
[1] Kerberos information (including papers and documentation) may be found at the following site: http://web.mit.edu/kerberos/www/
[2] Kohl, J. and B.C. Neuman (1993). “The Kerberos network authentication service (V5).” Internet Request for Comments 1510.
[3] Kohl, J., B.C. Neuman, and T.Y. Ts’o (1994). “The evolution of the kerberos authentication system.” Distributed Open Systems. IEEE Computer Society Press, Los Alamitos, CA, 78–94.
[4] Neuman, B.C. and T. Ts’o (1994). “Kerberos: An authentication service for computer networks.” IEEE Communications, 32 (9), 33–38.

KEY

A key is an element from an alphabet (the key alphabet) that selects, resp. defines a particular

errors—a general weakness of all autokeying methods.

Arvid Damm (1919) proposed an autokeying variant of encryption (“influence letter”) that was used in the German WW II teletype cipher machines SZ 40 and T 52. Claude Shannon gave (1949) the warning that autokeying Vigenère encryption with a priming key of length d is equivalent to Vigenère encryption of d-grams with period 2 · d, i.e. by successively adding and subtracting ; thus it offers little security.

Chaitin defines a random sequence as an infinite sequence such that no finite subsequence has a shorter algorithmic characterization than the listing of the subsequence—no subsequence can be condensed into a shorter algorithmic description. A keytext, i.e., a sequence of key elements, with this property is called holocryptic. No sequence
generated by a deterministic, finite-state machine, i.e. by a deterministic algorithm, even if it does not terminate, has this property.

An individual key is a keytext (German ‘i-Wurm’) that is not copied from any source whatsoever. A one-time key is a keytext that is used just one time. Any written version of it (one-time pad, OTP) should be destroyed after use.

Fig. 1. One-time pad of Russian origin

A random key is a random sequence used as a key sequence. To be cryptographically useful, it should by necessity be an individual key and a one-time key. Randomness should be achieved during the generation of the key sequence. Tests for randomness can only disprove it, but cannot prove it. Chaitin’s definition has only theoretical value—it is mainly used as an instrument to show that a particular key sequence is nonrandom.

In an endomorphic cryptosystem, the encryption steps (governed by the key characters) may form a group under composition: the key group. Such a cryptosystem is a pure cryptosystem. Examples are the Vigenère encryption and the Beaufort encryption, where the key group is a cyclic group, and the Vernam encryption by addition mod. 2, where the key group is $(C_2)^n$, the n-fold direct group of the cyclic group of order 2. A trivial example is encryption by a monoalphabetic selfreciprocal permutation π, where the key group is $C_2$, the cyclic group of order 2 consisting of π and the identity. Encryption with a key group, although it offers technical convenience, should be avoided since it opens particular ways of cryptanalytic attack.

We conclude this entry with some words on various roles that keys can play and how they are communicated in cryptosystems. (This is called key negotiation.)

In a classical setting, if a communication from participant A to participant B should be protected by encryption, A has to tell B what key to use for decryption, or B has to tell A what key to use for encryption. In command structures, there is also the possibility that the command tells both participants which keys to use. To this end, they make use of key directives: directories containing all relevant keys. Of course, transmission of all the information concerning the key should be done after encryption with a different cryptosystem. Violating this maxim for their Enigma traffic was a serious cryptographic blunder of the German Wehrmacht staff. (We note that modern cryptographic protocols (e.g., the Diffie–Hellman key agreement scheme) may generate the same key for A and B without encrypted communication.)

A session key or message-encrypting key is a keytext used during one communication session. In the Enigma traffic a session key was called ‘Spruchschlüssel’ (text setting). A base key is a key used for encrypting keys (‘key-encrypting key’). In the Enigma traffic, they were called ‘Grundstellung’ (basic wheel setting) and formed part of the ‘Tagesschlüssel’ (daily key).

A symmetric or conventional or classical cryptosystem is a communication line with two partners who are at different times both sender and receiver and use the same cryptosystem, each one having a private key for encryption and one for decryption—altogether four keys. If in an endomorphic cryptosystem selfreciprocal permutations (see substitutions and permutations) are used as key elements, keys for encryption and for decryption coincide.

A private key cryptosystem is a cryptosystem where sender and recipient share encryption and
decryption keys (to be kept secret). In a secret key cryptosystem sender and recipient share one common key (to be kept secret).

Key symmetric cryptosystem: If two operations defined by keys A, B commute and are mutually reciprocals: A · B = B · A = identity, A may be used by partner A for encryption and by partner B for decryption, while B may be used by partner A for decryption and by partner B for encryption—altogether only two keys. If in an endomorphic cryptosystem selfreciprocal permutations are used as key elements, only one key is needed.

In many cryptosystems, actually in all classical ones, knowledge of the encryption key allows for an easy determination of the decryption key. This, however, is not necessarily so: As James H. Ellis pointed out in 1970, there may exist encryption methods where the knowledge of an encryption key does not suffice to derive the decryption key efficiently—in 1973 Clifford Cocks found in the multiplication of sufficiently large prime numbers the wanted, practically non-invertible operation. This led to the idea of public key cryptography, which is also called asymmetric cryptography. It was published in this form for the first time in 1976 by Whitfield Diffie and Martin E. Hellman. In this system, a key A is publicly announced by participant A with the proviso that he possesses a key B such that he can decrypt with B any message sent to him by anybody as long as it is encrypted with A. This allows a star-like communication system. The advantage that no key negotiation is necessary and the key directory is open to the public is burdened by the fact that secrecy is only guaranteed to the extent that reconstruction of the (secret) decryption key (private key) from the public key needs exponential time and therefore is intractable.

Friedrich L. Bauer

Reference

[1] Bauer, F.L. (1997). “Decrypted secrets.” Methods and Maxims of Cryptology. Springer-Verlag, Berlin.

KEY AGREEMENT

Key agreement refers to one form of key exchange (see also key encryption key) in which two or more users execute a protocol to securely share a resultant key value. As an alternative to key agreement, a key transport protocol may be used. The distinguishing feature of a key agreement protocol is that participating users each contribute an equal portion toward the computation of the resultant shared key value (as opposed to one user computing and distributing a key value to other users).

The original, and still most famous, protocol for key agreement was proposed by Diffie and Hellman (see Diffie–Hellman key agreement) along with their concept for public-key cryptography. Basically, users Alice and Bob send public-key values to one another over an insecure channel. Based on the knowledge of their corresponding private keys, they are able to correctly and securely compute a shared key value. An eavesdropper, however, is unable to similarly compute this key using only knowledge of the public key values.

There are numerous variations to the basic Diffie–Hellman key agreement protocol. One classification is based upon the longevity of the public keys shared between Alice and Bob. For example, the public keys may be long-term, or static, in which case each public key would likely be contained in a public-key certificate. Alternatively, the public keys may be short-term, or ephemeral, in which case the public keys would be for one-time use during the protocol session. Hybrid protocols combine both uses; for example, Alice may use an ephemeral public key while Bob might use a static public key.

The protocol instantiation in which both Alice and Bob use ephemeral public keys is vulnerable to a man-in-the-middle attack (see man-in-the-middle attack), unless additional precautions are taken. Use of static public keys helps to ensure that exchanged values are properly authenticated. In addition, the exchanged values may be further protected against attack. The station-to-station protocol is such a protocol in which exchanged values are encrypted and signed.

Although the original Diffie–Hellman key agreement protocol is presented as a communication between two users, the protocol has been extended to allow more than two users to agree upon a key. Several variations for such a protocol have been described in the literature, and vary based upon the number of protocol rounds, the amount of information exchanged, the number of broadcast messages, and other parameters.

Mike Just

References

[1] Menezes, A., P. van Oorschot, and S. Vanstone (1997). Handbook of Applied Cryptography. CRC Press, Boca Raton, FL.
[2] Stinson, D.R. (1995). Cryptography: Theory and Practice. CRC Press, Boca Raton, FL.
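
The static-key and ephemeral-key cases of the key agreement entry above, together with the static Diffie–Hellman key and the MAC-based key confirmation described in the key authentication entry that follows, worked through as an added example that is not part of the encyclopedia text. The modulus 2^255 - 19, the base 2 and all function names are assumptions chosen for a toy demonstration; this is not a vetted Diffie–Hellman group.

```python
import hashlib
import hmac
import secrets

# Assumed toy parameters for illustration only, not a vetted DH group.
P = 2**255 - 19
ALPHA = 2

def keypair():
    """Return (private exponent x, public value ALPHA^x mod P)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(ALPHA, x, P)

def agree(own_private, peer_public):
    """Each side contributes an exponent: k = H(ALPHA^(ab) mod P)."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def confirmation_tag(key, sender, receiver):
    """Key confirmation: MAC under a key derived from the negotiated key."""
    mac_key = hmac.new(key, b"key-confirmation", hashlib.sha256).digest()
    return hmac.new(mac_key, sender + b"->" + receiver, hashlib.sha256).digest()

def verify_confirmation(key, sender, receiver, tag):
    expected = confirmation_tag(key, sender, receiver)
    return hmac.compare_digest(expected, tag)

def run_demo():
    a, pub_a = keypair()  # Alice's static pair; pub_a is certified
    b, pub_b = keypair()  # Bob's static pair; pub_b is certified
    c, pub_c = keypair()  # a third party, holding neither a nor b

    # Static keys: each side takes the peer's value from a certificate
    # (assumed already validated), so only the named peer can compute k.
    k_alice = agree(a, pub_b)
    k_bob = agree(b, pub_a)

    # Bob's tag shows he actually holds k: implicit key authentication
    # plus key confirmation gives explicit key authentication.
    tag = confirmation_tag(k_bob, b"B", b"A")
    explicit = verify_confirmation(k_alice, b"B", b"A", tag)

    # The third party derives a different key, so its tag is rejected.
    foreign_tag = confirmation_tag(agree(c, pub_a), b"B", b"A")
    accepted = verify_confirmation(k_alice, b"B", b"A", foreign_tag)

    # Unauthenticated ephemeral values: if Alice uses whatever public value
    # arrives (pub_c here), the party that supplied it shares her key.
    exposed = agree(a, pub_c) == agree(c, pub_a)

    return {
        "keys_match": k_alice == k_bob,
        "explicit_key_auth": explicit,
        "third_party_tag_accepted": accepted,
        "unauthenticated_key_exposed": exposed,
    }

if __name__ == "__main__":
    print(run_demo())
```

The last result is why key confirmation alone is not enough: a tag proves that some party holds the key, and only the certified static value ties that party to an identity.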


KEY AUTHENTICATION

Key authentication is the property obtained when performing a key establishment protocol (see also key agreement and key management) and one entity has the assurance that only a particularly identified other party may possibly know the negotiated key. This property may be unilateral if only one party participating in the protocol has the assurance, or it may be mutual if both parties have the assurance. Key authentication is sometimes referred to as “implicit key authentication” to distinguish it from “explicit key authentication”, which is discussed below.

(Implicit) Key authentication can be obtained within a key establishment protocol in a number of ways. One possible method of obtaining this property is to encrypt the key to be established, k, for the other party using his (symmetric or asymmetric) key. In this case, since the only other party that could possibly decrypt the encrypted key is the intended recipient, the appropriate assurance is obtained. Many of the variants of the Diffie–Hellman protocol (see Diffie–Hellman key exchange protocol) also provide key authentication. For example, consider the case where both parties A and B have static authenticated (i.e., certified) Diffie–Hellman public keys $\alpha^a$ and $\alpha^b$, respectively. If the agreed-upon key is simply $k = \alpha^{ab}$, then both parties have assurance that only the other party could possibly compute this key.

A property of key establishment protocols that is similar to key authentication is the property known as “key confirmation”. Key confirmation is the property obtained when one party has the assurance that some other party actually has possession of the negotiated key. Notice that this property is distinct from key authentication in that the assurance is obtained relative to “some other party” instead of “a particularly identified other party”. Thus, with key confirmation the other party need not be identified or even known at all. Also note that key confirmation provides assurance that the key is actually known by the other party whereas key authentication only provides assurance that the other party could possibly know the key. As with key authentication, key confirmation may be mutual or unilateral.

Typically key confirmation is obtained in one of three ways. First, a (one-way) hash of the negotiated key could be sent from one party to the other. Second, the key (or a key derived from the negotiated key) could be used in a MAC (see message authentication code) to authenticate a message. Finally, the key (or a key derived from the negotiated key) could be used to encrypt an agreed upon message. Any of these mechanisms will prove to the legitimate recipient that someone has possession of the key and used it to create the received values.

In many environments both (implicit) key authentication and key confirmation are required properties. In such circumstances, when both properties are obtained, it is said that “explicit key authentication” has been achieved. Explicit key authentication is the property obtained when one party has assurance that only a particularly identified other party actually has knowledge or possession of the negotiated key. Again, this property may be either mutual or unilateral.

A popular, typical example of a key establishment protocol that provides mutual explicit key authentication is the station-to-station protocol/STS protocol. In fact most of the protocols in use today that provide explicit key authentication are based upon the STS protocol. Examples include the SSL protocol (see secure socket layer) and the protocols used in IPSEC.

Entity authentication is the assurance that the identified party is actually alive and participating in the protocol at that time. Quite often protocols that provide explicit key authentication will also provide entity authentication since the identified party must prove knowledge of the negotiated key. However, it is not always the case that any key negotiation protocol that includes entity authentication will also provide explicit (or implicit) key authentication. Care must be taken to ensure that the entity whose identity has been authenticated is the same entity as the one establishing the key. Otherwise, subtle attacks may allow one entity to have its identity authenticated and another entity to establish the key.

Robert Zuccherato

KEY ENCRYPTION KEY

Most cryptographic systems require some supporting Key Management, e.g., to enable key exchange or key transport. In order to ensure that keys are not used for different purposes, as otherwise lack of duality indirectly might thwart the system, one introduces key labels and key usage as well as key layers. Whereas data keys (used to encrypt data) at the bottom layer are exchanged frequently as so-called session keys, key encryption keys are used to exchange session keys or other key exchange keys belonging to layers just below,
and are typically rarely or even never exchanged, and if so, then either by key custodians or public key techniques.

Peter Landrock

KEY ESCROW

Key Escrow: “Something (e.g., a document, an encryption key) is delivered to a third person to be given to the grantee only upon the fulfillment of a condition.”
Escrowed Encryption Standard (EES), FIPS 185 [1]

On April 16, 1993, the U.S. Government announced a new encryption initiative aimed at providing a high level of communications security and privacy without jeopardizing effective law enforcement, public safety, and national security. This initiative involved the development of tamper resistant cryptographic chips (Clipper and Capstone) that implemented an encryption/decryption algorithm (SKIPJACK) for the protection of sensitive information transmitted between two parties. What was special about these chips was that each one contained a device unique key that would give a third party, in possession of the key, the capability to decrypt all data encrypted using the chip. The purpose of this feature was to provide a means by which properly authorized law enforcement officials could decrypt encrypted communications. Authorization involved procedures modeled on those required for the authorization of a wiretap [2].

SKIPJACK was designed by the National Security Agency. A review group of four experts reviewed the originally classified Skipjack algorithm, and reported that there was no significant risk that the algorithm had “trapdoors” or could be broken by any known method of attack [3]. The National Institute of Standards and Technology (NIST) specified some details of the escrow parameters in FIPS 185. NIST also worked with representatives of the Justice Department, the Treasury Department, the National Security Agency, and the Federal Bureau of Investigation to develop and implement a Key Escrow System for the protection and controlled release of the information necessary to reconstruct the device unique keys [4]. The system was designed so that no single person or organization could compromise the device unique key.

Although the use of escrow cryptography was not mandatory, it raised concerns from the civil libertarian, product vendor, and academic communities. Civil libertarians feared that escrow might someday be made mandatory; product vendors wondered whether the market would support cryptographic systems that provided the U.S. Government access to the protected information; and academics worried about whether the risks were worth the benefits. An ad hoc group of cryptographers and computer scientists argued that key escrow systems “are inherently less secure, more costly, and more difficult to use” [5].

Nevertheless, many data storage system owners wished to recover data encrypted by the users in the event that the user loses, destroys, or is unable to produce the encryption key. Researchers and encryption product vendors began to design and implement systems that provided for the recovery of user keys (often by the system administrator) [6]. This process is commonly referred to as key recovery. Today, many encryption product manufacturers provide a key recovery capability in their products or in the systems that make use of their products. Key recovery in these systems is primarily for the benefit of the user or the system owner. Authorized law enforcement officials would have to present their authorization to the system administrator/owner before obtaining access to any keys or information. The system administrator/owner would then be able to decide on the appropriate action. This is a well-understood and accepted process that has been used for many years.

While the initial concept of Key Escrow was not successful, it led to a greater appreciation for the need of users and system owners to have backup capabilities for the recovery of encryption keys or the data that they protect.

Miles E. Smid

References

[1] National Institute of Standards and Technology (1994). “Escrowed Encryption Standard (EES).” Federal Information Processing Standard (FIPS PUB 185).
[2] Delaney, D.P. et al. (1993). “Wiretap laws and procedures: What happens when the government taps a line.” Available from Georgetown University, Department of Computer Science, Washington, DC, from cpsr.org, or by e-mail from denning@cs.georgetown.edu.
[3] Brickell, E.F. et al. (1993). “The SKIPJACK review, Interim Report: The SKIPJACK Algorithm.” Available from Georgetown University, Office of Public Affairs, Washington, DC, from cpsr.org, or by e-mail from denning@cs.georgetown.edu.
[4] Denning, D.E. and M. Smid (1994). “Key escrowing today.” IEEE Communications Magazine, 32 (9), 58–68.
[5] Abelson, H. et al. “The risks of key recovery, key escrow, & trusted third party encryption.” Available on cdt.org/crypto/risks98 or epic.org/crypto/key escrow.
[6] Denning, D.E. (1996). “Descriptions of key escrow systems.” Communications of the ACM, February 26, 1997 version available on cosc.Georgetown.edu/~denning/crypto/appendix.html.

KEY MANAGEMENT

INTRODUCTION: Cryptographic keys are used to encrypt/decrypt data or to create/verify digital signatures (see key). One of the biggest issues associated with cryptography is the secure distribution of these keys to the appropriate communicating parties. This is referred to as key distribution or key establishment. The life cycle associated with this keying material (i.e., the initialization, distribution, and cancellation of the keys) is referred to as key management. The purpose of this section is to discuss key management, with particular emphasis on key distribution.

Before we discuss key management, it is important to understand that there are two basic types of cryptography: (1) symmetric or secret key and (2) asymmetric or public key.

Symmetric cryptography is characterized by the fact that the same key is used to perform both the encryption and decryption. This means that

efficiently. The concept of asymmetric cryptography was first introduced to the general public in 1976 (see [3]), but much of the technology necessary to support public key cryptography was not available until the mid-1990s.

As illustrated below, symmetric cryptography and asymmetric cryptography are not necessarily mutually exclusive. In fact, these techniques can be used together in order to offer a complementary set of services. For example, symmetric cryptography can be used to encrypt a message and asymmetric cryptography can be used to securely transfer the secret key used to encrypt the file to the intended recipient(s). However, this is not always possible and other distribution mechanisms may be required.

To illustrate these concepts in more detail, we will first discuss key management associated with a secret key only system. This will be followed by a discussion of public key cryptography and how public key and secret key cryptography can be used together.

SYMMETRIC OR SECRET KEY CRYPTOGRAPHY

Background

When the first electronic symmetric cryptosystems were deployed, key management was physical in nature and it required a significant amount of human involvement. Keys were centrally generated and recorded on media such as paper or magnetic tape and the keying material was physically distributed to the appropriate locations. This
