Key Establishment Protocols. Cryptography CS 507 Erkay Savas Sabanci University

Transcription

1 Key Establishment Potocols Cyptogaphy CS 507 Ekay Savas Sabanci Univesity

2 Key distibution poblem Secuity of the keys Even if the cyptogaphic algoithms & potocols ae cyptogaphically ulta-secue, a possible compomise of secet keys o pat of them will have gave consequences. How two (o moe) paties will exchange (agee on) keys fo secet communication if they ae unable to meet. Main poblem is to shae secet infomation fo symmetic cyptogaphy. Public key cyptogaphy keys ae stoed on public databases. 12/27/2002 Ekay Savas 2

3 Key Ageement Potocols Type of potocol wheeby a key is established by exchanging infomation between two paties. Each paty deives the secet key fom the infomation that is exchanged. Key exchange is best done using public key cyptogaphy. Diffie-Hellman potocol establishes a key with tansfe of two messages. Howeve, DH does not povide authentication. Station-to-Station potocol is authenticated vesion of DH potocol. 12/27/2002 Ekay Savas 3

4 DH Key Exchange (EC vesion) A basepoint P on E:y 2 x 3 + ax +b (mod p). Alice Bob s A s B pivate keys Q A = s A P Q B = s B P public keys Q B Q A s A Q B. s B Q A. R = (x, y ) = s A Q B = s B Q A = s A s B P K = Hash(x paam). (key deivation, IEEE P1363) 12/27/2002 Ekay Savas 4

5 The Intude-in-the-Middle Attack Alice Eve Bob s A s E s B Q A = s A P Q E = s E P Q B = s B P Q A, Q B Q E s A Q E = s A s E P K 1 =s E Q A =s A s E P K 2 = s E Q B = s B s E P Q E s B Q E =s B s E P 12/27/2002 Ekay Savas 5

6 Station-to-Station Potocol Authenticated key ageement potocol. Alice and Bob wants to shae a secet key to use in encyption function E K (.) Alice and Bob use thei pivate keys to sign the exchanged messages. Sign function : Sign pivatekey () Veify function : Veify publickey () Public keys ae obtained fom a public tusted data base Alice Bob s A s B pivate keys Q A = s A P Q B = s B P public keys 12/27/2002 Ekay Savas 6

7 Station-to-Station Potocol Alice Bob R = (x, y ) = s B Q A, K = Hash(x paam). E K (Sign sb (Q A, Q B )) R = s A Q B K = Hash(x paam) D K (Sign sb (Q A, Q B )) Veify QB (Sign sb (Q A, Q B )) E K (Sign sa (Q A, Q B )) D K (Sign sa (Q A, Q B )) Veify QA (Sign sa (Q A, Q B )) 12/27/2002 Ekay Savas 7

8 Confeence Keying SetupLage pime p and a geneato α in Z P *. Key Geneation Use U i selects a andom intege i 1 i p-2. Computes z i α i mod p and sends z i to each of the othe t-1 goup membes. Computation of key Each use U i,afte eceiving z i-1 and z i+1 computes i zi i i i x + 1 i i mod p + 1 = α 1 zi 1 and sends x i to othe membes 12/27/2002 Ekay Savas 8

9 Confeence Keying Afte eceiving x j fo 1 j t and j i, U i computes K t t 1 t i 1 i i+ 1 i+ ( t 3) xi+ ( t 2) = K = ( z ) i x x mx i mod p Example: Uses U 1, U 2, U 3 and U 4 selects 1, 2, 3 and 4 at andom z 1 α 1 mod p z 2 α 2 mod p z 3 α 3 mod p z 4 α 4 mod p 12/27/2002 Ekay Savas 9

10 12/27/2002 Ekay Savas 10 Confeence Keying x 1 α mod p x 2 α mod p x 3 α mod p x 4 α mod p mod ) ( p x x x z K = α mod ) ( p x x x z K = α

11 Key Pe-distibution Alice and Bob have to meet in advance to exchange secets in ode to geneate keys. When the shaed secet is compomised, they have to meet again. Eveything will be diffeent with a tusted thid paty, Tent. Tent will poduce a secet key K AB fo evey pai of uses, say (A, B), that will be used as a secet key. Tent is poweful enough to maintain a secue channel with eveyone. Tent will have to poduce n(n-1)/2 keys fo a goup of n use. 12/27/2002 Ekay Savas 11

12 Blom Key Pe-distibution Scheme This method educes the amount of infomation sent by the tusted authoity. Thee ae n uses. Select a lage pime p and let eveyone know it. 1. Each use U in the netwok is assigned a distinct numbe U (mod p). 2. Tent chooses thee secet andom numbes a, b, c (mod p). 3. Fo each use, Tent calculates the numbes a U a + b U (mod p), b U b + c U (mod p). 12/27/2002 Ekay Savas 12

13 Blom Key Pe-distibution Scheme 4. Tent sends a U, b U via his secue channel to U. 5. Each use U foms the linea polynomial g U (x) = a U + b U x 6. If Alice (A) wants to communicate with Bob (B), then Alice computes K AB = g A ( B ) while Bob computes K BA = g B ( A ) 7. It can be shown that K AB = K BA. So they can stat the secue communication. 12/27/2002 Ekay Savas 13

14 Example Conside a netwok consisting of Alice (A), Bob (B), and Chalie (C). Let p = 23 and let A = 11, B = 3, C = 2. Suppose Tent chooses the numbes a = 8, b = 3, c = 1. The coesponding linea polynomials of each use g A (x) = x g B (x) =17 + 6x g C (x) =14 + 5x 12/27/2002 Ekay Savas 14

15 Example It is now possible to calculate the keys K AB = g A ( B ) = 14 o K BA = g B ( A ) = 14 K AC = g A ( C ) = 0 o K CA = g C ( A ) = 0 K BC = g A ( C ) = 6 o K CB = g C ( B ) = 6 If two uses (Eve and Osca) shae thei secets (a E,b E ) and (a O, b O ) they can detemine a, b, c; theefoe they find all the pais of a U, b U O E 0 O a b c b a b E O O (mod p) 12/27/2002 Ekay Savas 15

16 Secuity of Blom s Scheme Since the deteminant of the matix is E O and U s is chosen to be distinct, the deteminant is nonzeo mod p, and theefoe the system has a solution. Without Eve s help, Osca has only 2 3 matix and he cannot find a, b, c. Suppose he wants to calculate the key K AB. Since K AB a + b A + b B + c A B (mod p). 12/27/2002 Ekay Savas 16

17 12/27/2002 Ekay Savas 17 Secuity of Blom s Scheme Osca has the following matix The deteminant is ( O A ) ( O B ) 0 (mod p). Then, thee is a solution a, b, c fo evey possible value of K AB. Thee ae Blom schemes that ae secue against a coalitions of at most k uses, but which succumb to conspiacies of k+1 uses. ) (mod p b a K c b a O O AB O O B A B A +

18 Key Distibution In key pe-distibution schemes, keys ae pedetemined and that thee is no easy way to change them. Keys must be changed afte cetain time. A class of key establishment potocols, known as tanspot potocols, povide two appoaches: 1. One paty to decide on a key and tansmit it to othe, Alice employs a secue potocol to tansmit the key 2. A tusted authoity, Tent, will act as a key seve. Alice equests a key fom Tent that is good fo a single session Tent sends this key to both Alice and Bob via a secue channel. 12/27/2002 Ekay Savas 18

19 Kebeos Kebeos is a eal-wold implementation of a symmetic key cyptogaphy potocol which povides secuity and authentication in key exchange between uses in a netwok. Suppots both entity authentication and key establishment. Kebeos oiginated fom a lage poject in M.I.T., called Athena. Athena was oiginally designed fo integating a huge netwok of wokstations so that students can secuely access thei files fom anywhee in the net. 12/27/2002 Ekay Savas 19

20 Kebeos Kebeos is based on a client-seve achitectue. A client is eithe a use o some softwae that has some tasks to accomplish. Send an , pint documents, mount devices, etc. Seves ae lage entities whose function is to povide sevices to the clients. The basic Kebeos model has the following paticipants 1. Cliff: a client 2. Simon: a seve 3. Tent: a tusted authoity (a.k.a authentication seve) 4. Gant: ticket-ganting seve. 12/27/2002 Ekay Savas 20

21 Kebeos Potocol Cliff equests a sevice fom Simon, But, they do not have any shaed infomation fo a secue tansmission. Kebeos give them a secet infomation secuely so that they can inteact secetly. The potocol begins with Cliff equesting cedentials (ticket) fom Tent so that he can authenticate himself to Simon. Tent shae a secet infomation (e.g. a passwod) with each use in the system. Tent plays the ole of Key Distibution Cente (KDC). They can use any secet ciphe algoithm. 12/27/2002 Ekay Savas 21

22 Simplified Kebeos Potocol Tent 2 1 Cliff 3 4 Simon 12/27/2002 Ekay Savas 22

23 Kebeos: Notation Cliff and Tent shae K TC Simon and Tent shae K TS E: encyption algoithm N C : a nonce chosen by Cliff T C : a timestamp chosen by Cliff k : a session key chosen by Tent. L: Validity peiod of the ticket (lifetime) Ticket S = E KST (k, C, L) Authenticato = E k (C, T C, C subkey ) 12/27/2002 Ekay Savas 23

24 Kebeos: Steps Step 1 Cliff geneates a nonce N C and sends the following message to Tent (C, S, N C ) Step 2 Tent geneates a new session key k, and defines the validity peiod (i.e. L) fo the ticket. He calculates Ticket S = E KST (k, C, L) and E KCT (k, N C, L, S) Step 3 Cliff decypts the non-ticket pat of the message using K CT and obtains k, N C, L, and S; saves L fo efeence and compaes N C and S against those in message sent in Step 1. 12/27/2002 Ekay Savas 24

25 Kebeos: Steps (cont.) Step 3 Cliff chooses a fesh T C and calculates Authenticato = E k (C, T C, C subkey ) and sends it along with Ticket S to Simon. Step 4 Simon eceives these messages, decypts Ticket S = E KST (k, C, L) using K ST.He obtains k which he uses to decypt Authenticato = E k (C, T C, C subkey ). Simon checks that The identifie fields in Authenticato and Ticket match. The timestamp T C in Authenticato is valid. Simon s local time is within the lifetime L specified in the ticket. 12/27/2002 Ekay Savas 25

26 Kebeos: Steps (cont.) If all the checks pass in Step 4, Simon declaes the authentication of Cliff successful. Step 5 (optional) Simon authenticates himself to Cliff. He calculates E k (T C, S subkey ) and sends it to Cliff (He needs to exclude C fom the calculations since the new value must be diffeent fom Authenticato = E k (C, T C, C subkey )) Step 6 (optional) Cliff decypts E k (T C, S subkey ). If the time stamps match which he sent in Step 3, he then declaes the authentication of Simon successful. 12/27/2002 Ekay Savas 26

27 Secuity and options in Kebeos Since timestamps ae used, the hosts on which this potocol uns must povide both secue and synchonized clocks. If the shaed keys btw Tent, and Cliff and Simon ae passwods, the potocol is no moe secue than the stength of the passwods. Optional keys C subkey and S subkey allow tansfe of a key fom Cliff to Simon o vice vesa. They can combine these keys to deive anothe key, f (C subkey, S subkey ). The lifetime within the ticket allows Cliff to e-use the ticket ove a limited peiod fo multiple inteactions to Simon without additional inteactions with Tent. 12/27/2002 Ekay Savas 27

28 Public Key Infastuctue (PKI) A famewok consisting of policies defining the ules unde which the cyptogaphic systems opeate and pocedues fo geneating and publishing keys and cetificates. A cetificate binds one s identity to its public key. A cetificate contains infomation signed by its publishe, who is commonly efeed as the Cetification Authoity (CA). Thee ae diffeent types of cetificates 12/27/2002 Ekay Savas 28

29 Cetificates Identity cetificates contains entity s identity infomation such as addess, and a list of public keys fo the entity. Cedential cetificates contain infomation descibing access ights. Data in cetificates is encypted (signed) using CA s pivate key. If Alice knows the public key of the CA, she can extact Bob s identity and his public keys fom his cetificate issued by the CA. 12/27/2002 Ekay Savas 29

30 Tust in PKI Alice might not tust Bob, She has to tust the CA. PKI consists of many CAs. A CA can cetify anothe CA if the fome is moe tusted. Diffeent levels of tust Alice and Bob may have diffeent CAs Alice s CA may only tust Bob s CA to cetify Bob and but not cetify othes. Tust elationships become vey elaboate. It may be difficult to detemine how much Alice can tust a cetificate she eceives. 12/27/2002 Ekay Savas 30

31 Petty Good Pivacy (PGP) A pogam to encypt and sign messages. Uses a combination of public and pivate keys Each use maintains a public-key ing, which consists of the public keys of people with whom the use exchanges . Alice, fo example, signs the keys in he key ing with he pivate key to potect them. PGP allows use to exchange key ings. Key evocation is a poblem. 12/27/2002 Ekay Savas 31

32 Petty Good Pivacy (PGP) When Alice eceives Bob s keying, she gives it one of the fou diffeent tust level: Complete tust: she will tust any key in bob s keying Patial tust: She has some confidence on the keys; but pefes to see that the key has been signed by othe uses befoe she tusts a cetain key in the keying. No tust: She does not tust Bob s cetification of any keys. Unknown: She is not sue. Typically, teated the same as no tust. As uses exchange keyings, a web of tust is built between uses. 12/27/2002 Ekay Savas 32

33 X.509 PGP is good fo secuity. But moe seious applications, such as e-commoce, equies moe sophisticated PKIs. X.509 is an intenational standad that is designed to povide authentication fo diectoy sevices on lage compute netwoks. X.509 is used in Visa and Mastecad s SET standad. X.509 cetificates contains fields descibing tust policies. It is possible to designate that a public key is suitable fo secue but not suitable fo e-commece applications. 12/27/2002 Ekay Savas 33