The Key Distribution Infrastructure and its Management

Does it have an inventory? Or a secret box of keys? Let's find out!

Ashutosh Kumar
Dreams On Fire!
3 min read · Jun 25, 2020


First, find Alice & Bob who are going to establish

  1. the shared secret key for symmetric cryptography
  2. valid/authenticated public keys for asymmetric cryptography

One thing I would like to mention here is that key selection & management are as important as the encryption & decryption algorithms.

Approaches for Key Distribution

Let's say there are two users, A & B.

  • User A can select a key and physically deliver it to User B.
  • A third party can physically deliver the key to A & B.
  • If A & B have communicated previously, then they can use the previous key to encrypt and communicate the new key.
  • If A & B have secure connections via trusted third party C, then C can deliver the key.

The Hierarchy of Keys

Session Key >> Master Key

Session Key:

  • temporary; used for one or few sessions
  • used between users for data encryption

Master Key:

  • used to encrypt session keys; not cryptographically protected
  • it is shared between the user & key distribution center

Decentralized Key Distribution

Assume the master key (Km) has been distributed to both Alice & Bob by some secure means. We will now use Km to distribute & share session keys (Ks).

The decentralized system of Key Distribution

IDa & IDb are identity-based encryptions using nonce values N1 & N2 (here)

Nonce value: a number used once to sign an encrypted communication, e.g. a newly generated random number used to ensure that old communications cannot be used in replay attacks.

Procedure:

  • A sends an encrypted message with nonce value N1 and then B also sends N2 to A.
  • Then B sends an encrypted message using master key Km, session key Ks, ID, f(N1), N2.
  • Then A sends Ks with f(N2); both parties now have their session keys.

f(N1 or N2)=encrypting function
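
The three-message exchange above as an added Python example (not code from the original post), extended to show a replayed reply from an earlier session being rejected. The message field layout, f(N) = N + 1, and the HMAC-based stand-in cipher are assumptions chosen so the block runs with the standard library only.

```python
# Added example: message layout, f() and the stand-in cipher are assumptions.
import hashlib, hmac, json, secrets

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, iv, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode as a keystream.
    ks = b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, fields):
    # E(key, fields): encrypt, then authenticate IV and ciphertext.
    iv = secrets.token_bytes(16)
    ct = _xor_stream(_sub(key, b"enc"), iv, json.dumps(fields).encode())
    return iv + ct + hmac.new(_sub(key, b"mac"), iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    return json.loads(_xor_stream(_sub(key, b"enc"), iv, ct))

def f(n):
    # Assumed nonce transform; proves the sender decrypted and saw n.
    return (n + 1) % 2**64

def b_respond(km, msg1):
    m = unseal(km, msg1)
    ks, n2 = secrets.token_bytes(16), secrets.randbits(64)
    reply = {"ks": ks.hex(), "ida": m["id"], "idb": "B", "fn1": f(m["n1"]), "n2": n2}
    return seal(km, reply), ks, n2

def a_finish(km, n1, msg2):
    m = unseal(km, msg2)
    if m["ida"] != "A" or m["fn1"] != f(n1):   # stale N1 means a replayed reply
        raise ValueError("replayed or misdirected reply")
    ks = bytes.fromhex(m["ks"])
    return ks, seal(ks, {"fn2": f(m["n2"])})

def run_exchange(km, replayed_msg2=None):
    n1 = secrets.randbits(64)                       # fresh per session
    msg1 = seal(km, {"id": "A", "n1": n1})          # step 1: A -> B
    msg2, ks_b, n2 = b_respond(km, msg1)            # step 2: B -> A
    ks_a, msg3 = a_finish(km, n1, replayed_msg2 or msg2)  # step 3: A -> B
    confirmed = unseal(ks_b, msg3)["fn2"] == f(n2)  # B checks f(N2) under Ks
    return ks_a == ks_b and confirmed, msg2
```

In real code, replace the stand-in `seal`/`unseal` with a vetted authenticated cipher such as AES-GCM.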

Public-Key Authority:

  • builds on a public directory that securely registers {IDi, Ki}
  • securely distributes keys from the directory
  • requires users to know the authority’s Kau (key used by the authority)
  • requires real-time access to the authority

Whenever a session key is needed for communication between A & B, real-time access to the authority is needed. The authority intervenes during each key distribution using its Kau, and the procedure is the same as in the decentralized system of distribution; it’s just that there are 3 parties involved now.

However, there is no way to check the integrity of the authority, and this makes it vulnerable & tamper-able.

What is a Public-Key Certificate?

  • builds on public-key authority; binds i to Ki
  • it allows key-exchange without real-time access to authority
  • contains validity period, rights of use
  • signed by a Certificate Authority (CA)

NOTE:

  • any user can read a certificate
  • any user can verify a certificate
  • only CA can create/update certificates
  • any user can verify the validity of a certificate

The CA uses digital signatures for certificates (for authentication).

The Public-Key Infrastructure:

  • It is the system comprising the hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates.
  • It enables secure, convenient, and efficient acquisition of public keys.
  • It also provides functionality for certificate revocation & registration.

This is the end of our Symmetric & Asymmetric Cryptography series. Refer to previous blogs for context. Next, I will be starting Hashing and its functions, Hash Chains, etc. Stay tuned!

~Ashutosh
