Chapter 14

Key Management
PRASAD B
Asst. Prof.
Domain:K9
School of Computing and Information Technology
Lovely Professional University

Email:

[email protected]
[email protected]

14.1
 Chapter 14
Objectives
 To explain the need for a key-distribution center
 To show how a KDC can create a session key
 To show how two parties can use a symmetric-key
agreement protocol to create a session key
 To describe Kerberos as a KDC and an
authentication protocol
 To explain the need for certification authorities
for public keys
 To introduce the idea of a Public-Key
Infrastructure (PKI) and explain some of its duties

14.2
 14-1 SYMMETRIC-KEY DISTRIBUTION

Symmetric-key cryptography is more efficient than

asymmetric-key cryptography for enciphering large
messages. Symmetric-key cryptography, however,
needs a shared secret key between two parties. The
distribution of keys is another problem.

Topics discussed in this section:

14.1.1 Key-Distribution Center: KDC
14.1.2 Session Keys
14.3
 14.1.1 Key-Distribution Center: KDC

Figure 14.1 Key-distribution center (KDC)

14.4
 14.1.1 Continued

Flat Multiple KDCs.

Figure 14.2 Flat multiple KDCs

14.5
 14.1.1 Continued
Hierarchical Multiple KDCs

Figure 14.3 Hierarchical multiple KDCs

14.6
 14.1.2 Session Keys
A KDC creates a secret key for each member. This secret
key can be used only between the member and the KDC,
not between two members.

Note
A session symmetric key between two parties is
used only once.

14.7
 14.1.2 Continued
A Simple Protocol Using a KDC
Figure 14.4 First approach using KDC

14.8
 14.1.2 Continued
Needham-Schroeder Protocol

Figure 14.5
Needham-Schroeder
protocol

14.9
 14.1.2 Continued
Otway-Rees Protocol

Figure 14.6
Otway-Rees protocol

14.10
 14-2 KERBEROS

A backbone
Kerberos is an network allows protocol,
authentication several and
LANs to same
at the be
connected.
time a KDC, In that
a backbone
has become network, no station
very popular. is
Several
directly connected
systems, includingto Windows
the backbone;
2000,the use
stations are
Kerberos.
part of a LAN,
Originally and the
designed backbone
at MIT, connects
it has the LANs.
gone through several
versions.

Topics discussed in this section:

14.2.1 Servers
14.2.2 Operation
14.2.3 Using Different Servers
14.2.4 Kerberos Version 5
14.2.5 Realms
14.11
 14.2.1 Servers
Figure 14.7 Kerberos servers

14.12
 14.2.1 Continued

Authentication Server (AS)

The authentication server (AS) is the KDC in the
Kerberos protocol.

Ticket-Granting Server (TGS)

The ticket-granting server (TGS) issues a ticket for the
real server (Bob).

Real Server
The real server (Bob) provides services for the user
(Alice).

14.13
 14.2.2 Operation
Figure 14.8 Kerberos example

14.14
 14.2.3 Using Different Servers

Note that if Alice needs to receive services from different

servers, she need repeat only the last four steps.

14.15
 14.2.4 Kerberos Version 5

The minor differences between version 4 and version 5

are briefly listed below:

1) Version 5 has a longer ticket lifetime.

2) Version 5 allows tickets to be renewed.
3) Version 5 can accept any symmetric-key algorithm.
4) Version 5 uses a different protocol for describing data
types.
5) Version 5 has more overhead than version 4.

14.16
 14.2.5 Realms

Kerberos allows the global distribution of ASs and TGSs,

with each system called a realm. A user may get a ticket
for a local server or a remote server.

14.17
 14-3 SYMMETRIC-KEY AGREEMENT

Alice and Bob can create a session key between

themselves without using a KDC. This method of
session-key creation is referred to as the symmetric-
key agreement.

Topics discussed in this section:

14.3.1 Diffie-Hellman Key Agreement
14.3.2 Station-to-Station Key Agreement

14.18
 14.3.1 Diffie-Hellman Key Agreement

Figure 14.9 Diffie-Hellman method

14.19
 14.3.1 Continued

Note
The symmetric (shared) key in the Diffie-Hellman
method is K = gxy mod p.

14.20
 14.3.1 Continued

Example 14.1
Let us give a trivial example to make the procedure clear. Our
example uses small numbers, but note that in a real situation, the
numbers are very large. Assume that g = 7 and p = 23. The steps
are as follows:
1. Alice chooses x = 3 and calculates R1 = 73 mod 23 = 21.
2. Bob chooses y = 6 and calculates R2 = 76 mod 23 = 4.
3. Alice sends the number 21 to Bob.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 43 mod 23 = 18.
6. Bob calculates the symmetric key K = 216 mod 23 = 18.
7. The value of K is the same for both Alice and Bob;
gxy mod p = 718 mod 35 = 18.

14.21
 14.3.1 Continued
Example 14.2

Let us give a more realistic example. We used a program to create

a random integer of 512 bits (the ideal is 1024 bits). The integer p
is a 159-digit number. We also choose g, x, and y as shown below:

14.22
 14.3.1 Continued
Example 14.2 Continued

The following shows the values of R1, R2, and K.

14.23
 14.3.1 Continued

Figure 14.10 Diffie-Hellman idea

14.24
 14.3.1 Continued

Security of Diffie-Hellman

Discrete Logarithm Attack

Man-in-the-Middle Attack

14.25
 14.3.1 Continued
Figure 14.11 Man-in-the-middle attack

14.26
 14.3.2 Station-to-Station Key Agreement
Figure 14.12 Station-to-station key agreement method

14.27
 14-4 PUBLIC-KEY DISTRIBUTION

In asymmetric-key cryptography, people do not need to

know a symmetric shared key; everyone shields a
private key and advertises a public key.

Topics discussed in this section:

14.4.1 Public Announcement
14.4.2 Trusted Center
14.4.3 Controlled Trusted Center
14.4.4 Certification Authority
14.4.5 X.509
14.4.6 Public-Key Infrastructures (PKI)
14.28
 14.4.1 Public Announcement

Figure 14.13 Announcing a public key

14.29
 14.4.2 Trusted Center
Figure 14.14 Trusted center

14.30
 14.4.3 Controlled Trusted Center
Figure 14.14 Controlled trusted center

14.31
 14.4.4 Certification Authority
Figure 14.16 Certification authority

14.32
 14.4.5 X.509

Certificate
Figure 14.17 shows the format of a certificate.

14.33
 14.4.5 Continued

Certificate Renewal
Each certificate has a period of validity. If there is no
problem with the certificate, the CA issues a new
certificate before the old one expires.

Certificate Renewal
In some cases a certificate must be revoked before its
expiration.

Delta Revocation
To make revocation more efficient, the delta certificate
revocation list (delta CRL) has been introduced.

14.34
 14.4.5 Continued

Figure 14.17 Certificate revocation format

14.35
 14.4.6 Public-Key Infrastructures (PKI)

Figure 14.19 Some duties of a PKI

14.36
 14.4.6 Continued
Trust Model

Figure 14.20 PKI hierarchical model

14.37
 14.4.6 Continued

Example 14.3
Show how User1, knowing only the public key of the CA (the
root), can obtain a verified copy of User3’s public key.

Solution
User3 sends a chain of certificates, CA<<CA1>> and
CA1<<User3>>, to User1.

a. User1 validates CA<<CA1>> using the public key of CA.

b. User1 extracts the public key of CA1 from CA<<CA1>>.
c. User1 validates CA1<<User3>> using the public key of CA1.
d. User1 extracts the public key of User 3 from CA1<<User3>>.

14.38
 14.4.6 Continued

Example 14.4
Some Web browsers, such as Netscape and Internet Explorer,
include a set of certificates from independent roots without a
single, high-level, authority to certify each root. One can find the
list of these roots in the Internet Explorer at Tools/Internet
Options/Contents/Certificate/Trusted roots (using pull-down
menu). The user then can choose any of this root and view the
certificate.

14.39
 14.4.6 Continued

Figure 14.21 Mesh model

14.40
 14.4.6 Continued

Example 14.5
Alice is under the authority Root1; Bob is under the authority
Root4. Show how Alice can obtain Bob’s verified public key.

Solution
Bob sends a chain of certificates from Root4 to Bob. Alice looks at
the directory of Root1 to find Root1<<Root1>> and
Root1<< Root4>> certificates. Using the process shown in Figure
14.21, Alice can verify Bob’s public key.

14.41