IT404 Module 08

The document discusses key management and distribution in network security, focusing on methods for distributing public keys such as public announcements, directories, authorities, and certificates. It also covers X.509 certificates, symmetric and asymmetric key distribution methods, and concepts like hierarchical key control and session key lifetime. The importance of managing keys effectively to enhance security and minimize risks is emphasized throughout the document.

IT404

Network Security
Module 08
Key Management and Distribution
MAIN REFERENCE
• Cryptography and Network Security: Principles and Practice, 7th Edition, William Stallings, Pearson, 2016.
• Network Security Essentials: Applications and Standards, 6th Edition, William Stallings, Pearson, 2016.
Learning Outcomes
1. Discuss the concept of a hierarchy of keys
2. Describe the key distribution of public keys
3. Understand the issues involved in using asymmetric encryption to distribute symmetric keys
4. List and explain the elements in an X.509 certificate
8.1 Introduction
 The topics of cryptographic key management and key distribution are complex,
involving:
 Cryptographic issues
 Protocol issues
 Management issues
 Symmetric schemes require both parties to share a common secret key
 Public-key schemes require parties to acquire valid public keys
8.2 Key Management
 Two aspects
Distribution of public keys
Use of public-key encryption to distribute secret keys
 Distribution of Public Keys
A. Public Announcement
B. Publicly available directory
C. Public-key authority
D. Public-key certificates
8.3 Key Management - Public Announcement
 Any participant can broadcast their public key to other participants.
 Major weakness: forgery. Anyone can announce a public key claiming to be some other
user, and read that user's messages or forge signatures until the forgery is discovered.
8.4 Key Management – Publicly Available Directory
 Improvement over public announcement.
 Maintenance of the directory and distribution of keys are done by a trusted organization.
 Elements in the scheme include:-
 Directory maintenance
 Participants registration
 Periodic key change
 Periodic directory updates
 Electronic access for participants
8.5 Key Management – Public-Key Authority
 Distribution of public keys from a directory maintained by a trusted authority, for
better security than a plain public directory: the authority signs each reply, and
every participant knows the authority's public key.
 Steps include:
1. A sends a timestamped message to the public-key authority requesting B's current
public key.
2. The authority responds with a message encrypted using its private key (that is,
signed) containing B's public key, the original request and the original timestamp,
so A can verify that it came from the authority and is not a replay of an old reply.
3. A stores B's public key and uses it to encrypt a message to B containing A's
identifier and a nonce N1.
4. B retrieves A's public key from the authority in the same way.
5. Public keys have now been securely delivered to both A and B.
6. B sends a message to A, encrypted with A's public key, containing N1 and a new
nonce N2.
7. A returns N2, encrypted using B's public key, so B knows its correspondent is A.
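The authority's part of this exchange (steps 1, 2, 4 and 5), as an added Go example that is not code from the slides or from Stallings. It assumes an Ed25519 signing key for the authority, RSA keys for the participants and a `<target>|<timestamp>` request format, all chosen here for illustration. The point it demonstrates is why step 2 echoes the request under the same signature as the key: a captured reply can then be neither altered (the signature breaks) nor replayed against a later request (the timestamp no longer matches).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// Authority is the public-key authority: a directory of registered public keys plus
// an Ed25519 signing key whose public half (Pub) every participant already holds.
// (Key types and message format are assumptions made for this example.)
type Authority struct {
	dir     map[string]*rsa.PublicKey
	signKey ed25519.PrivateKey
	Pub     ed25519.PublicKey
}

func NewAuthority() *Authority {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authority{dir: map[string]*rsa.PublicKey{}, signKey: priv, Pub: pub}
}

func (a *Authority) Register(id string, pub *rsa.PublicKey) { a.dir[id] = pub }

// Reply is the step-2 message: the requested key and the original timestamped
// request ("<target>|<unix-nanos>"), both covered by one authority signature.
type Reply struct{ Request, KeyDER, Sig []byte }

func cat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// Lookup is the authority's side of step 2 (and of step 4 when B asks for A's key).
func (a *Authority) Lookup(request []byte) (Reply, error) {
	target := bytes.SplitN(request, []byte("|"), 2)[0]
	pub, found := a.dir[string(target)]
	if !found {
		return Reply{}, errors.New("unknown target")
	}
	der := x509.MarshalPKCS1PublicKey(pub)
	return Reply{Request: request, KeyDER: der, Sig: ed25519.Sign(a.signKey, cat(request, der))}, nil
}

// VerifyReply is the requester's check on the step-2 message. Two things must hold:
// the reply echoes exactly the request we sent (timestamp included, so an old reply
// for the same target cannot be replayed by someone who captured it), and the
// authority's signature covers request and key together (so the key cannot be swapped).
func VerifyReply(authPub ed25519.PublicKey, request []byte, r Reply) (*rsa.PublicKey, error) {
	if !bytes.Equal(r.Request, request) {
		return nil, errors.New("reply does not echo our request (stale or replayed)")
	}
	if !ed25519.Verify(authPub, cat(r.Request, r.KeyDER), r.Sig) {
		return nil, errors.New("bad authority signature")
	}
	return x509.ParsePKCS1PublicKey(r.KeyDER)
}

// FetchKey runs steps 1-2 end to end for one requester: build the timestamped
// request, send it, and accept the reply only if VerifyReply passes.
func FetchKey(auth *Authority, target string) (*rsa.PublicKey, error) {
	request := []byte(fmt.Sprintf("%s|%d", target, time.Now().UnixNano()))
	reply, err := auth.Lookup(request)
	if err != nil {
		return nil, err
	}
	return VerifyReply(auth.Pub, request, reply)
}

func main() {
	auth := NewAuthority()
	bobKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed participant "bob"
	auth.Register("bob", &bobKey.PublicKey)

	pub, err := FetchKey(auth, "bob") // honest run
	fmt.Println("fetched bob's key:", err == nil && pub.Equal(&bobKey.PublicKey))

	// An attacker who alters the key in transit breaks the signature...
	req := []byte("bob|1700000000000000000")
	r, _ := auth.Lookup(req)
	r.KeyDER[len(r.KeyDER)-1] ^= 1
	_, err = VerifyReply(auth.Pub, req, r)
	fmt.Println("tampered reply rejected:", err != nil)

	// ...and replaying a genuine old reply fails the request match.
	r, _ = auth.Lookup(req)
	_, err = VerifyReply(auth.Pub, []byte("bob|1700000000000000001"), r)
	fmt.Println("replayed reply rejected:", err != nil)
}
```

Signing only the key, without the echoed request, would leave the replay open: an attacker could answer any later lookup for "bob" with a genuine but stale reply carrying a key whose private half has since been compromised.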
8.6 Key Management – Public-Key Certificates
 Used by participants to exchange keys without contacting a public-key authority
in real time.
 A certificate consists of
1. A public key
2. An identifier of the key owner
3. The whole block signed by a trusted third party (the Certificate Authority)
 Scheme requirements:-
 Any participant can read a certificate to determine the name and public key of
the certificate's owner
 Any participant can verify that the certificate originated from the certificate
authority and is not counterfeit
 Only the certificate authority can create and update certificates
 Any participant can verify the currency (validity period) of the certificate
8.7 X.509 Certificates
 Part of the X.500 series of directory-service recommendations from ITU-T, initially
issued in 1988 and revised since (2000 edition)
 The X.500 directory maintains a database of information about users:
1) User name mapping to network address
2) Attributes
3) Other information about users
 X.509 defines a framework for the provision of authentication services by the X.500
directory to its users
 The directory may serve as a repository of public-key certificates
 Each certificate contains:-
 The public key of a user
 The CA's signature over the certificate, made with the Certificate Authority's
private key (the user's private key is never part of the certificate)
 Based on public-key cryptography and digital signatures.
8.8 Certificates
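The four certificate requirements of 8.6 and the X.509 signing relationship of 8.7, as an added Go example using the standard `crypto/x509` package; this is not material from the slides or the reference. A toy CA issues a certificate that binds a name to a public key and signs it with the CA's private key; any holder of the root certificate then verifies the CA signature and the validity period without contacting the CA. The CA name, subject name, serial numbers, key type (ECDSA P-256) and validity periods are all made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is the trusted third party: a self-signed root certificate and the private
// key that signs every certificate it issues. The key never leaves the CA.
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
	now  time.Time // clock injected so validity checks are reproducible
}

func NewCA(now time.Time) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // assumed name
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key, now: now}, nil
}

// Issue binds a subject name to a public key for a limited period and signs the
// binding: the certificate's public key, owner identifier and CA-signed block.
func (c *CA) Issue(subject string, pub *ecdsa.PublicKey, serial int64, validFor time.Duration) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    c.now,
		NotAfter:     c.now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, c.Cert, pub, c.key)
}

// Verify is what any participant does with a certificate it receives: read the
// owner's name and key, check the CA's signature against the root it trusts, and
// check currency (NotBefore/NotAfter) at time `at`. No contact with the CA is needed.
func Verify(root *x509.Certificate, certDER []byte, at time.Time) (string, *ecdsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", nil, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", nil, fmt.Errorf("unexpected key type %T", cert.PublicKey)
	}
	return cert.Subject.CommonName, pub, nil
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	ca, _ := NewCA(now)
	bobKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bobCert, _ := ca.Issue("bob", &bobKey.PublicKey, 2, 24*time.Hour)

	name, pub, err := Verify(ca.Cert, bobCert, now.Add(time.Hour))
	fmt.Println("valid:", err == nil, name, err == nil && pub.Equal(&bobKey.PublicKey))

	_, _, err = Verify(ca.Cert, bobCert, now.Add(48*time.Hour))
	fmt.Println("after expiry:", err)

	rogue, _ := NewCA(now) // same CA name, different key: a forged authority
	forged, _ := rogue.Issue("bob", &bobKey.PublicKey, 3, 24*time.Hour)
	_, _, err = Verify(ca.Cert, forged, now.Add(time.Hour))
	fmt.Println("forged:", err)
}
```

The forged case shows why "originated from the certificate authority" means a signature check against a trusted root, not a name match: the rogue CA carries the same CommonName and the leaf looks identical, but its signature does not verify under the root the relying party holds.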
8.9 Key Distribution
 For two parties A and B, key distribution can be achieved in a number of ways,
as follows:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the
new key to the other, encrypted using the old key.
4. If A and B each have an encrypted connection to a third party C, C can deliver
a key on the encrypted links to A and B.
8.10 Key Distribution Scenario
 Steps, using a Key Distribution Center (KDC) that shares a master key with each user:
1. A issues a request to the KDC for a session key to protect a connection to B;
the request includes the identities of A and B and a nonce N1.
2. KDC responds with a message encrypted under A's master key containing the
session key Ks, the original request (so A can match it against N1 and detect a
replay), and a block for B encrypted under B's master key containing Ks and A's identity.
3. A stores the session key for the upcoming session and forwards the block for B
to B.
4. Using the new session key, B sends a nonce N2 to A.
5. Also using the session key, A responds with f(N2), where f is an agreed
transformation; this assures B that A holds the same session key.
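The KDC exchange above as an added Go example, not code from the slides or the reference, with all five steps run between in-memory parties. It assumes 32-byte AES master keys shared with the KDC, messages carried as JSON values encrypted with AES-GCM, and bitwise complement as the transformation f; the principal names are constructed. The replay check in step 2 and the authenticated encryption of B's ticket are the parts an implementer most often gets wrong, so both are written out as checks that fail closed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Message types, JSON-framed so the demo needs no hand-rolled parsing (an assumption of this example).
type Request struct{ IDa, IDb string; N1 []byte }        // step 1, sent in the clear
type Ticket struct{ Ks []byte; IDa string }                // for B: E(Kb, [Ks || IDa])
type Reply struct{ Ks []byte; Req Request; Ticket []byte } // step 2: E(Ka, [Ks || request || ticket])

func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// seal JSON-encodes v and encrypts it with AES-256-GCM, 12-byte nonce prepended;
// unseal reverses it. Authenticated encryption means a forged or altered message
// is rejected rather than decrypted to garbage.
func seal(key []byte, v interface{}) []byte {
	pt, _ := json.Marshal(v)
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	iv := randomBytes(gcm.NonceSize())
	return gcm.Seal(iv, iv, pt, nil)
}

func unseal(key, ct []byte, v interface{}) error {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) < 12 {
		return errors.New("bad key or ciphertext")
	}
	gcm, _ := cipher.NewGCM(block)
	pt, err := gcm.Open(nil, ct[:12], ct[12:], nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(pt, v)
}

// KDC maps each principal to the master key it shares with the center (distributed out of band).
type KDC map[string][]byte

// Respond is step 2: mint Ks, build B's ticket, and seal everything for A under Ka.
func (k KDC) Respond(req Request) ([]byte, error) {
	ka, kb := k[req.IDa], k[req.IDb]
	if ka == nil || kb == nil {
		return nil, errors.New("unknown principal")
	}
	ks := randomBytes(32)
	ticket := seal(kb, Ticket{Ks: ks, IDa: req.IDa})
	return seal(ka, Reply{Ks: ks, Req: req, Ticket: ticket}), nil
}

// OpenReply is A's check on step 2: the echoed request, N1 included, must match
// what A just sent; otherwise this is an old reply replayed by an attacker.
func OpenReply(ka []byte, sent Request, m2 []byte) (Reply, error) {
	var r Reply
	if err := unseal(ka, m2, &r); err != nil {
		return r, err
	}
	if r.Req.IDa != sent.IDa || r.Req.IDb != sent.IDb || !bytes.Equal(r.Req.N1, sent.N1) {
		return r, errors.New("reply does not match request (replay?)")
	}
	return r, nil
}

// f is the agreed transformation of N2 for step 5 (bitwise complement here, an assumption).
func f(n []byte) []byte { out := append([]byte(nil), n...); for i := range out { out[i] = ^out[i] }; return out }

// Exchange runs steps 1-5 and returns the session key B ends up with, which
// steps 4-5 have confirmed A holds as well.
func Exchange(kdc KDC, idA string, ka []byte, idB string, kb []byte) ([]byte, error) {
	req := Request{IDa: idA, IDb: idB, N1: randomBytes(16)}
	m2, err := kdc.Respond(req) // step 1 -> step 2
	if err != nil {
		return nil, err
	}
	reply, err := OpenReply(ka, req, m2)
	if err != nil {
		return nil, err
	}
	var t Ticket // step 3: A keeps reply.Ks and forwards only the ticket to B
	if err := unseal(kb, reply.Ticket, &t); err != nil {
		return nil, err
	}
	if t.IDa != idA {
		return nil, errors.New("B: ticket names a different peer")
	}
	n2, gotN2 := randomBytes(16), []byte(nil)
	if err := unseal(reply.Ks, seal(t.Ks, n2), &gotN2); err != nil { // step 4: B -> A: E(Ks, N2)
		return nil, err
	}
	var resp []byte // step 5: A -> B: E(Ks, f(N2)); B checks it against its own f(N2)
	if err := unseal(t.Ks, seal(reply.Ks, f(gotN2)), &resp); err != nil || !bytes.Equal(resp, f(n2)) {
		return nil, errors.New("B: step 5 check failed")
	}
	return t.Ks, nil
}
```

Because the ticket for B is sealed under Kb with authenticated encryption, A (or anyone on the path) can forward it but cannot read or alter it; and because Ks never travels in the clear, the only keys that need out-of-band distribution are the master keys.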
8.11 Hierarchical Key Control
 The KDC scheme can be extended to three or more layers, depending on the size of
the user population and the geographic scope of the internetwork.
 Minimizes the effort involved in master key distribution, since most master keys
are those shared by a local KDC with the entities in its own area.
 Limits the damage of a faulty or subverted KDC to its local area only.
8.12 Session Key Lifetime
 For connection-oriented protocols,
 use the same session key for the length of time that the connection is open,
using a new session key for each new session.
 For a connectionless protocol,
 there is no explicit connection initiation or termination, so a session key is
used for a fixed period or for a fixed number of transactions before being replaced.
8.13 Transparent Key Control Scheme
 Useful for providing end-to-end encryption at a network or transport level.
 Assumes communication makes use of a connection-oriented end-to-end protocol.
8.14 Decentralized Key Control
 Each pair of end systems shares a master key; no KDC is involved.
 Steps in establishing a session key:-
1. A issues a request to B for a session key, including a nonce N1.
2. B responds with a message encrypted using the shared master key, containing the
session key chosen by B, B's identifier, f(N1) and a second nonce N2.
3. Using the new session key, A returns f(N2) to B.
8.15 Controlling Key Usage
 The key hierarchy concept reduces the number of keys that require manual management
and distribution.
 Some control is still required over how each distributed key may be used, for
example limiting a session key to data encryption and a master key to key encryption.

8.16 Simple Secret Key Distribution
 Suggested by Merkle (1979): A generates a temporary public/private key pair and
sends the public key with its identifier to B; B generates a secret session key and
returns it encrypted with A's public key; A decrypts it and both parties discard the
public key pair.
 No key exists before the start of the communication and none exists after, so the
risk of compromise is minimal and the scheme is secure against eavesdropping.
 Insecure against an adversary who can intercept and modify messages: a man-in-the-middle
substitutes their own public key, learns the session key, and relays it to A, and neither
party can detect the substitution.
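Merkle's exchange with both a passive and an active adversary in the path, as an added Go example that is not code from the slides or from Merkle. RSA-OAEP stands in for the public-key encryption, and the `Relay` interface, `Passive` and `MITM` types are constructed for the demonstration. Against the eavesdropper A and B agree on a key the attacker cannot read; against the man-in-the-middle they still agree, but the attacker holds the same key and neither side has anything to check.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Hello is message 1 of Merkle's scheme: A's freshly generated public key and
// identifier, sent in the clear. Nothing authenticates it.
type Hello struct {
	ID     string
	PubDER []byte
}

func encryptTo(pubDER []byte, m []byte) ([]byte, error) {
	pub, err := x509.ParsePKCS1PublicKey(pubDER)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
}

func decryptWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Relay models whatever sits between A and B: it sees message 1 (the hello) and
// message 2 (the encrypted session key) and may return them changed or unchanged.
type Relay interface {
	Hello(h Hello) Hello
	Key(ct []byte) []byte
}

// Passive is an eavesdropper: it copies every message but cannot change them.
type Passive struct{ Seen [][]byte }

func (p *Passive) Hello(h Hello) Hello  { p.Seen = append(p.Seen, h.PubDER); return h }
func (p *Passive) Key(ct []byte) []byte { p.Seen = append(p.Seen, ct); return ct }

// MITM is an active attacker: it replaces A's key with its own in message 1, then
// decrypts B's message 2, records Ks, and re-encrypts it to A's real key.
type MITM struct {
	key     *rsa.PrivateKey
	realPub []byte
	Learned []byte // the session key the attacker ends up holding
}

func NewMITM() *MITM {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &MITM{key: k}
}

func (m *MITM) Hello(h Hello) Hello {
	m.realPub = h.PubDER
	return Hello{ID: h.ID, PubDER: x509.MarshalPKCS1PublicKey(&m.key.PublicKey)}
}

func (m *MITM) Key(ct []byte) []byte {
	ks, err := decryptWith(m.key, ct)
	if err != nil {
		panic(err)
	}
	m.Learned = ks
	reenc, _ := encryptTo(m.realPub, ks)
	return reenc
}

// Exchange runs Merkle's protocol through r and returns the session key as A and B
// each see it. Only message 1 carries A's key, and nothing vouches for it.
func Exchange(idA string, r Relay) (ksA, ksB []byte, err error) {
	// A: generate a one-time key pair and send PUa || IDa.
	aKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	hello := r.Hello(Hello{ID: idA, PubDER: x509.MarshalPKCS1PublicKey(&aKey.PublicKey)})

	// B: pick Ks and send it encrypted under whatever key arrived with IDa.
	ksB = make([]byte, 32)
	rand.Read(ksB)
	ct, err := encryptTo(hello.PubDER, ksB)
	if err != nil {
		return nil, nil, err
	}

	// A: recover Ks; PRa is discarded when aKey goes out of scope.
	ksA, err = decryptWith(aKey, r.Key(ct))
	return ksA, ksB, err
}

func main() {
	eve := &Passive{}
	a, b, err := Exchange("alice", eve) // "alice" is a constructed identifier
	fmt.Println("passive: keys agree =", bytes.Equal(a, b), "err =", err)

	mal := NewMITM()
	a, b, err = Exchange("alice", mal)
	fmt.Println("mitm: keys agree =", bytes.Equal(a, b), "attacker holds Ks =", bytes.Equal(mal.Learned, b), "err =", err)
}
```

The fix is exactly what the earlier sections add: a public-key authority or a certificate lets B check that the key in message 1 really belongs to the claimed identifier, which is what turns this scheme into the hybrid approach of 8.17.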
8.17 Hybrid Scheme
 Approach in use on IBM mainframes.
 Retains the use of a KDC that shares a secret master key with each user and
distributes session keys encrypted under the master key.
 A public-key scheme is used to distribute the master keys, giving a 3-level
approach (session keys, master keys, public keys) whose rationale is:-
Performance
Backward compatibility
Summary
 Distribution of public keys involves: public announcement, publicly available
directory, public-key authority, public-key certificates.
 X.509 defines a framework based on public-key cryptography and digital signatures.
 Symmetric key distribution using symmetric encryption includes hierarchical key
control, session key lifetime, transparent key control scheme, decentralized key control.
 Symmetric key distribution using asymmetric encryption includes simple secret key
distribution and the hybrid scheme.
