Information protection mechanisms assume cryptographic keys to be distributed to the communicating parties prior to secure communications. The secure management of these keys is one of the most critical elements when integrating cryptographic functions into a system, since even the most elaborate security concept will be ineffective if the key management is weak. An automatic distribution of keys typically employs different types of messages. A transaction usually is initiated by requesting a key from some central facility (e.g., a KDC), or from the entity a key is to be exchanged with. Cryptographic Service Messages (CSMs) are exchanged between communicating parties for the transmission of keying material, or for authentication purposes. CSMs may contain keys, or other keying material, such as the distinguished names of entities, key-IDs, counters, or random values. CSMs have to be protected depending on their contents and on the security requirements.
Key Management Requirements
Generic requirements include the following.
- Data confidentiality should be provided while secret keys and possibly other data are being transmitted or stored.
- Modification detection prevents the active threat of unauthorized modification of data items. In most environments, all CSMs have to be protected against modification.
- Replay detection is to counter unauthorized duplication of data items.
- Timeliness requires that the response to a challenge message is prompt and does not allow for playback of some authentic response message by an impersonator.
- Entity authentication is to corroborate that an entity is the one claimed.
- Data origin authentication (proof/nonrepudiation of origin) is to make certain that the source of a message is the one claimed.
- Proof/nonrepudiation of reception shows the sender of a message that the message has been received by its legitimate receiver correctly.
- Notarization is the registration of messages to attest at a later stage its content, origin, destination, or time of issue.
Key Management Protocols
Correctness of key management protocols requires more than the existence of secure communication channels between entities and key management servers. For example, it critically depends on the capability of those servers to reliably follow the protocols. Therefore, each entity has to base its deductions not only on the protocol elements sent and received, but also on its trust in the server which, for that reason, often is called a Trusted Party.
Key Management Services
Key management is facilitated by the key management services which include entity registration, key generation, certification, authentication, key distribution, and key maintenance. Entity registration is a procedure by which an individual or a device is authenticated to the system. An absolute identification is provided if a link between an ID (e.g., a distinguished name or a device-ID) and some physical representation of the identified subject (e.g., a person or a device) can be established. An identification can be carried out manually or automatically. Absolute identification always requires at least one initial manual identification (e.g., by showing a passport, or a device-ID).
Mutual authentication usually is based on the exchange of certificates. In any system, an entity is represented by some public data, called its (public) credentials (e.g., ID and address). Besides that, an entity may own secret credentials (e.g., testimonials) that may or may not be known by some trusted party. Whenever an entity is registered, a certificate based upon its credentials is issued as a proof of registration. This may involve various procedures, from a protected entry in a specific file to a signature by the certification authority (CA) on the credentials.
Key generation refers to procedures by which keys or pairs of keys of good cryptographic quality are securely and unpredictably generated. This implies the use of a random or pseudo-random process involving random seeds, which cannot be manipulated. Requirements are that certain elements of the key space are not more probable than others, and that it is not possible for the unauthorized to gain knowledge about keys.
Issuing of Certificates
Certificates are issued for authentication purposes. A credential containing identifying data together with other information (e.g., public keys) is rendered unforgeable by some certifying information (e.g., a digital signature provided by the key certification center). Certification may be an on-line service where some CA provides interactive support and is actively involved in key distribution processes; or it may be an offline service so that certificates are issued to each entity only at some initial stage.
Authentication/Verification may be either:
- entity authentication or identification
- message content authentication
- message origin authentication
The term verification refers to the process of checking the appropriate claims, that is, the correct identity of an entity, the unaltered message content, or the correct source of a message. The validity of a certificate can be verified using some public information (e.g., a public key of the key certification center), and can be carried out without the assistance of the CA, so that the trusted party is only needed for issuing the certificates. Key distribution refers to procedures by which keys are securely provided to parties legitimately asking for them. The fundamental problem of key exchange or distribution is to establish keying material to be used in symmetric mechanisms whose origin, integrity, and confidentiality can be guaranteed. As a result of varied design decisions appropriate to different circumstances, a large variety of key distribution protocols exist.
Key Distribution Protocols
The basic elements of a key distribution protocol are as follows.
The confidentiality of a data item D can be ensured by enciphering D with an appropriate key K which is denoted by eK(D). Depending on whether a secret key algorithm or a public key algorithm is used for the enciphering process, D will be enciphered with a secret key K shared between the sender and the legitimate recipient of the message, or with the legitimate recipient B’s public key KBp. Encipherment with the sender A’s private key KAs, may be used to authenticate the origin of data item D, or to identify A. Encipherment with a secret key provides modification detection if B has some means to check the validity of D (e.g., if B knows D beforehand, or if D contains suitable redundancy).
Modification Detection Codes
To detect the modification of a data item D, one can add some redundancy that has to be calculated using a collision-free function, that is, it must be infeasible to find two different values of D that render the same result. Moreover, this process has to involve a secret parameter K in order to prevent forgery. An appropriate combination of K and D also allows for data origin authentication. Examples of suitable building blocks are MACs, or hash functions combined with encipherment. The generic form of this building block is D||mdcK(D). Modification detection codes (mdc) enable the legitimate recipient to detect unauthorized modification of the transmitted data immediately after receipt. The correctness of distributed keying material can also be checked if the sender confirms his knowledge of the key in a second step.
Replay Detection Codes
To detect the replay of a message and to check its timeliness, some explicit or implicit challenge and response mechanism has to be used, since the recipient has to be able to decide on the acceptance. In most applications, the inclusion of a replay detec- tion code denoted by D||rdc (e.g., a timestamp TD, a counter CT, or a random number R) will only make sense if it is protected by modification detection. With symmetric cryptographic mechanisms, key modification, that is, some combination (e.g., XOR) of the secret key with an rdc, can be used to detect the replay of a message. A special case is the process of key offsetting used to protect keying material enciphered for distribution where the key used for encipherment is XORed with a count value.
Proof of Knowledge of a Key
Authentication can be implemented by showing knowledge of a secret (e.g., a secret key). Nevertheless, a building block that proves the knowledge of a key K can also be useful, when K is public. There are several ways for A to prove to B the knowledge of a key that are all based on the principle of challenge and response in order to prevent a replay attack. Depending on the challenge which may be a data item in cleartext or in ciphertext, A has to process the key K and the rdc in an appropriate way (e.g., by encipherment, or by calculating a MAC), or A has to perform a deciphering operation. The challenge may explicitly be provided by B (e.g., a random number R) or implicitly be given by a synchronized parameter (e.g., a timestamp TD, or a counter CT). For some building blocks, the latter case requires only one pass to prove knowledge of K; its tradeoff is the necessary synchronization. If B provides a challenge enciphered with a key K∗, the enciphered data item has to be unpredictable (e.g., a random number R, or a key K∗∗). The generic form of this building block is authK(A to B).
Point to point key distribution
This is the basic mechanism of every key distribution scheme. If based on symmetric cryptographic techniques, point to point key distribution requires that the two parties involved already share a key that can be used to protect the keying material to be distributed. If based on asymmetric techniques, point to point key distribution requires that each of the two parties has a public key with its associated secret key, and the certificate of the public key produced by a CA known to the other party. General assumptions are: (i) the initiator A is able to generate or otherwise acquire a secret key K∗ and (ii) security requirements are confidentiality of K∗, modification and replay detec- tion, mutual authentication of A and B, and a proof of delivery for K∗. For point to point key distribution protocols based on symmetric cryptographic techniques we additionally assume: (iii) a key KAB is already shared by A and B.
Key maintenance includes procedures for key activation, key storage, key replacement, key translation, key recovery, black listing of compromised keys, key deactivation, and key deletion. Some of the issues of key maintenance are addressed below.
Storage of Keying Material
Storage of keying material refers to a key storage facility which provides secure storage of keys for future use, for example, confidentiality and integrity for secret keying material, or integrity for public keys. Secret keying material must be protected by physical security (e.g., by storing it within a cryptographic device) or enciphered by keys that have physical security. For all keying material, unauthorized modification must be detectable by suitable authentication mechanisms.
Key archival refers to procedures by which keys for notarization or nonrepudiation services can be securely archived. Archived keys may need to be retrieved at a much later date to prove or disprove certain claims.
Key replacement enables parties to securely update their keying material. A key shall be replaced when its compromise is known or suspected. A key shall also be replaced within the time deemed feasible to determine it by an exhaustive attack. A replaced key shall not be reused. The replacement key shall not be a variant or any nonsecret transformation of the original key.
Key recovery refers to cryptographic keys which may become lost due to human error, software bugs, or hardware malfunction. In communication security, a simple handshake at session initiation can ensure that both entities are using the same key. Also, message authentication techniques can be used for testing that plaintext has been recovered using the proper key. Key authentication techniques permit keys to be validated prior to their use. In the case where a key was lost, it still may be possible to recover that key by searching part of the key space. This approach may be successful, if the number of likely candidates is small enough.
Key deletion refers to procedures by which parties are assured of the secure destruction of keys that are no longer needed. Destroying a key means eliminating all records of this key, such that no information remaining after the deletion provides any feasibly usable information about the destroyed key.
Published on Sun 22 March 2015 by Lydia Pilkington in Security with tag(s): cryptography