Key Agreement Schemes

Similar documents
Station-to-Station Protocol

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Applied Cryptography and Computer Security CSE 664 Spring 2017

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

CIS 4360 Secure Computer Systems Applied Cryptography

Auth. Key Exchange. Dan Boneh

Session key establishment protocols

Session key establishment protocols

L13. Reviews. Rocky K. C. Chang, April 10, 2015

ECE 646 Lecture 3. Key management

Public Key Algorithms

T Cryptography and Data Security

Key management. Required Reading. Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E

Data Security and Privacy. Topic 14: Authentication and Key Establishment

ECE 646 Lecture 3. Key management. Required Reading. Using the same key for multiple messages

Key management. Pretty Good Privacy

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Certificateless Public Key Cryptography

Diffie-Hellman. Part 1 Cryptography 136

1. Diffie-Hellman Key Exchange

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Total points: 71. Total time: 75 minutes. 9 problems over 7 pages. No book, notes, or calculator

Lecture 2 Applied Cryptography (Part 2)

Cryptographic Protocols 1

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

Public-key Cryptography: Theory and Practice

Protocols for Authenticated Oblivious Transfer

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Lecture 15 Public Key Distribution (certification)

Datasäkerhetsmetoder föreläsning 7

CT30A8800 Secured communications

Identification Schemes

Authentication in Distributed Systems

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

(2½ hours) Total Marks: 75

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Chapter 9: Key Management

Lecture Notes 14 : Public-Key Infrastructure

Overview of Authentication Systems

Key Management and Distribution

Other Topics in Cryptography. Truong Tuan Anh

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Authenticated Key Agreement without Subgroup Element Verification

Keywords Session key, asymmetric, digital signature, cryptosystem, encryption.

A Critical Analysis and Improvement of AACS Drive-Host Authentication

CIS 6930/4930 Computer and Network Security. Final exam review

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

CSC 482/582: Computer Security. Security Protocols

CS November 2018

CSE 565 Computer Security Fall 2018

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

CMSC 414 S09 Exam 2 Page 1 of 6 Name:

Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Crypto meets Web Security: Certificates and SSL/TLS

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

SSH. Partly a tool, partly an application Features:

Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS

Introduction to Cryptography Lecture 10

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Verification of Security Protocols

ECE 646 Lecture 3. Key management. Required Reading. Using Session Keys & Key Encryption Keys. Using the same key for multiple messages

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol. John Jersin Jonathan Wheeler. CS259 Stanford University.

Proving who you are. Passwords and TLS

PROVING WHO YOU ARE TLS & THE PKI

CS Computer Networks 1: Authentication

2.1 Basic Cryptography Concepts

Computer Security 3e. Dieter Gollmann. Chapter 15: 1

The SafeNet Security System Version 3 Overview

Configuring Certificate Authorities and Digital Certificates

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Glenda Whitbeck Global Computing Security Architect Spirit AeroSystems

Public Key Algorithms

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

Spring 2010: CS419 Computer Security

Lecture 6 - Cryptography

Send documentation comments to

CPSC 467: Cryptography and Computer Security

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Chapter 9 Public Key Cryptography. WANG YANG

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

AIT 682: Network and Systems Security

Configuration of an IPSec VPN Server on RV130 and RV130W

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

CS 395T. Formal Model for Secure Key Exchange

Public-Key Infrastructure NETS E2008

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

1 Identification protocols

Transcription:

Key Agreement Schemes CSG 252 Lecture 9 November 25, 2008 Riccardo Pucella

Key Establishment Problem PK cryptosystems have advantages over SK cryptosystems PKCs do not need a secure channel to establish secret keys However, PKCs generally less efficient than SKCs So you often want SKCs anyways The problem: n agents on an insecure network Want to establish keys between pairs of agents to communicate securely

Distribution vs Agreement Last time: Secret Key Distribution Scheme (SKDS): Assume a Trusted Authority (TA) - a server TA chooses a secret key for communicating, and transmits it to parties that wants to communicate Key Agreement Scheme (KAS): Two or more parties want to establish a secret key on their own Uses public key cryptography

Main Goal of Key Agreement At the end of an exchange: Two parties share a key K The value of K is not known to any other party Secrecy Sometimes want more: mutual identification (chap. 9) No honest participant in a session of the scheme will accept after any interaction in which an adversary is active Also called mutual authentication

Attacker Models May or may not be a user in the system insider vs outsider attacker May be passive or active Alter messages in transit (including intercepting) Save messages for later reuse Attempt to masquerade as other users

Possible Attacker Objectives Passive objectives: Determine some (partial) information about key exchanged by users Active objectives: Fool U and V into accepting an invalid key E.g. an old expired key, or a key known to adv Make U and V believe they have exchanged a key with each other when that is not the case

Extended Attacker Models Known session key attack: Attacker learns session keys, want other session keys (as well as private keys) to remain secret Known private key attack: Attacker learns private key of a participant, want previous session keys to remain secret Perfect forward secrecy This is not a property of a cryptosystem, but of how a cryptosystem is used!

Diffie-Hellman Scheme a b

Diffie-Hellman Scheme a α b b

Diffie-Hellman Scheme a α b K = (α b ) a α b b K = ( ) b

Computational Diffie-Hellman Problem For the previous scheme to be secure, need for the group G and α to be such that: Given and α b, it is hard to find b Can show (6.7.3) that if you can solve the CDH problem, then you can solve the discrete log problem in G

Man-in-the-Middle Attack on DHS Oscar sits between and and substitutes his own messages Oscar

Man-in-the-Middle Attack on DHS Oscar sits between and and substitutes his own messages Oscar

Man-in-the-Middle Attack on DHS Oscar sits between and and substitutes his own messages α c Oscar

Man-in-the-Middle Attack on DHS Oscar sits between and and substitutes his own messages α c Oscar α d

Man-in-the-Middle Attack on DHS Oscar sits between and and substitutes his own messages α c α b Oscar α d

Man-in-the-Middle Attack on DHS Oscar sits between and and substitutes his own messages α c α b Oscar α d K 1 = ( ) b K 2 = (α c ) d

Authenticated DHS Various ways to authenticate DH Scheme: Use signatures Use ElGamal-style public keys Use passwords None of these approaches are perfect

Using signatures: Station-to-Station Scheme (1) a b

Using signatures: Station-to-Station Scheme (1) a A, b

Using signatures: Station-to-Station Scheme (1) a α b A, B, α b, sig B (A,α b, ) b

Using signatures: Station-to-Station Scheme (1) a α b A, B, α b, sig B (A,α b, ) sig A (B,,α b ) b

Using signatures: Station-to-Station Scheme (1) a α b A, B, α b, sig B (A,α b, ) sig A (B,,α b ) b K = (α b ) a K = ( ) b

Using signatures: Station-to-Station Scheme (2) a b

Using signatures: Station-to-Station Scheme (2) a A, b

Using signatures: Station-to-Station Scheme (2) a A, b K = ( ) b

Using signatures: Station-to-Station Scheme (2) a α b A, B, α b, {sig B (α b, )} K b K = ( ) b

Using signatures: Station-to-Station Scheme (2) a α b A, B, α b, {sig B (α b, )} K b K = (α b ) a K = ( ) b

Using signatures: Station-to-Station Scheme (2) a α b A, B, α b, {sig B (α b, )} K {sig A (,α b )} K b K = (α b ) a K = ( ) b

Using ElGamal public keys: One-Sided Authentication Let M be s private key, α M her public key M, a b

Using ElGamal public keys: One-Sided Authentication Let M be s private key, α M her public key A, M, a b K = ( ) b

Using ElGamal public keys: One-Sided Authentication Let M be s private key, α M her public key A, M, a B, α Mb b α Mb K = ( ) b

Using ElGamal public keys: One-Sided Authentication Let M be s private key, α M her public key A, M = M, a inverse of M in G B, α Mb b α Mb K = (α Mb ) M a K = ( ) b

Using ElGamal public keys: One-Sided Authentication Let M be s private key, α M her public key A, M, a B, α Mb b α Mb K = (α Mb ) M a K = ( ) b

Using ElGamal public keys: MTI Scheme Matsumoto, Takashima, Imai (1986) Let SA, SB be and s private keys SA, a SB, b

Using ElGamal public keys: MTI Scheme Matsumoto, Takashima, Imai (1986) Let SA, SB be and s private keys SA, a A, SB, b

Using ElGamal public keys: MTI Scheme Matsumoto, Takashima, Imai (1986) Let SA, SB be and s private keys SA, a A, SB, b K = (α SA ) b ( ) SB = α SAb+aSB

Using ElGamal public keys: MTI Scheme Matsumoto, Takashima, Imai (1986) Let SA, SB be and s private keys SA, a α b A, B, α b SB, b K = (α SA ) b ( ) SB = α SAb+aSB

Using ElGamal public keys: MTI Scheme Matsumoto, Takashima, Imai (1986) Let SA, SB be and s private keys SA, a α b A, B, α b SB, b K = (α SB ) a (α b ) SA K = (α SA ) b ( ) SB = α SBa+bSA = α SAb+aSB

Variants There are many variants of these schemes Using a keyed hash (a MAC) instead of encryption in STS(2) MQV protocol - MTI with more complex key computation IKE - a component of IPSec Each solves or addresses different issues, or make different tradeoff choices

Using passwords: Simple Password Encrypted Key Exchange Jablon (1996) Suppose and share a password p (not a key) a b

Using passwords: Simple Password Encrypted Key Exchange Jablon (1996) Suppose and share a password p (not a key) a hash(p) 2a b hash(p) 2a K = (hash(p) 2a ) b

Using passwords: Simple Password Encrypted Key Exchange Jablon (1996) Suppose and share a password p (not a key) a hash(p) 2b K = (hash(p) 2b ) a hash(p) 2a hash(p) 2b b hash(p) 2a K = (hash(p) 2a ) b

Using passwords: Simple Password Encrypted Key Exchange Main worry: dictionary attacks (brute force attacks against the password) Jablon (1996) Suppose and share a password p (not a key) Need to make hash(p) sure that 2a the opponent cannot mount offline dictionary attacks, and acannot use parties hash(p) 2b guess validators b hash(p) 2b hash(p) 2a K = (hash(p) 2b ) a K = (hash(p) 2a ) b

PKI and Certificates The main problem with the previous protocols: requiring a priori knowledge (public keys, password) A solution: send the public key as part of the protocol how do you know the key is the right key?

PKI and Certificates The main problem with the previous protocols: requiring a priori knowledge (public keys, password) A solution: send the public key as part of the protocol how do you know the key is the right key? X.509 standard Certificate, signed by a Certification Authority: Cert CA (U,pk U ) = (U, pk U, sig CA (U,pk U ))

Using signatures and certificates: Full Station-to-Station Scheme (1) a b

Using signatures and certificates: Full Station-to-Station Scheme (1) a Cert CA (A,ver A ), b K = ( ) b

Using signatures and certificates: Full Station-to-Station Scheme (1) a α b Cert CA (A,ver A ), Cert CA (B,ver B ), α b, sig B (A,α b, ) b K = (α b ) a K = ( ) b

Using signatures and certificates: Full Station-to-Station Scheme (1) a α b Cert CA (A,ver A ), Cert CA (B,ver B ), α b, sig B (A,α b, ) sig A (B,,α b ) b K = (α b ) a K = ( ) b

Certificates: Problem 1 Certificate Revocation When a secret key is compromised, we should revoke the certificate Expiration/TTL is not enough - all expired certificates are invalid, but not all invalid certificates are expired Use Certificate Revocation Lists (CRL) Need to be checked at every certificate validation Potential for denial-of-service attacks Somewhat defeats the purpose of PK No comprehensive solution

Certificates: Problem 2 Compromised Certification Authorities If a certificate authority is compromised, we cannot trust certificates it has signed Hierarchical certification authorities The chain of trust CA 3 s verification key is signed by CA 1 CA 1 s verification key is signed by RootCA CA 3 Root CA CA 1 CA 2 CA 4 BUT: Need to send all certificates in a chain

Who vouches for the RootCA s verification key? Certificates: Problem 2 Compromised Certification Authorities If a No certificate one - has authority to be is trusted compromised, we cannot trust certificates by some it other has signed means Hierarchical certification authorities The chain of trust CA 3 s verification key is signed by CA 1 CA 1 s verification key is signed by RootCA CA 3 Root CA CA 1 CA 2 CA 4 BUT: Need to send all certificates in a chain

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback