8/3/2019 Chap 12 New
Key Establishment Protocols
Maithili Narasimha
April 30, 2012
Contents
Classification and framework
Key transport based on symmetric encryption
Key agreement based on symmetric techniques
Key transport based on public-key encryption
Key agreement based on asymmetric techniques
Secret sharing
Conference keying
Analysis of key establishment protocols
Concepts and Classification
Key establishment: a process by which a shared secret becomes available to two or more parties, for subsequent cryptographic use.
Key transport protocol: one party creates (or otherwise obtains) the secret and securely transfers it to the other(s).
Key agreement protocol: a shared secret is derived by two (or more) parties as a function of information contributed by each, so that no single party can predetermine the resulting value.
Key pre-distribution (keys fixed in advance) vs. dynamic (session) key establishment (a fresh key per session).
Use of trusted servers
Names for the trusted party, depending on its role: trusted third party (TTP), trusted server, authentication server, key distribution center (KDC), key translation center (KTC), certification authority (CA).
Secure key establishment requires that each party in the protocol be able to determine the true identity of the other(s) which could possibly gain access to the resulting key, and that any unauthorized additional party be precluded from deducing the same key.
In short: secrecy of the key, plus identification of those parties with access to it.
Authentication
Which assurance "authentication" refers to depends on the context of usage:
authentication: generic term; meaning depends on context of usage
entity authentication: identity of a party, and aliveness at a given instant
data origin authentication: identity of the source of data
(implicit) key authentication: identity of the party which may possibly share a key
key confirmation: evidence that a key is possessed by some party
explicit key authentication: evidence that an identified party possesses a given key
Classification and concepts
(Implicit) key authentication: one party is assured that no other party aside from a specifically identified second party may gain access to a particular secret key.
This holds independent of the actual possession of such key by the second party, or of the first party's knowledge of such possession.
Key confirmation: one party is assured that a second (possibly unidentified) party actually has possession of a particular secret key.
Explicit key authentication: both (implicit) key authentication and key confirmation hold.
Motivation for use of session keys
Session key: an ephemeral secret, i.e., one whose use is restricted to a short time period, after which all trace of it is eliminated.
Motivation
to limit the ciphertext available under any one key to a cryptanalyst
to limit exposure in the event of (session) key compromise
to avoid long-term storage of a large number of distinct secret keys
to create independence across communications sessions or applications
Key Establishment Protocol Characteristics
nature of the authentication
reciprocity of authentication: unilateral vs. mutual
key freshness
key control: key transport (one party chooses the key) vs. key agreement (jointly derived)
efficiency
number of message exchanges
bandwidth (total bits transmitted)
complexity of computations
pre-computation possible?
third party requirements
on-line (real-time), off-line, or no third party
degree of trust required in a third party
type of certificate used
non-repudiation
Assumptions and Adversaries
Attacks
passive attack: adversary simply records data and analyzes it
active attack: adversary modifies or injects messages
What are the attacker's goals?
deduce a session key using information gained by eavesdropping
participate covertly in a protocol initiated by one party, and influence it by altering messages so as to be able to deduce the key
initiate one or more protocol executions, and combine messages from one with another (interleaving), so as to carry out one of the above attacks
without being able to deduce the session key, deceive a legitimate party regarding the identity of the party with which it shares a key
In entity authentication, the adversary's objective is to arrange that one party receives messages which satisfy that party that the protocol has been run successfully with a party other than the adversary.
PFS and Known-Key Attacks
perfect forward secrecy (PFS): compromise of long-term keys does not compromise past session keys
PFS ensures that previously recorded traffic stays locked in the past
known-key attack: compromise of past session keys allows either a passive adversary to compromise future session keys, or impersonation by an active adversary in the future
Resistance to known-key attacks requires that session keys be independent of one another, not derivable one from another.
Section: Key transport based on symmetric encryption
Point-to-Point Key Update
Key transport with one pass
Long-term symmetric key K shared between A and B
A → B: E_K(r_A)   (r_A is the session key)
Provides implicit key authentication only; there is no freshness, so a recorded message can be replayed.
Additional fields
timestamp t_A or sequence number: freshness
target identifier B: prevents undetectable replay or reflection of the message back to A
Hence A → B: E_K(r_A, t_A, B)
Mutual authentication: B → A: E_K(r_B, t_B, A); session key W = f(r_A, r_B)
Key transport with challenge-response (no synchronized clocks needed)
B → A: n_B   (nonce, for freshness)
A → B: E_K(r_A, n_A, n_B, B)
B → A: E_K(r_B, n_B, n_A, A)
Session key W = f(r_A, r_B)
None of these variants provide PFS: anyone who later obtains K can decrypt the recorded messages and recover every past session key.
Point-to-Point Key Update
Authenticated Key Exchange Protocol 2 (AKEP2)
A and B share long-term keys K (for the MAC h_K) and K' (for key derivation; reusing the MAC key for derivation is poor hygiene)
1. A → B: r_A
2. B → A: (B, A, r_A, r_B), h_K(B, A, r_A, r_B)
3. A → B: (A, r_B), h_K(A, r_B)
Session key W = h_{K'}(r_B)
Provides mutual entity authentication and (implicit) key authentication; the identities inside the MAC bind each message to this pair of parties and this run.
AKEP1 (key transport variant): B chooses the session key W and masks it with h_{K'}(r)
B → A: (B, A, r_A, r_B, (r, W ⊕ h_{K'}(r))), h_K(B, A, r_A, r_B, (r, W ⊕ h_{K'}(r)))
Optimization: r = r_B
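The AKEP2 exchange above, run end to end with HMAC-SHA256 as h_K. This is an added example, not code from the slides or from the Handbook of Applied Cryptography; the length-prefixed field encoding, the 32-byte nonces, and the run_akep2 driver with its tamper switch (an active adversary replacing r_B in message 2) are assumptions of the example.

```python
"""AKEP2 over HMAC-SHA256 (added example; not from the slides).

A and B share two long-term keys: K for the MAC h_K and K' for deriving the
session key W = h_K'(r_B).
"""
import hashlib
import hmac
import secrets


def encode(*fields: bytes) -> bytes:
    """Length-prefix each field so (B, A, r_A, r_B) parses unambiguously."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def h(key: bytes, *fields: bytes) -> bytes:
    """h_K(...): HMAC-SHA256 over the encoded fields."""
    return hmac.new(key, encode(*fields), hashlib.sha256).digest()


class Party:
    def __init__(self, name: bytes, k_mac: bytes, k_kdf: bytes):
        self.name, self.k_mac, self.k_kdf = name, k_mac, k_kdf
        self.r_a = self.r_b = None

    # 1. A -> B : r_A
    def msg1(self) -> bytes:
        self.r_a = secrets.token_bytes(32)
        return self.r_a

    # 2. B -> A : (B, A, r_A, r_B), h_K(B, A, r_A, r_B)
    def msg2(self, peer: bytes, r_a: bytes):
        self.r_b = secrets.token_bytes(32)
        body = (self.name, peer, r_a, self.r_b)
        return body, h(self.k_mac, *body)

    # A verifies (2) and sends 3. A -> B : (A, r_B), h_K(A, r_B)
    def msg3(self, peer: bytes, body, tag: bytes):
        b, a, r_a, r_b = body
        # Identities and A's own nonce bind the message to this run and pair.
        if b != peer or a != self.name or r_a != self.r_a:
            raise ValueError("message 2 is not for this run")
        if not hmac.compare_digest(tag, h(self.k_mac, *body)):
            raise ValueError("bad MAC on message 2")
        self.r_b = r_b
        reply = (self.name, r_b)
        return reply, h(self.k_mac, *reply)

    # B verifies (3): A saw r_B, so A is alive and holds K.
    def verify3(self, peer: bytes, reply, tag: bytes) -> None:
        a, r_b = reply
        if a != peer or r_b != self.r_b:
            raise ValueError("message 3 is not for this run")
        if not hmac.compare_digest(tag, h(self.k_mac, *reply)):
            raise ValueError("bad MAC on message 3")

    def session_key(self) -> bytes:
        """W = h_K'(r_B), derived under the separate key K'."""
        return h(self.k_kdf, self.r_b)


def run_akep2(k_mac: bytes, k_kdf: bytes, tamper: bool = False):
    """Drive one run; with tamper=True an active adversary swaps r_B in (2)."""
    a, b = Party(b"A", k_mac, k_kdf), Party(b"B", k_mac, k_kdf)
    r_a = a.msg1()
    body, tag = b.msg2(b"A", r_a)
    if tamper:
        body = (body[0], body[1], body[2], bytes(32))  # MAC no longer matches
    reply, tag3 = a.msg3(b"B", body, tag)
    b.verify3(b"A", reply, tag3)
    return a.session_key(), b.session_key()
```

Both sides derive the same W from r_B alone, and any change to message 2 (a swapped nonce, a swapped identity) is rejected by A before it sends message 3, so an adversary without K can neither steer the key nor get A to respond to a message not meant for it.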
Shamir's no-key (three-pass) protocol
Setup: prime p; A picks a with gcd(a, p - 1) = 1 and B picks b with gcd(b, p - 1) = 1; neither exponent is shared with anyone
Protocol (K is the key A wants to transport to B)
1. A → B: K^a mod p
2. B → A: (K^a)^b mod p
3. A → B: (K^ab)^(a^-1) mod p = K^b mod p; B computes (K^b)^(b^-1) mod p = K
Properties
Provides key transport
No a priori shared information is required (no shared secret, no public keys)
Protection from passive adversaries only (recovering K from the transcript requires solving discrete logarithms)
Does not provide authentication: an active adversary can run the protocol in place of B and obtain K
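The three passes above, implemented with modular exponentiation. This is an added example, not code from the slides; the modulus p = 2^127 - 1 (a Mersenne prime, chosen only so the demo runs instantly and far too small for real use), the NoKeyParty class and the three_pass driver are assumptions of the example. The driver takes the responder as a parameter, which makes the missing authentication concrete: whoever answers message 1 ends up with K.

```python
"""Shamir's no-key (three-pass) protocol (added example; not from the slides).

Each party needs only an exponent coprime to p - 1, so that it can undo its
own exponentiation with the inverse exponent mod p - 1.
"""
import math
import secrets

PRIME = 2**127 - 1  # toy modulus (Mersenne prime); real use needs a large safe prime


def random_unit_exponent(p: int = PRIME) -> int:
    """Random e in [2, p-2] with gcd(e, p-1) = 1, so e is invertible mod p-1."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if math.gcd(e, p - 1) == 1:
            return e


class NoKeyParty:
    def __init__(self, p: int = PRIME):
        self.p = p
        self.e = random_unit_exponent(p)
        self.d = pow(self.e, -1, p - 1)   # undoes x -> x^e because x^(p-1) = 1

    def lock(self, x: int) -> int:
        return pow(x, self.e, self.p)

    def unlock(self, x: int) -> int:
        return pow(x, self.d, self.p)


def three_pass(a: NoKeyParty, b: NoKeyParty, k: int):
    """Transport key k (1 <= k < p) from a to b; returns (b's copy, transcript)."""
    m1 = a.lock(k)        # 1. A -> B : K^a
    m2 = b.lock(m1)       # 2. B -> A : (K^a)^b
    m3 = a.unlock(m2)     # 3. A -> B : (K^ab)^(a^-1) = K^b
    return b.unlock(m3), (m1, m2, m3)
```

An eavesdropper sees K^a, K^ab and K^b, none of which yields K without a discrete logarithm; but since nothing in the three messages depends on who B is, a party E that intercepts message 1 and plays B's role recovers K just as B would.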
Kerberos
Basic setup
A, B and a trusted server T share long-term pairwise secret keys a priori
The server either plays the role of KDC and itself supplies the session key, or serves as a key translation center (KTC)
A and B share no secret, while T shares a secret K_AT with A and K_BT with B
Goal: B verifies A's identity, and a shared session key is established
Description
A requests from T credentials to allow it to authenticate itself to B
T plays the role of a KDC, returning to A a session key encrypted for A and a ticket encrypted for B
The ticket contains the session key and A's identity; it authenticates A to B when accompanied by an appropriate message (the authenticator) created by A, containing a timestamp encrypted under that session key
Kerberos
Protocol (basic authentication, simplified)
1. A → T: A, B, N_A   (N_A: nonce, for freshness)
2. T → A: E_KBT(k, A, L), E_KAT(k, N_A, L, B)   (L: lifetime of the ticket)
3. A → B: E_KBT(k, A, L), E_k(A, T_A, A_subkey)   (ticket plus authenticator with timestamp T_A; B checks that T_A is recent and within L)
4. B → A: E_k(T_A, B_subkey)   (optional, for mutual authentication)
Properties
Since timestamps are used, the hosts on which this protocol runs must provide both secure and synchronized clocks
If the initial shared keys are password-derived, the protocol is no more secure than the secrecy of such passwords or their resistance to password-guessing attacks
A_subkey and B_subkey (optional) allow transfer of a key other than k from A to B (or from B to A)
The lifetime L is intended to allow A to re-use the ticket: A creates a new authenticator with a new timestamp and the same session key k
Needham-Schroeder shared-key protocol (important primarily for historical reasons)
Protocol
1. A → T: A, B, N_A
2. T → A: E_KAT(N_A, B, k, E_KBT(k, A))
3. A → B: E_KBT(k, A)
4. B → A: E_k(N_B)
5. A → B: E_k(N_B - 1)
Properties
The protocol provides A and B with a shared key k with key authentication
Messages (4) and (5) provide entity authentication of A to B. Entity authentication of B to A can be obtained provided A can carry out a redundancy check on N_B upon decrypting message (4).
If it is acceptable for A to re-use key k with B, A may securely cache the data sent in message (3) along with k
To prevent replay of (4), E_k(N_A) should be appended to message (3), and (4) should be replaced by E_k(N_A - 1, N_B), allowing A to verify B's knowledge of k
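The five messages above, together with the replay of message (3) by an adversary holding an old, compromised session key (the weakness discussed in the comparison with Kerberos that follows). This is an added example, not code from the slides or from any Kerberos or HAC implementation. The cipher used for E_K is a toy encrypt-then-MAC construction built from hashlib and hmac so that the example runs on the standard library alone; it, the JSON field encoding (identities as strings, nonces as integers, keys and tickets as hex) and the class and function names are all assumptions of the example.

```python
"""Needham-Schroeder shared-key protocol, plus replay of message (3) with a
compromised old session key (added example; not from the slides).

enc/dec form a toy AEAD from hashlib/hmac; it is not for real use.
"""
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    ke = hashlib.sha256(b"enc" + key).digest()
    blocks = (hashlib.sha256(ke + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def enc(key: bytes, pt: bytes) -> bytes:
    """Toy AEAD: nonce || (pt XOR keystream) || HMAC(nonce || ct)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(x ^ y for x, y in zip(pt, _keystream(key, nonce, len(pt))))
    km = hashlib.sha256(b"mac" + key).digest()
    return nonce + ct + hmac.new(km, nonce + ct, hashlib.sha256).digest()


def dec(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    km = hashlib.sha256(b"mac" + key).digest()
    if not hmac.compare_digest(tag, hmac.new(km, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected")
    return bytes(x ^ y for x, y in zip(ct, _keystream(key, nonce, len(ct))))


def pack(*fields) -> bytes:
    return json.dumps(list(fields)).encode()


def unpack(data: bytes) -> list:
    return json.loads(data.decode())


class Server:
    """T: shares a long-term key with every principal and acts as KDC."""
    def __init__(self, ltk: dict):
        self.ltk = ltk

    def msg2(self, a: str, b: str, n_a: int) -> bytes:
        k = secrets.token_bytes(32)
        ticket = enc(self.ltk[b], pack(k.hex(), a))                   # E_KBT(k, A)
        return enc(self.ltk[a], pack(n_a, b, k.hex(), ticket.hex()))  # E_KAT(N_A, B, k, ticket)


class Initiator:
    """A."""
    def __init__(self, name: str, k_at: bytes):
        self.name, self.k_at = name, k_at

    def msg1(self, peer: str):
        self.peer, self.n_a = peer, secrets.randbits(64)
        return self.name, self.peer, self.n_a

    def msg3(self, m2: bytes) -> bytes:
        n_a, b, k_hex, ticket_hex = unpack(dec(self.k_at, m2))
        if n_a != self.n_a or b != self.peer:       # A's nonce gives A freshness
            raise ValueError("stale or misdirected reply from T")
        self.k = bytes.fromhex(k_hex)
        return bytes.fromhex(ticket_hex)             # forwarded unchanged as (3)

    def msg5(self, m4: bytes) -> bytes:
        (n_b,) = unpack(dec(self.k, m4))
        return enc(self.k, pack(n_b - 1))


class Responder:
    """B."""
    def __init__(self, name: str, k_bt: bytes):
        self.name, self.k_bt = name, k_bt

    def msg4(self, ticket: bytes) -> bytes:
        k_hex, a = unpack(dec(self.k_bt, ticket))    # nothing tells B whether k is fresh
        self.k, self.peer = bytes.fromhex(k_hex), a
        self.n_b = secrets.randbits(64)
        return enc(self.k, pack(self.n_b))

    def accept(self, m5: bytes) -> bool:
        (v,) = unpack(dec(self.k, m5))
        return v == self.n_b - 1


def honest_run(t: Server, a: Initiator, b: Responder):
    """Messages (1)-(5); returns B's verdict plus the ticket and key for later."""
    ticket = a.msg3(t.msg2(*a.msg1(b.name)))
    return b.accept(a.msg5(b.msg4(ticket))), ticket, a.k


def replay_with_old_key(b: Responder, old_ticket: bytes, old_k: bytes) -> bool:
    """E, holding a compromised old k and its ticket, impersonates A to B."""
    m4 = b.msg4(old_ticket)                        # (3) replayed verbatim
    (n_b,) = unpack(dec(old_k, m4))                # E decrypts B's challenge
    return b.accept(enc(old_k, pack(n_b - 1)))     # and forges (5)
```

B's only check is that the ticket decrypts under K_BT and that message (5) answers its nonce; both hold for the replayed ticket and the old key, so B accepts E as A. The Kerberos lifetime L inside the ticket, checked against B's clock, is what bounds this window.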
Needham-Schroeder vs. Kerberos
The Kerberos lifetime parameter is not present in N-S
In N-S, the ticket within message (2) (which corresponds to the Kerberos ticket) is double-encrypted: under K_BT and then again under K_AT
Authentication in N-S employs nonces rather than timestamps
Since B has no way of knowing whether k is fresh, should k ever be compromised, any party knowing it may both resend message (3) and compute a correct message (5) to impersonate A to B
This situation is ameliorated in Kerberos by the lifetime parameter, which limits exposure to a fixed time interval
Otway-Rees protocol
Protocol
1. A → B: M, A, B, E_KAT(M, A, B, N_A)   (M: a nonce identifying this protocol run)
2. B → T: M, A, B, E_KAT(M, A, B, N_A), E_KBT(M, A, B, N_B)
3. T → B: E_KAT(k, N_A), E_KBT(k, N_B)   (T first checks that (M, A, B) agree in both encrypted parts and with the cleartext)
4. B → A: E_KAT(k, N_A)
Properties
Only 4 messages
Does not require timestamps
Provides key authentication and key freshness but neither entity authentication nor key confirmation
N_A could be eliminated in (1), (2), and replaced by M in (3), (4)
Could provide key confirmation and entity authentication with a fifth message:
4'. B → A: E_KAT(k, N_A), E_k(N_A, N_B)
5. A → B: E_k(N_B)
To recap
Protocol                      | # messages | timestamps | server
point-to-point key update     | 1-3        | optional   | none
Shamir's no-key protocol      | 3          | no         | none
Kerberos                      | 4          | yes        | KDC
Needham-Schroeder shared-key  | 5          | no         | KDC
Otway-Rees                    | 4          | no         | KDC
Section: Key agreement based on symmetric techniques
Key Agreement (symmetric techniques): Blom's scheme
A key distribution system (KDS) is said to be j-secure if a coalition of j or fewer users can do no better at computing the key shared by two other users than a party which guesses the key without any pieces whatsoever
Blom's KDS bound: in any j-secure KDS providing m-bit pairwise session keys, the secret data stored by each user must be at least m(j + 1) bits
Blom's scheme
engineered to provide unconditional security against coalitions of a specified maximum size j (it meets the bound above: each user stores j + 1 values of m bits)
the initial keying material assigned to each user allows computation of a larger number of derived keys, one per each other user
derived keys of different user pairs are not statistically independent: a coalition of j + 1 users can recover every pairwise key in the system
Section: Key transport based on public-key encryption
Key Transport using PK encryption without signatures: Needham-Schroeder public-key protocol
1. A → B: P_B(k_1, A)
2. B → A: P_A(k_1, k_2)
3. A → B: P_B(k_2)
No signatures; mutual authentication (key and entity); mutual key transport (k_1 chosen by A, k_2 by B; the session key is a function of both)
Caveat: message (2) does not name B, which permits the well-known Lowe (1995) interleaving attack: a dishonest responder C that receives A's message (1) re-encrypts (k_1, A) for B, relays B's reply (2) unchanged to A, obtains k_2 from A's message (3) and completes the run with B, who then believes it shares k_1, k_2 with A. The standard fix is to include the responder's identity in (2): P_A(k_1, k_2, B).
Modified NS (eliminating the third public-key encryption)
1. A → B: P_B(k_1, A, r_1)
2. B → A: P_A(k_2, r_1, r_2)
3. A → B: r_2
Combining PK encryption and signatures
Encrypting signed keys
A → B: P_B(k, t_A, S_A(B, k, t_A))
Problem: the data to be encrypted (key, timestamp and signature together) may be too large for a single public-key encryption block
Encrypting and signing separately
A → B: P_B(k, t_A), S_A(B, k, t_A)
Acceptable only if no information regarding the plaintext data can be deduced from the signature (a signature scheme with message recovery, for example, would reveal k)
Signing encrypted keys
A → B: t_A, P_B(A, k), S_A(B, t_A, P_B(A, k))
A's identity sits inside the encryption so that a third party cannot strip A's signature, re-sign the same ciphertext, and pass k off as its own
Each of these one-pass schemes provides data origin authentication only; mutual authentication can be added with two messages (timestamps) or three messages (challenge-response)
X.509 strong authentication protocols
Assurances of X.509 strong authentication
the identity of A, and that the token received by B was constructed by A
the token received by B was specifically intended for B
the token received by B has freshness
the secrecy of the transferred key
X.509 strong two-way authentication
D_A = (t_A, r_A, B, data_1, P_B(k_1)), D_B = (t_B, r_B, A, r_A, data_2, P_A(k_2))
1. A → B: cert_A, D_A, S_A(D_A)
2. B → A: cert_B, D_B, S_B(D_B)
(t_A, t_B timestamps; r_A, r_B nonces; the three-pass variant adds a third message in which A signs r_B, so that timestamps are not needed)
Comments
Since the protocol does not specify inclusion of an identifier within the scope of the encryption P_B within D_A, one cannot guarantee that the signing party actually knows (or was the source of) the plaintext key: an adversary can take P_B(k_1) from an intercepted D_A, build its own D with the same ciphertext and sign it, without knowing k_1
Hybrid Key Transport using PK encryption
Beller-Yacobi (4-pass)
Properties
mutual authentication, explicit key authentication
for applications where there is an imbalance in processing power between the two parties (A is the weak party, e.g., a handset)
the identity of the weaker party A remains concealed from eavesdroppers (cert_A travels encrypted under K)
Algorithm
1. B → A: cert_B = (I_B, n_B, G_B)   (certificate G_B generated by the TTP with RSA; n_B is B's RSA modulus)
2. A → B: P_B(K) = K^3 mod n_B   (RSA encryption with public exponent 3: cheap for A)
3. B → A: E_K(m, {0}^t)   (symmetric-key encryption; B proves knowledge of K and sends a challenge m)
4. A → B: E_K((v, w), cert_A)   ((v, w) = S_A(m, I_B): ElGamal signature, with the exponentiation precomputed)
Comments
To achieve mutual authentication, each party carries out at least one private-key operation and one or two public-key operations
Careful selection of two separate public-key schemes: the RSA public operation (small exponent) and the ElGamal private-key (signing) operation with precomputation are both cheap for the weak party A
Hybrid Key Transport using PK encryption
Beller-Yacobi (2-pass)
Algorithm
Precomputation by A: random x, v = g^x mod n_S   (n_S: modulus of the ElGamal signature scheme)
1. B → A: m, cert_B   (B selects a random challenge m; cert_B = (I_B, n_B, G_B))
A verifies cert_B via P_T(G_B), then computes the signature (v, w) = S_A(m, I_B)
2. A → B: P_B(v), E_v(cert_A, w)   (cert_A = (I_A, u_A, G_A))
B recovers v, sets K = v, decrypts cert_A and w, and verifies cert_A and the signature (v, w) on (m, I_B)
Properties: slightly weaker authentication assurances than the 4-pass version
B obtains entity authentication of A and obtains a key K that A alone knows, while A has only (implicit) key authentication with respect to B
For A to obtain explicit key authentication of B, a third message may be added whereby B exhibits knowledge of K on a challenge or a standard message (e.g., E_K({0}^t))
Key Transport based on PK techniques
Protocol                       | # messages | entity authentication | signature required
basic PK encryption (1-pass)   | 1          | none                  | no
Needham-Schroeder PK           | 3          | mutual                | no
encrypting signed keys         | 1          | data origin only      | yes
separate signing, encrypting   | 1          | data origin only      | yes
signing encrypted keys         | 1          | data origin only      | yes
X.509 (2-pass), timestamps     | 2          | mutual                | yes
X.509 (3-pass), random numbers | 3          | mutual                | yes
Beller-Yacobi (4-pass)         | 4          | mutual                | yes
Beller-Yacobi (2-pass)         | 2          | unilateral            | yes
Section: Key agreement based on asymmetric techniques
Diffie-Hellman and ElGamal key agreement
Diffie-Hellman
Setup: prime p, generator g of Z_p^*
1. A → B: g^x mod p   (x random, kept secret by A)
2. B → A: g^y mod p   (y random, kept secret by B)
Shared key K = g^xy mod p
Unauthenticated: provides neither entity authentication nor key authentication, so an intruder-in-the-middle can substitute its own exponentials
Fixed exponents: zero-pass key agreement when the exponentials are distributed in special certificates (the key is then static, and a signature on the certificates is required!)
ElGamal one-pass key agreement
b is B's long-term secret key, P_B = g^b mod p its public key
1. A → B: g^x mod p
Shared key K = g^xb mod p = (P_B)^x (computed by A) = (g^x)^b (computed by B)
Unilateral key authentication (of B to A)
No entity authentication or key confirmation
MTI/A0 Protocol
Long-term keys: a (A's secret) with P_A = g^a, b (B's secret) with P_B = g^b; public keys obtained from certificates
1. A → B: g^x mod p
2. B → A: g^y mod p
A: k = (g^y)^a · (P_B)^x = g^ya · g^bx = g^(ya + bx)
B: k = (g^x)^b · (P_A)^y = g^xb · g^ay = g^(ya + bx)
Properties
Role-symmetric and message-independent: the exchanged messages do not depend on the long-term keys
Designed to be secure against passive attacks; the long-term keys tie the session key to the certified identities
Provides mutual (implicit) key authentication but neither key confirmation nor entity authentication
STS (Station-to-Station) Protocol
Diffie-Hellman with signed exponentials, the signatures encrypted under the agreed key; certificates are assumed available or appended to the messages
1. A → B: g^x mod p
2. B → A: g^y mod p, E_k(S_B(g^y, g^x))   with k = g^xy mod p
3. A → B: E_k(S_A(g^x, g^y))
Properties
Mutual entity authentication
Mutual (explicit) key authentication: the encryption under k provides key confirmation
Perfect forward secrecy: x and y are ephemeral, so compromise of the signing keys does not reveal past session keys
Günther's implicitly-certified ID-based public keys
Summary: the TTP creates an implicitly-certified, publicly-recoverable Diffie-Hellman public key for A, and transfers to A the corresponding private key.
1. The TTP selects a prime p and a generator g of Z_p^*, a random integer t with gcd(t, p - 1) = 1 as its private key, and publishes its public key u = g^t mod p
2. The TTP assigns to each user A a distinguished name I_A and a random integer k_A with gcd(k_A, p - 1) = 1, then computes P_A = g^(k_A) mod p
P_A is A's reconstruction public data, allowing other parties to compute P_A^a below
3. The TTP solves the following equation for a (A's private key), using the inverse of k_A mod p - 1:
h(I_A) = t·P_A + k_A·a (mod p - 1)
4. The TTP securely transmits to A the pair (r, s) = (P_A, a), which is an ElGamal signature on I_A
5. Any other party can then reconstruct A's public key P_A^a (= g^(k_A·a)) from (I_A, P_A) and u alone, by computing
P_A^a = g^h(I_A) · u^(-P_A) mod p
(since g^h(I_A) = g^(t·P_A) · g^(k_A·a) = u^(P_A) · P_A^a)
Diffie-Hellman with implicitly-certified keys (Günther's key agreement)
Algorithm (x, y random ephemeral exponents; k_B, b are B's values from the same TTP)
1. A → B: I_A, P_A
2. B → A: I_B, P_B, (P_A)^y mod p
3. A → B: (P_B)^x mod p
A reconstructs P_B^b from (I_B, P_B) and computes K = ((P_A)^y)^a · (P_B^b)^x
B reconstructs P_A^a from (I_A, P_A) and computes K = ((P_B)^x)^b · (P_A^a)^y
Shared key K = P_A^ya · P_B^xb = g^(k_A·a·y + k_B·b·x) mod p
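The TTP enrolment, the public-key reconstruction, and the three-message agreement above, computed on both sides. This is an added example, not code from the slides; the toy modulus p = 2^127 - 1 (a Mersenne prime, chosen so the demo runs instantly; a deployment uses a standardized large group), the base g = 3, the hash h(I) = SHA-256(I) mod (p - 1), and the TTP, User, reconstruct and agree names are assumptions of the example.

```python
"""Günther's implicitly-certified keys and the key agreement built on them
(added example; not from the slides).
"""
import hashlib
import math
import secrets

PRIME = 2**127 - 1   # toy modulus
G = 3                # toy base


def h(identity: bytes) -> int:
    """h(I_A): hash of the distinguished name, as an exponent mod p - 1."""
    return int.from_bytes(h_bytes(identity), "big") % (PRIME - 1)


def h_bytes(identity: bytes) -> bytes:
    return hashlib.sha256(identity).digest()


def unit_exponent() -> int:
    """Random e in [2, p-2] with gcd(e, p-1) = 1, i.e. invertible mod p - 1."""
    while True:
        e = secrets.randbelow(PRIME - 3) + 2
        if math.gcd(e, PRIME - 1) == 1:
            return e


class TTP:
    def __init__(self):
        self.t = unit_exponent()              # private key t
        self.u = pow(G, self.t, PRIME)        # public key u = g^t

    def enroll(self, identity: bytes):
        """Return (P_A, a): reconstruction data and private key for identity."""
        k = unit_exponent()
        p_a = pow(G, k, PRIME)                # P_A = g^k_A
        # solve h(I_A) = t*P_A + k_A*a (mod p-1) for a
        a = ((h(identity) - self.t * p_a) * pow(k, -1, PRIME - 1)) % (PRIME - 1)
        return p_a, a


def reconstruct(u: int, identity: bytes, p_a: int) -> int:
    """Public key P_A^a = g^h(I_A) * u^(-P_A) mod p, from public data only."""
    return pow(G, h(identity), PRIME) * pow(u, -p_a, PRIME) % PRIME


class User:
    def __init__(self, identity: bytes, ttp: TTP):
        self.ident, self.u = identity, ttp.u
        self.pub, self.priv = ttp.enroll(identity)   # (P_A, a)


def agree(a: User, b: User):
    """Three-message Günther agreement; returns K as computed by A and by B."""
    x = secrets.randbelow(PRIME - 2) + 1
    y = secrets.randbelow(PRIME - 2) + 1
    # 1. A -> B : I_A, P_A      2. B -> A : I_B, P_B, (P_A)^y      3. A -> B : (P_B)^x
    m2 = pow(a.pub, y, PRIME)
    m3 = pow(b.pub, x, PRIME)
    # A: ((P_A)^y)^a * (P_B^b)^x, with P_B^b reconstructed from (I_B, P_B)
    k_a = pow(m2, a.priv, PRIME) * pow(reconstruct(a.u, b.ident, b.pub), x, PRIME) % PRIME
    # B: ((P_B)^x)^b * (P_A^a)^y, with P_A^a reconstructed from (I_A, P_A)
    k_b = pow(m3, b.priv, PRIME) * pow(reconstruct(b.u, a.ident, a.pub), y, PRIME) % PRIME
    return k_a, k_b
```

The reconstruction step is what "implicitly certified" means: there is no certificate to verify, but P_A^a computed from a wrong identity (or a forged P_A) is simply a different group element, so a party that does not hold the matching private key cannot complete the agreement.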
Key Agreement (asymmetric techniques)
Protocol                  | # messages | entity authentication | key authentication
Diffie-Hellman            | 2          | none                  | none
ElGamal key agreement     | 1          | none                  | unilateral
MTI/A0                    | 2          | none                  | mutual-implicit
Günther (2-pass variant)  | 2          | none                  | mutual-implicit
STS                       | 3          | mutual                | mutual-explicit
(Günther's 3-message form above becomes 2-pass when each party sends its identity and reconstruction data together with its exponential.)
Section: Secret sharing
Secret Sharing
Motivation
to safeguard cryptographic keys from loss, it is desirable to create backups
the greater the number of copies made, the greater the risk of security exposure; the smaller the number, the greater the risk that all are lost
secret sharing gives enhanced reliability without increased risk
it also facilitates distributed trust or shared control for critical activities, by gating the critical action on cooperation by t of n users
Basic idea
start with a secret, and divide it into pieces called shares which are distributed amongst users such that the pooled shares of specific subsets of users allow reconstruction of the original secret
may be viewed as a key pre-distribution technique, facilitating one-time key establishment, wherein the recovered key is pre-determined rather than generated during the protocol
Secret Sharing
Trivial (n, n) scheme
Choose n - 1 random shares S_1, ..., S_(n-1) of the same length as S and set S_n = S ⊕ S_1 ⊕ ... ⊕ S_(n-1); then S = S_1 ⊕ S_2 ⊕ ... ⊕ S_n, and any n - 1 shares reveal nothing about S
One should not simply split an r-bit key into pieces of r/t bits: each piece then leaks r/t bits of the key, and t - 1 pieces leave only r/t bits to guess
Threshold schemes
A (t, n) threshold scheme (t ≤ n) is a method by which a trusted party computes secret shares S_i, 1 ≤ i ≤ n, from an initial secret S and securely distributes S_i to user P_i such that the following is true:
any t or more users who pool their shares may easily recover S
but any group knowing only t - 1 or fewer shares may not
Secret Sharing
Shamir's threshold scheme
Based on polynomial interpolation: a univariate polynomial y = f(x) of degree t - 1 is uniquely defined by t points (x_i, y_i) with distinct x_i
Algorithm
Setup: T begins with a secret integer S it wishes to distribute among n users. T chooses a prime p > max(S, n), defines a_0 = S, selects t - 1 random coefficients a_1, ..., a_(t-1) in Z_p, and defines the polynomial over Z_p
f(x) = sum_{j=0}^{t-1} a_j x^j
T computes S_i = f(i) mod p for all i (1 ≤ i ≤ n) and securely transfers the share S_i, along with the public index i, to user P_i
Pooling: any t users recover S = f(0) by Lagrange interpolation through their t points (i, S_i)
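Shamir's scheme as described above, plus the trivial (n, n) XOR scheme from the preceding slide, both runnable. This is an added example, not code from the slides; the field prime p = 2^127 - 1, the convention that share i sits at x = i, and the function names (make_shares, interpolate, recover, extend, xor_split, xor_join) are assumptions of the example. extend goes slightly beyond the slide: it derives a share for a new user from any t existing shares by interpolating f at a fresh x, which is how the "extendable" property is realised without the dealer's polynomial.

```python
"""Shamir (t, n) threshold secret sharing over GF(p) and the trivial (n, n)
XOR scheme (added example; not from the slides).

Secrets are integers 0 <= S < p; split longer keys into field-sized chunks.
"""
import secrets

PRIME = 2**127 - 1


def make_shares(secret: int, t: int, n: int, p: int = PRIME) -> list:
    """Dealer: random degree t-1 polynomial with f(0) = S; share i is (i, f(i))."""
    assert 0 <= secret < p and 1 <= t <= n < p
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, j, p) for j, c in enumerate(coeffs)) % p

    return [(i, f(i)) for i in range(1, n + 1)]


def interpolate(shares: list, x: int, p: int = PRIME) -> int:
    """Lagrange interpolation through `shares`, evaluated at x.
    With t shares this reproduces f exactly; with fewer it yields an unrelated value."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def recover(shares: list, p: int = PRIME) -> int:
    """Pool t shares: S = f(0)."""
    return interpolate(shares, 0, p)


def extend(shares: list, new_index: int, p: int = PRIME) -> tuple:
    """Share for a new user from any t existing shares; existing shares unchanged."""
    assert all(new_index != xi for xi, _ in shares) and new_index != 0
    return new_index, interpolate(shares, new_index, p)


def xor_split(secret: bytes, n: int) -> list:
    """Trivial (n, n) scheme: n-1 random pads, last share fixes the XOR to S."""
    parts = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = bytes(secret)
    for part in parts:
        last = bytes(a ^ b for a, b in zip(last, part))
    return parts + [last]


def xor_join(parts: list) -> bytes:
    out = bytes(len(parts[0]))
    for part in parts:
        out = bytes(a ^ b for a, b in zip(out, part))
    return out
```

Interpolating with only t - 1 shares still returns a value, but it is the constant term of the wrong (lower-degree) polynomial and is unrelated to S, which is the "perfect" property of the scheme in operational terms.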
Secret Sharing
Properties of Shamir's scheme
perfect: given knowledge of any t - 1 or fewer shares, all values of the shared secret remain equally probable
ideal: the size of one share is the size of the secret
extendable for new users: new shares (for new users) may be computed and distributed without affecting the shares of existing users
varying levels of control possible: providing a single user with multiple shares bestows more control upon that individual
no unproven assumptions: security is unconditional (information-theoretic), not based on any computational hardness assumption
Section: Conference keying
Conference Keying
A conference keying protocol is a generalization of two-party key establishment to provide three or more parties with a shared secret key
Examples of group key agreement protocols: Cliques (group Diffie-Hellman), BD (Burmester-Desmedt), TGDH (tree-based group Diffie-Hellman), STR
Section: Analysis of key establishment protocols
Attack strategies and classic flaws
Intruder-in-the-middle
man-in-the-middle attack on unauthenticated Diffie-Hellman: E substitutes its own exponential for both g^x and g^y and ends up sharing a different key with each of A and B
Reflection attack
Original protocol (A and B share k)
1. A → B: r_A
2. B → A: E_k(r_A, r_B)
3. A → B: r_B
Attack (E never learns k; it uses A as an oracle against itself)
1. A → E: r_A
2. E → A: r_A   (E starts a new session with A, sending A's own nonce as the challenge)
3. A → E: E_k(r_A, r_A')   (A's reply in the second session, with its fresh nonce r_A')
4. E → A: E_k(r_A, r_A')   (reflected as the reply to (1); A accepts it as B's message (2))
5. A → E: r_A'   (A completes the first session believing it has authenticated B)
Can be prevented by using two different keys k_1 and k_2 for the two directions, by including the responder's identity inside the encryption, or by having the initiator refuse to answer its own outstanding challenge
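The reflection attack above, run against an honest implementation, first with one shared key and then with direction-specific keys k_1 and k_2. This is an added example, not code from the slides; it replaces E_k(r_A, r_B) with the MAC tag h_k(r_A, r_B), on the assumption (which holds for this attack) that what matters is that both directions use the same keyed function under the same key, not that the function is an encryption. The Party class, the 16-byte nonces and the driver functions are assumptions of the example.

```python
"""Reflection attack on symmetric challenge-response (added example; not from
the slides). E_k is modelled as an HMAC tag h_k over the two nonces.
"""
import hashlib
import hmac
import secrets


def tag(key: bytes, *parts: bytes) -> bytes:
    """h_k(...): HMAC-SHA256 over length-prefixed fields."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


class Party:
    """own_key tags this party's own responses; peer_key verifies the peer's.
    Single-key protocol: own_key == peer_key. Fixed protocol: they differ."""
    def __init__(self, own_key: bytes, peer_key: bytes):
        self.own, self.peer = own_key, peer_key
        self.r = None

    def new_challenge(self) -> bytes:            # initiator, message (1)
        self.r = secrets.token_bytes(16)
        return self.r

    def respond(self, r_peer: bytes):            # responder, message (2)
        r_mine = secrets.token_bytes(16)
        return r_mine, tag(self.own, r_peer, r_mine)

    def accept(self, r_peer: bytes, t: bytes) -> bool:   # initiator checks (2)
        return hmac.compare_digest(t, tag(self.peer, self.r, r_peer))


def honest_run(k_a: bytes, k_b: bytes) -> bool:
    """A initiates, B responds; with k_a == k_b this is the original protocol."""
    a, b = Party(k_a, k_b), Party(k_b, k_a)
    r_a = a.new_challenge()          # 1. A -> B : r_A
    r_b, t = b.respond(r_a)          # 2. B -> A : r_B, h_k(r_A, r_B)
    return a.accept(r_b, t)          # 3. A -> B : r_B follows on success


def reflection_attack(k_a: bytes, k_b: bytes) -> bool:
    """E holds no key; it opens a second session with A and reflects A's reply.
    Returns True if A accepts E as B."""
    a = Party(k_a, k_b)
    r_a = a.new_challenge()          # 1. A -> E : r_A
    r_a2, t = a.respond(r_a)         # 2. E -> A : r_A   3. A -> E : r_A', h(r_A, r_A')
    return a.accept(r_a2, t)         # 4. E -> A : r_A', h(r_A, r_A')  reflected
```

With a single key, A's own response verifies under the key A expects from B, so A accepts. With k_1 for A's responses and k_2 for B's, the reflected tag was computed under k_1 but is checked under k_2, and the attack fails without any other change to the messages.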
Attack strategies and classic flaws
Interleaving attacks
Flawed protocol (signatures, nonces)
1. A → B: r_A
2. B → A: r_B, S_B(r_B, r_A, A)
3. A → B: r_A', S_A(r_A', r_B, B)
Attack (E impersonates A to B)
1. E → B: r_A
2. B → E: r_B, S_B(r_B, r_A, A)
3. E → A: r_B   (E opens a session with A, using B's nonce as the challenge)
4. A → E: r_A', S_A(r_A', r_B, B)   (A, believing it talks to B, signs r_B)
5. E → B: r_A', S_A(r_A', r_B, B)   (forwarded to B as message (3); B accepts E as A)
Works because messages (2) and (3) have the same form: a signature produced in one run, in one role, is accepted in another. The fix is to make the two signed messages structurally distinct, e.g. by including the message number or the intended role in what is signed
Analysis methods
Ad hoc and practical analysis (provides heuristic security)
convincing arguments that any successful attack requires a resource level greater than the resources of the perceived adversary
may uncover protocol flaws, establishing that a protocol is bad
subtle flaws in protocols typically escape ad hoc analysis
Reducibility from hard problems
proving that any successful protocol attack leads directly to the ability to solve a well-studied reference problem (a provably secure protocol)
a challenge is to establish that all possible attacks have been taken into account, and can be equated to solving the identified reference problems
Analysis methods
Complexity-theoretic analysis
a model of computation is defined, and adversaries are modeled as having polynomial power; a security proof relative to the model is then constructed
the existence of underlying cryptographic primitives with specified properties is typically assumed
an objective is to design cryptographic protocols which require the fewest cryptographic primitives, or the weakest assumptions
polynomial attacks which are feasible under such a model may in practice be computationally infeasible, and the asymptotic statements say nothing about concrete key sizes
despite these issues, complexity-theoretic analysis is invaluable for formulating fundamental principles and confirming intuition
Analysis methods
Information-theoretic analysis
mathematical proofs involving entropy relationships, to prove that protocols are unconditionally secure
adversaries are modeled as having unbounded computing resources
not applicable to most practical schemes, for several reasons:
many schemes can at best be computationally secure
unconditionally secure schemes typically involve keys of impractically large size, or can only be used once
Formal methods
logics of authentication (BAN), term-rewriting systems, expert systems, and other methods combining algebraic and state-transition techniques
help in finding flaws and redundancies in protocols
the proofs provided are proofs within the specified formal system, and cannot be interpreted as absolute proofs of security
absence of discovered flaws does not imply the absence of flaws
Thank You!