Public Key Management
Outline • Key management with asymmetric encryption • Diffie-Hellman key exchange
Key Management (public) • public-key encryption helps address key distribution problems • have two aspects of this: – distribution of public keys – use of public-key encryption to distribute secret keys
Distribution of Public Keys • can be considered as using one of: – Public announcement – Publicly available directory – Public-key authority – Public-key certificates
Public Announcement • users distribute public keys to recipients or broadcast to community at large – (e. g. post to a newsgroup) • major weakness is forgery • Weakness: anyone can create a key claiming to be someone else and broadcast it (impersonation attack)
Publicly available directory • Publicly available directory: Achieve greater security by registering keys with a public directory • Weakness: directory must be trusted and still vulnerable to forgery
Public key authorities improve security by tightening control over distribution of keys from directory has properties of directory and requires users to know public key for the directory then users interact with directory to obtain any desired public key securely does require real-time access to directory when keys are needed may be vulnerable to tampering
Public-Key Certificates • Certificates allow key exchange without real-time access to public-key authority • a certificate binds the identity (of the public key pair owner) to a public key – usually with other info such as period of validity, rights of use etc • with all contents signed by a trusted Public-Key or Certificate Authority (CA) • can be verified by anyone who knows CA’s public key • E. g. Cert. Alice = < IDAlice, SN, Expiry, PKAlice, Sig. CA(IDAlice, SN, Expiry, PKAlice) > • So each user only needs to maintain a valid CA’s public key
Public-Key Certificates Certificate Authority IDAlice, PKAlice Cert. Alice IDBob, PKBob Cert. Alice Cert. Bob Cert. Alice = < IDAlice, SN, Expiry, PKAlice, Sig. CA(IDAlice, SN, Expiry, PKAlice) >
Distribution of Secret Keys using Public Key
Distribution of Secret Keys using Public Key • public-key cryptography can be used for secrecy or authentication – but public-key algorithms are slow • We want to use symmetric key encryption algorithm encrypt bulk message – Because symmetric key encryption algorithms are hundreds of times faster than public key encryption algorithms • So two communicating parties usually 1. negotiate a symmetric key (called session key) with the help of public key algorithms 2. Then use the session key to encrypt messages 3. For each new session (e. g. login your online banking service again after closing the web browser), a new session key will be established.
Public-Key Distribution of Secret Keys Cert. Alice Cert. Bob … Alice session key negotiation Public key encrypted … Message flows Session key encrypted Bob
Diffie-Hellman Key Exchange • A Key Exchange Protocol: – provide a secure way for two communicating parties to share a symmetric key (so called a session key) – This session key is then used to provide privacy and authentication for subsequent message flow. – History: problem first posed by Merkle at UC Berkeley, Diffie and Hellman came up with the protocol: Alice a R Zp-1 Bob ga mod p gb mod p b R Zp-1 Shared Session Key = gab mod p • More details next…
Diffie-Hellman Key Exchange Setup • Alice and Bob agree on global parameters: – Large prime integer p (e. g. 1024 bits long) – g a primitive root • Alice – chooses a random positive integer: a < p – computes y. A = ga mod p • Bob does the same and generates y. B = gb mod p
Diffie-Hellman Key Exchange • Shared session key for Alice and Bob is KAB: KAB = ga b mod p = y. Ab mod p (which Bob can compute) = y. Ba mod p (which Alice can compute) • KAB will then be used as a session key in symmetric key algorithms between Alice and Bob • Attacker needs to find KAB from y. A and y. B – A difficult problem
Diffie-Hellman Key Exchange Example Alice and Bob want to carry out DH Key Exchange: 1. Agree on prime p=353 and g=3 2. Select random secret keys: – A chooses a = 97 – B chooses b = 233 3. Compute session key contributions – y. A = 397 mod 353 = 40 (Alice) – y. B = 3233 mod 353 = 248 (Bob) 4. Compute shared session key as: KAB = y. Ba mod 353 = 24897 mod 353 = 160 (Alice) KAB = y. Ab mod 353 = 40233 mod 353 = 160 (Bob)
Скачать презентацию Public Key Management Outline Key management
60f20c883545889be944c5f2e72bccc2.ppt