1. Field of the Invention
The present invention relates to providing security in communications across computer networks. More specifically, the present invention relates to a method and an apparatus for providing a key distribution center for clients and servers on a computer network that operates without having to store long-term server secrets.
2. Related Art
The advent of computer networks has led to an explosion in the development of applications that transfer information between computer systems across computer networks.
One problem with sending information across computer networks is that it is hard to ensure that sensitive information is kept confidential. This is because a message containing sensitive information can potentially traverse many different computer networks and many different computer systems before it arrives at its ultimate destination. An adversary can potentially intercept a message at any of these intermediate points along the way.
One way to remedy this problem is to “encrypt” sensitive data using an encryption key so that only someone who possesses a corresponding decryption key can decrypt the data. (Note that for commonly used symmetric encryption mechanisms the encryption key and the decryption key are the same key.) For example, a person sending sensitive data across a computer network can encrypt the sensitive data using the encryption key before it is sent across a computer network. At the other end, the recipient of the data can use the corresponding decryption key to decrypt the data.
Standards, such as Kerberos, have been developed to manage hundreds and potentially thousands of different keys that can be used to encrypt communications in a distributed computer system. Under Kerberos, a system can make use of a key distribution center (KDC) that stores a long-term secret for each principal in a domain. If a principal, Alice, wants to talk to another principal, Bob, Alice authenticates to the KDC, and then requests from the KDC a session key to use to talk to Bob as well as a “ticket to Bob”. (Note that Alice can authenticate to the KDC using a password or long-term secret. Alternatively, Alice can authenticate beforehand.) The “ticket to Bob” is a message to Bob encrypted with a secret shared between Bob and the KDC. This message includes Alice's name and the session key to be used in communicating between Bob and Alice. Alice can then send Bob this “ticket to Bob” in order to enable Alice to communicate with Bob using the session key.
Kerberos also specifies how to create a “ticket granting ticket” (TGT). In order for a workstation not to keep a principal's long-term secret around for a long time, when a principal first logs on to a workstation (and presumably before he can start running potentially malicious software), the workstation requests a TGT from the KDC. This TGT is encrypted with a key known to the KDC and includes the principal's name and a session key to be used in communicating between the principal and the KDC. By using the TGT, the workstation is able, for the next several hours, to forget the principal's long-term secret and only needs to remember the session key and the TGT. Note that it is advantageous not to keep the principal's long-term secret on the workstation for a long period of time, because the long-term secret can potentially fall into the hands of an adversary who momentarily obtains access to the workstation.
Note that using a KDC introduces a security vulnerability because someone who captures the database used by the KDC has access to all of the principals' long-term secrets. Also note that long-term secrets typically include principals' passwords and servers' pre-shared keys. Hence, momentary compromise of the KDC can allow an unauthorized party to impersonate clients and servers until these long-term secrets are changed.
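The ticket exchange and the TGT logon described in the two preceding paragraphs, as an added, simplified model that is not from the patent or from any Kerberos implementation. The principal names, the JSON ticket body, and the toy encrypt-then-MAC cipher built from HMAC-SHA256 are assumptions chosen so the example runs with the standard library alone; they illustrate where each key is used, not Kerberos's real message formats.

```python
import hashlib, hmac, json, os

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 counter keystream of n bytes; a stand-in for a real cipher mode.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def _subkeys(key: bytes):
    return [hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac")]
def seal(key: bytes, fields: dict) -> bytes:
    # Toy encrypt-then-MAC of a JSON body; shows the role of the shared secret, not Kerberos's real format.
    enc_key, mac_key = _subkeys(key)
    nonce, pt = os.urandom(16), json.dumps(fields).encode()
    ct = bytes(p ^ s for p, s in zip(pt, _stream(enc_key, nonce, len(pt))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("rejected: bad tag (tampered, or sealed under a different key)")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(enc_key, nonce, len(ct)))))

class KDC:
    def __init__(self, long_term_keys: dict):
        self.db = dict(long_term_keys)   # principal -> long-term secret: the table a KDC compromise exposes
        self.tgt_key = os.urandom(32)    # known only to the KDC; seals ticket granting tickets

    def logon(self, client: str):
        # Initial authentication: client<->KDC session key wrapped under the client's secret, plus a TGT.
        sk = os.urandom(32).hex()
        return seal(self.db[client], {"key": sk}), seal(self.tgt_key, {"client": client, "key": sk})

    def request_ticket(self, tgt: bytes, server: str):
        # Later requests are authenticated by the TGT, so the workstation no longer needs its long-term secret.
        who = unseal(self.tgt_key, tgt)
        sk = os.urandom(32).hex()
        reply = seal(bytes.fromhex(who["key"]), {"server": server, "key": sk})
        ticket = seal(self.db[server], {"client": who["client"], "key": sk})   # the "ticket to server"
        return reply, ticket

def run_exchange():
    keys = {"alice": os.urandom(32), "bob": os.urandom(32)}   # constructed long-term secrets
    kdc = KDC(keys)
    wrapped, tgt = kdc.logon("alice")
    kdc_session = bytes.fromhex(unseal(keys["alice"], wrapped)["key"])   # workstation can now drop keys["alice"]
    reply, ticket = kdc.request_ticket(tgt, "bob")
    alice_side = unseal(kdc_session, reply)["key"]
    seen_by_bob = unseal(keys["bob"], ticket)   # Bob reads the ticket without contacting the KDC
    return seen_by_bob["client"], seen_by_bob["key"] == alice_side
```

Every secret Bob needs to trust the ticket sits in `kdc.db`, which is exactly why the next paragraph treats capture of that database as a compromise of every principal.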
It is preferable for the KDC to only maintain public keys for the principals. These public keys can be used to encrypt messages so that only entities holding corresponding private keys (the principals) can decrypt the messages. Note that an adversary who captures a public key stored in the KDC is unable to decrypt a message encrypted with the public key. To this end, an Internet Engineering Task Force (IETF) draft entitled, “Public Key Cryptography for Initial Authentication in Kerberos” (http://search.ietf.org/internet-drafts/draft-ietf-cat-kerberos-pk-init-12.txt) discloses how users can initially authenticate to the KDC with public key cryptography by storing public keys for users at a KDC, or having users present a certificate.
Unfortunately, performing decryption using a private key is a computationally intensive task, which requires considerably more computational effort than performing decryption using a symmetric key. What is needed is a method and apparatus for facilitating encryption and decryption that provides the security of using a private key without sacrificing the performance of using a symmetric key.