Key Agreement Protocol - PowerPoint PPT Presentation

About This Presentation
Title:

Key Agreement Protocol

Slides: 16
Provided by: zho70

Transcript and Presenter's Notes

1
Key Agreement Protocol
  • Sheng Zhong

2
Public Key Cryptosystem vs. Private Key Cryptosystem
  • Public key cryptosystem:
  • Allows sending messages without a shared secret
    key.
  • Slower.
  • Private key cryptosystem:
  • Faster.
  • Needs a shared secret key.
  • Question: How to send a lot of data without a
    shared secret key?

3
Hybrid Cryptosystem
  • To send a lot of data without a shared secret
    key:
  • Pick a key K at random.
  • Use a public key cryptosystem to encrypt K under
    the receiver's public key.
  • Use a private key cryptosystem to encrypt data
    under key K.

4
Advantages & Disadvantages of Hybrid Cryptosystem
  • Advantages
  • Sending data without shared secret key.
  • Faster than public key cryptosystem.
  • Disadvantages
  • Ephemeral Key K is chosen solely by sender.
  • If the receiver leaks her private key in the
    future, all old messages are subject to
    decryption by adversary.

5
Key Exchange Protocol
  • To avoid disadvantages of hybrid cryptosystem, we
    need a protocol:
  • That sets up a shared key between two parties
    (whenever they need to communicate).
  • Both parties contribute to the key.
  • This is called (two-party) key agreement or key
    exchange.

6
Diffie-Hellman Key Exchange
  • Invented by Diffie and Hellman in the late 70s.
  • Beginning of public key cryptography.
  • Even earlier than RSA.
  • But note that it is not a public key cryptosystem
    and does not use any public key cryptosystem.

7
The Protocol (1)
  • Let $p$ be a large prime.
  • Let $g$ be in $Z_p$.
  • Alice: Choose $a$ in $[1, p-1)$ uniformly at random.
  • Bob: Choose $b$ in $[1, p-1)$ uniformly at random.

8
The Protocol (2)
  • Alice → Bob: $A = g^a \bmod p$.
  • Bob → Alice: $B = g^b \bmod p$.
  • Alice: key is $B^a \bmod p$.
  • Bob: key is $A^b \bmod p$.
  • Clearly, Alice and Bob agree on the same key,
  • because $A^b = (g^a)^b = g^{ab} = (g^b)^a = B^a$.

9
Security Analysis
  • The security is based on the CDH assumption.
  • Recall CDH: For appropriately chosen random group
    $G$, random generator $g$, and random exponents $a$, $b$,
    the probability of any efficient algorithm
    computing $g^{ab}$ from $g$, $g^a$, $g^b$ is negligible.
  • In fact, this is why CDH is called Computational
    Diffie-Hellman.

10
Security Gap
  • Problem: CDH may not hold when $g$ is not a
    generator of the group.
  • For some reason, we may not be able to choose a
    generator $g$.
  • This would make the protocol vulnerable.
  • Example: Suppose the order of $g$ is $k$, i.e., $g^k = 1 \pmod p$.
  • If $k$ is small, then an exhaustive search (in the
    group $\{1, g, g^2, \ldots, g^{k-1}\}$) finds $a$, $b$.

11
Bridging the Gap
  • In this case, make sure $p-1$ is divisible by a large
    prime $q$.
  • Then there are many elements of $Z_p$ having order
    $q$.
  • Choose $g$ such that its order is $q$.
  • Now the group $\{1, g, g^2, \ldots, g^{k-1}\}$ is large;
    exhaustive search is infeasible.
  • So although $g$ is not a generator, the protocol is
    still secure.
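
The parameter choice from slides 10 and 11, as an added Python example that is not part of the original slides: it picks g of prime order q, rejects a base of small order, and compares how many key values each base can produce. The parameters p = 607, q = 101 are constructed toy values (far too small for real use), and all function names are hypothetical.

```python
import secrets

# Constructed toy parameters (assumption, not from the slides): p - 1 = 6 * q.
P, Q = 607, 101

def order(g, p):
    """Multiplicative order of g modulo p, by direct search (toy sizes only)."""
    k, x = 1, g % p
    while x != 1:
        x = x * g % p
        k += 1
    return k

def pick_generator(p, q):
    """Slide 11: choose g of order q, as g = h^((p-1)/q) mod p with g != 1."""
    while True:
        h = secrets.randbelow(p - 3) + 2      # h in [2, p-2]
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return g                          # g^q = 1, g != 1, q prime => order q

def check_params(p, q, g):
    """Accept g only if q divides p-1 and g has order exactly q (q prime)."""
    return (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1

def keygen(p, g):
    a = secrets.randbelow(p - 2) + 1          # a in [1, p-1), as on slide 7
    return a, pow(g, a, p)

def agree(p, g):
    """Slides 7-8: Alice and Bob each derive a key from the other's value."""
    a, A = keygen(p, g)
    b, B = keygen(p, g)
    return pow(B, a, p), pow(A, b, p)

def reachable_keys(p, g):
    """Slide 10: every exchanged value and key lies in {1, g, ..., g^(k-1)}."""
    return {pow(g, i, p) for i in range(order(g, p))}

def weak_element(p, k):
    """An element of small order k (k must divide p-1), for comparison."""
    for h in range(2, p):
        g = pow(h, (p - 1) // k, p)
        if order(g, p) == k:
            return g
```

With the order-6 base every agreed key is one of only 6 values, which is the exhaustive-search exposure of slide 10; with the order-q base the set grows to q values.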

12
Man-in-the-Middle Attack (1)
  • The Diffie-Hellman key exchange protocol is
    secure only against an eavesdropping adversary.
  • If a party can intercept messages, the protocol
    is vulnerable.
  • The main idea is to impersonate Alice to talk
    with Bob and impersonate Bob to talk with Alice.

13
Man-in-the-Middle Attack (2)
  • Alice: Choose $a$ in $[1, p-1)$ uniformly at random.
  • Bob: Choose $b$ in $[1, p-1)$ uniformly at random.
  • Alice → Bob (Intercepted by Malice): $A = g^a \bmod p$.
  • Bob → Alice (Intercepted by Malice): $B = g^b \bmod p$.

14
Man-in-the-Middle Attack (3)
  • Malice: Choose $m$.
  • Malice impersonates Alice → Bob: $M = g^m \bmod p$.
  • Malice impersonates Bob → Alice: $M = g^m \bmod p$.
  • Alice: key is $M^a \bmod p$ ($= g^{am} \bmod p$).
  • Bob: key is $M^b \bmod p$ ($= g^{bm} \bmod p$).
  • Malice: both $g^{am} \bmod p$ and $g^{bm} \bmod p$ are easy to
    compute.

15
Need for Authentication
  • How can we deal with man-in-the-middle attack?
  • Make sure messages received are indeed sent by
    the supposed sender.
  • This is called authentication (Our Next Topic).