PKI and Identity-Based Encryption
Secure IT Conference 2007
Guido Appenzeller, Voltage Security


Post on 23-Jan-2016


Identity-Based Encryption (IBE)

IBE is a new public key encryption algorithm
• A number of widely-used encryption algorithms are already available (AES, RSA, ECC etc.)
• Why on earth should we care about a new one?

1. IBE results in vastly simplified key management

2. As a result, IBE based solutions have a much lower total cost of ownership and much higher usability

3. It has gained widespread adoption in Industry and has opened up the use of encryption to new use cases


Identity-Based Encryption


Identity-Based Encryption

Basic Idea: Public-key Encryption where Identities are Public Keys

IBE Public Key: [email protected]

RSA Public Key:
Public exponent=0x10001
Modulus=135066410865995223349603216278805969938881475605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563


IBE does not need certificates

Certificates bind Public Keys to Identities
• e.g. [email protected] has key 0x87F6…
• Signed by a Certification Authority

In IBE, Identity and Public Key are the same
• No certificate needed
• No certificate revocation
• No certificate servers
• No pre-enrollment


Identity-Based Encryption (IBE)

IBE is an old idea
• Originally proposed by Adi Shamir, co-inventor of the RSA Algorithm, in 1984

First practical implementation
• Boneh-Franklin Algorithm published at Crypto 2001
• Based on well-tested building blocks for encryption (elliptic curves and pairings)

IBE is having a major impact already
• Over 200 scientific publications on IBE/Pairings
• Boneh-Franklin paper cited 450 times so far (Google Scholar)
• Dan Boneh awarded 2005 RSA Conference Award for Mathematics for inventing IBE


How IBE works in practice: Alice sends a Message to Bob

[Diagram. Labels: [email protected]; Key Server; master secret; public params; key request + authenticate]


How IBE works in practice: Second Message to Bob

[Diagram. Labels: [email protected]; Key Server; public params]

Fully off-line - no connection to server required


The IBE Key Server

Master Secret is used to generate keys
• Each organization has a different secret
• Thus different security domains

Server does not need to keep state
• No storage associated with server
• Easy load balancing, disaster recovery

[Diagram: Key Server; Master Secret s = 1872361923616378; Request for Private Key for Identity [email protected]]


User authentication

Authentication needs differ by Application
• More sensitive data requires stronger authentication
• Even for one organization, very different needs for different groups of users

External authentication
• Leverage existing passwords, directories, portals, etc.
• One size doesn’t fit all

[Diagram: Key Server, Auth. Service]


The Authentication Gradient

[Figure: authentication methods plotted against OMB-04-04 Level 1 to Level 4, with axis labels "Self-provisioning" and "Pre-enrollment". Methods shown:]
• No Authentication
• Email answerback (VeriSign Class 1)
• Email answerback w/ passwords
• Directory with pre-enrollment
• Windows domain controller or SSO
• RSA SecurID
• PKI Smart Card, USB Token
• Three factor auth (Bio+PKI+PIN)
• OOB password with call center reset


Key Revocation, Expiration and Policy

What happens if I lose my private key?
• Key validity enables revocation – “key freshness”
• Every week public key changes, so every week a new private key is issued
• Revocation can be done on weekly basis
• To revoke someone, simply remove him from the authentication mechanism (e.g. corporate directory)

[email protected] || week = 252
(e-mail address || key validity)
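The key-freshness scheme above and the stateless Key Server described earlier, sketched as an added example that is not from the original slides or from any Voltage product. Assumptions: the `email||week=N` string format, the week-0 epoch, the sample address `bob@b.com` and the "no future weeks" policy are constructed for illustration, and HMAC-SHA256 stands in for the pairing-based IBE private-key extraction (in real IBE the sender derives the public key from the identity and the public parameters alone).

```python
import hashlib
import hmac
from datetime import date, timedelta

EPOCH = date(2002, 1, 7)  # assumed Monday on which week 0 starts (hypothetical)

def week_number(day: date) -> int:
    """Index of the week containing `day`, counted from EPOCH."""
    return (day - EPOCH).days // 7

def identity_for(email: str, day: date) -> str:
    """Identity string a sender encrypts to: e-mail address || key validity."""
    return f"{email.strip().lower()}||week={week_number(day)}"

class KeyServer:
    """Stateless issuer: holds only the master secret and a reference to the
    external authentication source (a set standing in for a directory)."""
    def __init__(self, master_secret: bytes, directory: set):
        self.master_secret = master_secret
        self.directory = directory

    def issue(self, authenticated_email: str, identity: str, today: date) -> bytes:
        email, sep, week = identity.partition("||week=")
        if not sep or not week.isdigit():
            raise ValueError("malformed identity")
        if email != authenticated_email.strip().lower():
            raise PermissionError("identity does not belong to requester")
        if email not in self.directory:
            raise PermissionError("user removed from directory (revoked)")
        if int(week) > week_number(today):
            # Assumed policy: no keys for future weeks, so none can be stockpiled.
            raise PermissionError("validity period has not started")
        # Stand-in for IBE key extraction: deterministic in (secret, identity),
        # so nothing per-user is ever stored on the server.
        return hmac.new(self.master_secret, identity.encode(), hashlib.sha256).digest()

def demo():
    directory = {"bob@b.com"}                      # constructed sample data
    today = EPOCH + timedelta(weeks=252, days=2)   # a day inside week 252
    ident = identity_for("Bob@B.com", today)       # "bob@b.com||week=252"
    a, b = (KeyServer(b"constructed-secret", directory) for _ in range(2))
    same = a.issue("bob@b.com", ident, today) == b.issue("bob@b.com", ident, today)
    directory.discard("bob@b.com")                 # revoke: drop from directory
    next_week = today + timedelta(weeks=1)
    try:
        a.issue("bob@b.com", identity_for("bob@b.com", next_week), next_week)
    except PermissionError:
        return ident, same, True                   # next week's key is refused
    return ident, same, False
```

Keys already issued for week 252 stay usable until that week's identity stops being used by senders, which is why revocation takes effect at the validity granularity.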


IEEE 1363.3 – Pairing Based IBE Standard

IEEE 1363 Standards Group
• Wrote standard on RSA and Elliptic Curve Cryptography
• Now taking steps to standardize IBE

IEEE 1363.3 “Identity-Based Cryptographic methods using Pairings”
• Main focus is on IBE, but also related methods (e.g. ID based signatures)

Strong support from Government and Industry
• Meetings attended by representatives from NIST, NSA, HP, Microsoft, Gemplus, Motorola and others


IETF – IBE based Secure Email Standard

Internet Engineering Task Force
• Sets standards for the Internet
• TCP/IP, IPSec, HTTP, TLS, DNS etc.

Effort through the S/MIME Group
• S/MIME today implemented in all major email clients
• IBE as an additional key transport for S/MIME
• Standard includes IBE Key Request Protocol, IBE Parameter Lookup Protocol and selected IBE Algorithms
• Final RFC expected in 2007


Standard Textbooks incorporating Identity-Based Encryption

Elliptic Curves, by Lawrence C. Washington

Handbook of Elliptic and Hyperelliptic Curve Cryptography, by Henri Cohen, Gerhard Frey

Elliptic Curves in Cryptography, edited by Ian Blake, Gadiel Seroussi and Nigel Smart

Cryptography: Theory and Practice (3rd Ed.), by Douglas R. Stinson


Awards for IBE Products

IAPP Privacy Innovation Technology Award - 2006

AlwaysOn Top 100 Companies - July 2005

Red Herring 100 Top Private Companies 2005

Gartner Group – Cool Security Vendor 2005

eWeek Finalist 2005 – Email Management and Security

RSA 2005 Prize for Mathematics – Dr. Dan Boneh

SC Magazine Finalist 2005 – Best Email Security Solution and Best Encryption Solution

AlwaysOn “Top new innovator company” – July 2004

InfoWorld Innovators Award - May 2004 Bank

Network World “Tops in Innovation” - February, 2004

Technology News “Top Ten Technology Companies” - August, 2003

RSA Mathematics Prize 2005


Key Management


Encryption today is a solved problem
Example: Encrypting an email message

[Diagram: Alice (Encryption Key) and Bob (Decryption Key)]

How do we make sure Alice and Bob have the right keys?


What is hard about managing keys?

Enrollment
• Key creation, duplicate keys
• Distribution

Lookup, Storage and Access
• Finding the encryption key of a recipient
• Recovery of decryption keys
  • Virus scanning, spam filtering
  • Archiving emails for compliance
• Synchronizing distributed key stores

Key life cycle
• Revoking keys, expiring keys
• Backup of keys, disaster recovery


Key Management for Symmetric Keys
Example: Organization with 8 people

[Diagram: eight users (1 to 8) and a Key Server whose Key Store holds 28 keys]

How many keys total for 8 people?


Key Management with Symmetric Keys

One key per pair of users
• Network of 8 parties requires managing 28 keys
• Network of 1000 users requires 500,000 keys
• Network of N parties requires N(N+1)/2 keys

Alternative: One key per email
• Network of 1000 users
• Assume 50 emails per user per day
• 18,250,000 keys per year

Key management with symmetric keys doesn’t scale!


Public Key Infrastructure (PKI)

Public Key Encryption
• Users have a Public Key and a Private Key
• Only need one key per party, total of N keys for N parties
• Keys are bound to users with Certificates
• Examples: RSA, Elliptic Curve etc.

Managing PKI has issues of its own
• How do I create certificates for everyone?
• How do I revoke a certificate?
• How do I find the certificate of a recipient?
• How do I manage certificate distribution?
• What do I do if private keys are lost?
• …


Key Management - Public Key Infrastructure
Certificate Server binds Identity to Public Key

[Diagram. Labels: [email protected]; Certification Authority (CA Signing Key, CA Public Key): Send Public Key, Authenticate, Receive Certificate; Certificate Server: Store Certificate, Look up Bob’s Certificate, Check revocation; Recovery Server: Store Bob’s Private Key; keys shown: CA Public Key, Bob’s Private Key, Bob’s Public Key]


Key Management - IBE
Binding is done by mathematics

[Diagram. Labels: [email protected]; IBE Key Server (Master Secret, Public Parameters): Send Identity, Authenticate, Receive Private Key; keys shown: Public Parameters, Bob’s Private Key; crossed out (X): Certificate Server (Store Certificate, Look up Bob’s Certificate, Check revocation) and Recovery Server (Store Bob’s Private Key)]


Deploying IBE Systems
Example: Email Security


Secure Email – Deployment Options Today
It’s not just Alice and Bob

[Diagram spanning Intranet, DMZ, Internet and Recipient’s Network. Labels: Virus, Audit, Archive; Normal Client; Gateway; Client with plug-in; Blackberry BES Server; System Generated Email; Web Mail (via ZDM); Mobile Devices; Client (via ZDM); Client (via plug-in)]


Email Gateways

[Diagram: Internet, Internal Network, IBE Gateway, Key Server]
1. Encrypted email arrives
2. Gateway decrypts email
3. User receives decrypted email


Inspecting Secured Data
IBE allows content inspection for end-to-end encrypted data

[Diagram: Internet, DMZ, LAN; gateways (GW); IBE Server; Virus, Audit, Archive; Exchange, Domino, etc.]
1. Encrypted email arrives
2. Email is scanned
3. User receives encrypted email


IBE Systems are extremely Scalable

IBE Key Servers are “stateless”
• No certificates to store
• No private keys to store
• No revocation lists

Easy to load-balance
• Just put two of them next to each other

Easy backup and disaster recovery
• Only master secret and policy needs to be backed up
• Size: < 100 kByte, fits on floppy disk
• Master secret is long lived, only need to back up once
• Same for 100 or 100,000 users


Total Cost of Ownership

IBE Systems have a substantially lower TCO
• Case Study: For email encryption, IBE costs 30% of PKI
• Less infrastructure needed, less additional FTE to manage solution
• Fewer components to be concerned with Disaster Recovery
• Easier user experience – less training and help desk support
[Source: Ferris Research Case Study on Voltage SecureMail]


Summary

IBE is a major breakthrough in Key Management
• Much lower total cost of ownership than PKI
• Better usability and deployment characteristics
• Highly Scalable

Where to learn more
• IEEE 1363.3, IETF S/MIME Standards
• www.voltage.com