SlideShare a Scribd company logo

key distribution in network security

Download as PPT, PDF
babak danyal
babak danyal

Cns 13f-lec07- key distribution

EducationTechnology
1 of 38
Network Security Confidentiality Using Symmetric Encryption Chapter 7
Symmetric Key Cryptography Plain-text input Plain-text output “AxCv;5bmEseTfid3)f GsmWe#4^,sdgfMwir 3:dkJeTsY8Rs@! q3%” “The quick brown fox jumps over the lazy dog” Cipher-text “The quick brown fox jumps over the lazy dog” Encryption Decryption Same key (shared secret)
Confidentiality using Symmetric Encryption • Traditionally symmetric encryption is used to provide message confidentiality • Consider a typical scenario – Workstations on LANs access other workstations & servers on LAN – LANs are interconnected using switches/routers – With external lines or radio/satellite links
Points of Vulnerability
Confidentiality using Symmetric Encryption • Consider attacks and placement in this scenario – – – – snooping from another workstation use dial-in to a LAN or a server to snoop use external router link to enter & snoop monitor and/or modify traffic on external links
Confidentiality using Symmetric Encryption • Have two major placement alternatives – Link Encryption – End-to-End Encryption
Location of Encryption Device Link Encryption • Encryption devices are placed at each end of the link • Encryption occurs independently on every link • All the communication is made secure • A lot of encryption devices are required • Decrypt each packet at every switch • High level of security
Link Encryption Implications • All paths must use link encryption • Each pair of node must share a unique key – Large number of keys should be provided
End-to-End Encryption • Source encrypts and the Receiver decrypts • Payload encrypted • Header in the clear • Only destination and reciever share the key • High Security: Both link and end-to-end encryptions are needed
Encryption Across a Packet Switching Network
Traffic Analysis • When using end-to-end encryption must leave headers in clear – So network can correctly route information • Although content is protected, traffic flow patterns are not • Ideally want both at once – End-to-End protects data contents over entire path and provides authentication – Link protects traffic flows from monitoring
Placement of Encryption • Can place encryption function at various layers in OSI Reference Model – Link encryption occurs at layers 1 or 2 – End-to-End can occur at layers 3, 4, 6, 7 – As move higher, less information is encrypted but it is more secure and more complex with more entities and keys
Encryption coverage implications of store and forward communications
Traffic Analysis • Monitoring of communications flows between parties – Useful both in military & commercial spheres • Link encryption obscures header details – But overall traffic volumes in networks and at endpoints is still visible • Traffic padding can further obscure flows – But at cost of continuous traffic
Traffic Padding Encryption Device
Required Key Protection CONFIDENTIALITY INTEGRITY AUTHENTICATION AVAILABILITY
Key Storage • In Files – Using access control of operating system • In Crypto Tokens – Smart card, USB crypto token – Supports complete key life-cycle on token • Generation – storage – use – destruction – provide means to ensure that there is no way to get a key out • Key Backup (also known as key escrow)
Number of keys required to support Arbitrary connections
Use of a Key Hierarchy
Key Renewal • Keys should be renewed • More available cipher texts may facilitate certain attacks • How often depends on the crypto algorithm – Can depend on the amount of encrypted data – May depend on time (exhaustive key search requires time) • Regular key renewal can reduce damage in case of (unnoticed) key compromise • Protocols like SSL/TLS include features for (secret) key renewal
Key Life-Cycle Unrecoverabl e deletion Requires a secure random source! Key Generation Key Storage and Usage Key Destruction Time Keys must be protected
Key Distribution • Means of Exchanging Keys between two parties • Keys are used for conventional encryption • Frequent key exchanges are desirable – Limiting the amount of data compromised • Strength of cryptographic system rests with Key Distribution Mechanism
Key Distribution • Symmetric schemes require both parties to share a common secret key • Issue is how to securely distribute this key • Often a secure system failure due to a break in the key distribution scheme
Key Distribution • Two parties A and B can have various key distribution alternatives: 1. A can select key and physically deliver to B 2. third party can select & deliver key to A & B 3. if A & B have communicated previously can use previous key to encrypt a new key 4. if A & B have secure communications with a third party C, C can relay key between A & B
Key Distribution Scenario
Key Distribution Scenario 1. A issues a request to the KDC for a session key – – Nonce is also sent Nonce includes identities of communicating parties and a unique value 1. KDC sends a response encrypted with A’s secret key KA – – – It includes one time session key KS Original request message, including the nonce Message also includes KS and ID of A encrypted with KB intended for B
Key Distribution Scenario 3. A stores KS and forwards information for B i.e., EKB[KS||IDA] 4. B sends a nonce to A encrypted with KS 5. A responds by performing some function on nonce like incrementing The last two steps assure B that the message it received was not a replay
Key Distribution Entities • Key Distribution Center – Provides one time session key to valid users for encryption • Front end Processor – Carries out the end to end encryption – Obtains session key from the KDC on behalf of its host
Key distribution for symmetric keys • Key distribution for symmetric keys by a central server (KDC): - fixed number of distributions (for given n) - However, need security protocol
Key Distribution Issues Hierarchical Key Control • Not suitable that a single KDC is used for all the users • Hierarchies of KDC’s required for large networks • A single KDC may be responsible for a small number of users since it shares the master keys of all the entities attached to it • If two entities in different domains want to communicate, local KDCs communicate through a global KDC • Must trust each other
Session Key Lifetimes • Session key lifetimes should be limited for greater security • More frequently the session keys are exchanged, more secure they become • For connection oriented protocols, it should be valid for the duration of connection • For connectionless protocols key should be valid for a certain duration
Transparent Key Control • Use of automatic key distribution on behalf of users, but must trust system 1. Host sends packet requesting connection 2. Front End buffers packet; asks KDC for session key 3. KDC distributes session key to both front ends 4. Buffered packet transmitted
Automatic Key Distribution for Connection-Oriented Protocol KDC FEP HOST F E P F E P HOST
Decentralized Key Control • • • • KDCs need to be trusted and protected This can be avoided by the use of decentralized key distribution Decentralized approach requires that each node be able to communicate in a secure manner Session key may be established in following way 1. A issues a request to B for a session key and includes a nonce, N1. 2. B responds with a message that is encrypted using the shared secret key • Response includes session key, ID of B, the value f(N1) and nonce N2 1. Using the new session key, A returns f(N2) to B
Decentralized Key Distribution
Controlling Key Usage • Different types of session keys e.g., – Data encrypting key: for general communication across network – PIN-encrypting key: for PIN used in electronic funds – File encrypting key: for encrypting files stored on a publicly accessible location • Avoid using master key instead of session key since some unauthorized application may obtain the master key and exploit it
Key Distribution • Session key – Data encrypted with a one-time session key. At the conclusion of the session the key is destroyed • Permanent key – Used between entities for the purpose of distributing session keys
Summary • Have considered: – use of symmetric encryption to protect confidentiality – need for good key distribution – use of trusted third party KDC’s

Recommended

Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
Pawan Arya
 
IP Security
IP SecurityIP Security
IP Security
Keshab Nath
 
S/MIME
S/MIMES/MIME
S/MIME
maria azam
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distribution
Riya Choudhary
 
Substitution techniques
Substitution techniquesSubstitution techniques
Substitution techniques
vinitha96
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key Cryptosystem
Devakumar Kp
 
SHA- Secure hashing algorithm
SHA- Secure hashing algorithmSHA- Secure hashing algorithm
SHA- Secure hashing algorithm
Ruchi Maurya
 
Agreement Protocols, distributed File Systems, Distributed Shared Memory
Agreement Protocols, distributed File Systems, Distributed Shared MemoryAgreement Protocols, distributed File Systems, Distributed Shared Memory
Agreement Protocols, distributed File Systems, Distributed Shared Memory
SHIKHA GAUTAM
 

Recommended

Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
Pawan Arya
 
IP Security
IP SecurityIP Security
IP Security
Keshab Nath
 
S/MIME
S/MIMES/MIME
S/MIME
maria azam
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distribution
Riya Choudhary
 
Substitution techniques
Substitution techniquesSubstitution techniques
Substitution techniques
vinitha96
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key Cryptosystem
Devakumar Kp
 
SHA- Secure hashing algorithm
SHA- Secure hashing algorithmSHA- Secure hashing algorithm
SHA- Secure hashing algorithm
Ruchi Maurya
 
Agreement Protocols, distributed File Systems, Distributed Shared Memory
Agreement Protocols, distributed File Systems, Distributed Shared MemoryAgreement Protocols, distributed File Systems, Distributed Shared Memory
Agreement Protocols, distributed File Systems, Distributed Shared Memory
SHIKHA GAUTAM
 
Classical encryption techniques
Classical encryption techniquesClassical encryption techniques
Classical encryption techniques
Dr.Florence Dayana
 
Security services and mechanisms
Security services and mechanismsSecurity services and mechanisms
Security services and mechanisms
Rajapriya82
 
Network security & cryptography full notes
Network security & cryptography full notesNetwork security & cryptography full notes
Network security & cryptography full notes
gangadhar9989166446
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
Digital signature(Cryptography)
Digital signature(Cryptography)Digital signature(Cryptography)
Digital signature(Cryptography)
Soham Kansodaria
 
Web Security
Web SecurityWeb Security
Web Security
Dr.Florence Dayana
 
Block Cipher and its Design Principles
Block Cipher and its Design PrinciplesBlock Cipher and its Design Principles
Block Cipher and its Design Principles
SHUBHA CHATURVEDI
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
patisa
 
CMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureCMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signature
Adarsh Patel
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security Architecture
BharathiKrishna6
 
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
JAINAM KAPADIYA
 
Secure Hash Algorithm (SHA-512)
Secure Hash Algorithm (SHA-512)Secure Hash Algorithm (SHA-512)
Secure Hash Algorithm (SHA-512)
DUET
 
Cryptography ppt
Cryptography pptCryptography ppt
Cryptography ppt
OECLIB Odisha Electronics Control Library
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
Shashank Shetty
 
Kerberos
KerberosKerberos
Kerberos
Sutanu Paul
 
block ciphers
block ciphersblock ciphers
block ciphers
Asad Ali
 
Network security cryptographic hash function
Network security cryptographic hash functionNetwork security cryptographic hash function
Network security cryptographic hash function
Mijanur Rahman Milon
 
Hash Function
Hash FunctionHash Function
Hash Function
Siddharth Srivastava
 
Key management
Key managementKey management
Key management
Sujata Regoti
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation
harshit chavda
 
ch07.ppt
ch07.pptch07.ppt
ch07.ppt
ssuser4198c4
 
Slidecast - Workshop
Slidecast - WorkshopSlidecast - Workshop
Slidecast - Workshop
Samant Khajuria
 

More Related Content

What's hot

Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
patisa
 

What's hot (20)

Classical encryption techniques
Classical encryption techniquesClassical encryption techniques
Classical encryption techniques
 
Security services and mechanisms
Security services and mechanismsSecurity services and mechanisms
Security services and mechanisms
 
Network security & cryptography full notes
Network security & cryptography full notesNetwork security & cryptography full notes
Network security & cryptography full notes
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
Digital signature(Cryptography)
Digital signature(Cryptography)Digital signature(Cryptography)
Digital signature(Cryptography)
 
Web Security
Web SecurityWeb Security
Web Security
 
Block Cipher and its Design Principles
Block Cipher and its Design PrinciplesBlock Cipher and its Design Principles
Block Cipher and its Design Principles
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 
CMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureCMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signature
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security Architecture
 
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
 
Secure Hash Algorithm (SHA-512)
Secure Hash Algorithm (SHA-512)Secure Hash Algorithm (SHA-512)
Secure Hash Algorithm (SHA-512)
 
Cryptography ppt
Cryptography pptCryptography ppt
Cryptography ppt
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Kerberos
KerberosKerberos
Kerberos
 
block ciphers
block ciphersblock ciphers
block ciphers
 
Network security cryptographic hash function
Network security cryptographic hash functionNetwork security cryptographic hash function
Network security cryptographic hash function
 
Hash Function
Hash FunctionHash Function
Hash Function
 
Key management
Key managementKey management
Key management
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation
 

Similar to key distribution in network security

BAIT1103 Chapter 3
BAIT1103 Chapter 3BAIT1103 Chapter 3
BAIT1103 Chapter 3
limsh
 

Similar to key distribution in network security (20)

ch07.ppt
ch07.pptch07.ppt
ch07.ppt
 
Slidecast - Workshop
Slidecast - WorkshopSlidecast - Workshop
Slidecast - Workshop
 
Confidentiality using symmetric encryption.pptx
Confidentiality using symmetric encryption.pptxConfidentiality using symmetric encryption.pptx
Confidentiality using symmetric encryption.pptx
 
ch13 ABCD.ppt
ch13 ABCD.pptch13 ABCD.ppt
ch13 ABCD.ppt
 
BAIT1103 Chapter 3
BAIT1103 Chapter 3BAIT1103 Chapter 3
BAIT1103 Chapter 3
 
Is unit-4-part-1
Is unit-4-part-1Is unit-4-part-1
Is unit-4-part-1
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
 
Cryptography and Network Security
Cryptography and Network SecurityCryptography and Network Security
Cryptography and Network Security
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
 
Unit08
Unit08Unit08
Unit08
 
Improved authentication & key agreement protocol using elliptic curve cryptog...
Improved authentication & key agreement protocol using elliptic curve cryptog...Improved authentication & key agreement protocol using elliptic curve cryptog...
Improved authentication & key agreement protocol using elliptic curve cryptog...
 
UNIT 4 CRYPTOGRAPHIC SYSTEMS.pptx
UNIT 4 CRYPTOGRAPHIC SYSTEMS.pptxUNIT 4 CRYPTOGRAPHIC SYSTEMS.pptx
UNIT 4 CRYPTOGRAPHIC SYSTEMS.pptx
 
Cryptography and Network Security
Cryptography and Network SecurityCryptography and Network Security
Cryptography and Network Security
 
UNIT-IV.pptx
UNIT-IV.pptxUNIT-IV.pptx
UNIT-IV.pptx
 
Encryption techniques
Encryption techniquesEncryption techniques
Encryption techniques
 
Slide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor Program
 
Security Threats at OSI layers
Security Threats at OSI layersSecurity Threats at OSI layers
Security Threats at OSI layers
 
Lec 10 - Key Management.ppt
Lec 10 - Key Management.pptLec 10 - Key Management.ppt
Lec 10 - Key Management.ppt
 
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
 
ch13.ppt
ch13.pptch13.ppt
ch13.ppt
 

More from babak danyal

Lecture1 Intro To Signa
Lecture1 Intro To SignaLecture1 Intro To Signa
Lecture1 Intro To Signa
babak danyal
 
Problems at independence
Problems at independenceProblems at independence
Problems at independence
babak danyal
 

More from babak danyal (20)

applist
applistapplist
applist
 
Easy Steps to implement UDP Server and Client Sockets
Easy Steps to implement UDP Server and Client SocketsEasy Steps to implement UDP Server and Client Sockets
Easy Steps to implement UDP Server and Client Sockets
 
Java IO Package and Streams
Java IO Package and StreamsJava IO Package and Streams
Java IO Package and Streams
 
Swing and Graphical User Interface in Java
Swing and Graphical User Interface in JavaSwing and Graphical User Interface in Java
Swing and Graphical User Interface in Java
 
Tcp sockets
Tcp socketsTcp sockets
Tcp sockets
 
block ciphers and the des
block ciphers and the desblock ciphers and the des
block ciphers and the des
 
Lecture10 Signal and Systems
Lecture10 Signal and SystemsLecture10 Signal and Systems
Lecture10 Signal and Systems
 
Lecture8 Signal and Systems
Lecture8 Signal and SystemsLecture8 Signal and Systems
Lecture8 Signal and Systems
 
Lecture7 Signal and Systems
Lecture7 Signal and SystemsLecture7 Signal and Systems
Lecture7 Signal and Systems
 
Lecture6 Signal and Systems
Lecture6 Signal and SystemsLecture6 Signal and Systems
Lecture6 Signal and Systems
 
Lecture5 Signal and Systems
Lecture5 Signal and SystemsLecture5 Signal and Systems
Lecture5 Signal and Systems
 
Lecture4 Signal and Systems
Lecture4 Signal and SystemsLecture4 Signal and Systems
Lecture4 Signal and Systems
 
Lecture3 Signal and Systems
Lecture3 Signal and SystemsLecture3 Signal and Systems
Lecture3 Signal and Systems
 
Lecture2 Signal and Systems
Lecture2 Signal and SystemsLecture2 Signal and Systems
Lecture2 Signal and Systems
 
Lecture1 Intro To Signa
Lecture1 Intro To SignaLecture1 Intro To Signa
Lecture1 Intro To Signa
 
Lecture9 Signal and Systems
Lecture9 Signal and SystemsLecture9 Signal and Systems
Lecture9 Signal and Systems
 
Lecture9
Lecture9Lecture9
Lecture9
 
Cns 13f-lec03- Classical Encryption Techniques
Cns 13f-lec03- Classical Encryption TechniquesCns 13f-lec03- Classical Encryption Techniques
Cns 13f-lec03- Classical Encryption Techniques
 
Classical Encryption Techniques in Network Security
Classical Encryption Techniques in Network SecurityClassical Encryption Techniques in Network Security
Classical Encryption Techniques in Network Security
 
Problems at independence
Problems at independenceProblems at independence
Problems at independence
 

Recently uploaded

Recently uploaded (20)

FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
latest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answerslatest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answers
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 

key distribution in network security

  • 1. Network Security Confidentiality Using Symmetric Encryption Chapter 7
  • 2. Symmetric Key Cryptography Plain-text input Plain-text output “AxCv;5bmEseTfid3)f GsmWe#4^,sdgfMwir 3:dkJeTsY8Rs@! q3%” “The quick brown fox jumps over the lazy dog” Cipher-text “The quick brown fox jumps over the lazy dog” Encryption Decryption Same key (shared secret)
  • 3. Confidentiality using Symmetric Encryption • Traditionally symmetric encryption is used to provide message confidentiality • Consider a typical scenario – Workstations on LANs access other workstations & servers on LAN – LANs are interconnected using switches/routers – With external lines or radio/satellite links
  • 5. Confidentiality using Symmetric Encryption • Consider attacks and placement in this scenario – – – – snooping from another workstation use dial-in to a LAN or a server to snoop use external router link to enter & snoop monitor and/or modify traffic on external links
  • 6. Confidentiality using Symmetric Encryption • Have two major placement alternatives – Link Encryption – End-to-End Encryption
  • 7. Location of Encryption Device Link Encryption • Encryption devices are placed at each end of the link • Encryption occurs independently on every link • All the communication is made secure • A lot of encryption devices are required • Decrypt each packet at every switch • High level of security
  • 8. Link Encryption Implications • All paths must use link encryption • Each pair of node must share a unique key – Large number of keys should be provided
  • 9. End-to-End Encryption • Source encrypts and the Receiver decrypts • Payload encrypted • Header in the clear • Only destination and reciever share the key • High Security: Both link and end-to-end encryptions are needed
  • 10. Encryption Across a Packet Switching Network
  • 11. Traffic Analysis • When using end-to-end encryption must leave headers in clear – So network can correctly route information • Although content is protected, traffic flow patterns are not • Ideally want both at once – End-to-End protects data contents over entire path and provides authentication – Link protects traffic flows from monitoring
  • 12. Placement of Encryption • Can place encryption function at various layers in OSI Reference Model – Link encryption occurs at layers 1 or 2 – End-to-End can occur at layers 3, 4, 6, 7 – As move higher, less information is encrypted but it is more secure and more complex with more entities and keys
  • 13. Encryption coverage implications of store and forward communications
  • 14. Traffic Analysis • Monitoring of communications flows between parties – Useful both in military & commercial spheres • Link encryption obscures header details – But overall traffic volumes in networks and at endpoints is still visible • Traffic padding can further obscure flows – But at cost of continuous traffic
  • 17. Key Storage • In Files – Using access control of operating system • In Crypto Tokens – Smart card, USB crypto token – Supports complete key life-cycle on token • Generation – storage – use – destruction – provide means to ensure that there is no way to get a key out • Key Backup (also known as key escrow)
  • 18. Number of keys required to support Arbitrary connections
  • 19. Use of a Key Hierarchy
  • 20. Key Renewal • Keys should be renewed • More available cipher texts may facilitate certain attacks • How often depends on the crypto algorithm – Can depend on the amount of encrypted data – May depend on time (exhaustive key search requires time) • Regular key renewal can reduce damage in case of (unnoticed) key compromise • Protocols like SSL/TLS include features for (secret) key renewal
  • 21. Key Life-Cycle Unrecoverabl e deletion Requires a secure random source! Key Generation Key Storage and Usage Key Destruction Time Keys must be protected
  • 22. Key Distribution • Means of Exchanging Keys between two parties • Keys are used for conventional encryption • Frequent key exchanges are desirable – Limiting the amount of data compromised • Strength of cryptographic system rests with Key Distribution Mechanism
  • 23. Key Distribution • Symmetric schemes require both parties to share a common secret key • Issue is how to securely distribute this key • Often a secure system failure due to a break in the key distribution scheme
  • 24. Key Distribution • Two parties A and B can have various key distribution alternatives: 1. A can select key and physically deliver to B 2. third party can select & deliver key to A & B 3. if A & B have communicated previously can use previous key to encrypt a new key 4. if A & B have secure communications with a third party C, C can relay key between A & B
  • 26. Key Distribution Scenario 1. A issues a request to the KDC for a session key – – Nonce is also sent Nonce includes identities of communicating parties and a unique value 1. KDC sends a response encrypted with A’s secret key KA – – – It includes one time session key KS Original request message, including the nonce Message also includes KS and ID of A encrypted with KB intended for B
  • 27. Key Distribution Scenario 3. A stores KS and forwards information for B i.e., EKB[KS||IDA] 4. B sends a nonce to A encrypted with KS 5. A responds by performing some function on nonce like incrementing The last two steps assure B that the message it received was not a replay
  • 28. Key Distribution Entities • Key Distribution Center – Provides one time session key to valid users for encryption • Front end Processor – Carries out the end to end encryption – Obtains session key from the KDC on behalf of its host
  • 29. Key distribution for symmetric keys • Key distribution for symmetric keys by a central server (KDC): - fixed number of distributions (for given n) - However, need security protocol
  • 30. Key Distribution Issues Hierarchical Key Control • Not suitable that a single KDC is used for all the users • Hierarchies of KDC’s required for large networks • A single KDC may be responsible for a small number of users since it shares the master keys of all the entities attached to it • If two entities in different domains want to communicate, local KDCs communicate through a global KDC • Must trust each other
  • 31. Session Key Lifetimes • Session key lifetimes should be limited for greater security • More frequently the session keys are exchanged, more secure they become • For connection oriented protocols, it should be valid for the duration of connection • For connectionless protocols key should be valid for a certain duration
  • 32. Transparent Key Control • Use of automatic key distribution on behalf of users, but must trust system 1. Host sends packet requesting connection 2. Front End buffers packet; asks KDC for session key 3. KDC distributes session key to both front ends 4. Buffered packet transmitted
  • 33. Automatic Key Distribution for Connection-Oriented Protocol KDC FEP HOST F E P F E P HOST
  • 34. Decentralized Key Control • • • • KDCs need to be trusted and protected This can be avoided by the use of decentralized key distribution Decentralized approach requires that each node be able to communicate in a secure manner Session key may be established in following way 1. A issues a request to B for a session key and includes a nonce, N1. 2. B responds with a message that is encrypted using the shared secret key • Response includes session key, ID of B, the value f(N1) and nonce N2 1. Using the new session key, A returns f(N2) to B
  • 36. Controlling Key Usage • Different types of session keys e.g., – Data encrypting key: for general communication across network – PIN-encrypting key: for PIN used in electronic funds – File encrypting key: for encrypting files stored on a publicly accessible location • Avoid using master key instead of session key since some unauthorized application may obtain the master key and exploit it
  • 37. Key Distribution • Session key – Data encrypted with a one-time session key. At the conclusion of the session the key is destroyed • Permanent key – Used between entities for the purpose of distributing session keys
  • 38. Summary • Have considered: – use of symmetric encryption to protect confidentiality – need for good key distribution – use of trusted third party KDC’s

Editor's Notes

  1. Have many locations where attacks can occur in typical scenarios.
  2. This is one of the most critical areas in security systems - on many occasions systems have been broken, not because of a poor encryption algorithm, but because of poor key selection or management. It is absolutely critical to get this right!
  3. Physical delivery (1 & 2) is simplest - but only applicable when there is personal contact between recipient and key issuer. Is fine for link encryption where devices & keys occur in pairs, but does not scale as number of parties who wish to communicate grows. A third party is a trusted intermediary, whom all parties trust, to mediate the establishment of secure communications between them. Must trust intermediary not to abuse the knowledge of all session keys. As number of parties grow, some variant of 4 is only practical solution.
  4. Stallings Fig 7.9. Based on concept of having a “Key Distribution Center” (KDC) which shares a unique key with each party (user). See text for details of steps in distribution process.