cp - IETF | studyslide.com

cp - IETF

Transcript cp - IETF

Identity-Based Encryption
Technology Overview
Public Key Cryptography Without Certificates
Mark J. Schertler
Identity-Based Encryption (IBE)

IBE is an old idea



Originally proposed by Adi Shamir, S in RSA, in 1984
Not possible to build an IBE system based on RSA
First practical implementation

Boneh-Franklin Algorithm published at Crypto 2001
 Bilinear Maps (Pairings) on Elliptic Curves
•


Based on well-tested mathematical building blocks
Public Key Algorithm used for Key Transport
The IBE breakthrough is having major impact

Now over 400 scientific publications on IBE and Pairing Based
Cryptography
 Major deployments in industry

Standardization Efforts


2
IBE mathematics is being standardized in IEEE 1363.3
IETF S/MIME Informational RFC
IBE Public Keys
… Introduce This Elegance
Public-key Encryption where Identities are used as Public Keys

IBE Public Key:
[email protected]

RSA Public Key:
Public exponent=0x10001
Modulus=13506641086599522334960321627880596993888147
560566702752448514385152651060485953383394028715
057190944179820728216447155137368041970396419174
304649658927425623934102086438320211037295872576
235850964311056407350150818751067659462920556368
552947521350085287941637732853390610975054433499
9811150056977236890927563
3
How IBE works in practice
Alice sends a Message to Bob
Key Server
• Master Secret
• Public Parameters
2
Receives
Private Key
3
for [email protected]
Requests
private key,
authenticates
[email protected]
[email protected]
[email protected]
1
Alice encrypts with
[email protected]
4
Bob decrypts with 4
Private Key
How IBE works in practice
Alice sends a Message to Bob
Key Server
Fully off-line - no connection to server required
[email protected]
[email protected]
[email protected]
1
Charlie encrypts
with [email protected]
5
Bob decrypts with 2
Private Key
IBE Public Key Composition
v2 ||
public key definition version
ibe-server.acme.com#1234 ||
server location and public parameter version
week = 252 ||
key validity period
[email protected]
e-mail address
6
IBE Benefits
Dynamic “As Needed” Public and Private Key Generation




No pre-generation or distribution of certificates
Built-in Key Recovery – No ADKs
Allows content, SPAM, and virus scanning at enterprise boundary
Facilitates archiving in the clear per SEC regulations
Policy in the Public Key


e.g. Key Validity Period
No CRLs
Dynamic Groups

Identities can be groups and roles; no re-issuing keys when group or role changes
Minimal System State



Master Secret / Public Parameters (~50KB) all you need for disaster recovery
End user keys and message not stored on server
Server scalability not limited by number of messages
Benefits lead to:
High system usability
Highly scalable architecture
Low operational impact
Fully stateless operation
7
Public Key Infrastructure
Certificate Server binds Identity to Public Key
Certification
Authority
Certificate
Server
Store
Certificate
CA Signing Key
CA Public Key
Look up
Bob’s Certificate,
Check revocation
Send
Public Key,
Authenticate
Receive
Certificate
Recovery
Server
Store Bob’s
Private Key
8
CA Public Key
Bob’s Private Key
Bob’s Public Key
[email protected]
[email protected]
Identity Based Encryption
Binding of Identity to Key is implicit
IBE Key Server
Certificate
Server
X
Look up
Bob’s Certificate,
Check revocation
Store
Certificate
Master Secret
Public
Parameters
Send
Identity,
Authenticate
Receive
Private Key
Recovery
Server
X
Store Bob’s
Private Key
Public Parameters
[email protected]
9
Bob’s Private Key
[email protected]
Adding IBE to CMSv3

Define OtherRecipientInfo Type for RecipientInfo
in Enveloped Data


Add IBE per RFC 3370 – CMS Algorithms

Create IBE algorithm Informational RFC similar to
RFC 2313 - PKCS #1: RSA Encryption Version
1.5

10
Based on CMSv3 - RFC 3852
Could be IEEE 1363.3 spec
CMSv3
RecipientInfo ::= CHOICE {
ktri KeyTransRecipientInfo,
…
ori [4] OtherRecipientInfo }
OtherRecipientInfo ::= SEQUENCE {
oriType OBJECT IDENTIFIER,
oriValue ANY DEFINED BY oriType }
oriValue ANY DEFINED BY oriType



Version
Domain and Parameter Version (Server Location)
Schema
•
•

11
Validity Period
Identity (RFC822)
Public Parameters
12
IBE Public Keys - Revocation and Expiration
IBE Public Key: [email protected] || week = 252
e-mail address


13
key validity
IBE Systems use short lived keys

Public key contains key validity

Every week public key changes, so every week a new private
key must be retrieved by the client

Refresh period is configurable
This simplifies key revocation

Users removed from the directory, no longer get keys

Above system is identical to a weekly CRL
User authentication
Voltage can support any type of authentication
Authentication needs differs by Application


More sensitive data, requires stronger authentication
Identity-Based Encryption scales across all levels
Authentication Adapters






14
PKI Smart Cards
RSA SecurID
LDAP, Active Directory
Login/Password
Email Answerback
Username and password
Voltage
VSPS
Auth.
Service
The IBE Key Server
Master Secret
s = 1872361923616378
Voltage Server
Request for Private Key
for Identity [email protected]

Key Server has “Master Secret” to generate
keys



15
A random secret is picked when the server is
set up
Each organization has a different Master Secret
Private key is generated from Master Secret
and Identity
The IBE Security Model
Master Secret and Public Parameters
When the key server is set up:
 Generate a random Master
Secret
 Derive Public Parameters from
the master secret
 Distribute Public Parameters to
all clients (one time setup only)
 Public Parameters are similar
to a CA root certificate (long
lived, bundled with software)
During Operation:
 Client uses Public Parameters
in the encryption operation
 Server uses Master Secret to
generate private keys for users
16
IBE Key
Server
Master Secret
1238715613581
Public
Parameters
Public
Parameters
Public
Parameters
[email protected]
[email protected]
Voltage Enables Perimeter Content Scanning
Filtering Spam and Viruses with End-to-End Encryption
INTERNET
DMZ
LAN
Voltage IBE
Gateway Server
Encrypted
email arrives

17
1
Email is
scanned
GW
Archive
Audit
Virus
GW
Exchange,
Domino, etc.
2
User receives 3
encrypted email
IBE’s on-the-fly key generation capability enables end-to-end encryption with content
scanning
 Filter for Viruses, Trojans, Spam, etc.
 Allows archiving email for compliance, audit
IBE: Setting A New Standard In Security
Current Efforts
IBCS-1 Standard
Other IBE
Technology
Study Group
Post IEEE
Standards
IEEE Working Group
IEEE Study Group
• Set structure of standard
• Write PoA
Feb/2005
• PBC/IBE Standard
• Submit for ratification
Mid 2005
> 2007

Current efforts are supported by Bell Canada, CESG, Gemplus, HP Labs,
Microsoft, NTT DoCoMo, NoreTech, NSA, Siemens, STMicroelectronics

IEEE and NIST fast-tracking IBE for standardization


18
Working Group
No other cryptographic algorithms have begun this process so quickly
Voltage IBE Toolkit FIPS 140-2 certified
Voltage: Proven Ease of Use

The easiest-to-use secure email:


Seamless integration with leading mail clients
No-download send/receive through Zero Download
Messenger
•



No JavaScript, ActiveX, or browser plugins
Policy-based encryption at network edge
No change in user behavior
Only secure messaging solution rated “Excellent”
in usability by eWeek Labs
“During my test of the system, it worked great.
All a provider needed to do was send me an email
encrypted based on my email address… It was
simple and easy to operate.”
19
Voltage: “Stateless” Architecture

Keys and messages are never stored on Voltage server


Only one backup required for life of system



Entire system can be recovered from single piece of data in
minutes, whether 20 users or 20 million
Messages can never be lost

No separate message store to backup

Administrator can decrypt messages at any point in future

No ADKs required
Full support for cleartext or encrypted archiving

20
Mail delivered using existing infrastructure
Easily meet message retention policies
Voltage: “Stateless” Architecture

Highly scalable





Strongest integration with network edge content
scanning

21
New servers can be replicated from single backup
Servers never need to be synchronized
Can be load balanced using DNS
Built for enterprise- and carrier-class environments
Only solution with end-to-end encryption with anti-virus, antispam, archiving
Voltage: Lowest Overhead

Leverages existing mail infrastructure




Self-provisioning authentication


Same messages can be viewed with client or Zero
Download Messenger
No additional headcount required

22
No IT/administrative action required to enroll new users
No need to select delivery methods


Messages delivered using normal mail flow
No new webmail/parallel mail infrastructure to manage,
scale
Other solutions are equivalent to running an entirely new
Exchange/Notes system
Voltage customers report 0.1 FTE required
Identity-Based Encryption (IBE)

IBE is an old idea


First practical implementation





Over 200 scientific publications on IBE/Pairings
Dan Boneh awarded 2005 RSA Conference Award for Mathematics
Standardization Efforts


23
Research funded by DARPA
Boneh-Franklin Algorithm published at Crypto 2001
Based on well-tested building blocks for encryption:
PKCS #7, S/MIME(CMS), 3DES, AES, SHA-256, DSS, SSL
Industry acceptance


Originally proposed by Adi Shamir, co-inventor of the RSA
Algorithm, in 1984
IBE being standardized by NIST and IEEE 1363.3
IETF S/MIME?
Voltage IBE breakthrough
Highest system usability

No certificates – no CRLs: ease of use for administrators and end users
Lowest operational impact

No new directories or resources required to manage system
Fully stateless operation

Keys dynamically generated – no storage required - simplifies disaster
recovery, retention and backup
Most flexible mobility architecture

Architected for “occasionally-connected” users:
full online and offline usage
Most scalable architecture

24
Server scalability not limited by number of messages
25
IBE and PKI
26
1.
Voltage Security
2.
Identity-Based Encryption
3.
IBE and PKI
1.
Comparing IBE and PKI
2.
Combining the Two
4.
The future of IBE
5.
Voltage and the DoD/DHS
Public Key Infrastructure

Working client side PKI Deployments are few



Mainly government and defense
A few large companies
These deployments have major issues

Deployment Cost
 Certificate Revocation
 Content scanning is still an unsolved issue
(e.g. for filtering mail for viruses, spam or audits)
 Difficult to use

Can IBE help?

27
Yes, IBE solves many of the issues of PKI
Public Key Infrastructure
Certificate Server binds Identity to Public Key
Certification
Authority
Certificate
Server
Store
Certificate
CA Signing Key
CA Public Key
Look up
Bob’s Certificate,
Check revocation
Send
Public Key,
Authenticate
Receive
Certificate
Recovery
Server
Store Bob’s
Private Key
28
CA Public Key
Bob’s Private Key
Bob’s Public Key
[email protected]
[email protected]
Identity Based Encryption
Binding of Identity to Key is implicit
IBE Key Server
Certificate
Server
X
Look up
Bob’s Certificate,
Check revocation
Store
Certificate
Master Secret
Public
Parameters
Send
Identity,
Authenticate
Receive
Private Key
Recovery
Server
X
Store Bob’s
Private Key
Public Parameters
[email protected]
29
Bob’s Private Key
[email protected]
IBE vs. PKI – Practical Implications

IBE has no Certificates and Certificate management

No certificate server
 No certificate lookups for the client
 No certificate (or key) revocation, CRLs, OCSP etc.
•

PKI requires pre-enrollment



Instead, IBE uses short-lived keys. PKI can’t do this because this would
compound lookup problem
In PKI, recipient must generate key pair before sender can encrypt
message
IBE is Ad-Hoc capable, a sender can send message at any time
IBE eliminates encryption key recovery/escrow server

Most PKI applications require access to private keys
(e.g. Lost keys, Financial Audit, Virus Filtering etc.)
 Key server can generate any key on the fly
30
IBE and PKI – Strengths and Weaknesses
Public Key Infrastructure (PKI)


Expensive to deploy and run
Requires pre-enrollment



Issuing certificates
Works well for authentication
Can be made highly secure through
smart cards
Identity-Based Encryption

Ad-hoc capable



Powerful for encryption



31
requires no pre-enrollment
software only
no key-lookup
revocation is easy
Content scanning easy
Where to use PKI
 Inside the
organization
 For maximum
security/high cost
deployments
 Mainly authentication
and signing
Where to use IBE
 Inside or outside the
organization
 For any level of
security
 Where encryption/
privacy is important
Policy-Driven Encryption
Who is it from?
What company is
it to?
Who is it to?
Does the sender
want to encrypt?
What does it
say?
32
Policy-Based Encryption

Policy-based encryption

Controlled by administrators
 Automatically enforced based
on message flow and/or
content
 Can also allow users to opt-in,
or opt-out based on keywords
(no client s/w)

At the network edge


33
Encryption decision occurs at
the boundary to minimize
exposure and maximize
transparency
A powerful tool for compliance
Sample Policies
• Encrypt all traffic to xyz.com
• Encrypt from [email protected]
• Encrypt all ePHI (lexicon)
• Encrypt if subject contains
“confidential”
-OR•Encrypt all unless opt-out