Key Management And Key Distribution
7
Key Management And Key Distribution Key Management And Key Distribution The essential problems addressed by all cryptosystems is how to safely exchange keys and how to easily manage the keys while enabling reliable authentication, authorization and revocation. Simple symmetric distributed key systems – encrypted keys are distributed once physically by SA or by manufacturing. In Dynamic Distributed Key Infrastructures, distributed keys in turn exchange more device/person specific distributed keys, sizing a secure network in much the same way that DNS sizes the Internet. [email protected]
description
Key Management And Key Distribution. The essential problems addressed by all cryptosystems is how to safely exchange keys and how to easily manage the keys while enabling reliable authentication, authorization and revocation. - PowerPoint PPT Presentation
Transcript of Key Management And Key Distribution
Key Management And Key DistributionKey Management And Key Distribution
The essential problems addressed by all cryptosystems is how to safely exchange keys and how to easily manage the keys while enabling reliable authentication, authorization and revocation.
Simple symmetric distributed key systems – encrypted keys are distributed once physically by SA or by manufacturing.
In Dynamic Distributed Key Infrastructures, distributed keys in turn exchange more device/person specific distributed keys, sizing a secure network in much the same way that DNS sizes the Internet.
Traditional objections to symmetric systems
“Its security depends on a new key being generated and used each time a new message is encrypted; this means that the total number of key bits is too large to be practical”
“A large key-space comes at the price of longer keys, however, and these make the encryption and decryption processes slower. Thus the encryption system designer must trade off speed of operation against resistance to exhaustive search attacks.”
“Anyone using a symmetric-key encryption system must deal with the key exchange problem: if 1 or more recipients are to be able to decrypt a message, they must get the key, and they must be the only ones to get it. … Key exchange is thus a high-overhead operation.”
As much key material needs to be transmitted as the data to be encrypted.
Key storage is onerous.
These objections are no longer valid.
http://fermat.nap.edu/html/digital_dilemma/appE.html
What are the attributes of DDKI?
Dynamic Distributed Key system – what is it?
DDKI are systems utilizing distributed keys to safely create and distribute more distributed keys, dynamically and electronically, to scale large secure communities of interest in much the same way that DNS allows the Internet to size itself.
Self provisioning enables clients to generate their own session keys, encrypt their own content and authenticate themselves – this eliminates the majority of server overhead in massive networks and adds little overhead to the client.
Expanding a secure community of interest like DNS does
This is a simple secure closed distributed systemDynamic elements
• dynamic session keys and addresses
• dynamically authenticate session with DIVA
How do we dynamically, electronically and securely expand to add the millions of existing appliances and to build new secure networks users?
Networks
Clients or appliances like routers and switching
Secure Network Server
In existing DDKI
1. Server sends serial number read utilty to new applianceas a firmware patch.
2. New appliance sends MAC#, serial #, NAM, UID to server
3. Server generates unique keys and unique startingoffset from serial #, updates itself with UID, offset,
key info, encrypts private key with application key, andsends package with encrypted private key(s) and secure
application to the new device. New client, router, switch etc.
Coming in from the cold
1. Expand secure networks in 3 steps electronically
2. Secure legacy networks and hardware with software/firmware patches – MFG acceptance is helpful
3. Device receives secure distributed key pair
4. All legacy hardware with MAC# etc. and firmware are quickly and inexpensively added to DDKI
5. Persons can add password for access and two factor authentication
http://fermat.nap.edu/html/digital_dilemma/appE.html
“Unlike encryption, digital signature technology is not encumbered by export
restrictions.”
1. Utilizing new symmetrical identity management keys reinforces the usefulness AES algorithms and keys
2. Utilizing trans-encryption makes huge networks using AES fast
3. Utilizing super strength authentication keys comply with standards that many enterprises and governments are required to use.
SENDER
AESWN
DISTRIBUTED AES – WN KEY PAIR 1 TIME
• PHYSICALLY BY SYSTEM ADMINISTRATOR
• ELECTRONICALLY WITH KEY GENERATED
TO SPECIFIC DEVICE
WN KEY MULTI-FUNCTION
• RNG FOR SESSION KEY – NO FAILURES NIST
• AUTHENTICATION – ID MANAGEMENT
------
GENERATE SESSION KEY WITH WN RNG
ENCRYPT DOC WITH AES ALGORITH AND SESSION KEY
ENCRYPT SESSION KEY WITH DISTRIBUTED AES KEY
AUTHENTICATE ENCRYPTED SESSION KEY WITH WN
EMBED IN HEADER OF ENCRYPTED DOC
TRANS-ENCRYPT AUTHENTICATED
SESSION KEY FROM SENDER TO RECEIVER
ALL KEY PAIRS STOREDMINIMAL BECAUSE OF
MULTIPLICITY
KEY STORAGE IS CHEAPCHOOSE WHETHER TO STORE OR
FORWARD DOCS
TRANSFER ENCRYPTED DOCTRANSFER ENCRYPTED DOC
RECEIVER
AES WN
ABOVE PROCESS =
NO KEY EXCHANGE
SIMPLE SYMMETRIC DISTRIBUTED KEY SYSTEM
