Keys

1
Keys Key ManagementChapters 7, 8

• Keys
• Symmetric Length
• Public Key Length
• Key Management
• Generating, Using, Storing Keys
• Backup Keys
• Destroying Keys

2
Symmetric Key Length

• Keys
• Symmetric Length
• Depends on algorithm
• DES 56 bits or 112 bits
• AES 128, 196, or 256
• Key space of possible keys
• DES key space 256
• AES key space 2256

3
Public Key Length

• Keys
• Depend on the product of two very large primes
• Easy to multiply
• Hard to factor
• Cracking Public key crypto depends on factoring
  very large numbers

4
Current Recommendations

• For confidentiality beyond 2030 use 3072 bit keys
  for both RSA and D-H.
• 3072 bit keys for RSA is equivalent to 128 bit
  AES keys
• For more secure asymmetric encryption you have to
  use Elliptic Curve Cryptography
• ECC Keys should be twice the length of the AES
  key length

5
Factoring Methods

• General number sieve
• 2048 bit numbers 31020 mip-years
• Special number field sieve
• 2048 bit numbers 41014 mip-years

6
Generating Keys

• Bad/weak keys
• Some keys are very weak, some are poor choices
• Some are prone to dictionary attacks
• Random symmetric keys
• Must test for know weak keys for an algorithm

7
Generating Keys

• Key generation
• Hash of passwords
• Hash of pass phrases
• Information theory
• English 1.3 bits of info per 8 bit character
• 10 words 49 characters 64 bit key

8
Distributing Keys

• Large networks have large problems
• 6 person networks require 15 key exchanges
• 1000 person network networks require 500,000 key
  exchanges
• A very good random number generator is required

9
Using Keys

• Key storage
• Sits on disk subject to forensic exam, nosey
  co-worker, etc.
• Who uses the key

10
Storing Keys

• Magnetic card stripes
• Smart cards
• RFIDs
• Some key host
• Key escrow server

11
Backup Keys

• What if
• The key owner forgets
• The key owner quits
• The key owner dies
• The computer is stolen/destroyed

12
Destroying Keys

• Keys have a limited lifetime
• Validation that the key is destroyed
• Ket storage medium must be completely destroyed

13
Key Management

• PKI Public Key Infrastructure
• X.509 is the generally accepted standard for PKI
  held by ITU
• IETF X.509 working group pkix
• MIL uses it.

14
Certificate Data Version 1 (0x0) Serial
Number 7829 (0x1e95) Signature Algorithm
md5WithRSAEncryption Issuer CZA, STWestern
Cape, LCape Town, OThawte Consulting cc,
OUCertification Services Division, CNThawte
Server CA/emailAddressserver-certs_at_thawte.com
Validity Not Before Jul 9 160402 1998 GMT Not
After Jul 9 160402 1999 GMT Subject CUS,
STMaryland, LPasadena, OBrent Baccala,
OUFreeSoft, CNwww.freesoft.org/emailAddressbacc
ala_at_freesoft.org Subject Public Key Info Public
Key Algorithm rsaEncryption RSA Public Key
(1024 bit) Modulus (1024 bit) 00b431980ac4b
c62c188aadcb0c8bb 333519d50c64b93d
41b296fcf331e1 6636d08e561244ba75
ebe81c9c5b66 70335214c9ec4f9151703
9de538517 16946eeef4d56fd5cab3475e
1b0c7b c5cc2b6bc190c316310dbf7ac7
4777 8fa021c74cd0166500c10fd7b880e
3 d2756bc1ea9e5c5cea7dc1a110bcb8
e8351c9e27527e418f Exponent 65537
(0x10001) Signature Algorithm md5WithRSAEncryptio
n 935f8f5fc5afbf0aaba56dfb245fb659
5d9d 922e4a1b8bac7d99175dcd19f6ade
f632f92 ab2f4bcf0a1390ee2c0e4303be
f6ea8e9c67 d0a24003f7ef6a150979a9
46edb7161b4172 0d19aaaddd9adfab975
065f55e85a6ef19d1 5ade9dea63cdcbcc
6d5d0185b56dc8f3d9f7
8f0efcba1f34e9966e6ccff2ef9bbfdeb5
22 689f To