Symmetric Cryptographic Protocols

Size: px

Start display at page:

Download "Symmetric Cryptographic Protocols"

Corey Anderson
5 years ago
Views:

1 Symmetric Cryptographic Protocols

2 Mahalingam Ramkumar Symmetric Cryptographic Protocols 2123

3 Mahalingam Ramkumar Mississippi State University Mississippi State Mississippi USA ISBN ISBN (ebook) DOI / Springer Cham Heidelberg New York Dordrecht London Library of Congress Control Number: Springer International Publishing Switzerland 2014 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein. Printed on acid-free paper Springer is part of Springer Science+Business Media (

4 To my late mom, Rajalakshmi. v

5 Preface Symmetric cryptography deals with: 1. the construction of efficient pseudo random functions (PRF), which are the building blocks of symmetric cryptography, and 2. symmetric cryptographic protocols, which are strategies to utilize the building blocks to solve some of our our day-to-day problems. This book does not concern itself with the building blocks themselves; several well studied PRFs in the form of block ciphers and hash functions already exist. The focus of this book is instead on the (often under appreciated) range and utility of protocols and constructions that utilize symmetric PRFs. Lack of widespread appreciation of the scope of symmetric cryptography has led to the unwarranted use of more expensive asymmetric cryptography in situations where symmetric cryptography is adequate. Perhaps, it is the sheer elegance of asymmetric primitives that instills in us the desire to honor them by utilizing them even in situations where symmetric cryptography is adequate. This is one situation that this book aims to rectify. The specific topics addressed in this book include: 1. various key distribution strategies for unicast, broadcast, and multicast security associations, and 2. strategies for constructing compact and efficient digests of dynamic databases. A unified treatment of seemingly unrelated protocols is made possible by the fact that only three basic strategies, viz., hash chains, hash trees, and the surprising uniqueness of random subsets, are reused in a variety of different ways in different protocols. Ultimately, the utility a cryptographic algorithm stems from the ability to leverage well-deserved assumptions regarding the properties of such algorithms; that we can virtually guarantee the existence of specific relationships between various inputs and outputs of the algorithm; for example, that the preimage of a cryptographic hash was chosen before the image was computed, and not vice-versa. Cryptographic algorithms are building blocks for the construction of application-specific cryptographic protocols, to enable enforcement of application-specific requirements, between various (application-specific) inputs and outputs. vii

6 viii Preface By themselves, cryptographic protocols (unfortunately) do not provide the necessary (application-specific) context to the inputs and outputs. It is up to security protocols that utilize cryptographic protocols to do so. Consequently, practical security protocols will always need to make some additional noncryptographic assumptions regarding the environment in which the cryptographic protocol is executed, and the privacy of keys employed by the algorithms. Almost every security issue we face in our day-to-day lives stems from the simple fact that many such noncryptographic assumptions turn out to be unjustified. For example, while the secure socket layer (SSL) is perfectly safe as a cryptographic protocol, when used as a security protocol, many vulnerabilities can crop up like the recent Heart-bleed vulnerability, or the fact that SSL as a security protocol relies on the integrity of the public key infrastructure (PKI), which in turn relies on unverifiable assumptions regarding the integrity of PKI certificate authorities. Perhaps the only practical recourse is to invest in an infrastructure to realize sufficiently trustworthy hardware modules. Such modules should be capable of guaranteeing a safe environment in which a wide variety of cryptographic protocols necessary for a wide range of applications can run unmolested. Only the well-deserved trust in the assumed properties of cryptographic algorithms, and the integrity of such hardware modules, can then be bootstrapped to realize security protocols without the need to make unjustifiable assumptions like the integrity of software and hardware components in general purpose computers or the integrity of personnel/organizations with access to sensitive data processed in the computers. The versatility and low resource requirement for protocols based on symmetric PRFs make them very well suited for such an approach. Simple fixed functionality involving only PRF and logical operations, executed within the confines of deliberately resource limited modules, can be more readily verified to be free of malicious functionality. Almost every security protocol outlined in this book pays extra attention to additional constraints that may be imposed due to the fact that the security protocols will need to be executed inside a trustworthy (and severely resource limited) boundary. Chapter 1 is a brief review of well-known properties of symmetric PRFs like hash functions and block ciphers. Chapter 2 outlines some useful constructions using PRFs that are reused throughout this book. Chapter 3 presents key predistribution schemes for pairwise authentication strategies that are traditionally considered as nonscalable. Two such schemes, the modified Leighton Micali scheme (MLS) and the identity tickets (IT) schemes are, however, shown to be scalable enough for most practical applications. Chapter 4 outlines a strategy for employing such schemes in conjunction with trustworthy hardware modules with trivial functionality to secure the domain name system (DNS). This approach is compared with the current security protocol, DNSSEC, for securing DNS. Chapters 5 and 6 present various scalable key predistribution schemes. Chapter 5 outlines many of the advantages of probabilistic schemes over deterministic schemes. Chapter 6 outlines three scalable schemes realized as extensions of nonscalable

7 Preface ix schemes discussed in Chap. 3. Chapter 7 highlights special considerations for protecting the integrity of secrets inside resource limited tamper-responsive boundaries. Such considerations are taken into account to reevaluate the strengths of various key distribution schemes, and the overhead associated with each approach. Chapter 8 reviews strategies for multicast security associations like one-to-many associations (or broadcast security) and group security associations facilitated using broadcast encryption. While most broadcast encryption schemes employ a treelike structure, flat schemes based on probabilistic key distribution have some compelling advantages. The utility of such schemes for practical deployments of publish subscribe systems is also discussed in this chapter. Chapter 9 presents a useful authenticated data structure, the ordered Merkle tree (OMT), and it s utility in assuring the integrity of a wide variety of dynamic databases maintained by untrusted entities. Two variations of the OMT, viz., the index ordered Merkle tree (IOMT), and the domain ordered Merkle tree (DOMT), are discussed. Simple algorithms intended to be executed by a trusted resource limited verifier, to assure the integrity of a database maintained by an untrusted prover, are presented. Chapter 10 discusses a new credential transaction model as a specification of application-specific security protocols. For any system with a desired set of assurances, the strategy is to identity different roles for participants in the system, and a set of permitted credential transactions for each role. The permitted credential transactions are chosen to guarantee that no desired assurance is violated. Thus, as long as we can assure the integrity of credential transactions, we can assure the integrity of the entire system (that all desired assurances are met). The credential transaction model permits the design of a universal trusted base as a hypothetical specification for trusted credential management modules (CMM). Irrespective of the specific nature of the system, CMMs are entrusted with the task of assuring the integrity of credential transactions. Only assumptions regarding the integrity of PRFs, and the integrity of simple algorithms executed inside CMMs to verify the integrity of credential transactions, are bootstrapped by the security protocol (the transaction model) to realize all desired assurances. Such an approach eliminates the need for unjustifiable trust in complex hardware/software components, and personnel with the ability to influence the operation of such computers. The core functional components of CMMs include functionality described in Chap. 7 for unicast security associations, and functionality for maintaining OMTs, described in Chap. 9. Starkville, MS April 2014 Mahalingam Ramkumar

8 Contents 1 Introduction Cryptographic Algorithms Symmetric Cryptographic Algorithms Asymmetric Algorithms Using Cryptographic Algorithms Block Cipher Modes Hash Function Hashed Message Authentication Code Asymmetric Encryption and Signatures Cryptographic Protocols and Security Protocols Security Protocols Symmetric Protocols Symmetric Security Protocols Some Useful Constructions Hash Chains Hash Accumulator Hash Tree Random Subsets S i S n (S i S j ) S n Nonscalable Key Distribution Schemes Online KDC NS Protocol Leighton Micali Protocol Offline KDC Basic KDS for Static Small-Scale Networks Key Distribution for Dynamic Networks MLS Key Distribution Identity Ticket (IT) Scheme Comparison xi

9 xii Contents MLS with Multiple KDCs MLS Applications MLS for Internet Security Protocols Domain Name System DNS Records Securing DNS Link-Security Approaches DNSSEC Authenticated Denial DNS-Walk MLS Based Alternative to DNSSEC Extending Link-Security Approaches Principle of TCB-DNS Computing Link Secrets The TCB-DNS Protocol The Atomic Relay Algorithm Preparation of TCB-DNS Master File Verification of RRSets Proof of Correctness Practical Considerations TCB-DNS vs. DNSSEC Authenticated Denial Overhead Replay Attacks DNSSEC with TSIG NSEC3 Opt-Out Alternative to IPSec IPSec Operation IPSec Issues IPSec Alternative Leveraging TCB-DNS Scalable Key Distribution Schemes Certificates Based Schemes Identity Based Schemes Identity-Based Key Predistribution Schemes Blom s Schemes Probabilistic KPSs (PKPS) Allocation of Subsets Random Preloaded Subsets Hash-Chain KPS Hashed Random Preloaded Subsets (HARPS) (n, p)-security of HARPS Probability of Winning a Round Optimization of Parameters... 73

10 Contents xiii 5.5 Deterministic Versus Probabilistic KPSs KPS Complexity Complexity Versus Desired Collusion Resistance n Using External Resources Low Complexity Hardware Multiple KDCs and Renewal Exploiting Multi-path Diversity Conclusions Scalable Extensions of Nonscalable Schemes Parallel Basic KPS Parallel Leighton Micali Scheme (PLM) (n, p)-security of PBK and PLM Optimal Choice of Parameters m and M Subset Keys and Identity Tickets (SKIT) (n, p)-security of SKIT Optimal Choice of Parameters Comparison of KPSs Beyond (n, p)-security (n, φ, p a )-Security of RPS (n, φ, p a )-Security of PBK/PLM (n, φ, p a )-Security of SKIT Addressing Message Injection Attacks PLM for Sensor Networks Classical Sensor Network Model Assumptions Key Distribution for Sensor Networks Key Establishment Performance and Overhead Conclusions Using PKPSs with Tamper-Responsive Modules Core Principles Active and Passive Shields State Transitions Single-Step Countermeasures The DOWN Policy DOWN-Enabled Modules DOWN with Other Asymmetric Schemes DOWN With ID-Based Schemes DOWN Assurance and Complexity DOWN with PKPSs A Second Look at Key Predistribution Scheme (KPS) Complexity Generic Device Model

11 xiv Contents 7.4 Comparison of KPSs Deployment Complexity Complexity During Regular Operation PLM PBK RPS and HARPS KPS Algorithms MLS Scalable KPSs Security Protocols Utilizing f pw () Atomic Relay Protocols Atomic Authentication Relay Algorithm Atomic Path Secret Relay Algorithm Accepting Relays Conclusions Broadcast Authentication and Broadcast Encryption Certificates-Based Broadcast Authentication (BA) One-Time Signatures (OTS) Timed Efficient Stream Loss Tolerant Authentication (TESLA) Identity-Based Broadcast Authentication (BA) Using Key Predistribution Reducing Signature Size Effect of Decrypt Only When Necessary (DOWN) Assurance Broadcast Encryption Tree-Based Broadcast Encryption (BE) Schemes Broadcast Encryption (BE) Using Probabilistic Key Distribution Broadcast Encryption (BE) by Sources Other Than Key Distribution Center (KDC) Performance of Probabilistic Key Predistribution Scheme Broadcast Encryption (PKPS BE) Performance Bounds Over-Provisioning Keys Hashed Random Preloaded Subsets (HARPS) vs. Random Preloaded Subsets (RPS) Models for Broadcast Encryption (BE) G = N Models N>>GModels Batch Sizes for External Sources Application of Probabilistic Key Predistribution Scheme Broadcast Encryption (PKPS BE) in Publish Subscribe Systems Desirable Features

12 Contents xv PKPS-BE vs. T-BE for Pub Sub Systems Pub Sub Operation Authenticated Data Structures Merkle Tree as an ADS Merkle Tree Protocols Ordered Merkle Tree OMT Leaves OMT Nodes Verification and Update Protocols Insertion of OMT Leaves Reordering OMT Leaves Index Ordered Merkle Tree Domain Ordered Merkle Tree Summary of OMT Properties OMT Algorithms in Trusted Resource Limited Boundaries Self-Certificates Core OMT Functions OMT Functions Exposed by T Root Equivalence Certificates Module T State Using Module Functions Context/Application Dependent Functions Infrastructural Requirements Universal Trusted Computing Bases Practical Systems Complexity and Ignorance System Security Model Trusted Platform Modules Realizing a TCG Trusted Platform Pitfalls of the TCG Approach Trinc Virtual Counters Credential Management Modules Credential Transaction Model Consequential Transactions Virtual Networks VN State Changes CMM State and VN State Changing VN State CMMs as ADS Constructors and Verifiers CMM System Architecture CMM Universe Creation of Virtual Networks

13 xvi Contents Intra-VN Key Distribution VN Links Credential Transaction Model of Representative Systems Credential Transaction Model for DNS DNS Transactions Transaction Models for Other Systems Conclusions References Index

14 Acronyms HMAC MAC KDC PKI OTS KDS KPS PKPS RPS HARPS BKP MLS IT PBK PLM SKIT ADS OMT IOMT DOMT VN DNS BGP AS Hashed Message Authentication Code Message Authentication Code Key Distribution Center Public Key Infrastructure One Time Signature Key Distribution Scheme Key Predistribution Scheme Probabilistic Key Predistribution Scheme Random Preloaded Subsets Hashed Random Preloaded Subsets Basic Key Predistribution Modified Leighton Micali Scheme Identity Tickets Parallel Basic Key Predistribution Scheme Parallel Leighton Micali Scheme Subset Key and Identity Tickets Authenticated Data Structures Ordered Merkle Tree Index Ordered Merkle Tree Domain Ordered Merkle Tree Virtual Network Domain Name System Border Gateway Protocol Autonomous System xvii

Guide to OSI and TCP/IP Models

SPRINGER BRIEFS IN COMPUTER SCIENCE Mohammed M. Alani Guide to OSI and TCP/IP Models SpringerBriefs in Computer Science Series editors Stan Zdonik Peng Ning Shashi Shekhar Jonathan Katz Xindong Wu Lakhmi