Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tolga Acar 24 Feb. 2011 1 Distributed Key Management and Cryptographic Agility.

Published byEaster Gallagher Modified over 8 years ago

Similar presentations

Presentation on theme: "Tolga Acar 24 Feb. 2011 1 Distributed Key Management and Cryptographic Agility."— Presentation transcript:

1 Tolga Acar 24 Feb. 2011 1 Distributed Key Management and Cryptographic Agility

2 Overview Distributed Key Lifecycle – Problem statement and status quo – Distributed Key Manager – Typical application scenario and architecture Hardware Rooted Key Management – How to use TPMs for key management – TPM Key hierarchy Diving into Cryptographic Theory – Security Definitions – Cryptographic Agility 2

3 Distributed Key Management 3 Where is the correct key? How is it protected?

4 Key Lifecycle Model Creation. A key object is created on at least one replica, but its attributes (e.g., key value) are not set. Initialization. The key object has all its core key attributes set on at least one replica. Full Distribution. An initialized key is available on all replicas. Active. An initialized key is available for cryptographic operations on at least one replica. Inactive. An initialized key is available for some cryptographic operations on all replicas (e.g., decrypt, only). Termination. An initialized key is permanently deleted from all replicas. 4

5 Key State Transitions 5 Cryptographic operations Create and initialize a key

6 DKM Problem Statement No cross-user and cross-machine data protection – Windows Data Protection API (DPAPI) is single-user, single-machine. – KeyCzar and PKCS#11 uses local keys; no distribution mechanism. Engineering problem – Ad-hoc key management groups (protection siloes) – Scalability & Availability (10Ks of machines) – Geo-redundancy (multiple data centers) – Key lifecycle management (automation) Cryptography problem – Protect arbitrary data (broad applicability) – Use existing algorithms (e.g. AES, HMAC-SHA2) – Automatically update group keys (key rollover) – Crypto agile (algorithm and key length changes) 6

7 DKM Architecture 7

8 DKM Approach Active Directory Approach – Key storage is straightforward Store group keys in AD objects Protect keys with AD object ACLs AD security groups correspond to principals / groups – Rely on Active Directory replication for high availability – Network transport is secure (LDAP with Kerberos) DKM provides – Auto key update mechanism – Multiple groups and multiple keys per group – Cryptographic policy per domain and per group – Crypto agility 8

9 Walkthrough: DKM in Hosted E-Mail Scenario: – Hosting mail for multiple tenants in a datacenter – Product supports message aggregation from other providers for users with multiple email accounts User signs in once E-Mail Server fetches and aggregates mail – Tenant Admins must be able to perform Administrative tasks But should NOT be able to read user credentials 9

10 Walkthrough: DKM in Hosted E-Mail 10

11 DKM in Hosted E-Mail 11

12 DKM-TPM Motivation Secret Protection Technology: Approach sits between a pure HSM solution and a full software solution. ExpensiveModerateInexpensive Cost: Very SecureMore Secure Moderate (OS-Dependent) Security: HardEasierEasy Deployment: HSM Hardware Security Module HSM Hardware Security Module TPM -b ased Crypto TPM -b ased Crypto Software Crypto No Hardware Software Crypto No Hardware

13 DKM-TPM Key Hierarchy

14 DKM-TPM Roles 1.Master (Root of Trust) Root of Trust for TPM public keys Role assignment to TPM public keys Push to Stores 2.Store (Repositories) DKM repository (keys, policies, and metadata) DKM Responder Responds to requests from Masters, Stores, and Nodes 3.Node (Application servers) Cryptographic operations with DKM keys Client API Sends requests to Stores

15 DKM-TPM Roles Master Master PK List Store PK List Node PK List Configuration Store DKM Keys Policies Master PK List Store PK List Node PK List Configuration Node Master PK List Store PK List Node PK List Configuration CommServerCommClient TPM KM & CryptoRepository TPM KM & CryptoRepository TPM KM & CryptoRepository Node Logic & APIStore Logic & APIMaster Logic & API

16 Cryptosystem Security Definitions Probabilistic Polynomial-Time (PPT) adversaries – Probabilistic randomized algorithm that gives the correct answer with > ½ probability. Random Oracle Model (RO or ROM) – Black box with a stateful uniform random response 16 y  {0, 1}* If (x in A)y  Fetch(A,x) ElseStore(x,y) in A Return y Random Oracle x y

17 Attack Game Encryption scheme security definitions – IND-R: Indistinguishability from Random – IND-CPA: Indistinguishability under Chosen Plaintext Attack (a.k.a. semantic security) – IND-CCA: Indistinguishability under Chosen Ciphertext Attack IND-CPA ⊂ IND-CCA 17 b  {0, 1} C = Enc(K, m b ) Return C Left-Right Oracle m 0, m 1 C Guess b? IND-CPA Game

18 Ciphertext Attacks IND-CCA2: Indistinguishability under adaptive chosen ciphertext attack – Decryption Oracle access (non-trivial) Non-adaptive – Query the decryption oracle till the challenge ciphertext is received Adaptive – Continuous queries to the oracle (max q queries) IND-CPA ⊂ IND-CCA ⊂ IND-CCA2 18

19 IND-CCA/CCA2 Game 19 m = Dec(K, C) Decrypt m 0, m 1 C Queries {m,C} Responses {C,m} C = Enc(K, m) Encrypt b  {0, 1} C = Enc(K, m b ) Left-Right Oracle C m m = Dec(K, C) Decrypt Guess b? Challenge Adaptive (CCA2) Adversary Free Oracle Access

20 Cryptographic Agility Cryptographic primitives as sets: – PRF = {F : F is a secure pseudorandom function} – AE = {F : F is a secure authenticated encryption scheme} Assume F 1 and F 2 have the same key space and length Informal Definition: A primitive Π is agile if any F 1, F 2 ∈ Π can securely use the same key. 20 F1F1 F2F2 K

21 Pseudo Random Function Agility Facts PRF: F is a PRF if no efficient adversary can distinguish F(K,.) from a random function. F 1 (K 1,x) and F 2 (K 2,x) are not distinguishable from a pair of random functions. 21 x F 1 (K,x) F1F1 F2F2 x F 2 (K,x) K Definition: A set {F 1,F 2 } is agile if F 1 (K,x) and F 2 (K,x) are not distinguishable from a pair of random functions. Question: Are PRFs agile? – Yes, if every {F 1,F 2 } is agile. Answer: No. – Example: F 2 (K,x) = NOT (F 1 (K,x)) Now, what?

22 Agility in Practice Certain primitives are agile: collision-resistant hash functions Strong agility is achievable in practice: Authenticated Encryption – Don’t use the key directly in the encryption algorithm – Use a derived subkey in 22 ⊥ (x,F 1 (K,x)) F1F1 F2F2 K PRF-based security for Authenticated Encryption: CCM, GCM, etc. – Pick a PRF from a small agile set Encryption of M with K, with PRF – K ae = PRF(K, ) – C = E(K ae, M) Decryption – K ae = PRF(K, ) – M = D(K ae, C)

23 Two provably secure methods for authenticated encryption Encrypt(Key, Msg) R := random IV := random K* := KDF(Key, Enc:AlgID, MAC:AlgID, R) sig := MAC(K*.MacKey, Msg) ctext := Encrypt(K*.EncKey, IV, Msg || sig) return R || ctext Encrypt(Key, Msg) R := random IV := random K* := KDF(Key, Enc:AlgID, MAC:AlgID, R) ctext := Encrypt(K*.EncKey, IV, Msg) sig := MAC(K*.MacKey, ctext) return R || ctext || sig Finally resolving the MAC-then-encrypt vs encrypt-then-MAC debate ….both are now secure with the help of a KDF!

Download ppt "Tolga Acar 24 Feb. 2011 1 Distributed Key Management and Cryptographic Agility."

Similar presentations

Authentication Applications The Kerberos Protocol Standard

Authentication Applications The Kerberos Protocol Standard
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Security Definitions in Computational Cryptography

Security Definitions in Computational Cryptography
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.

1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
Practical Techniques for Searches on Encrypted Data Author:Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀汶承.

Practical Techniques for Searches on Encrypted Data Author:Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀汶承.

Similar presentations

Ads by Google