Key Management and Distribution

What is Key Management?

Key management deals with:

  • Creating cryptographic keys
  • Distributing keys securely
  • Storing keys safely
  • Updating and revoking keys

Without proper key management, encryption is useless, even if the algorithm is strong.

Symmetric Key Distribution

What is Symmetric Key Cryptography?

  • Same secret key is used for encryption and decryption
  • Both sender and receiver must know the key

Main Problem

How to share the secret key securely?

Methods of Symmetric Key Distribution

| Method | Explanation |
|---|---|
| Physical delivery | Hand-delivering key |
| Trusted third party | Key Distribution Center (KDC) |
| Previous shared key | Old key used to send new key |
| Secure channel | Using protected medium |

Key Distribution Center (KDC)

A trusted server that distributes keys to users.

Working (Simple)

  • User A requests key for B
  • KDC generates session key
  • KDC sends key securely to both

Real-Life Example

  • Office ID card system
  • Kerberos authentication
  • Bank internal networks

Limitation of Symmetric Key Distribution

| Issue | Reason |
|---|---|
| Scalability | Too many keys |
| Secure delivery | Key can be intercepted |
| Trust dependency | KDC must be trusted |

Diffie–Hellman Key Exchange

What is Diffie–Hellman?

Diffie–Hellman is a key exchange algorithm that allows two parties to generate a shared secret key over an insecure channel.

No key is sent directly

Diffie–Hellman Algorithm Steps

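  1. Publicly agree on:

    • Prime number p

    • Generator g

  2. User A chooses secret a

  3. User B chooses secret b

  4. Exchange public values:

     $A = g^a \bmod p$ (sent by A)

     $B = g^b \bmod p$ (sent by B)

  5. Shared secret, computed by each side from the other's public value and its own secret:

     $K = B^a \bmod p = A^b \bmod p = g^{ab} \bmod p$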

Why It Is Secure

  • Based on Discrete Logarithm Problem
  • Attacker sees p, g, A, B but cannot compute a or b

Real-Life Example

  • HTTPS (SSL/TLS)
  • Wi-Fi security
  • Secure messaging apps

Limitation: Vulnerable to Man-in-the-Middle attack if not authenticated
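The steps and the limitation above, as an added example that is not part of the original notes: both parties derive the same key without sending it, an unauthenticated exchange leaves them with different keys when a public value is replaced in transit, and authenticating the public values detects the replacement. The toy prime, the generator choice and the pre-shared authentication key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy parameters (constructed): 2**127 - 1 is prime but far too small for
# real use; deployments use standardized 2048-bit+ groups or elliptic curves.
P = 2**127 - 1
G = 3

def keypair():
    """Return (secret exponent, public value g^secret mod p)."""
    secret = secrets.randbelow(P - 3) + 2          # uniform in 2 .. p-2
    return secret, pow(G, secret, P)

def shared_key(peer_public, my_secret):
    """Derive a 32-byte key from K = peer_public^my_secret mod p."""
    if not 1 < peer_public < P - 1:                # reject 0, 1 and p-1
        raise ValueError("invalid public value")
    k = pow(peer_public, my_secret, P)
    return hashlib.sha256(k.to_bytes(16, "big")).digest()

def tag(auth_key, sender, public):
    """MAC over a public value, keyed with a pre-shared key (assumption)."""
    msg = sender.encode() + b"|" + public.to_bytes(16, "big")
    return hmac.new(auth_key, msg, hashlib.sha256).digest()

def accept(auth_key, sender, public, received_tag):
    """Accept a peer's public value only if its tag verifies."""
    return hmac.compare_digest(tag(auth_key, sender, public), received_tag)

def demo():
    a, A = keypair()
    b, B = keypair()
    # Honest run: both sides reach the same key; only A and B were sent.
    honest = shared_key(B, a) == shared_key(A, b)

    # Unauthenticated run: A receives a replaced value M instead of B.
    m, M = keypair()
    a_key = shared_key(M, a)
    split = a_key != shared_key(A, b) and a_key == shared_key(A, m)

    # Authenticated run: B's tag does not verify for the replaced value.
    auth_key = secrets.token_bytes(32)
    b_tag = tag(auth_key, "B", B)
    return honest, split, accept(auth_key, "B", B, b_tag), accept(auth_key, "B", M, b_tag)
```

In TLS the same role is played by a signature over the exchange made with the key in the server's certificate rather than by a pre-shared MAC key.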

Public Key Distribution

What is Public Key Distribution?

Public key distribution ensures users receive the correct public key of another user.

Methods of Public Key Distribution

| Method | Description |
|---|---|
| Public announcement | Broadcast key publicly |
| Public directory | Central database |
| Public key authority | Trusted authority |
| Certificates | Digitally signed keys |

Best Method: Digital Certificates (X.509)

Used globally in internet security.

X.509 Certificates

What is an X.509 Certificate?

An X.509 certificate is a digital document that:

  • Binds a public key to an identity
  • Is issued by a Certificate Authority (CA)

Contents of X.509 Certificate

| Field | Description |
|---|---|
| Version | Certificate version |
| Serial number | Unique ID |
| Subject | Owner name |
| Public key | User’s public key |
| Validity | Expiry date |
| Issuer | Certificate Authority |
| Signature | CA’s digital signature |

How Certificate Works

  • CA verifies identity
  • CA signs certificate using its private key
  • Anyone can verify using CA’s public key

Real-Life Example

  • HTTPS websites
  • Online banking
  • Digital signatures
  • E-commerce portals

Public Key Infrastructure (PKI)

What is PKI?

Public Key Infrastructure (PKI) is a complete framework that manages:

  • Digital certificates
  • Public & private keys
  • Certificate Authorities

Components of PKI

| Component | Role |
|---|---|
| Certificate Authority (CA) | Issues certificates |
| Registration Authority (RA) | Verifies identity |
| Certificate Repository | Stores certificates |
| Revocation system | Cancels certificates |
| Users | Certificate holders |

PKI Functions

  • Key generation
  • Certificate issuance
  • Certificate revocation (CRL)
  • Trust management

Real-Life Use of PKI

  • SSL/TLS
  • E-governance
  • Digital signatures
  • Corporate security

Comparison Table (Exam Favorite)

| Aspect | Symmetric | Diffie-Hellman | Public Key |
|---|---|---|---|
| Key type | Same key | Shared secret | Public/Private |
| Speed | Fast | Medium | Slow |
| Security | Key distribution issue | Secure exchange | Very secure |
| Use | Bulk data | Key exchange | Authentication |

Final Quick Revision Table

| Topic | Key Point |
|---|---|
| Key Management | Controls encryption keys |
| Symmetric Distribution | Uses shared secret |
| Diffie-Hellman | Secure key exchange |
| Public Key Distribution | Identity verification |
| X.509 | Digital certificate |
| PKI | Trust infrastructure |

Authentication Applications & Electronic Mail Security

What are Authentication Applications?

Authentication applications are systems that verify the identity of users before allowing access to:

  • Networks
  • Servers
  • Emails
  • Online services

They ensure:

  • Only authorized users get access
  • Communication remains secure and trustworthy

Kerberos Authentication System

What is Kerberos?

Kerberos is a network authentication protocol that uses tickets and symmetric key cryptography to authenticate users securely.

It works on the concept of a trusted third party.

Why Kerberos Is Needed

  • Passwords are not sent over the network
  • Prevents replay attacks
  • Provides single sign-on (SSO)

Main Components of Kerberos

| Component | Role |
|---|---|
| Client | User requesting service |
| Authentication Server (AS) | Verifies user |
| Ticket Granting Server (TGS) | Issues service tickets |
| Key Distribution Center (KDC) | AS + TGS |
| Application Server | Provides service |

Working of Kerberos (Step-by-Step)

  • User logs in → sends request to AS
  • AS verifies user → sends Ticket Granting Ticket (TGT)
  • Client sends TGT to TGS
  • TGS issues Service Ticket
  • Client accesses server using ticket

Password is never transmitted

Real-Life Use of Kerberos

  • Windows Active Directory
  • Corporate networks
  • University login systems

Advantages & Limitations

| Advantages | Limitations |
|---|---|
| Secure authentication | Time synchronization required |
| No password transmission | KDC is single point of failure |
| Single sign-on | Complex setup |
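The ticket flow described above, as an added example that is not part of the original notes: a simplified model of the AS, TGS and application server exchanges. The principal names, ticket lifetimes, JSON ticket layout and the toy `seal`/`unseal` cipher are assumptions made for illustration; real Kerberos uses its own message formats and standard ciphers.

```python
import hashlib, hmac, json, secrets, time

KEYS = {n: secrets.token_bytes(32) for n in ("alice", "tgs", "fileserver")}  # KDC database (constructed)

def seal(key, obj):
    """Toy encrypt-then-MAC, a stand-in for the real ticket cipher."""
    data, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    body = nonce + bytes(x ^ y for x, y in zip(data, stream))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    body, mac = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
        raise ValueError("wrong key or tampered data")
    stream = hashlib.shake_256(key + body[:16]).digest(len(body) - 16)
    return json.loads(bytes(x ^ y for x, y in zip(body[16:], stream)))

def check(ticket, authenticator, skew=300):
    """Used by TGS and server: ticket unexpired, authenticator fresh."""
    a = unseal(bytes.fromhex(ticket["key"]), authenticator)
    now = time.time()
    if ticket["exp"] < now or a["user"] != ticket["user"] or abs(now - a["ts"]) > skew:
        raise ValueError("expired ticket or stale authenticator")
    return ticket["user"]

def as_exchange(user):
    """AS: session key sealed for the client, plus a TGT sealed for the TGS."""
    sk = secrets.token_hex(16)
    tgt = seal(KEYS["tgs"], {"user": user, "key": sk, "exp": time.time() + 600})
    return seal(KEYS[user], {"key": sk}), tgt

def tgs_exchange(tgt, authenticator, service):
    """TGS: validate the TGT, then issue a service ticket and session key."""
    t = unseal(KEYS["tgs"], tgt)
    check(t, authenticator)
    sk = secrets.token_hex(16)
    ticket = seal(KEYS[service], {"user": t["user"], "key": sk, "exp": time.time() + 300})
    return seal(bytes.fromhex(t["key"]), {"key": sk}), ticket

def login(user, user_key, service):  # client side; user_key never leaves the client
    sealed, tgt = as_exchange(user)
    sk = bytes.fromhex(unseal(user_key, sealed)["key"])
    sealed2, ticket = tgs_exchange(tgt, seal(sk, {"user": user, "ts": time.time()}), service)
    sk2 = bytes.fromhex(unseal(sk, sealed2)["key"])
    return ticket, seal(sk2, {"user": user, "ts": time.time()})

def server_accept(ticket, authenticator, service="fileserver"):
    return check(unseal(KEYS[service], ticket), authenticator)
```

The client can read neither ticket, since each is sealed under a key only the KDC and the target hold, and the timestamp window in `check` is the reason for the time-synchronization requirement listed in the table above.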

Electronic Mail Security

Why Email Security Is Needed

Emails are vulnerable to:

  • Eavesdropping
  • Message modification
  • Spoofing
  • Identity theft

Email security ensures:

  • Confidentiality
  • Authentication
  • Integrity
  • Non-repudiation

Pretty Good Privacy (PGP)

What is PGP?

PGP (Pretty Good Privacy) is an email security system that uses:

  • Symmetric encryption
  • Public key encryption
  • Hashing
  • Digital signatures

Services Provided by PGP

| Service | Technique Used |
|---|---|
| Confidentiality | AES / IDEA |
| Authentication | Digital signature |
| Integrity | Hash functions |
| Key management | Public key cryptography |

PGP Working (Simplified)

  • Message is hashed
  • Hash encrypted using sender’s private key (signature)
  • Message encrypted using session key
  • Session key encrypted using receiver’s public key
  • Encrypted email sent

PGP Message Structure

| Component | Purpose |
|---|---|
| Encrypted message | Confidentiality |
| Encrypted session key | Secure key transfer |
| Digital signature | Authentication |

Real-Life Example

  • Secure business emails
  • Confidential documents
  • Email encryption tools

Advantages & Limitations

| Advantages | Limitations |
|---|---|
| Strong security | Complex for beginners |
| Hybrid encryption | Manual key management |
| Widely trusted | Not default in email clients |

S/MIME (Secure/Multipurpose Internet Mail Extensions)

What is S/MIME?

S/MIME is a standard for secure email that uses:

  • Digital certificates (X.509)
  • Public Key Infrastructure (PKI)

It is built into most email clients.

Services Provided by S/MIME

| Service | Description |
|---|---|
| Encryption | Confidential emails |
| Digital signature | Sender authentication |
| Integrity | Message unchanged |
| Non-repudiation | Sender cannot deny |

How S/MIME Works

  • Sender signs email using private key
  • Email encrypted using recipient’s public key
  • Certificate attached
  • Receiver verifies certificate and decrypts message

Real-Life Use

  • Corporate emails
  • Government communication
  • Banking and legal emails

PGP vs S/MIME 

| Feature | PGP | S/MIME |
|---|---|---|
| Key management | User-managed | CA-based |
| Certificates | Optional | Mandatory |
| Ease of use | Moderate | Easy |
| Trust model | Web of trust | Hierarchical PKI |
| Usage | Individuals | Organizations |

Final Quick Revision Table

| Topic | Key Point |
|---|---|
| Kerberos | Ticket-based authentication |
| KDC | Trusted authority |
| PGP | Hybrid email security |
| S/MIME | Certificate-based email security |
| Email Security | Protects confidentiality & identity |

MCA Exam Writing Tips

  • Draw Kerberos ticket flow
  • Write PGP working steps
  • Compare PGP vs S/MIME
  • Mention real-life applications