposes of FIPS- 140- 2 validation the Module is classified as a multi-chip stand-alone Module. 2.2 Cryptographic Boundary The logical cryptographic boundary for the Module is the library itself. An in-core memory cryptographic digest (HMAC-SHA-1) is computed on the Cryptographic
Key Exchange (KE) is a fundamental cryptographic primitive, allowing two parties to securely generate a common secret key over an insecure network. Because symmetric cryptographic tools (e.g. AES) are reliant on both parties having a shared key in order to securely transmit data, KE is one of the most used cryptographic tools in building
University of Oslo Spring 2016 Lecture 6 Key Management and PKI Audun Jøsang Key Management The strength of cryptographic security depends on: 1. The size of the keys 2. The robustness of cryptographic algorithms/protocols 3. The protection and management afforded to the keys Key management provides the foundation for the secure
Security Requirements Specification Level Cryptographic Module Specification 1 Module Ports and Interfaces 1 Roles, Services, and Authentication 1 Finite State Model 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-T
the Royal Regiment of scotland Colonel in Chief Her Majesty The Queen Royal Colonels: The Royal Scots Borderers HRH The Princess Royal The Royal Highland Fusiliers HRH The Prince Andrew The Black Watch HRH The Duke of Rothesay The Highlanders HRH The Duke of Edinburgh The Argyll and Sutherland Highlanders, HM The Queen 52nd Lowland, 6th Battalion
The purpose of this tutorial is to familiarize the beginner to MATLAB, by introducing the basic features and commands of the program. It is in no way a complete reference and the reader is encouraged to further enhance his or her knowledge of MATLAB by reading some of the suggested references at the end of this guide. 1.1 MATLAB at Loyola College MATLAB runs from ANY networked computer (e.g .
