CS6750: Cryptography and Communica7on Security

Size: px

Start display at page:

Download "CS6750: Cryptography and Communica7on Security"

Miranda Nicholson
6 years ago
Views:

1 CS6750: Cryptography and Communica7on Security Class 5: Key Distribu7on and PKIs Dr. Erik- Oliver Blass Travis Mayberry

2 Plan 1. The problem of key distribu7on 2. The idea of Merkle, Diffie and Hellman 3. The solu7on of Rivest, Shamir, and Adleman 4. Public- Key Infrastructures 5. Iden7ty- based encryp7on

3 How to distribute cryptographic keys? (And why is it a problem?!) If the users can meet in person beforehand it s simple. But what to do if they cannot meet? (a typical example: on- line shopping)

4 A naive solu7on: Predeploy Pairwise Keys A company gives to every employee P i a separate key K ij to communicate with every P j P 2 P 3 K 12 K 13 K 14 P 4 P 1 K 15 P 5

5 Drawbacks Quadra7c number of keys required High storage & deployment costs P 2 P 3 P 4 P 1 Other drawbacks? P 5

6 Alterna7ve: Key Distribu7on Centers Some trusted server (a Key Distribu>on Center, KDC) gives the keys to the users on the fly feasible if the users are, e.g., working in one company Therefore, we will discuss it! infeasible on the internet relies on the honesty of KDC Why?! KDC needs to be permanently available (no crash) Single point of failure, perfect target for an a_ack...

7 How to establish a key with a trusted server? key shared by Alice and the server: K AS key shared by Bob and the server: K BS server S A want to establish a fresh session key B Looks easy, but not so trivial as it may seem!

8 Nota7on {M} K a message M encrypted and authen7cated with K Formally: K=(K 0,K 1 ) {M} K = Enc K0 (M), Tag K1 (Enc K0 (M)) Authen7cated Encryp7on

9 Idea 1 key shared by Alice and the server: K AS key shared by Bob and the server: K BS (A,B) server S selects a random K AB {K AB } K AS {K AB } K BS Ticket A {K AB } K BS, A B

10 An a_ack key shared by Alice and the server: K AS (A,B) {K AB } K AS {K AB } K BS server S selects a random K AB key shared by Bob and the server: K BS I m talking to D {K AB } K BS, A {K AB } K BS, D A B

11 Idea 2 key shared by Alice and the server: K AS key shared by Bob and the server: K BS (A,B) server S selects a random K AB Alice verifies this! {K AB, B} K AS {K AB, A} K BS A {K AB, A} K BS B

12 A replay a_ack the adversary stores the values that the server sent in the previous session and replays them. (A,B) So, the key is not fresh {K AB, B} K AS {K AB, A} K BS A {K AB, A} K BS B

13 How to protect against replay a_acks? Nonce number used once. Nonce is a random number generated by one party and returned to that party to show that a message is newly generated ( fresh ).

14 Idea 3: Needham- Schroeder 1972 key shared by Alice and the server: K AS key shared by Bob and the server: K BS server S A,B,N A selects a random K AB {K AB, B, N A, {K AB, A} KBS } KAS Ticket 1 Ticket 2 {K AB, A} K BS A {N B } K AB {N B - 1} K AB B Why this?

15 A replay a_ack on Needham- Schroeder Assume that an old session key X AB is known to the adversary. then this might happen: {X AB, A} K BS {N B } X AB {N B - 1} X AB Bob Known Session Key A_ack

AB, B, N A } K AS {K AB, A, N B } K BS (A,B) A Now, Alice knows that Bob has K AB.

16 Fixed Needham- Schroeder protocol key shared by Alice and the server: K AS key shared by Bob and the server: K BS (A,B,N A, {A,N B } K BS ) server S selects a random K AB {K AB, B, N A } K AS {K AB, A, N B } K BS (A,B) A Now, Alice knows that Bob has K AB. {A,N B } K BS {K AB, A, N B } K BS {N B } K AB {N B - 1} K AB B Now, Bob knows that has K AB.

17 Plan 1. The problem of key distribu7on 2. The idea of Merkle, Diffie and Hellman 3. The solu7on of Rivest, Shamir and Adleman 4. Public- Key Infrastructure 5. Iden7ty- based encryp7on

18 The solu7on without KDC Public- Key Cryptography Ralph Merkle (1974) Whihield Diffie and Mar7n Hellman (1976)

19 A li_le bit of history Diffie and Hellman were the first to publish a paper containing the idea of public- key cryptography: W.Diffie and M.E.Hellman, New direc>ons in cryptography IEEE Trans. Inform. Theory, IT- 22, 6, 1976, pp A similar idea was described by Ralph Merkle: in 1974 he described it in a project proposal for a Computer Security course at UC Berkeley (it was rejected) in 1975 he submi_ed it to the CACM journal (it was rejected) (see h_p:// ) It 1997 the GCHQ (the Bri7sh equivalent of the NSA) revealed that they knew it already in 1973.

20 The idea Instead of using one key k, use 2 keys (pk,sk), where pk is used for encryp>on, sk is used for decryp>on. pk can be public, and only sk has to be kept secret! That s why it s called: public- key cryptography m c := Enc(k,m) Dec(k,c) Alice c := Enc(pk,m) Bob Dec(sk,c) k pk k sk

21 Same idea can also work for authen7ca7on sk is used for compu>ng a tag, pk is used for verifying correctness of the tag. this will be called signatures Sign the signing algorithm m (m,t := Tag(k,m)) Vrfy(k,m,t) Alice (m,t := Sign(sk,m)) Bob Vrfy(pk,m,t) k sk k pk

22 Anyone can send encrypted messages to anyone else public register: P 2 4. P 3 computes Dec(sk 3,c) P 3 pk 1 sk 3 pk 2 pk 3 pk 4 2. reads pk 3 P 1 P 4 pk 5 1. P 1 wants to send m to P 3 P 5

23 Anyone can verify the signatures public register: P 2 Sign(sk 3,m) P 3 pk 1 sk 3 pk 2 pk 3 2. reads pk 3 Sign(sk 3,m) P 4 pk 4 P 1 pk 5 3. computes Vrfy(pk 3,m,t) P 5

24 Advantages of signature schemes Digital signatures are: 1. publicly verifiable 2. transferable 3. provide non- repudia>on (we explain it on the next slides)

25 Look at MACs... k k m є {0,1}* (m, t=tag k (m)) Alice Bob Why should I trust you? Look, I got (m,t) from Alice! 1. I don t know k, so how can I verify the tag? 2. You could have created t yourself (because you know k)! Carol

26 Signatures are publicly- verifiable! sk A m є {0,1}* (m, σ =Sign sk (m)) Alice Bob Look, I got (m,σ) from Alice! I can calculate Vrfy(pk A,m,σ) and check. Carol

27 à Signatures are transferable Alice sk A σ = Sign(sk A,m) Alice signed m Alice signed m Alice signed m I believe it! I believe it! I believe it! pk A P 1 (m,σ) (m,σ) (m,σ) pk A pk A pk A P 2 P 3 P 4

28 Non- repudia7on sk A m є {0,1}* (m, σ =Sign sk (m)) Alice Bob I ve got (m,σ) from Alice What would happen in case of a MAC? It s not true! I never signed m! Vrfy(pk,m,σ) = yes so you cannot repudiate signing m... Judge

29 Important problems Who maintains the register? How to contact it securely? How to revoke the key (if it is lost)?... We will discuss these things later (when we will be talking about Public- Key Infrastructures)

30 Is public key cryptography possible? In physical world : yes! Examples: 1. normal wri_en signatures 2. padlocks: anyone can lock it the key is needed to unlock

The observa7on of Diffie and Hellman (pk,

31 The observa7on of Diffie and Hellman (pk, sk) the key pair plaintexts public- key encryp7on: Enc(pk,x) Dec(sk,y) ciphertexts signature schemes: easy only if one knows sk tags ( signatures ) Sign(sk,y) Vrfy(pk,x) messages Looks similar... easy only if one knows sk

32 Trapdoor permuta>ons (informal defini7on) A trapdoor permuta7on is a family of permuta7ons indexed by pk є K: {Enc pk : M C } pk є K such that for every key pk, there exists a key sk, and this is denoted Dec sk Enc pk easy M easy: one can compute Enc pk - 1 if one knows a trapdoor sk hard (otherwise) C

33 How to encrypt a message m? messages encryp>on: decryp>on: c := Enc pk (m) m := Dec sk (c) plaintexts one can compute it only if one knows sk

34 How to sign a message m? signing: one can compute it only if one knows sk Dec sk (m) signatures verifying: Enc pk (m) messages Warning: In general it is not that simple. We will explain it later.

35 Plan 1. The problem of key distribu7on 2. The idea of Merkle, Diffie and Hellman 3. The solu7on of Rivest, Shamir, and Adleman 4. Public- Key Infrastructure 5. Iden7ty- based encryp7on

36 Do trapdoor func7ons exist? Yes: exponen7a7on modulo N, where N is a product of two large primes. Ron Rivest, Adi Shamir, and Leonard Adleman (1977) RSA func7on is (conjectured to be) a trapdoor permuta7on!

37 The RSA func7on A first look! N = pq, such that p and q are random primes, and p = q e random, such that gcd(e, (p- 1)(q- 1)) = 1 d random, such that ed = 1 (mod (p- 1)(q- 1)) pk := (N,e) sk := (N,d) Enc pk : Z N Z N is defined as: Enc pk (m) = m e mod N. Dec sk : Z N Z N is defined as: Dec sk (c) = c d mod N.

38 Ques7ons and doubts N = pq, such that p and q are random primes, and p = q e random such that gcd(e, (p- 1)(q- 1)) = 1 d such that ed = 1 (mod (p- 1)(q- 1)) pk := (N,e) sk := (N,d) Enc pk : Z N Z N is defined as: Enc pk (m) = m e mod N. Dec sk : Z N Z N is defined as: Dec sk (c) = c d mod N. How large these primes need to be? How to sample them? Looks a bit strange... Can exponen7a7on be done efficiently? Enc pk (1) = 1 e mod N = 1 Oops... We will address it later...! encryp7on is determinis7c...

39 Is RSA secure? Is RSA secure: 1. as an encryp7on scheme? 2. as a signature scheme? The answer is not that simple. First, we would need to define security! We will do it in the next lectures.

40 End of Class

41 Remember this slide? public register: pk 1 P 2 sk 2 P 3 sk 3 pk 2 pk 3 pk 4 pk 5 How to maintain such a public register? P 1 sk 1 sk 5 P 5 P 4 sk 4

42 A problem sk A m є {0,1}* (m, σ =Sign sk (m)) Alice Bob It s not true! I never signed m! I got (m,σ) from Alice Vrfy(pk,m,σ) = yes so you cannot repudiate signing m... But pk is not my public key! Judge

Solu7on: cer7fica7on authori>es A simplified

and pk Alice, pays authority Cer>fica>on

cer>ficate: Alice Sign sk Cert ( pk Alice is a

43 Solu7on: cer7fica7on authori>es A simplified view: (pk Cert,sk Cert ) arrives with her ID and pk Alice, pays authority Cer>fica>on Authority checks the ID of Alice and issues a cer>ficate: Alice Sign sk Cert ( pk Alice is a public key of Alice ) Now, everyone can verify that pk Alice is a public key of Alice. So, Alice can a_ach it to every signature. really everyone?

44 How to verify the cer7ficate? To verify the cer7ficate coming from Cert, one needs: 1. to know the public key of Cert 2. to trust Cert How?

45 Plan 1. The problem of key distribu7on 2. The idea of Merkle, Diffie and Hellman 3. The solu7on of Rivest, Shamir and Adleman 4. Public- Key Infrastructure 5. Iden7ty- based encryp7on

46 Users can cer7fy keys of other users knows pk 2 knows pk 3 P 1 P 2 P 3 pk 1 pk 2 pk 3 Requirement trusts P 2 P 2 cer7fies that pk 3 is a public key of P 3 signature of P 2 that pk 3 is the public key of P3 P 1 believes This should be done only if P 2 really met P 3 in person and verified his iden7ty.

47 knows pk 2 knows pk 3 knows pk 4 P 1 P 2 P 3 P 4 pk 1 pk 2 pk 3 pk 4 trusts P 2 trusts P 3 P 2 cer7fies that pk 3 is a public key of P 3 signature of P 2 P 3 cer7fies that pk 4 is a public key of P 4 signature of P 3 P 1 believes that pk 4 is a public key of P 4

of P 3 signature of P 2 P 1 believes P 3 cer7fies that pk 4 is a public key of P 4 signature of P

48 knows pk 2 knows pk 3 knows pk 4 knows pk 5 P 1 P 2 P 3 P 4 P 5 pk 1 pk 2 pk 3 pk 4 pk 5 trusts P 2 trusts P 3 This is called a cer>ficate chain trusts P 4 P 2 cer7fies that pk 3 is a public key of P 3 signature of P 2 P 1 believes P 3 cer7fies that pk 4 is a public key of P 4 signature of P 3 that pk 5 is a public key of P 5 P 4 cer7fies that pk 5 is a public key of P 5 signature of P 4

49 A problem knows pk 2 knows pk 3 knows pk 4 P 1 P 2 P 3 P 4 pk 1 pk 2 pk 3 pk 4 trusts P 2 trusts P 3 What if P 1 does not know P 3? How can he trust him? Naïve answer: P 2 can recommend P 3 to P 1.

50 A ques7on: is trust transi7ve? Does: P 1 P 2 P 3 pk 1 pk 2 pk 3 trusts P 2 trusts P 3 imply: P 1 P 2 P 3 pk 1 pk 2 pk 3 trusts P 3?

51 Example I can recommend P 3 P 1 P 2 P 3 pk 1 pk 2 trusts that P 2 is a very honest person pk 3 trusts that P 3 is a very honest person P 1 P 2 P 3 pk 1 pk 2 pk 3 Does not trust that P 3 is honest, because he thinks that P 2 is honest, but very naive

52 Moral Trust is not transi>ve: P 1 trusts in the cer7ficates issued by P 2 is not the same as saying: P 1 trusts that if P 2 says one can trust the cer7ficates issued by P 3 then one can trust the cer7ficates issued by P 3

level 1 recommenda7on: P i : you can trust in all the cer>ficates issued by P i+1 level 2 recommenda7on: P i : you can trust all the level 1 recommenda>ons issued by P i+1 level 3 recommenda7on: P i

53 level 1 recommenda7on: P i : you can trust in all the cer>ficates issued by P i+1 level 2 recommenda7on: P i : you can trust all the level 1 recommenda>ons issued by P i+1 level 3 recommenda7on: P i : you can trust all the level 2 recommenda>ons issued by P i+1 and so on... Recommenda7on levels Recursively: level n+1 recommenda7on: P i : you can trust all the level n recommenda>ons issued by P i+1

54 Now, if: P 1 P 2 P 3 P 4 P 1 trusts in all the recommenda7ons of level 2 issued by P 2 P 2 issues a recommenda7on of level 2 for P 3 P 3 issues a recommenda7on of level 1 for P 4 then P 1 P 2 P 3 P 4 trusts the cer7ficates issued by P 4 Of course, also recommenda7ons need to be signed. Starts to look complicated?

55 There is more! P 1 can associate trust value v p1p2 to P 2, P 2 assigns v p2p3 to P 3 etc. P 1 trusts P 2 with v p1p2 = 0.9 P 2 trusts P 3 with v p2p3 = 0.5 à P 1 trusts P 3 with v p1p3 = v p1p2 v p2p3 =0.45 Idea: if v p1px < threshold, P 1 does not trust P x anymore P 1 and P x need to meet and sign cer7ficates Also, trust values need to be signed!

56 Result: Web of Trust Example: Philadelphia Linux User Group

57 Prac7cal alterna7ve? Web browsers! In web browsers, X.509 cer7ficates include recommenda7on. Here, the level of recommenda7ons is bounded using a field called basic constraints/path length. X.509 is used for example in SSL. à in every Web browser So, let s look at it.

62 this field limits the recommenda7on depth (here it s unlimited)

63 Concrete example Let s go to the Bank of Rome website

64 a cer7ficate chain contains 3 cer7ficates

65 the second cer7ficate was signed by Verisign Primary Authority for Verisign Inc. (it s not strange, we will discuss it)

66 The third cer7ficate was issued by Verisign Inc. for Banca di Roma

The typical picture web browser knows these

author of the browser is competent nobody

67 The typical picture web browser knows these cer>ficates Verisign DigiCert Entrust... Implicit assump7ons: Verisign USA Verisign Europe the author of the browser is honest, the author of the browser is competent nobody manipulated the browser is it always true? Bank of America a cer7ficate path

68 What happens when Alice contacts the bank? Alice sends (cert 1,..., cert n ) Bank If Alice s browser knows cert 1, it can verify the chain and trust the public key of the bank from cert n

69 What happens if cer7fica7on path is invalid? For example, if the first cer7ficate in the path is not known to the user. Experiment: let s delete the Verisign cer7ficate in the configura7on of the browser...

71 What happens?

72 Plan 1. The problem of key distribu7on 2. The idea of Merkle, Diffie and Hellman 3. The solu7on of Rivest, Shamir and Adleman 4. Public- Key Infrastructures 5. Iden7ty- based encryp7on

Iden7ty based cryptography Main idea: User s iden7fier ID is the public key. (e.g., ID = user s email address).

73 Iden7ty based cryptography Main idea: User s iden7fier ID is the public key. (e.g., ID = user s address). message M C = Enc(ID,M) ID: peter@gmail.com ques>on: What is the private key?

Solu7on central authority Generates secret key SK peter@gmail.com : Extract(SK, peter@gmail.com) peter@gmail.

74 Solu7on central authority Generates secret key SK : Extract(SK, peter@gmail.com holds a master secret key SK Generates secret key of SK joe@yahoo.com : Extract(SK, joe@yahoo.com) Generates secret key of SK john@gmail.com : Extract(SK, john@yahoo.com) joe@yahoo.com john@gmail.com sent over a secure link

75 How to decrypt knows SK message M C = Enc(peter@gmail.com, M) peter@gmail.com calculates M=Dec(SK peter, C)

76 ID- based encryp7on Main advantage: no need for mul7ple cer7ficates, PKI Drawbacks: S7ll, users need to trust authority Need to have a secure link to it

77 ID- based encryp7on Proposed by Adi Shamir in (implemented iden7ty- based signatures) Encryp7on schemes proposed by Boneh and Franklin (2001) and, independently, Cocks (2001). In 2002 Boneh started a company Voltage Security that produces solu7ons based on his ID- based scheme.

78 Conclusion Key exchange for Alice and Bob Centralized server, Web of Trust, PKI Third trusted party required Does it work without? No!

79 End of Class

1 Identification protocols

ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that