SB 9: Trust in Keys Flashcards
What is the difference between a session key and an interchange key?
Interchange key: a key associated with a principal to a communication. Can convince the reciever the sender is who they say they are. Used for all sessions. Changes independently of session inititation and termination.
Session key: a key associated with the communication itself. Generated for a single session and discarded once the session ends. Prevents forward search attacks.
The distinction lies in the difference between a communication and a user involved in the communication.
How can keys be exchanged?
- The key is enciphered before sent OR it must be derived without an exchange of data from which the key can be derived
- A 3rd party can be used
- The cryptosystems and protocols are publicly known. The key(s) is the only secret data.
What is a certificate?
A token that binds an identity to a key. Contains information like timestamp, public key and a representation of the identity.
How can a certificate be validated?
- Tree-like hierarchy
- An arbitrary arrangement of certifiers that rely on each individuals knowledge of the certifiers.
By obtaining the public key and doing a comparison between the computed hash value and the desiphered hash value of the certificate.
What fields can exist in a certificate?
There are fields containing various information such as who the certificate was issued to, information about the public key, etc. Lastly the signature, an ensiphered hash of all other fields. Depending on the protocol used the fields can vary slightly.
What is a certificate authority?
An entity that issues certificates
Describe the PKI?
It manages public keys and certificate authorities. It is complex because of different requirements for different protocols.
A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.
In cryptography, a PKI is an arrangement that binds public keys with respective identities of entities (like people and organizations).[1] The binding is established through a process of registration and issuance of certificates at and by a certificate authority (CA).
Mention a problem with PKI
The heart of any PKI is trust. Trusting that the identity is correct and trusting that the private keys are properly protected.
How can you store keys?
Public keys only need integrity protection. Private keys need confidentiality as well. The storage of public keys is therefore not the big issue.
- Store on a separate device
- (Better) Split the key then store it on a separate device.
What is a principal?
a unique entity
What is an identity (in computer science)?
specifies a principal
What is the purpose of using identity when dealing with cryptography?
Accountability: it can track principals actions. Who did what can then be identified.
Access control: requires an identity to determine what actions are allowed and not.
What is key management?
The distribution of keys. Mechanisms used to bind an identity to a key. The generation, maintenance and revoking of such keys.
How does the symmetric cryptographic key exhange work?
It relies on a trusted 3rd party “C”. “A” shares a secret key with “C”. “B” shares a different secret key with “C”. The goal is to provide a secret key that “A” and “B” share.
Vulnerable to a replay attack.
The basis for many more sophisticated protocols.