Download - Key Exchange Protocols
![Page 1: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/1.jpg)
Key Exchange Protocols
J. Mitchell
CS 259
![Page 2: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/2.jpg)
Next few lectures Today 1/17
• Brief cryptography background• Key exchange protocols and properties
Thursday 1/19• Wireless security: 802.11i• Choose your project partner
Next Tues 1/24• Password authentication protocols
Next Thurs 1/26• Contract-signing protocols
Project presentation #1 2/2
Talk about protocols for a while before looking at more tools
![Page 3: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/3.jpg)
Encryption scheme:• functions to encrypt, decrypt data • key generation algorithm
Secret key vs. public key• Public key: publishing key does not reveal key-1
• Secret key: more efficient, generally key = key-1 Hash function, MAC
• Map input to short hash; ideally, no collisions• MAC (keyed hash) used for message integrity
Signature scheme• Functions to sign data, verify signature
Basic Concepts in Cryptography
![Page 4: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/4.jpg)
Cryptosystem A cryptosystem consists of five parts
• A set P of plaintexts• A set C of ciphertexts• A set K of keys• A pair of functions encrypt: K P C decrypt: K C P such that for every key kK and plaintext pP decrypt(k, encrypt(k, p)) = p
![Page 5: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/5.jpg)
What is a “secure” cryptosystem?
One idea• If enemy intercepts ciphertext, cannot recover plaintext
Issues in making this precise• What else might your enemy know?
– The kind of encryption function you are using– Some plaintext-ciphertext pairs from last year– Some information about how you choose keys
• What do we mean by “cannot recover plaintext” ?– Ciphertext contains no information about plaintext– No efficient computation could make a reasonable guess– Cannot use ciphertext for any nontrivial purpose
![Page 6: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/6.jpg)
Passive Adversary
Challenger Attacker
m0, m1
E(mi)
guess 0 or 1
![Page 7: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/7.jpg)
Chosen ciphertext CCA1
Challenger Attackerm0, m1
E(mi)guess 0 or 1
cD(c)
![Page 8: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/8.jpg)
Chosen ciphertext CCA2
Challenger Attacker
m0, m1
E(mi)
guess 0 or 1
cD(c)
c E(mi) D(c)
![Page 9: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/9.jpg)
Different keys to encrypt and decrypt• encrypt(key, message)
• decrypt(key -1, encrypt(key, message)) = message
Encryption key does not help decrypt• Cannot compute m from encrypt(key, m) and key,
unless you have key-1
Public-key Cryptosystem
key pair
![Page 10: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/10.jpg)
Example: RSA Arithmetic modulo pq
• Generate secret primes p, q • Generate secret numbers a, b with xab x mod pq
Public encryption key n, a• Encrypt(n, a, x) = xa mod n
Private decryption key n, b• Decrypt(n, b, y) = yb mod n
Main properties• This works• Cannot compute b from n,a
– Apparently, need to factor n = pq
n
![Page 11: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/11.jpg)
Cryptographic hash functions Length-reducing function h
• Map arbitrary strings to strings of fixed length One way (“preimage resistance”)
• Given y, hard to find x with h(x)=y Collision resistant
• Hard to find any distinct m, m’ with h(m)=h(m’) Also useful: 2nd preimage resistance
• Given x and y=h(x) hard to find x’x with h(x’)=h(x)
• Collision resistance 2nd preimage resistance
![Page 12: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/12.jpg)
Iterated hash functions Repeat use of block cipher or custom
function• Pad input to some multiple of block length• Iterate a length-reducing function f
– f : 22k -> 2k reduces bits by 2– Repeat h0= some seed hi+1 = f(hi, xi)
• Some final function g completes calculation
Pad to x=x1x2 …xk
f
g
xi
f(xi-1)
x
![Page 13: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/13.jpg)
Applications of one-way hash Password files (one way) Digital signatures (collision resistant)
• Sign hash of message instead of entire message Data integrity
• Compute and store hash of some data• Check later by recomputing hash and comparing
Keyed hash for message authentication• MAC – Message Authentication Code
![Page 14: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/14.jpg)
Digital Signatures Public-key encryption
• Alice publishes encryption key• Anyone can send encrypted message• Only Alice can decrypt messages with this
key Digital signature scheme
• Alice publishes key for verifying signatures• Anyone can check a message signed by
Alice• Only Alice can send signed messages
![Page 15: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/15.jpg)
Properties of signatures Functions to sign and verify
• Sign(Key-1, message)
• Verify(Key, x, m) =
Resists forgery• Cannot compute Sign(Key-1, m) from m and Key• Resists existential forgery: given Key, cannot produce Sign(Key-1, m) for any random or otherwise arbitrary m
true if x = Sign(Key-1, m)false otherwise
![Page 16: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/16.jpg)
Encryption scheme:• functions to encrypt, decrypt data • key generation algorithm
Secret key vs. public key• Public key: publishing key does not reveal key-1
• Secret key: more efficient, generally key = key-1 Hash function, MAC
• Map input to short hash; ideally, no collisions• MAC (keyed hash) used for message integrity
Signature scheme• Functions to sign data, verify signature
Basic Concepts in Cryptography
![Page 17: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/17.jpg)
Key Management Out of band
• Can set up some keys this way (Kerberos) Public-key infrastructure (PKI)
• Leverage small # of public signing keys Protocols for session keys
• Generate short-lived session key• Avoid extended use of important secret• Don’t use same key for encryption and signing• Forward secrecy
Cryptography reduces many problems to key management
![Page 18: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/18.jpg)
Key Distribution: Kerberos Idea
Client
KeyCenter
Server
Shared symmetric key Kc
Shared symmetric key Ks
{Kcs, {Kcs}Ks}Kc
{Kcs}Ks { msg }Kcs
Key Center generates session key Kcs and distributes using shared long-term keys
![Page 19: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/19.jpg)
Public-Key Infrastructure
Certificate Authority
Client Server
Known public signature verification key Ka
Sign(Ka, Ks), Sign(Ks, msg)
CertificateSign(Ka, Ks)
Ks
Server certificate can be verified by any client that has CA key KaCertificate authority is “off line”
![Page 20: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/20.jpg)
Key Exchange Parties may have initial information Generate and agree on session key
• Authentication – know ID of other party• Secrecy – key not known to any others• Avoid replay attack• Forward secrecy• Avoid denial of service• Identity protection – disclosure to others• Other properties you can think of???
![Page 21: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/21.jpg)
Diffie-Hellman Key Exchange Assume finite group G = S,
• Generator g so every xS is x = gn
• Example: integers modulo prime p Protocol
ga mod p
gb mod p
A B
Alice, Bob share gab mod p not known to anyone else
![Page 22: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/22.jpg)
Diffie-Hellman Key Exchange
Authentication?Secrecy?Replay attackForward secrecy?Denial of service?Identity protection?
ga mod p
gb mod pA B
![Page 23: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/23.jpg)
IKE subprotocol from IPSEC
A, (ga mod p)
B, (gb mod p)
Result: A and B share secret gab mod pSignatures provide authentication, as long as signature
verification keys are known
A B
m1
m2 ,
signB(m1,m2)
signA(m1,m2)
![Page 24: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/24.jpg)
IPSec: Network Layer Security Authentication Header (AH)
• Access control and authenticate data origins• replay protection• No confidentiality
Encapsulated Secure Payload (ESP)• Encryption and/or authentication
Internet Key management (IKE)• Determine and distribute secret keys • Oakley + ISAKMP• Algorithm independent
Security policy database (SPD)• discarded, or bypass
![Page 25: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/25.jpg)
IKE: Many modes Main mode
• Authentication by pre-shared keys• Auth with digital signatures• Auth with public-key encryption• Auth with revised public-key encryption
Quick mode• Compress number of messages• Also four authentication options
![Page 26: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/26.jpg)
Aug 2001 Position Statement In the several years since the standardization of
the IPSEC protocols (ESP, AH, and ISAKMP/IKE), … several security problems…, most notably IKE.
Formal and semi-formal analyses by Meadows, Schneier et al, and Simpson, have shown … security problems in IKE stem directly from its complexity.
It seems … only a matter of time before serious *implementation* problems become apparent, again due to the complex nature of the protocol, and the complex implementation that must surely follow.
The Security Area Directors have asked the IPSEC working group to come up with a replacement for IKE.
![Page 27: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/27.jpg)
How to study complex protocol
![Page 28: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/28.jpg)
General Problem in Security Divide-and-conquer is fundamental
• Decompose system requirements into parts• Develop independent software modules• Combine modules to produce required
system
Common belief:• Security properties do not compose
Difficult system development problem
![Page 29: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/29.jpg)
Example protocol Protocol P1
A B : {message}KB
A B : KA-1
This satisfies basic requirements• Message is transmitted under encryption • Revealing secret key KA-1 does not reveal
message
![Page 30: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/30.jpg)
Similar protocol Protocol P2
B A : {message’}KA
B A : KB-1
Transmits msg securely from B to A• Message is transmitted under encryption • Revealing secret key KB-1 does not reveal
message
![Page 31: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/31.jpg)
Composition P1; P2 Sequential composition of two protocols
A B : {message}KB
A B : KA-1
B A : {message’}KA
B B : KB-1
Definitely not secure• Eavesdropper learns both keys, decrypts
messages
![Page 32: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/32.jpg)
STS family
m=gx, n=gy
k=gxy
STS0H
STSa STSaH
STSHSTS
STS0
STSPH
JFK1
distributecertificates
cookie
openresponder
JFK0
symmetrichash
JFK
protect identities
RFK
STSP
![Page 33: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/33.jpg)
Example Construct protocol with properties:
• Shared secret • Authenticated• Identity Protection• DoS Protection
Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)
![Page 34: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/34.jpg)
Component 1 Diffie-Hellman A B: ga
B A: gb
• Shared secret (with someone)– A deduces:
Knows(Y, gab) (Y = A) ۷ Knows(Y,b)• Authenticated• Identity Protection• DoS Protection
![Page 35: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/35.jpg)
Component 2 Challenge Response: A B: m, A B A: n, sigB {m, n, A} A B: sigA {m, n, B}
• Shared secret (with someone)• Authenticated
– A deduces: Received (B, msg1) Λ Sent (B, msg2)• Identity Protection• DoS Protection
![Page 36: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/36.jpg)
Composition ISO 9798-3 protocol: A B: ga, A B A: gb, sigB {ga, gb, A} A B: sigA {ga, gb, B}
• Shared secret: gab• Authenticated• Identity Protection• DoS Protection
m := ga
n := gb
![Page 37: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/37.jpg)
Refinement Encrypt signatures: A B: ga, A B A: gb, EK {sigB {ga, gb, A}} A B: EK {sigA {ga, gb, B}}
• Shared secret: gab• Authenticated• Identity Protection• DoS Protection
![Page 38: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/38.jpg)
Transformation Use cookie: JFK core protocol
A B: ga, A B A: gb, hashKB {gb, ga} A B: ga, gb, hashKB {gb, ga}
EK {sigA {ga, gb, B}}B A: gb, EK {sigB {ga, gb, A}}• Shared secret: gab• Authenticated• Identity Protection• DoS Protection
(Here B must store b in step 2, but we’ll fix this later…)
![Page 39: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/39.jpg)
Cookie transformation Typical protocol
• Client sends request to server• Server sets up connection, responds• Client may complete session or not (DOS)
Cookie version• Client sends request to server• Server sends hashed data back
– Send message #2 later after client confirms• Client confirms by returning hashed data• Need extra step to send postponed message
![Page 40: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/40.jpg)
Cookie in JFK Protocol susceptible to DOS A B: ga, A B A: gb, EK {sigB {ga, gb, A}} A B: EK {sigA {ga, gb, B}}
Use cookie: JFK core protocolA B: ga, A
B A: gb, hashKB {gb, ga} A B: ga, gb, hashKB {gb, ga}, eh2
B A: gb, eh1
eh1
eh2
![Page 41: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/41.jpg)
Efficiency: Reuse D-H key Costly to compute ga, gb, gab
Solution• Keep medium-term ga, gb (change ~10 min)• Replace ga by pair ga, nonce
JFKi, JFKr protocols (except cert or grpinfo, …)A B: Na, ga, A
B A: Nb, gb, hashKB {Nb, Na, gb, ga} A B: Na, Nb, ga, gb, hashKB {Nb, Na, gb, ga}, EK {sigA {Na, Nb, ga, gb, B}}
B A: gb, EK {sigB {Na, Nb, ga, gb, A}}Note: B does not need to store any short-term data in step 2
![Page 42: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/42.jpg)
Conclusion Many protocol properties
• Authentication Secrecy• Prevent replay Forward secrecy• Denial of service Identity protection
Systematic understanding is possible• But be careful; easy to make mistakes• State of the art: need to analyze complete protocol
![Page 43: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/43.jpg)
![Page 44: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/44.jpg)
Block cipher modes (for DES, AES, …)
ECB – Electronic Code Book mode• Divide plaintext into blocks• Encrypt each block independently, with same key
CBC – Cipher Block Chaining• XOR each block with encryption of previous block• Use initialization vector IV for first block
OFB – Output Feedback Mode• Iterate encryption of IV to produce stream cipher
CFB – Cipher Feedback Mode• Output block yi = input xi encyrptK(yi-1)+
![Page 45: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/45.jpg)
Electronic Code Book (ECB)
PlainPlain Text Text
t CipCiphe r Tex her T
Block Ciphe
r
Block Ciphe
r
Block Ciphe
r
Block Ciphe
r
Problem: Identical blocks encrypted identically No integrity check
![Page 46: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/46.jpg)
Cipher Block Chaining (CBC)PlainPlain Text Text
t CipCiphe r Tex her T
Block Ciphe
r
IV
Block Ciphe
r
Block Ciphe
r
Block Ciphe
r
Advantages: Identical blocks encrypted differently Last ciphertext block depends on entire input
![Page 47: Key Exchange Protocols](https://reader036.vdocument.in/reader036/viewer/2022062521/5681306d550346895d964e82/html5/thumbnails/47.jpg)
Comparison (for AES, by Bart Preneel)
Similar plaintext blocks produce similar ciphertext (see outline
of head)No apparent pattern