Key Distribution
Agenda
Symmetric Key distribution using symmetric techniques
Symmetric Key distribution using Asymmetric techniques
Symmetric Key distribution using hybrid techniques
Asymmetric Key distribution
Certificate Example
Definition
Link encryption (link or physical layer encryption): an approach to
communications security that encrypts and decrypts all traffic at each end of
a communications line.
End-to-end encryption (application encryption): messages are
encrypted by the sender at the point of origin and only decrypted by the
intended receiver.
Symmetric Key distribution using symmetric techniques
Definition
A session key is a temporary encryption key used between two principals.
A master key is a long-lasting key that is used between a key distribution
center and a principal for the purpose of encoding the transmission of session
keys. Typically, the master keys are distributed by noncryptographic
means.
A nonce is an arbitrary number used only once in a cryptographic
communication, in the spirit of a nonce word. The nonce may be
a timestamp, a counter, or a random number; the minimum requirement is
that it differs with each request.
We will always talk about distributing session keys or public keys.
Limitation:
The tag length is limited to 8 bits, limiting its flexibility and functionality.
Because the tag is not transmitted in clear form, it can be used only at the point of
decryption, limiting the ways in which key use can be controlled.
Confidentiality & Authentication... But how did it get the public key of the other?
Hybrid approach
Distribute session keys using the master key (symmetric encryption)
Distribute master keys using public-key encryption
Rationale?
Performance (public-private encryption is computationally costly)
Backward compatibility
Distribution of Public key
Public-Key Authority
Like Public directory but with Authentication
Public announcement
Publicly available directory
Public-key authority
Public-key Certificate
certificates allow key exchange without real-time access to the public-key authority
a certificate binds identity to public key, usually with other info
such as period of validity, rights of use, etc.
with all contents signed by a trusted Public-Key or Certificate
Authority (CA)
can be verified by anyone who knows the public-key authority's
public key
Public-Key Certificates
1. Any participant can read a certificate to determine the name and public key of the
certificate's owner.
2. Any participant can verify that the certificate originated from the certificate authority
and is not counterfeit.
3. Only the certificate authority can create and update certificates.
4. Any participant can verify the currency of the certificate.
Public-Key Certificates
Limitation:
It takes time, in case of certificate change.
Users might use old certificates.
X.509 CERTIFICATES
Remember: Public-Key Certificates Req.
1. Any participant can read a certificate to determine the name and public key of the
certificate's owner.
2. Any participant can verify that the certificate originated from the certificate authority
and is not counterfeit.
3. Only the certificate authority can create and update certificates.
4. Any participant can verify the currency of the certificate.
Because certificates are unforgeable, they can be placed in a directory without the need
for the directory to make special efforts to protect them.
Chain of CA
Is there only one CA in the world?
Initially
A has a certificate from CA X1. A securely knows X1's public key.
B has a certificate from CA X2. B securely knows X2's public key.
Chain of CA
Notation: X1 <<X2>> (X1 has certificate of X2)
Previous example: X1 <<X2>> X2 <<B>> (mean?)
Certificate Revocation (invalidating)
Why?
The user's private key is assumed to be compromised.
The user is no longer certified by this CA. Reasons for this include that the subject's name has
changed, the certificate is superseded, or the certificate was not issued in conformance with the CA's
policies.
The CA's certificate is assumed to be compromised.
Each CA must maintain a list (CRL) consisting of all revoked but not expired certificates
issued by that CA.
Each certificate revocation list (CRL) posted to the directory is signed by the issuer.
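The chain X1 <<X2>> X2 <<B>> and the CRL check above, as an added example that is not part of the original slides: A starts from X1's public key, checks each certificate's signature, validity period and the issuer's signed CRL, and ends with B's public key. It uses textbook RSA over fixed Mersenne primes as a stand-in for real X.509 signatures; every function name, field layout and sample value here is constructed for illustration, and `crls` is assumed to be a dict mapping each issuer name to that issuer's signed CRL.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def keypair(p, q):
    """Textbook RSA from two primes: (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(body, n):
    return int.from_bytes(hashlib.sha256(repr(body).encode()).digest(), "big") % n

def sign(body, n, d):
    return pow(digest(body, n), d, n)

def verify(body, sig, n):
    return pow(sig, E, n) == digest(body, n)

def issue_cert(issuer, n, d, subject, subject_pub, serial, not_after):
    body = ("CERT", issuer, subject, subject_pub, serial, not_after)
    return {"body": body, "sig": sign(body, n, d)}  # only the CA holds d

def issue_crl(issuer, n, d, revoked_serials):
    body = ("CRL", issuer, *sorted(revoked_serials))
    return {"body": body, "sig": sign(body, n, d)}  # CRL is signed by its issuer

def validate_chain(anchor, anchor_pub, chain, crls, today):
    """Walk X1<<X2>> X2<<B>> from a trusted key; return the last subject's key or raise."""
    name, pub = anchor, anchor_pub
    for cert in chain:
        kind, issuer, subject, subject_pub, serial, not_after = cert["body"]
        if kind != "CERT" or issuer != name or not verify(cert["body"], cert["sig"], pub):
            raise ValueError(f"{subject}: not signed by {name}")
        if today > not_after:  # ISO dates compare correctly as strings
            raise ValueError(f"{subject}: expired")
        crl = crls.get(issuer)
        if not crl or crl["body"][:2] != ("CRL", issuer) \
                or not verify(crl["body"], crl["sig"], pub):
            raise ValueError(f"{subject}: no authentic CRL from {issuer}")
        if serial in crl["body"][2:]:
            raise ValueError(f"{subject}: revoked")
        name, pub = subject, subject_pub  # the verified key checks the next link
    return pub

# Constructed sample data (Mersenne primes make the toy keys reproducible).
X1_N, X1_D = keypair(2**61 - 1, 2**89 - 1)
X2_N, X2_D = keypair(2**107 - 1, 2**127 - 1)
B_N = (2**521 - 1) * (2**607 - 1)
CHAIN = [issue_cert("X1", X1_N, X1_D, "X2", X2_N, 1, "2030-12-31"),
         issue_cert("X2", X2_N, X2_D, "B", B_N, 7, "2030-12-31")]
```
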
CRL includes
Thank You