Identity-Based Encryption Technology Overview Public Key Cryptography Without Certificates Mark J. Schertler
Download ReportTranscript Identity-Based Encryption Technology Overview Public Key Cryptography Without Certificates Mark J. Schertler
Identity-Based Encryption Technology Overview Public Key Cryptography Without Certificates Mark J. Schertler Identity-Based Encryption (IBE) IBE is an old idea Originally proposed by Adi Shamir, S in RSA, in 1984 Not possible to build an IBE system based on RSA First practical implementation Boneh-Franklin Algorithm published at Crypto 2001 Bilinear Maps (Pairings) on Elliptic Curves • Based on well-tested mathematical building blocks Public Key Algorithm used for Key Transport The IBE breakthrough is having major impact Now over 400 scientific publications on IBE and Pairing Based Cryptography Major deployments in industry Standardization Efforts 2 IBE mathematics is being standardized in IEEE 1363.3 IETF S/MIME Informational RFC IBE Public Keys … Introduce This Elegance Public-key Encryption where Identities are used as Public Keys IBE Public Key: [email protected] RSA Public Key: Public exponent=0x10001 Modulus=13506641086599522334960321627880596993888147 560566702752448514385152651060485953383394028715 057190944179820728216447155137368041970396419174 304649658927425623934102086438320211037295872576 235850964311056407350150818751067659462920556368 552947521350085287941637732853390610975054433499 9811150056977236890927563 3 How IBE works in practice Alice sends a Message to Bob Key Server • Master Secret • Public Parameters 2 Receives Private Key 3 for [email protected] Requests private key, authenticates [email protected] [email protected] [email protected] 1 Alice encrypts with [email protected] 4 Bob decrypts with 4 Private Key How IBE works in practice Alice sends a Message to Bob Key Server Fully off-line - no connection to server required [email protected] [email protected] [email protected] 1 Charlie encrypts with [email protected] 5 Bob decrypts with 2 Private Key IBE Public Key Composition v2 || public key definition version ibe-server.acme.com#1234 || server location and public parameter version week = 252 || key validity period [email protected] e-mail address 6 IBE Benefits Dynamic “As Needed” Public and Private Key Generation No pre-generation or distribution of certificates Built-in Key Recovery – No ADKs Allows content, SPAM, and virus scanning at enterprise boundary Facilitates archiving in the clear per SEC regulations Policy in the Public Key e.g. Key Validity Period No CRLs Dynamic Groups Identities can be groups and roles; no re-issuing keys when group or role changes Minimal System State Master Secret / Public Parameters (~50KB) all you need for disaster recovery End user keys and message not stored on server Server scalability not limited by number of messages Benefits lead to: High system usability Highly scalable architecture Low operational impact Fully stateless operation 7 Public Key Infrastructure Certificate Server binds Identity to Public Key Certification Authority Certificate Server Store Certificate CA Signing Key CA Public Key Look up Bob’s Certificate, Check revocation Send Public Key, Authenticate Receive Certificate Recovery Server Store Bob’s Private Key 8 CA Public Key Bob’s Private Key Bob’s Public Key [email protected] [email protected] Identity Based Encryption Binding of Identity to Key is implicit IBE Key Server Certificate Server X Look up Bob’s Certificate, Check revocation Store Certificate Master Secret Public Parameters Send Identity, Authenticate Receive Private Key Recovery Server X Store Bob’s Private Key Public Parameters [email protected] 9 Bob’s Private Key [email protected] Adding IBE to CMSv3 Define OtherRecipientInfo Type for RecipientInfo in Enveloped Data Add IBE per RFC 3370 – CMS Algorithms Create IBE algorithm Informational RFC similar to RFC 2313 - PKCS #1: RSA Encryption Version 1.5 10 Based on CMSv3 - RFC 3852 Could be IEEE 1363.3 spec CMSv3 RecipientInfo ::= CHOICE { ktri KeyTransRecipientInfo, … ori [4] OtherRecipientInfo } OtherRecipientInfo ::= SEQUENCE { oriType OBJECT IDENTIFIER, oriValue ANY DEFINED BY oriType } oriValue ANY DEFINED BY oriType Version Domain and Parameter Version (Server Location) Schema • • 11 Validity Period Identity (RFC822) Public Parameters 12 IBE Public Keys - Revocation and Expiration IBE Public Key: [email protected] || week = 252 e-mail address 13 key validity IBE Systems use short lived keys Public key contains key validity Every week public key changes, so every week a new private key must be retrieved by the client Refresh period is configurable This simplifies key revocation Users removed from the directory, no longer get keys Above system is identical to a weekly CRL User authentication Voltage can support any type of authentication Authentication needs differs by Application More sensitive data, requires stronger authentication Identity-Based Encryption scales across all levels Authentication Adapters 14 PKI Smart Cards RSA SecurID LDAP, Active Directory Login/Password Email Answerback Username and password Voltage VSPS Auth. Service The IBE Key Server Master Secret s = 1872361923616378 Voltage Server Request for Private Key for Identity [email protected] Key Server has “Master Secret” to generate keys 15 A random secret is picked when the server is set up Each organization has a different Master Secret Private key is generated from Master Secret and Identity The IBE Security Model Master Secret and Public Parameters When the key server is set up: Generate a random Master Secret Derive Public Parameters from the master secret Distribute Public Parameters to all clients (one time setup only) Public Parameters are similar to a CA root certificate (long lived, bundled with software) During Operation: Client uses Public Parameters in the encryption operation Server uses Master Secret to generate private keys for users 16 IBE Key Server Master Secret 1238715613581 Public Parameters Public Parameters Public Parameters [email protected] [email protected] Voltage Enables Perimeter Content Scanning Filtering Spam and Viruses with End-to-End Encryption INTERNET DMZ LAN Voltage IBE Gateway Server Encrypted email arrives 17 1 Email is scanned GW Archive Audit Virus GW Exchange, Domino, etc. 2 User receives 3 encrypted email IBE’s on-the-fly key generation capability enables end-to-end encryption with content scanning Filter for Viruses, Trojans, Spam, etc. Allows archiving email for compliance, audit IBE: Setting A New Standard In Security Current Efforts IBCS-1 Standard Other IBE Technology Study Group Post IEEE Standards IEEE Working Group IEEE Study Group • Set structure of standard • Write PoA Feb/2005 • PBC/IBE Standard • Submit for ratification Mid 2005 > 2007 Current efforts are supported by Bell Canada, CESG, Gemplus, HP Labs, Microsoft, NTT DoCoMo, NoreTech, NSA, Siemens, STMicroelectronics IEEE and NIST fast-tracking IBE for standardization 18 Working Group No other cryptographic algorithms have begun this process so quickly Voltage IBE Toolkit FIPS 140-2 certified Voltage: Proven Ease of Use The easiest-to-use secure email: Seamless integration with leading mail clients No-download send/receive through Zero Download Messenger • No JavaScript, ActiveX, or browser plugins Policy-based encryption at network edge No change in user behavior Only secure messaging solution rated “Excellent” in usability by eWeek Labs “During my test of the system, it worked great. All a provider needed to do was send me an email encrypted based on my email address… It was simple and easy to operate.” 19 Voltage: “Stateless” Architecture Keys and messages are never stored on Voltage server Only one backup required for life of system Entire system can be recovered from single piece of data in minutes, whether 20 users or 20 million Messages can never be lost No separate message store to backup Administrator can decrypt messages at any point in future No ADKs required Full support for cleartext or encrypted archiving 20 Mail delivered using existing infrastructure Easily meet message retention policies Voltage: “Stateless” Architecture Highly scalable Strongest integration with network edge content scanning 21 New servers can be replicated from single backup Servers never need to be synchronized Can be load balanced using DNS Built for enterprise- and carrier-class environments Only solution with end-to-end encryption with anti-virus, antispam, archiving Voltage: Lowest Overhead Leverages existing mail infrastructure Self-provisioning authentication Same messages can be viewed with client or Zero Download Messenger No additional headcount required 22 No IT/administrative action required to enroll new users No need to select delivery methods Messages delivered using normal mail flow No new webmail/parallel mail infrastructure to manage, scale Other solutions are equivalent to running an entirely new Exchange/Notes system Voltage customers report 0.1 FTE required Identity-Based Encryption (IBE) IBE is an old idea First practical implementation Over 200 scientific publications on IBE/Pairings Dan Boneh awarded 2005 RSA Conference Award for Mathematics Standardization Efforts 23 Research funded by DARPA Boneh-Franklin Algorithm published at Crypto 2001 Based on well-tested building blocks for encryption: PKCS #7, S/MIME(CMS), 3DES, AES, SHA-256, DSS, SSL Industry acceptance Originally proposed by Adi Shamir, co-inventor of the RSA Algorithm, in 1984 IBE being standardized by NIST and IEEE 1363.3 IETF S/MIME? Voltage IBE breakthrough Highest system usability No certificates – no CRLs: ease of use for administrators and end users Lowest operational impact No new directories or resources required to manage system Fully stateless operation Keys dynamically generated – no storage required - simplifies disaster recovery, retention and backup Most flexible mobility architecture Architected for “occasionally-connected” users: full online and offline usage Most scalable architecture 24 Server scalability not limited by number of messages 25 IBE and PKI 26 1. Voltage Security 2. Identity-Based Encryption 3. IBE and PKI 1. Comparing IBE and PKI 2. Combining the Two 4. The future of IBE 5. Voltage and the DoD/DHS Public Key Infrastructure Working client side PKI Deployments are few Mainly government and defense A few large companies These deployments have major issues Deployment Cost Certificate Revocation Content scanning is still an unsolved issue (e.g. for filtering mail for viruses, spam or audits) Difficult to use Can IBE help? 27 Yes, IBE solves many of the issues of PKI Public Key Infrastructure Certificate Server binds Identity to Public Key Certification Authority Certificate Server Store Certificate CA Signing Key CA Public Key Look up Bob’s Certificate, Check revocation Send Public Key, Authenticate Receive Certificate Recovery Server Store Bob’s Private Key 28 CA Public Key Bob’s Private Key Bob’s Public Key [email protected] [email protected] Identity Based Encryption Binding of Identity to Key is implicit IBE Key Server Certificate Server X Look up Bob’s Certificate, Check revocation Store Certificate Master Secret Public Parameters Send Identity, Authenticate Receive Private Key Recovery Server X Store Bob’s Private Key Public Parameters [email protected] 29 Bob’s Private Key [email protected] IBE vs. PKI – Practical Implications IBE has no Certificates and Certificate management No certificate server No certificate lookups for the client No certificate (or key) revocation, CRLs, OCSP etc. • PKI requires pre-enrollment Instead, IBE uses short-lived keys. PKI can’t do this because this would compound lookup problem In PKI, recipient must generate key pair before sender can encrypt message IBE is Ad-Hoc capable, a sender can send message at any time IBE eliminates encryption key recovery/escrow server Most PKI applications require access to private keys (e.g. Lost keys, Financial Audit, Virus Filtering etc.) Key server can generate any key on the fly 30 IBE and PKI – Strengths and Weaknesses Public Key Infrastructure (PKI) Expensive to deploy and run Requires pre-enrollment Issuing certificates Works well for authentication Can be made highly secure through smart cards Identity-Based Encryption Ad-hoc capable Powerful for encryption 31 requires no pre-enrollment software only no key-lookup revocation is easy Content scanning easy Where to use PKI Inside the organization For maximum security/high cost deployments Mainly authentication and signing Where to use IBE Inside or outside the organization For any level of security Where encryption/ privacy is important Policy-Driven Encryption Who is it from? What company is it to? Who is it to? Does the sender want to encrypt? What does it say? 32 Policy-Based Encryption Policy-based encryption Controlled by administrators Automatically enforced based on message flow and/or content Can also allow users to opt-in, or opt-out based on keywords (no client s/w) At the network edge 33 Encryption decision occurs at the boundary to minimize exposure and maximize transparency A powerful tool for compliance Sample Policies • Encrypt all traffic to xyz.com • Encrypt from [email protected] • Encrypt all ePHI (lexicon) • Encrypt if subject contains “confidential” -OR•Encrypt all unless opt-out