© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Appendix A: Introduction to cryptographic

© 2007 Levente Buttyán and Jean-Pierre Hubaux

Security and Cooperation in Wireless Networks

http://secowinet.epfl.ch/

Appendix A: Introduction to cryptographicalgorithms and protocols

symmetric and asymmetric key encryption;hash functions;MAC functions;digital signatures;key establishment protocols;advanced authentication techniques;

2/80Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols

Chapter outline

A.1 IntroductionA.2 EncryptionA.3 Hash functionsA.4 Message authentication codesA.5 Digital signaturesA.6 Session key establishment protocolsA.7 Pseudo-random number generatorsA.8 Advanced authentication techniques


Introduction

security is about how to prevent attacks, or -- if prevention is not possible -- how to detect attacks and recover from them

an attack is a a deliberate attempt to compromise a system; it usually exploits weaknesses in the system’s design, implementation, operation, or management

attacks can be– passive

• attempts to learn or make use of information from the system but does not affect system resources

• examples: eavesdropping message contents, traffic analysis • difficult to detect, should be prevented

– active• attempts to alter system resources or affect their operation• examples: masquerade (spoofing), replay, modification (substitution,

insertion, destruction), denial of service• difficult to prevent, should be detected

A.1 Introduction


Main security services authentication

– aims to detect masquerade– provides assurance that a communicating entity is the one that it claims

to be

access control– aims to prevent unauthorized access to resources

confidentiality– aims to protect data from unauthorized disclosure– usually based on encryption

integrity– aims to detect modification and replay– provides assurance that data received are exactly as sent by the sender

non-repudiation– provides protection against denial by one entity involved in a

communication of having participated in all or part of the communication– two basic types: non-repudiation of origin and non-repudiation of

delivery

A.1 Introduction


Some security mechanisms

encryption– symmetric key, asymmetric (public) key

digital signature

access control schemes– access control lists, capabilities, security labels, ...

data integrity mechanisms– message authentication codes, sequence numbering, time

stamping, cryptographic chaining

authentication protocols– passwords, cryptographic challenge-response protocols,

biometrics

traffic padding, route control, …

A.1 Introduction


Chapter outline



EE DDmplaintext

Kencryption key

K’decryption key

EK(m)ciphertext

DK’ (EK(m)) = m

eavesdroppingadversary

Classical model of encryption

goal of the adversary:– to systematically recover plaintexts from ciphertexts– to deduce the (decryption) key

Kerckhoff’s principle:– we must assume that the adversary knows all details of E and

D– security of the system should be based on the protection of

the decryption key

A.2 Encryption


Adversary models

ciphertext-only attack– the adversary can only observe ciphertexts produced by the

same encryption key

known-plaintext attack– the adversary can obtain corresponding plaintext-ciphertext

pairs produced with the same encryption key

(adaptive) chosen-plaintext attack– the adversary can choose plaintexts and obtain the

corresponding ciphertexts

(adaptive) chosen-ciphertext attack– the adversary can choose ciphertexts and obtain the

corresponding plaintexts

related-key attack– the adversary can obtain ciphertexts, or plaintext-ciphertext

pairs that are produced with different encryption keys that are related in a known way to a specific encryption key

A.2 Encryption


Security of encryption schemes

an encryption scheme is secure in a given adversary model if it is computationally infeasible for the adversary to determine the target decryption key under the assumptions of the given model

for many encryption schemes used in practice, no proof of security exists– these schemes are used, nevertheless, because they are

efficient and they resist all known attacks

some encryption schemes are provably secure, however these schemes are often inefficient

A.2 Encryption


Basic classification encryption schemes

symmetric-key encryption– it is easy to compute K’ from K (and vice versa)– usually K’ = K– two main types:

• stream ciphers – operate on individual characters of the plaintext

• block ciphers – process the plaintext in larger blocks of characters

asymmetric-key encryption– it is hard (computationally infeasible) to compute K’ from K– K can be made public ( public-key cryptography)

A.2 Encryption


Block ciphers

an n bit block cipher is a function E: {0, 1}n x {0, 1}k {0, 1}n, such that for each K {0, 1}k, E(x, K) = EK(x) is an invertible mapping from {0, 1}n to {0, 1}n

EE

… …

…

n bit input n bit output

k bit key

A.2 EncryptionBlock ciphers


Block cipher design criteria

completeness– each bit of the output block should depend on each bit of the

input block and on each bit of the key

avalanche effect– changing one bit in the input block should change

approximately half of the bits in the output block– similarly, changing one key bit should result in the change of

approximately half of the bits in the output block

statistical independence– input and output should appear to be statistically

independent



How to satisfy the design criteria?

complex encryption function can be built by composing several simple operations which offer complementary – but individually insufficient – protection

simple operations:– elementary arithmetic operations– logical operations (e.g., XOR)– modular multiplication – transpositions– substitutions– ...

combine two or more transformations in a manner that the resulting cipher is more secure than the individual components



Example: DES (Data Encryption Standard)

input size: 64 output size: 64 key size: 56 16 rounds Feistel structure

Initial PermutationInitial Permutation

FF+

FF+

FF+

FF+

…

Initial Permutation-1Initial Permutation-1

(64)

(64)

(32)(32)

(48)

(48)

(48)

(48)

Key S

chedule

r

(56)

K

K1

K2

K16

K3

X

Y



Example: the DES round function F

Si – substitution box (S-box)

P – permutation box (P-box)

++++++ ++++++ ++++++ ++++++ ++++++ ++++++ ++++++ ++++++

S1S1 S2S2 S3S3 S4S4 S5S5 S6S6 S7S7 S8S8

PP

keyinjection



Example: the DES key scheduler

each key bit is used in around 14 out of 16 rounds

Permuted Choice 1Permuted Choice 1


Left shift(s) Left shift(s)


Left shift(s) Left shift(s)

…

(28)

(56)

K

(28)

(28)(28)

(48)

(48)

K1

K2



Exhaustive key search attack

given a small number of plaintext-ciphertext pairs encrypted under a key K, K can be recovered by exhaustive key search with 2k-1 processing complexity (expected number of operations)– input: (X, Y), (X’, Y’), …– progress through the entire key space, and for each candidate key K’,

do the following:• decrypt Y with K’• if the result is not X, then throw away K’• if the result is X, then check the other pairs (X’, Y’), …• if K’ does not work for at least one pair, then throw away K’ and take another

key• if K’ worked for all pairs (X, Y), (X’, Y’), …, then output K’ as the target key

– on average, the target key is found after searching half of the key space

if the plaintexts are known to contain redundancy, then ciphertext-only exhaustive key search is possible with a relatively small number of ciphertexts

in practice, key size should be at least 128 bitsA.2 EncryptionBlock ciphers


Algebraic attacks

having a large key size is only a necessary condition for the security of a block cipher– a block cipher can be broken due to the weaknesses in its

internal (algebraic) structure, even if it uses large keys

example:– naïve exhaustive key search against DES: 255

– attack using the complementation property of DES: 254

Y = DESK(X) implies Y* = DESK*(X*), where X* denotes the bitwise complement of X

– differential cryptanalysis of DES: 247

– linear cryptanalysis of DES: 243



Block cipher modes of operation

ECB – Electronic Codebook– used to encipher a single plaintext block (e.g., a DES key)

CBC – Cipher Block Chaining– repeated use of the encryption algorithm to encipher a

message consisting of many blocks

CFB – Cipher Feedback– used to encipher a stream of characters, dealing with each

character as it comes

OFB – Output Feedback– another method of stream encryption, used on noisy

channels

CTR – Counter – simplified OFB with certain advantages

A.2 EncryptionBlock cipher modes of operation


ECB mode

encrypt

decrypt

EE

P1

C1

K EE

P2

C2

K EE

PN

CN

K…

DD

C1

P1

K DD

C2

P2

K DD

CN

PN

K…



Properties of the ECB mode

identical plaintext blocks result in identical ciphertext blocks (under the same key, of course)– messages to be encrypted often have very regular formats– repeating fragments, special headers, string of 0s, etc. are quite

common

blocks are encrypted independently of other blocks– reordering ciphertext blocks result in correspondingly reordered

plaintext blocks– ciphertext blocks can be cut from one message and pasted in

another, possibly without detection

error propagation: one bit error in a ciphertext block affects only the corresponding plaintext block (results in garbage)

overall: not recommended for messages longer than one block, or if keys are reused for more than one block



CBC mode

encrypt

decrypt

EE

P1

C1

K

+

EE

P2

C2

K

+

EE

P3

C3

K

+

EE

PN

CN

K

+IV CN-1

…

DD

C1

P1

K

+IV

DD

C2

P2

K

+

DD

C3

P3

K

+

DD

CN

PN

K

+CN-1



Properties of the CBC mode encrypting the same plaintexts under the same key, but different

IVs result in different ciphertexts

ciphertext block Cj depends on Pj and all preceding plaintext blocks– rearranging ciphertext blocks affects decryption– however, dependency on the preceding plaintext blocks is only via the

previous ciphertext block Cj-1

– proper decryption of a correct ciphertext block needs a correct preceding ciphertext block only

error propagation: – one bit error in a ciphertext block Cj has an effect on the j-th and (j+1)-

st plaintext block• Pj’ is complete garbage and Pj+1’ has bit errors where Cj had• an attacker may cause predictable bit changes in the (j+1)-st plaintext

block

error recovery:– recovers from bit errors (self-synchronizing)– cannot, however, recover from frame errors (“lost” bits)



Integrity of the IV in the CBC mode

the IV need not be secret, but its integrity should be protected– malicious modification of the IV allows an attacker to make

predictable changes to the first plaintext block recovered

one solution is to send the IV in an encrypted form at the beginning of the CBC encrypted message



Padding

the length of the message may not be a multiple of the block size of the cipher

one can add some extra bytes to the short end block until it reaches the correct size – this is called padding

usually the last byte indicates the number of padding bytes added – this allows the receiver to remove the padding

05

short end block padding



CFB mode

encrypt decrypt

EE

Pi Ci

K

+

shift register (n)

(n)

select s bitsselect s bits

(n)

(s)

(s) (s)

(s)

initialized with IV

EE

Ci Pi

K

+

shift register (n)

(n)


(n)

(s)

(s) (s)

(s)initialized with IV



Properties of the CFB mode encrypting the same plaintexts under the same key, but different

IVs result in different ciphertexts

the IV can be sent in clear

ciphertext block Cj depends on Pj and all preceding plaintext blocks– rearranging ciphertext blocks affects decryption– proper decryption of a correct ciphertext block needs the preceding

n/s ciphertext blocks to be correct

error propagation:– one bit error in a ciphertext block Cj has an effect on the decryption of

that and the next n/s ciphertext blocks (the error remains in the shift register for n/s steps)

• Pj’ has bit errors where Cj had, all the other erroneous plaintext blocks are garbage

• an attacker may cause predictable bit changes in the j-th plaintext block

error recovery:– self synchronizing, but requires n/s blocks to recover



OFB mode

encrypt decrypt

EE

Pi Ci

K

+

shift register (n)

(n)


(n)

(s)

(s) (s)

(s)

initialized with IV

EE

Ci Pi

K

+

shift register (n)

(n)


(n)

(s)

(s) (s)

(s)

initialized with IV



Properties of the OFB mode a different IV should be used for every new message, otherwise

messages will be encrypted with the same key stream

the IV can be sent in clear– however, if the IV is modified by the attacker, then the cipher will

never recover (unlike CFB)

ciphertext block Cj depends on Pj only (does not depend on the preceding plaintext blocks)– however, rearranging ciphertext blocks affects decryption

error propagation:– one bit error in a ciphertext block Cj has an effect on the decryption

of only that ciphertext block• Pj’ has bit errors where Cj had• an attacker may cause predictable bit changes in the j-th plaintext block

error recovery:– recovers from bit errors– never recovers if bits are lost or the IV is modified



CTR mode

encrypt decrypt

EE

Pi Ci

K

+

(n)

(n)

(n)

counter + i

(n)

EE

Ci Pi

K

+

(n)

(n)

(n)

counter + i

(n)



Properties of the CTR mode

similar to OFB

cycle length depends on the size of the counter (typically 2n)

the i-th block can be decrypted independently of the others– parallelizable (unlike OFB)– random access

the values to be XORed with the plaintext can be pre-computed

at least as secure as the other modes

note1: in CFB, OFB, and CTR mode only the encryption algorithm is used (decryption is not needed), that is why some ciphers (e.g., AES) is optimized for encryption

note2: the OFB and CTR modes essentially make a synchronous stream cipher out of a block cipher, whereas the CFB mode converts a block cipher into a self-synchronizing stream-cipher



Stream ciphers

while block ciphers simultaneously encrypt groups of characters, stream ciphers encrypt individual characters– may be better suited for real time applications

stream ciphers are usually faster than block ciphers in hardware (but not necessarily in software)

limited or no error propagation– may be advantageous when transmission errors are probable

note: the distinction between stream ciphers and block ciphers is not definitive– stream ciphers can be built out of block ciphers using CFB,

OFB, or CTR modes– a block cipher in ECB or CBC mode can be viewed as a

stream cipher that operates on large charactersA.2 EncryptionStream ciphers


Synchronous stream ciphers

the key stream is generated independently of the plaintext and of the ciphertext

needs synchronization between the sender and the receiver– if a character is inserted into or deleted from the ciphertext stream

then synchronization is lost and the plaintext cannot be recovered– additional techniques must be used to recover from loss of synch.

no error propagation– a ciphertext character that is modified during transmission affects

only the decryption of that character an attacker can make changes to selected ciphertext characters and

know exactly what effect these changes have on the plaintext (if h = XOR)

ii gk

gk hh

fkfk

i+1zi

pi

ci

A.2 EncryptionStream ciphers


Self-synchronizing stream ciphers

the key stream is generated as a function of a fixed number of previous ciphertext characters

self-synchronizing– since the size t of the register is fixed, a lost ciphertext character

affects only the decryption of the next t ciphertext characters

limited error propagation– if a ciphertext character is modified, then decryption of the next t

ciphertext characters may be incorrect

ciphertext characters depend on all previous plaintext characters– better diffusion of plaintext statistics

gkgk hh

zi

pi

ci

…

regis

ter

A.2 EncryptionStream ciphers


The Vernam cipher and the one-time pad

Vernam cipher– ci = pi ki for i = 1, 2, …

where pi are the plaintext digits, ki are the key stream digits, ci are the ciphertext digits, and is the bitwise XOR operation

one-time pad– a Vernam cipher where the key stream digits are generated

independently and uniformly at random– the one-time pad is unconditionally secure [Shannon, 1949]

• I(P; C) = H(P) - H(P|C) = 0

– a necessary condition for a symmetric key cipher to be unconditionally secure is that H(K) H(P) [Shannon, 1949]

• practically, the key must have as many bits as the compressed plaintext

• impractical because of key management problemsA.2 EncryptionStream ciphers


Asymmetric-key encryption

asymmetric-key encryption– it is hard (computationally infeasible) to compute K’ from K

K can be made public (public-key cryptography)– no need for key setup before communication

public-keys are not confidential but they must be authentic !

the security of asymmetric-key encryption schemes is usually based on some well-known or widely believed hard problems

EE DDmplaintext

K(public) encryption key

K’(private) decryption key

EK(m)ciphertext

DK’ (EK(m)) = m

attacker

A.2 EncryptionA.2.2 Asymmetric-key encryption


Examples for hard problems

factoring problem– given a positive integer n, find its prime factors

• true complexity is unknown• it is believed that it does not belong to P

discrete logarithm problem– given a prime p, a generator g of Zp

*, and an element y in Zp*,

find the integer x, 0 x p-2, such that gx mod p = y• true complexity is unknown• it is believed that it does not belong to P

Diffie-Hellman problem – given a prime p, a generator g of Zp

*, and elements gx mod p and gy mod p, find gxy mod p

• true complexity is unknown• it is believed that it does not belong to P



The RSA encryption scheme

key generation– select p, q large primes (about 500 bits each)– n = pq, (n) = (p-1)(q-1)– select e such that 1 < e < (n) and gcd(e, (n)) = 1– compute d such that ed mod (n) = 1 (this is easy if (n) is

known)– the public key is (e, n)– the private key is d

encryption– represent the message as an integer m in [0, n-1]– compute c = me mod n

decryption– compute m = cd mod n



Relation to factoring

the problem of computing d from (e, n) is computationally equivalent to the problem of factoring n– if one can factor n, then one can easily compute d– if one can compute d, then one can efficiently factor n

the problem of computing m from c and (e, n) (called the RSA problem) is believed to be computationally equivalent to factoring– if one can factor n, then one can easily compute m from c

and (e, n)– there’s no formal proof for the other direction



The need for salting

let us assume that the adversary observes a ciphertext c = EK(m)

let the set of possible plaintexts be M

if M is small, then the adversary can try to encrypt every message in M with the publicly known key K until she finds the message m that maps into c

the usual way to prevent this attack is to randomize the encryption– some random bytes are added to the plaintext message

before encryption through the application of the PKCS #1 formatting rules

– when the message is decrypted, the recipient can recognize and discard these random bytes



The ElGamal encryption scheme

key generation– generate a large random prime p and choose generator g of the

multiplicative group Zp* = {1, 2, …, p-1}

– select a random integer a, 1 a p-2, and compute A = ga mod p– the public key is (p, g, A)– the private key is a

encryption– represent the message as an integer m in [0, p-1]– select a random integer r, 1 r p-2, and compute R = gr mod p– compute C = mAr mod p– the ciphertext is the pair (R, C)

decryption– compute m = CRp-1-a mod p

proof of decryptionCRp-1-a mArRp-1-a mgargr(p-1-a) mgp-1)r m (mod p)



Relation to hard problems

security of the ElGamal scheme is said to be based on the discrete logarithm problem in Zp

*, although equivalence has not been proven yet

recovering m given p, g, A, R, and C is equivalent to solving the Diffie-Hellman problem



Digital enveloping

plaintext message

symmetric-keycipher

(e.g., in CBC mode)

symmetric-keycipher

(e.g., in CBC mode)

public keyof the receiver

asymmetric-keycipher

asymmetric-keycipher

digital envelop

generate randomsymmetric key

generate randomsymmetric key

bulk encryption key

most popular public-key encryption methods are several orders of magnitude slower than the best known symmetric key schemes

public-key encryption is used together with symmetric-key encryption; the technique is called digital enveloping



Chapter outline



Hash functions

a hash function maps bit strings of arbitrary finite length to bit strings of fixed length (n bits)

many-to-one mapping collisions are unavoidable however, finding collisions are difficult the hash value

of a message can serve as a compact representative image of the message (similar to fingerprints)

message of arbitrary length

fix lengthhash value / message digest / fingerprint

hash function

hash function

A.3 Hash functions


Desirable properties of hash functions

ease of computation– given an input x, the hash value h(x) of x is easy to compute

weak collision resistance (2nd preimage resistance)– given an input x, it is computationally infeasible to find a

second input x’ such that h(x’) = h(x)

strong collision resistance (collision resistance)– it is computationally infeasible to find any two distinct inputs

x and x’ such that h(x) = h(x’)

one-way property (preimage resistance)– given a hash value y (for which no preimage is known), it is

computationally infeasible to find any input x s.t. h(x) = y

A.3 Hash functions


The Birthday Paradox

Given a set of N elements, from which we draw k elements randomly (with replacement). What is the probability of encountering at least one repeating element?

first, compute the probability of no repetition:– the first element x1 can be anything

– when choosing the second element x2, the probability of x2 x1 is 1-1/N

– when choosing x3, the probability of x3 x2 and x3 x1 is 1-2/N

– … – when choosing the k-th element, the probability of no repetition is

1-(k-1)/N – the probability of no repetition is (1 - 1/N)(1 - 2/N)…(1 – (k-1)/N)– when x is small, (1-x) e-x

– (1 - 1/N)(1 - 2/N)…(1 – (k-1)/N) = e-1/Ne-2/N … e-(k-1)/N = e-k(k-1)/2N

the probability of at least one repetition after k drawing is 1 – e-k(k-1)/2N

A.3 Hash functions


The Birthday Paradox (cont’d)

How many drawings do you need, if you want the probability of at least one repetition to be ?

solve the following for k: = 1 – e-k(k-1)/2N

k(k-1) = 2N ln(1/1-)k sqrt(2N ln(1/1-))

examples: = ½ k 1.177 sqrt(N) = ¾ k 1.665 sqrt(N) = 0.9 k 2.146 sqrt(N)

origin of the name “Birthday Paradox”:– elements are dates in a year (N = 365)– among 1.177 sqrt(365) 23 randomly selected people, there will

be at least two that have the same birthday with probability ½

A.3 Hash functions


Choosing the output size of a hash function

the Birthday Paradox have a profound impact on the design of hash functions (and other cryptographic algorithms and protocols)!– let n be the output size of a hash function– among ~sqrt(2n) = 2n/2 randomly chosen messages, with

high probability, there will be a collision pair– it is easier to find collisions than to find preimages or 2nd

preimages for a given hash value in order to resist birthday attacks, 2n/2 should be sufficiently

large (e.g., n = 160 bits)

A.3 Hash functions


Iterated hash functions

input is divided into fixed length blocks x1, x2, …, xL

last block is padded if necessary– Merkle-Damgard strengthening: padding contains the length of the

message

each input block is processed according to the following scheme

f is called the compression function– can be based on a block cipher, or– can be a dedicated compression function

x1

CV0

(b)

(n) (n)

CV1

ff

x2

(b)

(n)

CV2

ff

x3

(b)

(n)

CV3

ff

xL

(b)

(n)h(x) = CVL

ffCVL-1

…

A.3 Hash functions


Chapter outline



Message authentication codes (MACs)

MAC functions can be viewed as hash functions with two functionally distinct inputs: a message and a secret key

they produce a fixed size output (say n bits) called the MAC practically it should be infeasible to produce a correct MAC

for a message without the knowledge of the secret key MAC functions can be used to implement data integrity and

message origin authentication services

message of arbitrary length

fix lengthMAC

MAC function

MAC function secret key

A.4 Message authentication codes


MAC generation and verification

MACMACmessage MAC

genera

tion secret key

MACMACmessage MAC

veri

fica

tion

secret keycomparecompare

yes/no



Desirable properties of MAC functions

ease of computation– given an input x and a secret key k, it is easy to compute

MACk(x)

key non-recovery– it is computationally infeasible to recover the secret key k,

given one or more text-MAC pairs (xi, MACk(xi)) for that k

computation resistance– given zero or more text-MAC pairs (xi, MACk(xi)), it is

computationally infeasible to find a text-MAC pair (x, MACk(x)) for any new input x xi

– computation resistance implies key non-recovery but the reverse is not true in general



CBC MAC

CBC MAC is secure for messages of a fixed number of blocks

(adaptive chosen-text existential) forgery is possible if variable length messages are allowed

it is recommended to involve the length of the message in the CBC MAC computation

EE

x1

k

+

EE

x2

k

+

EE

x3

k

+

EE

xN

cN

k

+0 cN-1

…

c1 c2 c3

E-1E-1

EE

k’

k

MAC

optio

nal



HMAC

k+ ipad

CV0ff

x1

ff

xL|padding1

ff

k+ opad

CV0ff

M|padding2

ff

MCV1

inner

CV1outer

HMACk(x)

…

hash fn

hash fn

HMACk(X) = H( k’’|H( k’|X ))



Chapter outline



Digital signatures

similar to MACs but– unforgeable by the receiver– verifiable by a third party

used for message authentication and non-repudiation (of message origin)

based on public-key cryptography– private key defines a signing transformation SA

• SA(m) =

– public key defines a verification transformation VA

• VA(m, ) = true if SA(m) =

• VA(m, ) = false otherwise

A.5 Digital signatures


Attacks on digital signature schemes

key-only attack– only the public key is available to the adversary

known-message attack – the adversary has signatures for a set of messages known to

her but not chosen by her

chosen-message attack– the adversary obtains signatures for messages chosen by

her before attempting to break the signature scheme

adaptive chosen-message attack– the adversary is allowed to use the signer as an oracle– she may request signatures for messages which depend on

previously obtained signatures



“Hash-and-sign” paradigm

public/private key operations are slow hash the message first and apply public/private key operations

to the hash value only

hh encenc

private keyof sender

message hash signature

hhmessage hash

decdec

public keyof sender

signature

comparecompare

yes/no

genera

tion

veri

fica

tion



Examples of digital signature scheme

RSA– essentially identical to the RSA encryption scheme– signature = decryption with private key– typical signature length is 1024 bits

DSA (Digital Signature Algorithm)– based on the ElGamal signature scheme– typical signature length is 1024 bits

ECDSA (Elliptic Curve DSA)– same as DSA but works over elliptic curves– reduced signature length (typically 320 bits)



Chapter outline



Session key establishment protocols

goal of session key establishment protocols– to setup a shared secret between two (or more) parties– it is desired that the secret established by a fixed pair of

parties varies on subsequent executions of the protocol (dynamicity)

– established shared secret is used as a session key to protect communication between the parties

motivation for use of session keys– to limit available ciphertext for cryptanalysis– to limit exposure caused by the compromise of a session key– to avoid long-term storage of a large number of secret keys

(keys are created on-demand when actually required)– to create independence across communication sessions or

applications

A.6 Session key establishment protocols


Basic classification

key transport protocols– one party creates or otherwise obtains a secret value, and

securely transfers it to the other party

key agreement protocols– a shared secret is derived by the parties as a function of

information contributed by each, such that no party can predetermine the resulting value



Further services

entity authentication

implicit key authentication– one party is assured that no other party aside from a specifically

identified second party (and possibly some trusted third parties) may gain access to the established session key

key confirmation– one party is assured that a second (possibly unidentified) party

actually possesses the session key– possession of a key can be demonstrated by

• producing a one-way hash value of the key or • encryption of known data with the key

explicit key authentication – implicit key authentication + key confirmation

key freshness– one party is assured that the key is new (never used before)



Further protocol characteristics

reciprocity– guarantees are provided unilaterally– guarantees are provided mutually

efficiency– number of message exchanges (passes) required– total number of bits transmitted (i.e., bandwidth used)– complexity of computations by each party– possibility of precomputations to reduce on-line computational

complexity

third party requirements– on-line, off-line, or no third party at all– degree and type of trust required in the third party

system setup– distribution of initial keying material



The Wide-Mouth-Frog protocol

Alice BobServer

generate k

A, EKas( B, k, Ta )

EKbs( A, k, Ts )

summary: a simple key transport protocol that uses a trusted third partyAlice generates the session key and sends it to Bob via the trusted third party

characteristics: implicit key authentication for Alice explicit key authentication for Bob key freshness for Bob with timestamps (flawed) unilateral entity authentication of Alice on-line third party (Server) trusted for secure relaying of keys and

verification of freshness, in addition A is trusted for generating good keys initial long-term keys between the parties and the server are required



A flaw in the Wide-Mouth-Frog protocol

summary: after observing one run of the protocol, Trudy can continuously use the Server as an oracle until she wants to bring about re-authentication between Alice and Bob

B, EKbs( A, k, Ts )

EKas( B, k, Ts

(1))

A, EKas( B, k, Ts

(1))

EKbs( A, k, Ts

(2))

...

EKbs( A, k, Ts

(n))

BobTrudyServer



Signed encrypted keys

BobAlice

A, EKb(k), Ta, SKa(B,EKb(k),Ta)

generate k

summary: Alice generates a session key, encrypts it with Bob’s public key, then sings it, and sends it to Bob

characteristics: unilateral entity authentication (of Alice), mutual implicit key authentication, no key confirmation, key freshness with timestamp, clock synchronization, off-line third party for issuing public key certificates may be required, initial exchange of public keys between the parties may be required, Alice is trusted to generate keys, non-repudiation guarantee for Bob



The Diffie-Hellman protocol

BobAlice

select random xcompute gx mod p

select random ycompute gy mod p

gx mod p

gy mod p

compute k = (gy)x mod p compute k = (gx)y mod p

summary: a key agreement protocol based on one-way functions; in particular, securityof the protocol is based on the hardness of the discrete logarithm problem and that of the Diffie-Hellman problem

characteristics: NO AUTHENTICATION, key freshness with randomly selected exponents, no party can control the key, no need for a trusted third party

assumptions: p is a large prime, g is a generator of Zp*, both are publicly known system

parameters



Chapter outline



Pseudo-random number generators (PRNGs)

a random number is a number that cannot be predicted by an observer before it is generated– if the number is generated within the range [0, N-1], then its

value cannot be predicted with any better probability than 1/N

– the above is true even if the observer is given all previously generated numbers

a cryptographic pseudo-random number generator (PRNG) is a mechanism that processes somewhat unpredictable inputs and generates pseudo-random outputs– if designed, implemented, and used properly, then even an

adversary with enormous computational power should not be able to distinguish the PRNG output from a real random sequence

A.7 Pseudo-random number generators


General operation of PRNGs


internalstate

internalstate

unpredictableinput samples(from physicalprocesses)

pseudo-random bitsindistinguishable fromreal random bits

…

one-way fn

entropypool

entropypool

re-keying

state update


Desirable properties of PRNGs

the adversary cannot compute the internal state of the PRNG, even if she has observed many outputs of the PRNG

the adversary cannot compute the next output of the PRNG, even if she has observed many previous outputs of the PRNG

if the adversary can observe or even manipulate the input samples that are fed in the PRNG, but she does not know the internal state of the PRNG, then the adversary cannot compute the next output and the next internal state of the PRNG

if the adversary has somehow learned the internal state of the PRNG, but she cannot observe the input samples that are fed in the PRNG, then the adversary cannot figure out the internal state of the PRNG after the re-keying operation



Chapter outline



Hash chains a hash chain is a sequence of hash values that are computed by

iteratively calling a one-way hash function on an initial value v0

properties:– given vi, it is easy to compute any vj for j > i (vj = h(j-i)(vi))– but it is difficult to compute vk for k < i (one-way property of h)

hash chains can be used for repeated authentications at the cost of a single digital signature– Alice computes a hash chain and commits to it by signing vn and distributing it

to potential verifiers– later on, Alice can authenticate herself repeatedly (at most n times) by

revealing the elements of the hash chain in reverse order– when vn-i is revealed, verifiers can check if h(i)(vn-i) = vn (or h(vn-i) = vn-i+1 if they

remember the last revealed element)– each hash chain element can be used only once for authenticating Alice – verifiers are assured that only Alice could have released the next hash chain

element

hash chains can be stored efficiently with a storage complexity that is logarithmic in the length of the hash chain

A.8 Advanced authentication techniques

v0 v1 v2 v3 vn-1 vnh h h h h…


Merkle-trees the limitation of hash chains is that elements can only be revealed

sequentially Merkle-trees overcome this problem by allowing for the pre-authentication

of a set of values with a single digital signature (on the root u0 of the tree) and for the revelation of those values in any order

when revealing a value vi, Alice must also reveal all the values assigned to the sibling vertices on the path from vi’ to the root (e.g., v3 is revealed together with v4’, u12, u5678)

verifiers hash the revealed values appropriately and check if the result is u0



TESLA

a broadcast authentication mechanism based on symmetric key cryptographic primitives

main idea: asymmetry through delayed disclosure of authentication keys– Alice wants to broadcast a message m– Alice computes a MAC on m with a key unknown to the verifiers– verifiers receive message m with the MAC, but they cannot

immediately verify authenticity– later, Alice discloses the key used to compute the MAC– verifiers can now verify the MAC; if it is correct, they know that the

message was sent by Alice, because at the time of reception nobody else knew the key

assumptions:– loose time synchronization between the participants– each party knows an upper bound on the maximum synchronization

error– initial secret between the parties to bootstrap the whole mechanism



TESLA (cont’d)

MAC keys are consecutive elements in a one-way key chain:– K0 K1 … Kn

– Ki = h(Ki-1)

protocol operation:– setup: Alice sends Kn to each verifier in an authentic manner– time is divided into epochs– each message sent in epoch i is authenticated with key Kn-i

– Kn-i is disclosed in epoch i+d, where d is a system parameter– Kn-i is verified by checking h(Kn-i) = Kn-i+1

example:Kn-1 Kn-2 Kn-3 Kn-4

P1 P2 P3 P4 P5 P6 P7 time

Kn-1 Kn-2 Kn-3key disclosure schedule

Kn



Conclusions

security services are implemented by using security mechanisms

many security mechanisms are based on cryptography (e.g., encryption, digital signature, message authentication codes, …)

but be cautious: “If you think cryptography is going to solve your problem, you don't

understand cryptography and you don't understand your problem.”-- Roger Needham

other important aspects are– physical protection– procedural rules– education

Documents

© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Appendix A: Introduction to cryptographic