Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide 25Slide 26Slide 27Slide 28Slide 29Slide 30Slide 31Slide 32Slide 33Slide 34Slide 35Slide 36Slide 37Slide 38Slide 39Slide 40Slide 4115.1Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.Chapter 15Key Management15.2Objectives To explain the need for a key-distribution center To show how a KDC can create a session key To show how two parties can use a symmetric-key agreement protocol to create a session key To describe Kerberos as a KDC and an authentication protocolChapter 15 To explain the need for certification authorities for public keys To introduce the idea of a Public-Key Infrastructure (PKI) and explain some of its duties15.315-1 SYMMETRIC-KEY DISTRIBUTION15-1 SYMMETRIC-KEY DISTRIBUTIONSymmetric-key cryptography is more efficient than Symmetric-key cryptography is more efficient than asymmetric-key cryptography for enciphering large asymmetric-key cryptography for enciphering large messages. Symmetric-key cryptography, however, messages. Symmetric-key cryptography, however, needs a shared secret key between two parties. The needs a shared secret key between two parties. The distribution of keys is another problem.distribution of keys is another problem.15.1.1 Key-Distribution Center: KDC15.1.2 Session KeysTopics discussed in this section:Topics discussed in this section:15.415.1.1 Key-Distribution Center: KDCFigure 15.1 Key-distribution center (KDC)15.5Flat Multiple KDCs.15.1.1 ContinuedFigure 15.2 Flat multiple KDCs15.6Hierarchical Multiple KDCs15.1.1 ContinuedFigure 15.3 Hierarchical multiple KDCs15.7A KDC creates a secret key for each member. This secret key can be used only between the member and the KDC, not between two members. 15.1.2 Session KeysA session symmetric key between two parties is used only once.Note15.8A Simple Protocol Using a KDC15.1.2 ContinuedFigure 15.4 First approach using KDC15.9Needham-Schroeder Protocol15.1.2 ContinuedFigure 15.5 Needham-Schroeder protocol15.1015.1.2 ContinuedFigure 15.6 Otway-Rees protocolOtway-Rees Protocol15.1115-2 KERBEROS15-2 KERBEROSA backbone network allows several LANs to be A backbone network allows several LANs to be connected. In a backbone network, no station is connected. In a backbone network, no station is directly connected to the backbone; the stations are directly connected to the backbone; the stations are part of a LAN, and the backbone connects the LANs. part of a LAN, and the backbone connects the LANs. 15.2.1 Servers15.2.2 Operation15.2.3 Using Different Servers15.2.4 Kerberos Version 514.2.5 RealmsTopics discussed in this section:Topics discussed in this section:Kerberos is an authentication protocol, and at the same time a KDC, that has become very popular. Several systems, including Windows 2000, use Kerberos. Originally designed at MIT, it has gone through several versions.15.1215.2.1 ServersFigure 15.7 Kerberos servers15.13Authentication Server (AS)The authentication server (AS) is the KDC in the Kerberos protocol. 15.2.1 ContinuedTicket-Granting Server (TGS)The ticket-granting server (TGS) issues a ticket for the real server (Bob). Real ServerThe real server (Bob) provides services for the user (Alice).15.1415.2.2 OperationFigure 15.8 Kerberos example15.15Note that if Alice needs to receive services from different servers, she need repeat only the last four steps. 15.2.3 Using Different Servers15.16The minor differences between version 4 and version 5 are briefly listed below:15.2.4 Kerberos Version 51) Version 5 has a longer ticket lifetime.2) Version 5 allows tickets to be renewed.3) Version 5 can accept any symmetric-key algorithm.4) Version 5 uses a different protocol for describing data types.5) Version 5 has more overhead than version 4.15.17Kerberos allows the global distribution of ASs and TGSs, with each system called a realm. A user may get a ticket for a local server or a remote server.15.2.5 Realms15.1815-3 SYMMETRIC-KEY AGREEMENT15-3 SYMMETRIC-KEY AGREEMENTAlice and Bob can create a session key between Alice and Bob can create a session key between themselves without using a KDC. This method of themselves without using a KDC. This method of session-key creation is referred to as the symmetric-session-key creation is referred to as the symmetric-key agreement. key agreement. 15.3.1 Diffie-Hellman Key Agreement15.3.2 Station-to-Station Key AgreementTopics discussed in this section:Topics discussed in this section:15.1915.3.1 Diffie-Hellman Key AgreementFigure 15.9 Diffie-Hellman method15.2015.3.1 ContinuedThe symmetric (shared) key in the Diffie-Hellman method is K = gxy mod p.Note15.2115.3.1 ContinuedLet us give a trivial example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume that g = 7 and p = 23. The steps are as follows:Example 15.11. Alice chooses x = 3 and calculates R1 = 73 mod 23 = 21.2. Bob chooses y = 6 and calculates R2 = 76 mod 23 = 4.3. Alice sends the number 21 to Bob.4. Bob sends the number 4 to Alice.5. Alice calculates the symmetric key K = 43 mod 23 = 18.6. Bob calculates the symmetric key K = 216 mod 23 = 18.7. The value of K is the same for both Alice and Bob; gxy mod p = 718 mod 35 = 18.15.2215.3.1 ContinuedLet us give a more realistic example. We used a program to create a random integer of 512 bits (the ideal is 1024 bits). The integer p is a 159-digit number. We also choose g, x, and y as shown below:Example 15.215.23The following shows the values of R1, R2, and K.15.3.1 ContinuedExample 15.2Continued15.2415.3.1 ContinuedFigure 15.10 Diffie-Hellman idea15.25Security of Diffie-Hellman15.3.1 ContinuedDiscrete Logarithm AttackMan-in-the-Middle Attack15.2615.3.1 ContinuedFigure 15.11 Man-in-the-middle attack15.2715.3.2 Station-to-Station Key AgreementFigure 15.12 Station-to-station key agreement method15.2815-4 PUBLIC-KEY DISTRIBUTION15-4 PUBLIC-KEY DISTRIBUTIONIn asymmetric-key cryptography, people do not need to In asymmetric-key cryptography, people do not need