
Chapter Seven: Key Management

Public-key cryptography can be used to distribute secret keys between two parties. This involves: 1. Party A encrypts a secret key with Party B's public key and sends it. 2. To authenticate each other first, Party A and B exchange encrypted messages containing nonces. 3. Once authenticated, Party A sends the encrypted secret key to Party B, who can then decrypt and obtain the secret key.

Uploaded by

Sumit Kumar Dam

Chapter Seven

Key Management

Md. Rafiqul Islam


Key Management
# Public-key cryptosystems help to solve key distribution problems.

# Two aspects of key management:
- distribution of public keys
- use of a public-key cryptosystem to distribute secret keys


Distribution of Public Keys
# Distribution of public keys can be performed using:
- public-key authority
- public-key certificates


Public-Key Distribution by PA
If A and B want to communicate with each other, they register their public keys (Kpub,A and Kpub,B) with the public-key authority (PA).
The authority can then send encrypted messages to A as well as to B.

[Diagram: A and B each send their public keys, Kpub,A and Kpub,B, to PA. PA = Public-key Authority.]


Public Key Distribution
# After registration, PA gives A and B the public key of the authority, Kpub,auth.

[Diagram: PA sends Kpub,auth to A and to B.]


Public Key Distribution by PA
# Suppose A needs the current public key of B.
1) A sends a message to PA (public-key authority) as follows:
M1 = Request || Time1
2) The authority sends ciphertext to A:
C1 = E(Kp,auth, [Kpub,B || M1])
where Kp,auth is the private key of the authority.

[Diagram: A sends M1 to PA; PA returns C1 to A.]


Public Key Distribution by PA
# A decrypts C1 using the public key of the authority and gets the public key of B:
P1 = D(Kpub,auth, C1)
P1 = Kpub,B || M1

# A obtained the public key of the authority after registering his public key with the authority.


Public Key Distribution
3) Now A sends an encrypted message to B as follows:
C2 = E(Kpub,B, [IDA || N1])

# N1 is called a nonce, which is generally a random number.
A sends C2 to get a response from B, to ensure that Kpub,B is the public key of B. B should now say 'yes', it belongs to him.

Previous Three Steps at a Glance
1) M1 = Request || Time1   [Request from A]
2) C1 = E(Kp,auth, [Kpub,B || M1])   [Response from PA]
3) C2 = E(Kpub,B, [IDA || N1])   [Cipher message from A]

[Diagram: A sends M1 to PA; PA returns C1 to A; A sends C2 to B.]


Public Key Distribution
# To respond to A's message, B should send an encrypted message, so that a masquerader cannot know his public key. To send an encrypted message to A, B has to know the public key of A.
4) Now B sends a request to the authority as follows:
M2 = Request || Time2


Public Key Distribution
5) The authority sends an encrypted message to B as follows:
C3 = E(Kp,auth, [Kpub,A || M2])

[Diagram: B sends M2 to PA; PA returns C3 to B.]

# By decrypting the message, B gets the public key of A.

Public Key Distribution
6) B responds to A with an encrypted message as follows:
C4 = E(Kpub,A, [N1 || N2])
A decrypts C4 and gets N1, which proves that B sent C4 as the response, because no one except B knows N1, which was sent by A.
7) A responds to B as follows:
C5 = E(Kpub,B, N2)
Similarly, B decrypts C5 and becomes sure that the message was from A (by getting N2).

Public Key Distribution
C4 = E(Kpub,A, [N1 || N2])
C5 = E(Kpub,B, N2)

[Diagram: B sends C4 to A; A sends C5 to B.]


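Public Key Distribution at a Glance

[Diagram: message flow among A, B and PA. (1) M1 from A to PA; (2) C1 from PA to A; (3) C2 from A to B; (4) M2 from B to PA; (5) C3 from PA to B; (6) C4 from B to A; (7) C5 from A to B.]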


Public Key Distribution

(1) M1 = Request || Time1   [A → PA, Request]
(2) C1 = E(Kp,auth, [Kpub,B || M1])   [PA → A, Response]
(3) C2 = E(Kpub,B, [IDA || N1])   [A → B, Message]
(4) M2 = Request || Time2   [B → PA, Request]
(5) C3 = E(Kp,auth, [Kpub,A || M2])   [PA → B, Response]
(6) C4 = E(Kpub,A, [N1 || N2])   [B → A, Reply]
(7) C5 = E(Kpub,B, N2)   [A → B, Reply]


Public-Key Authority
PR = Private key, PU = Public key



Public-key Distribution through Certificate Authority
# User A registers his public key with the certificate authority (CA).
# The CA sends a certificate (an encrypted message containing the public key of A) to A.
# Similarly, B registers his public key with the CA.
# The CA sends a certificate to B.
# If A and B want to share a secret message, A and B exchange their certificates.


Public-key Certificate

[Diagram: A sends Kpub,A to the certificate authority; the authority returns the certificate of A, written CA.]

CA = E(Kp,auth, [T1 || IDA || Kpub,A])


Public Certificate

[Diagram: B sends Kpub,B to the certificate authority; the authority returns the certificate of B, written CB.]

CB = E(Kp,auth, [T1 || IDB || Kpub,B])


Public Key Certificate
CA = E(Kp,auth, [T1 || IDA || Kpub,A])
CB = E(Kp,auth, [T1 || IDB || Kpub,B])

[Diagram: A sends CA to B; B sends CB to A.]

Both A and B know the public key of the CA, so they can decrypt the certificates (CA, CB). Thus they get each other's public keys.

Public-Key Certificates
PU = Public key, PR = Private key


Secret Key Distribution
# In a symmetric (private-key) cryptosystem, both parties share the same key for encryption and decryption.
# A secret (private) key can be distributed using public-key encryption, as follows:
# Suppose A and B wish to share a secret key. If the key is in the possession of A, then A encrypts the secret key using the public key of B and sends it to B. B decrypts the message and gets the secret key.

Secret Key Distribution
# However, this process has a drawback: how does B ensure that the encrypted message is from A?
So, to share the secret key, A and B first authenticate each other. Next, A sends the secret key in ciphertext (the encrypted secret key) to B.


Secret Key Distribution
# The process is as follows:
1) A sends an encrypted message to B:
C1 = E(Kpub,B, [N1 || IDA])
2) B responds by sending another ciphertext:
C2 = E(Kpub,A, [N1 || N2])
where N1 and N2 are nonces.

Secret Key Distribution
# A responds with the following ciphertext:
3) C3 = E(Kpub,B, N2)
# A now sends the secret key in ciphertext as follows:
4) C4 = E(Kpub,B, [N1 || Ks])
# Ks is the secret key.


Secret Key Distribution at a Glance

1) C1 = E(Kpub,B, [N1 || IDA])   [Initiative from A]
2) C2 = E(Kpub,A, [N1 || N2])   [Response from B]
3) C3 = E(Kpub,B, N2)   [Response from A]
4) C4 = E(Kpub,B, [N1 || Ks])   [Key from A]

B recognizes A by IDA. A recognizes and authenticates B by N1. B authenticates A by N2. After recognition and authentication, A sends the secret key.

Pictorial View of Key Distribution

[Diagram: A sends C1 to B; B sends C2 to A; A sends C3 and then C4 to B.]


Distribution of Secret Key
PU = Public key, Ks = Secret key
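
The four-message secret-key exchange above, whose nonce handshake is the same one used in steps 3, 6 and 7 of the public-key authority exchange, as an added example that is not from the original slides. It assumes toy textbook RSA without padding and constructed keys built from Mersenne primes; the names keypair, distribute, ID_A and PRIV_X are hypothetical.

```python
import secrets

E_PUB, MASK = 65537, (1 << 64) - 1

def keypair(p, q):
    """Toy textbook-RSA keypair (public, private) from two primes; no padding."""
    n = p * q
    return (E_PUB, n), (pow(E_PUB, -1, (p - 1) * (q - 1)), n)

def E(key, fields):
    """E(K, [f1 || f2 ...]): pack 64-bit fields into one integer, apply the key."""
    exp, n = key
    m = 0
    for f in fields:
        m = (m << 64) | f
    if m >= n:
        raise ValueError("message does not fit in modulus")
    return pow(m, exp, n)

def D(key, c, count):
    """Inverse of E: apply the key, split the result into `count` fields."""
    exp, n = key
    m = pow(c, exp, n)
    return [(m >> (64 * i)) & MASK for i in reversed(range(count))]

ID_A = 0xA  # constructed identifier for party A

def distribute(pub_a, priv_a, pub_b, responder_priv, ks):
    """Run steps 1-4; return the key the responder obtains, or None on a failed check."""
    n1 = secrets.randbits(64)
    c1 = E(pub_b, [n1, ID_A])                  # 1) C1 = E(Kpub,B, [N1 || IDA])
    seen_n1, _ = D(responder_priv, c1, 2)      # responder opens C1 with its own key
    n2 = secrets.randbits(64)
    c2 = E(pub_a, [seen_n1, n2])               # 2) C2 = E(Kpub,A, [N1 || N2])
    echoed_n1, got_n2 = D(priv_a, c2, 2)
    if echoed_n1 != n1:                        # A aborts: responder could not read N1
        return None
    c3 = E(pub_b, [got_n2])                    # 3) C3 = E(Kpub,B, N2)
    if D(responder_priv, c3, 1)[0] != n2:      # B aborts: initiator could not read N2
        return None
    c4 = E(pub_b, [n1, ks])                    # 4) C4 = E(Kpub,B, [N1 || Ks])
    n1_again, got_ks = D(responder_priv, c4, 2)
    return got_ks if n1_again == seen_n1 else None

# Constructed keys from Mersenne primes: illustration only, never for real use.
PUB_A, PRIV_A = keypair(2**61 - 1, 2**89 - 1)
PUB_B, PRIV_B = keypair(2**107 - 1, 2**127 - 1)
_, PRIV_X = keypair(2**89 - 1, 2**107 - 1)    # a responder that is not B
```

Calling distribute with PRIV_B delivers Ks; with PRIV_X the echoed N1 does not match and A stops before Ks is ever sent.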

Diffie-Hellman (D-H) Key Exchange
# The scheme was first published publicly by W. Diffie and M. Hellman in 1976.
# It is a cryptographic protocol that allows two parties without prior knowledge of each other to share a secret key over an insecure communication channel.
# Diffie-Hellman key exchange is also known as the Diffie-Hellman key agreement scheme.


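Diffie-Hellman Key Exchange

[Diagram: two-party exchange]
One end holds g, p, x with $g < p$, $x < p$; x is a secret at this end.
The other end holds y; y is a secret at this end.
The first end computes $S = g^x \bmod p$ and sends S, g, p.
The second end computes $R = g^y \bmod p$ and sends R.
The first end computes $K = R^x \bmod p$.
The second end computes $K = S^y \bmod p$.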


Diffie-Hellman Key Exchange
# Verification:

1) $K = S^y \bmod p = (g^x \bmod p)^y \bmod p = g^{xy} \bmod p$

2) $K = R^x \bmod p = (g^y \bmod p)^x \bmod p = g^{xy} \bmod p$


Diffie-Hellman Key Exchange
# Example:
Suppose A and B want to share a secret.
1) Select $p = 29$ and $g = 2$.
2) A chooses a secret integer $x = 8$ and computes
$S = g^x \bmod p = 2^8 \bmod 29 = 24$
3) B chooses a secret integer $y = 18$ and computes
$R = g^y \bmod p = 2^{18} \bmod 29 = 13$
4) A computes $K = R^x \bmod p = R^8 \bmod 29 = 13^8 \bmod 29 = 16$
5) B computes $K = S^y \bmod p = 24^{18} \bmod 29 = 16$
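
The example above in code, as an added illustration that is not from the original slides. Beyond the slide, it range-checks the received public value and shows that with p = 29 an exhaustive search recovers the secret exponent, which is why such small parameters serve only for hand calculation; the function names are hypothetical.

```python
def dh_public(g, p, secret):
    """Public value g^secret mod p, enforcing the slide's g < p and x < p."""
    if not (1 < g < p and 0 < secret < p):
        raise ValueError("need 1 < g < p and 0 < secret < p")
    return pow(g, secret, p)

def dh_shared(peer_public, p, secret):
    """K = peer_public^secret mod p, rejecting degenerate peer values."""
    if not 1 < peer_public < p - 1:
        # 0, 1 and p-1 would confine K to at most two possible values
        raise ValueError("peer public value outside [2, p-2]")
    return pow(peer_public, secret, p)

def agree(g, p, x, y):
    """Run both ends of the exchange; return (S, R, K at A, K at B)."""
    S = dh_public(g, p, x)          # A -> B
    R = dh_public(g, p, y)          # B -> A
    return S, R, dh_shared(R, p, x), dh_shared(S, p, y)

def recover_exponent(g, p, public):
    """Exhaustive discrete log over 1..p-1: practical only because p is tiny."""
    for k in range(1, p):
        if pow(g, k, p) == public:
            return k
    return None

if __name__ == "__main__":
    # The slide's numbers: p = 29, g = 2, x = 8, y = 18
    S, R, k_a, k_b = agree(2, 29, 8, 18)
    print("S =", S, "R =", R, "K at A =", k_a, "K at B =", k_b)
    # An observer who sees only S, g and p finds x by trying every exponent
    print("x recovered from S:", recover_exponent(2, 29, S))
```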


Thank You.
