Key Management in

Public Key Cryptosystems

 Key Management

Public-key encryption helps address key distribution

problems
1. distribution of public keys
2. use of public-key encryption to distribute secret keys

2
 1. Distribution of Public Keys

• can be considered as using one of:

– Public announcement
– Publicly available directory
– Public-key authority
– Public-key certificates

3
 Public Announcement

• users distribute public keys to recipients or broadcast to

community at large
– eg. append PGP keys to email messages or post to
news groups or email list
• major weakness is forgery
– anyone can create a key claiming to be someone else
and broadcast it
– until forgery is discovered can masquerade as claimed
user for authentication

4
 Publicly Available Directory

• can obtain greater security by registering keys with a

public directory
• directory must be trusted with properties:
– contains {name, public-key} entries
– participants register securely with directory
– participants can replace key at any time
– directory is periodically published
– directory can be accessed electronically
• still vulnerable to tampering or forgery

5
Public-Key Authority

6
 Public-Key Authority

• improve security by tightening control over distribution

of keys from directory
• requires users to know public key for the directory
• then users interact with directory to obtain any desired
public key securely
– does require real-time access to directory when keys
are needed

7
 Public-Key Certificates

• The public-key authority could be a bottleneck in the

system.
– must appeal to the authority for the key of every other
user
• certificates allow key exchange without real-time access
to public-key authority
• a certificate binds identity to public key
• with all contents signed by a trusted Public-Key or
Certificate Authority (CA)
– Certifies the identity
– Only the CA can make the certificates

8
Public-Key Certificates

9
 Public-Key Distribution of Secret Keys

• public-key algorithms have relatively slow data rates

• so few users make exclusive use of public key encryption.
usually prefer private-key encryption to protect message
contents
• hence need a session key
• Public-Key encryption helps Distribution of Secret Keys

10
1. Simple Secret Key Distribution

• proposed by Merkle in 1979

– A generates a new temporary public private key pair
{PUa, PRa}
– A sends B the public key and A’s identity
– B generates a session key Ks sends it to A encrypted
using the supplied public key
– A decrypts the session key and both use
• problem is that an opponent can intercept and
impersonate both halves of protocol

11
 Public-Key Distribution of Secret
Keys
• First securely exchanged public-keys
using a previous method

12
 Diffie-Hellman Key Exchange
• first public-key type scheme proposed
– For key distribution only
• by Diffie & Hellman in 1976 along with the
exposition of public key concepts
– note: now know that James Ellis (UK CESG)
secretly proposed the concept in 1970
• is a practical method for public exchange
of a secret key
• used in a number of commercial products
13
 Diffie-Hellman Key Exchange
• a public-key distribution scheme
– cannot be used to exchange an arbitrary message
– rather it can establish a common key
– known only to the two participants
• value of key depends on the participants (and
their private and public key information)
• based on exponentiation in a finite (Galois) field
(modulo a prime or a polynomial) - easy
• security relies on the difficulty of computing
discrete logarithms (similar to factoring) – hard

14
 Diffie-Hellman Setup
• all users agree on global parameters:
– large prime integer or polynomial q
– α a primitive root mod q
• each user (eg. A) generates their key
– chooses a secret key (number): xA < q
– compute their public key: yA = αxA mod q
• each user makes public that key yA

15
 Diffie-Hellman Key Exchange
• shared session key for users A & B is K:
xB
K = yA mod q (which B can compute)
xA
K = yB mod q (which A can compute)
(example)
• K is used as session key in private-key
encryption scheme between Alice and Bob
• if Alice and Bob subsequently communicate,
they will have the same key as before, unless
they choose new public-keys
• attacker needs an x, must solve discrete log
16
 Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime q=353 and α=3
• select random secret keys:
– A chooses xA=97, B chooses xB=233
• compute public keys:
– y =397 mod 353 = 40 (Alice)
A
– y =3233 mod 353 = 248 (Bob)
B
• compute shared session key as:
xA 97
KAB= yB mod 353 = 248 = 160 (Alice)
xB 233
KAB= yA mod 353 = 40 = 160 (Bob)
17
 Elliptic Curve Cryptography
• majority of public-key crypto (RSA, D-H)
use either integer or polynomial arithmetic
with very large numbers/polynomials
• imposes a significant load in storing and
processing keys and messages
• an alternative is to use elliptic curves
• offers same security with smaller bit sizes

18
 Real Elliptic Curves
• an elliptic curve is defined by an equation in two
variables x & y, with coefficients
• consider a cubic elliptic curve of form
– y2 = x3 + ax + b
– where x,y,a,b are all real numbers
– also define zero point O
• have addition operation for elliptic curve
– Q+R is reflection of intersection R
– Closed form for additions
• (10.3) and (10.4) P.300-301

19
Real Elliptic Addition
Rule 1-5 in P.300

20
 Finite Elliptic Curves
• Elliptic curve cryptography uses curves whose
variables & coefficients are finite integers
• have two families commonly used:
– prime curves Ep(a,b) defined over Zp
• y2 mod p = (x3+ax+b) mod p
• use integers modulo a prime for both variables and coeff
• best in software
– Closed form of additions: P.303
– Example: P=(3,10), Q=(9,7), in E23(1,1)
• P+Q = (17,20)
• 2P = (7,12)

21
All points on E23(1,1)

22
 Finite Elliptic Curves
• have two families commonly used:
– binary curves E2m(a,b) defined over GF(2m)
• use polynomials with binary coefficients
• best in hardware
– Take a slightly different form of the equation
– Different close forms for addition (P.304)

23
 Elliptic Curve Cryptography
• ECC addition is analog of multiply
• ECC repeated addition is analog of
exponentiation
• need “hard” problem equiv to discrete log
– Q=kP, where Q,P are points in an elliptic curve
– is “easy” to compute Q given k,P
– but “hard” to find k given Q,P
– known as the elliptic curve logarithm problem
• Certicom example: E23(9,17) (P.305)
– k could be so large as to make brute-force fail

24
 ECC Key Exchange
• can do key exchange similar to D-H
• users select a suitable curve Ep(a,b)
– Either a prime curve, or a binary curve
• select base point G=(x1,y1) with large order n s.t.
nG=O
• A & B select private keys nA<n, nB<n
• compute public keys: PA=nA×G, PB=nB×G
• compute shared key: K=nA×PB, K=nB×PA
– same since K=nA×nB×G
• Example: P.305
25
 ECC Encryption/Decryption
• select suitable curve & point G as in D-H
• encode any message M as a point on the elliptic
curve Pm=(x,y)
• each user chooses private key nA<n
• and computes public key PA=nA×G
• to encrypt pick random k: Cm={kG, Pm+k Pb},
• decrypt Cm compute:
Pm+kPb–nB(kG) = Pm+k(nBG)–nB(kG) = Pm
• Example: P.307
26
27
 ECC Security
• relies on elliptic curve logarithm problem
• fastest method is “Pollard rho method”
• compared to factoring, can use much
smaller key sizes than with RSA etc
• for equivalent key lengths computations
are roughly equivalent
• hence for similar security ECC offers
significant computational advantages
28
Thank You
29