Previous lecture - PowerPoint PPT Presentation

Provided by: mortens

1
Previous lecture: smart-cards
  • Card-terminal authentication
  • Card-issuer authentication

2
Today's program: key generation and distribution
  • About previous assignment
  • New assignment
  • Generating keys
  • Distributing keys
  • Key splitting
  • Master key and derived keys
  • Key lengths
  • Symmetric keys
  • Asymmetric keys

3
Assignment
  • Completely solved assignment gives 20 points
  • Six points deducted if chaining not implemented
  • Penalty for delay: one point per day
  • Common problems:
      • Static Initialization Vector (IV)
      • Padding not bijectional
      • Encryption algorithm used

4
Initialization Vector (IV)
  • In CBC mode, the IV is used for the first XOR
  • Using a constant IV always gives the same
    ciphertext for a given clear text.
  • A good system should generate the IV dynamically:
      • From some random generator
      • From the system time, etc.
  • Since the IV is necessary for decryption, the IV
    must be given in clear in the output
  • The IV itself is not secret, and giving it in
    clear does not create a security problem.
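
The behaviour described on this slide, as an added example that is not part of the original slides: CBC with a constant IV repeats its ciphertext, while a fresh IV written in clear as the first output block does not, and decryption still works. The block cipher is a constructed 4-round Feistel stand-in (not DES, not secure), and all function names and sample values are assumptions of this example.

```python
import hashlib
import os

BLOCK = 8  # 64-bit blocks, the DES block size used in the assignment

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the constructed stand-in cipher (not DES, not secure).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, plaintext, iv=None):
    """Return IV || ciphertext; a fresh random IV is drawn unless one is forced."""
    if len(plaintext) % BLOCK:
        raise ValueError("pad the clear text to a multiple of the block length first")
    iv = os.urandom(BLOCK) if iv is None else iv
    out, prev = [iv], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = enc_block(key, _xor(plaintext[i:i + BLOCK], prev))  # XOR, then encrypt
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, data):
    """Read the IV from the first block of the output, then undo the chaining."""
    if len(data) < BLOCK or len(data) % BLOCK:
        raise ValueError("need the IV block followed by whole ciphertext blocks")
    prev, out = data[:BLOCK], []
    for i in range(BLOCK, len(data), BLOCK):
        out.append(_xor(dec_block(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

KEY = b"constructed-key"   # constructed sample key
MSG = b"PAY 100 TO ALICE"  # constructed clear text, exactly two blocks
if __name__ == "__main__":
    print(cbc_encrypt(KEY, MSG, iv=bytes(BLOCK)).hex())  # identical on every run
    print(cbc_encrypt(KEY, MSG).hex())                   # differs on every run
```
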

5
Padding
  • If the clear text is not a multiple of the block
    length, some padding must be used.
  • The padding must be bijectional, i.e., the extra
    characters added must be removed after decryption
  • Padding by adding spaces to the clear text does
    not work, since you can't know if the spaces were
    added during padding, or if they were in the
    clear text from the beginning
  • How to create a bijectional padding?

6
Bijectional padding schemes
  • A padding scheme is bijectional if
    depad(pad(s)) = s.
  • If there are certain characters that for some
    reason cannot appear in the clear text, they can
    be used for padding.
  • In general, this is not a good solution, since
    such conditions may change.
  • Example: Let $l$ be the length of the original
    clear text, and let $b$ be the block length. Set $l'$
    to the smallest multiple of $b$ such that $l' > l$.
    Create a string of length $l'$ whose first $l$ bytes
    are the clear text. Set the last byte to $l' - l$.
  • This is reversible, since when decrypting, it is
    possible to read the last byte and remove the
    corresponding number of padding characters.
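
The example scheme above next to space padding, as an added example that is not part of the original slides. The filler value (zero bytes), the helper names `space_pad`, `space_depad` and `failures`, and the sample strings are assumptions of this example.

```python
BLOCK = 8  # DES block length in bytes

def pad(s, b=BLOCK):
    """Extend s to l', the smallest multiple of b with l' > l; last byte is l' - l."""
    if not 1 <= b <= 255:
        raise ValueError("the padding count must fit in one byte")
    n = b - len(s) % b  # always 1..b: an already aligned text gets a whole extra block
    return s + bytes(n - 1) + bytes([n])  # filler value is an assumption (zero bytes)

def depad(p, b=BLOCK):
    """Read the last byte and remove that many bytes."""
    if not p or len(p) % b:
        raise ValueError("length is not a positive multiple of the block length")
    n = p[-1]
    if not 1 <= n <= b:
        raise ValueError("last byte is not a valid padding count")
    return p[:-n]

def space_pad(s, b=BLOCK):
    # The scheme the slides warn about: fill up with spaces.
    return s + b" " * (-len(s) % b)

def space_depad(p):
    return p.rstrip(b" ")

def failures(pad_fn, depad_fn, samples):
    """Return every sample for which depad(pad(s)) != s."""
    return [s for s in samples if depad_fn(pad_fn(s)) != s]

# Constructed samples: empty, short, exactly one block, trailing spaces,
# and an aligned text whose last byte looks like a padding count.
SAMPLES = [b"", b"PIN", b"8 bytes!", b"ends in spaces  ", b"x" * 15 + b"\x01"]

if __name__ == "__main__":
    print("length-byte padding fails on:", failures(pad, depad, SAMPLES))
    print("space padding fails on:      ", failures(space_pad, space_depad, SAMPLES))
```

The last sample shows why $l'$ must be strictly greater than $l$: without the extra block, the final clear-text byte would be read as a padding count.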

7
Encryption algorithm used
  • In the assignment, you need the basic DES
    encryption.
  • Since ECB (Electronic Code Book) provides
    encryption without any further processing, this
    is what we want.
  • In Java, use DES/ECB/NoPadding
  • In other libraries, either call DES directly, or
    ECB without padding

8
New assignment
  • Create signature according to EMV specifications
    (15 p)
  • Create issuer certificate according to EMV
    specifications (5 p)

9
Generating keys
  • Key generation requires a good source of random
    bits
  • Bad key material makes the system vulnerable to
    attacks. Such attacks have been carried out in practice.
  • Hardware generators provide the best source.
  • For end-user applications - some user interaction
    can be used (mouse movement, key strokes, etc.)
  • Using system time for high security requirements
    is a bad idea!
  • For high-security applications, key generation
    should take place in a closed environment.

10
Distributing symmetric keys
  • Symmetric keys are very sensitive and must be
    distributed with great care.
  • Depending on how valuable the key is, different
    approaches are possible:
      • Send the key to recipient by physically secure
        means, e.g., by courier, by registered mail etc.
      • If a common key exists, send the new key
        encrypted under the common key.
      • Split the key into components and send the key
        components with different security officers.

11
Key splitting
  • One option for distributing keys with lower risk
    is to split the key into components and send the
    parts separately.
  • After generation, the key is split into n parts.
    To recreate the key, all n parts must be
    available.
  • Knowledge of less than n parts should give as
    little help as possible for recreating of keys.
  • How do we do this?

12
Splitting into parts of equal length
  • When splitting into parts of equal length, the
    key of length l is split into n components, each
    of length l / n.
  • First part consists of bits 1 through $(l / n) - 1$,
    second part of bits $l / n$ through $2(l / n) - 1$,
    etc.
  • A disadvantage of this method is that knowledge
    of several parts reveals parts of the key, and
    leaves fewer bits for guessing.

13
Exclusive-or with random bit strings
  • If we want to distribute an $l$-bit key $k$ as $n$
    components, we first generate $(n - 1)$ $l$-bit
    strings $u_1, u_2, \dots, u_{n-1}$.
  • The $n$th component is computed as
    $u_n = k \oplus u_1 \oplus u_2 \oplus \dots \oplus u_{n-1}$,
    where $\oplus$ denotes bitwise XOR.
  • The basic properties of XOR give that
    $u_1 \oplus u_2 \oplus \dots \oplus u_n = k$.
  • This method gives higher security, since
    knowledge of any $n - 1$ components reveals
    nothing about the key.
  • Recall that with the previous method, this
    knowledge revealed several key bits, making a
    brute-force attack on the rest easier.
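
Both splitting methods side by side, as an added example that is not part of the original slides. The function names and the sample key are assumptions of this example; `missing_component_for` shows why n - 1 XOR components reveal nothing: for every candidate key there is exactly one last component that fits.

```python
import secrets
from functools import reduce

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("components must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def split_xor(k, n):
    """u_1..u_{n-1} are random; u_n = k XOR u_1 XOR ... XOR u_{n-1}."""
    if n < 2:
        raise ValueError("need at least two components")
    parts = [secrets.token_bytes(len(k)) for _ in range(n - 1)]
    parts.append(reduce(xor, parts, k))
    return parts

def combine_xor(parts):
    """u_1 XOR u_2 XOR ... XOR u_n = k."""
    return reduce(xor, parts)

def missing_component_for(known, candidate):
    """Given n-1 components, the one remaining component that makes `candidate` the key."""
    return reduce(xor, known, candidate)

def split_equal(k, n):
    """Equal-length splitting: n consecutive slices of the key."""
    if n < 1 or len(k) % n:
        raise ValueError("key length must be a multiple of n")
    step = len(k) // n
    return [k[i * step:(i + 1) * step] for i in range(n)]

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit key

if __name__ == "__main__":
    parts = split_xor(KEY, 3)
    print("recombined:", combine_xor(parts) == KEY)
    # Two of three XOR components are consistent with any key, e.g. all zeros:
    fake = missing_component_for(parts[:2], bytes(16))
    print("all-zero key also fits:", combine_xor(parts[:2] + [fake]) == bytes(16))
    # Three of four equal-length parts expose 96 of the 128 key bits directly:
    print("exposed:", b"".join(split_equal(KEY, 4)[:3]).hex())
```
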

14
Distributing keys for asymmetric keys
  • Distributing the public part of asymmetric keys
    is simple: no special security measures are
    needed.
  • Distributing keys in certificates makes it easier
    to prove the owner of the key.
  • If the private part is to be distributed, the
    same techniques as for symmetric keys can be used.

15
Key Derivation
  • Key derivation is a technique to assign
    individual keys without having to store a key per
    user.
  • The key information is concentrated into a single
    master key.
  • Every key is derived from this master key.
  • The individual keys are computed on-the-fly from
    the master key and user information.

[Diagram: User information and Master key → Encryption → Individual key]
16
Session Keys
  • For security reasons it is often a good idea to
    use different keys for each transaction.
  • Keys used only for one transaction are called
    session keys.

[Diagram: Session information and Individual key → Encryption → Session key]
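
The two derivation steps from the Key Derivation and Session Keys slides, as an added example that is not part of the original slides. HMAC-SHA256 is swapped in for the "Encryption" box because it is available in the standard library; the class names, labels, card identifiers and transaction values are hypothetical.

```python
import hashlib
import hmac

def derive(key, info, length=16):
    # HMAC-SHA256, truncated, stands in for the "Encryption" step (assumption).
    return hmac.new(key, info, hashlib.sha256).digest()[:length]

def individual_key(master_key, user_info):
    return derive(master_key, b"individual:" + user_info)

def session_key(ind_key, session_info):
    return derive(ind_key, b"session:" + session_info)

class Card:
    """Holds only its own individual key, never the master key."""
    def __init__(self, user_info, ind_key):
        self.user_info = user_info
        self._key = ind_key

    def session_key_for(self, session_info):
        return session_key(self._key, session_info)

class Host:
    """Stores the master key only; individual keys are recomputed on the fly."""
    def __init__(self, master_key):
        self._master = master_key

    def personalise(self, user_info):
        return Card(user_info, individual_key(self._master, user_info))

    def session_key_for(self, user_info, session_info):
        return session_key(individual_key(self._master, user_info), session_info)

MASTER = bytes(range(16))  # constructed master key

if __name__ == "__main__":
    host = Host(MASTER)
    card = host.personalise(b"card-0001")  # hypothetical user information
    # Both sides reach the same session key without storing a key per user.
    print(card.session_key_for(b"txn-1") == host.session_key_for(b"card-0001", b"txn-1"))
    # A new transaction gives a new key.
    print(card.session_key_for(b"txn-1") != card.session_key_for(b"txn-2"))
```
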
17
Key Management Setup
  • If two systems need to share a common symmetric
    key, there are several possibilities:
      • Can be created by system A and transferred to
        system B.
      • Can be created by a third party and transferred
        both to system A and system B.

[Diagram: System A, System B; Master Key; Key generation]
18
Zone Master Key ZMK
  • If the two systems have one common symmetric key,
    this key can be used to encrypt other keys that
    are sent between the systems.
  • This key is often called Zone Master Key, ZMK.
  • Once this common key has been established,
    exchanging further keys is simple.

19
Symmetric Key Management: Zone Master Key
[Diagram: Configuration system → ZMK Component 1, ZMK Component 2, ZMK Component 3 → Host system]
  • Generation of Zone Master Key
  • Zone Master Key sent as components to host by
    security officers
  • Components reassembled at the host to give the
    same key
20
Transfer of Zone Master Key
  • When transferring the Zone Master Key, no single
    person will see the key.
  • Key components are given out only one at a
    time, so that no one person sees all components.
  • When combining the components, each component is
    first encrypted. Only when all components are
    encrypted do the security officers meet and give
    all components.

21
Symmetric Key Management: Key Export
[Diagram: System A (Key, ZMK) → System B (ZMK, Key)]
  • System A and system B share ZMK
  • Symmetric key generated
  • Symmetric key encrypted under ZMK and sent
  • Symmetric key decrypted at system B
22
Key length
  • Apart from selecting a good algorithm, the key
    length to be used must be chosen.
  • When selecting the key length, you need to take
    into account security requirements and hardware
    costs.
  • Longer keys are more secure, but encryption and
    decryption take longer.
  • How sensitive is the data? Do we need to protect
    it for twenty seconds, twenty days or twenty
    years?
  • Who do we want to protect ourselves against? The
    casual eavesdropper, a competing company or a
    foreign government?

23
Symmetric key lengths
  • If the symmetric cipher is good, the only way to
    break the key is to do exhaustive search. For an
    $n$-bit key, this requires $2^n$ iterations.
  • As of today, 64-bit keys take a few years to
    crack for someone with enough resources. 128-bit
    keys are virtually impossible to break, and are
    likely to stay that way for the foreseeable
    future.
  • Since encryption and decryption are fast, there is
    usually no reason to use less than 128 bits.

24
Symmetric key lengths
  • The graph below demonstrates how the time
    necessary to break a key depends on the key
    length.

25
Asymmetric key lengths
  • For asymmetric systems, there are much more
    efficient ways than exhaustive search to retrieve
    the key.
  • For RSA, factoring the modulus gives the private
    key.
  • The longest RSA key that is publicly known to
    have been broken is 512 bits.
  • Two years ago, this required 30 CPU-years.
  • 1024 bit keys probably remain secure for the next
    years.
  • Be very careful with comparisons between strength
    of symmetric and asymmetric keys!

26
Asymmetric keys
  • Asymmetric keys often have a longer life-span
    than symmetric keys.
  • Symmetric keys are used for session encryption,
    which often has to be kept secret only for a
    limited period.
  • Asymmetric keys are used for signatures that may
    have to remain secure for several decades.
  • Analyze the situation and choose the most
    appropriate solution!