Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide 25Slide 26Slide 27Slide 28Slide 29Slide 30Slide 31Slide 32Slide 33Slide 34Slide 35Slide 36Slide 37Slide 38Slide 39Slide 40Slide 41Slide 42Slide 43Slide 44Slide 45Slide 46Slide 47Slide 48Slide 49Slide 50Slide 51Slide 52Slide 53Slide 54Slide 55Slide 56Slide 57Slide 58Slide 59Slide 60Slide 61Slide 62Slide 63Slide 64Slide 65Slide 66Slide 67Slide 68Slide 69Slide 70Slide 71Slide 72Slide 73Slide 74Slide 75Slide 76Slide 77Slide 78Slide 79Slide 80Slide 81Slide 82Slide 83Slide #10-1Key ManagementCS498SHSpring 2006Based on slides provided by Matt Bishop for use with Computer Security: Art and Science, with assist from H. KhuranaSlide #10-2Reading•Chapter 10 in Computer Security: Art and ScienceSlide #10-3Key Management Motivation•Cryptographic security depends on keys–Size–Generation–Retrieval and Storage•Example–House security system no good if key or code is under the matSlide #10-4Overview•Key Generation•Key Exchange and management–Classical (symmetric)–Public/private•Digital Signatures•Key Storage (next time)Slide #10-5Notation•X Y : { Z || W } kX,Y–X sends Y the message produced by concatenating Z and W encrypted by key kX,Y, which is shared by users X and Y•A T : { Z } kA || { W } kA,T–A sends T a message consisting of the concatenation of Z encrypted using kA, A’s key, and W encrypted using kA,T, the key shared by A and T•r1, r2 nonces (nonrepeating random numbers)Slide #10-6Session and Interchange Keys•Long lived Interchange Keys only exist to boot strap•Short lived session keys used for bulk encryptionKb,KaKa,Kb{Ka,b}Ka{m1}Ka,bKa,bKa,bSlide #10-7Session and Interchange Keys•Alice wants to send a message m to Bob–Assume public key encryption–Alice generates a random cryptographic key ks and uses it to encrypt m•To be used for this message only•Called a session key–She encrypts ks with Bob’s public key kB•kB encrypts all session keys Alice uses to communicate with Bob•Called an interchange key–Alice sends { m } ks ||{ ks } kBSlide #10-8Benefits•Limits amount of traffic encrypt with single key–Standard practice, to decrease the amount of traffic an attacker can obtain•Prevents some attacks–Example: Alice will send Bob message that is either “BUY” or “SELL”. Eve computes possible ciphertexts { “BUY” } kB and { “SELL” } kB. Eve intercepts encrypted message, compares, and gets plaintext at onceSlide #10-9Key Generation•Goal: generate keys that are difficult to guess•Problem statement: given a set of K potential keys, choose one randomly–Equivalent to selecting a random number between 0 and K–1 inclusive•Why is this hard: generating random numbers–Actually, numbers are usually pseudo-random, that is, generated by an algorithmSlide #10-10What is “Random”?•Sequence of cryptographically random numbers: a sequence of numbers n1, n2, … such that for any integer k > 0, an observer cannot predict nk even if all of n1, …, nk–1 are known–Best: physical source of randomness•Random pulses•Electromagnetic phenomena•Characteristics of computing environment such as disk latency•Ambient background noiseSlide #10-11What is “Pseudorandom”?•Sequence of cryptographically pseudorandom numbers: sequence of numbers intended to simulate a sequence of cryptographically random numbers but generated by an algorithm–Very difficult to do this well•Linear congruential generators [nk = (ank–1 + b) mod n] broken•Polynomial congruential generators [nk = (ajnk–1j + … + a1nk–1 a0) mod n] broken too•Here, “broken” means next number in sequence can be determinedSlide #10-12Best Pseudorandom Numbers•Strong mixing function: function of 2 or more inputs with each bit of output depending on some nonlinear function of all input bits–Examples: DES, MD5, SHA-1, avalanche effect–Use on UNIX-based systems:(date; ps gaux) | md5where “ps gaux” lists all information about all processes on systemSlide #10-13Separate Channel•Ideally you have separate secure channel for exchanging keys–Direct secret sharing grows at N2Telephone, separate data network, ESP, sneaker netRegular data networkSlide #10-14Key Exchange Algorithms•Goal: Alice, Bob get shared key–All cryptosystems, protocols publicly known•Only secret data is the keys–Anything transmitted is assumed known to attacker•Key cannot be sent in clear as attacker can listen in–Options•Key can be sent encrypted, or derived from exchanged data plus data not known to an eavesdropper (Diffie-Hellman)•Alice, Bob may trust third partySlide #10-15Shared Channel•Generally separate channel is not practical–No trustworthy separate channel–Want to scale linearly with additional usersRegular data networkKey ExchangeKA,KB, … KZKAKBSlide #10-16Classical Key Exchange•Bootstrap problem: how do Alice, Bob begin?–Alice can’t send it to Bob in the clear!•Assume trusted third party, Cathy–Alice and Cathy share secret key kA–Bob and Cathy share secret key kB•Use this to exchange shared key ksSlide #10-17Simple ProtocolAliceCathy{ request for session key to Bob } kAAliceCathy{ ks } kA || { ks } kBAliceBob{ ks } kBEveBob{ ks } kBSlide #10-18Problems•How does Bob know he is talking to Alice?–Replay attack: Eve records message from Alice to Bob, later replays it; Bob may think he’s talking to Alice, but he isn’t–Session key reuse: Eve replays message from Alice to Bob, so Bob re-uses session key•Protocols must provide authentication and defense against replaySlide #10-19Needham-SchroederAlice CathyAlice || Bob || r1 Alice Cathy{ Alice || Bob || r1 || ks || { Alice || ks } kB } kAAlice Bob{ Alice || ks } kBAlice Bob{ r2 } ksAlice Bob{ r2 – 1 } ksAuRPAuAu + RPSlide #10-20Argument: Alice talking to Bob•Second message–Encrypted using key only she, Cathy knows•So Cathy encrypted it–Response to first message•As r1 in it matches r1 in first message•Third message–Alice knows only Bob can read it•As only Bob can derive session key from message–Any messages encrypted with that key are from BobSlide #10-21Argument: Bob talking to Alice•Third message–Encrypted using key only he, Cathy know•So Cathy encrypted it–Names Alice, session key•Cathy provided session key, says Alice is other
View Full Document
Unlocking...