Page 1: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Distribution and Agreement Schemes

CSG 252 Fall 2006

Riccardo Pucella

Page 2: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Establishment Problem

PK cryptosystems have advantages over SK cryptosystems

PKCs do not need a secure channel to establish secret keysHowever, PKCs generally less efficient than SKCsSo you often want SKCs anyways

The problem: n agents on an insecure networkWant to establish keys between pairs of agents to communicate securely

Page 3: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Distribution vs Agreement

Secret Key Distribution Scheme (SKDS):Assume a special entity in the network, a Trusted Authority (TA)TA chooses a secret key for communicating, and transmits it to parties that wants to communicate

Key Agreement Scheme (KAS):Two or more parties want to establish a secret key on their own

Page 4: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Main Goal of Schemes

At the end of an exchange:Two parties share a key KThe value of K is not known to any other party

Except maybe the TA

Sometimes want more: mutual identification (chap. 9)No honest participant in a session of the scheme will accept after any interaction in which an adversary is active

Page 5: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Long-Lived vs Session KeysLL keys:

Long-lived keys, usually shared between TA and users

Session keys:Used for a session-based communication

Why the distinction?Limit amount of ciphertext available to an attackerLimit exposure in event of key compromise

Assuming session keys do not reveal info about LL keys or other session keys

Page 6: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Attacker Models

May or may not be a user in the systeminsider vs outsider attacker

May be passive or activeAlter messages in transit (including intercepting)Save messages for later reuseAttempt to masquerade as other users

Page 7: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Possible Attacker Objectives

Passive objectives:Determine some (partial) information about key exchanged by users

Active objectives:Fool U and V into accepting an “invalid” key

E.g. an old expired key, or a key known to advMake U and V believe they have exchanged a key with each other when that is not the case

Page 8: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Extended Attacker Models

Known session key attack:Attacker learns session keys, want other session keys (as well as LL keys) to remain secret

Known LL key attack:Attacker learns LL keys of a participant, want previous session keys to remain secretPerfect forward secrecy

This is not a property of a cryptosystem, but of how a cryptosystem is used!

Page 9: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Distribution Scheme:

Needham-Schroeder Scheme



ID(Alice) || ID(Bob) || rA

Page 10: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Distribution Scheme:

Needham-Schroeder Scheme



tBob = eKBob (K || ID(Alice))

eKAlice (rA || ID(Bob) || K || tBob)

Page 11: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Distribution Scheme:

Needham-Schroeder Scheme




Page 12: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Distribution Scheme:

Needham-Schroeder Scheme



eK (rB)

Page 13: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Distribution Scheme:

Needham-Schroeder Scheme



eK (rB-1)

Page 14: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Denning-Sacco Attack on NSSKnown session key attack

Suppose Oscar eavesdropped on the messages exchanges in an old session between Alice and Bob (which used key K)

Oscar sends intercepted ticket tBob to BobBob replies with eK(rB) for some random rB

Oscar can decrypt and send back eK(rB-1)

Key K is not (necessarily) known to Bob’s intended recipient AliceKey K is know to Oscar

Page 15: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Distribution Scheme:

Bellare-Rogaway Scheme



ID(Alice) || ID(Bob) || rA

Page 16: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Distribution Scheme:

Bellare-Rogaway Scheme



ID(Alice) || ID(Bob) || rA || rB

Page 17: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Distribution Scheme:

Bellare-Rogaway Scheme



eKAlice (K) ||MACAlice (ID(Bob) || ID(Alice) || rA || eKAlice (K))

Page 18: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Distribution Scheme:

Bellare-Rogaway Scheme



eKBob (K) ||MACBob (ID(Alice) || ID(Bob) || rB || eKBob (K))

Page 19: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Agreement Scheme:

Diffie-Hellman Scheme


G a group and α∈G of order n


a b

Page 20: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Agreement Scheme:

Diffie-Hellman Scheme


G a group and α∈G of order n


a b


Page 21: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Agreement Scheme:

Diffie-Hellman Scheme


G a group and α∈G of order n


a bαb

K = (αb)a K = (αa)b

Page 22: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Computational Diffie-Hellman Problem

For the previous scheme to be secure, need for the group G and α to be such that:

Given αa and αb, it is hard to find αab

Can show (6.7.3) that if you can solve the CDH problem, then you can solve the discrete log problem in G

Page 23: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Man-in-the-Middle Attack on DHS

Oscar sits between Alice and Bob and substitutes his own messages






Page 24: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Agreement Scheme:

Station-to-Station Scheme


G a group and α∈G of order n

Cert(U) = (ID(U), verU, sigTA (ID(U),verU))

αa, Cert(Alice)

a b

Page 25: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Agreement Scheme:

Station-to-Station Scheme


G a group and α∈G of order n

Cert(U) = (ID(U), verU, sigTA (ID(U),verU))

αb, sigBob (ID(Alice)||αa||αb), Cert(Bob)

a b


Page 26: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Agreement Scheme:

Station-to-Station Scheme


G a group and α∈G of order n

Cert(U) = (ID(U), verU, sigTA (ID(U),verU))

a b


sigAlice (ID(Bob)||αa||αb)


Page 27: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Key Agreement Scheme:

Station-to-Station Scheme


G a group and α∈G of order n

Cert(U) = (ID(U), verU, sigTA (ID(U),verU))

a b


K = (αb)a K = (αa)b

Page 28: Key Distribution and Agreement  · PDF fileKey Distribution and Agreement Schemes CSG 252 Fall 2006 Riccardo Pucella

Other SchemesOther schemes are modifications of DH-style schemes to reduce computation, or the amount of data the needs to be exchanged

MTI SchemesDoes not require users to sign messagesPut αa in certificates

Girault SchemeDoes not require certificatesNeed to go through a TA

Encrypted Key ExchangeEncrypt DHS exponents using a shared key
