Chap 12 New


8/3/2019 Chap 12 New

1/50

Key Establishment Protocols

Maithili Narasimha

April 30, 2012

2/50

Contents

Classification and framework
Key transport based on symmetric encryption
Key agreement based on symmetric techniques
Key transport based on public-key encryption
Key agreement based on asymmetric techniques
Secret sharing
Conference keying
Analysis of key establishment protocols

3/50

Concepts and Classification

Key establishment: a shared secret becomes available to two or more parties, for subsequent cryptographic use.

Key transport protocol: one party creates the secret and securely transfers it to the other(s).

Key agreement protocol: key establishment technique in which a shared secret is derived by two (or more) parties.

Key pre-distribution vs. dynamic (session) key establishment.

4/50

Use of trusted servers

Names for the trusted party: trusted third party, trusted server, authentication server, key distribution center (KDC), key translation center (KTC) and certification authority (CA).

Secure key establishment: each party in a key establishment protocol must be able to determine the true identity of the other(s) which could possibly gain access to the resulting key, implying preclusion of any unauthorized additional parties from deducing the same key.

In short: secrecy of the key, and identification of those parties with access to it.

5/50

Authentication

Term                           Assurance provided
authentication                 depends on context of usage
entity authentication          identity of a party, and aliveness at a given instant
data origin authentication     identity of the source of data
(implicit) key authentication  identity of party which may possibly share a key
key confirmation               evidence that a key is possessed by some party
explicit key authentication    evidence that an identified party possesses a given key

6/50

Classification and concepts

(Implicit) key authentication: one party is assured that no other party aside from a specifically identified second party may gain access to a particular secret key. This is independent of the actual possession of such key by the second party, or of knowledge of such actual possession by the first party.

Key confirmation: one party is assured that a second (possibly unidentified) party actually has possession of a particular secret key.

Explicit key authentication: both (implicit) key authentication and key confirmation hold.

7/50

Motivation for use of session keys

Session key: an ephemeral secret, i.e., one whose use is restricted to a short time period after which all trace of it is eliminated.

Motivation
- to limit available cipher-text
- to limit exposure in the event of (session) key compromise
- to avoid long-term storage of a large number of distinct secret keys
- to create independence across communications sessions or applications

8/50

Key Establishment Protocol Characteristics

- nature of the authentication
- reciprocity of authentication: unilateral vs. mutual
- key freshness
- key control: key distribution vs. key agreement
- efficiency
  - number of message exchanges
  - bandwidth
  - complexity of computations
  - pre-computation?
- third party requirements
  - on-line (real-time), off-line, or no third party
  - degree of trust required in a third party
- type of certificate used
- non-repudiation

9/50

Assumptions and Adversaries

Attacks
- passive attack: the adversary simply records data and analyzes it
- active attack: the adversary modifies or injects messages

What are the attacker's roles?
- deduce a session key using information gained by eavesdropping;
- participate covertly in a protocol initiated by one party, and influence it by altering messages so as to be able to deduce the key;
- initiate one or more protocol executions, and combine messages from one with another, so as to carry out one of the above attacks;
- without being able to deduce the session key, deceive a legitimate party regarding the identity of the party with which it shares a key.

In entity authentication, the adversary's objective is to arrange that one party receives messages which satisfy that party that the protocol has been run successfully with a party other than the adversary.

10/50

PFS and Known-Key Attacks

Perfect forward secrecy (PFS): compromise of the long-term key does not compromise past session keys. PFS ensures that previous traffic is locked securely in the past.

Known-key attack: compromise of past session keys allows either a passive adversary to compromise future session keys, or impersonation by an active adversary in the future.

12/50

Point-to-Point Key Update

Key transport with one pass
  Long-term symmetric key K shared between A and B.
  A → B: E_K(r_A)                 (r_A is the session key)
  Provides implicit key authentication.
  Additional fields:
    timestamp or sequence number: freshness
    target identifier: prevents undetectable message replay
  Hence A → B: E_K(r_A, t_A, B)
  Mutual authentication: B → A: E_K(r_B, t_B, A); the session key is then f(r_A, r_B)

Key transport with challenge-response
  B → A: n_B                      (nonce, for freshness)
  A → B: E_K(r_A, n_A, n_B, B)
  B → A: E_K(r_B, n_B, n_A, A)

Does not provide PFS.

13/50

Point-to-Point Key Update

Authenticated Key Exchange Protocol 2 (AKEP2)
  A → B: r_A
  B → A: (B, A, r_A, r_B), h_K(B, A, r_A, r_B)
  A → B: (A, r_B), h_K(A, r_B)
  Session key W = h_K(r_B)

AKEP1
  B → A: (B, A, r_A, r_B, (r, W ⊕ h_K(r))), h_K(B, A, r_A, r_B, (r, W ⊕ h_K(r)))
  Optimization: r = r_B
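As an added illustration (not code from the slides), here is AKEP2 run end to end with h_K instantiated as HMAC-SHA256. The long-term keys, identities and nonces are constructed; the session key W is derived under a separate key K', which is this example's choice (the slide writes h_K for every use).

```python
import hashlib
import hmac
import secrets

# Constructed long-term secrets shared by A and B (not from the slides).
K = b"constructed-long-term-mac-key-K"          # keys h_K in messages 2 and 3
K_PRIME = b"constructed-session-derivation-K'"  # keys the derivation of W (assumption)


def h(key: bytes, *fields: bytes) -> bytes:
    """h_K(...) instantiated as HMAC-SHA256 over length-prefixed fields,
    so (B, A, r_A, r_B) cannot be re-split at different field boundaries."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        mac.update(len(field).to_bytes(2, "big"))
        mac.update(field)
    return mac.digest()


def responder_reply(b: bytes, a: bytes, r_a: bytes, r_b: bytes):
    """Message 2, B -> A: (B, A, r_A, r_B), h_K(B, A, r_A, r_B)."""
    return (b, a, r_a, r_b), h(K, b, a, r_a, r_b)


def initiator_check(a: bytes, b: bytes, r_a: bytes, msg2):
    """A verifies message 2 and, if it is genuine, produces message 3.
    Returns None when the identities, the echoed r_A or the MAC do not match."""
    fields, tag = msg2
    b2, a2, r_a2, r_b = fields
    if (b2, a2, r_a2) != (b, a, r_a):
        return None                       # wrong peer, wrong role, or stale r_A
    if not hmac.compare_digest(tag, h(K, b, a, r_a, r_b)):
        return None
    return (a, r_b), h(K, a, r_b)         # message 3, A -> B: (A, r_B), h_K(A, r_B)


def responder_check(a: bytes, r_b: bytes, msg3) -> bool:
    """B verifies that message 3 binds A's identity to the fresh r_B."""
    fields, tag = msg3
    return fields == (a, r_b) and hmac.compare_digest(tag, h(K, a, r_b))


def session_key(r_b: bytes) -> bytes:
    """W = h_K'(r_B): derived from r_B under the separate key K'."""
    return h(K_PRIME, r_b)


def run_akep2(a: bytes = b"A", b: bytes = b"B", r_a: bytes = None, r_b: bytes = None):
    """Drive both parties; returns W on success, None if either side rejects."""
    r_a = r_a if r_a is not None else secrets.token_bytes(16)   # 1. A -> B: r_A
    r_b = r_b if r_b is not None else secrets.token_bytes(16)
    msg2 = responder_reply(b, a, r_a, r_b)
    msg3 = initiator_check(a, b, r_a, msg2)
    if msg3 is None or not responder_check(a, r_b, msg3):
        return None
    return session_key(r_b)


if __name__ == "__main__":
    print(run_akep2().hex())
```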

14/50

Shamir's no-key algorithm

Protocol (A and B hold secret exponents A and B; K is the key to be transported)
  A → B: K^A mod p
  B → A: (K^A)^B mod p
  A → B: (K^{AB})^{A^{-1}} mod p

Properties
- Provides key transport
- No a priori information is required
- Protection from passive adversaries
- Does not provide authentication
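An added worked run of the three passes over a small constructed prime (example code, not from the slides). The exponents are written a and b here instead of the slide's A and B to avoid clashing with the party names, and the final step, B stripping its own exponent, is carried out so that the transported key can be checked.

```python
import secrets
from math import gcd

# Constructed toy parameter: p is prime, so exponents can be inverted mod p-1.
P = 1000003


def pick_exponent(p: int = P) -> int:
    """Secret exponent coprime to p-1, so its inverse exponent exists."""
    while True:
        e = secrets.randbelow(p - 3) + 2          # 2 <= e <= p-2
        if gcd(e, p - 1) == 1:
            return e


def no_key_transport(key: int, a: int, b: int, p: int = P):
    """Run Shamir's three passes; returns (messages on the wire, key recovered by B)."""
    assert 1 < key < p and gcd(a, p - 1) == 1 and gcd(b, p - 1) == 1
    m1 = pow(key, a, p)                     # A -> B: K^a mod p
    m2 = pow(m1, b, p)                      # B -> A: (K^a)^b mod p
    a_inv = pow(a, -1, p - 1)               # a^-1 mod (p-1); Fermat gives K^(p-1) = 1
    m3 = pow(m2, a_inv, p)                  # A -> B: (K^ab)^(a^-1) = K^b mod p
    b_inv = pow(b, -1, p - 1)
    recovered = pow(m3, b_inv, p)           # B: (K^b)^(b^-1) = K  (step not shown on the slide)
    return (m1, m2, m3), recovered


if __name__ == "__main__":
    # An eavesdropper sees only K^a, K^ab and K^b; nothing in them names A or B,
    # which is why the protocol gives no authentication.
    msgs, k = no_key_transport(424242, pick_exponent(), pick_exponent())
    print(msgs, k)
```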

15/50

Kerberos

Basic setup
- A, B and a trusted server T share long-term pairwise secret keys a priori.
- The server either plays the role of a KDC and itself supplies the session key, or serves as a key translation center (KTC).
- A and B share no secret, while T shares a secret with each.
- Goal: for B to verify A's identity, and establishment of a shared key.

Description
- A requests from T credentials to allow it to authenticate itself to B.
- T plays the role of a KDC, returning to A a session key encrypted for A and a ticket encrypted for B.
- The ticket contains the session key and A's identity; it provides authentication of A to B when accompanied by an appropriate message (authenticator) created by A containing a timestamp encrypted under that session key.

16/50

Kerberos

Protocol
  A → T: A, B, N_A                                    (N_A: nonce, for freshness)
  T → A: E_{K_BT}(k, A, L), E_{K_AT}(k, N_A, L, B)     (L: lifetime)
  A → B: E_{K_BT}(k, A, L), E_k(A, T_A, A_subkey)
  B → A: E_k(T_A, B_subkey)                            (optional mutual authentication)

Properties
- Since timestamps are used, the hosts on which this protocol runs must provide both secure and synchronized clocks.
- If the initial shared keys are password-derived, the protocol is no more secure than the secrecy of such passwords or their resistance to password-guessing attacks.
- A_subkey and B_subkey allow transfer of a key from A to B.
- The lifetime L is intended to allow A to re-use the ticket: A creates a new authenticator with a new timestamp and the same session key k.

17/50

Needham-Schroeder shared-key protocol (important primarily for historical reasons)

Protocol
  1. A → T: A, B, N_A
  2. T → A: E_{K_AT}(N_A, B, k, E_{K_BT}(k, A))
  3. A → B: E_{K_BT}(k, A)
  4. B → A: E_k(N_B)
  5. A → B: E_k(N_B − 1)

Properties
- The protocol provides A and B with a shared key k with key authentication.
- (4) and (5) provide entity authentication of A to B. Entity authentication of B to A can be obtained using a redundancy check on N_B upon decrypting message (4).
- If it is acceptable for A to re-use key k with B, A may securely cache (3) with k.
- To prevent replay of (4), E_k(N_A) should be appended to message (3), and (4) should be replaced by E_k(N_A − 1, N_B), allowing A to verify B's knowledge of k.

18/50

Needham-Schroeder vs. Kerberos

- The Kerberos lifetime parameter is not present in N-S.
- In N-S, message (2) (which corresponds to the Kerberos ticket) is double-encrypted.
- Authentication in N-S employs a nonce rather than a timestamp.
- Since B has no way of knowing if k is fresh, should k ever be compromised, any party knowing it may both resend message (3) and compute a correct message (5) to impersonate A to B.
- This situation is ameliorated in Kerberos by the lifetime parameter, which limits exposure to a fixed time interval.

19/50

Otway-Rees protocol

Protocol
  1. A → B: M, A, B, E_{K_AT}(M, A, B, N_A)                          (M: another nonce)
  2. B → T: M, A, B, E_{K_AT}(M, A, B, N_A), E_{K_BT}(M, A, B, N_B)
  3. T → B: E_{K_AT}(k, N_A), E_{K_BT}(k, N_B)
  4. B → A: E_{K_AT}(k, N_A)

Properties
- Only 4 rounds
- Does not require timestamps
- Provides key authentication and key freshness, but not entity authentication or key confirmation
- N_A could be eliminated in (1), (2), and replaced by M in (3), (4)
- Could provide key confirmation and entity authentication (5 rounds):
    4. B → A: E_{K_AT}(k, N_A), E_k(N_A, N_B)
    5. A → B: E_k(N_B)

20/50

To recap

Protocol                      messages  timestamp  server
Otway-Rees                    4         no         KDC
Needham-Schroeder shared-key  5         no         KDC
Kerberos                      4         yes        KDC
Shamir's no-key protocol      3         no         none
point-to-point key update     1-3       optional   none

22/50

Key Agreement (Symmetric key encryption)

A key distribution system (KDS) is said to be j-secure if a coalition of j or fewer users can do no better at computing the key shared by two other users than a party which guesses the key without any pieces whatsoever.

Blom KDS bound: in any j-secure KDS with m-bit session keys, the secret data held by each user must be at least m(j + 1) bits.

Blom's scheme
- engineered to provide unconditional security against coalitions of a specified maximum size
- the initial keying material assigned to each user allows computation of a larger number of derived keys, one per each other user
- derived keys of different user pairs are not statistically independent

24/50

Key Transport using PKC without signature

Needham-Schroeder public-key protocol
  A → B: P_B(k1, A)
  B → A: P_A(k1, k2)
  A → B: P_B(k2)
No signatures; mutual authentication (key + entity); mutual key transport.

Modified NS
  A → B: P_B(k1, A, r1)
  B → A: P_A(k2, r1, r2)
  A → B: r2
Eliminates the third public-key encryption.

25/50

Combining PK encryption and signature

Encrypting signed keys
  A → B: P_B(k, t_A, S_A(B, k, t_A))
  Problem: the data to be encrypted is too large.

Encrypting and signing separately
  A → B: P_B(k, t_A), S_A(B, k, t_A)
  Acceptable only if no information regarding the plaintext data can be deduced from the signature.

Signing encrypted keys
  A → B: t_A, P_B(A, k), S_A(B, t_A, P_B(A, k))

Can provide mutual authentication with two messages (timestamps) or three messages (challenge-response).

26/50

X.509 strong authentication protocols

Assurances of X.509 strong authentication:
- the identity of A, and that the token received by B was constructed by A;
- the token received by B was specifically intended for B;
- the token received by B has freshness;
- the secrecy of the transferred key.

X.509 strong two-way authentication
  D_A = (t_A, r_A, B, data1, P_B(k1)),  D_B = (t_B, r_B, A, r_A, data2, P_A(k2))
  A → B: cert_A, D_A, S_A(D_A)
  B → A: cert_B, D_B, S_B(D_B)

Comments
- Since the protocol does not specify inclusion of an identifier within the scope of the encryption P_B within D_A, one cannot guarantee that the signing party actually knows (or was the source of) the plaintext key.

27/50

Hybrid Key Transport using PKE

Beller-Yacobi (4 pass)

Properties
- mutual authentication, explicit key authentication
- for applications where there is an imbalance in processing power between the two parties
- the identity of the weaker party remains concealed from eavesdroppers

Algorithm
  B → A: cert_B = (I_B, n_B, G_B)      (certificate generated with RSA)
  A → B: P_B(K) = K^3 mod n_B
  B → A: E_K(m, {0}^t)                 (symmetric-key encryption)
  A → B: E_K((v, w), cert_A)           ((v, w): DSA signature with precomputation)

Comments
- To achieve mutual authentication, each party carries out at least one private-key operation, and one or two public-key operations.
- Careful selection of two separate public-key schemes: the RSA public operation and the ElGamal private-key operation are cheap.

28/50

Hybrid Key Transport using PKE

Beller-Yacobi (2 pass)

Algorithm
  A precomputes x, v = g^x mod n_S.
  B selects a random challenge m.
  B → A: m, cert_B                       (cert_B = (I_B, n_B, G_B))
  A verifies cert_B via P_T(G_B) and computes (v, w) = S_A(m, I_B).
  A → B: P_B(v), E_v(cert_A, w)          (cert_A = (I_A, u_A, G_A))
  B recovers v, sets K = v, and verifies cert_A and the signature (v, w).

Properties: slightly weaker authentication assurances
- B obtains entity authentication of A and obtains a key K that A alone knows, while A has key authentication with respect to B.
- For A to obtain explicit key authentication of B, a third message may be added whereby B exhibits knowledge through use of K on a challenge or standard message (e.g., {0}^t).

29/50

Key Transport based on PKC

Protocol                          #msg  entity authentication  signature required
basic PK encryption (1-pass)      1     no                     no
Needham-Schroeder PK              3     mutual                 no
encrypting signed keys            1     data origin only       yes
separate signing, encrypting      1     data origin only       yes
signing encrypted keys            1     data origin only       yes
X.509 (2-pass), timestamps        2     mutual                 yes
X.509 (3-pass), random numbers    3     mutual                 yes
Beller-Yacobi (4-pass)            4     mutual                 yes
Beller-Yacobi (2-pass)            2     unilateral             yes

31/50

Diffie-Hellman and ElGamal

Diffie-Hellman
  Setup: prime p, generator g of Z_p^*
  A → B: g^x mod p
  B → A: g^y mod p
  Shared key: g^{xy} mod p
- fixed exponent: zero-pass key agreement with special certificates
- Signature is required!

ElGamal one-pass key agreement
  b is B's secret key
  A → B: g^x mod p
  Shared key: g^{xb} mod p
- unilateral key authentication
- no entity authentication or key confirmation

32/50

MTI/A0 Protocol

Long-term public keys PK_a = g^a (A) and PK_b = g^b (B).
  A → B: g^x mod p
  B → A: g^y mod p
  A: k = (g^y)^a · PK_b^x = g^{ya} · g^{bx} = g^{ya+bx}
  B: k = (g^x)^b · PK_a^y = g^{xb} · g^{ay} = g^{ya+bx}

Properties
- Message independent
- Secure against passive attacks only
- Provides mutual (implicit) key authentication, but neither key confirmation nor entity authentication

33/50

STS Algorithm

  A → B: g^x mod p
  B → A: g^y mod p, E_k(S_B(g^y, g^x))
  A → B: E_k(S_A(g^x, g^y))
  (k is the Diffie-Hellman key g^{xy} mod p)

Properties
- Mutual entity authentication
- Mutual (explicit) key authentication

34/50

Günther's implicitly-certified ID-based public-key algorithm

Summary: the TTP creates an implicitly-certified, publicly-recoverable Diffie-Hellman public key for A, and transfers to A the corresponding private key.

1. The TTP selects a prime p and a generator g of Z_p^*, and a random integer t with gcd(t, p − 1) = 1 as its private key; it publishes its public key u = g^t mod p.
2. The TTP assigns to each A a DN (distinguished name) I_A and a random integer k_A with gcd(k_A, p − 1) = 1, then computes P_A = g^{k_A} mod p. P_A is A's reconstruction public data, allowing other parties to compute P_A^a below.
3. The TTP solves the following equation for a: h(I_A) = t·P_A + k_A·a (mod p − 1).
4. The TTP securely transmits to A the pair (r, s) = (P_A, a) (an ElGamal signature on I_A).
5. Any other party can then reconstruct A's public key P_A^a (= g^{k_A·a}) by computing P_A^a = g^{h(I_A)} · u^{−P_A} mod p.

35/50

DH with implicitly-certified keys

Algorithm
  A → B: I_A, P_A
  B → A: I_B, P_B, (P_A)^y mod p
  A → B: (P_B)^x mod p
  Shared key K = P_A^{ya} · P_B^{xb} mod p
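An added worked example (not code from the slides) covering both the key issuance of slide 34 and the exchange of slide 35: a TTP issues implicitly-certified key pairs to two users, anyone reconstructs P_A^a from (I_A, P_A) alone, and the two users arrive at the same K. The prime p = 1000003, the hash h (SHA-256 reduced mod p − 1) and the identities are this example's constructed choices.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy field: p is prime and p-1 = 2 * 3 * 166667 (factors used only to test generators).
P = 1000003
P_MINUS_1_FACTORS = (2, 3, 166667)


def is_generator(g: int, p: int = P, factors=P_MINUS_1_FACTORS) -> bool:
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)


G = next(c for c in range(2, P) if is_generator(c))   # step 1: generator g


def h(ident: bytes) -> int:
    """h(I_A): the identity hashed, then reduced mod p-1 because it is used as an exponent."""
    return int.from_bytes(hashlib.sha256(ident).digest(), "big") % (P - 1)


def random_unit() -> int:
    """Random integer in [1, p-2] coprime to p-1 (required for t and k_A)."""
    while True:
        r = secrets.randbelow(P - 2) + 1
        if gcd(r, P - 1) == 1:
            return r


class TTP:
    def __init__(self):
        self.t = random_unit()          # step 1: TTP private key t
        self.u = pow(G, self.t, P)      # published public key u = g^t mod p

    def issue(self, ident: bytes):
        """Steps 2-4: returns (P_A, a), the reconstruction data and private key for I_A."""
        k = random_unit()
        pa = pow(G, k, P)                                         # P_A = g^{k_A}
        # step 3: solve h(I_A) = t*P_A + k_A*a (mod p-1) for a
        a = ((h(ident) - self.t * pa) * pow(k, -1, P - 1)) % (P - 1)
        return pa, a


def reconstruct(u: int, ident: bytes, pa: int) -> int:
    """Step 5, done by any party: P_A^a = g^{h(I_A)} * u^{-P_A} mod p."""
    return pow(G, h(ident), P) * pow(u, -pa, P) % P


def agree(u, ida, pa, a, idb, pb, b):
    """Slide 35 exchange between A (ida, pa, a) and B (idb, pb, b); returns (K at A, K at B)."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    # 1. A -> B: I_A, P_A      2. B -> A: I_B, P_B, P_A^y      3. A -> B: P_B^x
    pa_y, pb_x = pow(pa, y, P), pow(pb, x, P)
    k_at_a = pow(pa_y, a, P) * pow(reconstruct(u, idb, pb), x, P) % P   # P_A^{ya} * P_B^{bx}
    k_at_b = pow(reconstruct(u, ida, pa), y, P) * pow(pb_x, b, P) % P   # P_A^{ay} * P_B^{xb}
    return k_at_a, k_at_b


if __name__ == "__main__":
    ttp = TTP()
    pa, a = ttp.issue(b"alice")
    pb, b = ttp.issue(b"bob")
    print(agree(ttp.u, b"alice", pa, a, b"bob", pb, b))
```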

36/50

Key Agreement (Asymmetric technique)

Protocol                #msg  entity authentication  key authentication
Diffie-Hellman          2     none                   none
ElGamal key agreement   1     none                   unilateral
MTI/A0                  2     none                   mutual-implicit
Günther                 2     none                   mutual-implicit
STS                     3     mutual                 mutual-implicit

38/50

Secret Sharing

Motivation
- To safeguard cryptographic keys from loss, it is desirable to create backups.
- The greater the number of copies made, the greater the risk of security exposure; the smaller the number, the greater the risk that all are lost.
- Goal: enhanced reliability without increased risk.
- Facilitate distributed trust or shared control for critical activities by gating the critical action on cooperation by t of n users.

Basic idea
- Start with a secret, and divide it into pieces called shares which are distributed amongst users such that the pooled shares of specific subsets of users allow reconstruction of the original secret.
- May be viewed as a key pre-distribution technique, facilitating one-time key establishment, wherein the recovered key is pre-determined.

39/50

Secret Sharing

Trivial (n, n) scheme
  S = S_1 ⊕ S_2 ⊕ … ⊕ S_n
  Shouldn't split an r-bit key into r/t pieces.

Threshold schemes
  A (t, n) threshold scheme (t ≤ n) is a method by which a trusted party computes secret shares S_i, 1 ≤ i ≤ n, from an initial secret S and securely distributes S_i to user P_i such that the following is true: any t or more users who pool their shares may easily recover S, but any group knowing only t − 1 or fewer shares may not.

40/50

Secret Sharing

Shamir's threshold scheme
- Based on polynomial interpolation, and the fact that a univariate polynomial y = f(x) of degree t − 1 is uniquely defined by t points (x_i, y_i).

Algorithm
- Setup: T begins with a secret integer S it wishes to distribute among n users. T chooses a prime p, defines a_0 = S, and selects t − 1 random coefficients a_1, …, a_{t−1} defining the polynomial over Z_p: f(x) = Σ_{j=0}^{t−1} a_j x^j.
- T computes S_i = f(i) mod p for all i (1 ≤ i ≤ n).

41/50

Secret Sharing

Properties of Shamir's scheme
- perfect: given knowledge of any t − 1 or fewer shares, all possible values of the shared secret remain equally probable
- ideal: the size of one share is the size of the secret
- extendable for new users: new shares (for new users) may be computed and distributed without affecting the shares of existing users
- varying levels of control possible: providing a single user with multiple shares bestows more control upon that individual
- no unproven assumptions
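An added example (not code from the slides) of Shamir's (t, n) scheme from slide 40 over a constructed prime field. It includes the pooling step by Lagrange interpolation, which the slides leave implicit, and exercises two slide-41 properties: a new share can be issued from any t existing ones, and any t − 1 shares are consistent with every candidate secret (perfectness).

```python
import secrets

# Constructed prime field; large enough to hold a 128-bit secret.
P = 2**127 - 1


def make_shares(secret: int, t: int, n: int, p: int = P):
    """Setup: f(x) = S + a_1 x + ... + a_{t-1} x^{t-1} over Z_p; share i is (i, f(i))."""
    assert 0 <= secret < p and 1 <= t <= n < p
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, j, p) for j, c in enumerate(coeffs)) % p

    return [(i, f(i)) for i in range(1, n + 1)]


def interpolate(points, x: int, p: int = P) -> int:
    """Lagrange interpolation: value at x of the unique polynomial of degree
    < len(points) passing through the given (x_i, y_i); the x_i must be distinct."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def recover(shares, p: int = P) -> int:
    """Pooling step: any t shares determine f, and S = f(0)."""
    return interpolate(shares, 0, p)


def new_share(shares, new_x: int, p: int = P):
    """Extendability: t existing shares determine f, so f(new_x) is a share for a new user."""
    return (new_x, interpolate(shares, new_x, p))


def consistent_share(partial, candidate: int, x: int, p: int = P):
    """Perfectness: for any t-1 shares and ANY candidate secret there is a degree t-1
    polynomial through those shares with f(0) = candidate. Returns that polynomial's
    value at x, i.e. a share that would make 'candidate' the pooled secret."""
    return (x, interpolate(partial + [(0, candidate)], x, p))


if __name__ == "__main__":
    shares = make_shares(123456789, 3, 5)      # (t, n) = (3, 5)
    print(recover(shares[:3]), recover(shares[2:]))
```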

43/50

Conference Keying

A conference keying protocol is a generalization of two-party key establishment to provide three or more parties with a shared secret key.

Examples: Cliques, BD, TGDH, STR

45/50

Attack strategies and classic flaws

Intruder-in-the-middle
- man-in-the-middle attack on unauthenticated Diffie-Hellman

Reflection attack
Original protocol
  1. A → B: r_A
  2. B → A: E_k(r_A, r_B)
  3. A → B: r_B
Attack
  1. A → E: r_A
  2. E → A: r_A                   (E starts a new session)
  3. A → E: E_k(r_A, r_A)         (A's reply to (2))
  4. E → A: E_k(r_A, r_A)         (E presents it as the reply to (1))
  5. A → E: r_A
Can be prevented by using two different keys k1 and k2 for encryption.

46/50

Attack strategies and classic flaws

Interleaving attacks
Flawed protocol
  1. A → B: r_A
  2. B → A: r_B, S_B(r_B, r_A, A)
  3. A → B: r_A, S_A(r_A, r_B, B)
Attack
  1. E → B: r_A
  2. B → E: r_B, S_B(r_B, r_A, A)
  3. E → A: r_B
  4. A → E: r_A, S_A(r_A, r_B, B)
  5. E → B: r_A, S_A(r_A, r_B, B)
Works due to the symmetric form of messages (2) and (3).

47/50

Analysis methods

Ad hoc and practical analysis (provides heuristic security)
- convincing arguments that any successful attack requires a resource level greater than the resources of the perceived adversary
- may uncover protocol flaws, establishing that a protocol is bad
- subtle flaws in protocols typically escape ad hoc analysis

Reducibility from hard problems
- proving that any successful protocol attack leads directly to the ability to solve a well-studied reference problem
- yields a provably secure protocol
- a challenge is to establish that all possible attacks have been taken into account, and can be equated to solving the identified reference problems

48/50

Analysis methods

Complexity-theoretic analysis
- A model of computation is defined, and adversaries are modeled as having polynomial power. A security proof relative to the model is then constructed.
- The existence of underlying cryptographic primitives with specified properties is typically assumed.
- An objective is to design cryptographic protocols which require the fewest cryptographic primitives, or the weakest assumptions.
- Polynomial attacks which are feasible under such a model may in practice be computationally infeasible.
- Despite these issues, complexity-theoretic analysis is invaluable for formulating fundamental principles and confirming intuition.

49/50

Analysis methods

Information-theoretic analysis
- mathematical proofs involving entropy relationships to prove protocols are unconditionally secure
- adversaries are modeled to have unbounded computing resources
- not applicable to most practical schemes, for several reasons: many schemes can at best be computationally secure, and such schemes typically involve keys of impractically large size, or can only be used once

Formal methods
- logics of authentication (BAN), term re-writing systems, expert systems, and other methods combining algebraic and state-transition techniques
- help in finding flaws and redundancies in protocols
- the proofs provided are proofs within the specified formal system, and cannot be interpreted as absolute proofs of security
- absence of discovered flaws does not imply the absence of flaws

50/50

Thank You!