Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

Transcription

1 Key Establishment Chester Rebeiro IIT Madras CR Stinson : Chapter 10

2 Multi Party secure communication C D A B E F N parties want to communicate securely with each other (N=6 in this figure) If sends a message to V ( V and,v Ɛ {a,b,c,d,e,f}) Only V should be able to read the message No other parties (even if they cooperate) should be able to read the message CR 2

3 Adversary Assumptions C attacker A B Passive Attacker (evesdropper) Active Attacker Aim : fool A and B into accepting an invalid key ( invalid key : expired key, a key chosen by the attacker) fool A / B into believing that they have exchanged a key with the other get partial information about the key exchanged between A and B Modus-Operandi : alter messages save messages and replay later masquerade CR 3

4 Adversary Assumptions c d 2-party colluding attackers a b Attackers can collude to get the secrets k-party colluding attacks K attackers collude CR 4

5 Types of Keys Long lived keys Generally used for authentication, setting up session keys Could be either a key corresponding to a symmetric cipher Or a private key corresponding to a public key cipher Session keys sed for a brief period of time such as a single session. Typically session key corresponds to a symmetric key cipher and requires to be changed periodically Derived from LL keys CR 5

6 Example (the keys in GSM) Long lived (LL) keys SIM contains a individual subscriber authentication key (k i ) It is never transmitted or the network. A copy of k i is also stored in databases in the base station k i is used to authenticate the SIM using an algorithm called A3 Session keys (k c ) Created at the time of a call changed periodically during the call It is created using k i and an algorithm A8 Voice and Signals are encrypted using the session key kiusing a cipher A5 CR 6

7 Why use Session Keys? Limit the amount of ciphertext an attacker sees. Limit exposure when device is compromised. Limits the amount of long term information that needs to be stored on device. CR 7

8 Distributing LL Keys Non-interactively LL keys are stored in the device (such as TPMs) Or computed from stored secrets (such as PFs) Interactively Could also be sent to the device by a trusted authority (TA) Trusted Authority Verifies identities of users Issues certificates Has a secure link with each user Distribution schemes from TA sing public key constructs ser s store private keys ser certificates stored by TA contains the public keys sing symmetric key constructs TA has a secure channel to distribute secret keys to pairs of users A B TA C D E F CR 8

9 Key Predistribution Defining Feature: Key Pre-distribution affects all users CR slide borrowed from Hossein Hajiabolhassan(SB) 9

10 Key Predistribution Scheme CR Slide borrowed from Hossein Hajiabolhassan(SB) 10

11 TA Solution using symmetric key cryptography (Naïve Scheme) C D K AB A B K AB E F TA generates a key and sends it securely to A and B. Storage in each user : N 1 Maximum secure links : N Network Overheads : N transfers 2 can we reduce the overheads? CR 11

12 Trading Security for reduced Overheads C E F D K AB A B K AB The naïve scheme protects against N-2 colluding users What if we reduce this assumption to say k (< N-2) colluding users? Security reduces But overheads may also reduce. CR 12

13 Blom s Key PreDistribution Scheme Aim : each pair of users require a unique key nconditionally secure key distribution in a k-party colluding network (k < N 2) At-most k parties can collude (k parties acting together will not be able to determine the key for anyone else) Maximum secure links N (no change here) Network Transfers : N(k+1) N 2 (reduced from ) Storage : Each user stores (k+1) elements (reduced from N-1 ) CR 13

14 Blom s Key Distribution Scheme (for k=1) Public parameters: (1) prime p (> N)and (2) for each user a distinct value r u Ɛ Z p Trusted Authority 1. Choose secreta, b, c Ɛ Z p and forms the polynomial f(x,y) = (a + b(x + y) + cxy) mod p = (a + by) + (b + cy)x mod p 2. For each user u, the TA computes f(x, r u )and transmitstwo elements(k+1) to user over a secure channel a = (a + br ) mod p and b = (b + cr )x mod p sage : if and V want to communicate : has f(x, r ), computes K V = f(r V, r ) V :has f(x, r V ), computes K V = f(r, r V ) = f(r V, r ) = K V CR 14

15 Blom s Key Distribution Scheme (for k=1) Why it works? Public parameters: (1) prime p (> N)and (2) for each user a distinct value r u Ɛ Z p a,b, c are the only secrets. If an attacker can compute these, then the Trusted system is broken! Authority 1. Choose secreta, b, c Ɛ Z p and forms the polynomial f(x,y) = (a + b(x + y) + cxy) mod p = (a + by) + (b + cy)x mod p sage : if and V want to communicate : has f(x, r ), computes K V = f(r V, r ) f(x,y) is symmetric. Interchanging x and y values will not alter results. 2. For each user u, the TTP computes f(x, r u )and transmitstwo elements (k+1) to user over a secure channel a = (a + br ) mod p and b = (b + cr )x mod p This is an Affine transformation. There are three unknowns (a, b, c). Therefore requires 3 equations to solve. However, each user has only a and b. Needs more information!! V :has f(x, r V ), computes K V = f(r, r V ) = f(r V, r ) = K V CR 15

16 Blom s scheme is unconditionally secure What does this means? Any other user W (not or V) cannot get any information about K V aprioriprobability of K V = aposterioriprobability of K V =1/ Z p Given all of Blom spublic parameters and f(x, r W ) What W has? a W = a + br W b W = b + cr W Two equations; three unknowns (a, b, c) This is an underdetermined system therefore number of solutions possible is Zp. Aposterioriprobability of K V = 1/ Z p CR 16

17 2-party Colluding Attackers If two attackers (say W and X) collude, then 4 equations present and 3 unknowns This will result in a unique solution for a,b,c system broken!!! What W and X have? a W = a + br W b W = b + cr W a X = a + br X b X = b + cr X W X 2-party coalition attackers Thus, the scheme is not secure against 2 (or more) party colluding attacks CR 17

18 Generalizing Blom s Scheme More complex polynomial so that secret coefficients cannot be retrieved For a k-party colluding network f( x, y) wherea i, j k i= 0 j= 0 Z k = p a i, j x i y (0 i, j mod j k) p and a i, j = a j, i for all i, j CR 18

19 Limits of Blom s Scheme Pairwise keys cannot be changed i.e. and V cannot change their keys To change keys, all users need to be reconfigured Thus, it is difficult to implement this scheme for session keys CR 19

20 Key Distribution Patterns (This is a secret operation). CR 20

21 Key Distribution Patterns (Trivial Example) Suppose There are n users (n = 4) and v keys (v = 6) k k has keys k1, k2, k3 k3 2 has keys k1, k4, k M = 5 k has keys k2, k4, k k 5 4 has keys k3, k5, k 6 k keys users CR 21

22 Group Keys Consider that a subset of users P ( P 2) want to communicate together Define, keys ( 1) = { k1, k2, k3} keys ) = { k, k, } ( k5 keys ( P ) = keys ( ) keys ( ) = k 1 2) 1 Each user in P can compute keys(p) independently because M is public In this case, k P = keys(p) = k 1 can be used as the key If keys( P) > 2, then define k P = k i i keys( P) modk CR 22

23 Security of Group Keys Consider another subset of users F, who want to collaborate to determine the group key k P 1 If F P φ, then there exists some F who can compute j k P 2 Assume F P = φ If keys( P) keys j ( ) j F then there exists asubsetinf who can cooperateto compute k P If such a subset does not exist, then the system in unconditionally secure CR 23

24 Another Example M: n=7, v=7 Storage in each user is k 1 k 7 No other user has both k 1 and k 7. 3 has k 1 but not k 7 4 has k 7 but not k 1 Therefore the scheme is secure against single party attackers The scheme is not secure against two (or more) party attackers If 3 and 4 collaborate, they can compute k 1 + k 7 CR 24

25 Key Distribution Pattern (Trivial Example) If there are n users, For each pair to communicate securely, the matrix size is Each user must store n 1 keys n n 2 Security Guarantee: The system is secure against a coalition of size n 2. i.e. to get the key between Alice and Bob, everyone remaining must cooperate Maximum security guarantees, but huge of storage requirements. CR Can we trade security for lower storage? 25

26 Fiat-Naor Key Distribution Patterns Consider nusers : = { 1, 2,., n }. How do we construct a key pattern matrix Mwhich can resist attacks from wcollating users (1 w n) (w is called the security parameter) w n 1. Compute: v= i= 0 i 2. Computethe matrix M (v x n) The columns are the users( 1, 2,.., n ) Each row corresponds incidence vector of a subset of users with cardinality at-least n-w CR 26

27 Example Number of users is 6 Security Parameter w = 1 v = 7 Subsets of having at-least n-w elements CR 27 },,,, { },,,, { },,,, { },,,, { },,,, { },,,,, {

28 Example Number of users is 6 Security Parameter w = 1 v = 7 Note that no other user (individually) has access to all keys k 1, k 2, k 3, and k 6 Thus the system is secure against non-cooperating attackers CR 28

29 Session Keys Are between pairs of users (e.g. Alice and Bob) Distribution of Session Keys Makes use of the TA TA tells Alice and Bob the secret key TA k ab k ab CR 29

30 Setting : (shared keys with TA) TA K A, K B, K C, K D K A a b K B c K C d K D TA shares a secret key with each user. This key is used to securely communicate between TA and a user. CR 30

31 Needham Schroeder Scheme TA K A, K B Randomly Choose session key K Compute t B = E K B(K ID(A)) y 1 = E K A(r A K ID(B) t B ) 1 Alice Need to talk to Bob securely Pick a random number r A r A, ID(B) 2 y 1 K A Bob K B Such random number often called Nonce (numbers used once) ID(B) is a unique identifier for Bob ID(A) is a unique identifier for Alice t B, is called Bob s ticket Note t B is embedded in y 1 CR 31

32 Needham Schroeder Scheme K A, K B TA Alice Bob Randomly Choose session key K 1 K,K A Need to talk to B securely Pick a random number r A K B Compute t B = E K B(K ID(A)) y 1 = E K A(r A K ID(B) t B ) y 1 2 Decrypt y 1 using K A Check if ID(B), r A matches If they match, then send t B to Bob Alice now has the secret session key K CR 32

33 Needham Schroeder Scheme TA K A, K B Randomly Choose session key K 1 Alice Need to talk to B securely Pick a random number r A K, K A K,K Bob B Compute t B = E K B(K ID(A)) y 1 = E K A(r A K ID(B) t B ) y 1 2 Decrypt y 1 using K A Check if ID(B), r A matches If they match, then send t B to Bob t B 3 Decrypt t B using K B Pick a random number r B Compute y 2 = E K (r B ) Bob too now has the secret K, He also has ID(A), so he knows it s a session key with Alice CR K is used for encrypting r B 33

34 Needham Schroeder Scheme K A, K B TA Alice Bob Randomly Choose session key K 1 Need to talk to B securely Pick a random number r A K, K A K, K B Compute t B = E K B(K ID(A)) y 1 = E K A(r A K ID(B) t B ) y 1 2 Decrypt y 1 using K A Check if ID(B), r A matches If they match, then send t B to Bob 3 t B 4 Decrypt t B using K B Pick a random number r B Compute y 2 = E K (r B ) Decrypt y 2 using K to get r B Compute y 3 =E K (r B -1) y 2 5 y 3 CR 34

35 Needham Schroeder Scheme TA K A, K B Randomly Choose session key K 1 Alice K A Need to talk to B securely Pick a random number r A Bob K B Compute t B = E K B(K ID(A)) y 1 = E K A(r A K ID(B) t B ) y 1 2 Decrypt y 1 using K A Check if ID(B), r u matches If they match, then send t B to Bob t B 3 4 Decrypt t B using K B Pick a random number r B Compute y 2 = E K (r B ) This step tell Bob that K is indeed correct CR 35 Decrypt y 2 using K to get r B Compute y 3 =E K (r B -1) y 2 5 y 3 Decrypt y 3 and verify the correctness of r B -1. If incorrect, reject

36 Denning-Sacco Attack on the NS Scheme This is a known session key attack / replay attack, where the attacker has a previously used session key between and V, and can convinces V to use this old session key Input is a previously used session key K, which was used between A and B Attacker Bob Has a previously used t B = E K B(K ID()) and K Decrypt y 2 using K to get r B Compute y 3 =E K (r B -1) 3 t B 4 y 2 5 y 3 Decrypt t B using K B Pick a random number r B Compute y 2 = E K (r B ) Decrypt y 3 and verify the correctness of r B -1. If incorrect, reject CR 36

37 Denning-Sacco Attack on the NS Scheme What is the flaw in the NS scheme? Bob has no way to know if t B has been used previously. Attacker Bob Input is a previously used session key K, which was used between A and B Has a previously used t B = E K B(K ID()) and K t B 3 Decrypt t B using K B Pick a random number r B Compute y 2 = E K (r B ) 4 Fixed in Kerberos by adding a timestamp Decrypt y 2 using K to get r B Compute y 3 =E K (r B -1) y 2 5 y 3 Decrypt y 3 and verify the correctness of r B -1. If incorrect, reject CR 37

38 Kerberos (setup a session key K between Alice and Bob) TA Alice Bob Randomly Choose secret key K; Set Lifetime L compute K A, K B m 1 = E K A(R A, K, L, ID(B)) m 2 = E K B(K, L, ID(A)) 1 K A Need to talk to Bob securely. Generate R A K is the session key chosen by the TTP It is valid only for the until time L. The timestamps are added to prevent replay attacks ID(B) is a unique identifier for Bob ID(A) is a unique identifier for Alice These are use to authenticate the parties K B CR 38

39 Kerberos (setup a session key K between Alice and Bob) TA K A, K B Randomly Choose secret key K; Set Lifetime L 1 Alice Need to talk to Bob securely. Generate R A K, K A K Bob B compute m 1 = E K A(R A,K, L, ID(B)) m 2 = E K B(K, L, ID(A)) 2 (R A, K, L, ID(B)) D K A(m 1 ) m 3 = E K (T, ID(A)) Only Alice can decrypt message m 1 Alice will verify * the current time to check for validity * if R A matches * If ID(B) is correct T is the current timestamp CR 39

40 Kerberos (setup a session key K between Alice and Bob) TA K A, K B Randomly Choose secret key K; set Lifetime L compute m 1 = E K A(R A,K, L, ID(B)) m 2 = E K B(K, L, ID(A)) 1 2 Alice Need to talk to Bob securely. Generate R A K, K A K, K Bob B Only Bob can decrypt message m 2 After decrypting m 2, he can decrypt m 3 using K (R A, K, L, ID(B))D K A(m 1 ) m 3 = E K (T, ID(A)) 3 (K, L, ID(A))D K B(m 2 ) (T, ID(A)) D K (m 3 ) Check lifetime; check ID(A) is the same in both decryptions check if ID matches, and T <= L T = T + 1; m 4 = e K (T+1) CR 40

41 Kerberos (setup a session key K between Alice and Bob) TA K A, K B Randomly Choose secret key K; Lifetime L 1 Alice Need to talk to Bob securely. Generate R A K, K A K, K B Bob compute m 1 = E K A(R A,K, L, ID(B)) m 2 = E K B(K, L, ID(A)) 2 (R A, K, L, ID(B))= D K A(m 1 ) m 3 = E K (T, ID(A)) 3 This ensures that Bob has successfully received the correct key K (K, L, ID(A))= D K B(m 2 ) (T, ID(A)) = D K (m 3 ) Alice and Bob can now communicate using session key K (T )= D K (m 4 ) Verify timestamp is indeed T = T check if ID matches, and T <= L T = T + 1; m 4 = e K (T+1) CR 41

42 Limitations of Kerberos Requires all users and the TA to be synchronized due to the timestamp requirements. Not easily done Does not completely prevent replay attacks Replay attacks can still occur within the lifetime (L) of a key Is key confirmation (step 4) actually needed? Nobody else can decrypted the encrypted message anyways. CR 42

43 Bellare-Rogaway Scheme K A, K B TA Alice Bob K A Need to talk to Bob securely. Generate R A 1 K B Generate R B 2 Notice that Alice contacts Bob first. This is crucial to eliminate replay attacks CR 43

44 Bellare-Rogaway Scheme K A, K B TA Alice Bob K A Need to talk to Bob securely. Generate R A 1 K B Generate R B y B =(E K B (K), MAC B(ID(A), ID(B), R B, E K B (K)) y A =(E K A (K), MAC A(ID(A), ID(B), R A, E K A (K)) 2 y A 3 y B ses MAC, prevents double encryption. No timestamps present CR 44

45 Bellare-Rogaway Scheme K A, K B TA Alice Bob K A Need to talk to Bob securely. Generate R A 1 K B Generate R B y B =(E K B (K), MAC B(ID(A), ID(B), R B, E K B (K)) y A =(E K A (K), MAC A(ID(A), ID(B), R A, E K A (K)) 2 y A 3 y B Decrypt K; Compute MAC. Verify ID(B), ID(A), R A, K Decrypt K; Compute MAC. Verify ID(B), ID(A), R B, K Replay attacks prevented. As Alice and Bob expect a key K corresponding to R A and R B No key confirmation phase. Alice / Bob does not know if the other person has received the key. CR 45

46 Security of Bellare-Rogaway Session Key Distribution Scheme The Bellare-Rogaway scheme is secure under the assumptions A, B, and TA are honest MACs generated are secure Secret keys are not known to anyone other than the required parties Random numbers are generated perfectly CR 46

47 BR Scheme Analysis : When Attacker is Passive Attacker Knows r A, r B, ID(A), ID(B), y A, y B Attacker cannot get the K because she doesn t have K A or K B that decrypts Y A, Y B respectively K A, K B TA Alice Bob K A Need to talk to Bob securely. Generate R A 1 K B Generate R B y B =(E K B (K), MAC B(ID(A), ID(B), R B, E K B (K)) y A =(E K A (K), MAC A(ID(A), ID(B), R A, E K A (K)) 2 y A 3 y B Decrypt K; Compute MAC. Verify ID(B), ID(A), R A, K Decrypt K; Compute MAC. Verify ID(B), ID(A), R B, K CR 47

48 BR Scheme Analysis : When Attacker is Active and Impersonates Bob Attacker Sends ID(M) instead of ID(B) to TA Alice finds that the MAC she computes does not match the MAC sent by the TA K A, K B TA Alice Attacker(M) K A Need to talk to Bob securely. Generate R A 1 K B Generate R B y B =(E K M (K), MAC M(ID(A), ID(M), R B, E K M (K)) y A =(E K A (K), MAC A(ID(A), ID(M), R A, E K A (K)) 2 y A 3 y B Decrypt K; Compute MAC (ID(A), ID(B), R A, E KA (K)) Finds that MACs do not match Aborts the communication Decrypt K; Compute MAC. Verify ID(B), ID(A), R B, K CR 48

49 BR Scheme Analysis : When Attacker is Active and Impersonates Bob Attacker Sends ID(B) as usual Attacker cannot decrypt y B because she does not have the decryption key KB Messages sent from Alice encrypted with K, cannot be decrypted by the attacker K A, K B TA Alice Attacker(M) K A Need to talk to Bob securely. Generate R A 1 K B Generate R B y B =(E K B (K), MAC B(ID(A), ID(B), R B, E K M (K)) y A =(E K A (K), MAC A(ID(A), ID(B), R A, E K A (K)) 2 y A 3 y B Decrypt K; Compute MAC (ID(A), ID(B), RA, E KB (K)) MACs match Cannot decrypt y B Because Attacker has no decryption key K B CR 49

50 BR Scheme Analysis : When Attacker is Active and Impersonates Alice Attacker sends ID(A), r A to Bob Attacker cannot decrypt y A because she does not have the decryption key K A Messages sent from Bob encrypted with K, cannot be decrypted by the attacker K A, K B TA Attacker Bob K A Need to talk to Bob securely. Generate R A 1 K B Generate R B y B =(E K B (K), MAC B(ID(A), ID(B), R B, E K B (K)) y A =(E K A (K), MAC A(ID(A), ID(B), R A, E K A (K)) 2 y A 3 y B Cannot decrypt y A Because Attacker has no decryption key K A Decrypt K; Compute MAC. Verify ID(B), ID(A), R B, K CR 50

51 Key Agreement Schemes How does Alice and Bob agree upon a secret key without active use of a TA? sers use a public key algorithm The secret key agreed on is a function of Alices public and private keys Bob s public and private keys CR 51

52 Recall Diffie Hellman Key Exchange Alice and Bob agree upon a prime pand a generator g. This is public information choose a secret a compute A = g a mod p choose a secret b compute B = g b mod p Compute K = B a mod p B A Compute K = A b mod p A b mod p = (g a ) b mod p = (g b ) a mod p = B a mod p CR 52

53 Diffie Hellman (Man in the Middle Attack) choose a secret a compute A = g a mod p A For some m compute M = g m mod p B choose a secret b compute B = g b mod p M M Compute K a = M a mod p Compute K a = A m mod p K b = B m mod p Compute K b = M b mod p CR 53

54 Diffie Hellman (Man in the Middle Attack) choose a secret a compute A = g a mod p What s missing is Authentication! Alice and Bob need to authenticate each other before exchanging messages A For some m compute M = g m mod p B choose a secret b compute B = g b mod p M M Compute K a = M a mod p Compute K a = A m mod p K b = B m mod p Compute K b = M b mod p CR 54