University of London

BSc Computing and

Information Systems
CIS326 Computer Security
Key Management

Objectives:
• Explain the problems that arise when
generating, storing, transmitted and
using keys in asymmetric and
symmetric key cryptosystems

CIS 326 - Computer Security

Key Management
Symmetric vs. Asymmetric Cryptography

CIS 326 - Computer Security

Number of keys
The number of keys each person requires in a
symmetric key cryptosystem grows as the number of
users grow.

Whereas, in an asymmetric cryptosystem the public

key (encryption key) is available to all other users,
hence there is no ‘key growth’

In general, if there are n people using a symmetric

key cryptosystem to communicate then the total
number of keys required is
n * (n – 1)/2

CIS 326 - Computer Security

Key Management Issues

1. Key Generation
• Where are the keys generated and by whom?
Perhaps Alice generates the keys and sends
one to Bob (or vice versa) or maybe a Trusted
Third Party (TTP) generates the keys for them.
• How are the keys generated?
• Is there a secure method to generate a key
between Alice and Bob, or are the keys just a
random stream?

CIS 326 - Computer Security

Key Management cont..

2. Key Storage
Where are the keys held once they have been
generated?

3. Key Distribution
How are the keys distributed to Alice and Bob
(from each other or from the TTP)? The
channel they are using to communicate is
insecure so they cannot send the keys over
this channel.

CIS 326 - Computer Security

Key Management cont..

4. Key Replacement
How often are the keys replaced?
In some applications, a key is used only
once. In other circumstances, the key
may be used for a time period of one
second or perhaps one day.
A key with a limited life is called a
session key.

CIS 326 - Computer Security

Further Issues

Chaining Keys
This is when Alice generates a new session
key, and sends it to Bob first encrypting it with
the old session key.

What’s the problem with this technique?

If Charles discovers one key then he will be

able to determine all subsequent keys

CIS 326 - Computer Security

Further Issues cont..
Random Numbers
• Random numbers are very important in
cryptography. For example keys are often strings
of random binary bits.

• How are random numbers generated?

1. Flipping a fair coin is a truly random event, but it’s not
practical to use such sources of random data in a
computer programme.
2. An alternative method involves the use of
pseudo-random numbers which are generated
by pseudorandom number generator (PNG)

CIS 326 - Computer Security

Random Numbers
• A random number generator uses some
function f to generate a list of random numbers
within a given range.
• Typically the next random number depends in
some way on the previous one so that
xn+1 = f(xn)

• The function f must be kept secret. Why?

• A PNG is cryptographically strong if an attacker
cannot predict the next number, no matter how
much previous data output he or she has seen.

CIS 326 - Computer Security

Key Exchange Protocols
Using asymmetric keys to exchange
symmetric keys
• An asymmetric key is used to encrypt
and transmit a symmetric key for use with
a symmetric key cryptosystem
1. Alice generates a symmetric key KAB
2. Alice obtains Bob’s public key and
encrypts KAB
3. Alice send the ciphertext ‘c’ to Bob who
decrypts it with his private key to recover
KAB
CIS 326 - Computer Security
Key Exchange Protocols
• Diffie-Hellman key exchange protocol.
Diffie-Hellman is based on the Discrete
Logarithm Problem (DLP) and is
reasonably secure, however is
susceptible to MiTM attacks
• The Needham-Schroeder protocol is
another method to exchange keys
between Alice and Bob, which uses a
Trusted Third Party (TTP)

CIS 326 - Computer Security

The Needham-Schroeder
Protocol
• This protocol also provides a way of
exchanging a session key between
Alice and Bob
• This protocol uses a Trusted Third
Party (TTP) or a Server (S).
• The protocol use only symmetric key
cryptography

CIS 326 - Computer Security

• Alice and the server have a key KAS
• Bob and the server have a key KBS
• Alice and Bob want to establish a
shared key KAB so that Alice can send
Bob a message.
• They communicate with each other
and the server as follows:

CIS 326 - Computer Security

Needham-Schroeder

1. A S: A, B

2. S A: eKAS(B, KAB, eKBS(A, KAB))

3. Alice decrypts to get B, KAB, eKBS(A, KAB)

4. A B: eKBS(A, KAB)

Bob decrypts to get A, KAB

CIS 326 - Computer Security

Needham-Schroeder 2

1. A S: A, B, NA
2. S A: eKAS(B, NA, KAB, eKBS(A, KAB))
3. A B: eKBS(A, KAB)
4. B A: eKAB(NB)
5. A B: eKAB(NB -1 )

N represents a nonce, which is extra information

including a timestamp and a random identifier.

CIS 326 - Computer Security

Trusting Public Keys
When using a public key cryptosystem for
any purpose, there has to be a reliable way
of ensuring that identities are correctly and
incorruptibly linked with cryptographic keys

Two ways of accomplishing this are:

1.Digital Certificates
2.Web of trust

CIS 326 - Computer Security

Certificates – X.509

• A certificate consists of a public key

together with an identification of the
key user.
• The certificate is issued by a trusted
third party (TTP) called a certification
agency (CA)
• The certification agency might be a
government agency or financial
institution
CIS 326 - Computer Security
The CA guarantees the link between the
user and the public key by digitally
signing a document which contains:
• the user name,
• the public key,
• the name of the CA,
• the expiry date of the certificate
• other information such as access rights
(optional).

CIS 326 - Computer Security

X.509 Certification Process

• Bob generates a document containing

his relevant information and presents
himself with this document to the CA.
• The CA confirm Bob’s identity.
• The CA hash the document using
SHA-1 and encrypt it using their own
private key.
• This is the certificate.

CIS 326 - Computer Security

X.509 Certification Process

• If Alice wants to communicate with Bob she

looks up his public key document and
certificate.
• She will use the public key of the CA to
decrypt the certificate.
• She will hash the document using SHA-1
• If these two items are the same then she
knows that she can safely communicate
with Bob using the public key since the CA
has verified his identity.

CIS 326 - Computer Security

Web of Trust
PGP has no TTP or CA, so how do users certify
public keys?

PGP uses a model called comparative trust.

Basically each user has an idea of the amount of
trust they place on the identity of another user. The
user is either classified as ‘unknown’, ‘trusted’,
marginally trusted’ or ‘completely trusted’.

A key legitimacy field is applied to each user and

when keys are exchanged this field is also included

CIS 326 - Computer Security

PGP Trust Model Example

CIS 326 - Computer Security

 2 of 2 Protocol

• A key is split into 2 pieces. Both pieces

are needed to recover the original key.
• Assume the key K is a b bit binary
number
K = k1 k2 k3….. kb
• Each bit ki is either a 0 or a 1
• The size of the key space is 2b

CIS 326 - Computer Security

1. The first key piece X1 is a b-bit string chosen
at random.
2. The second key piece X2 is computed by
XORing K and X1
Å
X2 = K X1
3. The key K is recovered by XORing the two
key pieces together.
Å
K = X1 X 2
4. Neither X1 nor X2 reveal any information
about K on their own since they are both
random strings of 0’s and 1’s.
CIS 326 - Computer Security
Example (2 of 2 protocol)
Generation of Key Pieces
The key K = 10110101 Å
Key part X1= 01011010
Key part X2 = 11101111

Recovery of Key
Key part X1 = 01011010 Å
Key part X2 = 11101111

The key K = 10110101

CIS 326 - Computer Security

 n of n protocol
The 2 of 2 protocol can be generalised to an n of n
protocol.
1. Generate n - 1 random b-bit numbers X1 … Xn-1.
2. The final key piece is computed by XORing the
key K with X1 , X2 , …, Xn-1
Å Å Å Å
Xn = K X1 X2 …… Xn-1
3. The key K is recovered by XORing all of the key
pieces together Å Å
K = X 1 … Xn
Only if all n pieces are known can the key K be
determined
CIS 326 - Computer Security
 Example (4 of 4 protocol)

Generation of Key Parts Recovery of the Key

K = 10100110 X1= 11010101 Å

Å
X1= 11010101 Å X2= 00110100 Å
X2= 00110100 Å X3= 00110011 Å
X3= 00110011 X4= 01110100

X4= 01110100 K = 10100110

CIS 326 - Computer Security

 2 of 3 protocol

• Three key pieces are generated. Any

two of the three pieces are needed to
recover the original key.
• The key K has b bits. We need a
parameter ‘p’ which is a prime > 2b.
• The best choice of ‘p’ is the smallest
value satisfying p > 2b
• The value of p is public.

CIS 326 - Computer Security

 2 of 3 Protocol
Alice owns the key K, generates 3 pieces for 3
people Q1, Q2 and Q3 as follows:
1. Alice generates a random number ‘a’ and 3
further random numbers x1, x2 and x3 all different
and all between 0 and p.
2. Alice computes ki = (a*xi +K) mod p for i =1,2,3.
3. Alice keeps the value ‘a’ secret, and gives each
of the 3 key holders a pair (xi , ki).

CIS 326 - Computer Security

 Recovering K

Each key holder has a pair (xi , ki) and knows

that ki = (a*xi + K) mod p, but without knowledge
of a , this equation cannot be solved.

There are p possible values for a and hence p

possible values for K.

However, if two key holders get together, they

can form 2 equations in 2 unknowns which can
be solved simultaneously for K.
CIS 326 - Computer Security
 Recovering K
Suppose the first two key holders share their
information. Then they know:
k1 = (a*x1 + K) mod p (1)
k2 = (a*x2 + K) mod p (2)

Multiplying the first equation by x2 and the

second equation by x1 gives 2 more
equations:

(x2 *k1) = x2 (a*x1 ) + (x2* K) mod p (3)

(x1 *k1) = x1 (a*x2 ) + (x1* K) mod p (4)
CIS 326 - Computer Security
Now subtracting equation (4) from equation (3)
gives

(x2 *k1) = (a*x1*x2 ) + (x2* K) mod p (3)

(x1 *k1) = (a*x1*x2 ) + (x1* K) mod p (4)
(x2 *k1 - x1 *k1) = (K *(x2 - x1)) mod p

CIS 326 - Computer Security

 Example 2 of 3 Protocol
Generation of Key Parts
K = 31, p = 67
a = 21, x1 = 3, x2 = 11, x3 = 17

k1 = (21*3 + 31) mod 67 = 94 mod 67 = 27

k2 = (21*11 + 31) mod 67 = 262 mod 67 = 61
k3 = (21*17 + 31) mod 67 = 388 mod 67 = 53

Q1 = {3,27} Q2 = {11,61} Q3 = {17,53}

CIS 326 - Computer Security

Example 2 of 3 Protocol
Recovery of the Key
Suppose key holders Q1 and Q2 decide to share their
information so we know Q1 = {3,27} and Q2 = {11,61}

We have the equations:

27 = 3a +K mod 67 (1) *11
61 = 11a+K mod 67 (2) * 3

(11*27) = (3*11*a) + 11K mod 67

(61*3) = (3*11*a) + 3K mod 67

(11*27)-(61*3) = (11K-3K) mod 67

114 = 8K mod 67
K = 31
CIS 326 - Computer Security
 2 of n protocol
• The 2 of 3 protocol can be generalised
to provide a 2 of n protocol.
• The key holders generates as many
key pairs (ki, xi) as necessary using
the same method as for the 2 of 3
protocol.
• Any two key holders can retrieve the
original key.

CIS 326 - Computer Security

Summary
• Demonstrated that it is necessary for a symmetric
cryptographic system to have a method to generate and
transmit the shared key between two cryptosystem
users
• Demonstrated how public key cryptography can be
used to encrypt and transmit a shared symmetric key
• Demonstrated how the Needham-Schroeder key
exchange protocol works and how it prevents a
cryptanalyst from discovering the shared key
• Explained how the X.509 certification protocol allows a
trusted third party to sign keys and how a public key
cryptosystem user can obtain a certificate and verify
that a key is genuine
• Explained how the web of trust scheme works

CIS 326 - Computer Security