Key Establishment Protocols - PowerPoint PPT Presentation

1 / 50
About This Presentation
Title:

Key Establishment Protocols

Description:

B A: EK(rB, nB, nA, A) Does not provide PFS. 13. Point-to-Point Key Update ... DA=(tA, rA, B, data1, PB(k1)), DB=(tB, rB, A, rA, data2, PA(k2)), A B: certA, DA, SA(DA) ... – PowerPoint PPT presentation

Number of Views:161
Avg rating:3.0/5.0
Slides: 51
Provided by: sconce
Category:

less

Transcript and Presenter's Notes

Title: Key Establishment Protocols


1
Key Establishment Protocols
  • Maithili Narasimha
  • November 11, 2009

2
Contents
  • Classification and framework
  • Key transport based on symmetric encryption
  • Key agreement based on symmetric techniques
  • Key transport based on public-key encryption
  • Key agreement based on asymmetric techniques
  • Secret sharing
  • Conference keying
  • Analysis of key establishment protocols

3
Concepts and Classification
  • Key establishment a shared secret becomes
    available to two or more parties, for subsequent
    cryptographic use.
  • key transport protocol
  • one party creates, and securely transfers it to
    the other(s).
  • key agreement protocol key establishment
    technique in which
  • a shared secret is derived by two (or more)
    parties
  • key pre-distribution vs. dynamic(session) key
    establishment

4
  • Use of trusted servers
  • trusted third party, trusted server,
    authentication server, key
  • distribution center (KDC), key translation
    center (KTC)
  • and certification authority (CA).
  • secure key establishment
  • each party in a key establishment protocol be
    able to determine the true identity of the
    other(s) which could possibly gain access to the
    resulting key, implying preclusion of any
    unauthorized additional parties from deducing the
    same key
  • secrecy of key and identification of those
    parties with access to it

5
Authentication
depends on context of usage
identity of a party, and aliveness at a given
instant
identity of the source of data
identity of party which may possibly share a key
evidence that a key is possessed by some party
evidence that an identified party possesses a
given key
6
Classification and concepts
  • (Implicit) Key authentication
  • one party is assured that no other party aside
    from a specifically identified second party may
    gain access to a particular secret key
  • independent of the actual possession of such key
    by the second party, or knowledge of such actual
    possession by the first party
  • Key confirmation
  • one party is assured that a second (possibly
    unidentified) party actually has possession of a
    particular secret key
  • Explicit key authentication
  • both (implicit) key authentication and key
    confirmation hold

7
Motivation for use of session key
  • Session key
  • ephemeral secret, i.e., one whose use is
    restricted to a short time period after which all
    trace of it is eliminated
  • Motivation
  • to limit available cipher-text
  • to limit exposure in the event of (session) key
    compromise
  • to avoid long-term storage of a large number of
    distinct secret keys
  • to create independence across communications
    sessions or applications

8
Key Establishment Protocol Characteristics
  • nature of the authentication
  • reciprocity of authentication unilateral vs.
    mutual
  • key freshness
  • key control key distribution vs. key agreement
  • efficiency
  • number of message exchanges
  • bandwidth
  • complexity of computations
  • pre-computation?
  • third party requirements
  • on-line (real-time), off-line, or no third party
  • degree of trust required in a third party
  • type of certificate used
  • non-repudiation

9
Assumptions and Adversaries
  • Attacks
  • passive attack adversary simply records data and
  • analyzes
  • active attack adversary modifies or injects
    messages
  • What are the attackers roles?
  • deduce a session key using information gained by
    eavesdropping
  • participate covertly in protocol initiated by one
    party, and influence it by altering messages so
    as to be able to deduce the key
  • initiate one or more protocol executions, and
    combine messages from one with another, so as to
    carry out one of the above attacks
  • without being able to deduce the session key,
    deceive a legitimate party regarding the identity
    of the party with which it shares a key
  • In entity authentication, adversarys objective
    is to arrange that one party receives messages
    which satisfy that party that the protocol has
    been run successfully with a party other than the
    adversary.

10
PFS and Known Key Attacks
  • perfect forward secrecy
  • Compromise of long-term key does not compromise
    past session keys
  • PFS ensures that previous traffic is locked
    securely in the past
  • known-key attack
  • compromise of past session keys allows either a
    passive adversary to compromise future session
    keys, or impersonation by an active adversary in
    the future

11
Contents
  • Classification and framework
  • Key transport based on symmetric encryption
  • Key agreement based on symmetric techniques
  • Key transport based on public-key encryption
  • Key agreement based on asymmetric techniques
  • Secret sharing
  • Conference keying
  • Analysis of key establishment protocols

12
Point-to-Point Key Update
  • Key Transport with one pass
  • Long term symmetric key K shared between A and B
  • A ? B EK(rA) rA is the
    session key
  • Implicit key authentication
  • Additional fields
  • timestamp, sequence number freshness
  • target identifier prevent undetectable message
    replay
  • Hence A ? B EK(rA, tA, B)
  • Mutual authentication B ? A EK(rB, tB, A) K
    f(rA, rB)
  • Key Transport with challenge-response
  • B ? A nB for freshness
  • A ? B EK(rA, nA, nB, B)
  • B ? A EK(rB, nB, nA, A)
  • Does not provide PFS

13
Point-to-Point Key Update
  • Authenticated Key Exchange Protocol 2 (AKEP2)
  • rA
  • (B, A, rA, rB), hK(B, A, rA, rB)
  • (A, rB), hK(A, rB)
  • Session key W hK(rB)
  • AKEP1
  • B ? A (B, A, rA, rB, (r, W ? hK(r)), hK(B, A,
    rA, rB, (r, W ? hK(r))
  • Optimization r rB

14
Shamirs no key algorithm
  • Protocol
  • KA mod p
  • (KA)B mod p
  • (KAB) A-1 mod p
  • Properties
  • Provides key transport
  • No a priori information is required
  • Protection from passive adversaries
  • Does not provide authentication

15
Kerberos
  • Basic setup
  • A, B, a trusted server share long-term pairwise
    secret keys a priori
  • Server either plays the role of KDC and itself
    supplies the session
  • key, or serves as a key translation center (KTC)
  • A and B share no secret, while T shares a secret
    with each
  • Goal for B to verify As identity, establishment
    of a shared key
  • Description
  • A requests from T credentials to allow it to
    authenticate itself to B
  • T plays the role of a KDC, returning to A a
    session key encrypted for A and a ticket
    encrypted for B
  • The ticket contains the session key and As
    identity
  • authentication of A to B when accompanied by
    appropriate message
  • created by A containing a timestamp encrypted
    under that session key

16
Kerberos
  • Protocol
  • A ? T A, B, NA
    NA freshness
  • T ? A EKBT(k, A, L), EKAT(k, NA, L, B)
    L lifetime
  • A ? B EKBT(k, A, L), Ek(A, TA, Asubkey)
  • B ? A Ek(TA, Bsubkey)
    Optional mutual authentication
  • Properties
  • Since timestamps are used, the hosts on which
    this protocol runs must provide both secure and
    synchronized clocks
  • If initial shared keys are password-derived,
    protocol is no more secure than secrecy of such
    password or their resistance to password-guessing
    attack
  • Asubkey and Bsubkey allow transfer of a key from
    A to B
  • Lifetime is intended to allow A to re-use the
    ticket
  • A creates new authenticator with new timestamp
    and same session key k

17
Needham-Schroeder
  • important primarily for historical reasons
  • Protocol
  • A ? T A, B, NA
  • T ? A EKAT(NA, B, k, EKBT(k, A))
  • A ? B EKBT(k, A)
  • B ? A Ek(NB)
  • A ? B Ek(NB-1)
  • Properties
  • The protocol provides A and B with a shared key k
    with key authentication
  • (4) and (5) provide entity authentication of A to
    B. B to A can be obtained using redundancy check
    on NB upon decrypting message (4).
  • If acceptable for A to re-use key k with B, A may
    securely cache (3) with k
  • To prevent replay of (4), Ek(NA) should be
    appended to message (3), and (4) should be
    replaced by Ek(NA-1, NB) allowing A to verify
    Bs knowledge of k

18
Needham-Schroeder vs. Kerberos
  • Kerberos lifetime parameter is not present in N-S
  • In N-S, (2) (which corresponds to Kerberos
    ticket) is double-encrypted
  • authentication here employs nonce rather than
    timestamp
  • since B has no way of knowing if k is fresh,
    should k ever be compromised, any party knowing
    it may both resend message (3) and compute a
    correct message (5) to impersonate A to B
  • This situation is ameliorated in Kerberos by the
    lifetime parameter which limits exposure to a
    fixed time interval.

19
Otway-Rees protocol
  • Protocol
  • A ? B M, A, B, EKAT(M, A, B, NA)
    M Another nonce
  • B ? T M, A, B, EKAT(M, A, B, NA), EKBT(M, A, B,
    NB)
  • T ? B EKAT(k, NA), EKBT(k, NB)
  • B ? A EKAT(k, NA)
  • Properties
  • Only 4 rounds
  • Does not require timestamps
  • Provides key authentication and key freshness but
    not entity authentication and key confirmation
  • NA could be eliminated in (1), (2), and replaced
    by M in (3), (4)
  • Could provide key confirmation and entity
    authentication (5 round)
  • B ? A EKAT(k, NA), Ek(NA, NB)
  • A ? B Ek(NB)

20
to recap
1-3
optional
none
point-to-point key update
3
no
none
Shamirs no-key protocol
4
yes
KDC
Kerberos
5
no
KDC
Needham-Schroeder shared-key
4
no
KDC
Otway-Rees
21
Contents
  • Classification and framework
  • Key transport based on symmetric encryption
  • Key agreement based on symmetric techniques
  • Key transport based on public-key encryption
  • Key agreement based on asymmetric techniques
  • Secret sharing
  • Conference keying
  • Analysis of key establishment protocols

22
Key Agreement(Symmetric key encryption)
  • KDS is said to be j-secure if coalition of j or
    fewer users can do no better at computing the key
    shared by two than a party which guesses key
    without any pieces whatsoever
  • Blom KDS bound In any j-secure KDS(m-bit session
    key), secret data by each user must be at least
    m(j 1) bits
  • Bloms scheme
  • engineered to provide unconditional security
    against coalitions of a specified maximum size
  • initial keying material assigned to each user
    allows computation of larger number of derived
    keys one per each other user
  • derived keys of different user pairs are not
    statistically independent

23
Contents
  • Classification and framework
  • Key transport based on symmetric encryption
  • Key agreement based on symmetric techniques
  • Key transport based on public-key encryption
  • Key agreement based on asymmetric techniques
  • Secret sharing
  • Conference keying
  • Analysis of key establishment protocols

24
Key Transport using PKC without signature
  • Needham-Schroeder
  • PB(k1, A)
  • PA(k1, k2)
  • PB(k2)
  • No signatures, Mutual authentication(keyentity),
    mutual key transport
  • Modified NS
  • PB(k1, A, r1)
  • PA(k2, r1, r2)
  • r2

25
Combining PK encryption and signature
  • Encrypting signed keys
  • A ? B PB(k, tA, SA(B, k, tA))
  • Problem Data for encryption is too large
  • Encrypting and signing separately
  • A ? B PB(k, tA), SA(B, k, tA)
  • Acceptable only if no information regarding
    plaintext data can be deduced from the signature
  • Signing encrypted keys
  • A ? B tA, PB(A, k), SA(B, tA, PB(A, k))
  • Can provide mutual authentication with two
    messages(timestamps) or three messages(challenge-r
    esponse)

26
X.509 strong authentication protocols
  • Assurances of X.509 strong authentication
  • identity of A, and that the token received by B
    was constructed by A
  • the token received by B was specifically intended
    for B
  • the token received by B has freshness
  • the secrecy of the transferred key.
  • X.509 strong two-way authentication
  • DA(tA, rA, B, data1, PB(k1)), DB(tB, rB, A, rA,
    data2, PA(k2)),
  • A ? B certA, DA, SA(DA)
  • B ? A certB, DB, SB(DB)
  • Comments
  • Since the protocol does not specify inclusion of
    an identifier within the scope of the encryption
    PB within DA, one cannot guarantee that the
    signing party actually knows (or was the source
    of) plaintext key

27
Hybrid Key Transport using PKE
  • Beller-Yacobi (4 pass)
  • Properties
  • mutual authentication, explicit key
    authentication
  • for applications where there is an imbalance in
    processing power between the two parties
  • identity of the weaker party remains concealed
    from eavesdroppers
  • Algorithm
  • B ? A certB (IB, nB, GB) certificate
    generated with RSA
  • A ? B PB(K) K3 mod nB
  • B ? A EK(m, 0t) symmetric key
    encryption
  • A ? B EK((v, w), certA) DSA signature
    with precomputation
  • Comment
  • To achieve mutual authentication, each party
    carry out at least one private-key operation, and
    one or two public-key operations
  • careful selection of two separate public-key
    schemes
  • RSA public operation and ElGamal private-key
    operation are cheap

28
Hybrid Key Transport using PKE
  • Beller-Yacobi (2 pass)
  • Algorithm
  • A B
  • precompute x, v gx mod nS select random
    challenge m
  • verify certB via PT(GB)
    ? send m, certB
  • compute (v, w) SA(m, IB)
    certB (IB, nB, GB)
  • send PB(v), Ev(certA, w) ?
    recover v, set K v
  • certA (IA, uA, GA) verify certA, signature
    (v, w)
  • Properties slightly weaker authentication
    assurances
  • B obtains entity authentication of A and obtains
    a key K that A alone knows, while A has key
    authentication with respect to B
  • For A to obtain explicit key authentication of B,
    a third message may be added whereby B exhibits
    knowledge through use of K on a challenge or
    standard message (e.g., 0t )

29
Key Transport based on PKC
1
no
no
3
mutual
no
1
data origin only
yes
1
data origin only
yes
1
data origin only
yes
2
mutual
yes
3
mutual
yes
4
mutual
yes
2
unilateral
yes
30
Contents
  • Classification and framework
  • Key transport based on symmetric encryption
  • Key agreement based on symmetric techniques
  • Key transport based on public-key encryption
  • Key agreement based on asymmetric techniques
  • Secret sharing
  • Conference keying
  • Analysis of key establishment protocols

31
Diffie-Hellman and ElGamal
  • Diffie-Hellman
  • Setup prime p, generator g of Zp
  • gx mod p
  • gy mod p
  • gyx mod p
  • fixed exponent zero-pass key agreement with
    special certificates
  • Signature is required!
  • ElGamal one-pass key agreement
  • b is Bs secret key
  • A ? B gx mod p
  • Shared key ? gxb
  • Unilateral key authentication
  • no entity authentication or key confirmation

32
MTI/A0
  • Protocol
  • A ? B gx mod p
  • B ? A gy mod p
  • A k (gy)aPKbx gya gbx gyabx
  • B k (gx)bPKay
  • Properties
  • Message independent
  • Secure against passive attacks only
  • Provides mutual (implicit) key authentication but
    neither key confirmation nor entity authentication

33
STS
  • Algorithm
  • gx mod p
  • gy mod p, Ek(SB(gy, gx))
  • Ek(SA(gx, gy))
  • Properties
  • Mutual entity authentication
  • Mutual (explicit) key authentication

34
Gunthers implicitly-certified ID-based PK
  • Algorithm
  • Summary TTP creates an implicitly-certified,
    publicly-recoverable DH PK for A, and transfers
    to A the corresponding private key.
  • TTP selects p and g of Zp, a random integer t,
    gcd(t, p -1) 1 as its private key, and
    publishes its public key u gt mod p
  • TTP assigns to each A DN IA and a random integer
    kA with gcd(kA, p-1) 1, then computes PA gkA
    mod p
  • PA is As reconstruction public data, allowing
    other parties to compute PAa below.
  • T solves the following equation for a
  • h(IA) tPA kAa (mod p - 1)
  • T securely transmits to A the pair (r, s) (PA,
    a) (ElGamal signature on IA)
  • Any other party can then reconstruct As public
    key PAa(gkA a ) by computing PAa gh(IA) u-PA
    mod p

35
DH with Implicitly-certified keys
  • Algorithm
  • A ? B IA, PA
  • B ? A IB, PB, (PA)y mod p
  • A ? B (PB)x mod p
  • Shared key ? K PAya PBxb

36
Key Agreement (Asymmetric technique)
msg
entity authentication
key authentication
2
none
none
1
none
unilateral
2
none
mutual-implicit
2
none
mutual-implicit
3
mutual
mutual-implicit
37
Contents
  • Classification and framework
  • Key transport based on symmetric encryption
  • Key agreement based on symmetric techniques
  • Key transport based on public-key encryption
  • Key agreement based on asymmetric techniques
  • Secret sharing
  • Conference keying
  • Analysis of key establishment protocols

38
Secret Sharing
  • Motivation
  • To safeguard cryptographic keys from loss,
    desirable to create backups
  • The greater the number of copies made, the
    greater the risk of security exposure the
    smaller the number, the greater the risk that all
    are lost
  • enhanced reliability without increased risk
  • facilitate distributed trust or shared control
    for critical activities by gating the critical
    action on cooperation by t of n users.
  • Basic idea
  • to start with a secret, and divide it into pieces
    called shares which are distributed amongst users
    such that the pooled shares of specific subsets
    of users allow reconstruction of the original
    secret
  • may be viewed as a key pre-distribution
    technique, facilitating one-time key
    establishment, wherein the recovered key is
    pre-determined

39
Secret Sharing
  • Trivial (n, n) scheme
  • S ? Si
  • Shouldnt split r bit key into r/t pieces
  • Threshold schemes
  • A (t, n) threshold scheme (t ? n) is a method by
    which
  • a trusted party computes secret shares Si, 1 ? i
    ? n from an initial secret S and securely
    distributes Si to user Pi such that the following
    is true
  • any t or more users who pool their shares may
    easily recover S
  • but any group knowing only t - 1 or fewer shares
    may not

40
Secret Sharing
  • Shamirs threshold scheme
  • based on polynomial interpolation, and that a
    uni-variate polynomial y f(x) of degree t - 1
    is uniquely defined by t points (xi, yi)
  • Algorithm
  • Setup T begins with a secret integer S it wishes
    to distribute among n users.
  • T chooses a prime p, defines a0 S, selects t-1
    random coefficients a1, , at-1 defining the
    polynomial over Zp, f(x) ?t-1j0 ajxj
  • T computes Si f(i) mod p for all i (1ltiltn),
    and securely transfers the share Si to Pi
  • Pooling of shares Group of t or more users pool
    shares, which provide t distinct points allowing
    computation of ajs

41
Secret Sharing
  • Properties
  • perfect Given knowledge of any t - 1 or fewer
    shares, the shared secret remain equally probable
  • ideal The size of one share is the size of the
    secret
  • extendable for new users New shares (for new
    users) may be computed and distributed without
    affecting shares of existing users.
  • varying levels of control possible Providing a
    single user with multiple shares bestows more
    control upon that individual
  • no unproven assumptions

42
Contents
  • Classification and framework
  • Key transport based on symmetric encryption
  • Key agreement based on symmetric techniques
  • Key transport based on public-key encryption
  • Key agreement based on asymmetric techniques
  • Secret sharing
  • Conference keying
  • Analysis of key establishment protocols

43
Conferencing Keying
  • A conference keying protocol is a generalization
    of two-party key establishment to provide three
    or more parties with a shared secret key
  • Cliques, BD, TGDH, STR

44
Contents
  • Classification and framework
  • Key transport based on symmetric encryption
  • Key agreement based on symmetric techniques
  • Key transport based on public-key encryption
  • Key agreement based on asymmetric techniques
  • Secret sharing
  • Conference keying
  • Analysis of key establishment protocols

45
Attack strategies and classic flaws
  • Intruder-in-the-middle
  • man-in-the-middle attack on unauthenticated DH
  • Reflection attack
  • Original protocol
  • A ? B rA
  • B ? A Ek(rA, rB)
  • A ? B rB
  • Attack
  • A ? E rA
  • E ? A rA Starting a new session
  • A ? E Ek(rA, rA) Reply of (2)
  • E ? A Ek(rA, rA) Reply of (1)
  • A ? E rA
  • Can be prevented by using two different keys k1
    and k2 for encryption

46
Attack strategies and classic flaws
  • Interleaving attacks
  • Flawed protocol
  • A ? B rA
  • B ? A rB, SB(rB, rA, A)
  • A ? B rA, SA(rA, rB, B)
  • Attack
  • E ? B rA
  • B ? E rB, SB(rB, rA, A)
  • E ? A rB
  • A ? E rA, SA(rA, rB, B)
  • E ? B rA, SA(rA, rB, B)
  • Due to symmetric messages (2), (3)

47
Analysis methods
  • ad hoc and practical analysis (Provide heuristic
    security)
  • convincing arguments that any successful attack
    requires resource level greater than the
    resources of the perceived adversary
  • May uncover protocol flaws establishing that a
    protocol is bad
  • Subtle flaws in protocols typically escape ad hoc
    analysis
  • reducibility from hard problems
  • proving that any successful protocol attack leads
    directly to the ability to solve a well-studied
    reference problem
  • provably secure protocol
  • A challenge is to establish that all possible
    attacks have been taken into account, and can be
    equated to solving the identified reference
    problems

48
Analysis methods
  • complexity-theoretic analysis
  • Model of computation is defined, and adversaries
    are modeled as having polynomial power. Security
    proof relative to the model is then constructed
  • The existence of underlying cryptographic
    primitives with specified properties is typically
    assumed.
  • An objective is to design cryptographic protocols
    which require the fewest cryptographic
    primitives, or the weakest assumptions.
  • Polynomial attacks which are feasible under such
    a model may in practice be computationally
    infeasible
  • Despite these issues, complexity-theoretic
    analysis is invaluable for formulating
    fundamental principles and confirming intuition.

49
Analysis methods
  • information-theoretic analysis
  • mathematical proofs involving entropy
    relationships to prove protocols are
    unconditionally secure
  • Adversaries are modeled to have unbounded
    computing resources
  • not applicable to most practical schemes for
    several reasons
  • many schemes can at best be computationally
    secure
  • typically involve keys of impractically large
    size, or can only be used once
  • formal methods
  • logics of authentication (BAN), term re-writing
    systems, expert systems, and other methods
    combining algebraic and state-transition
    techniques
  • help in finding flaws and redundancies in
    protocols
  • the proofs provided are proofs within the
    specified formal system, and cannot be
    interpreted as absolute proofs of security
  • Absence of discovered flaws does not imply the
    absence of flaws

50
  • Thank You!
Write a Comment
User Comments (0)
About PowerShow.com