Apr 30, 2002 Mårten Trolin 1

Previous lecture – passwords

• Passwords for authentication– Storing hashed passwords

– Use of salt

• Passwords for key generation– PKCS#5

Apr 30, 2002 Mårten Trolin 2

Today’s program – key generation and distribution

• Generating keys

• Distributing keys– Key splitting

• Master key and derived keys

• Key lengths– Symmetric keys

– Asymmetric keys

Apr 30, 2002 Mårten Trolin 3

Generating keys

• Key generation requires a good source of random bits– Bad key material makes system vulnerable to attacks. Has been

done in practice.

– Hardware generators provide the best source.

– For end-user applications - some user interaction can be used (mouse movement, key strokes, etc.)

– Using system time for high security requirements is a bad idea!

• For high-security applications, key generation should take place in a closed environment.

Apr 30, 2002 Mårten Trolin 4

Distributing symmetric keys

• Symmetric keys are very sensitive and must be distributed with great care.

• Depending on how valueable the key is, different approaches are possible.– Send the key to recipient by physically secure means, e.g., by

courier, by registered mail etc.

– If a common key exists, send the new key encrypted under the common key.

– Split the key into components and send the key components with different security officers.

Apr 30, 2002 Mårten Trolin 5

Key splitting

• One option for distributing keys with lower risk is to split the key into components and send the parts separately.

• After generation, the key is split into n parts. To recreate the key, all n parts must be available.

• Knowledge of less than n parts should give as little help as possible for recreating of keys.

• How do we do this?

Apr 30, 2002 Mårten Trolin 6

Splitting into parts of equal length

• When splitting into parts of equal length, the key of length l is split into n components, each of length l / n.

• First part consists of bits 1 through (l / n) – 1, second part of bits l / n though 2(l / n) – 1, etc.

• A disadvantage of this method is that knowledge of several parts reveals parts of the key, and leaves fewer bits for guessing.

Apr 30, 2002 Mårten Trolin 7

Exclusive-or with random bit strings

• If we want to distribute an l-bit key k as n components, we first generate (n – 1) l-bit strings u1, u2, …, un – 1.

• The n’th component is computed as un = k u1 u2 … un – 1, where denotes bitwise XOR.

• The basic properties of XOR gives that u1 u2 … un

= k.

• This method gives higher security, since knowledge of either n – 1 components reveals nothing about the key.– Recall that with the previous method, this knowledge revealed

several key bits, making a brute-force attack on the rest easier.

Apr 30, 2002 Mårten Trolin 8

Distributing keys for asymmetric keys

• Distributing the public part of asymmetric keys is simple – no special security measures are needed.

• Distributing keys in certificates makes it easier to prove the owner of the key.

• If the private part is to be distributed, the same techniques as for symmetric keys can be used.

Apr 30, 2002 Mårten Trolin 9

Key Derivation

• Key derivation is a technique to assign individual keys without having to store a key per user.

• The key information is concentrated into a single master key.

• Every key is derived from this master key.

• The individual keys are computed on-the-fly from the master key and user information.

Encryption Master key

User information

Individual key

Apr 30, 2002 Mårten Trolin 10

Session Keys

• For security reasons it is often a good idea to use different keys for each transaction.

• Keys used only for one transaction are called session keys. Encryption

Individual key

Session information

Session key

Apr 30, 2002 Mårten Trolin 11

Key Management – Setup

• If two systems need to share a common symmetric key, there are several possiblities.

– Can be created by system A and transferred to system B.

– Can be created by system A and transferred to system B.

– Can be created by a third party and transferred both to system A and system B.

System A System B

Master Key

Master Key

Master Key M

aste

r Key

Keygeneration

Apr 30, 2002 Mårten Trolin 12

Zone Master Key – ZMK

• If the two systems have one common symmetric key, this key can be used to encrypt other keys that are sent between the systems.

• This key is often called Zone Master Key, ZMK.• Once this common key has been established, exchanging further

keys is simple.

Apr 30, 2002 Mårten Trolin 13

Symmetric Key Management – Zone Master Key

Configurationsystem Host system

Generation of Zone Master Key

Zone Master Key sent as components to host by security officers

ZMK Component 1

ZMK Component 2

ZMK Component 3

Components reassembled as the host to give the same key

Apr 30, 2002 Mårten Trolin 14

Transfer of Zone Master Key

• When transferring the Zone Master Key, no single person will see the key.

• Key components are given out only one at the time, so that no one person sees all components.

• When combining the components, each component is first encrypted. Only when all components are encrypted do the security officers meet and give all components.

Apr 30, 2002 Mårten Trolin 15

Symmetric Key Management – Key Export

System A System B

System A and system B shares ZMK

Symmetric key encrypted under ZMK and sent

Key ZMK ZMK Key

Symmetric key decrypted at system B

Symmetric key generated

Apr 30, 2002 Mårten Trolin 16

Key length

• Apart from selecting a good algorithm, the key length to be used must be chosen.

• When selecting the key length, you need to take into account security requirements and hardware costs.– Longer keys are more secure, but encryption and decryption

takes longer time.

– How sensitive is the data? Do we need to protect it for twenty seconds, twenty days or twenty years?

– Who do we want to protect ourselves against? The causal eaves-dropper, a competing company or a foreign government?

Apr 30, 2002 Mårten Trolin 17

Symmetric key lengths

• If the symmetric cipher is good, the only way to break the key is to do exhaustive search. For an n-bit key, this requires 2n iterations.

• As of today, 64-bit keys take a few years to crack for someone with enough resources. 128-bit keys are virtually impossible to break, and are likely to stay that way for the foreseeable future.

• Since encryption and decryption is fast, there is usually no reason to use less than 128 bits.

Apr 30, 2002 Mårten Trolin 18

Symmetric key lengths

• The graph below demonstrates how the time necessary to break a key depends on the key length.

Tim

e to

bre

ak

Key length

Apr 30, 2002 Mårten Trolin 19

Asymmetric key lengths

• For asymmetric systems, there are much more efficient ways than exhaustive search to retrieve the key.– For RSA, factoring the modulus gives the private key.

• The longest RSA key that is publicly known to have been broken is 512 bits.– Two years ago, this required 30 CPU-years.

• 1024 bit keys probably remain secure for the next years.

• Be very careful with comparisons between strength of symmetric and asymmetric keys!

Apr 30, 2002 Mårten Trolin 20

Asymmetric keys

• Asymmetric keys often have a longer life-span than symmetric keys.– Symmetric keys are used for session encryption, which often has

to be kept secret only for a limited period.

– Asymmetric keys are used for signatures that may have to remain secure for several decades.

• Analyze the situation and choose the most appropriate solution!