Key Establishment, Management and Certification
Key establishment is any process whereby a shared secret key becomes available to two or more parties, for subsequent cryptographic use.
Key management is the set of processes and mechanisms which support key establishment and the maintenance of ongoing keying relationships between parties, including replacing older keys with new keys as necessary.
Key establishment can be broadly subdivided into key agreement and key transport. Many and various protocols have been proposed to provide key establishment.
A major issue when using symmetric-key techniques is the establishment of pairwise secret keys. This becomes more evident when considering a network of entities, any two of which may wish to communicate. In a network of six entities, the arrowed edges of the diagram indicate the 15 possible two-party communications which could take place. Since each pair of entities wishes to communicate, this small network requires the secure exchange of $\binom{6}{2} = 15$ key pairs. In a network with n entities, the number of secure key exchanges required is $\binom{n}{2} = n(n-1)/2$.
The network diagram depicted is simply the amalgamation of 15 two-party communications. In practice, networks are very large and key management is a crucial issue. There are a number of ways to handle this problem. Two simplistic methods are discussed: one based on symmetric-key techniques and the other on public-key techniques.
Key management through symmetric-key techniques
One solution which employs symmetric-key techniques involves an entity in the network which is trusted by all other entities. This entity is referred to as a trusted third party (TTP). Each entity Ai shares a distinct symmetric key ki with the TTP. These keys are assumed to have been distributed over a secured channel. If two entities, say A1 and A5, subsequently wish to communicate, the TTP generates a key k (sometimes called a session key) and sends it to each of them encrypted under their respective fixed keys k1 and k5.
Advantages:
1. It is easy to add and remove entities from the network.
2. Each entity needs to store only one long-term secret key.
Disadvantages:
1. All communications require initial interaction with the TTP.
2. The TTP must store n long-term secret keys.
3. The TTP has the ability to read all messages.
4. If the TTP is compromised, all communications are insecure.
Key management through public-key techniques
There are a number of ways to address the key management problem through public-key techniques. Each entity in the network has a public/private encryption key pair. The public key along with the identity of the entity is stored in a central repository called a public file. If an entity A1 wishes to send encrypted messages to entity A6, A1 retrieves the public key e6 of A6 from the public file, encrypts the message using this key, and sends the ciphertext to A6.
Advantages:
1. No trusted third party is required.
2. The public file could reside with each entity.
3. Only n public keys need to be stored to allow secure communications between any pair of entities, assuming the only attack is that by a passive adversary.
The key management problem becomes more difficult when one must take into account an adversary who is active (i.e. an adversary who can alter the public file containing public keys).
To prevent this type of attack, the entities may use a TTP to certify the public key of each entity. The TTP has a private signing algorithm ST and a verification algorithm VT assumed to be known by all entities. The TTP carefully verifies the identity of each entity, and signs a message consisting of an identifier and the entity's authentic public key. This is a simple example of a certificate, binding the identity of an entity to its public key. A1 then uses the public key of A6 only if the certificate signature verifies successfully.
Advantages of using a TTP to maintain the integrity of the public file include:
1. It prevents an active adversary from impersonation on the network.
2. The TTP cannot monitor communications. Entities need only trust the TTP to bind identities to public keys properly.
3. Per-communication interaction with the public file can be eliminated if entities store certificates locally.
Even with a TTP, some concerns still remain:
1. If the signing key of the TTP is compromised, all communications become insecure.
2. All trust is placed with one entity.
Trusted third parties and public-key certificates
The trust placed in a TTP varies with the way it is used, and hence motivates the following classification.
A TTP is said to be unconditionally trusted if it is trusted on all matters. For example, it may have access to the secret and private keys of users, as well as be charged with the association of public keys to identifiers.
A TTP is said to be functionally trusted if the entity is assumed to be honest and fair but it does not have access to the secret or private keys of users.
The distribution of public keys is generally easier than that of symmetric keys, since secrecy is not required. However, the integrity (authenticity) of public keys is critical.
A public-key certificate consists of a data part and a signature part. The data part consists of the name of an entity, the public key corresponding to that entity, possibly additional relevant information (e.g., the entity's street or network address, a validity period for the public key, and various other attributes). The signature part consists of the signature of a TTP over the data part.
In order for an entity B to verify the authenticity of the public key of an entity A, B must have an authentic copy of the public signature verification function of the TTP. For simplicity, assume that the authenticity of this verification function is provided to B by non-cryptographic means, for example by B obtaining it from the TTP in person. B can then carry out the following steps:
1. Acquire the public-key certificate of A over some unsecured channel, either from a central database of certificates, from A directly, or otherwise.
2. Use the TTP's verification function to verify the TTP's signature on A's certificate.
3. If this signature verifies correctly, accept the public key in the certificate as A's authentic public key; otherwise, assume the public key is invalid.
Before creating a public-key certificate for A, the TTP must take appropriate measures to verify the identity of A and the fact that the public key to be certified actually belongs to A. One method is to require that A appear before the TTP with a conventional passport as proof of identity, and obtain A's public key from A in person along with evidence that A knows the corresponding private key. Once the TTP creates a certificate for a party, the trust that all other entities have in the authenticity of the TTP's public key can be used transitively to gain trust in the authenticity of that party's public key, through acquisition and verification of the certificate.
Classes of attacks and security models
Over the years, many different types of attacks on cryptographic primitives and protocols have been identified. The discussion here limits consideration to attacks on encryption and protocols. The attacks these adversaries can mount may be classified as follows:
1. A Passive attack is one where the adversary only monitors the communication channel. A passive attacker only threatens confidentiality of data.
2. An Active attack is one where the adversary attempts to delete, add, or in some other way alter the transmission on the channel. An active attacker threatens data integrity and authentication as well as confidentiality.
A passive attack can be further subdivided into more specialized attacks for deducing plaintext from ciphertext.
Attacks on encryption schemes
The objective of the following attacks is to systematically recover plaintext from ciphertext, or even more drastically, to deduce the decryption key.
1. A Ciphertext-only attack is one where the adversary (or cryptanalyst) tries to deduce the decryption key or plaintext by only observing ciphertext. Any encryption scheme vulnerable to this type of attack is considered to be completely insecure.
2. A Known-plaintext attack is one where the adversary has a quantity of plaintext and corresponding ciphertext. This type of attack is typically only marginally more difficult to mount.
3. A Chosen-plaintext attack is one where the adversary chooses plaintext and is then given corresponding ciphertext. Subsequently, the adversary uses any information deduced in order to recover plaintext corresponding to previously unseen ciphertext.
4. An Adaptive chosen-plaintext attack is a chosen-plaintext attack wherein the choice of plaintext may depend on the ciphertext received from previous requests.
5. A Chosen-ciphertext attack is one where the adversary selects the ciphertext and is then given the corresponding plaintext. One way to mount such an attack is for the adversary to gain access to the equipment used for decryption (but not the decryption key, which may be securely embedded in the equipment). The objective is then to be able, without access to such equipment, to deduce the plaintext from ciphertext.
6. An Adaptive chosen-ciphertext attack is a chosen-ciphertext attack where the choice of ciphertext may depend on the plaintext received from previous requests.
Most of these attacks also apply to digital signature schemes and message authentication codes. In this case, the objective of the attacker is to forge messages or MACs respectively.
Attacks on protocols
The following is a partial list of attacks which might be mounted on various protocols. Until a protocol is proven to provide the service intended, the list of possible attacks can never be said to be complete.
1. Known-key attack. In this attack an adversary obtains some keys used previously and then uses this information to determine new keys.
2. Replay. In this attack an adversary records a communication session and replays the entire session, or a portion thereof, at some later point in time.
3. Impersonation. Here an adversary assumes the identity of one of the legitimate parties in a network.
4. Dictionary. This is usually an attack against passwords. Typically, a password is stored in a computer file as the image of an unkeyed hash function. When a user logs on and enters a password, it is hashed and the image is compared to the stored value. An adversary can take a list of probable passwords, hash all entries in this list, and then compare this to the list of stored password hashes with the hope of finding matches.
5. Forward search. This attack is similar in spirit to the dictionary attack and is used to decrypt messages.
6. Interleaving attack. This type of attack usually involves some form of impersonation in an authentication protocol.