Most of the products and standards that use public-key cryptography for encryption and digital signatures use RSA. As we have seen, the key length for secure RSA use has increased over recent years, and this has put a heavier processing load on applications using RSA. This burden has ramifications, especially for electronic commerce sites that conduct large numbers of secure transactions. A competing system challenges RSA: elliptic curve cryptography (ECC). ECC is showing up in standardization efforts, including the IEEE P1363 Standard for Public-Key Cryptography.

The principal attraction of ECC, compared to RSA, is that it appears to offer equal security for a far smaller key size, thereby reducing processing overhead. On the other hand, although the theory of ECC has been around for some time, it is only recently that products have begun to appear and that there has been sustained cryptanalytic interest in probing for weaknesses. Accordingly, the confidence level in ECC is not yet as high as that in RSA.

ECC is fundamentally more difficult to explain than either RSA or Diffie-Hellman, and a full mathematical description is beyond the scope of this book. This section and the next give some background on elliptic curves and ECC. We begin with a brief review of the concept of abelian group. Next, we examine the concept of elliptic curves defined over the real numbers. This is followed by a look at elliptic curves defined over finite fields. Finally, we are able to examine elliptic curve ciphers.

The reader may wish to review the material on finite fields in Chapter 4 before proceeding.
Abelian Groups
Recall from Chapter 4 that an abelian group G, sometimes denoted by {G, ·}, is a set of elements with a binary operation, denoted by ·, that associates to each ordered pair (a, b) of elements in G an element (a · b) in G, such that the following axioms are obeyed:³

³The operator · is generic and can refer to addition, multiplication, or some other mathematical operation.
the group, with exponentiation defined as repeated multiplication. For example,

a^k \bmod q = (a \times a \times \cdots \times a) \bmod q \quad (k \text{ times})

To attack Diffie-Hellman, the attacker must determine k given a and a^k; this is the discrete logarithm problem.
For elliptic curve cryptography, an operation over elliptic curves, called addition, is used. Multiplication is defined by repeated addition. For example,

a \times k = (a + a + \cdots + a) \quad (k \text{ times})

where the addition is performed over an elliptic curve. Cryptanalysis involves determining k given a and (a × k).

An elliptic curve is defined by an equation in two variables with coefficients. For cryptography, the variables and coefficients are restricted to elements in a finite field, which results in the definition of a finite abelian group. Before looking at this, we first look at elliptic curves in which the variables and coefficients are real numbers. This case is perhaps easier to visualize.
y = \sqrt{x^3 + ax + b}

For given values of a and b, the plot consists of positive and negative values of y for each value of x. Thus, each curve is symmetric about y = 0. Figure 10.4 shows two examples of elliptic curves. As you can see, the formula sometimes produces weird-looking curves.

Now, consider the set of points E(a, b) consisting of all of the points (x, y) that satisfy Equation (10.1) together with the element O. Using a different value of the pair (a, b) results in a different set E(a, b). Using this terminology, the two curves in Figure 10.4 depict the sets E(−1, 0) and E(1, 1), respectively.

Note that x and y are true variables, which take on values. This is in contrast to our discussion of polynomial rings and fields in Chapter 4, where x was treated as an indeterminate.
10.3 / ELLIPTIC CURVE ARITHMETIC 297

[Figure 10.4 Example of Elliptic Curves; panel (b) is y² = x³ + x + 1. The plotted points P, Q, (P + Q) and −(P + Q) shown in the figure did not survive extraction.]
GEOMETRIC DESCRIPTION OF ADDITION

It can be shown that a group can be defined based on the set E(a, b) for specific values of a and b in Equation (10.1), provided the following condition is met:

To define the group, we must define an operation, called addition and denoted by +, for the set E(a, b), where a and b satisfy Equation (10.2). In geometric terms, the rules for addition can be stated as follows: If three points on an elliptic curve lie on a straight line, their sum is O. From this definition, we can define the rules of addition over an elliptic curve.

1. O serves as the additive identity. Thus O = −O; for any point P on the elliptic curve, P + O = P. In what follows, we assume P ≠ O and Q ≠ O.
2. The negative of a point P is the point with the same x coordinate but the negative of the y coordinate; that is, if P = (x, y), then −P = (x, −y). Note that these two points can be joined by a vertical line. Note that P + (−P) = P − P = O.
3. To add two points P and Q with different x coordinates, draw a straight line between them and find the third point of intersection R. It is easily seen that there is a unique point R that is the point of intersection (unless the line is tangent to the curve at either P or Q, in which case we take R = P or R = Q, respectively). To form a group structure, we need to define addition on these three points: P + Q = −R. That is, we define P + Q to be the mirror image (with respect to the x axis) of the third point of intersection. Figure 10.4 illustrates this construction.
4. The geometric interpretation of the preceding item also applies to two points, P and −P, with the same x coordinate. The points are joined by a vertical line, which can be viewed as also intersecting the curve at the infinity point. We therefore have P + (−P) = O, which is consistent with item (2).
5. To double a point Q, draw the tangent line and find the other point of intersection S. Then Q + Q = 2Q = −S.

With the preceding list of rules, it can be shown that the set E(a, b) is an abelian group.
x_R = \left(\frac{3x_P^2 + a}{2y_P}\right)^2 - 2x_P

y_R = \left(\frac{3x_P^2 + a}{2y_P}\right)(x_P - x_R) - y_P \qquad (10.4)
curves over GF(2^m). For a prime curve over Z_p, we use a cubic equation in which the variables and coefficients all take on values in the set of integers from 0 through p − 1 and in which calculations are performed modulo p. For a binary curve defined over GF(2^m), the variables and coefficients all take on values in GF(2^m) and in calculations are performed over GF(2^m). [FERN99] points out that prime curves are best for software applications, because the extended bit-fiddling operations needed by binary curves are not required; and that binary curves are best for hardware applications, where it takes remarkably few logic gates to create a powerful, fast cryptosystem. We examine these two families in this section and the next.

There is no obvious geometric interpretation of elliptic curve arithmetic over finite fields. The algebraic interpretation used for elliptic curve arithmetic over real numbers does readily carry over, and this is the approach we take.

For elliptic curves over Z_p, as with real numbers, we limit ourselves to equations of the form of Equation (10.1), but in this case with coefficients and variables limited to Z_p:

y^2 \bmod p = (x^3 + ax + b) \bmod p \qquad (10.5)

For example, Equation (10.5) is satisfied for a = 1, b = 1, x = 9, y = 7, p = 23:

7^2 \bmod 23 = (9^3 + 9 + 1) \bmod 23
49 \bmod 23 = 739 \bmod 23
3 = 3
Now consider the set E_p(a, b) consisting of all pairs of integers (x, y) that satisfy Equation (10.5), together with a point at infinity O. The coefficients a and b and the variables x and y are all elements of Z_p.

For example, let p = 23 and consider the elliptic curve y² = x³ + x + 1. In this case, a = b = 1. Note that this equation is the same as that of Figure 10.4b. The figure shows a continuous curve with all of the real points that satisfy the equation. For the set E_23(1, 1), we are only interested in the nonnegative integers in the quadrant from (0, 0) through (p − 1, p − 1) that satisfy the equation mod p. Table 10.1 lists the points (other than O) that are part of E_23(1, 1). Figure 10.5 plots the points of E_23(1, 1); note that the points, with one exception, are symmetric about y = 11.5.
[Figure 10.5: the points of E_23(1, 1) plotted on a grid whose x and y axes each run from 0 to 22; the plotted points did not survive extraction.]
It can be shown that a finite abelian group can be defined based on the set E_p(a, b) provided that (x³ + ax + b) mod p has no repeated factors. This is equivalent to the condition

(4a^3 + 27b^2) \bmod p \neq 0 \bmod p \qquad (10.6)

Note that Equation (10.6) has the same form as Equation (10.2).

The rules for addition over E_p(a, b) correspond to the algebraic technique described for elliptic curves defined over real numbers. For all points P, Q ∈ E_p(a, b):

1. P + O = P.
2. If P = (x_P, y_P), then P + (x_P, −y_P) = O. The point (x_P, −y_P) is the negative of P, denoted as −P. For example, in E_23(1, 1), for P = (13, 7), we have −P = (13, −7). But −7 mod 23 = 16. Therefore, −P = (13, 16), which is also in E_23(1, 1).
3. If P = (x_P, y_P) and Q = (x_Q, y_Q) with P ≠ −Q, then R = P + Q = (x_R, y_R) is determined by the following rules:

where

\lambda = \left(\frac{y_Q - y_P}{x_Q - x_P}\right) \bmod p \quad \text{if } P \neq Q
where it is understood that the variables x and y and the coefficients a and b are elements of GF(2^m) and that calculations are performed in GF(2^m).

Now consider the set E_{2^m}(a, b) consisting of all pairs of integers (x, y) that satisfy Equation (10.7), together with a point at infinity O.

For example, let us use the finite field GF(2⁴) with the irreducible polynomial f(x) = x⁴ + x + 1. This yields a generator g that satisfies f(g) = 0 with a value of g⁴ = g + 1, or in binary, g = 0010. We can develop the powers of g as follows.
10.4 / ELLIPTIC CURVE CRYPTOGRAPHY 303

[Figure: the points of the elliptic curve over GF(2⁴) plotted on a grid whose axes are labelled 1, g, g², ..., g¹⁴ and 0; the plotted points did not survive extraction.]

For P ≠ Q:

y_R = \lambda(x_P + x_R) + x_R + y_P

where

\lambda = \frac{y_Q + y_P}{x_Q + x_P}

For doubling, R = 2P:

x_R = \lambda^2 + \lambda + a
y_R = x_P^2 + (\lambda + 1)x_R

where

\lambda = x_P + \frac{y_P}{x_P}
Q is found. Thus,

P = (16, 5); 2P = (20, 20); 3P = (14, 14); 4P = (19, 20); 5P = (13, 10); 6P = (7, 3); 7P = (8, 7); 8P = (12, 17); 9P = (4, 5)

Because 9P = (4, 5) = Q, the discrete logarithm of Q = (4, 5) to the base P = (16, 5) is k = 9. In a real application, k would be so large as to make the brute-force approach infeasible.

In the remainder of this section, we show two approaches to ECC that give the flavor of this technique.
K = n_B \times P_A

It is the point P_m that will be encrypted as a ciphertext and subsequently decrypted. Note that we cannot simply encode the message as the x or y coordinate of a point, because not all such coordinates are in E_q(a, b); for example, see Table 10.1. Again, there are several approaches to this encoding, which we will not address here, but suffice it to say that there are relatively straightforward techniques that can be used.

As with the key exchange system, an encryption/decryption system requires a point G and an elliptic group E_q(a, b) as parameters. Each user A selects a private key n_A and generates a public key P_A = n_A × G.

To encrypt and send a message P_m to B, A chooses a random positive integer k and produces the ciphertext C_m consisting of the pair of points:

C_m = \{kG, P_m + kP_B\}

Note that A has used B's public key P_B. To decrypt the ciphertext, B multiplies the first point in the pair by B's private key and subtracts the result from the second point:

P_m + kP_B - n_B(kG) = P_m + k(n_B G) - n_B(kG) = P_m

A has masked the message P_m by adding kP_B to it. Nobody but A knows the value of k, so even though P_B is a public key, nobody can remove the mask kP_B. However, A also includes a "clue," which is enough to remove the mask if one knows the private key n_B. For an attacker to recover the message, the attacker would have to compute k given G and kG, which is assumed to be hard.
Let us consider a simple example. The global public elements are q = 257; E_q(a, b) = E_257(0, −4), which is equivalent to the curve y² = x³ − 4; and G = (2, 2). Bob's private key is n_B = 101, and his public key is P_B = n_B G = 101(2, 2) = (197, 167). Alice wishes to send a message to Bob that is encoded in the elliptic point P_m = (112, 26). Alice chooses random integer k = 41 and computes kG = 41(2, 2) = (136, 128), kP_B = 41(197, 167) = (68, 84) and P_m + kP_B = (112, 26) + (68, 84) = (246, 174). Alice sends the ciphertext C_m = (C_1, C_2) = {(136, 128), (246, 174)} to Bob. Bob receives the ciphertext and computes C_2 − n_B C_1 = (246, 174) − 101(136, 128) = (246, 174) − (68, 84) = (112, 26).
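As an added example that is not part of the textbook, the following Python code implements the addition rules for E_p(a, b) given above and checks them against the three computations the text works by hand: the point set E_23(1, 1) of Table 10.1, the discrete logarithm k = 9 of Q = (4, 5) to the base P = (16, 5) in E_23(9, 17), and the encryption example on E_257(0, −4). The curve parameters and points are the textbook's; the class and function names and the brute-force discrete_log search are our own.

```python
# Added example, not the textbook's code: arithmetic in E_p(a, b) following the rules
# above, applied to the textbook's own values (p = 23, a = b = 1; E_23(9, 17) with
# P = (16, 5), Q = (4, 5); E_257(0, -4) with G = (2, 2), n_B = 101, k = 41,
# P_m = (112, 26)). Class and function names are ours.

O = None  # the point at infinity, the additive identity of the group


class PrimeCurve:
    """Points (x, y) with y^2 = x^3 + a*x + b (mod p), plus O: the set E_p(a, b)."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a % p, b % p
        # Equation (10.6): (4a^3 + 27b^2) mod p must be nonzero for a group to exist
        if (4 * self.a ** 3 + 27 * self.b ** 2) % p == 0:
            raise ValueError("singular curve: Equation (10.6) is violated")

    def on_curve(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def points(self):
        """All finite points of E_p(a, b); for E_23(1, 1) this is the content of Table 10.1."""
        return [(x, y) for x in range(self.p) for y in range(self.p) if self.on_curve((x, y))]

    def neg(self, P):
        """Rule 2: -P = (x_P, -y_P mod p)."""
        return O if P is O else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """Rules 1-3: chord slope for P != Q, tangent slope for P == Q, O for P == -Q."""
        if P is O:
            return Q
        if Q is O:
            return P
        xp, yp = P
        xq, yq = Q
        if xp == xq and (yp + yq) % self.p == 0:
            return O
        if P == Q:
            lam = (3 * xp * xp + self.a) * pow(2 * yp, -1, self.p)
        else:
            lam = (yq - yp) * pow(xq - xp, -1, self.p)
        lam %= self.p
        xr = (lam * lam - xp - xq) % self.p
        yr = (lam * (xp - xr) - yp) % self.p
        return (xr, yr)

    def mul(self, k, P):
        """k x P, defined as repeated addition and organised as double-and-add."""
        R = O
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


def discrete_log(curve, P, Q, limit):
    """Brute force: smallest k in 1..limit with kP = Q, or None. Feasible only on toy curves."""
    R = P
    for k in range(1, limit + 1):
        if R == Q:
            return k
        R = curve.add(R, P)
    return None


def ecc_encrypt(curve, G, PB, Pm, k):
    """Alice: C_m = {kG, P_m + kP_B}."""
    return (curve.mul(k, G), curve.add(Pm, curve.mul(k, PB)))


def ecc_decrypt(curve, nB, Cm):
    """Bob: P_m = C_2 - n_B * C_1."""
    C1, C2 = Cm
    return curve.add(C2, curve.neg(curve.mul(nB, C1)))


if __name__ == "__main__":
    E = PrimeCurve(23, 1, 1)
    pts = E.points()
    print(len(pts), "finite points in E_23(1, 1); the one point with y = 0:", [p for p in pts if p[1] == 0])
    E2 = PrimeCurve(23, 9, 17)
    print("k with kP = Q in E_23(9, 17):", discrete_log(E2, (16, 5), (4, 5), 100))
    E3 = PrimeCurve(257, 0, -4)
    G, nB, k, Pm = (2, 2), 101, 41, (112, 26)
    PB = E3.mul(nB, G)
    Cm = ecc_encrypt(E3, G, PB, Pm, k)
    print("P_B =", PB, "C_m =", Cm, "-> decrypts to", ecc_decrypt(E3, nB, Cm))
```

The point with y = 0 in E_23(1, 1) is the "one exception" to the symmetry about y = 11.5 mentioned above: it is its own negative. The decryption step never needs k; it cancels algebraically, which is exactly the identity P_m + kP_B − n_B(kG) = P_m.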
output and can be used to build a PRNG. Because asymmetric algorithms are typically much slower than symmetric algorithms, asymmetric algorithms are not used to generate open-ended PRNG bit streams. Rather, the asymmetric approach is useful for creating a pseudorandom function (PRF) for generating a short pseudorandom bit sequence.

In this section, we examine two PRNG designs based on pseudorandom functions.
Setup: Select p, q primes; n = pq; φ(n) = (p − 1)(q − 1). Select e such that gcd(e, φ(n)) = 1. These are the standard RSA setup selections (see Figure 9.5). In addition, let N = ⌊log₂ n⌋ + 1 (the bitlength of n). Select r, k such that r + k = N.

Seed: Select a random seed x_0 of bitlength r.

Generate: Generate a pseudorandom sequence of length k × m using the loop

for i from 1 to m do
    y_i = x_{i−1}^e mod n
    x_i = r most significant bits of y_i
    z_i = k least significant bits of y_i

Output: The output sequence is z_1 || z_2 || ... || z_m

[Figure: the generator drawn as a chain of stages, each computing y_i = x_{i−1}^e mod n from the previous x_{i−1}, starting from the seed x_0 and using the parameters n, r, e, k; the diagram did not survive extraction.]

The parameters n, r, e, and k are selected to satisfy the following six requirements.

Given the security concerns expressed for this PRNG, the only motivation for its use would be that it is used in a system that already implements ECC but does not implement any other symmetric, asymmetric, or hash cryptographic algorithm that could be used to build a PRNG.
Key Terms

Review Questions

10.1 Briefly explain Diffie-Hellman key exchange.
10.2 What is an elliptic curve?
10.3 What is the zero point of an elliptic curve?
10.4 What is the sum of three points on an elliptic curve that lie on a straight line?

Problems

10.1 Users A and B use the Diffie-Hellman key exchange technique with a common prime q = 11 and a primitive root α = 7.
a. If user A has private key X_A = 5, what is A's public key Y_A?
b. If user B has private key X_B = 12, what is B's public key Y_B?
c. What is the shared secret key?
10.2 Consider a Diffie-Hellman scheme with a common prime q = 11 and a primitive root α = 2.
a. Show that 2 is a primitive root of 11.
b. If user A has public key Y_A = 9, what is A's private key X_A?
c. If user B has public key Y_B = 3, what is the secret key K shared with A?
10.3 In the Diffie-Hellman protocol, each participant selects a secret number x and sends the other participant α^x mod q for some public number α. What would happen if the participants sent each other x^α for some public number α instead? Give at least one method Alice and Bob could use to agree on a key. Can Eve break your system without finding the secret numbers? Can Eve find the secret numbers?
10.4 This problem illustrates the point that the Diffie-Hellman protocol is not secure without the step where you take the modulus; i.e., the "Indiscrete Log Problem" is not a hard problem! You are Eve and have captured Alice and Bob and imprisoned them. You overhear the following dialog.
Bob: Oh, let's not bother with the prime in the Diffie-Hellman protocol, it will make things easier.
Alice: Okay, but we still need a base α to raise things to. How about α = 3?
Bob: All right, then my result is 27.
Alice: And mine is 243.
What is Bob's private key X_B and Alice's private key X_A? What is their secret combined key? (Don't forget to show your work.)
10.5 Section 10.1 describes a man-in-the-middle attack on the Diffie-Hellman key exchange protocol in which the adversary generates two public-private key pairs for the attack. Could the same attack be accomplished with one pair? Explain.
10.6 Consider an Elgamal scheme with a common prime q = 11 and a primitive root α = 7.
a. If B has public key Y_B = 3 and A chooses the random integer k = 2, what is the ciphertext of M = 30?
b. If A now chooses a different value of k so that the encoding of M = 30 is C = (59, C_2), what is the integer C_2?
10.7 Rule (5) for doing arithmetic in elliptic curves over real numbers states that to double a point Q, draw the tangent line and find the other point of intersection S. Then Q + Q = 2Q = −S. If the tangent line is not vertical, there will be exactly one point of intersection. However, suppose the tangent line is vertical? In that case, what is the value 2Q? What is the value 3Q?
418 CHAPTER 14 / KEY MANAGEMENT AND DISTRIBUTION

... Yes, he would. The key of the outer door, the key of the office, and the key of the

LEARNING OBJECTIVES

After studying this chapter, you should be able to:
• Discuss the concept of a key hierarchy.
• Understand the issues involved in using asymmetric encryption to distribute symmetric keys.
• Present an overview of approaches to public-key distribution and analyze the risks involved in various approaches.
• List and explain the elements in an X.509 certificate.
• Present an overview of public-key infrastructure concepts.
The topics of cryptographic key management and cryptographic key distribution are complex, involving cryptographic, protocol, and management considerations. The purpose of this chapter is to give the reader a feel for the issues involved and a broad survey of the various aspects of key management and distribution. For more information, the place to start is the three-volume NIST SP 800-57, followed by the recommended readings listed at the end of this chapter.
For symmetric encryption to work, the two parties to an exchange must share the same key, and that key must be protected from access by others. Furthermore, frequent key changes are usually desirable to limit the amount of data compromised if an attacker learns the key. Therefore, the strength of any cryptographic system rests with the key distribution technique, a term that refers to the means of delivering a key to two parties who wish to exchange data without allowing others to see the key. For two parties A and B, key distribution can be achieved in a number of ways, as follows:

1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.
Options 1 and 2 call for manual delivery of a key. For link encryption, this is a reasonable requirement, because each link encryption device is going to be exchanging data only with its partner on the other end of the link. However, for end-to-end encryption over a network, manual delivery is awkward. In a distributed system, any given host or terminal may need to engage in exchanges with many other hosts and terminals over time. Thus, each device needs a number of keys supplied dynamically. The problem is especially difficult in a wide-area distributed system.

The scale of the problem depends on the number of communicating pairs that must be supported. If end-to-end encryption is done at a network or IP level, then a key is needed for each pair of hosts on the network that wish to communicate. Thus, if there are N hosts, the number of required keys is [N(N − 1)]/2. If encryption is done at the application level, then a key is needed for every pair of users or processes that require communication. Thus, a network may have hundreds of hosts but thousands of users and processes. Figure 14.1 illustrates the magnitude of the key distribution task for end-to-end encryption.¹ A network using node-level encryption with 1000 nodes would conceivably need to distribute as many as half a million keys. If that same network supported 10,000 applications, then as many as 50 million keys may be required for application-level encryption.

Returning to our list, option 3 is a possibility for either link encryption or end-to-end encryption, but if an attacker ever succeeds in gaining access to one key, then all subsequent keys will be revealed. Furthermore, the initial distribution of potentially millions of keys still must be made.

For end-to-end encryption, some variation on option 4 has been widely adopted. In this scheme, a key distribution center is responsible for distributing keys to pairs of users (hosts, processes, applications) as needed. Each user must share a unique key with the key distribution center for purposes of key distribution.

The use of a key distribution center is based on the use of a hierarchy of keys. At a minimum, two levels of keys are used (Figure 14.2). Communication between end systems is encrypted using a temporary key, often referred to as a session key. Typically, the session key is used for the duration of a logical connection, such as a frame relay connection or transport connection, and then discarded. Each session key is obtained from the key distribution center over the same networking facilities
¹Note that this figure uses a log-log scale, so that a linear graph indicates exponential growth. A basic review of log scales is in the math refresher document at the Computer Science Student Resource Site at WilliamStallings.com/StudentSupport.html
[Figure 14.1: the number of keys required plotted against the number of nodes on log-log axes, for node-level and application-level encryption; the plot did not survive extraction.]

[Figure 14.2 The Use of a Key Hierarchy: data is protected by session keys, session keys by master keys, and master keys by non-cryptographic protection.]

[Figure: key distribution scenario involving a Key Distribution Center (KDC), Initiator A and Responder B; the numbered message flow did not survive extraction.]

14.1 / SYMMETRIC KEY DISTRIBUTION USING SYMMETRIC ENCRYPTION 423
KDC. In this case, any one of the three KDCs involved can actually select the key. The hierarchical concept can be extended to three or even more layers, depending on the size of the user population and the geographic scope of the internetwork.

A hierarchical scheme minimizes the effort involved in master key distribution, because most master keys are those shared by a local KDC with its local entities. Furthermore, such a scheme limits the damage of a faulty or subverted KDC to its local area only.
[Figure: automatic key distribution via a Key Distribution Center for a connection-oriented protocol. 1. Host sends packet requesting connection. 2. Security service buffers packet; asks KDC for session key. 3. KDC distributes session key to both hosts. 4. Buffered packet transmitted. The drawing of the two hosts, their application and security-service layers, and the network did not survive extraction.]
The automated key distribution approach provides the flexibility and dynamic characteristics needed to allow a number of terminal users to access a number of hosts and for the hosts to exchange data with each other.
session key distribution. Thus, there may need to be as many as [n(n − 1)]/2 master keys for a configuration with n end systems.

A session key may be established with the following sequence of steps (Figure 14.5).

1. A issues a request to B for a session key and includes a nonce, N_1.
2. B responds with a message that is encrypted using the shared master key. The response includes the session key selected by B, an identifier of B, the value f(N_1), and another nonce, N_2.
3. Using the new session key, A returns f(N_2) to B.

Thus, although each node must maintain at most (n − 1) master keys, as many session keys as required may be generated and used. Because the messages transferred using the master key are short, cryptanalysis is difficult. As before, session keys are used for only a limited time to protect them.
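The three-step exchange above, simulated as an added example (this is not the textbook's or any product's code). The block cipher is replaced by a constructed stand-in built from SHA-256 and HMAC so the block runs with Python's standard library alone, f(N) is assumed to be SHA-256, and the JSON field framing, the Node class and the function names are our own. The second function shows what the nonce buys: a recorded step-2 reply replayed into a later exchange carries f of the old N_1 and is refused by A.

```python
# Added example, not the textbook's code: the three-step session-key exchange between
# end systems A and B that already share a master key. E(K, M) is a constructed stand-in
# (SHA-256 keystream under a fresh IV plus an HMAC tag), f(N) is assumed to be SHA-256,
# and the JSON framing of the message fields is our choice.
import hashlib
import hmac
import json
import secrets


def f(nonce: bytes) -> bytes:
    """The function f applied to a nonce (assumed here: SHA-256)."""
    return hashlib.sha256(nonce).digest()


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for E(K, M): IV || (M xor keystream) || HMAC tag over IV and body."""
    iv = secrets.token_bytes(16)
    body = bytes(m ^ s for m, s in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + body, hashlib.sha256).digest()
    return iv + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt; raises if the tag does not verify under this key."""
    iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, iv + body, hashlib.sha256).digest(), tag):
        raise ValueError("message rejected: wrong key or modified in transit")
    return bytes(c ^ s for c, s in zip(body, _keystream(key, iv, len(body))))


class Node:
    def __init__(self, ident: str, master_keys: dict):
        self.id = ident
        self.master = master_keys   # master key shared with each peer, delivered out of band
        self.n1 = self.n2 = self.ks = None

    def step1_request(self) -> dict:
        """Step 1, A -> B: ID_A || N_1, sent in the clear."""
        self.n1 = secrets.token_bytes(16)
        return {"IDA": self.id, "N1": self.n1.hex()}

    def step2_respond(self, request: dict) -> bytes:
        """Step 2, B -> A: E(MK, [K_s || ID_B || f(N_1) || N_2])."""
        self.ks, self.n2 = secrets.token_bytes(16), secrets.token_bytes(16)
        fields = {"Ks": self.ks.hex(), "IDB": self.id,
                  "fN1": f(bytes.fromhex(request["N1"])).hex(), "N2": self.n2.hex()}
        return encrypt(self.master[request["IDA"]], json.dumps(fields).encode())

    def step3_confirm(self, peer: str, message2: bytes) -> bytes:
        """Step 3, A -> B: E(K_s, f(N_2)), only after the reply is tied to A's own N_1."""
        fields = json.loads(decrypt(self.master[peer], message2))
        if fields["IDB"] != peer or bytes.fromhex(fields["fN1"]) != f(self.n1):
            raise ValueError("reply does not match this request: replay or wrong responder")
        self.ks = bytes.fromhex(fields["Ks"])
        return encrypt(self.ks, f(bytes.fromhex(fields["N2"])))

    def accept_step3(self, message3: bytes) -> bool:
        """B: the initiator holds K_s only if it can return f(N_2) encrypted under K_s."""
        return decrypt(self.ks, message3) == f(self.n2)


def run_exchange() -> bool:
    """One complete exchange; True when A and B end up holding the same session key."""
    mk = secrets.token_bytes(16)
    A, B = Node("A", {"B": mk}), Node("B", {"A": mk})
    message2 = B.step2_respond(A.step1_request())
    message3 = A.step3_confirm("B", message2)
    return B.accept_step3(message3) and A.ks == B.ks


def replay_is_rejected() -> bool:
    """A recorded step-2 reply re-sent during a later exchange fails the f(N_1) check."""
    mk = secrets.token_bytes(16)
    A, B = Node("A", {"B": mk}), Node("B", {"A": mk})
    old_reply = B.step2_respond(A.step1_request())  # captured during an earlier exchange
    A.step1_request()                               # A starts a new exchange: fresh N_1
    try:
        A.step3_confirm("B", old_reply)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("keys agree:", run_exchange(), "| replayed reply rejected:", replay_is_rejected())
```

The check in step3_confirm is the part that matters: without comparing f(N_1) to the nonce A actually sent, A would accept any old reply under the master key, and the session key it installs could be one an eavesdropper recorded long ago.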
Thus, it may be desirable to institute controls in systems that limit the ways in which keys are used, based on characteristics associated with those keys. One simple plan is to associate a tag with each key ([JONE82]; see also [DAVI89]). The proposed technique is for use with DES and makes use of the extra 8 bits in each 64-bit DES key. That is, the eight non-key bits ordinarily reserved for parity checking form the key tag. The bits have the following interpretation:

• One bit indicates whether the key is a session key or a master key.
• One bit indicates whether the key can be used for encryption.
• One bit indicates whether the key can be used for decryption.
• The remaining bits are spares for future use.

Because the tag is embedded in the key, it is encrypted along with the key when that key is distributed, thus providing protection. The drawbacks of this scheme are

1. The tag length is limited to 8 bits, limiting its flexibility and functionality.
2. Because the tag is not transmitted in clear form, it can be used only at the point of decryption, limiting the ways in which key use can be controlled.

A more flexible scheme, referred to as the control vector, is described in [MATY91a and b]. In this scheme, each session key has an associated control vector consisting of a number of fields that specify the uses and restrictions for that session key. The length of the control vector may vary.

The control vector is cryptographically coupled with the key at the time of key generation at the KDC. The coupling and decoupling processes are illustrated in Figure 14.6. As a first step, the control vector is passed through a hash function that produces a value whose length is equal to the encryption key length. Hash functions are discussed in detail in Chapter 11. In essence, a hash function maps values from a larger range into a smaller range with a reasonably uniform spread. Thus, for example, if numbers in the range 1 to 100 are hashed into numbers in the range 1 to 10, approximately 10% of the source values should map into each of the target values.

The hash value is then XORed with the master key to produce an output that is used as the key input for encrypting the session key. Thus,

\text{Hash value} = H = h(CV)
\text{Key input} = K_m \oplus H
\text{Ciphertext} = E([K_m \oplus H], K_s)

where K_m is the master key and K_s is the session key. The session key is recovered in plaintext by the reverse operation:
[Figure 14.6: coupling and decoupling of a control vector with a session key, showing the hash function, the master key, the encryption function and the decryption function, with plaintext and ciphertext; the diagram did not survive extraction.]
Use of the control vector has two advantages over use of an 8-bit tag. First, there is no restriction on length of the control vector, which enables arbitrarily complex controls to be imposed on key use. Second, the control vector is available in clear form at all stages of operation. Thus, control of key use can be exercised in multiple locations.
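The coupling and decoupling just described, as an added example that is neither the textbook's nor [MATY91]'s code. The hash h is SHA-256 truncated to the key length, the encryption function E is a constructed stand-in (XOR with SHA-256 of the key input) rather than DES, and the control-vector field layout and the function names are our own assumptions. The altered-CV case shows the property the text relies on: editing the clear-text control vector changes H, so the session key does not decouple, while the clear-text CV can still be checked at any point that handles the key.

```python
# Added example, not the textbook's code: coupling a control vector to a session key as
# in Figure 14.6. h is SHA-256 truncated to the key length; E is a constructed stand-in
# (XOR of the key block with SHA-256 of the key input), so it is not DES and the same
# call performs decryption. The control-vector field layout is our own assumption.
import hashlib

KEY_LEN = 16   # assumed key length; h(CV) is truncated to this many bytes


def h(control_vector: bytes) -> bytes:
    """Hash the (arbitrary-length) control vector down to the encryption-key length."""
    return hashlib.sha256(control_vector).digest()[:KEY_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(key_input: bytes, block: bytes) -> bytes:
    """Stand-in encryption of one key-sized block; E(K, E(K, M)) == M for this stand-in."""
    return xor(block, hashlib.sha256(key_input).digest()[:len(block)])


def encode_cv(key_type: str, may_encrypt: bool, may_decrypt: bool, expires: str) -> bytes:
    """A constructed control-vector layout; real products define their own fields."""
    return f"type={key_type};enc={int(may_encrypt)};dec={int(may_decrypt)};exp={expires}".encode()


def cv_allows(control_vector: bytes, operation: str) -> bool:
    """Read a usage flag from the clear-text control vector (usable anywhere the key passes)."""
    fields = dict(item.split("=") for item in control_vector.decode().split(";"))
    return fields.get(operation) == "1"


def couple(km: bytes, cv: bytes, ks: bytes) -> bytes:
    """KDC side: ciphertext = E([K_m xor h(CV)], K_s)."""
    return E(xor(km, h(cv)), ks)


def decouple(km: bytes, cv: bytes, ciphertext: bytes) -> bytes:
    """Recipient side: K_s comes back only when the presented CV hashes to the same H."""
    return E(xor(km, h(cv)), ciphertext)


def recover_session_key(km: bytes, cv: bytes, ciphertext: bytes, operation: str) -> bytes:
    """Enforce the CV before decoupling: a key whose CV forbids `operation` is never released."""
    if not cv_allows(cv, operation):
        raise PermissionError(f"control vector forbids {operation}")
    return decouple(km, cv, ciphertext)


if __name__ == "__main__":
    km = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed master key
    ks = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed session key
    cv = encode_cv("session", True, False, "2030-01-01")      # encrypt-only session key
    ciphertext = couple(km, cv, ks)
    print("same CV    ->", decouple(km, cv, ciphertext) == ks)
    altered = encode_cv("session", True, True, "2030-01-01")  # flag flipped by the recipient
    print("altered CV ->", decouple(km, altered, ciphertext) == ks)
```

Because the control vector travels in the clear, cv_allows can run at the KDC, at the receiving host's security service, and again at the application that uses the key; the coupling guarantees that a party who edits the vector to grant itself a use is left with a key that decouples to garbage.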
Because of the inefficiency of public-key cryptosystems, they are almost never used for the direct encryption of sizable blocks of data, but are limited to relatively small blocks. One of the most important uses of a public-key cryptosystem is to encrypt secret keys for distribution. We see many specific examples of this in Part Five. Here, we discuss general principles and typical approaches.

3. A computes D(PR_a, E(PU_a, K_s)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of K_s.
4. A discards PU_a and PR_a and B discards PU_a.

A and B can now securely communicate using conventional encryption and the session key K_s. At the completion of the exchange, both A and B discard K_s. Despite its simplicity, this is an attractive protocol. No keys exist before the start of the communication and none exist after the completion of communication. Thus, the risk of compromise of the keys is minimal. At the same time, the communication is secure from eavesdropping.
The protocol depicted in Figure 14.7 is insecure against an adversary who can intercept messages and then either relay the intercepted message or substitute another message (see Figure 1.3c). Such an attack is known as a man-in-the-middle attack [RIVE84]. We saw this type of attack in Chapter 10 (Figure 10.2). In the present case, if an adversary, D, has control of the intervening communication channel, then D can compromise the communication in the following fashion without being detected (Figure 14.8).

1. A generates a public/private key pair {PU_a, PR_a} and transmits a message intended for B consisting of PU_a and an identifier of A, ID_A.
2. D intercepts the message, creates its own public/private key pair {PU_d, PR_d} and transmits PU_d || ID_A to B.
3. B generates a secret key, K_s, and transmits E(PU_d, K_s).
4. D intercepts the message and learns K_s by computing D(PR_d, E(PU_d, K_s)).
5. D transmits E(PU_a, K_s) to A.

The result is that both A and B know K_s and are unaware that K_s has also been revealed to D. A and B can now exchange messages using K_s. D no longer actively interferes with the communications channel but simply eavesdrops. Knowing K_s, D can decrypt all messages, and both A and B are unaware of the problem. Thus, this simple protocol is only useful in an environment where the only threat is eavesdropping.
[Figure 14.8: the man-in-the-middle attack listed above, drawn with Alice, Darth and Bob; Darth's private key PR_d and public key PU_d, the message PU_d || ID_A, and the computation K_s = D(PR_d, E(PU_d, K_s)). Below it, a second figure shows an exchange between Initiator A and Responder B: (1) E(PU_b, [N_1 || ID_A]); (2) E(PU_a, [N_1 || N_2]); (3) E(PU_b, N_2). Neither diagram survived extraction.]
A Hybrid Scheme

Yet another way to use public-key encryption to distribute secret keys is a hybrid approach in use on IBM mainframes [LE93]. This scheme retains the use of a key distribution center (KDC) that shares a secret master key with each user and distributes secret session keys encrypted with the master key. A public-key scheme is used to distribute the master keys. The following rationale is provided for using this three-level approach:

• Performance: There are many applications, especially transaction-oriented applications, in which the session keys change frequently. Distribution of session keys by public-key encryption could degrade overall system performance because of the relatively high computational load of public-key encryption and decryption. With a three-level hierarchy, public-key encryption is used only occasionally to update the master key between a user and the KDC.
• Backward compatibility: The hybrid scheme is easily overlaid on an existing KDC scheme with minimal disruption or software changes.

The addition of a public-key layer provides a secure, efficient means of distributing master keys. This is an advantage in a configuration in which a single KDC serves a widely distributed set of users.
Several techniques have been proposed for the distribution of public keys. Virtually
all these proposals can be grouped into the following general schemes:
• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates
Public-Key Authority
Stronger security for public-key distribution can be achieved by providing
tighter control over the distribution of public keys from the directory. A typical
scenario is illustrated in Figure 14.12, which is based on a figure in [POPE79].
As before, the scenario assumes that a central authority maintains a dynamic
directory of public keys of all participants. In addition, each participant reliably
knows a public key for the authority, with only the authority knowing the corre-
sponding private key. The following steps (matched by number to Figure 14.12)
occur.
1. A sends a timestamped message to the public-key authority containing a
request for the current public key of B.
2. The authority responds with a message that is encrypted using the author-
ity's private key, PRauth. Thus, A is able to decrypt the message using the
authority's public key. Therefore, A is assured that the message originated
with the authority. The message includes the following:
• B's public key, PUb, which A can use to encrypt messages destined for B
• The original request used, to enable A to match this response with the cor-
responding earlier request and to verify that the original request was not
altered before reception by the authority
• The original timestamp given, so A can determine that this is not an old
message from the authority containing a key other than B's current
public key
[Figure 14.12: Initiator A, the Public-key Authority and Responder B; the surviving message labels are (1) Request || T1 and (3) E(PUb, [IDA || N1]).]
3. A stores B's public key and also uses it to encrypt a message to B containing
an identifier of A (IDA) and a nonce (N1), which is used to identify this trans-
action uniquely.
4, 5. B retrieves A's public key from the authority in the same manner as A
retrieved B's public key.
At this point, public keys have been securely delivered to A and B, and they
may begin their protected exchange. However, two additional steps are desirable:
6. B sends a message to A encrypted with PUa and containing A's nonce (N1)
as well as a new nonce generated by B (N2). Because only B could have
decrypted message (3), the presence of N1 in message (6) assures A that the
correspondent is B.
7. A returns N2, which is encrypted using B's public key, to assure B that its
correspondent is A.
Thus, a total of seven messages are required. However, the initial five mes-
sages need be used only infrequently because both A and B can save the other's
public key for future use, a technique known as caching. Periodically, a user should
request fresh copies of the public keys of its correspondents to ensure currency.
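The seven-message exchange above, together with the checks the requester performs on the authority's reply (signer, echoed request, timestamp freshness) and the nonce checks of messages (6) and (7), as an added simulation that is not part of the original text. The public-key operations are an abstract stand-in constructed for this example (no real RSA), so only the protocol logic is exercised; `Party`, `Authority`, `check_authority_response` and `run_protocol` are names introduced here.

```python
import os, time
from dataclasses import dataclass
# Toy public-key model constructed for this example (not real cryptography): an Enc
# opens only with the private key matching its public key; a signed reply is a tuple.
@dataclass(frozen=True)
class Enc:                                    # E(PU, payload)
    pub: str
    payload: tuple

class Party:
    def __init__(self, name):
        self.name, self.pub = name, "PU_" + name          # holds the PR for self.pub
    def decrypt(self, ct):                                # D(PR_self, ct)
        if ct.pub != self.pub:
            raise PermissionError(f"{self.name} lacks the private key for {ct.pub}")
        return ct.payload

class Authority(Party):
    def __init__(self, directory):                        # directory: ID -> public key
        super().__init__("auth"); self.directory = directory
    def respond(self, request):                           # (2): E(PR_auth, [PU || Request || T1])
        return (self.pub, self.directory[request[0]], request)

def check_authority_response(resp, request, max_age=30.0):
    # Checks the requester performs on message (2)/(5): signer, echoed request, freshness.
    signer, pub, echoed = resp
    if signer != "PU_auth":
        raise ValueError("not signed with PR_auth")
    if echoed != request:
        raise ValueError("request was altered in transit")
    if time.time() - echoed[1] > max_age:
        raise ValueError("stale response: possibly an old key replayed")
    return pub

def run_protocol(auth, a, b):
    # Seven-message exchange of Figure 14.12; returns the number of messages sent.
    req1 = ("B", time.time())                                   # (1) Request || T1
    pu_b = check_authority_response(auth.respond(req1), req1)   # (2)
    n1 = os.urandom(8)
    id_a, n1_rx = b.decrypt(Enc(pu_b, ("A", n1)))               # (3) E(PU_b, [ID_A || N1])
    req4 = (id_a, time.time())                                  # (4) B requests PU_a
    pu_a = check_authority_response(auth.respond(req4), req4)   # (5)
    n2 = os.urandom(8)
    n1_back, n2_rx = a.decrypt(Enc(pu_a, (n1_rx, n2)))          # (6) E(PU_a, [N1 || N2])
    if n1_back != n1:
        raise ValueError("N1 mismatch: correspondent is not B")
    (n2_back,) = b.decrypt(Enc(pu_b, (n2_rx,)))                 # (7) E(PU_b, N2)
    if n2_back != n2:
        raise ValueError("N2 mismatch: correspondent is not A")
    return 7
```

A run with `Authority({"A": "PU_A", "B": "PU_B"})`, `Party("A")` and `Party("B")` completes all seven messages, while a reply carrying an old timestamp or a signer other than the authority is rejected before any key is used.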
Public-Key Certificates
The scenario of Figure 14.12 is attractive, yet it has some drawbacks. The public-key
authority could be somewhat of a bottleneck in the system, for a user must appeal
to the authority for a public key for every other user that it wishes to contact. As
before, the directory of names and public keys maintained by the authority is vul-
nerable to tampering.
434 CHAPTER 14 / KEY MANAGEMENT AND DISTRIBUTION
[Figure: a Certificate Authority issues certificates for PUa and PUb to A and B; panel (b) Exchanging certificates.]
ITU-T recommendation X.509 is part of the X.500 series of recommendations that
define a directory service. The directory is, in effect, a server or distributed set
of servers that maintains a database of information about users. The information
includes a mapping from user name to network address, as well as other attributes
and information about the users.
X.509 defines a framework for the provision of authentication services by the
X.500 directory to its users. The directory may serve as a repository of public-key
certificates of the type discussed in Section 14.3. Each certificate contains the public
key of a user and is signed with the private key of a trusted certification authority.
In addition, X.509 defines alternative authentication protocols based on the use of
public-key certificates.