Key establishment and certificates Flashcards
What is key establishment?
The process of setting up cryptographic keys to protect a subsequent communication session
What does key establishment in TLS use public keys for?
To allow clients and servers to share a new communication key
What phases does key management consist of?
Generation
Distribution
Storage
Destruction
What is key generation?
Process of generating keys; they must be unpredictable, i.e. drawn from a cryptographically secure random source
What is key distribution?
Process of distributing the keys in a secure fashion
What is key storage?
Way of storing keys such that they are available for use, but not to unauthorized users
What is key destruction?
Process of securely destroying a key once it is no longer needed; wiping every copy from memory and storage is not always easy
Name 3 types of keys
Long-term
Ephemeral
Session
What are long-term keys?
Intended to be used for a long time (hours, months, years, etc.)
Either symmetric or asymmetric
What are ephemeral keys?
Generated for single use, then deleted (e.g. Diffie-Hellman exponents)
What are session keys?
Used for one communication session (seconds, hours, a day)
Usually symmetric, used with a cipher such as AES in an authenticated-encryption mode (e.g. GCM)
Sessions should be independent
What does it mean to have independent sessions?
The compromise of one key does not affect other sessions.
What is a typical usage of long-term and ephemeral keys?
Used in establishment of session keys
What are the security goals of key establishment protocols?
Authentication: If a party A completes the protocol and believes the session key Kab is shared with B, then Kab should not be shared with a different party C. Authentication can be mutual or unilateral
Confidentiality: An adversary is unable to obtain the session key accepted by a particular party
What is mutual authentication?
When both parties achieve the authentication goals
What is unilateral authentication?
The authentication goals are only achieved by one side
What are 3 approaches to key establishment protocols?
Key pre-distribution
Key transport
Key agreement
What is key pre-distribution?
Keys are set in advance.
A trusted authority (TA) generates and distributes long-term keys to all users when they join the system.
The simplest version assigns a secret key to each pair of users; this scales poorly (n users need n(n-1)/2 keys)
The TA only operates in the pre-distribution phase and does not need to be online afterwards
What is key transport?
One party chooses the key and distributes it
A TA shares a long-term shared key with each user
The TA generates a session key on request and sends it to the users, protected under their long-term keys
TAs must be trusted and must be online for every session; they are a single point of attack
What is key agreement?
Two or more parties contribute to the session key
Usually add authentication with public keys, for example by signing the exchanged messages
What can be a problem with key transport?
Scalability: the TA must be online and take part in every session, so it is a bottleneck as well as a single point of failure
What is Kerberos?
Example of key transport establishment.
An SSO solution: users provide their username and password only once per session
Kerberos provides access selectively for different online services using individual tickets
Kerberos establishes a session key to deliver confidentiality and integrity services for each service access
How does key transport work with asymmetric cryptography?
- One party chooses the key material and sends it encrypted under the other party's public key
- Each party includes a random nonce to ensure that the resulting key is new (fresh)
- A key derivation function (KDF) binds the secret key material to the other protocol elements (identities, nonces) so that, e.g., an attacker cannot make A and B derive the same key under mismatched identities or replay old key material
What are some properties of a standard KDF?
Built from HMAC (e.g. HKDF, RFC 5869)
Can be thought of as a hash function over the secret and the context inputs (identities, nonces, shares)
Describe the key transport protocol
Two parties: A and B
PKa: A's public encryption key (only A holds the matching private key)
Na, Nb: Random nonces generated by A and B
Z: Random secret key material generated by B
E(Z, PKa): Z encrypted under PKa
Kab: Session key
IDa: Identity of A
IDb: Identity of B
A sends IDa, Na to B
B sends IDb, Nb, E(Z, PKa) to A
A decrypts Z with its private key; both compute Kab = KDF(Z, IDa, IDb, Na, Nb)
Only A can recover Z, so B is assured the key is shared with A; A gets no assurance about B's identity unless B's message is also authenticated (e.g. signed)
What is a widely used key agreement protocol?
Diffie-Hellman
What is the usual method of key establishment in TLS today?
Ephemeral (elliptic-curve) Diffie-Hellman; TLS 1.3 only allows (EC)DHE key exchange, RSA key transport was removed
Describe signed Diffie-Hellman?
Parties: A and B
Identities: IDa and IDb
G: Group where computation takes place
g: Generator of G
a: Random exponent chosen by A, in [1, order of G)
b: Random exponent chosen by B, in [1, order of G)
SigA(m): a digital signature on message m by A
SigB(m): a digital signature on message m by B
Parties want to share session key
Both parties need each other’s public signature verification keys.
What secrecy does signed Diffie Hellman provide?
Forward secrecy because the long-term (signing) keys are only used for authentication
How does the signed Diffie-Hellman protocol work?
A sends IDa, g^a
B sends IDb, g^b, SigB(IDb, IDa, g^b, g^a)
A sends SigA(IDa, IDb, g^a, g^b)
A checks the signature received from B in step 2. If it is valid, A computes the shared secret:
Z = (g^b)^a = g^ab
B then checks the signature received from A in step 3. If it is valid, B computes:
Z = (g^a)^b = g^ab
Session key:
Kab = KDF(Z, IDa, IDb, g^a, g^b)
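Worked example for the KDF card, the key-transport card and the signed Diffie-Hellman run above. This is an added example, not from the flashcards or any course material: Python standard library only, using RFC 3526 group 14 as G (with g = 2), a Schnorr signature over the same group standing in for SigA/SigB (a real deployment would use RSA or ECDSA), and HKDF (RFC 5869, HMAC-SHA256) as the KDF. The function names, the length-prefixed transcript encoding and the 32-byte key length are this example's own choices.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit safe prime P = 2Q + 1 with generator G = 2,
# so G generates the prime-order-Q subgroup and exponents live in [1, Q).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2


def transcript(*parts: bytes) -> bytes:
    """Length-prefix every field so (IDa, g^a, ...) cannot be re-split ambiguously."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def i2b(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF with HMAC-SHA256 (RFC 5869): Extract, then Expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def keygen():
    """Long-term Schnorr signing key x and verification key y = g^x (assumed key type)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, *msg: bytes):
    """Schnorr signature (r, s) over the transcript of `msg`, standing in for SigA/SigB."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = int.from_bytes(hashlib.sha256(transcript(i2b(r), *msg)).digest(), "big") % Q
    return r, (k + e * x) % Q


def verify(y: int, sig, *msg: bytes) -> bool:
    r, s = sig
    if not (1 < r < P and 0 <= s < Q):
        return False
    e = int.from_bytes(hashlib.sha256(transcript(i2b(r), *msg)).digest(), "big") % Q
    return pow(G, s, P) == (r * pow(y, e, P)) % P


def valid_share(gx: int) -> bool:
    """Reject shares outside the prime-order subgroup (0, 1, p-1 and small-subgroup tricks)."""
    return 1 < gx < P - 1 and pow(gx, Q, P) == 1


def signed_dh(id_a: bytes, id_b: bytes, sk_a: int, pk_a: int, sk_b: int, pk_b: int):
    """Run the three-message protocol between A and B; return (Kab at A, Kab at B)."""
    # Step 1, A -> B: IDa, g^a
    a = secrets.randbelow(Q - 1) + 1
    ga = pow(G, a, P)
    # B validates the share before doing anything with it
    if not valid_share(ga):
        raise ValueError("B: share from A rejected")
    # Step 2, B -> A: IDb, g^b, SigB(IDb, IDa, g^b, g^a)
    b = secrets.randbelow(Q - 1) + 1
    gb = pow(G, b, P)
    sig_b = sign(sk_b, id_b, id_a, i2b(gb), i2b(ga))
    # A checks B's share and signature before using g^b
    if not (valid_share(gb) and verify(pk_b, sig_b, id_b, id_a, i2b(gb), i2b(ga))):
        raise ValueError("A: signature or share from B rejected")
    # Step 3, A -> B: SigA(IDa, IDb, g^a, g^b)
    sig_a = sign(sk_a, id_a, id_b, i2b(ga), i2b(gb))
    if not verify(pk_a, sig_a, id_a, id_b, i2b(ga), i2b(gb)):
        raise ValueError("B: signature from A rejected")
    # Z = g^ab on both sides; the KDF binds Z to the identities and both shares
    info = transcript(id_a, id_b, i2b(ga), i2b(gb))
    k_at_a = hkdf(i2b(pow(gb, a, P)), b"", info, 32)
    k_at_b = hkdf(i2b(pow(ga, b, P)), b"", info, 32)
    return k_at_a, k_at_b


if __name__ == "__main__":
    sk_a, pk_a = keygen()
    sk_b, pk_b = keygen()
    ka, kb = signed_dh(b"alice", b"bob", sk_a, pk_a, sk_b, pk_b)
    print("keys agree:", ka == kb, ka.hex())
```

Because the signatures cover both identities and both shares, an attacker who swaps g^b for g^c in message 2 cannot produce a valid SigB over the altered transcript, and the signing keys never touch the key derivation, which is what gives the forward secrecy discussed above. The `valid_share` check is the part most often forgotten in hand-rolled finite-field DH.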
What happens when a long-term key is compromised?
Attacker can act as the owner of the long-term key (impersonate them in new sessions).
Previous sessions can also be compromised, unless the protocol provides forward secrecy.
What is (perfect) forward secrecy?
When compromise of long-term private keys does not reveal session keys previously agreed using those long-term keys
What is Post-compromise security (PCS)
Protocols that can recover when long-term keys are compromised - also known as self-healing protocols.
The long-term key must evolve over time so that the attacker becomes locked out when the key updates.
What are self-healing protocols?
Protocols that can recover after a long-term key is compromised
In what situations does PCS work?
When the attacker is passive after the compromise: it can eavesdrop but does not actively interfere during the key update, so the honest parties' next key exchange locks it out
What is a way to achieve PCS?
Send a new Diffie-Hellman share with every message and change the session key also after every message
Does forward secrecy provide post-compromise security?
No, not by itself: forward secrecy protects past sessions, PCS concerns future sessions after the compromise
What do digital certificates contain?
A public key and the owner's identity
Together with metadata such as the signature algorithm, the issuing CA and the validity period
What are digital certificates used for?
Make sure we can be confident about the correct binding between a public key and its owner.
Important when using a public key to encrypt a message or to verify a digital signature
What is a certification authority (CA)?
Creates, issues and revokes certificates for users and other CAs
Have a certification practice statement (CPS)
What is public key infrastructure PKI?
A framework that is established to issue, maintain and revoke public-key certificates
What entities can be involved in PKIs?
Registration authorities
Naming authorities
Certification authorities
What do registration authorities do?
Manages identities
What do naming authorities do?
Manage domain naming
What does a CPS cover? (7)
- Checks performed before a certificate is issued
- Physical, personnel and procedural security controls for the CA
- Technical and key pair protection and management controls
- Certificate revocation management procedures
- Audit procedures for the CA
- Accreditation information
- Legal and privacy issues and liability limitations
How are certificates verified?
By checking that the CA signature is valid
Check that the conditions set in the certificate hold (validity period, intended key usage, name matches the expected owner) and that it has not been revoked
The user of the certificate must have the correct public key of the CA
How can users obtain certificates?
Sent by owner during a protocol run
distributed with web browsers
In public directories
As part of DNS record
What are certification paths?
A chain of trust where CA_n certifies the public key of CA_(n-1), which in turn certifies the public key of CA_(n-2), and so on down to CA_0
If an entity has a trusted copy of the public key of CA_n, the certification path through the intermediate CAs can be used to obtain a trusted copy of the public key of CA_0
What is the structure of hierarchical PKIs?
Have root CA, intermediate CAs and users
CAs certify the public key of the entity below
Tree structure
How does non-hierarchical PKI work?
Any CA can certify any other CA's public key
Describe browser PKIs
Contain multiple hierarchies with preloaded public keys as root CAs
CAs and intermediate CAs can be added
What certificates are self-signed?
Root certificates
The CA for the root is the root itself
What are two widely deployed revocation mechanisms?
Certificate revocation lists (CRL)
Online certificate status protocol (OCSP)
Describe Certificate revocation lists (CRL)
Each CA periodically issues a list of revoked certificates which can be downloaded and then checked by clients
Describe Online certificate status protocol (OCSP)
A server maintains a current list of revoked certificates and responds to requests about specific certificates
Describe the notation of the Needham-Schroeder protocol
Parties to establish session key: A, B
S: The trusted authority (key server)
Shared secret keys: Kas, Kbs, Kab
Long-term: Kas, Kbs (shared by A and S, and B and S)
Kab: Session key generated by S
Na, Nb: Randomly generated nonce for one time use
S -> A: M (S sends message M to A)
{X}_K: Authenticated encryption of message X using the shared secret key K
What attack is the Needham-Schroeder protocol vulnerable to?
Replay attack
What is a replay attack?
An attacker is able to replay old protocol messages and the honest party accepts an old session key
How does the replay attack work on Needham-schroeder?
An attacker C obtains a session key K'ab previously established between A and B (e.g. by compromising that old session)
C replays the old message {K'ab, IDa}Kbs to B, masquerading as A, and is thus able to persuade B to use the old key K'ab
How can we defend against replay attacks?
The key established must be fresh for each session
What are three mechanisms used to achieve freshness?
Random challenges (nonces)
Timestamps (a string encoding the current time; requires synchronized clocks)
Counters (increased for each message)
What is the repaired Needham-Schroeder protocol?
Uses random challenges to provide freshness
What are tickets in regards to Needham-Schroeder?
Way to fix the NS protocol by using a key with a validity period
When A wishes to obtain access to server B, the auth server S issues a ticket to allow A access
Ticket format: {Kab, IDa, IDb, Tb}Kbs
Tb: A timestamp, which can be interpreted as a validity period
A can obtain the ticket and use it to gain access to B at any time while Tb is still valid
Describe the 3 level Kerberos protocol
Level 1: Client C interacts with the authentication server AS to obtain a ticket-granting ticket (happens once per login session)
Level 2: C interacts with the ticket-granting server TGS to obtain a service ticket (happens once for each server during the session)
Level 3: C interacts with the application server V to obtain the service (happens each time the client requests the service during the session)
In 3 level kerberos, what information is sent between C and AS in level 1?
C to AS: IDc, IDtgs, N1
AS to C: {K_(c, tgs), IDtgs, N1}Kc, ticket_tgs
Kc: Symmetric key shared between C and AS (derived from the user's password)
N1: Nonce used by C to check that K_(c, tgs) is fresh
Ticket: {K_(c, tgs), IDc, T1}Ktgs
T1: Validity period
K_(c, tgs): Symmetric key generated by AS to share with TGS
Ktgs: Long-term key shared between AS and TGS
Result: User has a ticket-granting ticket, which can be used to obtain different service-granting tickets
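Worked example for the ticket card and the level-1 exchange above. This is an added example, not from the flashcards, the Kerberos specification or any implementation: Python standard library only. The `{X}_K` authenticated encryption is built from HMAC-SHA256 (a counter-mode keystream with encrypt-then-MAC), standing in for the AES-based enctypes real Kerberos uses; the JSON message layout, the 8-hour lifetime, the principal name and the PBKDF2 password derivation are this example's own assumptions. It also shows why the validity period T1 stops the Needham-Schroeder replay, and why a password-derived Kc exposes the AS reply to offline guessing.

```python
import hashlib
import hmac
import json
import secrets

TICKET_LIFETIME = 8 * 3600        # validity period T1 in seconds (assumed value)
KTGS = secrets.token_bytes(32)    # long-term key shared by AS and TGS


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    blocks = (hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def ae_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """{X}_K as nonce || ciphertext || tag (encrypt-then-MAC)."""
    k_enc, k_mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()


def ae_decrypt(key: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError if the tag does not verify."""
    k_enc, k_mac = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


def password_key(password: str, principal: str) -> bytes:
    """Kc derived from the user's password (assumed derivation); this is what makes offline guessing possible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 20_000)


def as_issue_tgt(request: dict, kc: bytes, ktgs: bytes, now: int):
    """AS -> C: {K_c,tgs, IDtgs, N1}_Kc and ticket_tgs = {K_c,tgs, IDc, T1}_Ktgs."""
    k_c_tgs = secrets.token_bytes(32)
    ticket = {"key": k_c_tgs.hex(), "client": request["client"], "expires": now + TICKET_LIFETIME}
    reply = {"key": k_c_tgs.hex(), "tgs": request["tgs"], "nonce": request["nonce"]}
    return (ae_encrypt(kc, json.dumps(reply).encode()),
            ae_encrypt(ktgs, json.dumps(ticket).encode()))


def client_accept_reply(reply: bytes, kc: bytes, sent_nonce: str) -> bytes:
    """C decrypts with Kc and checks N1 so an old AS reply cannot be replayed to it."""
    msg = json.loads(ae_decrypt(kc, reply))
    if msg["nonce"] != sent_nonce:
        raise ValueError("nonce mismatch: stale or replayed AS reply")
    return bytes.fromhex(msg["key"])


def tgs_accept_ticket(ticket: bytes, ktgs: bytes, now: int):
    """TGS decrypts the ticket with Ktgs and enforces the validity period T1."""
    t = json.loads(ae_decrypt(ktgs, ticket))
    if now >= t["expires"]:
        raise ValueError("ticket expired")
    return bytes.fromhex(t["key"]), t["client"]


def run_level1(password: str, now: int):
    """One level-1 exchange; returns (keys agree?, AS reply, ticket_tgs)."""
    kc = password_key(password, "alice@EXAMPLE.REALM")
    n1 = secrets.token_hex(16)
    request = {"client": "alice", "tgs": "krbtgt", "nonce": n1}   # C -> AS: IDc, IDtgs, N1
    reply, ticket = as_issue_tgt(request, kc, KTGS, now)
    k_client = client_accept_reply(reply, kc, n1)
    k_tgs, client = tgs_accept_ticket(ticket, KTGS, now)
    return k_client == k_tgs and client == "alice", reply, ticket


def offline_guess(reply: bytes, principal: str, candidates):
    """What an attacker holding a captured AS reply can do when Kc comes from a password."""
    for guess in candidates:
        try:
            ae_decrypt(password_key(guess, principal), reply)
            return guess
        except ValueError:
            pass
    return None
```

The TGS never sees Kc and the client never sees Ktgs: the ticket is opaque to the client and can only be minted by the AS, while the expiry inside it bounds how long a captured ticket stays useful. A real KDC also checks the client's name and the TGS name in the ticket against the request, and a real client should reject any reply whose nonce it did not send.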
What is the result of level 2 interaction with TGS?
User has service-granting ticket which can be used to obtain access to a specific server
What is the result of level 3 interaction with V?
User has secure access to a specific server V
What are some limitations of Kerberos?
Limited scalability: Each realm needs to share a key with each other realm
Suited for corporate environments with shared trust
Offline password guessing is a possible attack when Kc is derived from a human-memorable password: the AS reply is encrypted under Kc, so a captured reply can be tested against password guesses without contacting the AS
The standard does not specify how to use the session key once it is established