Unit 4 cryptography

The document covers key management and distribution, focusing on symmetric and public key distribution methods, including PKI and Kerberos. It details the roles of key distribution centers (KDC), public-key certificates, and the infrastructure necessary for secure key management. Additionally, it discusses authentication applications and the importance of secure key distribution in maintaining system integrity.

Content

➢ Key Management and Distribution

➢ Symmetric Key Distribution

➢ Public key Distribution

➢ PKI

➢ Kerberos

➢ E-mail Security

Objective of Unit 4

• Learn about Key Management and distribution: Symmetric key distribution, Diffie-Hellman Key Exchange

• To understand Public key distribution, X.509 Certificates, Public key Infrastructure.

• To study Authentication Applications: Kerberos, Electronic mail security: pretty good privacy (PGP), S/MIME.

Key-distribution center (KDC) CO4

A KDC creates a secret key for each member. This secret key can be used only between the member and the KDC, not between two members.

Note
A session symmetric key between two parties is used only once.

11/21/2023 3
Key-distribution center (KDC) CO4

Key-distribution center (KDC)

Key-distribution center (KDC) CO4

Hierarchical Multiple KDCs

Key Distribution
➢ symmetric schemes require both parties to share a common secret key
➢ the issue is how to distribute this key securely whilst protecting it from others
➢ frequent key changes can be desirable
➢ secure systems often fail because of a break in the key distribution scheme
Key Hierarchy
Key Distribution Scenario
Key Distribution Issues
➢ hierarchies of KDCs are required for large networks, but the KDCs must trust each other
➢ session key lifetimes should be limited for greater security
➢ automatic key distribution on behalf of users is convenient, but the system must then be trusted
➢ decentralized key distribution is an alternative
➢ key usage must be controlled
Simple Secret Key Distribution
➢ Merkle proposed this very simple scheme
⚫ allows secure communications
⚫ no keys before/after exist
Secret Key Distribution with Confidentiality and Authentication
Symmetric-key Distribution CO4

Alice and Bob can create a session key between themselves without using a KDC. This method of session-key creation is referred to as symmetric-key agreement. A key can be created using:

1. Diffie-Hellman Key Agreement
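The agreement just named, carried through end to end as an added example (it is not code from the slides): both parties pick a private exponent, exchange public values, and arrive at the same session key without any KDC. The 128-bit safe prime generated at the start is an assumption made only to keep the example self-contained; real deployments use standardized groups. The derivation rejects out-of-range peer values and never uses the raw shared group element as a key, and, because a plain exchange like this does not authenticate either side, the public-key certificates discussed later in this unit are what tie a public value to a named party.

```python
import hashlib
import hmac
import secrets

# Parameter generation. A 128-bit safe prime is generated on the fly only to
# keep the example self-contained (an assumption of this example); it is far
# too small for real use, where standardized groups (RFC 3526 / RFC 7919) are
# used instead.

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q both prime, so every non-trivial
    element of the group has order q or 2q (no small subgroups)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p

class DHParty:
    """One side of the agreement: picks a private exponent, publishes g^x mod p."""

    def __init__(self, p: int, g: int, name: str):
        self.p, self.g, self.name = p, g, name
        self.private = secrets.randbelow(p - 3) + 2       # x in [2, p-2]
        self.public = pow(g, self.private, p)

    def derive_session_key(self, peer_public: int) -> bytes:
        # 0, 1 and p-1 (and anything out of range) would force the shared
        # secret to a known value, so they are rejected before use.
        if not 2 <= peer_public <= self.p - 2:
            raise ValueError("peer public value out of range")
        shared = pow(peer_public, self.private, self.p)
        size = (self.p.bit_length() + 7) // 8
        ikm = shared.to_bytes(size, "big")
        # Never use the raw group element as a key: extract-then-expand
        # (HKDF-style) and bind both public values into the derivation so the
        # key is tied to this exact exchange.
        lo, hi = sorted((self.public, peer_public))
        transcript = lo.to_bytes(size, "big") + hi.to_bytes(size, "big")
        prk = hmac.new(b"dh-session-key", ikm, hashlib.sha256).digest()
        return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()

def run_key_agreement(p: int, g: int):
    """Alice and Bob exchange public values and each derive the session key."""
    alice, bob = DHParty(p, g, "Alice"), DHParty(p, g, "Bob")
    return alice.derive_session_key(bob.public), bob.derive_session_key(alice.public)

if __name__ == "__main__":
    P = generate_safe_prime(128)
    k_alice, k_bob = run_key_agreement(P, 2)
    print("keys match:", k_alice == k_bob)
```

Each call to `run_key_agreement` draws fresh private exponents, so two runs over the same parameters yield two different session keys, which is exactly the "used only once" property the KDC slide asks of a session key.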

Public-key Distribution CO4

In asymmetric-key cryptography, people do not need to know a symmetric shared key; everyone keeps a private key secret and advertises a public key.

Public-key Distribution CO4

Public Announcement

Public Announcement

➢ users distribute public keys to recipients or broadcast them to the community at large
➢ major weakness is forgery
⚫ anyone can create a key claiming to be someone else and broadcast it
⚫ until the forgery is discovered, the forger can masquerade as the claimed user
Publicly Available Directory
➢ can obtain greater security by registering
keys with a public directory
➢ directory must be trusted with properties:
⚫ contains {name,public-key} entries
⚫ participants register securely with directory
⚫ participants can replace key at any time
⚫ directory is periodically published
⚫ directory can be accessed electronically
➢ still vulnerable to tampering or forgery
Public-key Distribution CO4

Trusted Center

Public-Key Authority
➢ improve security by tightening control over distribution of keys from the directory
➢ has the properties of a directory
➢ and requires users to know the public key of the directory
➢ users then interact with the directory to obtain any desired public key securely
⚫ does require real-time access to the directory when keys are needed
⚫ may be vulnerable to tampering
Public-Key Authority
Public-key Distribution CO4

Controlled Trusted Center

Public-Key Certificates
➢ certificates allow key exchange without real-time access to the public-key authority
➢ a certificate binds an identity to a public key
⚫ usually with other info such as period of validity, rights of use etc.
➢ with all contents signed by a trusted Public-Key or Certificate Authority (CA)
➢ can be verified by anyone who knows the public-key authority's public key
Public-Key Certificates
Public-key Distribution CO4

Certification Authority

Public-key Distribution CO4

X.509 Certificate

The standard uses the following notation to define a certificate:

CA<<A>> = CA {V, SN, AI, CA, UCA, A, UA, Ap, TA}

where

Y<<X>> = the certificate of user X issued by certification authority Y
Y{I} = the signing of I by Y. It consists of I with an encrypted hash code appended
V = version of the certificate
SN = serial number of the certificate
AI = identifier of the algorithm used to sign the certificate
CA = name of certificate authority
UCA = optional unique identifier of the CA
A = name of user A
UA = optional unique identifier of the user A
Ap = public key of user A
TA = period of validity of the certificate
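The notation above, built and checked in Python as an added example (not code from the slides or from any X.509 library): the to-be-signed fields V, SN, AI, CA, UCA, A, UA, Ap and TA are encoded, hashed, and the hash is "encrypted" with the CA's private key, which is exactly the Y{I} construction. Everything about the keys is an assumption of the example: the CA key pair is unpadded textbook RSA over the Mersenne primes 2^521-1 and 2^607-1 (chosen only so that no prime generation code is needed; such special-form primes and unpadded RSA are never used in real certificates), JSON stands in for DER, and validity is expressed in epoch seconds. The verifier shows the three checks any relying party performs: the issuer is the expected one, the signature verifies under the CA's public key, and the current time falls inside TA.

```python
import hashlib
import json

# Toy CA key pair (assumption of this example, see lead-in). Structure only:
# unpadded textbook RSA over special-form primes is not a real signing scheme.
CA_P = 2**521 - 1
CA_Q = 2**607 - 1
CA_N = CA_P * CA_Q
CA_E = 65537
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))
CA_PUBLIC = (CA_N, CA_E)

# Alice's toy public key Ap; only the modulus and exponent are carried.
ALICE_PUBLIC = ((2**127 - 1) * (2**89 - 1), 65537)

def sign(issuer_private: tuple, data: bytes) -> int:
    """Y{I}: hash I, then encrypt the hash with Y's private key."""
    d, n = issuer_private
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, d, n)

def signature_ok(issuer_public: tuple, data: bytes, signature: int) -> bool:
    """Anyone holding Y's public key can recover the hash and compare."""
    n, e = issuer_public
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, e, n) == h

def encode(tbs: dict) -> bytes:
    """Canonical encoding of the to-be-signed fields (JSON stands in for DER)."""
    return json.dumps(tbs, sort_keys=True).encode()

def issue_certificate(ca_name, ca_private, serial, subject, subject_public,
                      not_before, not_after) -> dict:
    """CA<<A>> = CA{V, SN, AI, CA, UCA, A, UA, Ap, TA}."""
    tbs = {
        "V": 3, "SN": serial, "AI": "sha256WithRSA", "CA": ca_name, "UCA": None,
        "A": subject, "UA": None,
        "Ap": {"n": subject_public[0], "e": subject_public[1]},
        "TA": {"not_before": not_before, "not_after": not_after},
    }
    return {"tbs": tbs, "signature": sign(ca_private, encode(tbs))}

def verify_certificate(cert: dict, expected_ca: str, ca_public: tuple, now: int):
    """Return (ok, reason). Any change to the signed fields breaks the signature."""
    tbs = cert["tbs"]
    if tbs["CA"] != expected_ca:
        return False, "issued by a different CA"
    if not signature_ok(ca_public, encode(tbs), cert["signature"]):
        return False, "signature does not verify (tampered or forged)"
    if not tbs["TA"]["not_before"] <= now <= tbs["TA"]["not_after"]:
        return False, "outside validity period"
    return True, "ok"

if __name__ == "__main__":
    cert = issue_certificate("Example CA", (CA_D, CA_N), 1001, "Alice",
                             ALICE_PUBLIC, 1_700_000_000, 1_731_536_000)
    print(verify_certificate(cert, "Example CA", CA_PUBLIC, 1_710_000_000))
    forged = {"tbs": dict(cert["tbs"], A="Mallory"), "signature": cert["signature"]}
    print(verify_certificate(forged, "Example CA", CA_PUBLIC, 1_710_000_000))
```

The forged variant in the demo changes only the subject name A while keeping the original signature; the hash no longer matches, which is the property that lets a certificate be handed around without real-time access to the authority.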
Public-key Distribution CO4
X.509 Certificate
Certificate Renewal
Each certificate has a period of validity. If there is no
problem with the certificate, the CA issues a new
certificate before the old one expires.

Certificate Revocation
In some cases a certificate must be revoked before its
expiration.

Delta Revocation
To make revocation more efficient, the delta certificate
revocation list (delta CRL) has been introduced.
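How a delta CRL saves work, shown as an added example (not from the slides): a relying party keeps the large base CRL and fetches only the small delta, which lists the changes since the base it names. The merge rule, the check that the delta really refers to the base in hand, and the reason code `removeFromCRL` (used when a certificate that was on hold is released) follow the delta-CRL rules of RFC 5280; the serial numbers and reason strings in `build_sample` are constructed data.

```python
from typing import Dict, Optional

# Reason code (RFC 5280) meaning: this serial is no longer revoked and must be
# dropped from the effective list. Only entries put on certificateHold can be
# released this way.
REMOVE_FROM_CRL = "removeFromCRL"

class CRL:
    """A base CRL (complete list) or a delta CRL (changes since a named base)."""

    def __init__(self, crl_number: int, revoked: Dict[int, str],
                 base_crl_number: Optional[int] = None):
        self.crl_number = crl_number
        self.revoked = dict(revoked)              # serial number -> reason
        self.base_crl_number = base_crl_number    # set only on a delta CRL

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None

def merge(base: CRL, delta: CRL) -> Dict[int, str]:
    """Effective revocation set = base entries updated by the delta's changes."""
    if not delta.is_delta or delta.base_crl_number != base.crl_number:
        raise ValueError("delta CRL does not refer to this base CRL")
    if delta.crl_number <= base.crl_number:
        raise ValueError("delta CRL is not newer than the base CRL")
    effective = dict(base.revoked)
    for serial, reason in delta.revoked.items():
        if reason == REMOVE_FROM_CRL:
            effective.pop(serial, None)           # hold released
        else:
            effective[serial] = reason            # new or updated revocation
    return effective

def is_revoked(serial: int, base: CRL, delta: Optional[CRL] = None) -> bool:
    """Check a serial against the base CRL alone or base + delta."""
    revoked = base.revoked if delta is None else merge(base, delta)
    return serial in revoked

def build_sample():
    """Constructed data: a large base CRL and the small delta published later."""
    base_entries = {serial: "keyCompromise" for serial in range(1, 5001)}
    base_entries[4242] = "certificateHold"
    base = CRL(crl_number=10, revoked=base_entries)
    delta = CRL(crl_number=11, base_crl_number=10,
                revoked={7777: "keyCompromise",
                         8888: "cessationOfOperation",
                         4242: REMOVE_FROM_CRL})
    return base, delta

if __name__ == "__main__":
    base, delta = build_sample()
    print("base entries:", len(base.revoked), "delta entries:", len(delta.revoked))
    print("7777 revoked (base only):", is_revoked(7777, base))
    print("7777 revoked (base + delta):", is_revoked(7777, base, delta))
```

A delta whose `base_crl_number` does not match the base being used is rejected rather than merged, since applying changes against the wrong baseline could silently un-revoke a certificate.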

X.509 Certificates
Public-key infrastructure (PKI)

A public-key infrastructure is the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric encryption.

Objective for developing PKI: to enable secure, convenient, and efficient acquisition of public keys.

Public-key infrastructure X.509 (PKIX) is a working group which has been the driving force behind setting up a formal and generic model based on X.509 that is suitable for deploying a certificate-based architecture on the Internet.
Public-key Distribution CO4
Public-Key Infrastructures (PKI)

Some duties of a PKI

Public Key Infrastructure
Key Elements of the PKIX model

1.) End Entity: term used to denote end users, devices or any other entity that wants to be issued a public-key certificate.

2.) Certification Authority (CA): the issuer of certificates and certificate revocation lists (CRLs).

3.) Registration Authority (RA): an optional component that can assume a number of administrative functions from the CA. It is often associated with the end-entity registration process.

4.) CRL issuer: an optional component to which a CA delegates the publication of CRLs.

5.) Repository: any method used to store certificates and CRLs so that they can be retrieved by end entities.
Public-key Distribution CO4

Trust Model
PKI hierarchical model

Kerberos CO4

Kerberos is an authentication protocol, and at the same time a KDC, that has become very popular. Several systems, including Windows 2000, use Kerberos. Originally designed at MIT, it has gone through several versions.

Kerberos Requirements
• its first report identified requirements as:
– secure
– reliable
– transparent
– scalable
Kerberos v4 Overview
➢ a basic third-party authentication scheme
➢ has an Authentication Server (AS)
⚫ users initially negotiate with the AS to identify themselves
⚫ the AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)
➢ has a Ticket Granting Server (TGS)
⚫ users subsequently request access to other services from the TGS on the basis of the user's TGT
➢ uses a complex protocol based on DES
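The v4 flow above, simulated end to end as an added example (not code from the slides or from any Kerberos implementation). It also illustrates the earlier KDC slide: each principal shares one long-term key with the KDC only, never with another member, and every client/service session receives a fresh key that is used for that session alone. Assumptions of the example: an HMAC-SHA256-based authenticated encryption stands in for the DES used by v4; tickets and authenticators are JSON dictionaries with a reduced field set (no realm, addresses or lifetimes beyond `expires`); the AS and TGS run inside one `KDC` object; and the principal names, keys and timestamps in `demo` are constructed. Timestamps are explicit parameters so the freshness checks can be exercised deterministically.

```python
import hashlib
import hmac
import json
import secrets

# --- Symmetric primitive: a stand-in for the DES used by Kerberos v4 ---------
# Encrypt-then-MAC from HMAC-SHA256: a keystream for confidentiality and a
# separate subkey for integrity. Assumption of this example, not the protocol.

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def seal(key: bytes, obj: dict) -> str:
    return encrypt(key, json.dumps(obj).encode()).hex()

def unseal(key: bytes, blob_hex: str) -> dict:
    return json.loads(decrypt(key, bytes.fromhex(blob_hex)))

TICKET_LIFETIME = 8 * 3600   # seconds (constructed value)
CLOCK_SKEW = 300             # authenticator timestamps must be this fresh

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one.
    Each principal shares one long-term key with the KDC only."""

    def __init__(self):
        self.keys = {}                            # principal -> long-term key
        self.tgs_key = secrets.token_bytes(32)    # the TGS's own long-term key

    def register(self, principal: str, key: bytes):
        self.keys[principal] = key

    def as_exchange(self, client: str, now: int) -> str:
        """AS_REP: {K_c,tgs, TGT} sealed under the client's key; only the
        holder of that key can open it, which is how the user is identified."""
        k_c_tgs = secrets.token_bytes(32)
        tgt = seal(self.tgs_key, {"client": client, "key": k_c_tgs.hex(),
                                  "expires": now + TICKET_LIFETIME})
        return seal(self.keys[client], {"key": k_c_tgs.hex(), "tgt": tgt})

    def tgs_exchange(self, tgt: str, authenticator: str, service: str, now: int) -> str:
        """TGS_REP: validate TGT and authenticator, then issue a service ticket
        carrying a fresh session key K_c,v for this one client/service session."""
        t = unseal(self.tgs_key, tgt)                  # only the TGS can open a TGT
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        k_c_tgs = bytes.fromhex(t["key"])
        auth = unseal(k_c_tgs, authenticator)          # proves possession of K_c,tgs
        if auth["client"] != t["client"] or abs(auth["ts"] - now) > CLOCK_SKEW:
            raise PermissionError("authenticator rejected")
        k_c_v = secrets.token_bytes(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": k_c_v.hex(),
                                           "expires": now + TICKET_LIFETIME})
        return seal(k_c_tgs, {"key": k_c_v.hex(), "ticket": ticket})

class Client:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def login(self, kdc: KDC, now: int):
        rep = unseal(self.key, kdc.as_exchange(self.name, now))
        self.k_c_tgs, self.tgt = bytes.fromhex(rep["key"]), rep["tgt"]

    def request_service(self, kdc: KDC, service: str, now: int):
        """Return the AP_REQ for the service: its ticket plus a fresh authenticator."""
        auth = seal(self.k_c_tgs, {"client": self.name, "ts": now})
        rep = unseal(self.k_c_tgs, kdc.tgs_exchange(self.tgt, auth, service, now))
        k_c_v, ticket = bytes.fromhex(rep["key"]), rep["ticket"]
        return ticket, seal(k_c_v, {"client": self.name, "ts": now})

def service_accepts(service_key: bytes, ticket: str, authenticator: str, now: int) -> bool:
    """The application server opens the ticket with its own long-term key and
    checks the authenticator with the session key found inside the ticket."""
    t = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    return (auth["client"] == t["client"] and now <= t["expires"]
            and abs(auth["ts"] - now) <= CLOCK_SKEW)

def demo(now: int = 1_700_000_000) -> dict:
    """Constructed run: alice logs in, obtains a ticket for 'mail', presents it."""
    kdc = KDC()
    alice_key, mail_key = secrets.token_bytes(32), secrets.token_bytes(32)
    kdc.register("alice", alice_key)
    kdc.register("mail", mail_key)
    alice = Client("alice", alice_key)
    alice.login(kdc, now)
    ticket, auth = alice.request_service(kdc, "mail", now)
    return {"accepted": service_accepts(mail_key, ticket, auth, now),
            "stale_authenticator_rejected": not service_accepts(mail_key, ticket, auth, now + 3600)}
```

The service never sees Alice's long-term key: it trusts the ticket because only the KDC could have sealed it under the service's key, and it trusts the presenter because the authenticator is sealed under the session key that the ticket carries. A client with the wrong long-term key fails at `login`, since the AS reply cannot be opened, and an authenticator replayed an hour later fails the freshness check.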
Kerberos CO4

Kerberos servers

Kerberos CO4

Kerberos version 5
The minor differences between version 4 and version 5 are briefly listed below:

1) Version 5 has a longer ticket lifetime.
2) Version 5 allows tickets to be renewed.
3) Version 5 can accept any symmetric-key algorithm.
4) Version 5 uses a different protocol for describing data types.
5) Version 5 has more overhead than version 4.
