KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington


DIFFIE-HELLMAN KEY EXCHANGE

Alice & Bob want to exchange a ton of data using the nice & fast AES cryptosystem. But first they have to agree on a key.

Diffie-Hellman Setup
  $p$, a large prime (public), and $\alpha$, a primitive element of $\mathbb{Z}_p$ (public)

Alice: Chooses $x \in_{\text{ran}} \mathbb{Z}_{p-1}$ (private) and sends $\alpha^x \pmod p$ to Bob.
Bob: Chooses $y \in_{\text{ran}} \mathbb{Z}_{p-1}$ (private) and sends $\alpha^y \pmod p$ to Alice.
Alice: Computes $k = (\alpha^y)^x = \alpha^{xy} \pmod p$.
Bob: Computes $k = (\alpha^x)^y = \alpha^{xy} \pmod p$.
Eve: Knows $\alpha^x \pmod p$ and $\alpha^y \pmod p$. Wants $\alpha^{xy} \pmod p$.

THE MAN-IN-THE-MIDDLE ATTACK

Alice <-> Eve <-> Bob

Eve: Chooses $z \in_{\text{ran}} \mathbb{Z}_{p-1}$. Intercepts $\alpha^x$ and $\alpha^y$. Sends $\alpha^z$ to Alice and Bob.
Eve computes $k_{AE} = (\alpha^x)^z$ and $k_{BE} = (\alpha^y)^z$.
Alice believes she has exchanged a key with Bob.
Bob believes he has exchanged a key with Alice.
Eve reads everything & sends whatever she wants, spoofing Alice & Bob.

We need to fix this!!

STATION TO STATION (STS) PROTOCOL

Use signatures & a trusted authority (Trent) to defend against man-in-the-middle.

Setup
  Each user U has
    $sig_U$ - a signature algorithm
    $ver_U$ - a verification algorithm (established by Trent)
  $p$, a prime
  $\alpha$, a primitive element of $\mathbb{Z}_p$

Alice: Chooses $x \in_{\text{ran}} \mathbb{Z}_{p-1}$ and computes $\alpha^x \pmod p$.
Bob: Chooses $y \in_{\text{ran}} \mathbb{Z}_{p-1}$ and computes $\alpha^y \pmod p$.

More...

STATION TO STATION, CONTINUED

Alice: Sends $\alpha^x$ to Bob.
Bob: Computes $K = (\alpha^x)^y$. Sends $\alpha^y$ and $E_K(sig_B(\alpha^y, \alpha^x))$ to Alice.
Alice: Computes $K = (\alpha^y)^x$.
  Decrypts $E_K(sig_B(\alpha^y, \alpha^x))$ and obtains $sig_B(\alpha^y, \alpha^x)$.
  Asks Trent to verify that $ver_B$ is Bob's verification alg.
  Uses $ver_B$ to verify Bob's signature.
  Sends $E_K(sig_A(\alpha^x, \alpha^y))$ to Bob.
Bob: Decrypts $E_K(sig_A(\alpha^x, \alpha^y))$ & obtains $sig_A(\alpha^x, \alpha^y)$.
  Asks Trent to verify that $ver_A$ is A's verification alg.
  Uses $ver_A$ to verify Alice's sig.

What is Eve to do?

$E_K(\cdot)$ & $D_K(\cdot)$ - say AES
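An added illustration (not part of the original slides) of why the STS signature checks catch the substitution from the man-in-the-middle slide: each signature binds both exponentials, so a relayed signature no longer verifies once either one has been swapped. Assumptions: toy textbook-RSA signatures stand in for $sig_U$/$ver_U$, Trent's role is reduced to both parties already holding the right verification modulus, the $E_K$ wrapper is omitted, and ALPHA = 3 is an assumed base that has not been checked to be primitive.

```python
import hashlib
import secrets

P, ALPHA = 2**127 - 1, 3   # constructed toy DH modulus (a Mersenne prime), assumed base
E = 65537                  # public RSA exponent for the toy signatures

def keygen(q1, q2):
    """Toy textbook-RSA key standing in for (sig_U, ver_U); not for real use."""
    return {"n": q1 * q2, "d": pow(E, -1, (q1 - 1) * (q2 - 1))}

def digest(n, *vals):
    data = ",".join(map(str, vals)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sig(key, *vals):
    return pow(digest(key["n"], *vals), key["d"], key["n"])

def ver(n, s, *vals):
    return pow(s, E, n) == digest(n, *vals)

ALICE = keygen(2**61 - 1, 2**89 - 1)      # constructed keys from Mersenne primes
BOB = keygen(2**107 - 1, 2**127 - 1)

def sts_run(tamper):
    """Run STS once; if tamper, a relay swaps both exponentials for alpha^z."""
    x, y, z = (secrets.randbelow(P - 3) + 2 for _ in range(3))
    gx, gy, gz = (pow(ALPHA, exp, P) for exp in (x, y, z))
    seen_by_bob = gz if tamper else gx      # what Bob receives as alpha^x
    seen_by_alice = gz if tamper else gy    # what Alice receives as alpha^y
    # Bob signs (his own exponential, the one he received).
    s_b = sig(BOB, gy, seen_by_bob)
    # Alice verifies sig_B over (the exponential she received, her own alpha^x).
    alice_ok = ver(BOB["n"], s_b, seen_by_alice, gx)
    # Alice signs (her own exponential, the one she received); Bob verifies.
    s_a = sig(ALICE, gx, seen_by_alice)
    bob_ok = ver(ALICE["n"], s_a, seen_by_bob, gy)
    keys_match = pow(seen_by_alice, x, P) == pow(seen_by_bob, y, P)
    return alice_ok, bob_ok, keys_match
```

In a real run Alice aborts as soon as her check fails; the function continues only to show that Bob's check fails for the same reason.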

KEY PRE-DISTRIBUTION

Key Distribution
  A TA (Trent) and n users + a secure channel between TA and each user
  TA sends K to n users securely.

Key Agreement
  Two users + a public network
  The users interact to agree on a key K.

Key Pre-Distribution
  TA and n users + a public network + a secure channel between TA and each user
  For each pair of users U, V ($U \ne V$):
    The TA constructs a key $K_{UV}$ ($= K_{VU}$) and sends it to U and V securely.
  $\binom{n}{2}$ messages - too many!
  Each user stores $n - 1$ keys - too many!

BLOM'S DISTRIBUTION SCHEME

SETUP
  $p$, prime with $p > n$ = # of users
  Keys chosen from $\mathbb{Z}_p$

TA
  Chooses $p$ as above. (public)
  For each user U, chooses $r_U \in \mathbb{Z}_p$. (public) ($U \ne V \implies r_U \ne r_V$)
  Chooses $a, b, c \in_{\text{ran}} \mathbb{Z}_p$. (private)
  For each user U, the TA computes:
    $a_U = a + b \cdot r_U \bmod p$ (private)
    $b_U = b + c \cdot r_U \bmod p$ (private)
  and sends them securely to U.

Each user U
  Constructs $g_U(x) = a_U + b_U \cdot x$.

When Alice & Bob want to communicate
  Alice computes $K_{AB} = g_A(r_B)$ and Bob computes $K_{BA} = g_B(r_A)$.

CLAIM: $K_{AB} = K_{BA}$. (proof on board)

BREAKING BLOM'S SCHEME: I

Eve wants to determine $a$, $b$, and $c$. She knows:
  $a_E = a + b \cdot r_E$
  $b_E = b + c \cdot r_E$
Two equations, three unknowns, no dice.

Eve also wants to determine $K_{AB}$. She knows:
  $K_{AB} = a + b \cdot (r_A + r_B) + c \cdot (r_A \cdot r_B)$
  $a_E = a + b \cdot r_E$
  $b_E = b + c \cdot r_E$
Three equations, four unknowns: $a$, $b$, $c$, and $K_{AB}$.

Fact: For every possible value of $K_{AB}$, there is a solution for $a$, $b$, and $c$.

But what if Eve has a friend?

BREAKING BLOM'S SCHEME: II

Together Eve and Oscar know (all mod $p$):
  $a_E \equiv a + b \cdot r_E$
  $b_E \equiv b + c \cdot r_E$
  $a_O \equiv a + b \cdot r_O$
  $b_O \equiv b + c \cdot r_O$
Four equations, three unknowns: $a$, $b$, and $c$.
So, Eve and Oscar together can break the scheme.

The scheme can be generalized to be secure against coalitions of $k$ users, with $k$ a parameter.
E.g., there is a version that is secure against coalitions of 15 users, but fails against a 16-user coalition.
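The three Blom slides worked through in code, as an added example that is not part of the original slides: the TA setup, the claim $K_{AB} = K_{BA}$, the "Fact" that a single user's share is consistent with any guessed $K_{AB}$, and the two-user coalition that pins down $a$, $b$, $c$. The prime, the user names and the function names are constructed for the illustration.

```python
import secrets

P = 2**61 - 1                      # public prime p > n (constructed toy size)

def ta_setup(users):
    """TA: secret a, b, c; distinct public r_U; private share (a_U, b_U) per user."""
    a, b, c = (secrets.randbelow(P) for _ in range(3))
    ids = secrets.SystemRandom().sample(range(1, P), len(users))
    r = dict(zip(users, ids))
    shares = {u: ((a + b * r[u]) % P, (b + c * r[u]) % P) for u in users}
    return r, shares, (a, b, c)

def pair_key(share, r_other):
    """g_U(r_V) = a_U + b_U * r_V mod p."""
    return (share[0] + share[1] * r_other) % P

def key_from_secret(abc, r_u, r_v):
    a, b, c = abc
    return (a + b * (r_u + r_v) + c * r_u * r_v) % P

def lone_user_fit(r, share, me, u, v, guess):
    """One user: for ANY guessed K_uv, find (a, b, c) matching own share and the guess."""
    a_e, b_e = share
    denom = (r[me] - r[u]) * (r[me] - r[v]) % P
    c = (guess - a_e - b_e * (r[u] + r[v] - r[me])) * pow(denom, -1, P) % P
    b = (b_e - c * r[me]) % P
    return (a_e - b * r[me]) % P, b, c

def coalition_recover(r, shares, u, v):
    """Two users: four equations, three unknowns, so a, b, c are determined."""
    (a_u, b_u), (a_v, b_v) = shares[u], shares[v]
    inv = pow((r[u] - r[v]) % P, -1, P)
    b = (a_u - a_v) * inv % P
    c = (b_u - b_v) * inv % P
    return (a_u - b * r[u]) % P, b, c

def demo():
    r, shares, secret = ta_setup(["Alice", "Bob", "Eve", "Oscar"])
    k_ab = pair_key(shares["Alice"], r["Bob"])
    agree = k_ab == pair_key(shares["Bob"], r["Alice"])
    # Eve alone: a deliberately wrong guess is still consistent with her share.
    fa, fb, fc = lone_user_fit(r, shares["Eve"], "Eve", "Alice", "Bob", (k_ab + 1) % P)
    fits = ((fa + fb * r["Eve"]) % P, (fb + fc * r["Eve"]) % P) == shares["Eve"]
    wrong = key_from_secret((fa, fb, fc), r["Alice"], r["Bob"]) != k_ab
    # Eve and Oscar together recover the TA's secret and hence K_AB.
    broken = coalition_recover(r, shares, "Eve", "Oscar")
    return agree, fits and wrong, broken == secret, \
        key_from_secret(broken, r["Alice"], r["Bob"]) == k_ab
```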

TRANSPORT PROTOCOLS

Alice chooses $k$ and sends it securely to Bob.
OR
Trent (the TA) acts as a key server: Alice wants to talk to Bob. She tells Trent & Trent issues a key to Alice and Bob for the session.

Shamir's Three Pass Protocol (Here Trent = Alice.)

Alice: Publishes a prime $p$ (with a hard discrete log problem).
Alice: Chooses $a \in_{\text{ran}} \mathbb{Z}_{p-1}$, with $a^{-1} \cdot a \equiv 1 \pmod{p-1}$.
Bob: Chooses $b \in_{\text{ran}} \mathbb{Z}_{p-1}$, with $b^{-1} \cdot b \equiv 1 \pmod{p-1}$.
Alice: Sends $K_1 = K^a \bmod p$ to Bob.
Bob: Sends $K_2 = K_1^b \bmod p = K^{ab} \bmod p$ to Alice.
Alice: Sends $K_3 = K_2^{a^{-1}} \bmod p = K^b \bmod p$ to Bob.
Bob: Computes $K = K_3^{b^{-1}} \bmod p$.

Man-in-the-middle problems!

KERBEROS, I

Clients: users, processes
Servers: gateways

The Dramatis Personæ
  Cliff - a client
  Serge - a server
  Trent - a T.A. (authentication server)
  Grant - a ticket granting server

Before
  Cliff and Serge share no secret data.
After
  Serge will have verified Cliff's ID.
  A session key (for Cliff and Serge) will have been established.

Background
  The following is all symmetric key cryptography!

KERBEROS, II

See drawing on board.

1: Cliff → Trent
  Requests ticket to ticket-granting server.
  Cliff supplies his name and Grant's name.

2: Trent → Cliff
  Checks out Cliff and, if O.K.:
  Generates $K_{CG}$.
  Sends Cliff $T =_{def} e_{K_C}(K_{CG})$.
  Constructs $TGT =_{def}$ Grant's ID $\|$ $e_{K_G}$(Cliff's ID, timestamp$_1$, $K_{CG}$).
  Sends Cliff $TGT$.
  $K_C$ = Cliff's secret key
  $K_G$ = Grant's secret key

3: Cliff → Grant
  Decrypts $T$ to obtain $K_{CG}$.
  Constructs $Auth_{CG} =_{def} e_{K_{CG}}$(Cliff's ID, timestamp$_2$).
  Sends $TGT$ and $Auth_{CG}$ to Grant.

KERBEROS, III

See drawing on board.

4: Grant → Cliff
  Grant decrypts $TGT$ and obtains: Cliff's ID, $K_{CG}$, and timestamp$_1$.
  Decrypts $Auth_{CG}$ and obtains: Cliff's ID and timestamp$_2$.
  Checks that the two versions of Cliff's ID match.
  Checks that the two timestamps are sufficiently close.
  If OK, Grant generates $K_{CS}$ = the Cliff-Serge session key.
  Generates ServTicket $=_{def} e_{K_S}$(Cliff's ID, timestamp$_3$, Exp-Time, $K_{CS}$).
  Sends ServTicket and $e_{K_{CG}}(K_{CS})$ to Cliff.
  Exp-Time = how long $K_{CS}$ is good for
  $K_S$ = Serge's secret key

KERBEROS, IV

5: Cliff → Serge
  Cliff decrypts $e_{K_{CG}}(K_{CS})$ and obtains $K_{CS}$.
  Cliff constructs $Auth_{CS} =_{def} e_{K_{CS}}$(Cliff's ID, timestamp$_4$).
  Cliff sends $Auth_{CS}$ and ServTicket to Serge.

Serge:
  Decrypts ServTicket to obtain: Cliff's ID, timestamp$_3$, Exp-Time, and $K_{CS}$.
  Using $K_{CS}$, decrypts $Auth_{CS}$ to obtain: Cliff's ID, timestamp$_4$.
  Checks that the two versions of Cliff's ID match.
  Checks that timestamp$_4$ $\le$ timestamp$_3$ + Exp-Time.
  If OK, Cliff and Serge can chat using $K_{CS}$.
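Steps 2 to 5 of the Kerberos slides as one runnable exchange, added here as an illustration and not taken from the original slides. Assumptions: `e`/`d` are a toy authenticated cipher built from SHA-256 and HMAC (a stand-in for a real cipher such as AES), timestamps are constructed integers, and the `skew` limit for "sufficiently close" and the 300-second Exp-Time are made-up values.

```python
import hashlib, hmac, json, secrets

def _stream(k, nonce, n):
    return b"".join(hashlib.sha256(k + nonce + bytes([i])).digest()
                    for i in range(n // 32 + 1))[:n]

def e(key, obj):
    """Toy e_K (SHA-256 keystream + HMAC tag); keys are hex strings."""
    k, nonce, pt = bytes.fromhex(key), secrets.token_bytes(16), json.dumps(obj).encode()
    ct = nonce + bytes(a ^ b for a, b in zip(pt, _stream(k, nonce, len(pt))))
    return ct + hmac.new(k, ct, hashlib.sha256).digest()

def d(key, blob):
    k, body, tag = bytes.fromhex(key), blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ciphertext")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(k, nonce, len(ct)))))

def new_key():
    return secrets.token_hex(16)

def run(now=1000, claimed_id="cliff", t4_offset=2, skew=5, exp_time=300):
    """Steps 2-5 of the slides; returns who accepted or rejected."""
    K_C, K_G, K_S = new_key(), new_key(), new_key()      # long-term secret keys
    # 2: Trent generates K_CG and sends T and TGT to Cliff.
    K_CG = new_key()
    T, TGT = e(K_C, K_CG), ("grant", e(K_G, ["cliff", now, K_CG]))
    # 3: Cliff decrypts T and builds Auth_CG.
    k_cg = d(K_C, T)
    auth_cg = e(k_cg, [claimed_id, now + 1])
    # 4: Grant compares the two IDs and the two timestamps, then issues K_CS.
    cid, ts1, k_cg_g = d(K_G, TGT[1])
    cid2, ts2 = d(k_cg_g, auth_cg)
    if cid != cid2 or abs(ts2 - ts1) > skew:
        return "rejected by Grant"
    K_CS = new_key()
    serv_ticket = e(K_S, [cid, now + 1, exp_time, K_CS])
    # 5: Cliff recovers K_CS and builds Auth_CS; Serge checks ID and expiry.
    k_cs = d(k_cg, e(k_cg_g, K_CS))
    auth_cs = e(k_cs, [claimed_id, now + t4_offset])
    sid, ts3, exp, k_cs_s = d(K_S, serv_ticket)
    sid2, ts4 = d(k_cs_s, auth_cs)
    if sid != sid2 or ts4 > ts3 + exp:
        return "rejected by Serge"
    return "session key established"
```

Calling `run(claimed_id="mallory")` exercises the ID comparison in step 4, and `run(t4_offset=400)` exercises the expiry check in step 5.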

PUBLIC KEY INFRASTRUCTURES (PKIS)

Public Key Infrastructure
  A set of protocols for publishing and certifying keys

Certificate
  Some information signed by its publisher, a certification authority.
  identity certification: id + email address + public keys
  credential certification: access rights

See 14.4 of T&W for more detail. (This is a possible final paper topic.)

NEXT: INFORMATION THEORY