24.2

Key Translation Center (KTC)

  • Trusted server that lets two parties who share no key with each other communicate securely; each party shares a long-term symmetric key only with the KTC.

  • Key translation (unwrap/rewrap): A encrypts a session key under the key it shares with the KTC; the KTC decrypts it and re-encrypts it under the key it shares with B. The KTC does not choose the session key, which is what distinguishes it from a KDC.

  • Each party establishes one long-term key with the KTC instead of a key with every other party; the trade-off is that the KTC sees every translated session key in the clear, so its compromise exposes all of them.

  • Symmetric-key certificates let the KTC avoid storing per-user secrets: each user's identity and long-term key are encrypted under a master key held only by the KTC and handed to the user, who presents the result with each request; the KTC keeps only its master key.
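The translation step and the symmetric-key certificate idea above, as an added example that is not part of these notes. The wrap()/unwrap() cipher, the 4-byte identifiers, the "symcert" context label and the convention that the requester supplies both certificates are assumptions of the example; a real KTC would use a standard AEAD or key-wrap algorithm.

```python
# Added example (not from the page): a KTC translating a session key from A's long-term key
# to B's, storing no per-user secret because each user holds a symmetric-key certificate,
# that is, its ID and long-term key encrypted under the KTC master key KM. wrap()/unwrap()
# are a toy encrypt-then-MAC on HMAC-SHA256 so the example runs on the standard library;
# a real KTC would use an AEAD or a key-wrap algorithm such as AES-KW (RFC 3394).
import hashlib, hmac, secrets, struct

ID_LEN, KEY_LEN, NONCE_LEN, TAG_LEN = 4, 32, 16, 32

def _keystream(key, nonce, length):                  # HMAC in counter mode
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _subkeys(key):                                    # separate encryption and MAC keys
    return hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")

def wrap(key, aad, plaintext):
    """nonce || ciphertext || HMAC(mac_key, aad || nonce || ciphertext); aad is authenticated, not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.digest(mac_key, aad + nonce + ct, "sha256")

def unwrap(key, aad, blob):
    enc_key, mac_key = _subkeys(key)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.digest(mac_key, aad + body, "sha256")):
        raise ValueError("authentication failed: wrong key, wrong context, or tampered blob")
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def rejects(key, aad, blob):                          # True if unwrap() refuses the blob
    try:
        unwrap(key, aad, blob)
        return False
    except ValueError:
        return True

class KTC:
    def __init__(self):
        self.km = secrets.token_bytes(KEY_LEN)        # the only long-term secret the KTC keeps

    def enroll(self, ident):
        """Issue a user its long-term key and a symmetric-key certificate E(KM, ID || K_user).
        The certificate is not secret; the user presents it with every request."""
        k_user = secrets.token_bytes(KEY_LEN)
        return k_user, wrap(self.km, b"symcert", ident + k_user)

    def _open_cert(self, cert):
        plain = unwrap(self.km, b"symcert", cert)
        return plain[:ID_LEN], plain[ID_LEN:]

    def translate(self, cert_a, cert_b, wrapped_by_a):
        """Unwrap Ks under K_A and rewrap it under K_B. Both certificates come from the requester
        (an assumption of this example); the AAD binds sender and recipient IDs so a blob A wrapped
        for B cannot be resubmitted as if destined for someone else."""
        id_a, k_a = self._open_cert(cert_a)
        id_b, k_b = self._open_cert(cert_b)
        ks = unwrap(k_a, id_a + id_b, wrapped_by_a)
        return wrap(k_b, id_a + id_b, ks)

def run_translation():
    """A and B enroll once; A picks Ks and the KTC translates it for B. Returns the pieces a caller
    needs to check the outcome: A's Ks, B's recovered Ks, B's long-term key and the blob sent to B."""
    ktc = KTC()
    k_a, cert_a = ktc.enroll(b"A001")
    k_b, cert_b = ktc.enroll(b"B002")
    ks = secrets.token_bytes(KEY_LEN)
    for_ktc = wrap(k_a, b"A001" + b"B002", ks)          # A -> KTC: Ks under K_A, intended for B
    for_b = ktc.translate(cert_a, cert_b, for_ktc)      # KTC -> B: the same Ks under K_B
    return {"ks_a": ks, "ks_b": unwrap(k_b, b"A001" + b"B002", for_b), "k_b": k_b, "for_b": for_b}
```

Call run_translation(): A and B end up holding the same Ks although A never had a key shared with B, and unwrap() refuses the blob under a wrong recipient context or a wrong key. Note that the KTC handles Ks in the clear inside translate(), which is the trust the notes above place in it.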

Key Distribution Center (KDC)

  • Trusted server similar to a KTC, but it generates the session key itself and distributes it to both parties; the Kerberos KDC is the common example.

  • Components (Kerberos):

    • Authentication Service (AS): verifies the user's identity using the user's long-term key and issues a Ticket Granting Ticket (TGT).

    • Ticket Granting Service (TGS): on presentation of a valid TGT, issues a service ticket for a specific network resource.

  • Process: the client authenticates once to the AS to obtain a TGT, then presents the TGT to the TGS for a service ticket each time it needs access to a service, so the long-term key is used only at login.

Symmetric Key Distribution via Asymmetric Encryption

  • Public-key encryption is too slow for bulk data; its role is to distribute a symmetric (secret) key, which then protects the data.

Public-Key Distribution of Secret Keys

  1. Initiator A encrypts, with B's public key, a message containing A's identifier and a nonce N1, and sends it to B: E(PU_b, [ID_A || N1]).

  2. Responder B replies with E(PU_a, [N1 || N2]): A's nonce N1 and a new nonce N2, encrypted with A's public key. Returning N1 assures A that the responder is B, since only B could have decrypted message 1.

  3. A returns N2 encrypted with B's public key, E(PU_b, N2), which assures B that its correspondent is A, since only A could have decrypted message 2.

  4. A selects a secret key Ks and sends M = E(PU_b, E(PR_a, Ks)): encryption with B's public key ensures only B can read it, and encryption with A's private key ensures only A could have sent it.

  5. B computes D(PU_a, D(PR_b, M)) to recover Ks.
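The five steps above run end to end with both sides' messages, as an added example rather than code from these notes. The RSA is toy textbook RSA (no padding, 192- and 256-bit moduli) so the example runs on the Python standard library; the field widths, the identifier b"A001" and the class and method names are assumptions of the example. In a real system the "encrypt with A's private key" of step 4 would be a signature and the outer layer an OAEP or hybrid encryption.

```python
# Added example (not from the page): the five steps above run end to end, both sides included.
# Toy textbook RSA (no padding, 192/256-bit moduli) stands in for a real library so it runs
# on the standard library alone; E(PR_a, .) below is raw private-exponent exponentiation.
import secrets

def _is_probable_prime(n, rounds=32):                # Miller-Rabin
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(c):
            return c

def generate_keypair(bits, e=65537):
    """Return ((n, e), (n, d)); a key is (modulus, exponent)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                        # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa(key, m):
    """E(PU, m) and E(PR, m) are the same operation with different exponents."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message does not fit under this modulus")
    return pow(m, exp, n)

ID_LEN, NONCE_LEN, KEY_LEN = 4, 8, 16                  # fixed-width fields packed big-endian into one int

def pack(*fields):
    return int.from_bytes(b"".join(fields), "big")

def unpack(value, *lengths):
    raw = value.to_bytes(sum(lengths), "big")        # OverflowError if the plaintext has the wrong shape
    out, pos = [], 0
    for length in lengths:
        out.append(raw[pos:pos + length])
        pos += length
    return out

class Initiator:                                      # A
    def __init__(self, ident, pub_a, priv_a, pub_b):
        self.ident, self.pub_a, self.priv_a, self.pub_b = ident, pub_a, priv_a, pub_b
    def message1(self):                               # (1) E(PU_b, [ID_A || N1])
        self.n1 = secrets.token_bytes(NONCE_LEN)
        return rsa(self.pub_b, pack(self.ident, self.n1))
    def message3(self, msg2):                         # (3) check N1, reply E(PU_b, N2)
        n1, n2 = unpack(rsa(self.priv_a, msg2), NONCE_LEN, NONCE_LEN)
        if n1 != self.n1:                             # only the holder of PR_b could have read N1
            raise ValueError("N1 mismatch: responder is not B")
        return rsa(self.pub_b, pack(n2))
    def message4(self):                               # (4) E(PU_b, E(PR_a, Ks))
        self.ks = secrets.token_bytes(KEY_LEN)
        return rsa(self.pub_b, rsa(self.priv_a, pack(self.ks)))

class Responder:                                      # B
    def __init__(self, pub_b, priv_b, pub_a):
        self.pub_b, self.priv_b, self.pub_a = pub_b, priv_b, pub_a
    def message2(self, msg1):                         # (2) E(PU_a, [N1 || N2])
        self.peer_id, n1 = unpack(rsa(self.priv_b, msg1), ID_LEN, NONCE_LEN)
        self.n2 = secrets.token_bytes(NONCE_LEN)
        return rsa(self.pub_a, pack(n1, self.n2))
    def verify3(self, msg3):                          # only the holder of PR_a could have read N2
        (n2,) = unpack(rsa(self.priv_b, msg3), NONCE_LEN)
        if n2 != self.n2:
            raise ValueError("N2 mismatch: initiator is not A")
    def recover_key(self, msg4):                      # (5) D(PU_a, D(PR_b, M))
        (ks,) = unpack(rsa(self.pub_a, rsa(self.priv_b, msg4)), KEY_LEN)
        return ks

def run_exchange():
    """Run all five steps and return (A's Ks, B's Ks). B's modulus is made larger than A's
    so that E(PR_a, Ks), which is < n_a, always fits under n_b in step 4."""
    pub_a, priv_a = generate_keypair(192)
    pub_b, priv_b = generate_keypair(256)
    a, b = Initiator(b"A001", pub_a, priv_a, pub_b), Responder(pub_b, priv_b, pub_a)
    b.verify3(a.message3(b.message2(a.message1())))
    ks_b = b.recover_key(a.message4())
    return a.ks, ks_b
```

run_exchange() returns the same 16-byte Ks on both sides. The nonce checks are what make steps 2 and 3 meaningful: a reply whose N1 does not match what A sent is refused, because anyone other than B would have had to guess N1. The modulus-size remark in run_exchange() is a practical detail of nesting two raw RSA operations that the protocol description leaves implicit.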

Public Key Certificates

  • Binds a public key to its owner: contains the public key, an identifier of the owner, and the signature of a trusted certification authority (CA) over both.

  • Participants can exchange public keys by exchanging certificates, without contacting a public-key authority for each exchange; only the CA's public key must be known in advance to verify the signature.

  • Requirements for a usable certificate scheme: any participant can read a certificate to learn the owner's name and public key; any participant can verify that it originated from the CA and was not altered; only the CA can create and update certificates; and any participant can check its period of validity.

X.509 Certificates

  • Standard format for public key certificates, used extensively in protocols such as TLS/SSL, S/MIME and IPsec (IKE).

  • Defines a framework for authentication services built on the X.500 directory, and the certificate format itself: serial number, issuer, validity period, subject name and subject public key, among other fields.

  • Signed by a trusted certification authority; the signature covers all other fields, so a relying party verifies it with the CA's public key before trusting any of them.

  • Versions 2 and 3 added optional issuer and subject unique identifiers; version 3 added extensions (for example key usage, subject alternative name and basic constraints), which is where most modern policy is expressed.
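How the fields named above sit in the wire format, as an added example rather than code from these notes: a minimal TBSCertificate (the to-be-signed part of an X.509 certificate) is built in DER from constructed sample values and parsed back with a small TLV walker. The sample serial, names, dates and the 8-byte placeholder "key" are constructed; the OIDs for sha256WithRSAEncryption, rsaEncryption and commonName are the real ones. The signature, which a CA computes over exactly these DER bytes, is not produced here.

```python
# Added example (not from the page): how the X.509 fields discussed here are laid out in DER.
# A minimal TBSCertificate is built from constructed sample values and parsed back with a small
# TLV walker. Only the to-be-signed body is shown; the CA's signature covers exactly these bytes.
import datetime
UTC = datetime.timezone.utc

def der(tag, body):                      # one TLV: tag, definite length (short < 128, else long form), content
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(v):                          # INTEGER: minimal two's-complement, big-endian
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def der_oid(dotted):                     # OBJECT IDENTIFIER: first two arcs packed, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return der(0x06, bytes(out))

def der_name(cn):                        # Name = SEQUENCE OF SET OF AttributeTypeAndValue; CN only here
    atv = der(0x30, der_oid("2.5.4.3") + der(0x0C, cn.encode()))      # id-at-commonName, UTF8String
    return der(0x30, der(0x31, atv))

def der_utctime(dt):                     # UTCTime: YYMMDDHHMMSSZ
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_tbs(serial, issuer_cn, subject_cn, not_before, not_after, key_bits, version=2):
    """TBSCertificate per RFC 5280 4.1.1; version is [0] EXPLICIT and omitted for v1 (value 0)."""
    sig_alg = der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))    # sha256WithRSAEncryption
    spki = der(0x30, der(0x30, der_oid("1.2.840.113549.1.1.1") + der(0x05, b""))  # rsaEncryption
                + der(0x03, b"\x00" + key_bits))                                # BIT STRING, 0 unused bits
    body = der(0xA0, der_int(version)) if version else b""
    body += der_int(serial) + sig_alg + der_name(issuer_cn)
    body += der(0x30, der_utctime(not_before) + der_utctime(not_after))
    return der(0x30, body + der_name(subject_cn) + spki)

def read_tlv(buf, pos=0):                # -> (tag, content, position after this TLV)
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

def children(content):                   # all TLVs directly inside a constructed value
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def parse_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_name(body):                    # {attribute type OID: value} over every RDN
    return {parse_oid(children(atv)[0][1]): children(atv)[1][1].decode()
            for _, rdn in children(body) for _, atv in children(rdn)}

def parse_tbs(tbs):
    """Return the TBSCertificate fields as a dict; version is 1 when the [0] element is absent."""
    tag, content, _ = read_tlv(tbs)
    if tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    fields, version = children(content), 1
    if fields[0][0] == 0xA0:
        version, fields = int.from_bytes(children(fields[0][1])[0][1], "big") + 1, fields[1:]
    serial, sig_alg, issuer, validity, subject, spki = fields[:6]
    times = [datetime.datetime.strptime(t.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=UTC)
             for _, t in children(validity[1])]   # UTCTime only; RFC 5280 pivots YY at 50, strptime at 69
    alg, key = children(spki[1])
    return {"version": version, "serial": int.from_bytes(serial[1], "big", signed=True),
            "signature_algorithm": parse_oid(children(sig_alg[1])[0][1]),
            "issuer": parse_name(issuer[1]), "not_before": times[0], "not_after": times[1],
            "subject": parse_name(subject[1]), "spki_algorithm": parse_oid(children(alg[1])[0][1]),
            "spki_key_bits": key[1][1:]}         # first BIT STRING byte is the unused-bits count

def sample_tbs(version=2):
    """Constructed sample values; the 8-byte 'key' is a placeholder, not a real public key."""
    return build_tbs(0x1A2B3C, "Example Root CA", "www.example.com", datetime.datetime(2024, 1, 1, tzinfo=UTC),
                     datetime.datetime(2025, 1, 1, tzinfo=UTC), bytes.fromhex("3006020103020105"), version)
```

parse_tbs(sample_tbs()) reports version 3; parse_tbs(sample_tbs(version=0)) reports version 1 because the [0] element is absent, which is the DER DEFAULT rule a hand-written parser most often gets wrong. The sample body is longer than 127 bytes, so encoder and parser both exercise the long-form length. Real certificates add optional unique identifiers and the v3 extensions after the subject public key info, and a production parser must also accept GeneralizedTime and the other string types in names.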

Basic Structure of X.509 Certificate

  • Version: v1, v2 or v3 (encoded as 0, 1 or 2); the field is omitted in DER when the certificate is v1.

  • Serial Number: integer unique among the certificates issued by this CA; issuer name plus serial number identifies a certificate uniquely, which is how revocation lists refer to it.

  • Issuer Name: X.500 distinguished name of the CA that created and signed the certificate.

  • Validity Period: notBefore and notAfter times; the certificate must not be trusted outside this interval.

  • Subject Public Key Info: the subject's public key together with the identifier of the algorithm (and any parameters) it is to be used with.