Key Management And Key Distribution The essential problems addressed by all cryptosystems is how to safely exchange keys and how to easily manage the keys while enabling reliable authentication, authorization and revocation. Simple symmetric distributed key systems – encrypted keys are distributed once physically by SA or by manufacturing. In Dynamic Distributed Key Infrastructures, distributed keys in turn exchange more device/person specific distributed keys, sizing a secure network in much the same way that DNS sizes the Internet. firstname.lastname@example.org
Traditional objections to symmetric systems “Its security depends on a new key being generated and used each time a new message is encrypted; this means that the total number of key bits is too large to be practical” “A large key-space comes at the price of longer keys, however, and these make the encryption and decryption processes slower. Thus the encryption system designer must trade off speed of operation against resistance to exhaustive search attacks.” “Anyone using a symmetric-key encryption system must deal with the key exchange problem: if 1 or more recipients are to be able to decrypt a message, they must get the key, and they must be the only ones to get it. … Key exchange is thus a high-overhead operation.” As much key material needs to be transmitted as the data to be encrypted. Key storage is onerous. http://fermat.nap.edu/html/digital_dilemma/appE.html These objections are no longer valid.
Dynamic Distributed Key system – what is it? DDKI are systems utilizing distributed keys to safely create and distribute more distributed keys, dynamically and electronically, to scale large secure communities of interest in much the same way that DNS allows the Internet to size itself. What are the attributes of DDKI? Self provisioning enables clients to generate their own session keys, encrypt their own content and authenticate themselves – this eliminates the majority of server overhead in massive networks and adds little overhead to the client.
Expanding a secure community of interest like DNS does This is a simple secure closed distributed system Dynamic elements • dynamic session keys and addresses • dynamically authenticate session with DIVA How do we dynamically, electronically and securely expand to add the millions of existing appliances and to build new secure networks users? Clients or appliances like routers and switching Networks
Coming in from the cold 1. Server sends serial number read utilty to new appliance as a firmware patch. 2. New appliance sends MAC#, serial #, NAM, UID to server 3. Server generates unique keys and unique starting offset from serial #, updates itself with UID, offset, key info, encrypts private key with application key, and sends package with encrypted private key(s) and secure application to the new device. Secure Network Server In existing DDKI New client, router, switch etc. • Expand secure networks in 3 steps electronically • Secure legacy networks and hardware with software/firmware patches – MFG acceptance is helpful • Device receives secure distributed key pair • All legacy hardware with MAC# etc. and firmware are quickly and inexpensively added to DDKI • Persons can add password for access and two factor authentication
Utilizing new symmetrical identity management keys reinforces the usefulness AES algorithms and keys • Utilizing trans-encryption makes huge networks using AES fast • Utilizing super strength authentication keys comply with standards that many enterprises and governments are required to use. “Unlike encryption, digital signature technology is not encumbered by export restrictions.” http://fermat.nap.edu/html/digital_dilemma/appE.html
DISTRIBUTED AES – WN KEY PAIR 1 TIME • PHYSICALLY BY SYSTEM ADMINISTRATOR • ELECTRONICALLY WITH KEY GENERATED • TO SPECIFIC DEVICE • WN KEY MULTI-FUNCTION • RNG FOR SESSION KEY – NO FAILURES NIST • AUTHENTICATION – ID MANAGEMENT SIMPLE SYMMETRIC DISTRIBUTED KEY SYSTEM ------ GENERATE SESSION KEY WITH WN RNG ENCRYPT DOC WITH AES ALGORITH AND SESSION KEY ENCRYPT SESSION KEY WITH DISTRIBUTED AES KEY AUTHENTICATE ENCRYPTED SESSION KEY WITH WN EMBED IN HEADER OF ENCRYPTED DOC AES WN WN AES TRANS-ENCRYPT AUTHENTICATED SESSION KEY FROM SENDER TO RECEIVER ALL KEY PAIRS STORED MINIMAL BECAUSE OF MULTIPLICITY KEY STORAGE IS CHEAP CHOOSE WHETHER TO STORE OR FORWARD DOCS TRANSFER ENCRYPTED DOC TRANSFER ENCRYPTED DOC RECEIVER SENDER ABOVE PROCESS = NO KEY EXCHANGE