KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

Transcription

1 KEY AGREEMENT PROTOCOLS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 13 of Trappe and Washington

2 DIFFIE-HELLMAN KEY EXCHANGE Alice & want to exchange a ton of data using the nice & fast AES cryptosystem. But first they have to agree on a key. Diffie-Hellman Setup p, a large prime (Public) and α, a prim. elem. of Z p (Public) Alice Chooses x ran Z p 1 (Private) and sends αx (mod p) to. Chooses y ran Z p 1 (Private) and sends αy (mod p) to Alice. Alice Computes k = (α y ) x = α x y (mod p). Computes k = (α x ) y = α x y (mod p). Eve Knows α x (mod p) and α y (mod p). Wants α x y (mod p). 1

3 THE MAN-IN-THE-MIDDLE ATTACK Alice Eve Eve Chooses z ran Z p 1. Intercepts α x and α y. Sends α z to Alice and. Eve computes k AE = (α x ) z and k BE = (α y ) z. Alice believes she has exchanged a key with. believes he has exchanged a key with Alice. Eve reads everything & sends whatever she wants, spoofing Alice &. We need to fix this!! 2

4 STATION TO STATION (STS) PROTOCOL Use signatures & a trusted authority (Trent) to defend against man-in-the-middle. Setup Each user U has sig U - a signature algorithm ver U - a verification algorithm (established by Trent) p, a prime α, a prim. elem. of Z p Alice Chooses x ran Z p 1 and computes αx (mod p). Chooses y ran Z p 1 and computes αy (mod p). More... 3

5 Alice Sends α x to. STATION TO STATION, CONTINUED Computes k = (α x ) y. Sends α y and E K (sig B (α y, α x )) to Alice. Alice Computes K = (α y ) x. Decrypts E K (sig B (α y, α x )) and obtains sig B (α y, α x ). Asks Trent to verify that ver B is s verification alg. Uses ver B to verify s signature. Sends E K (sig A (α x, α y )) to. Decrypts E K (sig A (α x, α y )) & obtains sig A (α x, α y ). Asks Trent to verify that ver A is A s verification alg. Uses ver A to verify Alice s sig. What is Eve to do? E k ( ) & D K ( ) - say AES 4

6 KEY PRE-DISTRIBUTION Key Distribution A TA (Trent) and n users + a secure channel between TA and each User TA sends K to n users securely. Key Agreement Two users + a public network The users interact to agree on a key K. Key Pre-Distribution TA and n users + a public network + a secure channel between TA and each User For each pair of users U, V (U V ) The TA constructs a key K UV (= K V U ) and sends it to U and V securely. ( n ) 2 messages too many! each user stores n 1 keys too many! 5

7 BLOM S DISTRIBUTION SCHEME p, prime with p > n = # of users SETUP Keys chosen from Z p TA Chooses p as above. (public) For each user U, chooses r U Z p. (public) (U V = r U r V ) Chooses a, b, c ran Z p (private) For each user U, the TA computes: a U = a + b r U mod p (private) b U = b + c r U mod p (private) and sends them securely to U. Each user U Constructs g U (x) = a U + b U x. When Alice & want to communicate Alice computes K AB = g A (r B ) and computes K BA = g B (r A ). CLAIM: K AB = K BA. proof on board 6

8 BREAKING BLOM S SCHEME: I Eve wants to determine a, b, and c. She knows: a E = a + b r E b E = b + c r E Two equations, three unknowns, no dice Eve also wants to determine K AB. She knows: K AB = a + b (r A + r B ) + c (r A r B ) a E = a + b r E b E = b + c r E Three equations, four unknowns: a, b, c, and K AB. Fact: For every possible value of K AB, there is a solution for a, b, and c. But what if Eve has a friend? 7

9 BREAKING BLOM S SCHEME: II Together Eve and Ocsar know: a E a + b r E a E b + c r E (mod p) a O a + b r O a E b + c r O Four equations, three unknowns: a, b, and c. So, Eve and Oscar together can break the scheme. The scheme can be generalized to be secure against coalitions of k users k a parameter. E.g., There is a version that is secure against coalitions of 15 users, but fails against a 16 user coalition. 8

10 TRANSPORT PROTOCOLS Alice Chooses k and sends it to securely to. OR Trent (The TA) acts as a key server: Alice wants to talk to. She tells Trent & Trent issues a key to Alice and for the session. Shamir s Three Pass Protocol (Here Trent = Alice.) Alice Publishes a prime p (with a hard disc. log problem) Alice Chooses a ran Z p 1. a 1 a 1 (mod p 1) Chooses b ran Z p 1. b 1 b 1 (mod p 1) Alice Sends K 1 = K a mod p to. Sends K 2 = K b 1 mod p = Ka b mod p to Alice. Alice Sends K 3 = K a 1 2 mod p = K b mod p to. Computes K = K b 1 3 mod p. Man-in-the-middle problems! 9

11 KERBEROS, I Clients: users, processes Servers: gateways The Dramatis Personæ Cliff - a client Serge - a server Trent - a T.A. (authentication server) Grant - a ticket granting server Before Cliff and Serge share no secret data After Serge will have verified Cliff s ID A session key (for Cliff and Serge) will have been established. Background The following is all symmetric key cryptography! 10

12 KERBEROS, II See drawing on board 1: Cliff Trent Requests ticket to ticket-granting server. Cliff supplies his name and Grant s name. 2: Trent Cliff Checks out Cliff and if O.K. Generates K CG Sends Cliff T = def e KC (K CG ) K C = Cliff s secret key Constructs T GT = def Grant s ID e KG (Cliff s ID, timestamp 1, K CG ) Sends Cliff T GT. K G = Grants s secret key 3: Cliff Grant Decrypts T to obtain K CG. Constructs Auth CG = def e KCG (Cliff s ID,timestamp 2 ). Sends T GT and Auth CG to Grant. 11

13 KERBEROS, III See drawing on board 4: Grant Cliff Grant decrypts T GT and obtains: Cliff s ID, K CG, and timestamp 1. Decrypts Auth CG and obtains: Cliff s ID and timestamp 2. Checks that the two versions of Cliff s ID match. Checks that the two timestamps are suff. close. If OK, Grant generates K CS = the Cliff-Serge session key. Generates ServeTicket = def e KS (Cliff s ID, timestamp 3, Exp-Time, K CS ). Sends ServTicket and e KCG (K CS ) to Cliff. Exp-Time = how long K CS is good for K S = Serge s secret key 12

14 KERBEROS, IV 5: Cliff Serge Cliff decrypts e KCG (K CS ) and obtains K CS. Cliff constructs Auth CS = def e KCS (Cliff s ID, timestamp 4 ). Cliff sends Auth CS and ServTicket to Serge. Serge: Decrypts ServTicket to obtain: Cliff s ID, timestamp 3, Exp-Time, and K CS Using K CS decrypts Auth CS to obtain: Cliff s ID, timestamp 4 Checks that the two versions of Cliff s ID match. Checks that timestamp 4 timestamp 3 + Exp-Time. If OK, Cliff and Serge can chat using K CS. 13

15 PUBLIC KEY INFRASTRUCTURES (PKIS) Public Key Infrastructure A set of protocols for publishing and certifying keys Certificate Some information signed by its publisher, a certification authority. identity certification id + address + public keys credential certification access rights See 14.4 of T&W for more detail. (This is a possible final paper topic.) 14

16 NEXT INFORMATION THEORY 15