Transcript Hashing - Computer Science

Key Management
Sandy Kutin
CSPP 532
7/24/01
Last Week: PKI
Public key algorithms (RSA)
Bob has public key B, private key b
Confidentiality: anyone can write to Bob
Authentication: Bob can sign messages
Non-repudiation: Signature usable in court
Solves key distribution problem
Leads to other problems
Key Questions
Who is trusted? (Key publication)
What if Bob is “terminated”? (Key recovery)
Where do you keep a key? (Key storage)
When does a key expire? (Key termination,
key archival, key revocation)
Why might the FBI see your key? (Key
escrow)
How do you create randomness on a
computer? (Key generation)
Pretty Good Privacy
First widespread implementation of RSA
PGP, by Phil Zimmerman (June 1991)
Free email implementation of RSA
encrypts with 3DES, IDEA, or CAST-128
signatures (MD5, SHA-1), compression, radix64
Cross-platform; used around the world
Commercial version also available
We’ll use it as a reference point
Talkin’ ‘bout my generation
Public/private pairs, and also session keys
True random numbers: require user input
PGP: Type; use letters, timing information
Mouse movements sometimes used
Convert weak randomness to strong
e.g., a line of text to a 128-bit key
use encryption (also, hashing)
in theoretical CS, use hashes for this
purpose
Pseudo-random Numbers
How do you generate “random” numbers?
PRNG: Pseudo-random number generator
Example: Linear Congruential Generator
X0 = seed (e.g., time)
Xn+1 = aXn + c mod m
This is what computers do; good for a lot
Not good for key generation; easy to break
(Eve figures out one key, or a few; learns all)
CSPRBG (I’d like to buy a vowel)
Cryptographically-secure pseudo-random
bit generator:
given first k bits, no polynomial-time way to
guess the k+1th bit more than 50% of the time
A few techniques; we’ll discuss them
One simple idea: Xi = EK(i), or EK(PRNG)
(then, take a single bit)
PGP uses a CSPRBG for session keys
Key Storage
OK, I have a key; where do I put it?
Hard drive unsafe. Brain unsafe.
Three Authentication Factors:
Knowledge Factor (password, PIN)
Possession Factor (smart card, badge, key)
Biometric Factor (retinal scan, voiceprint)
Best to use a combination
PGP: Knowledge, Possession
Key Storage in PGP
Public/private pair B, b generated by PGP
User inputs key K; save B, EK(b) to disk
EK is CAST-128; 128-bit key
Problem: how do you remember 128 bits?
User enters passphrase P; K = H(P)
H is SHA-1, keeping only the first 128 bits
Hash converts weak randomness to strong
No structure to the 128-bit value K
And the passphrase is...
So how long should your passphrase be?
An attacker can do 2128 work, guess K
Should contain 128 bits of “entropy”
English text: roughly 1 bit per character
Bottom line: you have to remember it
Other attacks anyway:
Keyboard sniffers, memory dumps
Solution: key in tamper-proof hardware
When good keys go bad
Part of PKI policy: expiration dates
algorithms become outdated
even a good key can be overused
minimize damage if a key is compromised
Key termination: stop using it
Key archival: keep a copy somewhere
Key revocation: tell everyone else it’s bad
The hard part; we’ll discuss this in a bit
Has anybody seen my keys?
Keys get lost. People are fired, or die.
Backing up EK(b) is easy, but need b or K.
Someone in the company has to have it.
Key escrow: government has a copy
Necessary for wiretaps; are taps necessary?
Clipper, Capstone; no one trusted them
One solution: secret-sharing schemes
M people get pieces; any m can solve for b
Key publication
How does Alice get Bob’s public key?
We’ll call this “key publication”
Another name: public-key key management
Original solution: “phone book”
Who prints the book?
What if it’s compromised, or intercepted?
How do you look someone up? Unique ID?
What if Bob has multiple names, keys?
Do keys expire? What if a key is compromised?
Solution #1: DispeRSAL
One idea: Carol meets Bob face-to-face
Carol says “This is Bob’s key”, signs it
Ted knows Carol, says “This is Carol’s key,
and I trust her”, signs it
Alice knows Ted; verifies chain of signatures
Flaw #1: “weakest link”
Flaw #2: >6 degrees of separation
Flaw #3: Unique IDs, expiration, ...
PGP: Web of Trust
Refined version of the “chain of trust”
Assign weight; how much do you trust a
key? (“mine”, “always”, “usually”)
See how many people, at what trust level,
validate Bob’s key; if it’s enough, you trust
the key
Same problems with
expiration/revocation, unique IDs, long
chains, ...
#2: Certificate Authorities
Certificate Authority (CA): trusted by all
CA representative verifies Bob’s key
Combines his name, info, key, expiration
date, etc. into a “certificate”
Signs the certificate using the CA’s key
Bob publicizes the certificate
Alice knows CA’s public key, verifies;
knows she’s communicating with Bob
A LaboRSAving solution
Obvious problem: whom do we trust?
Not as bad as it sounds; commerce goes
forward (e.g., VeriSign)
Second problem: how to verify everyone
Hierarchical structure:
global, local, company, department,
individual
To verify a signature, work your way up
The relevant question isn’t “whom do we
A Bunch of MalarKey
Big problem: certificates are meaningless
In January, 2001, someone got VeriSign
to issue him/her Microsoft certificates
VeriSign messed up: “human error”
Bad certificates immediately placed on
revocation list
But Microsoft messed up: IE doesn’t
check the list
Patch issued. Have you installed it?
When I fight the CA,
the CA always wins
The CA has no good means of checking
up on a potential customer
Credit card databases wanted to get into
CA business; thought they knew secrets
SSN, DoB, mother’s maiden name; all had
been sold already, publicly available
No secrets left
The CA has an impossible job
Validation Authorities
Austin, chapter 5: discusses VAs
Issuing certificates is a separate job
VA handles revocation, online
confirmation, levels of trust
Analogy for CA/VA split: credit cards
Bank (CA) checks credit, identity; issues card
Store checks card with Visa/MasterCard (VA)
Isolates problems, doesn’t solve them
OveRSAturation
Problem: so many certificates, so much
information; how do you tell what’s safe?
What does a certificate mean? Does it
guarantee fiscal security?
What do you do if a certificate appears not
to match? Do you trust it anyway?
Example: the HBO store
Recommended Reading
Miller-Rabin primality testing: Stallings,
Section 7.4
Key management: Austin, Chapter 4
Key publication, Certificate Authorities:
Stallings, Section 6.3
Austin, Chapter 5
PGP: Stallings, Section 12.1