Key Management in Cryptography

Key Management

In cryptography, distributing public and private keys between the sender and receiver can be a tedious task. If a third party (such as an attacker or eavesdropper) gains access to the key, the entire security system is compromised. Hence, securing the key exchange process becomes critical. This article discusses key management, how cryptographic keys function, types of key management, and the key management lifecycle.

What is Key Management?

Key management involves the processes and protocols for generating, storing, distributing, and managing cryptographic keys that are utilized in cryptographic algorithms to protect sensitive data. It ensures that the keys used to secure sensitive information are shielded from unauthorized access or loss. Effective key management is essential for maintaining the security of encrypted data and safeguarding digital assets from cyber threats. Proper key management guarantees the confidentiality, integrity, and availability of encrypted information by protecting cryptographic keys from unauthorized access, compromise, or loss.

How Cryptographic Keys Work?

Cryptographic keys are special codes used to encrypt (lock) and decrypt (unlock) information. In symmetric key cryptography, a single shared key is used for both encryption and decryption, meaning it must be kept secret between users. In asymmetric key cryptography, two keys are involved: a public key that can be used by anyone to encrypt messages or verify signatures, and a private key that only the owner uses to decrypt messages or create signatures. This separation makes it easier to distribute the public key openly while keeping the private key secure. Cryptographic keys are fundamental for ensuring secure communication, such as when accessing a secure website (HTTPS), where they help encrypt data and protect it from unauthorized access or criminal activity. Therefore, proper key management is crucial for maintaining the security and integrity of digital information.

Types of Key Management

Key management can be broken down into two main aspects:

Distribution of public keys.
Use of public-key encryption to distribute secrets.

Distribution of Public Keys

The public key can be distributed using four methods:

Public Announcement: In this method, the public key is broadcast to everyone. The major weakness of this method is the risk of forgery. An attacker can create a fake key pretending to be someone else and broadcast it. Until the forgery is discovered, the attacker can impersonate the claimed user.
Publicly Available Directory: Here, the public key is stored in a public directory. These directories are trusted and contain entries like {name, public-key}, with properties such as Participant Registration, access control, and modification rights. While directories can be accessed electronically, they are still vulnerable to tampering or forgery.
Public Key Authority: This approach is similar to the directory model but enhances security by having stricter controls over key distribution. Users need to know the public key of the directory. When needed, users access the directory in real-time to securely retrieve public keys.
Public Certification: In this case, an authority issues a certificate that binds a public key to an identity, facilitating key exchange without needing real-time access to the public key authority each time. The certificate includes information such as validity period and usage rights, all signed by the private key of the certificate authority. The certificate can be verified using the authority’s public key. The sender and receiver both request certificates from the certificate authority, containing their public keys, and then exchange these certificates to initiate secure communication.

Key Management Lifecycle

The key management lifecycle details the stages through which cryptographic keys are created, used, and eventually retired or destroyed. Proper management of these keys is essential for the security of cryptographic systems. Below is an overview of each stage:

Key Generation:
- Creation: Keys are generated using secure algorithms to ensure randomness and strength.
- Initialization: Keys are initialized with the specific parameters required for their intended use, such as length and cryptographic algorithm.
Key Distribution:
- Sharing: Secure methods must be used to share symmetric keys between parties.
- Publication: For asymmetric keys, the public key is shared openly, while the private key remains confidential.
Key Storage:
- Protection: Keys must be stored securely, often in hardware security modules (HSMs) or encrypted key stores, to prevent unauthorized access.
- Access Control: Only authorized users or systems should be allowed to access keys.
Key Usage:
- Application: Keys are used for their intended cryptographic purposes, such as encrypting or decrypting data, or signing and verifying messages.
- Monitoring: Key usage is monitored to detect any abnormal or unauthorized activities.
Key Rotation:
- Updating: Keys are periodically updated to reduce the risk of exposure or compromise.
- Re-Keying: New keys are generated and distributed, replacing old keys while maintaining continuous service.
Key Revocation:
- Invalidation: Keys that are no longer secure or needed are invalidated.
- Revocation Notices: For public keys, revocation certificates or notices are issued to inform others that the key should no longer be trusted.
Key Archival:
- Storage: Old keys are securely archived for future reference or compliance purposes.
- Access Restrictions: Archived keys are stored in a secure location with restricted access.
Key Destruction:
- Erasure: When keys are no longer required, they are securely destroyed to eliminate any possibility of recovery.
- Verification: The destruction process is verified to ensure that no copies of the key remains.

Implementation of Diffie-Hellman Algorithm

The Diffie-Hellman algorithm helps establish a shared secret for secure communication by exchanging data over a public network. It uses elliptic curves to generate points and derive a common secret key using specified parameters.

For simplicity, we’ll focus on four variables: a prime number PPP, a primitive root GGG, and two private values aaa and bbb. Both PPP and GGG are publicly known. Person 1 and Person 2 select private values aaa and bbb, then generate and exchange public keys. After the exchange, each person computes the same shared secret key, which can be used for encryption.

Step 1: Person 1 and Person 2 agree on public numbers P=23 and G=9
Step 2: Person 1 selects a private key a=4 and Person 2 selects a private key b=3
Step 3: Person 1 and Person 2 compute their public keys.
- Person 1: $\;x=(9^4\mod 23)=6561\mod 23=6\;$
- Person 2: $\;y=(9^3\mod 23)=729\mod 23=6\;$
Step 4: Person 1 and Person 2 exchange public keys.
Step 5: Person 1 receives y=16 and Person 2 receives x=6
Step 6: Person 1 and Person 2 compute their shared secret key:
- Person 1: $k_1=16^4\mod 23=65536\mod 23=9$
- Person 2: $\;k_2=6^3\mod 23=216\mod 23=9\;$
Step 7: The shared secret key is 9.

# Diffie-Hellman Code

# Power function to return value of a^b mod P
def power(a, b, p):
    if b == 1:
        return a
    else:
        return pow(a, b) % p

# Main function
def main():
    # Both persons agree upon the public keys G and P
    # A prime number P is taken
    P = 23
    print("The value of P:", P)

    # A primitive root for P, G is taken
    G = 9
    print("The value of G:", G)

    # Person 1 chooses the private key a
    # a is the chosen private key
    a = 4
    print("The private key a for Person 1:", a)

    # Gets the generated key
    x = power(G, a, P)

    # Person 2 chooses the private key b
    # b is the chosen private key
    b = 3
    print("The private key b for Person 2:", b)

    # Gets the generated key
    y = power(G, b, P)

    # Generating the secret key after the exchange of keys
    k1 = power(y, a, P)  # Secret key for Person 1
    k2 = power(x, b, P)  # Secret key for Person 2

    print("Secret key for Person 1 is:", k1)
    print("Secret key for Person 2 is:", k2)

if __name__ == "__main__":
    main()

Output:

The value of P : 23
The value of G : 9
The private key a for Person 1 : 4
The private key b for Person 2 : 3
Secret key for Person 1 is : 9
Secret key for Person 2 is : 9

Blockchain – Elliptic Curve Cryptography

Cryptography involves the study of methods for secure communication in the presence of adversaries. Encryption utilizes algorithms to convert plaintext into ciphertext and requires a secret key to decrypt it. There are two main types of encryption:

Symmetric-key Encryption (Secret Key Encryption): Symmetric-key algorithms use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical or have a simple transformation between them.
Asymmetric-key Encryption (Public Key Encryption): Asymmetric-key algorithms utilize a pair of related keys—a public key for encryption and a private key for decryption—to protect messages from unauthorized access or use.

Introduction to Elliptic Curve Cryptography

Elliptic Curve Cryptography (ECC) is an asymmetric encryption technique that leverages the algebraic properties of elliptic curves over finite fields. Unlike RSA, which relies on the difficulty of factoring large prime numbers, ECC employs the mathematical theory of elliptic curves to achieve equivalent security with smaller key sizes.

Victor Miller and Neal Koblitz independently proposed elliptic curve ciphers in the mid-1980s. They analogized these ciphers to existing public cryptosystems but replaced modular arithmetic with elliptic curve operations.

History of Elliptic Curve Cryptography

In 1985, Neal Koblitz and Victor S. Miller introduced the use of elliptic curves in cryptography.
Between 2004 and 2005, ECC algorithms became widely adopted.
Researchers in the 1980s discovered that elliptic curves could be a source of complex mathematical problems, thus enhancing the security of public key systems.
The term “elliptic curve” originates from the study of ellipses.
Calculating an ellipse’s surface area is straightforward, but determining its circumference involves solving a challenging integral.

Components of Elliptic Curve Cryptography

ECC Keys:
- Private Key: Generating an ECC private key is as simple as securely creating a random integer within a specific range.
- Public Key: ECC public keys are points on the elliptic curve, represented as integer coordinate pairs (x, y). These can be compressed to a single coordinate with an additional bit (odd/even).
Generator Point (Base Point):
- ECC systems use a predefined generator point, G, to create other points on the curve via multiplication by integers within the range [0…r], where r represents the order of the cyclic subgroup.

Elliptic Curve Cryptography Algorithms

ECC offers several algorithms based on elliptic curve arithmetic:

Digital Signature Algorithms:

ECDSA (Elliptic Curve Digital Signature Algorithm): Used for creating secure digital signatures.
EdDSA (Edwards-curve Digital Signature Algorithm): A faster alternative to ECDSA, particularly suited for embedded systems, with better resistance to side-channel attacks.

Encryption Algorithms:

ECIES (Elliptic Curve Integrated Encryption Scheme): Combines public-key cryptography with a symmetric cipher for versatile encryption.
EC-based ElGamal Encryption: An adaptation of the ElGamal scheme that relies on elliptic curve discrete logarithms.

Key Agreement Algorithms:

ECDH (Elliptic Curve Diffie-Hellman): Enables two parties to establish a shared secret over an insecure channel using elliptic curve key pairs.
FHMQV (Fully Hashed Menezes-Qu-Vanstone): An authenticated protocol based on the Diffie-Hellman scheme, offering security against active attackers.

Applications of Elliptic Curve Cryptography

Diffie-Hellman Key Exchange: ECC simplifies the exchange of secret keys between two parties.
Digital Signatures: Widely used in blockchain technologies like Bitcoin and Ethereum.
Online Encryption: ECC’s efficiency and reduced key size make it suitable for modern web applications.
Blockchain Applications: ECC underpins the cryptographic security of cryptocurrencies and digital ledgers.

ECC vs RSA

ECC offers significant advantages over RSA, including smaller key sizes, faster encryption processes, and reduced bandwidth requirements. Below is a comparison of key lengths for equivalent security:

Security (Bits)	RSA Key Length	ECC Key Length
80	1024	160-223
112	2048	224-255
128	3072	256-383
192	7680	384-511
256	15360	512+

Elliptic Curve Diffie-Hellman Protocol Implementation

Prerequisites:

Python basics
Cryptography fundamentals
Understanding of ECC and ECDH protocols

Install the required library using:

pip install tinyec

Example Python Code:

from tinyec import registry
import secrets

def compress(publicKey):
    return hex(publicKey.x) + hex(publicKey.y % 2)[2:]

curve = registry.get_curve('brainpoolP256r1')
Ka = secrets.randbelow(curve.field.n)
X = Ka * curve.g
print("X:", compress(X))
Kb = secrets.randbelow(curve.field.n)
Y = Kb * curve.g
print("Y:", compress(Y))
A_SharedKey = Ka * Y
B_SharedKey = Kb * X
print("Shared Keys Match:", A_SharedKey == B_SharedKey)

Types of Security Attacks

Side-channel Attacks: Exploit unintended information leakage during ECC processing.
Backdoor Attacks: Potential vulnerabilities introduced by malicious actors into pseudo-random generators.
Quantum Computing
Attacks: Quantum algorithms like Shor’s can potentially break ECC.

Benefits of Elliptic Curve Cryptography

Fast Key Generation: Quickly creates secure keys.
Smaller Key Size: Offers robust security with shorter keys compared to RSA.
Low Latency: Reduces delays in cryptographic operations.
Efficient Computation: Requires less computational power, ideal for resource-constrained environments.
High Security: Provides strong encryption equivalent to much larger RSA keys.

Limitations of Elliptic Curve Cryptography

Larger Encryption Size: Produces larger ciphertext compared to RSA.
Complex Implementation: More challenging to implement securely.
Binary Curve Processing Costs: Computational overhead associated with binary curve operations.