Techniques for distributing confidential keys

Various techniques and protocols are available to distribute cryptographic keys whose confidentiality must be preserved (both private keys and symmetric keys). These include the use of key layering (§13.3.1) and symmetric-key certificates (§13.3.2).

Key layering and cryptoperiods

Table 13.2 (page 545) may be used to classify keys based on usage. The class “confidentiality” may be sub-classified on the nature of the information being protected: user data vs. keying material. This suggests a natural key layering as follows:

  • 1. master keys - keys at the highest level in the hierarchy, in that they themselves are not cryptographically protected. They are distributed manually or initially installed and protected by procedural controls and physical or electronic isolation.

Figure 13.4: Key management: symmetric-key vs. public-key encryption.

  • 2. key-encrypting keys - symmetric keys or encryption public keys used for key transport or storage of other keys, e.g., in the key transport protocols of Chapter 12. These may also be called key-transport keys, and may themselves be secured under other keys.
  • 3. data keys - used to provide cryptographic operations on user data (e.g., encryption, authentication). These are generally short-term symmetric keys; however, asymmetric signature private keys may also be considered data keys, and these are usually longer-term keys.

The keys at one layer are used to protect items at a lower level. This constraint is intended to make attacks more difficult, and to limit exposure resulting from compromise of a specific key, as discussed below.

13.8 Note (protection of key-encrypting keys) Compromise of a key-encrypting key (and moreover, a master key as a special case thereof) affects all keys protected thereunder. Consequently, special measures are used to protect master keys, including severely limiting access and use, hardware protection, and providing access to the key only under shared control (§12.7.1).

13.9 Example (key layering with master and terminal keys) Assume each terminal X from a predefined set shares a key-encrypting key (terminal key) K_X with a trusted central node C, and that C stores an encrypted list of all terminal keys under a master key K_M. C may then provide a session key to terminals X and Y as follows. C obtains a random value R (possibly from an external source) and defines the session key to be S = D_{K_M}(R), the decryption of R under K_M. Using K_M, C decrypts the key list to obtain K_X, computes S from R, then encrypts S under K_X and transmits it to X. S is analogously transmitted to Y, and can be recovered by both X and Y.
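Example 13.9 worked through in Python, as an added sketch that is not part of the original text. The cipher E/D is an assumption: a 4-round Feistel construction over HMAC-SHA256, used as a stand-in so the block runs with the standard library alone, and the names CentralNode, enroll, issue_session_key and demo are hypothetical.

```python
import hashlib
import hmac
import secrets

HALF = 16  # bytes per Feistel half; keys and blocks are 32 bytes

def _f(key, rnd, half):
    # Round function: HMAC-SHA256 over (round number || half), truncated.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    """Stand-in block encryption (4-round Feistel); NOT a vetted cipher."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def D(key, block):
    """Inverse of E: undo the rounds in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

class CentralNode:  # trusted node C (hypothetical class name)
    def __init__(self, master_key):
        self._km = master_key   # K_M: top layer, not itself encrypted
        self.key_list = {}      # terminal id -> E_{K_M}(K_X), stored encrypted

    def enroll(self, terminal_id, terminal_key):
        self.key_list[terminal_id] = E(self._km, terminal_key)

    def issue_session_key(self, x, y, r=None):
        r = r if r is not None else secrets.token_bytes(2 * HALF)  # random R
        s = D(self._km, r)                                         # S = D_{K_M}(R)
        # Decrypt each terminal key from the list, then encrypt S under it.
        return r, {t: E(D(self._km, self.key_list[t]), s) for t in (x, y)}

def demo():
    # Constructed sample keys; real master keys are installed manually.
    k_m, k_x, k_y = (secrets.token_bytes(2 * HALF) for _ in range(3))
    c = CentralNode(k_m)
    c.enroll("X", k_x)
    c.enroll("Y", k_y)
    r, wrapped = c.issue_session_key("X", "Y")
    s_x, s_y = D(k_x, wrapped["X"]), D(k_y, wrapped["Y"])
    return s_x == s_y == D(k_m, r) and D(k_x, wrapped["Y"]) != s_y
```

The final comparison in demo() shows the layering constraint at work: K_X recovers S only from the copy encrypted for X, while the stored key list is readable only with K_M.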

Cryptoperiods, long-term keys, and short-term keys

13.10 Definition The cryptoperiod of a key is the time period over which it is valid for use by legitimate parties.

Cryptoperiods may serve to:

  • 1. limit the information (related to a specific key) available for cryptanalysis;
  • 2. limit exposure in the case of compromise of a single key;
  • 3. limit the use of a particular technology to its estimated effective lifetime; and
  • 4. limit the time available for computationally intensive cryptanalytic attacks (in applications where long-term key protection is not required).

In addition to the key layering hierarchy above, keys may be classified based on temporal considerations as follows.

  • 1. long-term keys. These include master keys, often key-encrypting keys, and keys used to facilitate key agreement.
  • 2. short-term keys. These include keys established by key transport or key agreement, and often used as data keys or session keys for a single communications session. See Remark 13.11.

In general, communications applications involve short-term keys, while data storage applications require longer-term keys. Long-term keys typically protect short-term keys. Diffie-Hellman keys are an exception in some cases (see §12.6.1). Cryptoperiods limit the use of keys to fixed periods, after which they must be replaced.

13.11 Remark (short-term use vs. protection) The term short as used in short-term keys refers to the intended time of the key usage by legitimate parties, rather than the protection lifetime (cf. §13.7.1). For example, an encryption key used for only a single session might nonetheless be required to provide protection sufficient to withstand long-term attack (perhaps 20 years), whereas if signatures are verified immediately and never checked again, a signature key may need to provide protection only for a relatively short period of time. The more severe the consequences of a secret key being disclosed, the greater the reward to an adversary for obtaining access to it, and the greater the time or level of effort an adversary will invest to do so. (See also §12.2.2, and §12.2.3 on perfect forward secrecy.)
