Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking

1. Bishop: Chapter 10 (Cont.)Key Management: Storage & Revoking csci5233 Computer Security

2. Topics • Key exchange • Session vs interchange keys • Classical vs public key methods • Key generation • Cryptographic key infrastructure • Certificates • Key storage • Key escrow • Key revocation • Digital signatures csci5233 Computer Security

3. Storing Keys • Multi-user or networked systems: attackers may defeat access control mechanisms • Encipher the file containing keys • Attacker can monitor keystrokes to decipher files • Key will be resident in memory that attacker may be able to read • Use physical devices like “smart card” • Key never enters system • Card can be stolen, so have 2 devices combine bits to make a single key csci5233 Computer Security

4. Key Escrow • Key escrow system allows authorized third party to recover key • Useful when keys belong to roles, such as system operator, rather than individuals • Business: recovery of backup keys • Law enforcement: recovery of keys that authorized parties require access to • Goal: provide this without weakening cryptosystem • Very controversial. Why? csci5233 Computer Security

5. Desirable Properties • Escrow system should not depend on encipherment algorithm. That is, no inter-dependence. • Privacy protection mechanisms must work from end to end and be part of user interface. That is, only authorized parties with the escrowed keys can access the messages. • Requirements must map to key exchange protocol. That is, a person cannot bypass the key escrow system. • System supporting key escrow must require all parties to authenticate themselves. That is, only authorized parties may use the escrowed keys. • If message to be observable for limited time, key escrow system must ensure keys valid for that period of time only.  violated by the Clipper project csci5233 Computer Security

6. Components • User security component • Does the encripherment, decipherment • Supports the key escrow component • Key escrow component • Manages storage, use of data recovery keys • Data recovery component • Does key recovery csci5233 Computer Security

7. Example: ESS, Clipper Chip • Escrow Encryption Standard • Set of interlocking components • Designed to balance need for law enforcement access to enciphered traffic with citizens’ right to privacy • Clipper chip prepares per-message escrow information • Each chip numbered uniquely by UID • Special facility programs chip • Key Escrow Decrypt Processor (KEDP) • Available to agencies authorized to read messages csci5233 Computer Security

8. User Security Component • UID: Unique ID for Device, unique for each chip • Unique device key:kunique • Nonunique family key: kfamily , an 80-bit encryption key for the entire family of Clipper chips • Cipher is Skipjack • Classical cipher: 80 bit key, 64 bit input, output blocks • Each piece of enciphered message is accompanied by a law enforcement agents’ field (LEAF): • { UID || { ksession } kunique || hash } kfamily • hash: 16 bit authenticator from session key and initialization vector csci5233 Computer Security

9. Programming User Components • Done in a secure facility • Two escrow agencies needed • Agents from each present • Each supplies a random seed and key number • Family key components combined to get kfamily • Key numbers combined to make key component enciphering keykcomp • Random seeds mixed with other data to produce sequence of unique keys kunique • Each chip imprinted with UID, kunique, kfamily csci5233 Computer Security

10. The Escrow Components • During initialization of user security component, the process creates ku1 and ku2 where kunique = ku1ku2 • First escrow agency gets { ku1 } kcomp • Second escrow agency gets { ku2 } kcomp csci5233 Computer Security

11. Obtaining Access • Alice obtains legal authorization to read message • She runs message LEAF through KEDP • LEAF is { UID || { ksession } kunique || hash } kfamily • KEDP uses (known) kfamily to validate LEAF, obtain sending device’s UID • Authorization, LEAF taken to escrow agencies csci5233 Computer Security

12. Agencies’ Role • Each validates authorization • Each supplies { kui } kcomp and the corresponding key number • KEDP takes these and LEAF: • Key numbers produce kcomp • kcomp produces ku1 and ku2 • ku1 and ku2 produce kunique • kunique and LEAF produce ksession csci5233 Computer Security

13. Problems • (minor) hash too short • LEAF 128 bits, so given a hash of 16 bits: • 2112 LEAFs show this as a valid hash • 1 has actual session key, UID • Takes about 42 minutes to generate a LEAF with a valid hash but meaningless session key and UID; in fact, deployed devices would prevent this attack • (major) Scheme does not meet temporal requirement • As kunique fixed for each unit, once message is read, any future messages can be read. csci5233 Computer Security

14. Yaksha Security System • Key escrow system meeting all 5 criteria • Based on RSA, central server • Central server (Yaksha server) generates session key • Each user has 2 private keys • Alice’s modulus nA, public key eA • First private key dAA known only to Alice • Second private key dAY known only to Yaksha central server • dAAdAY = dA mod nA (meaning dAAdAY mod nA = dA mod nA csci5233 Computer Security

15. Alice and Bob • Alice wants to send message to Bob • Alice asks Yaksha server for session key • Yaksha server generates ksession • Yaksha server sends Alice the key as: CA = (ksession) dAY eA mod nA • Alice computes (CA)dAA mod nA = ksession Remember: dAAdAY = dA mod nA • Questions: • Who knows dA? • How would Alice determine dAA without knowing dAY ? csci5233 Computer Security

16. Analysis • Authority can read only one message per escrowed key • Meets requirement 5 (temporal one), because “time” interpreted as “session” • Independent of message enciphering key • Meets requirement 1 • Interchange algorithm, keys fixed • Others met by supporting infrastructure csci5233 Computer Security

17. Alternate Approaches to Escrow • Tie to time [Beth, etc. 1994] • The secret key used to generate the session key is not given as escrow key, but a related key is. • To derive the actual key from the related key, the authority must solve an instance of the discrete log problem. • Tie to probability: Translucent cryptography [Bellare/Rivest 1999] • Oblivious transfer: message received with specified probability • Idea: translucent cryptography allows fraction f of messages to be read by third party • Not key escrow, but similar in spirit csci5233 Computer Security

18. Key Revocation • Certificates invalidated before expiration • Usually due to compromised key • May be due to change in circumstance (e.g., someone leaving company) • Problems • Entity revoking certificate authorized to do so • Revocation information circulates to everyone fast enough • Network delays, infrastructure problems may delay information csci5233 Computer Security

19. CRLs • Certificate revocation list lists certificates that are revoked • X.509: only certificate issuer can revoke certificate • Added to CRL • PGP: signers can revoke signatures; owners can revoke certificates, or allow others to do so • Revocation message placed in PGP packet and signed • Flag marks it as revocation message csci5233 Computer Security

20. Next • Bishop, Chapter 10 (Cont.): • Digital Signatures csci5233 Computer Security