Key establishment and certificates

Question 1

What is key establishment?

Answer 1

The process of setting up cryptographic keys to protect a subsequent communication session

Question 2

What does key establishment in TLS use public keys for?

Answer 2

To allow clients and servers to share a new communication key

Question 3

What phases does key management consist of?

Answer 3

Generation

distribution

storage

destruction

Question 4

What is key generation?

Answer 4

Process of generating keys, ideally random keys

Question 5

What is key distribution?

Answer 5

Process of distributing the keys in a secure fashion

Question 6

What is key storage?

Answer 6

Way of storing keys in such a way that they are available for use, but not to unautherized users

Question 7

What is key destruction?

Answer 7

Process of destroying a key, as removing it from memory is not always easy

Question 8

Name 3 types of keys

Answer 8

Long-term

Ephemeral

Session

Question 9

What are long-term keys?

Answer 9

Intended to be used for a long time (hours, months, years, etc.)

Either symmetric or asymmetric

Question 10

What are ephemeral keys?

Answer 10

Generated for single use, then deleted (e.g. diffie hellman)

Question 11

What are session keys?

Answer 11

Used for one communication session (seconds, hours, a day)

Usually symmetric with ciphers such as AES (authenticated encryption)

Sessions should be independent

Question 12

What does it mean to have independent sessions?

Answer 12

The compromise of one key does not affect other sessions.

Question 13

What is a typical usage of long-term and ephemeral keys?

Answer 13

Used in establishment of session keys

Question 14

What are the security goals of key establishment protocols?

Answer 14

Authentication: If a party A completes the protocol and believes the session key Kab is shared with B, then Kab should not be shared with a different party C. Authentication can be mutual or unilateral

Confidentiality: An adversary is unable to obtain the session key accepted by a prticular party

Question 15

What is mutual authentication?

Answer 15

When both parties achieve the authentication goals

Question 16

What is unilateral authentication?

Answer 16

The authentication goals are only achieved by one side

Question 17

What are 3 approaches to key establishment protocols?

Answer 17

Key pre-distribution

Key transport

Key agreement

Question 18

What is key pre-distribution?

Answer 18

Keys are set in advance.

A trusted authority (TA) generates and distributes long-term keys to all users when they join the system.

The TA only operates in the pre-distribution phase, and don’t need to be online afterwards

Question 19

What is key transport?

Answer 19

One party chooses the key and distributes it

A TA shares a long-term shared key with each user

TA generates and sends session keys to users when requested and protected by the long-term keys

TAs must be trusted, and they are a single point of attack

Question 20

What is key agreement?

Answer 20

Two or more parties contribute to the session key

Usually add authentication with public keys, for example by signing the exchanged messages

Question 21

What can be a problem with key transport?

Answer 21

Scalability

Question 22

What is Kerberos?

Answer 22

Example of key transport establishment.

A SSO solution: users only provide username and password once for a session

Kerberos provides access selectively for different online services using individual tickets

Kerberos establishes a session key to deliver confidentiality and integrity services for each service access

Question 23

How does key transport work with asymmetric cryptography?

Answer 23

1. One user chooses key material and sends it encrypted with the other party’s public key
2. Each party includes a random nonce to ensure that their key is new
3. A key derivation function (KDF) binds the secret key material with other protocol elements to avoid some attacks.

Question 24

What are some properties of a standard KDF?

Answer 24

Uses HMAC

Can be thought of as a hash function

Question 25

Describe the Key transport protocol

Answer 25

2 parties: A and B

PKa: A’s public encryption key
Z: Random value generated by B
Kab: Session key
IDa: Identity of A
IDb: Identity of B

A sends IDa and Na to B
B sends IDb, Nb, E(Z, PKa) to A

Kab = KDF(Z, IDa, IDb, Na, Nb)

Question 26

What is a widely used key agreement protocol?

Answer 26

Diffie-Hellman

Question 27

What is the usual method of key establishment in TLS today?

Answer 27

TLS includes Diffie-Hellman

Question 28

Describe signed Diffie-Hellman?

Answer 28

Parties: A and B
Identities: IDa and IDb

G: Group where computation takes place
g: Generator og G

a: random value chosen by A up to the order of G
b: random value chosen by B up to the order of G

SigA(m): a digital signature on message m by A
SigB(m): a digital signature on message m by B

Parties want to share session key
Both parties need each other’s public signature verification keys.

Question 29

What secrecy does signed Diffie Hellman provide?

Answer 29

Forward secrecy because the long-term (signing) keys are only used for authentication

Question 30

How does the signed Diffie-Hellman protocol work?

Answer 30

A sends IDa, g^a

B sends IDbm G^b, SigB(IDb, IDa, G^b, g^a)

A sends SigA(IDa, IDb, g^a, g^b)

A checks the signature received from B in step 2. If it is valid A computes the shared secret:
Z = (g^b)^a = g^ab

B then checks the signature received from A. If valid, computes Z:
Z = (g^b)^a = g^ab

Session key:
Kab = KDF(Z, IDa, IDb, g^a, g^b)

Question 31

What happens when a long-term key is compromised?

Answer 31

Attacker can act as the owner of the long-term key.

Previous sessions can be compromised.

Question 32

What is (perfect) forward secrecy?

Answer 32

When compromise of long-term private keys does not reveal session keys previously agreed using those long-term keys

Question 33

What is Post-compromise security (PCS)

Answer 33

Protocols that can recover when long-term keys are compromised - also known as self-healing protocols.

The long-term key must evolve over time so that the attacker becomes locked out when the key updates.

Question 34

What are self-healing protocols?

Answer 34

Protocols that can recover adter a long-term key is compromised

Question 35

In what situations does PCS work?

Answer 35

When the attacker is passive

Question 36

What is a way to achieve PCS?

Answer 36

Send a new Diffie-Hellman share with every message and change the session key also after every message

Question 37

Does forward secrecy provide post-compromise security?

Answer 37

No, not by itself

Question 38

What does digital certificates contain?

Answer 38

A public key and the owner identity

Often information such as signature algorithm and validity period

Question 39

What are digital signatures used for?

Answer 39

Make sure we can be confident about the correct binding between a public key and its owner.

Important when using a public key to encrypt a message or to verify a digital signature

Question 40

What is a certification authority (CA)?

Answer 40

Creates, issues and revokes certificates for users and other CAs

Have a certification practice statement (CPS)

Question 41

What is public key infrastructure PKI?

Answer 41

A framework that is established to issue, maintain and revoke public-key certificates

Question 42

What entities can be involved in PKIs?

Answer 42

Registration authorities
Naming authorities
Certification authorities

Question 43

What does registration authorities do?

Answer 43

Manages identities?

Question 44

What does naming authorities do?

Answer 44

Manage domain naming

Question 45

What does a CPS cover?

Answer 45

Covers issues such as:
- Does checks performed before certificate issue
- Physical, personnel and procedural security controls for the CA
- Technical and key pair protection and management controls
- Certificate revocation management procedures
- Audit procedures for the CA
- Accreditation information
- legal and privacy issues and liability limitations

Question 46

How are certificates verified?

Answer 46

By checking that the CA signature is valid

Check that conditions set in the certificate are correct

The user of the certificate must have the correct public key of the CA

Question 47

How can users obtain certificates?

Answer 47

Sent by owner during a protocol run

distributed with web browsers

In public directories

As part of DNS record

Question 48

What are certification paths?

Answer 48

A chain of trust where CA_n certifies the public key of CA_(n-1) which further certifies the public key of CA_(n-2)

If an entity has a trusted copy of the public key of CAn, the certification path for all the intermediate CAs can be used to obtain a trusted copy of the public key of CA0

Question 49

What is the structure of hierarchical PKIs?

Answer 49

Have root CA, intermediate CAs and users

CAs certify the public key of the entity below

Tree structure

Question 50

How does non-hierarchical PKI work?

Answer 50

Any CAs can certify any CAs public key

Question 51

Describe browser PKIs

Answer 51

Contain multiple hierarchies with preloaded public keys as root CAs

CAs and intermediate CAs can be added

Question 52

What certificates are self-signed?

Answer 52

Root certificates

The CA for the root is the root itself

Question 53

What are two widely deployed revocation mechanisms?

Answer 53

Certificate revocation lists (CRL)

Online certificate status protocol (OCSP)

Question 54

Describe Certificate revocation lists (CRL)

Answer 54

Each CA periodically issues a list of revoked certificates which can be downloaded and then checked by clients

Question 55

Describe Online certificate status protocol (OCSP)

Answer 55

A server maintains a current list of revoked certificates and responds to requests about specific certificates

Question 56

Describe the notation of the Needham-Schroeder protocol

Answer 56

Parties to establish session key: A, B
S: The key that is the trusted authority

Shared secret keys: Kas, Kbs, Kab
Long-term: Kas, Kbs (shared by A and S, and B and S)
Kab: Session key generated by S

Na, Nb: Randomly generated nonce for one time use

S -> A: M (S sends message M to A)

{X}_K: Authenticated encryption of message X using the shared secret key K

Question 57

What attack is the Needham-Schroeder protocol vulnerable to?

Answer 57

Replay attack

Question 58

What is a replay attack?

Answer 58

An attacker is able to replay old protocol messages and the honest party accepts an old session key

Question 59

How does the replay attack work on Needham-schroeder?

Answer 59

An attacker C obtains a session key K’ab previously established between A and B

C masquerades as A and is thus able to persuade B to use the old key K’ab

Question 60

Look at the Figures on slide 31, 33, 34

Question 61

How can we defend against replay attacks?

Answer 61

The key established must be fresh for each session

Question 62

What are three mechanisms used to achieve freshness?

Answer 62

Random challenges (nonces)
Timestamps (string on the current time)
Counters (increased for each message)

Question 63

What is the repaired Needham-Schroeder protocol?

Answer 63

Uses random challenges to provide freshnes

Question 64

What are tickets in regards to Needham-Schroeder?

Answer 64

Way to fix the NS protocol by using a key with a validity period

When A wishes to obtain access to server B, the auth server S issues a ticket to allow A access

Ticket format: {Kab, IDa, IDb, Tb}Kbs

Tb: A timestamp, which can be interpreted as a validity period

A can obtain the ticket and use it to gain access to B at any time while Tb is still valid

Question 65

Describe the 3 level Kerberos protocol

Answer 65

Level 1: Client C interact with auth server AS to obtain a ticket-granting ticket (happens once per session)

Level 2: C interacts with ticket-granting server TGS to obtain a service ticket - happens once for each server during the session

Level 3: C interacts with app server V to obtain a service - happens each time client requests service during session

Question 66

In 3 level kerberos, what information is sent between C and AS in level 1?

Answer 66

C to AS: IDc, IDtgs, N1

AS to C: {Kc, IDtgs, N1}Kc, ticket_tgs
Kc: Symmetric key shared with AS
N1: Nonce used by C to check that K_(c, tgs) is fresh

Ticket: {K_(c, tgs), IDc, T1}Ktgs
T1: Validity period
K_(c, tgs): Symmetric key generated by AS to share with TGS
Ktgs: Long-term key shared between AS and TGS

Result: User has ticket-granting ticket, which can be used to obtain different service granting. tickets

Question 67

What is the result of level 2 interaction with TGS?

Answer 67

User has service-granting ticket which can be used to obtain access to a specific server

Question 68

TODO: Go through figures for 3-level Kerberos (40, 42, 44)

Question 69

What is the result of level 3 interaction with TGS?

Answer 69

User has secure access to a specific server V

Question 70

What are some limitations of Kerberos?

Answer 70

Limited scalability: Each realm needs to share a key with each other realm

Suited for corporate environments with shared trust

Offline password guessing is a possible attack when Kc is derived from a human memorable password

The standard does not specify how to use the session key once it is established