Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Transcription

1 Key Agreement Guilin Wang School of Computer Science, University of Birmingham 1 Motivations As we know, symmetric key encryptions are usually much more efficient than public key encryptions, especially in the aspect of computational complexity. Therefore, to send a (large) message M the following diagram is often used. 1. A B : Enc P KB (K), E K (M). (1) Here, A and B are the identities of the two communicating parties, Alice and Bob. Enc P KB ( ) is the public key encryption algorithm with respect to Bob s public key P K B, while E K ( ) denotes a symmetric encryption algorithm associated with a session key K. After receiving the expected information from Alice, Bob first decrypts Enc P KB (K) to get the session key K using his private key SK B, and then derives the message M from E K (M) using K. The above scheme looks good, but it has some limitations in practice. (a) If the receiver Bob does not have a public key at all, do we have any other approaches that allow Alice and Bob to agree on a session key K? For example, most of ordinary Internet users have no any certified public key nowadays. (b) If the sender Alice wants to send a message to a group of n receivers, is there any more efficient solution, instead of encrypting the same session key to each receiver individually? 2 Introduction Our topic today is key agreement, or key establishment, a little wider concept. Let us first give some basic definitions. Definition 1 [5]. Key establishment is a process or protocol that enables two or more parties to share a secret session key, which can be used for subsequent secure communications. Roughly speaking, key establishment schemes can be classified into key transport and key agreement, according to whether the key is determined by one party or all parties. Definition 2 [5]. A key transport protocol or mechanism is a key establishment technique where one party creates or obtains a secret key, and then securely transfers it to the other(s). Definition 3 [5]. A key agreement protocol or mechanism is a key establishment technique in which a shared secret key is derived by two (or more) parties as a function of information contributed by, or associated with, each of these, (ideally) such that no party can predetermine the resulting value.

2 2 The School of Computer Science, University of Birmingham 2.1 The Diffie-Hellman Protocol The first solution of key agreement is the Diffie-Hellman (DH) protocol [3], also called exponential key exchange. This protocol allows two parties to agree on a shared session key by exchanging two messages over a public (so insecure) network, though they may never know each other before or share any secret in advance. To run the protocol, it is assumed that a large prime p has been properly chosen and published, together with a generator g of large prime order q modulo p. That is, q is the least positive integer such that g q = 1 mod p, g Z p. In practice, we may select primes p and q such that p = 1024 and q = A B : K x = g x mod p 2. B A : K y = g y mod p Output : K xy = (K x ) y mod p = (K y ) x mod p = g xy mod p. (2) Here is the detailed description of the above protocol. To negotiate with Bob for a session key Alice firs picks a random number x [1, p 2], and sends value K x = g x mod p to Bob. Then, Bob similarly selects a random number y [1, p 2] and returns Alice the value of K y = g y mod p. Finally, Alice derives the session key as K xy = (K y ) x mod p, while Bob obtains the same key by computing K xy = (K x ) y mod p. Note that sometimes we may just treat K xy a raw keying material, from which a real session key is derived. For example, let session key sk = H(K xy A B), where H is a secure hash function. The security of Diffie-Hellman protocol relies on the following computational assumption. Definition 4 (Computational Diffie-Hellman Assumption) (for short, CDH assumption). For properly chosen p, g and q, it is computationally infeasible to derive g xy mod p from values g x mod p and g y mod p, where x and y are random secrets. Remark 1: A related problem is the discrete logarithm assumption (DL assumption). Namely, for properly chosen p, g and q, it is computationally infeasible to derive x from values g x mod p, where x is a random secret. Moreover, it is easy to know that CDH assumption is at least as strong as than DL assumption, since you can break CDH assumption if you already know an algorithm to break DL assumption. However, it is an open problem how to break DL assumption if you can break CDH assumption. CDH assumption looks nice and intractable, but the Diffie-Hellman protocol is not secure in practice, because it is vulnerable to an attack known as Man-in-the-Middle attack. 2.2 Man-in-the-Middle Attack For a third party Cindy, who can control the communications between Alice and Bob, the Man-in-the-Middle Attack (MITM attack) (illustrated in Eq. (4)) can be mounted against the Diffie-Hellman protocol. When Alice initializes a protocol instance by sending K x to Bob, Cindy intercepts this value and impersonates Bob by replying K a to Alice. At the same time, Cindy pretends to be Alice and sends Bob the value K b to initialize another protocol run, and then intercepts the respondence value K y from Bob. The result is that Cindy and Alice share K xa = g xa mod p, Cindy and Bob share K yb = g yb mod p, but Alice and Bob might mistakenly believe that they have successfully agreed on a shared key.

3 Key Agreement: A Guest Lecture, 12 Nov A (B)C : K x = g x mod p 2. C(B) A : K a = g a mod p 1. C(A) B : K b = g b mod p 2. B (A)C : K y = g y mod p (3) The MITM attack may cause severe consequence, since Cindy can unwrap and re-wrap all secure envelopes for the coming communications between Alice and Bob such that they still think everything is ok. So, we want to know why the Diffie-Hellman protocol is not secure, especially without breaking the underlying CDH assumption? The reason is that it does not encompass any authentication mechanism, i.e., no party is sure whether the other communicating party is really the party claimed to be. 2.3 Station-to-Station Protocol To repair the security flaw in the Diffie-Hellman protocol, the following station-to-station (STS) protocol is proposed by Diffie, van Oorschot and Wiener in For simplicity, all modulo p operations have been omitted. 1. A B : g x 2. B A : g y, E K (Sig B (g y, g x )) 3. A B : E K (Sig A (g x, g y )) (4) Output : K xy = (g x ) y = (g y ) x = g xy. To add authentication, the STS protocol requires that both parties have a pair of public keys for signature generation and verification, and know a publicly released symmetric key encryption. In contrast, note that the Diffie-Hellman protocol do not have these assumptions. The first step of STS protocol is the same as in the the Diffie-Hellman protocol. Upon receiving g x, Bob derives the session key by K = (g x ) y by selecting randomness y, and then sends Alice back g y together with his encrypted signature E K (Sig B (g y, g x )) on message (g y, g x ). In step 3, Alice first computes the session key K = (g y ) x, decrypts Sig B (g y, g x ) from E K (Sig B (g y, g x )) by using K, and finally checks whether Sig B (g y, g x ) is Bob s valid signature on message (g y, g x ). If the answer is no, Alice could terminate the protocol execution. Otherwise, Alice sends Bob her encrypted signature E K (Sig A (g x, g y )) on message (g x, g y ). Once E K (Sig A (g x, g y )) is received correctly, Bob knows that Alice has already obtained the secret key K. According to the above description, we can see that in the STS protocol, signatures are used to authenticate a communicating party s identity, while the symmetric encryption associated with the just established session key K is employed to show the knowledge of this session key by encrypting the signatures. 3 More Concepts and Protocols To understand what kinds of threats key agreement protocols in open channels may be subject to, we need to discuss what are the security requirements, and what are the allowed behaviours for an attacker, whose goal is to break one ore more of the security requirements. The following are the main security requirements of key agreement protocols.

4 4 The School of Computer Science, University of Birmingham Definition 5 [5]. We say a key agreement protocol satisfies key authentication, if one party is assured that other than specifically identified parties (including identified trusted parties, if any) it is infeasible for anyone else to derive a particular secret key. Note that key authentication does not guarantee that all parities involved actually possess the secret key. Due to this reason, key authentication is sometimes called implicit key authentication, more precisely. Definition 6 [5]. We say a key agreement protocol satisfies key confirmation, if one party is assured that all other parties (possibly unidentified) actually have possession of a particular secret key. Definition 7 [5]. We say a key agreement protocol satisfies explicit key authentication, if both (implicit) key authentication and key confirmation hold, i.e., only all identified parties actually have possession of a particular secret key. When designing and analyzing security protocols, we assume that all underlying cryptographic mechanisms used are secure. These basic building blocks are usually encryption algorithms, digital signatures, hash functions and so on. Such an assumption is quite reasonable, since one cannot expect a protocol is secure if its underlying cryptographic primitives are flawed. Consequently, the main target of an attacker or adversary against a security protocol is trying to subvert the protocol, instead of cryptanalyzing the underlying cryptographic algorithms. Attackers could be passive or active. A passive attacker attempts to defeat the security requirements of a security protocol by just simply eavesdropping, recording, and then analyzing the data among communicating parties. In contrast, an active attacker has the ability to completely control the communication channel, so it is able to record, alter, delete, insert, redirect, reorder, and reuse past or current messages, and inject new messages [5]. Ideally, we expect a protocol is efficient and secure against active attacks under weakest assumptions. 3.1 Authenticated Key Exchange Protocol In 1994, Bellare and Rogaway proposed a key agreement protocol, called AKEP2 (Authenticated Key Exchange Protocol 2). By assuming that the two parties Alice and Bob share two long-term secret keys k and k, this protocol uses two keyed hash functions H k ( ) and H k ( ) to realize key agreement. 1. A B : N a 2. B A : B, A, N a, N b, H k (B, A, N a, N b ) 3. A B : A, N b, H k (A, N b ) (5) Output : K = H k (N b ). Here, N a and N b are nonces generated by Alice and Bob respectively. Both parties can deduce the final session key as K = H k (N b ). AKEP2 provides mutual entity authentication and (implicit) key authentication. AKEP2 is interesting, but it requires two parties share some secrets in advance. However, this assumption does no hold in some scenarios. For instance, two parties never having communications before want to exchange data someday. In addition, if one user has communications with a lot of people, he/she has to maintain a table for the secrets shared with those people. To avoid these two limitations, the solution is to introduce a trusted sever S by requiring each party to share a distinct secret with the server.

5 Key Agreement: A Guest Lecture, 12 Nov The Needham-Schroeder Protocol The Needham-Schroeder (NS) protocol, proposed in 1978, is essentially a key transport protocol, since the session key is totally selected by a trusted server, or called authentication server. Besides the trusted sever S, the NS protocol also supposes that there is a secure and publicly known symmetric encryption algorithm E for the session key transport and message authentication. 1. A S : A, B, N a 2. S A : E Kas (N a, B, K, E Kbs (K, A)) 3. A B : E Kbs (K, A) 4. B A : E K (N b ) 5. A B : E K (N b 1) (6) Output : K (Session key). Here, N a and N b are nonces. K as and K bs are the long-term secret keys shared by Alice and the server, and Bob and the server, respectively, while K is the session key generated by the sever for Alice and Bob. In the first three steps, Alice gets the session key K from the server and forwards it to Bob. And the last two messages allow Bob to check whether Alice is currently using the same session key K. The NS protocol is vulnerable to a replay attack, identified by Denning and Sacco in 1981, in which an attacker Cindy can impersonate Alice to cheat Bob by using a compromised old session key K between Alice and Bob. Here is the attack: 3. C(A) B : E Kbs (K, A) 4. B (A)C : E K (N b ) (7) 5. C(A) B : E K (N b 1) The Denning-Sacco attack implies that in the viewpoint of Bob, the NS protocol does not provide key freshness. A key is called fresh, if it is guaranteed to be a newly generated key, from the view point of one party involved in the protocol. To provide key freshness for the NS protocol, the sever can insert a timestamp T into the key certificate for Bob, i.e., replacing E Kbs (K, A) by E Kbs (K, T, A). Remark 2: In fact, there are two NS protocols. The above discussed is the symmetric NS protocol, which has been extended to Kerberos, a system developed at MIT within the project Athena in the 1980s. The public key NS protocol is also interesting, especially due to an attack by Gavin Lowe after 17 years of publication of the NS protocol. This is also a good example showing that security protocols are notoriously error prone. 3.3 Password-based Protocols In the NS protocol, both parties are required to share long-term secrets with the server. If these parties are human beings, who need to access the server via some untrusted terminals from time to time, such as accessing on-line bank service, long secret keys are not easy to memorize. One naive approach is to let each party sharing a short password with the server, and set this password as the long-term key or derive the long-term key from the password. However, people tend to pick easily-guessable passwords, i.e., passwords are short strings with low entropy. Consequently, the above simple approach suffers the so called off-line dictionary attack. For example, if the K bs in the NS protocol is substituted by a password P bs shared by Bob and the server, even a passive attacker can deduce the session key K without too

6 6 The School of Computer Science, University of Birmingham much effort. The reason is that by eavesdropping message E Pbs (K, A), the attacker can try all possible passwords P to decrypt ciphertext E Pbs (K, A). Once the resulting plaintext contains the suffix A, the identity of Alice, P is likely the correct password P bs and the rest of plaintext is likely the session key. The following Encrypted Key Exchange (EKE) protocol, proposed by Bellovin and Merritt in 1992, avoids the above weakness. 1. A B : E P (P K) 2. B A : E P (Enc P K (K)) Output : K (Session key). Here, P is the password shared between Alice and Bob, while P K is an ephemeral public key generated by Alice so she also holds the corresponding private key. In the step 1, Alice sends this temporary public key P K to Bob encrypted under password P. Then, in step 2, Bob selects a session key K and forwards it to Alice by using double encryptions E P (Enc P K (K)). Namely, K is first encrypted under public key P K and then symmetrically encrypted under password P. Upon receiving E P (Enc P K (K)), Alice can then derive K by using the password P and the private key corresponding to P K. In the literature, there are a lot of password-based protocols, for example, referring to reference [1]. 3.4 Group Key Agreement Protocols In the above, only two-party key agreement protocols, perhaps involving an additional trusted third party, are discussed. Now, we introduce a group key agreement protocol, proposed Burmester and Desmedt [2], which enables a group of parties efficiently establishing a session key. Essentially, the Burmester-Desmedt (BD) protocol is an extension of the Diffie-Hellmann protocol. Using the same system parameters as in Section 2.1, the BD protocol for n parties (n > 2) can be briefly reviewed as follows. Step 1. Each party U i (i = 1, 2, ) selects a random number x i and broadcasts k i = g x i mod p. Step 2. Each party U i broadcasts K i = (k i+1 /k i 1 ) x i mod p, where the index are taken in a cycle. Step 3. Now, each party U i computes the session key K by K = k nx i i 1 Kn 1 i Ki+1 n 2 K i 2 mod p. (9) It is easy to know that if all parties follow the above protocol then all of them will obtain the same session key from Eq.(9), which is K = g x 1x 2 +x 2 x 3 + +x nx 1 mod p. (10) The Burmester-Desmedt protocol is secure against passive attacker under the assumption that the computational Diffie-Hellmann problem is intractable, i.e., the CDH assumption holds. 4 Summary In this handout, we briefly introduced the basic concepts and mechanisms for key agreement, which is a protocol or mechanism that allows two or multiple parties to agree on a shared secret (8)

7 Key Agreement: A Guest Lecture, 12 Nov key efficiently and securely. A number of well-know protocols were reviewed and discussed by pointing out their security features and weaknesses. In particular, we illustrated the man-inthe-middle-attack, replay attack, and off-line dictionary attack. References 1. Colin Boyd and Anish Mathuria. Protocols for Authentication and Key Establishment. Springer-Verlag, Mike Burmester and Yvo Desmedt. A Secure and Scalable Group Key Exchange System. Information Process Letter, 2005, 94(3): Original version appears in the proceedings of EUROCRYPT 94, LNCS 950, pp Whitfield Diffie and Martin E. Hellman. New Directions in Cryptography. IEEE Transaction on Information Theory, November 1976, 22(6): Dieter Gollmann. Computer Security, 2nd Edition, chapter 12: Authentication in Distributed System. John Wiley & Sons, Ltd, Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography, chapter 12: Key Establishment Protocols. CRC Press, Key-agreement Protocol. protocol.