Symmetric Key Distribution using Symmetric Encryption
For symmetric encryption to work, the two parties to an exchange must share the same key, and that key must be protected from access by others. Furthermore, frequent key changes are usually desirable to limit the amount of data compromised if an attacker learns the key. Therefore, the strength of any cryptographic system rests with the key distribution technique, a term that refers to the means of delivering a key to two parties who wish to exchange data without allowing others to see the key. For two parties A and B, key distribution can be achieved in a number of ways, as follows:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.
Options 1 and 2 call for manual delivery of a key. For link encryption, this is a reasonable requirement, because each link encryption device is going to be exchanging data only with its partner on the other end of the link. However, for end-to-end encryption over a network, manual delivery is awkward. In a distributed system, any given host or terminal may need to engage in exchanges with many other hosts and terminals over time. Thus, each device needs a number of keys supplied dynamically. The problem is especially difficult in a wide-area distributed system.
The scale of the problem depends on the number of communicating pairs that must be supported. If end-to-end encryption is done at a network or IP level, then a key is needed for each pair of hosts on the network that wish to communicate. Thus,if there are $N$ hosts, the number of required keys is $[N(N - 1)]/2$. If encryption is done at the application level, then a key is needed for every pair of users or processes that require communication. Thus, a network may have hundreds of hosts but thousands of users and processes. A network using node-level encryption with 1000 nodes would conceivably need to distribute as many as half a million keys. If that same network supported 10,000 applications, then as many as 50 million keys may be required for application-level encryption.
option 3 is a possibility for either link encryption or end-to-end encryption, but if an attacker ever succeeds in gaining access to one key, then all subsequent keys will be revealed. Furthermore, the initial distribution of potentially millions of keys still must be made.
For end-to-end encryption, some variation on option 4 has been widely adopted. In this scheme, a key distribution center is responsible for distributing keys to pairs of users (hosts, processes, applications) as needed. Each user must share a unique key with the key distribution center for purposes of key distribution.
The use of a key distribution center is based on the use of a hierarchy of keys. At a minimum, two levels of keys are used. Communication between end systems is encrypted using a temporary key, often referred to as a session key. Typically, the session key is used for the duration of a logical connection, such as a frame relay connection or transport connection, and then discarded. Each session key is obtained from the key distribution center over the same networking facilities used for end-user communication. Accordingly, session keys are transmitted in encrypted form, using a master key that is shared by the key distribution center and an end system or user.
For each end system or user, there is a unique master key that it shares with the key distribution center. Of course, these master keys must be securely distributed in some fashion. However, the scale of the problem is vastly reduced. If there are $N$ entities that wish to communicate in pairs, then, as was mentioned, as many as $[N(N - 1)]/2$ session keys are needed at any one time. However, only $N$ master keys are required, one for each entity. Thus, master keys can be distributed in some non-cryptographic way, such as physical delivery.
A Key Distribution Scenario
The key distribution concept can be deployed in a number of ways. A typical scenario is illustrated in Figure 14.3. The scenario assumes that each user shares a unique master key with the key distribution center (KDC). Let us assume that user $A$ wishes to establish a logical connection with $B$ and requires a one-time session key to protect the data transmitted over the connection.
A has a master key, $K_a$, known only to itself and the KDC; similarly, $B$ shares the master key $K_b$ with the KDC. The following steps occur.
1. $A$ issues a request to the KDC for a session key to protect a logical connection to $B$. The message includes the identity of $A$ and $B$ and a unique identifier, $N_1$, for this transaction, which we refer to as a nonce. The nonce may be a timestamp, a counter, or a random number; the minimum requirement is that it differs with each request. Also, to prevent masquerade, it should be difficult for an opponent to guess the nonce. Thus, a random number is a good choice for a nonce.
2. The KDC responds with a message encrypted using $K_a$. Thus, $A$ is the only one who can successfully read the message, and $A$ knows that it originated at the KDC. The message includes two items intended for $A$:
■ The one-time session key, $K_s$, to be used for the session
■ The original request message, including the nonce, to enable $A$ to match this response with the appropriate request.
Thus, $A$ can verify that its original request was not altered before reception by the KDC and, because of the nonce, that this is not a replay of some previous request.
In addition, the message includes two items intended for $B:$
■ The one-time session key, $K_s$, to be used for the session
■ An identifier of $A$ (e.g., its network address), $ID_A$.
These last two items are encrypted with $K_b$ (the master key that the KDC shares with $B$). They are to be sent to $B$ to establish the connection and prove $A$’s identity.
3. $A$ stores the session key for use in the upcoming session and forwards to $B$ the information that originated at the KDC for $B$, namely, $E(K_b,[K_s ||ID_A])$.Because this information is encrypted with $K_b$, it is protected from eavesdropping.$B$ now knows the session key ($K_s$), knows that the other party is $A$ (from $ID_A$), and knows that the information originated at the KDC (because it is encrypted using $K_b$).
At this point, a session key has been securely delivered to $A$ and $B$, and they may begin their protected exchange. However, two additional steps are desirable:
4. Using the newly minted session key for encryption, $B$ sends a nonce, $N_2$, to $A$.
5. Also, using $K_s$, $A$ responds with $f(N_2)$, where $f$ is a function that performs some transformation on $N_2$ (e.g., adding one).
These steps assure $B$ that the original message it received (step 3) was not a replay.Note that the actual key distribution involves only steps 1 through 3, but that steps 4 and 5, as well as step 3, perform an authentication function.
Hierarchical Key Control
It is not necessary to limit the key distribution function to a single KDC. Indeed, for very large networks, it may not be practical to do so. As an alternative, a hierarchy of KDCs can be established.
For example, there can be local KDCs, each responsible for a small domain of the overall inter network, such as a single LAN or a single building. For communication among entities within the same local domain, the local KDC is responsible for key distribution. If two entities in different domains desire a shared key, then the corresponding local KDCs can communicate through a global KDC. In this case, any one of the three KDCs involved can actually select the key.The hierarchical concept can be extended to three or even more layers, depending on the size of the user population and the geographic scope of the inter network.
A hierarchical scheme minimizes the effort involved in master key distribution, because most master keys are those shared by a local KDC with its local entities. Furthermore, such a scheme limits the damage of a faulty or subverted KDC to its local area only.
Session Key Lifetime
The more frequently session keys are exchanged, the more secure they are, because the opponent has less ciphertext to work with for any given session key. On the other hand, the distribution of session keys delays the start of any exchange and places a burden on network capacity. A security manager must try to balance these competing considerations in determining the lifetime of a particular session key.
For connection-oriented protocols, one obvious choice is to use the same session key for the length of time that the connection is open, using a new session key for each new session. If a logical connection has a very long lifetime, then it would be prudent to change the session key periodically, perhaps every time the PDU (protocol data unit) sequence number cycles.
For a connection less protocol, such as a transaction-oriented protocol, there is no explicit connection initiation or termination. Thus, it is not obvious how often one needs to change the session key. The most secure approach is to use a new session key for each exchange. However, this negates one of the principal benefits of connection less protocols, which is minimum overhead and delay for each transaction.A better strategy is to use a given session key for a certain fixed period only orfor a certain number of transactions.
A Transparent Key Control Scheme
The approach suggested in Figure 14.3 has many variations, one of which is described in this subsection. The scheme (Figure 14.4) is useful for providing end-to-end encryption at a network or transport level in a way that is transparent to the end users. The approach assumes that communication makes use of a connection- oriented end-to-end protocol, such as TCP. The noteworthy element of this approach is a session security module (SSM), which may consist of functionality at one protocol layer, that performs end-to-end encryption and obtains session keys on behalf of its host or terminal.
The steps involved in establishing a connection are shown in Figure 14.4. When one host wishes to set up a connection to another host, it transmits a connection request packet (step 1). The SSM saves that packet and applies to the KDC for permission to establish the connection (step 2). The communication between the SSM and the KDC is encrypted using a master key shared only by this SSM and the KDC. If the KDC approves the connection request, it generates the session key and delivers it to the two appropriate SSMs, using a unique permanent key for each SSM (step 3). The requesting SSM can now release the connection request packet, and a connection is set up between the two end systems (step 4). All user data exchanged between the two end systems are encrypted by their respective SSMs using the one-time session key.
The automated key distribution approach provides the flexibility and dynamic characteristics needed to allow a number of terminal users to access a number of hosts and for the hosts to exchange data with each other.
Decentralized Key Control
The use of a key distribution center imposes the requirement that the KDC be trusted and be protected from subversion. This requirement can be avoided if key distribution is fully decentralized. Although full decentralization is not practical for larger networks using symmetric encryption only, it may be useful within a local context.
A decentralized approach requires that each end system be able to communicate in a secure manner with all potential partner end systems for purposes of session key distribution. Thus, there may need to be as many as $[n(n - 1)]/2$ master keys for a configuration with $n$ end systems.
A session key may be established with the following sequence of steps (Figure 14.5).
1. $A$ issues a request to $B$ for a session key and includes a nonce, $N_1$.
2. $B$ responds with a message that is encrypted using the shared master key. The response includes the session key selected by $B$, an identifier of $B$, the value $f(N_1)$, and another nonce, $N_2$.
3. Using the new session key, $A$ returns $f(N_2)$ to $B.$
Comments
Post a Comment