CS 470 - PowerPoint PPT Presentation

1
Key Distribution
  • CS 470
  • Introduction to Applied Cryptography
  • Instructor: Ali Aydin Selcuk

2
Key Distribution/Establishment
  • How to have two parties agree on an encryption
    key securely?
  • Public key encryption: solves the problem against
    passive attackers. E.g., DH key exchange: Trudy
    can't get g^(ab) mod p.

3
Active Attacks
  • Attacker can intercept, modify, insert, delete
    messages on the network.
  • E.g., man-in-the-middle attack against DH:
    Trudy can translate messages between
    Alice & Bob without being noticed.
  • Similar attacks are possible on RSA & other PKC
    protocols.

4
Trusted Third Parties
  • Solution against active attackers: Trusted Third
    Parties (TTPs)
  • Symmetric key solution: KDC
      • Everyone registers with the KDC, shares a secret
        key.
      • When A & B want to communicate, they contact the
        KDC & obtain a session key.
  • Public key solution: CA
      • Everyone registers with the CA, obtains a
        certificate for his/her public key.
      • Certificate: a document signed by the CA,
        including the ID and the public key of the
        subject.
      • People obtain each other's certificates thru a
        repository, a webpage, or at the beginning of the
        protocol,
      • and use the certified public keys in the
        protocols.

5
KDC vs. CA
  • KDC
      • faster (being based on symmetric keys)
      • has to be online
  • CA
      • doesn't have to be online
      • if it crashes, doesn't disable the network
      • much simpler
      • scales better
      • certificates are not disclosure-sensitive
      • a compromised CA can't decrypt conversations
  • KDCs are preferred for LANs, CAs for WANs (e.g.,
    the Internet).

6
Key Distribution with KDC
  • A simple protocol. K_A, K_B: long-term secret
    keys of Alice, Bob. K_A{m}: encryption of m with
    K_A.
  • Problems with this protocol
      • possible delayed delivery of K_B{A,B,K_AB}.
      • No freshness guarantee for B (i.e., Trudy can
        replay K_B{A,B,K_AB} for a previously compromised
        K_AB).
  • (Both problems can be fixed easily.)
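
The replay problem on this slide and one way to close it, as an added example that is not part of the original slides. The `issued` field and the 300-second window are assumptions (the slides do not say which fix is meant), and the SHA-256 keystream is a toy stand-in for a real authenticated cipher.

```python
import hashlib, hmac, json, os

def _keys(k):
    # Separate encryption and MAC subkeys derived from one long-term key.
    return hashlib.sha256(b"enc" + k).digest(), hashlib.sha256(b"mac" + k).digest()

def _xor_stream(ke, nonce, data):
    # Toy SHA-256 counter-mode keystream, constructed for this demo only.
    ks = b"".join(hashlib.sha256(ke + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(k, fields):
    """K{m}: encrypt-then-MAC a dict under long-term key k."""
    ke, km = _keys(k)
    nonce = os.urandom(16)
    ct = _xor_stream(ke, nonce, json.dumps(fields).encode())
    return nonce + ct + hmac.new(km, nonce + ct, hashlib.sha256).digest()

def unseal(k, blob):
    ke, km = _keys(k)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket not sealed under this key")
    return json.loads(_xor_stream(ke, nonce, ct))

def kdc_issue(k_b, now):
    """KDC builds K_B{A, B, K_AB}; 'issued' is the added freshness field."""
    k_ab = os.urandom(16).hex()
    return k_ab, seal(k_b, {"a": "Alice", "b": "Bob", "k_ab": k_ab, "issued": now})

def bob_accept_naive(k_b, ticket):
    # Protocol as on the slide: Bob cannot tell a replay from a new ticket.
    return unseal(k_b, ticket)["k_ab"]

def bob_accept_fresh(k_b, ticket, now, max_age=300):
    # Assumed fix: reject tickets outside a validity window (Kerberos-style).
    t = unseal(k_b, ticket)
    if not 0 <= now - t["issued"] <= max_age:
        raise ValueError("stale ticket")
    return t["k_ab"]
```

A timestamp only bounds the replay window; a nonce challenge from Bob, answered under K_AB, removes it.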

7
Key Distribution with CA
  • A simple protocol
      • certificates are obtained in advance
      • session key transport with public key encryption
  • mX: Encryption of message m with the public key
    of X
  • mX: Signature on message m with the public key
    of X
  • Problems with this protocol
      • B doesn't authenticate A.
      • No freshness guarantee for B.

8
Station-to-Station Protocol
  • Authenticated DH protocol; basis for many
    real-life apps.
  • Certified PKs are used for signing the public DH
    parameters. A slightly simplified
    version, where x = g^a mod p, y = g^b mod p,
    k = g^(ab) mod p.
  • STS vs. encrypted key transport: STS (DH)
    provides perfect forward secrecy. (In encrypted
    transport, if the long-term RSA key is
    compromised, the session keys are also
    compromised.)
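
Why signing the DH parameters defeats the man-in-the-middle attack from the Active Attacks slide, as an added example that is not part of the original slides. The message flow (each side signs the pair x, y as it saw them), the toy RSA keys built from fixed Mersenne primes and the 127-bit DH group are assumptions for illustration; the encryption of the signatures under k used in full STS is omitted.

```python
import hashlib, secrets

P, G = 2**127 - 1, 3      # toy DH group (constructed; far too small for real use)
E = 65537                 # public RSA exponent

def keygen(p, q):
    """Toy RSA key pair from two fixed primes: returns (n, d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def h(n, *vals):
    # Hash the signed values into Z_n (no padding: toy signature only).
    data = "|".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(n, d, *vals):
    return pow(h(n, *vals), d, n)

def verify(n, sig, *vals):
    return pow(sig, E, n) == h(n, *vals)

A_N, A_D = keygen(2**89 - 1, 2**127 - 1)   # Alice's certified key (constructed)
B_N, B_D = keygen(2**61 - 1, 2**107 - 1)   # Bob's certified key (constructed)

def run(mitm=False):
    """One exchange; returns (alice_accepts, bob_accepts, keys_match)."""
    a, b, t = (secrets.randbelow(P - 3) + 2 for _ in range(3))
    x, y = pow(G, a, P), pow(G, b, P)
    # Trudy replaces both public values with her own g^t; signatures she must relay.
    x_at_bob = pow(G, t, P) if mitm else x
    y_at_alice = pow(G, t, P) if mitm else y
    sig_b = sign(B_N, B_D, x_at_bob, y)          # Bob signs what he saw
    alice_ok = verify(B_N, sig_b, x, y_at_alice)  # Alice checks against her view
    sig_a = sign(A_N, A_D, x, y_at_alice)        # Alice signs what she saw
    bob_ok = verify(A_N, sig_a, x_at_bob, y)      # Bob checks against his view
    k_a, k_b = pow(y_at_alice, a, P), pow(x_at_bob, b, P)
    return alice_ok, bob_ok, k_a == k_b
```

With `mitm=True` the two views of (x, y) differ, so both signature checks fail and the substitution is detected before k is used.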

9
Multiple Domains with KDC
  • A, to talk to B,
      • contacts KDC_A
      • KDC_A contacts KDC_B, or tells A how to contact
        KDC_B (e.g. generates a session key for A & KDC_B)
      • KDC_B generates a session key for A & B, passes it
        to them.

10
Multiple Domains with CA
  • A, to authenticate the public key of B,
      • verifies B's cert. issued by CA_B,
      • verifies CA_B's cert. issued by CA_A,
  • B does vice versa to authenticate A's key

11
ID-Based Crypto
  • Idea: Is a scheme possible where Alice's public
    key is her ID?
  • Would solve the problem of authenticating a
    public key received.
  • Q: But if anyone can derive the public key from
    the ID, can't they derive the private key as
    well?
  • Support from a trusted private key generator.
  • Private keys are generated from a unique secret S
    known by PKG.
  • Users know a one-way function of S, sufficient
    for public key generation.
  • Practical schemes exist for signature (Shamir)
    and encryption (Boneh-Franklin).

12
ID-Based Crypto
  • Advantages
      • There is no need for Alice to retrieve Bob's
        certificate to send him an encrypted message.
      • Alice can send Bob an encrypted message even
        before he gets his decryption key.
  • Disadvantages
      • Key revocation is (almost) impossible.
      • It is not so significant in interactive
        protocols.
  • Feature
      • Inherent key escrow.

13
Crypto-Based ID
  • Similar to ID-based crypto, ID and PK are
    inherently related.
  • But instead of generating PK from ID, do the
    opposite: ID_A = h(PK_A).
  • Useful in pseudonym systems where (part of) the
    ID can be given a random value.
  • P2P systems
  • IPv6 cryptographically generated address
  • No big brother is necessary.