Scribd
Upload
55 views23 pages

Network Security Cryptography

The document discusses key distribution techniques for symmetric encryption including manually delivering keys, using a trusted third party, deriving new keys from old keys, and distributing keys over encrypted connections. It also describes using a key hierarchy with session keys and master keys, as well as controlling key usage with tags or control vectors.

Uploaded by

nazer
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
55 views23 pages

Network Security Cryptography

The document discusses key distribution techniques for symmetric encryption including manually delivering keys, using a trusted third party, deriving new keys from old keys, and distributing keys over encrypted connections. It also describes using a key hierarchy with session keys and master keys, as well as controlling key usage with tags or control vectors.

Uploaded by

nazer
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 23

Network Security Cryptography

• Lecture# 5
• Lecture Slides Prepared by:
• Dr. Syed Irfan Ullah
• Abasyn University Peshawar
Class Management
• Three Segments:
– Regular Class: 5:15 PM
– Revision of Previous Lectures: 5:30 PM-6:20
PM
– Test: 6:30 PM-7:00 PM
Securing a Network

• Location for Confidentiality Attacks


• Location of Encryption Devices
– (Discussed Already)

• Key Distribution
Key Distribution
• For symmetric encryption to work, the two parties must share
the same key and that key must be protected from access by
others

• Alice’s options in establishing a shared secret key with Bob


include (Ways for sharing a key):
1. Alice selects a key and physically delivers it to Bob
2. Trusted third party key distribution center (T3P or KDC) selects a key
and physically delivers it to Alice and Bob
3. If Alice and Bob have previously and recently used a key, it can be
used to distribute a new key
4. If Alice and Bob have keys with the KDC, KDC can deliver a key on
the encrypted links to Alice and Bob
Key Distribution
• Manual delivery is a
reasonable requirement with
link encryption, challenging
with end-to-end encryption
– The number of keys
grows quadratically with
the number of endpoints
• T3P key(s) constitute a rich
target of opportunity
• Initial (master) key
distribution remains a
challenge
Key Distribution
1. A key could be selected by A and physically
delivered to B.
2. A third party could select the key and physically
deliver it to A and B.
3. If A and B have previously used a key, one party
could transmit the new key to the other, encrypted
using the old key.
4. If A and B each have an encrypted connection to
a third party C, C could deliver a key on the
encrypted links to A and B.
Key Distribution
• Session key:
– Data encrypted with a one-time session key.At
the conclusion of the session the key is
destroyed
• Permanent key:
– Used between entities for the purpose of
distributing session keys
Use of a Key Hierarchy
• Use of a KDC is based
on the use of a hierarchy
of keys
– Session key : temporary
encryption key used
between two parties
– Master key : long-lasting
key that are used between
a KDC and a party for
the purpose of encrypting
the transmission of
session keys
A Key Distribution Scenario
• Assume each user shares a unique master key with the KDC
• Alice desires a one-time session key to communicate with Bob
(1) Alice issues a request to the KDC for a session key to be used
with Bob. Alice’s request includes a nonce to prevent replay
attack
(2) KDC responds with a message encrypted under Alice’s key. The
message contains the session key, the nonce, and the session key
along with Alice’s identity encrypted under Bob’s key
(3) Alice forwards the data encrypted under Bob’s Key to Bob
(4-5) Alice and Bob mutually authenticate under the session key
• (4) Bob sends a nonce to Alice encrypted under the session
key
• (5) Alice applies a transformation to the nonce and sends the
result back to Bob
A Key Distribution Scenario
Hierarchical Key Control
• Instead of a single KDC, a hierarchy of KDCs can be
established; local KDCs and a golbal KDC
 
 
• Local KDCs exchange keys through a global KDC
 
 
 
• Can be extended to three or more layers (hierarchy)
 
 
  • Hierarchical scheme
 

– Minimizes the effort involved in master key


distribution
– Limits the damage of a faulty or subverted KDC to
its local area only
Session Key Lifetime
• Tradeoffs in the session key lifetime
• The more frequent session keys, the more secure,
but the less performance (the more network load
and delay)
• For connection-oriented protocols, one option is
to associate a session with a connection
• For long-lived connections, must periodically
rekey
• For connectionless protocols, rekey at intervals
A Transparent Key Control
Scheme
Decentralized Key Distribution

1. A issues a request to B for a session key and


includes a nonce, N1
2. B responds with a message encrypted using the
shared master key. Response includes the session
key selected by B, an identifier of B, the value of
f(N1), and another nonce, N2
3. Using the new session key, A returns f(N2) to B
Controlling Key Usage
• It is desirable to impose some control on the way in which
automatically distributed keys are used
– e.g. we may wish to define different types of session keys on the
basis of use, such as
• Data-encrypting key
• PIN-encrypting key
• File-encrypting key
• One technique is to associate a tag with each key
– Tag is a bit-vector representing the key’s usage or type
– e.g. the extra 8 bits in each 56-bit DES key can be used as a tag
– Limited flexibility and functionality due to the limited tag size
– Because the tag is not transmitted in clear form, it can be used only at
the point of decryption, limiting the ways in which key use can be
controlled
• A more flexible scheme is to use a control vector
Control Vector Scheme
• Each session key has an associated control vector
• Control vector consists of a number of fields that specify
the uses and restrictions for that session key
• The length of control vector may vary
• Control vector is cryptographically coupled with the at
the time of key generation at the KDC CV:K :
control vector
master key
m
– Hash value = H = h(CV) Ks: session key
– Key input = Km  H
– Encrypted session key = EKm  H [Ks]
• When a session key is delivered to a user from the KDC,
it is accompanied by the control vector in clear form
Control Vector Scheme
• The session key can be recovered only by using both
the master key and the control vector
– Ks = DKm  H[EKm  H [Ks]]

• Advantages (over the 8-bit tag)


– No restriction on length of control vector
(arbitrarily complex controls to be imposed on key
use)
– Control vector is available in clear form at all stage
of operation  Key control can be exercised in
multiple locations
Control Vector Scheme

© ©
Class Test(1)
• Q.1
– What is the OSI security architecture?
– Explain the difference between an attack surface and an
attack tree.
• Q.2
– Consider an automated cash deposit machine in which
users provide a card or an account number to deposit cash.
Give examples of confidentiality, integrity, and availability
requirements associated with the system, and, in each case,
indicate the degree of importance of the requirement.
Class Test(2)
• Q.3 For each of the following assets, assign a low, moderate, or high impact level for
the loss of confidentiality, availability, and integrity, respectively. Justify your answers.
a. A student maintaining a blog to post public information.
b. An examination section of a university that is managing sensitive information
about exam papers.
c. An information system in a pathological laboratory maintaining the patient’s
data.
d. A student information system used for maintaining student data in a university
that contains both personal, academic information and routine administrative
information (not privacy related). Assess the impact for the two data sets
separately and the information system as a whole.
e. A University library contains a library management system which controls the
distribution of books amongst the students of various departments. The library
management system contains both the student data and the book data. Assess the
impact for the two data sets separately and the information system as a whole.
Some other schemes also..

?
What….
Some other schemes also..
.
.
.
Self
.
.
Organizations that provide
key distribution Facility…?
Assignment…. Self
\Documents and Settings\< username >\Application
Data\Microsoft\Crypto\RSA……?

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy