Identity-Based Encryption Technology Overview Public Key Cryptography Without

Identity-Based Encryption Technology Overview Public Key Cryptography Without Certificates Mark J. Schertler

Identity-Based Encryption (IBE) } IBE is an old idea § § } Originally proposed by Adi Shamir, S in RSA, in 1984 Not possible to build an IBE system based on RSA First practical implementation § § Boneh-Franklin Algorithm published at Crypto 2001 Bilinear Maps (Pairings) on Elliptic Curves • § } Based on well-tested mathematical building blocks Public Key Algorithm used for Key Transport The IBE breakthrough is having major impact Now over 400 scientific publications on IBE and Pairing Based Cryptography § Major deployments in industry § } Standardization Efforts § § 2 IBE mathematics is being standardized in IEEE 1363. 3 IETF S/MIME Informational RFC

IBE Public Keys … Introduce This Elegance Public-key Encryption where Identities are used as Public Keys } IBE Public Key: alice@gmail. com } RSA Public Key: X Public exponent=0 x 10001 Modulus=13506641086599522334960321627880596993888147 560566702752448514385152651060485953383394028715 057190944179820728216447155137368041970396419174 304649658927425623934102086438320211037295872576 235850964311056407350150818751067659462920556368 552947521350085287941637732853390610975054433499 9811150056977236890927563 3

How IBE works in practice Alice sends a Message to Bob Key Server • Master Secret • Public Parameters 2 Receives 3 Private Key for bob@b. com Requests private key, authenticates bob@b. com alice@a. com 1 Alice encrypts with bob@b. com 4 Bob decrypts with Private Key 4

How IBE works in practice Alice sends a Message to Bob Key Server Fully off-line - no connection to server required bob@b. com charlie@c. com bob@b. com 1 Charlie encrypts with bob@b. com 5 Bob decrypts with Private Key 2

IBE Public Key Composition v 2 || public key definition version ibe-server. acme. com#1234 || server location and public parameter version week = 252 || key validity period bob@acme. com e-mail address 6

IBE Benefits Dynamic “As Needed” Public and Private Key Generation } } No pre-generation or distribution of certificates Built-in Key Recovery – No ADKs Allows content, SPAM, and virus scanning at enterprise boundary Facilitates archiving in the clear per SEC regulations Policy in the Public Key } } e. g. Key Validity Period No CRLs Dynamic Groups } Identities can be groups and roles; no re-issuing keys when group or role changes Minimal System State } } } Master Secret / Public Parameters (~50 KB) all you need for disaster recovery End user keys and message not stored on server Server scalability not limited by number of messages Benefits lead to: High system usability Highly scalable architecture Low operational impact Fully stateless operation 7

Public Key Infrastructure Certificate Server binds Identity to Public Key Certification Authority Certificate Server Store Certificate CA Signing Key CA Public Key Look up Bob’s Certificate, Check revocation Send Public Key, Authenticate Receive Certificate Recovery Server Store Bob’s Private Key CA Public Key alice@a. com 8 Bob’s Private Key Bob’s Public Key bob@b. com

Identity Based Encryption Binding of Identity to Key is implicit IBE Key Server Certificate Server X Look up Bob’s Certificate, Check revocation Store Certificate Master Secret Public Parameters Send Identity, Authenticate Receive Private Key X Recovery Server Store Bob’s Private Key Public Parameters alice@a. com 9 Bob’s Private Key bob@b. com

Adding IBE to CMSv 3 } Define Other. Recipient. Info Type for Recipient. Info in Enveloped Data § Based on CMSv 3 - RFC 3852 } Add IBE per RFC 3370 – CMS Algorithms } Create IBE algorithm Informational RFC similar to RFC 2313 - PKCS #1: RSA Encryption Version 1. 5 § 10 Could be IEEE 1363. 3 spec

CMSv 3 Recipient. Info : : = CHOICE { ktri Key. Trans. Recipient. Info, … ori [4] Other. Recipient. Info } Other. Recipient. Info : : = SEQUENCE { ori. Type OBJECT IDENTIFIER, ori. Value ANY DEFINED BY ori. Type } ori. Value ANY DEFINED BY ori. Type § § § Version Domain and Parameter Version (Server Location) Schema • • § 11 Validity Period Identity (RFC 822) Public Parameters

12

IBE Public Keys - Revocation and Expiration IBE Public Key: bob@wellsfargo. com || week = 252 e-mail address } key validity IBE Systems use short lived keys § § Every week public key changes, so every week a new private key must be retrieved by the client § } Public key contains key validity Refresh period is configurable This simplifies key revocation § § 13 Users removed from the directory, no longer get keys Above system is identical to a weekly CRL

User authentication Voltage can support any type of authentication Authentication needs differs by Application } } More sensitive data, requires stronger authentication Identity-Based Encryption scales across all levels Authentication Adapters } } } 14 PKI Smart Cards RSA Secur. ID LDAP, Active Directory Login/Password Email Answerback Username and password Voltage VSPS Auth. Service

The IBE Key Server Master Secret s = 1872361923616 378 Voltage Server Request for Private Key for Identity bob@b. com } Key Server has “Master Secret” to generate keys § § § 15 A random secret is picked when the server is set up Each organization has a different Master Secret Private key is generated from Master Secret and Identity

The IBE Security Model Master Secret and Public Parameters When the key server is set up: } Generate a random Master Secret } Derive Public Parameters from the master secret } Distribute Public Parameters to all clients (one time setup only) } Public Parameters are similar to a CA root certificate (long lived, bundled with software) During Operation: } Client uses Public Parameters in the encryption operation } Server uses Master Secret to generate private keys for users 16 IBE Key Server Master Secret 1238715613581 Public Parameters alice@a. com bob@b. com

Voltage Enables Perimeter Content Scanning Filtering Spam and Viruses with End-to-End Encryption INTERNET DMZ LAN Voltage IBE Gateway Server Encrypted email arrives } 17 1 Email is scanned 2 GW Archive Audit Virus GW Exchange, Domino, etc. User receives 3 encrypted email IBE’s on-the-fly key generation capability enables end-to-end encryption with content scanning § Filter for Viruses, Trojans, Spam, etc. § Allows archiving email for compliance, audit

IBE: Setting A New Standard In Security Current Efforts IBCS-1 Standard Other IBE Technology Study Group Working Group IEEE Study Group • Set structure of standard • Write Po. A Feb/2005 Post IEEE Standards • PBC/IBE Standard • Submit for ratification Mid 2005 > 2007 } Current efforts are supported by Bell Canada, CESG, Gemplus, HP Labs, Microsoft, NTT Do. Co. Mo, Nore. Tech, NSA, Siemens, STMicroelectronics } IEEE and NIST fast-tracking IBE for standardization § 18 } No other cryptographic algorithms have begun this process so quickly Voltage IBE Toolkit FIPS 140 -2 certified

Voltage: Proven Ease of Use } The easiest-to-use secure email: Seamless integration with leading mail clients § No-download send/receive through Zero Download Messenger § • No Java. Script, Active. X, or browser plugins Policy-based encryption at network edge § No change in user behavior § } Only secure messaging solution rated “Excellent” in usability by e. Week Labs “During my test of the system, it worked great. All a provider needed to do was send me an email encrypted based on my email address… It was simple and easy to operate. ” 19

Voltage: “Stateless” Architecture } Keys and messages are never stored on Voltage server § } Only one backup required for life of system § } Mail delivered using existing infrastructure Entire system can be recovered from single piece of data in minutes, whether 20 users or 20 million Messages can never be lost § § Administrator can decrypt messages at any point in future § } No separate message store to backup No ADKs required Full support for cleartext or encrypted archiving § 20 Easily meet message retention policies

Voltage: “Stateless” Architecture } Highly scalable New servers can be replicated from single backup § Servers never need to be synchronized § Can be load balanced using DNS § Built for enterprise- and carrier-class environments § } Strongest integration with network edge content scanning § 21 Only solution with end-to-end encryption with anti-virus, antispam, archiving

Voltage: Lowest Overhead } Leverages existing mail infrastructure Messages delivered using normal mail flow § No new webmail/parallel mail infrastructure to manage, scale § Other solutions are equivalent to running an entirely new Exchange/Notes system § } Self-provisioning authentication § } No need to select delivery methods § } Same messages can be viewed with client or Zero Download Messenger No additional headcount required § 22 No IT/administrative action required to enroll new users Voltage customers report 0. 1 FTE required

Identity-Based Encryption (IBE) } IBE is an old idea § } First practical implementation § § § } § Over 200 scientific publications on IBE/Pairings Dan Boneh awarded 2005 RSA Conference Award for Mathematics Standardization Efforts § § 23 Research funded by DARPA Boneh-Franklin Algorithm published at Crypto 2001 Based on well-tested building blocks for encryption: PKCS #7, S/MIME(CMS), 3 DES, AES, SHA-256, DSS, SSL Industry acceptance § } Originally proposed by Adi Shamir, co-inventor of the RSA Algorithm, in 1984 IBE being standardized by NIST and IEEE 1363. 3 IETF S/MIME?

Voltage IBE breakthrough Highest system usability } No certificates – no CRLs: ease of use for administrators and end users Lowest operational impact } No new directories or resources required to manage system Fully stateless operation } Keys dynamically generated – no storage required - simplifies disaster recovery, retention and backup Most flexible mobility architecture } Architected for “occasionally-connected” users: full online and offline usage Most scalable architecture } 24 Server scalability not limited by number of messages

25

IBE and PKI 1. Voltage Security 2. Identity-Based Encryption 3. IBE and PKI 1. Comparing IBE and PKI 2. Combining the Two 4. 5. 26 The future of IBE Voltage and the Do. D/DHS

Public Key Infrastructure } Working client side PKI Deployments are few Mainly government and defense § A few large companies § } These deployments have major issues Deployment Cost § Certificate Revocation § Content scanning is still an unsolved issue (e. g. for filtering mail for viruses, spam or audits) § Difficult to use § } Can IBE help? Ø 27 Yes, IBE solves many of the issues of PKI

Public Key Infrastructure Certificate Server binds Identity to Public Key Certification Authority Certificate Server Store Certificate CA Signing Key CA Public Key Look up Bob’s Certificate, Check revocation Send Public Key, Authenticate Receive Certificate Recovery Server Store Bob’s Private Key CA Public Key alice@a. com 28 Bob’s Private Key Bob’s Public Key bob@b. com

Identity Based Encryption Binding of Identity to Key is implicit IBE Key Server Certificate Server X Look up Bob’s Certificate, Check revocation Store Certificate Master Secret Public Parameters Send Identity, Authenticate Receive Private Key X Recovery Server Store Bob’s Private Key Public Parameters alice@a. com 29 Bob’s Private Key bob@b. com

IBE vs. PKI – Practical Implications } IBE has no Certificates and Certificate management § § § No certificate server No certificate lookups for the client No certificate (or key) revocation, CRLs, OCSP etc. • } Instead, IBE uses short-lived keys. PKI can’t do this because this would compound lookup problem PKI requires pre-enrollment In PKI, recipient must generate key pair before sender can encrypt message § IBE is Ad-Hoc capable, a sender can send message at any time § } IBE eliminates encryption key recovery/escrow server Most PKI applications require access to private keys (e. g. Lost keys, Financial Audit, Virus Filtering etc. ) § Key server can generate any key on the fly § 30

IBE and PKI – Strengths and Weaknesses Public Key Infrastructure (PKI) } } Expensive to deploy and run Requires pre-enrollment § } } Issuing certificates Works well for authentication Can be made highly secure through smart cards Identity-Based Encryption } Ad-hoc capable § § } Powerful for encryption § § } 31 requires no pre-enrollment software only no key-lookup revocation is easy Content scanning easy Where to use PKI } Inside the organization } For maximum security/high cost deployments } Mainly authentication and signing Where to use IBE } Inside or outside the organization } For any level of security } Where encryption/ privacy is important

Policy-Driven Encryption Who is it from? What company is it to? Who is it to? Does the sender want to encrypt? What does it say? 32

Policy-Based Encryption } Policy-based encryption Controlled by administrators § Automatically enforced based on message flow and/or content § Can also allow users to opt-in, or opt-out based on keywords (no client s/w) § } At the network edge § } 33 Encryption decision occurs at the boundary to minimize exposure and maximize transparency A powerful tool for compliance Sample Policies • Encrypt all traffic to xyz. com • Encrypt from john@co. com • Encrypt all e. PHI (lexicon) • Encrypt if subject contains “confidential” -OR • Encrypt all unless opt-out