PKI and Identity-Based Encryption Secure IT Conference 2007 Guido Appenzeller Voltage Security
Secure IT Conference Identity-Based Encryption (IBE) IBE is a new public key encryption algorithm A number of widely-used encryption algorithms are already available (AES, RSA, ECC etc.) Why on earth should we care about a new one? 1. IBE results in vastly simplified key management 2. As a result, IBE based solutions have a much lower total cost of ownership and much higher usability 3. It has gained widespread adoption in Industry and has opened up the use of encryption to new use cases
Identity-Based Encryption
Secure IT Conference Identity-Based Encryption Basic Idea: Public-key Encryption where Identities are Public Keys IBE Public Key: RSA Public Key: Public exponent=0x10001 Modulus=
Secure IT Conference IBE does not need certificates Certificates bind Public Keys to Identities e.g. has key 0x87F6… Signed by a Certification Authority In IBE, Identity and Public Key is the same No certificate needed No certificate revocation No certificate servers No pre-enrollment X
Secure IT Conference Identity-Based Encryption (IBE) IBE is an old idea Originally proposed by Adi Shamir, co-inventor of the RSA Algorithm, in 1984 First practical implementation Boneh-Franklin Algorithm published at Crypto 2001 Based on well-tested building blocks for encryption (elliptic curves and pairings) IBE is having a major impact already Over 200 scientific publications on IBE/Pairings Boneh-Franklin paper cited 450 times so far (Google Scholar) Dan Boneh awarded 2005 RSA Conference Award for Mathematics for inventing IBE
Secure IT Conference How IBE works in practice Alice sends a Message to Bob Key Server key request + authenticate master secret public params
Secure IT Conference How IBE works in practice Second Message to Bob Key Server public params Fully off-line - no connection to server required
Secure IT Conference The IBE Key Server Master Secret is used to generate keys Each organization has a different secret Thus different security domains Server does not need to keep state No storage associated with server Easy load balancing, disaster recovery Key Server Master Secret s = Request for Private Key for Identity
Secure IT Conference User authentication Authentication needs differs by Application More sensitive data, requires stronger authentication Even for one organization, very different needs for different groups of users Key Server Auth. Service External authentication Leverage existing passwords, directories, portals, etc. One size doesn’t fit all
Secure IT Conference OMB Level: Level 1 Level 2 Level 4 Level 3 No Authentication answerback (VeriSign Class 1) answerback w/ passwords Directory with pre-enrollment Windows domain controller or SSO RSA SecurID PKI Smart Card, USB Token Three factor auth (Bio+PKI+PIN) Pre-enrollment Self-provisioning OOB password with call center reset The Authentication Gradient
Secure IT Conference Key Revocation, Expiration and Policy What happens if I lose my private key? Key validity enables revocation – “key freshness” Every week public key changes, so every week a new private key is issued revocation can be done on weekly basis To revoke someone, simply remove him from the authentication mechanism (e.g. corporate directory) address key validity || week = 252
Secure IT Conference IEEE – Pairing Based IBE Standard IEEE 1363 Standards Group Wrote standard on RSA and Elliptic Curve Cryptography Now taking steps to standardize IBE IEEE “Identity-Based Cryptographic methods using Pairings” Main focus is on IBE, but also related methods (e.g. ID based signatures) Strong support from Government and Industry Meetings attended by representatives from NIST, NSA, HP, Microsoft, Gemplus, Motorola and others
Secure IT Conference IETF – IBE based Secure Standard Internet Engineering Task Force Sets standards for the Internet TCP/IP, IPSec, HTTP, TLS, DNS etc. Effort through the S/MIME Group S/MIME today implemented in all major clients IBE as an additional key transport for S/MIME Standard includes IBE Key Request Protocol, IBE Parameter Lookup Protocol and selected IBE Algorithms Final RFC expected in 2007
Secure IT Conference Standard Textbooks incorporating Identity-Based Encryption Elliptic Curves by Lawrence C. Washington Handbook of Elliptic and Hyperelliptic Curve Cryptography by Henri Cohen, Gerhard Frey Elliptic Curves in Cryptography Edited by Ian Blake, Gadiel Seroussi and Nigel Smart Cryptography: Theory and Practice (3 rd Ed.) by Douglas R. Stinson
Secure IT Conference Awards for IBE Products IAPP Privacy Innovation Technology Award AlwaysOn Top 100 Companies - July 2005 Red Herring 100 Top Private Companies 2005 Gartner Group – Cool Security Vendor 2005 eWeek Finalist 2005 – Management and Security RSA 2005 Prize for Mathematics – Dr. Dan Boneh SC Magazine Finalist 2005 – Best Security Solution and Best Encryption Solution AlwaysOn “Top new innovator company” – July 2004 InfoWorld Innovators Award - May 2004 Bank Network World “Tops in Innovation” - February, 2004 Technology News “Top Ten Technology Companies” - August, 2003 RSA Mathematics Prize 2005
Key Management
Secure IT Conference Encryption today is a solved problem Example: Encrypting an message Alice Bob Encryption Key Decryption Key How do we make sure Alice and Bob have the right keys?
Secure IT Conference What is hard about managing keys? Enrollment Key creation, duplicate keys Distribution Lookup, Storage and Access Finding the encryption key of a recipient Recovery of decryption keys Virus scanning, spam filtering Archiving s for compliance Synchronizing distributed key stores Key life cycle Revoking keys, expiring keys Backup of keys, disaster recovery
Secure IT Conference Key Management for Symmetric Keys Example: Organization with 8 people Key Store 28 keys How many keys total for 8 people? Key Server
Secure IT Conference Key Management with Symmetric Keys One key per pair of users Network of 8 parties requires managing 28 keys Network of 1000 users requires 500,000 keys Network of N parties requires N(N+1)/2 keys Alternative: One key per Network of 1000 users Assume 50 s per user per day 18,250,000 keys per year Key management with symmetric keys doesn’t scale!
Secure IT Conference Public Key Infrastructure (PKI) Public Key Encryption Users have a Public Key and a Private Key Only need one key per party, total of N keys for N parties Keys are bound to users with Certificates Examples: RSA, Elliptic Curve etc. Managing PKI has issues of its own How do I create certificates for everyone? How do I revoke a certificate? How do I find the certificate of a recipient? How do I manage certificate distribution What do I do if private keys are lost …
Secure IT Conference Key Management - Public Key Infrastructure Certificate Server binds Identity to Public Key Send Public Key, Authenticate Receive Certificate CA Signing Key Certification Authority CA Public Key Certificate Server Store Certificate Look up Bob’s Certificate, Check revocation CA Public Key Bob’s Private Key Bob’s Public Key Recovery Server Store Bob’s Private Key
Secure IT Conference Key Management - IBE Binding is done by mathematics IBE Key Server Master Secret Send Identity, Authenticate Receive Private Key Public Parameters Bob’s Private Key Certificate Server Store Certificate Look up Bob’s Certificate, Check revocation X Recovery Server Store Bob’s Private Key X
Deploying IBE Systems Example: Security
Secure IT Conference Secure – Deployment Options Today It’s not just Alice and Bob Virus Audit Archive Internet Normal Client Gateway Client with plug-in Blackberry BES Server System Generated Web Mail (via ZDM) Mobile Devices Client (via ZDM) Client (via plug-in) Client with plug-in IntranetDMZInternetRecipient’s Network
Secure IT Conference Gateways Internal NetworkINTERNET User receives decrypted 3 Encrypted arrives 1 Gateway decrypts 2 Key Server IBE Gateway
Secure IT Conference Inspecting Secured Data IBE allows content inspection for end-to-end encrypted data DMZLANINTERNET IBE Server Exchange, Domino, etc. User receives encrypted 3 GW Virus Audit Archive is scanned 2 Encrypted arrives 1 GW
Secure IT Conference IBE Key Servers are “stateless” No certificates to store No private keys to store No revocation lists Easy to load-balance Just put two of them next to each other Easy backup and disaster recovery Only master secret and policy needs to be backed up Size: < 100 kByte, fits on floppy disk Master secret is long lived, only need to back up once Same for 100 or 100,000 users IBE Systems are extremely Scalable
Secure IT Conference IBE Systems have a substantially lower TCO Case Study: For encryption, IBE costs 30% of PKI Less infrastructure needed, less additional FTE to manage solution Fewer components to be concerned with Disaster Recovery Easier user experience – less training and help desk support [Source: Ferris Research Case Study on Voltage Secur ] Total Cost of Ownership
Secure IT Conference Summary IBE is a major breakthrough in Key Management Much lower total cost of ownership than PKI Better usability and deployment characteristics Highly Scalable Where to learn more IEEE , IETF S/Mime Standards