PKI and Identity-Based Encryption Secure IT Conference 2007 Guido Appenzeller Voltage Security

Secure IT Conference Identity-Based Encryption (IBE) IBE is a new public key encryption algorithm  A number of widely-used encryption algorithms are already available (AES, RSA, ECC etc.)  Why on earth should we care about a new one? 1. IBE results in vastly simplified key management 2. As a result, IBE based solutions have a much lower total cost of ownership and much higher usability 3. It has gained widespread adoption in Industry and has opened up the use of encryption to new use cases

Identity-Based Encryption

Secure IT Conference Identity-Based Encryption Basic Idea: Public-key Encryption where Identities are Public Keys  IBE Public Key:  RSA Public Key: Public exponent=0x10001 Modulus=

Secure IT Conference IBE does not need certificates  Certificates bind Public Keys to Identities  e.g. has key 0x87F6…  Signed by a Certification Authority  In IBE, Identity and Public Key is the same  No certificate needed  No certificate revocation  No certificate servers  No pre-enrollment X

Secure IT Conference Identity-Based Encryption (IBE)  IBE is an old idea  Originally proposed by Adi Shamir, co-inventor of the RSA Algorithm, in 1984  First practical implementation  Boneh-Franklin Algorithm published at Crypto 2001  Based on well-tested building blocks for encryption (elliptic curves and pairings)  IBE is having a major impact already  Over 200 scientific publications on IBE/Pairings  Boneh-Franklin paper cited 450 times so far (Google Scholar)  Dan Boneh awarded 2005 RSA Conference Award for Mathematics for inventing IBE

Secure IT Conference How IBE works in practice Alice sends a Message to Bob Key Server key request + authenticate master secret public params

Secure IT Conference How IBE works in practice Second Message to Bob Key Server public params Fully off-line - no connection to server required

Secure IT Conference The IBE Key Server  Master Secret is used to generate keys  Each organization has a different secret  Thus different security domains  Server does not need to keep state  No storage associated with server  Easy load balancing, disaster recovery Key Server Master Secret s = Request for Private Key for Identity

Secure IT Conference User authentication Authentication needs differs by Application  More sensitive data, requires stronger authentication  Even for one organization, very different needs for different groups of users Key Server Auth. Service External authentication  Leverage existing passwords, directories, portals, etc.  One size doesn’t fit all

Secure IT Conference OMB Level: Level 1 Level 2 Level 4 Level 3 No Authentication answerback (VeriSign Class 1) answerback w/ passwords Directory with pre-enrollment Windows domain controller or SSO RSA SecurID PKI Smart Card, USB Token Three factor auth (Bio+PKI+PIN) Pre-enrollment Self-provisioning OOB password with call center reset The Authentication Gradient

Secure IT Conference Key Revocation, Expiration and Policy  What happens if I lose my private key?  Key validity enables revocation – “key freshness”  Every week public key changes, so every week a new private key is issued  revocation can be done on weekly basis  To revoke someone, simply remove him from the authentication mechanism (e.g. corporate directory) address key validity || week = 252

Secure IT Conference IEEE – Pairing Based IBE Standard  IEEE 1363 Standards Group  Wrote standard on RSA and Elliptic Curve Cryptography  Now taking steps to standardize IBE  IEEE  “Identity-Based Cryptographic methods using Pairings”  Main focus is on IBE, but also related methods (e.g. ID based signatures)  Strong support from Government and Industry  Meetings attended by representatives from NIST, NSA, HP, Microsoft, Gemplus, Motorola and others

Secure IT Conference IETF – IBE based Secure Standard  Internet Engineering Task Force  Sets standards for the Internet  TCP/IP, IPSec, HTTP, TLS, DNS etc.  Effort through the S/MIME Group  S/MIME today implemented in all major clients  IBE as an additional key transport for S/MIME  Standard includes IBE Key Request Protocol, IBE Parameter Lookup Protocol and selected IBE Algorithms  Final RFC expected in 2007

Secure IT Conference Standard Textbooks incorporating Identity-Based Encryption Elliptic Curves by Lawrence C. Washington Handbook of Elliptic and Hyperelliptic Curve Cryptography by Henri Cohen, Gerhard Frey Elliptic Curves in Cryptography Edited by Ian Blake, Gadiel Seroussi and Nigel Smart Cryptography: Theory and Practice (3 rd Ed.) by Douglas R. Stinson

Secure IT Conference Awards for IBE Products  IAPP Privacy Innovation Technology Award  AlwaysOn Top 100 Companies - July 2005  Red Herring 100 Top Private Companies 2005  Gartner Group – Cool Security Vendor 2005  eWeek Finalist 2005 – Management and Security  RSA 2005 Prize for Mathematics – Dr. Dan Boneh  SC Magazine Finalist 2005 – Best Security Solution and Best Encryption Solution  AlwaysOn “Top new innovator company” – July 2004  InfoWorld Innovators Award - May 2004 Bank  Network World “Tops in Innovation” - February, 2004  Technology News “Top Ten Technology Companies” - August, 2003 RSA Mathematics Prize 2005

Key Management

Secure IT Conference Encryption today is a solved problem Example: Encrypting an message Alice Bob Encryption Key Decryption Key How do we make sure Alice and Bob have the right keys?

Secure IT Conference What is hard about managing keys?  Enrollment  Key creation, duplicate keys  Distribution  Lookup, Storage and Access  Finding the encryption key of a recipient  Recovery of decryption keys Virus scanning, spam filtering Archiving s for compliance  Synchronizing distributed key stores  Key life cycle  Revoking keys, expiring keys  Backup of keys, disaster recovery

Secure IT Conference Key Management for Symmetric Keys Example: Organization with 8 people Key Store 28 keys How many keys total for 8 people? Key Server

Secure IT Conference Key Management with Symmetric Keys  One key per pair of users  Network of 8 parties requires managing 28 keys  Network of 1000 users requires 500,000 keys  Network of N parties requires N(N+1)/2 keys  Alternative: One key per  Network of 1000 users  Assume 50 s per user per day  18,250,000 keys per year  Key management with symmetric keys doesn’t scale!

Secure IT Conference Public Key Infrastructure (PKI)  Public Key Encryption  Users have a Public Key and a Private Key  Only need one key per party, total of N keys for N parties  Keys are bound to users with Certificates  Examples: RSA, Elliptic Curve etc.  Managing PKI has issues of its own  How do I create certificates for everyone?  How do I revoke a certificate?  How do I find the certificate of a recipient?  How do I manage certificate distribution  What do I do if private keys are lost  …

Secure IT Conference Key Management - Public Key Infrastructure Certificate Server binds Identity to Public Key Send Public Key, Authenticate Receive Certificate CA Signing Key Certification Authority CA Public Key Certificate Server Store Certificate Look up Bob’s Certificate, Check revocation CA Public Key Bob’s Private Key Bob’s Public Key Recovery Server Store Bob’s Private Key

Secure IT Conference Key Management - IBE Binding is done by mathematics IBE Key Server Master Secret Send Identity, Authenticate Receive Private Key Public Parameters Bob’s Private Key Certificate Server Store Certificate Look up Bob’s Certificate, Check revocation X Recovery Server Store Bob’s Private Key X

Deploying IBE Systems Example: Security

Secure IT Conference Secure – Deployment Options Today It’s not just Alice and Bob Virus Audit Archive Internet Normal Client Gateway Client with plug-in Blackberry BES Server System Generated Web Mail (via ZDM) Mobile Devices Client (via ZDM) Client (via plug-in) Client with plug-in IntranetDMZInternetRecipient’s Network

Secure IT Conference Gateways Internal NetworkINTERNET User receives decrypted 3 Encrypted arrives 1 Gateway decrypts 2 Key Server IBE Gateway

Secure IT Conference Inspecting Secured Data IBE allows content inspection for end-to-end encrypted data DMZLANINTERNET IBE Server Exchange, Domino, etc. User receives encrypted 3 GW Virus Audit Archive is scanned 2 Encrypted arrives 1 GW

Secure IT Conference  IBE Key Servers are “stateless”  No certificates to store  No private keys to store  No revocation lists  Easy to load-balance  Just put two of them next to each other  Easy backup and disaster recovery  Only master secret and policy needs to be backed up  Size: < 100 kByte, fits on floppy disk  Master secret is long lived, only need to back up once  Same for 100 or 100,000 users IBE Systems are extremely Scalable

Secure IT Conference  IBE Systems have a substantially lower TCO  Case Study: For encryption, IBE costs 30% of PKI  Less infrastructure needed, less additional FTE to manage solution  Fewer components to be concerned with Disaster Recovery  Easier user experience – less training and help desk support [Source: Ferris Research Case Study on Voltage Secur ] Total Cost of Ownership

Secure IT Conference Summary  IBE is a major breakthrough in Key Management  Much lower total cost of ownership than PKI  Better usability and deployment characteristics  Highly Scalable  Where to learn more  IEEE , IETF S/Mime Standards 