NET3106 – Network Security
Lecturer: Houshyar Honar Pajooh
Room Number: AE-3-28 (University Building - East)
Email: houshyarh@sunway.edu.my
Sunway University | NET3106 Network Security | Houshyar Honar Pajooh | Aug 2022
SENSITIVE
WEEK (10)
Cryptographic Key Management and Distribution
Contents
• Key Distribution and Management
– Symmetric Key Distribution using Symmetric Encryption
– Symmetric Key Distribution using Asymmetric Encryption
– Distribution of Public Keys
• Digital Certificates
– X.509 Certificates
Key Management
• Challenges
– How to share a secret key?
– How to obtain someone else’s public key?
– When to change keys?
• Assumptions and Principles
– Many users wish to communicate securely across the network
– An attacker can intercept traffic at any location in the network
– Manual interactions between users are undesirable (e.g. physical exchange of keys)
– The more times a key is used, the greater the chance that an attacker discovers the key
Cryptographic Key Management
• The secure use of cryptographic key algorithms depends on the
protection of the cryptographic keys
• Cryptographic key management is the process of administering or
managing cryptographic keys for a cryptographic system
– It involves the generation, creation, protection, storage,
exchange, replacement, and use of keys and enables selective
restriction for certain keys
• In addition to access restriction, key management also involves the
monitoring and recording of each key’s access, use, and context
• A key management system will also include key servers, user
procedures, and protocols
• The security of the cryptosystem is dependent upon successful key
management
Key Distribution Technique
• Term that refers to the means of delivering a key to two parties
who wish to exchange data without allowing others to see the
key
• For symmetric encryption to work, the two parties to an
exchange must share the same key, and that key must be
protected from access by others
• Frequent key changes are desirable to limit the amount of data
compromised if an attacker learns the key
Where Should Encryption Be Performed?
• Number of keys to be exchanged depends on number of entities wishing to communicate
• Related issue: where to perform encryption
• Encrypt separately across each link
• Encrypt only at end-points
– Link Encryption
▪ Encrypt data over individual links in network
▪ Each link end-point shares a secret key
▪ Decrypt/Encrypt at each device in path
▪ Requires all links/devices to support encryption
– End-to-End Encryption
▪ Encrypt data at network end-points (e.g. hosts or applications)
▪ Each pair of hosts/applications share a secret key
▪ Does not rely on intermediate network devices
Symmetric Key Distribution
• Given parties A and B, key distribution can be achieved in a number of
ways:
– A can select a key and physically deliver it to B
– A third party can select the key and physically deliver it to A and B
– If A and B have previously and recently used a key, one party can
transmit the new key to the other, encrypted using the old key
– If A and B each has an encrypted connection to a third party C, C
can deliver a key on the encrypted links to A and B
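The fourth option above (a third party C delivering a key to A and B over encrypted links), as an added example that is not part of the original slides: C wraps one fresh session key under each party's master key. The names `KeyCenter`, `wrap` and `unwrap` are this example's own, and the HMAC-SHA256 counter-mode construction is a standard-library stand-in for a real cipher such as AES.

```python
import hashlib, hmac, secrets

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: stand-in for a real cipher (assumption of this example).
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(d ^ s for d, s in zip(data, stream))

def _tag(master, context, nonce, ct):
    # The length prefix keeps the context from running into the nonce.
    return _prf(_prf(master, b"mac"), len(context).to_bytes(2, "big") + context + nonce + ct)

def wrap(master, session_key, context):
    """Encrypt-then-MAC a session key under a long-term master key."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(master, b"enc"), nonce, session_key)
    return nonce + ct + _tag(master, context, nonce, ct)

def unwrap(master, blob, context):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(master, context, nonce, ct)):
        raise ValueError("wrapped key rejected: wrong master key, wrong pair, or tampering")
    return _xor_stream(_prf(master, b"enc"), nonce, ct)

class KeyCenter:
    """Party C: shares one master key with every enrolled party."""
    def __init__(self):
        self._masters = {}

    def enroll(self, name):
        # Assumed to happen once, out of band (e.g. physical delivery).
        self._masters[name] = secrets.token_bytes(32)
        return self._masters[name]

    def issue(self, a, b):
        """Fresh session key for the pair (a, b), wrapped separately for each."""
        ks, ctx = secrets.token_bytes(32), f"{a}|{b}".encode()
        return wrap(self._masters[a], ks, ctx), wrap(self._masters[b], ks, ctx)

if __name__ == "__main__":
    c = KeyCenter()
    ka, kb = c.enroll("A"), c.enroll("B")
    for_a, for_b = c.issue("A", "B")
    print(unwrap(ka, for_a, b"A|B") == unwrap(kb, for_b, b"A|B"))
```

Because every call to `issue` produces a new session key, the master keys encrypt only other keys and the amount of data exposed by any one session key stays small.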
Figure 15.1 Key Distribution Between Two Communicating Entities
Figure 15.2 Symmetric Key Hierarchy
Figure 15.3 Simple Use of Public-Key Encryption to Establish a Session Key
Figure 15.4 Another Man-in-the-Middle Attack
Figure 15.5 Public-Key Distribution of Secret Keys
Figure 15.6 Uncontrolled Public-Key Distribution
Figure 15.7 Public-Key Publication
Figure 15.8 Public-Key Distribution Scenario
Figure 15.9 Exchange of Public-Key Certificates
X.509 Certificates
• Part of the X.500 series of recommendations that define a directory service
– The directory is, in effect, a server or distributed set of servers that
maintains a database of information about users
• X.509 defines a framework for the provision of authentication services by the
X.500 directory to its users
– Was initially issued in 1988 with the latest revision in 2016
– Based on the use of public-key cryptography and digital signatures
– Does not dictate the use of a specific algorithm but recommends RSA
– Does not dictate a specific hash algorithm
• Each certificate contains the public key of a user and is signed with the
private key of a trusted certification authority
• X.509 defines alternative authentication protocols based on the use of
public-key certificates
Figure 15.10 X.509 Public-Key Certificate Use
Certificates
Created by a trusted Certification Authority (CA) and have the following
elements:
• Version
• Serial number
• Signature algorithm identifier
• Issuer name
• Period of validity
• Subject name
• Subject’s public-key information
• Issuer unique identifier
• Subject unique identifier
• Extensions
• Signature
Figure 15.11 X.509 Formats
Obtaining a Certificate
• User certificates generated by a CA have the following characteristics:
– Any user with access to the public key of the CA can verify the user
public key that was certified
– No party other than the certification authority can modify the certificate
without this being detected
• Because certificates are unforgeable, they can be placed in a directory
without the need for the directory to make special efforts to protect them
– In addition, a user can transmit his or her certificate directly to other
users
• Once B is in possession of A’s certificate, B has confidence that messages it
encrypts with A’s public key will be secure from eavesdropping and that
messages signed with A’s private key are unforgeable
Figure 15.12 X.509 Hierarchy: A Hypothetical Example
Certificate Revocation
• Each certificate includes a period of validity
– Typically a new certificate is issued just before the expiration
of the old one
• It may be desirable on occasion to revoke a certificate before it
expires, for one of the following reasons:
– The user’s private key is assumed to be compromised
– The user is no longer certified by this CA
– The CA’s certificate is assumed to be compromised
• Each CA must maintain a list consisting of all revoked but not
expired certificates issued by that CA
– These lists should be posted on the directory
X.509 Version 3
• Version 2 format does not convey all of the information that recent design
and implementation experience has shown to be needed
• Rather than continue to add fields to a fixed format, standards developers
felt that a more flexible approach was needed
– Version 3 includes a number of optional extensions
• The certificate extensions fall into three main categories:
– Key and policy information
– Subject and issuer attributes
– Certification path constraints
Each extension consists of:
• An extension identifier
• A criticality indicator
• An extension value
Key and Policy Information
• These extensions convey additional information about the subject and issuer
keys plus indicators of certificate policy
• A certificate policy is a named set of rules that indicates the applicability of a
certificate to a particular community and/or class of application with
common security requirements
• Included are:
– Authority key identifier
– Subject key identifier
– Key usage
– Private-key usage period
– Certificate policies
– Policy mappings
Certificate Subject and Issuer Attributes
• These extensions support alternative names, in alternative formats,
for a certificate subject or certificate issuer
• Can convey additional information about the certificate subject to
increase a certificate user’s confidence that the certificate subject is a
particular person or entity
• The extension fields in this area include:
– Subject alternative name
– Issuer alternative name
– Subject directory attributes
Certification Path Constraints
• These extensions allow constraint specifications to be included
in certificates issued for CAs by other CAs
• The constraints may restrict the types of certificates that can be
issued by the subject CA or that may occur subsequently in a
certification chain
• The extension fields in this area include:
– Basic constraints
– Name constraints
– Policy constraints
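The checks a certificate user makes on a certification path, covering the period of validity, revocation lists, the criticality indicator and the basic constraints extension described above, as an added example that is not part of the original slides. The `Cert` model, its field names and the sample names are this example's own, and signature verification is assumed to be done separately.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Cert:
    """Simplified certificate model; field names are this example's own."""
    serial: int
    issuer: str
    subject: str
    not_before: datetime
    not_after: datetime
    is_ca: bool = False                # basic constraints: may the subject issue certificates?
    path_len: Optional[int] = None     # basic constraints: max CA certificates allowed below
    critical: frozenset = frozenset()  # identifiers of extensions marked critical

UNDERSTOOD = {"basicConstraints", "keyUsage"}  # extensions this verifier can process

def check_path(chain, revoked, now):
    """chain runs end entity first, trust anchor last; revoked maps an issuer name
    to the serials on its revocation list. Signatures are assumed checked elsewhere."""
    problems = []
    for i, cert in enumerate(chain):
        who = f"{cert.subject} #{cert.serial}"
        if not cert.not_before <= now <= cert.not_after:
            problems.append(f"{who}: outside period of validity")
        if cert.serial in revoked.get(cert.issuer, ()):
            problems.append(f"{who}: revoked by {cert.issuer}")
        if cert.critical - UNDERSTOOD:
            problems.append(f"{who}: unrecognised critical extension")
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            problems.append(f"{who}: issuer does not match next certificate")
        if i > 0:  # this certificate signed the one before it, so it must be a CA
            if not cert.is_ca:
                problems.append(f"{who}: not a CA but used as an issuer")
            elif cert.path_len is not None and i - 1 > cert.path_len:
                problems.append(f"{who}: path length constraint exceeded")
    return problems

def sample_chain():
    """Constructed test data: end entity <- intermediate CA <- root CA."""
    t0, t1 = (datetime(y, 1, 1, tzinfo=timezone.utc) for y in (2022, 2023))
    return [
        Cert(1001, "Example Issuing CA", "alice.example", t0, t1),
        Cert(7, "Example Root CA", "Example Issuing CA", t0, t1, True, 0,
             frozenset({"basicConstraints"})),
        Cert(1, "Example Root CA", "Example Root CA", t0, t1, True),
    ]
```

An empty list from `check_path` means the path passed these checks; the path length test is what stops an end-entity certificate, or a CA limited to issuing end-entity certificates, from extending the chain.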
Figure 15.13 PKI Scenario
Summary
• Discuss the concept of a key hierarchy
• Understand the issues involved in using asymmetric encryption
to distribute symmetric keys
• Present an overview of public-key infrastructure concepts
• Present an overview of approaches to public-key distribution
and analyze the risks involved in various approaches
• List and explain the elements in an X.509 certificate