The primary disadvantage of symmetric cryptography is the difficulty distributing the secret keys. A key cannot be transmitted securely over data channels, unless it is encrypted. Encrypting the key, however, requires another key. At some point, a plaintext key needs to be exchanged between communicating partners. One solution is to manually distribute the key (e.g., by registered mail). Manual distribution, however, is costly, time consuming, and prone to errors. Two automated approaches for distributing secret keys are discussed in this section: the ANSI (American National Standards Institute) standard X9.17, ``Financial Institution Key Management'' [ANS85] [FIP92], and the Diffie/Hellman key exchange.
ANSI X9.17 was developed to address the need of financial institutions to transmit securities and funds securely using an electronic medium. Specifically, it describes the means to assure the secrecy of keys.
The ANSI X9.17 approach is based on a hierarchy of keys. At the bottom of the hierarchy are data keys (DKs). Data keys are used to encrypt and decrypt messages. They are given short lifespans, such as one message or one connection. At the top of the hierarchy are key encrypting keys (KKMs). KKMs, which must be distributed manually, are afforded longer lifespans than data keys. Using the two tier model, the KKMs are used to encrypt the data keys. The data keys are then distributed electronically to encrypt and decrypt messages.
The two tier model may be enhanced by adding another layer to the hierarchy. In the three tier model, the KKMs are not used to encrypt data keys directly, but to encrypt other key encrypting keys (KKs). The KKs, which are exchanged electronically, are used to encrypt the data keys. Figure 11.3 illustrates the exchange of keys between two parties using the three tier model.
Figure 11.3: Point-to-Point Environment.
To exchange keys, one of the communicating parties creates a special message defined in X9.17, called a CSM (Cryptographic Service Message). CSMs are fixed-formatted messages used to establish new keys or discontinue use of existing keys. The CSM originator includes a MAC with the message (as specified in X9.9, ``Message Authentication Standard'' [ANS86]) to guarantee its integrity.
Figure 11.3 illustrates two users exchanging key material directly. This environment is known as Point-to-Point. The ANSI X9.17 standard describes two other environments for key distribution: Key Distribution Centers and Key Translation Centers. The key centers allow centralized management of keys. Rather than two parties sharing a KKM, each party shares a KKM with the center. The centralized management environment is shown in figure 11.4.
Figure 11.4: Centralized Management Environment.
The difference between the Key Distribution Center and the Key Translation Center is that the Key Distribution Center generates keys for its users. If an originator wants to send an encrypted message to a recipient, the originator submits the request to the Key Distribution Center. The Center generates and returns two identical keys to the originator. The first key is encrypted using the KKM shared between the Center and the originator. The originator decrypts the key, and uses it to encrypt the message. The second key is encrypted using the KKM shared between the Center and the recipient. The originator transfers this key electronically to the recipient. The recipient decrypts the key, and uses it to decrypt the originator's message.
Key Translation Centers are used when two parties require the key management functions provided by the center, but one or both of the parties want to generate the KKs and DKs. In this scenario, the originator submits a key and the recipient name to the Center. The Center encrypts the key using the KKM shared between the Center and the recipient, and returns the encrypted key to the originator. The originator transfers the key electronically to the recipient.
The advantages of the key centers are flexibility and efficiency. Users only need to exchange and store one KKM (with the center), rather than one KKM per communications partner. The center administers the distribution of KKMs for all its users. One disadvantage of key centers is cost. Communication partners can reduce cost by first exchanging a KK with the aid of a key center, then distributing DKs using the Point-to-Point approach.
A different type of solution to the problem of secret key distribution is the Diffie/Hellman key exchange. The Diffie/Hellman key exchange allows certain information to be transmitted publicly, in order for two users to compute a shared key. The two users first agree upon a prime number and a primitive root, both of which may be public. Each user then selects a random number, computes some result based on the random number, the prime number, and the primitive root, and sends this result to the other user. Each user then performs one last computation based on the prime number, the user's own random number, and the result from the other user. This final computation yields a single value, which is the same for each user. This value can be used to generate secret keys.
The Diffie/Hellman key exchange is illustrated in figure 11.5.
Boxes in the figure are divided into two parts: the top part describes
the mathematical computation, and the bottom part applies the computation to
example values. The example values are trivial; their purpose is to
illustrate the technique. In an implementation, the prime number and
primitive root would be of the magnitude 
to 
.
Figure 11.5: Diffie/Hellman Key Exchange.
The security of the Diffie/Hellman exchange is based on the difficulty in computing discrete logarithms. In other words, knowing the public values (i.e., the prime number, p, and its primitive root, g), the value transmitted over the insecure channel (i.e., y), and that
y =does not yield x, and thus, does not yield the key, K.modulo p, for some x
The Diffie/Hellman key exchange does not provide authentication. If in figure 11.5, an intruder intercepts y(B) and transmits a different value, User A would establish a secret key with the intruder, rather than with User B. The Diffie/Hellman procedure needs to be augmented with some authentication mechanism.