Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Transcription

1 Lecture 15 PKI & Authenticated Key Exchange COSC-260 Codes and Ciphers Adam O Neill Adapted from

2 Today We will see how signatures are used to create public-key infrastructures and trust in public keys.

3 Today We will see how signatures are used to create public-key infrastructures and trust in public keys. We will study the problem of authenticated session key agreement, which is the core of protocols SSL, SSH, TLS, IPSEC,

4 Public-key Setting Alice Bob pk[a] jkiasatbsstneij M D sk[a] (C) C C $ E pk[a] (M) $ S sk[a] (M) M, - Vpk[A] (M, ) Bob can: send encrypted data to Alice verify her signatures as long as he has Alice s public key pk[a]. But how does he get pk[a]?

5 Naive Attempt Man %- in the - attack Alice Bob ear " How about: (pk[a], sk[a]) $ K Alice, pk[a] -. middle M D sk[a] (C) C C $ E pk[a] (M) $ S sk[a] (M) M, - V pk[a] (M, )

6 Certificates & PKI Bob needs to obtain an authentic copy of Alice s public key.

7 Certificates & PKI Bob needs to obtain an authentic copy of Alice s public key. 8 The public-key infrastructure (PKI) is responsible for this. Usually realized via certificates.

8 Certificate Process Alice generates pk and sends it to CA CA does identity check µ, Certificate authority Alice proves knowledge of secret key to CA CA issues certificate to Alice Alice sends certificate to Bob Bob verifies certificate and extracts Alice s pk

9 Local key generation Mice runs key generation of the scheme locally =) secret key is only known to Alice.

10 Identity Check sends Plane to CA there needs to be some ' ' out of band " check on Alice 's identity

11 Proof of Knowledge Zero - knowledge proofs of knowledge. In practice something weaker called a " done. proof of - possession : gnature on a random Challenge. " is typically

12 pk Certificate Issue ; Once CA is convinced that pk belongs to Alice it forms a certificate CERT A =(CERTDATA, ), where is the CA s signature on CERTDATA, computed under the CA s secret key sk[ca]. CERTDATA: pk, ID (Alice) %s% :# Name of CA Expiry date of certificate Restrictions Security level... The certificate CERT A is returned to Alice. :m m, her pk via A signature Called the Certificate.

13 Certificate Usage Alice can send CERT A to Bob who will: (CERTDATA, ) CERT A Check V pk[ca] (CERTDATA, (pk, Alice, expiry,...) )=1wherepk[CA] isca spublickey CERTDATA Check certificate has not expired... If all is well we are ready for usage.

14 Obtaining CA s PK Preloaded in your browser.

15 CA Hierarchies # ICANM ngr% *^ # 4- my at

16 Why hierarchies? Easier for local CA s to check identities of local users.

17 Why hierarchies? Easier for local CA s to check identities of local users. Reduces workload of individual CA s.

18 Why hierarchies? Easier for local CA s to check identities of local users. Reduces workload of individual CA s. Browsers only need to have root PK s pre-loaded.

19 Revocation and CRLs Revocation needs to happen when e.g. a key is compromised.

20 Revocation and CRLs Revocation needs to happen when e.g. a key is compromised. CA maintains and disseminates a list of revoked certificates. CRL - Certificate revocation list

21 Revocation and CRLs Revocation needs to happen when e.g. a key is compromised. CA maintains and disseminates a list of revoked certificates. Something like 20% of certificates are revoked in practice big problem with public-key crypto!

22 agreement Session Key Exchange authenticated session key agreement A pk[b] - B pk[a] - K 0K D Most important type of session key exchange in practice, used in all communication security protocols: SSL, SSH, TLS, IPSEC, ,...

23 Security - privacy : K from adversary random cannot distinguish as authenticity : security against mltm attacks.

24 . To A Basic Protocol A pk[b] A, R A - R B, C, B, Sign B (A, B, R A, R B, C) o A, Sign A (A, B, R A, R B ) - B pk[a].io C $ E A (K) Session key K is chosen by B. R A, R B are random nonces. Sign P (M) isp s signature of M under sk[p]. It is verifiable given pk[p]. E A ( ) is encryption under A s public key pk[a], decryptable using sk[a].

25 Forward Secrecy A pk[b] B pk[a] A, R A - R B, C, B, Sign B (A, B, R A, R B, C) C $ E A (K) A, Sign A (A, B, R A, R B ) - C B C $ B E K (M) Nov. 20: Adversary E records above flows. Dec. 18: A s, system compromised and sk[a] exposed. Dec. 19: A revokes pk[a] so that no further damage is done but cannot prevent E fromk D sk[a] (C); M D K (C B ). Can we achieve forward secrecy: Privacy of communication done prior to exposure of sk[a] is not compromised?

26 G- An Improved : Protocol A pk[b] B pk[a] A, g a - g b, B, Sign B (A, B, g a, g b ) A, Sign A (A, B, g a, g b ) - Session key is K = H( A, B, g a, g b, g ab ). Adversary E records above flows on Nov. 20. On Dec. 18, sk[a] is exposed. This allows E to forge A s signatures, but A can address this by revoking pk[a]. But sk[a] does not help E obtain K. There is no public-key encryption here, only signatures. All standard protocols use DH to get forward security in ways like this.

27 Password - based authenticated key. Greenery Password-based Protocols ( PAKE) Suppose Alice and Bob share not a cryptographic key but a (human memorizable) password pw.

28 Password-based Protocols Suppose Alice and Bob share not a cryptographic key but a (human memorizable) password pw. They want to use this long-lived secret to agree on a session key.

29 Password-based Protocols Suppose Alice and Bob share not a cryptographic key but a (human memorizable) password pw. They want to use this long-lived secret to agree on a session key. The goal is security against dictionary attacks: should not reveal f(pw) for some public function f. m.

30 Naive Protocol A pw A, g a - B pw jeer z } { B, g b, MAC pw (1, A, B, g a, g b ) A, MAC pw (0, A, B, g a, g b ) - Session key is K = H(A, B, g a, g b, g ab ). Dictionary attack is possible: Let f be defined by f (x) =MAC x (1, A, B, g a, g b ) Then, letting D be the dictionary of candidate passwords, get the target password pw via for all pw 0 2 D do if f (pw 0 )= then return pw 0 a -7

31 Better Protocol A pw A, E pw (g a ) - B, E pw (g b ), H(1, A, B, g a, g b, g ab ) B pw A, H(2, A, B, g a, g b, g ab ) - E : PW G! G is a block cipher over group G and keyspace PW of all possible passwords; the session key is K = H(0, A, B, g a, g b, g ab ). This has been proven secure against dictionary attack [BPR00].