Auth. Key Exchange. Dan Boneh

Transcription

1 Auth. Key Exchange

2 Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key exchange secure against active adversaries

3 Active adversary Adversary has complete control of the network: Can modify, inject and delete packets Example: man-in-the-middle Alice m Adv. m Moreover, some users are honest and others are corrupt Corrupt users are controlled by the adversary Key exchange with corrupt users should not affect other sessions Adversary may corrupt an honest user at time T We want sessions established at time t < T to remain secure

4 Trusted Third Party (TTP) All AKE protocols require a TTP to certify user identities. Registration process: Alice I am Alice, proof TTP I am.com, proof sk alice Two types of TTP: sk bank Online TTP: actively participates in every key exchange (Kerberos) Benefit: security using only symmetric crypto Offline TTP (CA): contacted only during registration ( not quite true)

5 AKE: syntax Alice sk alice cert alice Alice sk bank cert bank vk CA vk CA k, or k, Alice or Followed by Alice sending E(k, data ) to

6 AKE security (very informal) Suppose Alice successfully completes an AKE to obtain (k, ) If is not corrupt then: Authenticity for Alice: (similarly for ) If Alice s key k is shared with anyone, it is only shared with Secrecy for Alice: (similarly for ) To the adversary, Alice s key k is indistinguishable from random (even if adversary sees keys from other instances of Alice or ) Consistency: if completes AKE then it obtains (k, Alice)

7 One-sided AKE?? vk CA Alice sk bank cert bank vk CA k, or k,?? or Security: authenticity for Alice and secrecy for Alice has no guarantees for identity of peer (no consistency) Commonly used on the Web (often followed by ID protocol)

8 Things to remember Do not design AKE protocol yourself Just use latest version of TLS

9 Building blocks cert bank : contains pk bank. has sk bank. E bank ((m,r)) = E(pk bank, (m,r)) where E is chosen-ciphertext secure Recall: from E bank ((m,r)) adv. cannot build E bank ((m,r )) for r r S alice ((m,r)) = S( sk alice, (m,r) ) where S is a signing algorithm R: some large set, e.g. {0,1} 256

10 Protocol #1

11 Simple one-sided AKE protocol k K?? r R, cert bank Alice c E bank ((k, r)) sk bank cert bank k, k,?? decrypt(c), check correct r Thm : this protocol is a secure one-sided AKE Informally: if Alice and are not corrupt then we have (1) secrecy for Alice and (2) authenticity for Alice

12 Insecure variant 1: r not encrypted r R, cert bank k K Alice c E bank (k) sk bank cert bank no r k, k,?? Problem: replay attack

13 Replay attack r R, cert bank k K Alice c E bank (k) c 1 E sym (k, I am Alice, pay Bob 30$ ) sk bank cert bank Later: r R, cert bank c sk bank cert bank c 1

14 Protocol #2

15 Simple one-sided AKE with forward-secrecy check sig. σ k K?? Alice pk, cert bank σ S bank (pk) c E(pk, k) sk bank cert bank (pk, sk) Gen k D(sk, c) delete sk k, k,?? (pk, sk) are ephemeral: sk is deleted when protocol completes Compromise of : past sessions are unaffected

16 Insecure variant: do not sign pk k K?? Alice pk, cert bank σ S bank (pk) c E(pk, k) (pk, sk) Gen k D(sk, c) delete sk k, k,?? Attack: complete key exposure

17 Attack: key exposure bank pk, cert bank Alice (pk, sk ) Gen (pk, sk) Gen pk, cert bank k K c E(pk, k) E sym (k, data ) Adv. gets k and data

18 Two-sided AKE For now: no forward secrecy

19 Two-sided AKE (mutual authentication) sk alice cert alice k K bank Alice k, r R, cert bank c E bank ((k, alice )) σ S alice ((r, c, bank )), cert alice Thm : this protocol is a secure AKE Informally: alice k, Alice sk bank cert bank decrypt(c), check correct id, check sig. σ if Alice and are not corrupt then we have (1) secrecy and (2) authenticity for Alice and for

20 Insecure variant: encrypt r instead of Alice Any change to protocol makes it insecure, sometime in subtle ways Example: sk alice cert alice k K bank r R, cert bank Alice c E bank ((k, r)) σ S alice ((r, c, bank )), cert alice k, alice k, Alice sk bank cert bank decrypt(c), check correct r, check sig. σ

21 bank Alice Attack: identity misbinding r R, cert bank c E bank ((k, r)) σ S alice ((r, c, bank )), cert alice c σ S evil ((r, c, bank )), cert evil E sym (k, deposit this check into my account ) evil decrypt(c), check r, check sig. σ

22 Insecure variant: do not sign c sk alice bank r R, cert bank alice cert alice k K Alice c E bank ((k, alice )) sk bank cert bank k, σ S alice ((r, bank )), cert alice no c k, Alice decrypt(c), check correct id, check sig. σ Attack: key exposure

23 Attack: key exposure bank Alice r R, cert bank c E bank ((k, Alice )) σ S alice ((r, bank )), cert alice c E bank ((k, Alice )) σ, cert alice E sym (k, data ) alice decrypt(c ), check id, check sig. σ Adversary can read data

24 Many more AKE variants Two-sided AKE with forward secrecy: AKE with end-point privacy: Goal: certificates are not visible to adversary (TLS 1.3) AKE based on a shared secret between Alice and : High entropy shared secret: want forward secrecy Password: ensure no offline dictionary attack (PAKE)

25 Online Cryptography Course Auth. key exchange TLS v1.2 key exchange

26 TLS session setup (handshake) Client C ClientHello (and extensions) [Certificate], ClientKeyExchange, [CertificateVerify] ServerHello (and ext.), [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone Server secret key S cert ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data

27 Brief overview of SSL/TLS browser ClientHello (cipher-list) ServerHello (cipher), ServerCert (PK) server cert SK key exchange (many options): RSA, DHE, ECDHE, [ServerKeyExchange] ClientKeyExchange PreK Finished (key & params confirmation) PreK HTTP data encrypted with KDF(PreK) In this diagram: one sided authentication (no client authentication)

28 The need for negotiating ciphers US browser prefer NIST ciphers Russian browser Prefer GOST ciphers (Russian) does not understand ECDHE Web server in Russia old browser

29 Abstract TLS: RSA exchange (simplified) Client ClientHello: r C, SID, cipher-list Server verify cert S pick random 46 byte PreK ServerHello: r S, SID, cipher, cert S ClientKeyExchange: c E(pk S, PreK) MasterK PRF ms ( PreK, r C ll r S ) SessionKeys PRF ke ( MasterK, r S ll r C ) secret key cert S decrypt c to get PreK Finished (FinishedData) Finished (FinishedData) Key Confirmation: FinishedData = PRF vd ( MasterK, hash(handshakemessages) )

30 Properties r C, r S : prevent replay of of old session RSA key exchange: no forward secrecy Compromise of server secret key exposes old sessions Costly RSA decryption on server, easier RSA enc. on client One sided identification: Browser identifies server using server-cert Server has no guarantees about client s identity TLS has support for mutual auth. (client needs sk C and cert C )

31 TLS key exchange with forward-secrecy (DHE) Client verify cert S and σ random b in 1..p ClientHello(r c ) (simplified) ServerHello(r p, g, A g a s ), Cert, ServerKeyExchange (p), σ sign(sk S, (r c,r s,p,g,a)) ClientKeyExchange: B g b (p) PreK g ab MasterK PRF ms ( PreK, r C ll r S ) Fix prime p and g sk S : signing key Server random a in 1..p PreK g ab Delete b SessionKeys PRF ke ( MasterK, r S ll r C ) Finished Finished Delete a

32 Prefer ECDHE over DHE Elliptic curve Diffie-Hellman

33 Performance: RSA vs. forward-secrecy Cost of crypto operations on server per handshake: RSA key exchange: one RSA-2048 decryption (deprecated in TLS 1.3) ECDHE: Diffie-Hellman in group G with generator g G 1. One exp. to compute A g a G 2. One sig. on Diffie-Hellman parameters (G,g,A) 3. One exp. to compute DH secret: PreK g ab G must be done for every handshake Server support (2014): RSA (99.9%), DHE (60%), ECDHE(18%)

34 Session Resume Goal: reduce # of full handshakes server Alice MasterK Full handshake MasterK Session Store Few hours later (new TCP connection) Alice Abbreviated handshake reuse old MasterK retrieve old MasterK

35 Client MasterK(bank) C Session resume (simplified) SID C =0: full handshake SID C 0: resume old session If SID C = SID S then resume else full ClientHello: r C, SID C ServerHello: r S, SID S SID S SID C if SID C ST SID S random, otherwise SessionKeys PRF ke ( MasterK, r S ll r C ) Session Store (ST) MasterK(Alice) ChangeCipherSpec Finished ChangeCipherSpec Finished

36 THE END