lecture 5.2: key distribution: private key setting

Lecture 5.2: Key Distribution: Private Key Setting

CS 436/636/736 Spring 2012

Nitesh Saxena

Course Administration

• HW2 due– Tuesday, 11am – Feb 28

• HW1 to be distributed– Please remind if I forget

04/21/23 2Lecture 5.2: Private Key

Distribution

Course Admin

• Mid-Term Exam– On March 08 (Thursday)– In class, from 11am-12:15pm

• Covers lectures up to Feb 23 (this week)• In-class review on Mar 06 (Tuesday)• Strictly closed-book (no cheat-sheets are

allowed)• A sample exam will be provided as we near the

exam date04/21/23 3

Lecture 5.2: Private Key Distribution

Course Admin

• Next Lecture will be short– I have to attend our big Security Center event• http://thecenter.uab.edu/ai1ec_event/cyber-summit-

2012/?instance_id=21• Entertain the guests at the luncheon

– We will stop at 11:40am

04/21/23Lecture 5.2: Private Key

Distribution4

Outline of Today’s lecture

• Key Distribution • Introduction• Protocol for private key distribution• Kerberos: Real-world system


Distribution

Some questions from last time

• Can OTP make for a good MAC?• Can H(K||m) make for a good MAC?• Does HMAC provide non-repudiation?


Distribution

Key Distribution

• Cryptographic primitives seen so far assume– In private key setting: Alice and Bob share a secret

key which is unknown to Oscar.– In public key setting: Alice has a “trusted” (or

authenticated) copy of Bob’s public key.• But how does this happen in the first place?• Alice and Bob meet and exchange key(s)• Not always practical or possible.• We need key distribution, first and foremost!• Idea: make use of a trusted third party (TTP)04/21/23 7


“Private Key” Distribution: an attempt • Protocol assumes that Alice and Bob share a

session key KA and KB with a Key Distribution Center (KDC).– Alice calls Trent (Trusted KDC) and requests a

session key to communicate with Bob.– Trent generates random session key K and sends E

KA(K) to Alice and E KB

(K) to Bob.

– Alice and Bob decrypt with KA and KB respectively to get K.

• This is a key distribution protocol.• Susceptible to replay attack! 8

Session Key Exchange with KDC – Needham-Schroeder Protocol

• A -> KDC IDA || IDB || N1

(Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request)

• KDC -> A E KA( K || IDB || N1 || E KB

(K || IDA))

Encrypted(Here is a key, for you to talk to Bob as per your request N1 and also an envelope to Bob containing the same key)

• A -> B E KB(K || IDA)

(I would like to talk using key in envelope sent by KDC)

• B -> A E K(N2) (OK Alice, But can you prove to me that you are indeed Alice and know the key?)

• A -> B E K(f(N2)) (Sure I can!)

• Dennig-Sacco (replay) attack on the protocol04/21/23 9


Session Key Exchange with KDC – Needham-Schroeder Protocol (corrected version with

mutual authentication)• A -> KDC: IDA || IDB || N1

(Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random

nonce identifying this request)

• KDC -> A: E KA( K || IDB || N1 || E KB

(TS1, K || IDA))

Encrypted(Here is a key, for you to talk to Bob as per your request N1 and also an

envelope to Bob containing the same key)

• A -> B: E K(TS2), E KB(TS1, K || IDA)

(I would like to talk using key in envelope sent by KDC; here is an authenticator)

• B -> A: E K(TS2+1) (OK Alice, here is a proof that I am really Bob)


Distribution

Kerberos - Goals

• Security– Next slide.

• Reliability• Transparency– Minimum modification to existing network

applications.

• Scalability– Modular distributed architecture.


Distribution

Kerberos – Security Goals

• No cleartext passwords over network.• No cleartext passwords stored on servers.• Minimum exposure of client and server keys.• Compromise of a session should only affect

that session • Require password only at login.


Distribution

Kerberos - Assumptions

• Global clock.• There is a way to distribute authorization

data.– Kerberos provides authentication and not

authorization.


Distribution

Kerberos Key Distribution (1)

Joe KDCI would like toTalk to the File Server

KDC

Step 1Joe toKDC

Step 2KDC Session key

for User

Session key for service


Distribution


Step 3KDC

Session Key forJoe

Dear Joe,This key for File server

Box 1

LockedWith Joe’skey

Session Key forFile server

Dear File server,This key for Use with Joe

Box 2

LockedWith FileServer’skey

Joe KDCStep 4KDC to Joe

Box 1 Box 2


Distribution


Dear Joe,This key for File server

OpenedBox 1 Session Key for

File server


Box 2


Step 5Joe

Step 6Joe

Session Key forFile server


Box 2


Dear File server,The time is

3:40 pm

Box 3

LockedWith Sessionkey


Distribution


JoeFile

Server

Step 7Joe toFileserver

Box 2 Box 3

Step 8Fileserver Dear File server,

This key for Use with Joe

UnlockedBox 2

Dear File server,The time is

3:40 pm

UnlockedBox 3


Distribution


• For mutual authentication, file server can create box 4 with time stamp and encrypt with session key and send to Joe.

• Box 2 is called ticket.• KDC issues ticket only after authenticating

password• To avoid entering passwords every time access

needed, KDC split into two – authenticating server and ticket granting server.


Distribution

Kerberos– One Slide Overview

04/21/23 19

Version 4 Summary


Distribution

Kerberos - Limitations

• Every network service must be individually modified for use with Kerberos.

• Requires a global clock• Requires secure Kerberos server.• Requires continuously available or online

server.


Distribution

Further Reading

• Stallings Chapter 15 • HAC Chapter 12


Distribution

Some questions

• Can a KDC learn communication between Alice and Bob, to whom it issued keys?

• What if the KDC server is down or congested?• What if the KDC server is compromised?


Distribution

lecture 5.2: key distribution: private key setting

Documents

secret key

private key settingcs

key distribution protocol

session key ka

random session key

assumein private key

public key setting

key distribution center