The Key Distribution Infrastructure and its Management
Does it have an inventory? Or a secret box of keys? Let's find out!
First, meet Alice & Bob, who are going to establish
- the shared secret key for symmetric cryptography
- valid/authenticated public keys for asymmetric cryptography
One thing I would like to mention here is that key selection & management are as important as the encryption & decryption algorithm itself.
Approaches for Key Distribution
Let's say there are two users, A & B.
- User A can select a key and physically deliver it to User B.
- A third party can physically deliver the key to A & B.
- If A & B have communicated previously, then they can use the previous key to encrypt and communicate the new key.
- If A & B each have a secure connection to a trusted third party C, then C can deliver the key.
The Hierarchy of Keys
Session Key >> Master Key
Session Key:
- temporary; used for one or a few sessions
- used between users for data encryption
Master Key:
- used to encrypt session keys; it is itself not cryptographically protected, so it has to be delivered by other secure means
- it is shared between the user & key distribution center
Decentralized Key Distribution
Assume the master key (Km) has already been distributed to both Alice & Bob by some secure means. Now we will use Km to distribute & share session keys (Ks).
IDa & IDb are the identities of A & B, which are sent along with the nonce values N1 & N2 in the exchange below.
Nonce value: a number used once in a cryptographic communication, e.g. a freshly generated random number, used to ensure that old messages cannot be reused in replay attacks.
Procedure:
- A sends a message containing the nonce value N1 to B, and then B also sends its nonce N2 to A.
- B's message is encrypted using the master key Km and contains the session key Ks, the IDs, f(N1) and N2.
- Then A replies with f(N2) encrypted under Ks; both parties now hold the session key.
f(N1), f(N2) = an agreed (encrypting) function applied to the nonce, so that each side can prove it saw the other's nonce
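The three-message exchange above, worked through as an added example (not code from the original post). E(K, .) is stood in for by a toy encrypt-then-MAC built from the standard library, and the field sizes and the function f are assumptions; the point is that A accepts Ks only after checking the echoed identities and f(N1), so a replayed message 2 is rejected.

```python
import hashlib, hmac, secrets

NONCE_LEN, KEY_LEN, ID_LEN, TAG_LEN = 16, 32, 8, 32   # field sizes: an assumption

def f(nonce: bytes) -> bytes:
    """Agreed public function of a nonce (assumed: truncated SHA-256)."""
    return hashlib.sha256(b"f|" + nonce).digest()[:NONCE_LEN]

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def encrypt(key: bytes, msg: bytes) -> bytes:
    """Toy encrypt-then-MAC from the standard library, standing in for E(K, .)."""
    iv = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, iv, len(msg))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("rejected: bad tag (wrong key or tampered)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))

def b_make_msg2(km: bytes, id_b: bytes, msg1: bytes):
    """Message 2: E(Km, Ks || IDa || IDb || f(N1) || N2); msg1 is IDa || N1 in the clear."""
    id_a, n1 = msg1[:ID_LEN], msg1[ID_LEN:]
    ks, n2 = secrets.token_bytes(KEY_LEN), secrets.token_bytes(NONCE_LEN)
    return ks, n2, encrypt(km, ks + id_a + id_b + f(n1) + n2)

def a_check_msg2(km: bytes, id_a: bytes, id_b: bytes, n1: bytes, msg2: bytes):
    """A accepts Ks only if both identities and f(N1) match its own N1; returns (Ks, N2)."""
    body = decrypt(km, msg2)
    ks, rest = body[:KEY_LEN], body[KEY_LEN:]
    ida, idb = rest[:ID_LEN], rest[ID_LEN:2 * ID_LEN]
    fn1, n2 = rest[2 * ID_LEN:-NONCE_LEN], rest[-NONCE_LEN:]
    if (ida, idb) != (id_a, id_b) or not hmac.compare_digest(fn1, f(n1)):
        raise ValueError("rejected: wrong peers or stale N1 (replayed message 2)")
    return ks, n2

def run_protocol(km: bytes, id_a: bytes, id_b: bytes) -> bytes:
    """Full three-message exchange; returns the session key both sides now hold."""
    n1 = secrets.token_bytes(NONCE_LEN)
    msg1 = id_a + n1                                  # 1. A -> B: IDa || N1
    ks_b, n2_b, msg2 = b_make_msg2(km, id_b, msg1)    # 2. B -> A
    ks_a, n2_a = a_check_msg2(km, id_a, id_b, n1, msg2)
    msg3 = encrypt(ks_a, f(n2_a))                     # 3. A -> B: E(Ks, f(N2))
    if not hmac.compare_digest(decrypt(ks_b, msg3), f(n2_b)):
        raise ValueError("rejected: A does not hold the same Ks")
    return ks_a
```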
Public-Key Authority:
- builds on public directory securely registering {IDi, Ki}
- securely distribute keys from the directory
- require users to know the authority's key Kau (the key the authority uses, which users need to verify its replies)
- require real-time access for authority
Whenever a session key is needed for communication between A & B, real-time access to the authority is needed. The authority intervenes in each key distribution using its Kau, and the procedure is otherwise the same as in the decentralized system of distribution; it's just that there are 3 parties involved now.
However, there is no way for users to check the integrity of the authority, and this makes it vulnerable & tamperable.
What is a Public-Key Certificate?
- builds on the public-key authority; binds an identity i to its key Ki
- it allows key-exchange without real-time access to authority
- contains validity period, rights of use
- signed by a Certificate Authority (CA)
NOTE:
- any user can read a certificate
- any user can verify a certificate
- only CA can create/update certificates
- any user can verify the validity of a certificate
The CA uses digital signatures for certificates (for authentication).
The Public-Key Infrastructure:
- It is the system comprised of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates.
- It enables secure, convenient, and efficient acquisition of public keys.
- It also provides functionality for certificate registration & revocation.
This is the end of our Symmetric & Asymmetric Cryptography series. Refer to the previous blogs for context. Next, I will be starting Hashing and its functions, Hash Chains, etc. Stay tuned!
~Ashutosh