Non-PKI Methods for Public Key Distribution
Authors: Mohammad Peyavian, Allen Roginsky and Nevenko Zunic
Source: Computers & Security, Vol. 23, pp. 97-103, 2004.
Adviser: Min-Shiang Hwang
Speaker: Chun-Ta Li
Date: 2004/10/28
Outline
• Introduction
• The first proposed scheme
• The second proposed scheme
• The third proposed scheme
• Conclusions
• Comments
Introduction
[Figure: X.509 PKI flow among the CA, the server and the client (steps 1, 2, 3)]
• The X.509 PKI requires a huge and expensive infrastructure with complex operations.
[Figure: archived public key distribution without a CA]
Introduction (cont.)
• ID: client’s user id -- not a secret value
• PKc: initial public component of the client’s public key pair
• SKc: initial secret component of the client’s public key pair
• PKs: initial public component of the server’s public key pair
• SKs: initial secret component of the server’s public key pair
• EPK(B): data B encrypted with an asymmetric public key PK.
• ESK(B): data B signed by an asymmetric secret key SK.
The first proposed scheme
• Public key distribution
(1) Server generates (ID, PW)
(2) Server sends (ID, PW) to client
(3) Client sends ID, PKc, H(ID, PKc, PW) to server
(4) Server sends ID, PKs, H(ID, PKs, PW) to client
// PW is used only once, to authenticate the flows from the client and the server
The first proposed scheme (cont.)
• The first scheme can be added on top of current SSL implementations (PW-based authentication).
– PWc: the client generates a password
– The client sends PWc to the server (e.g. on-line banking)
(1) Client generates PWc
(2) Client sends ID, ePKs(PWc), eSKc(H(ID, PWc)) to server
The first proposed scheme (cont.)
(1) Client sends ID, “SKc compromised”, eSKc(H(ID, “SKc compromised”)) to server
• Public key change if the client’s SKc is compromised
• The client and server do no further exchange until the client generates and sends a new public key to the server
• The new public key is sent as in “Public key distribution”
// If the server’s public key is compromised, the roles are reversed
The first proposed scheme (cont.)
(1) Client sends ID, new_PKc, eSKc(H(ID, new_PKc)) to server
• Regular (periodic) client public key change
• Both the client and the server start using the client’s new public key
• They won’t accept any message under the old public key
// If the server generates a new public key, the roles are reversed
The second proposed scheme
– P: prime modulus for the Diffie-Hellman algorithm
– Rc: random number generated by the client
– Rs: random number generated by the server
– D: Diffie-Hellman public key
– S: symmetric secret key derived from the Diffie-Hellman algorithm
• Given that the client and server share an ID and PW
– One-sided: only the client needs to get the server’s public key (PKs).
– Two-sided: both client and server need to exchange public keys.
The second proposed scheme (cont.)
• Public key exchange protocol
(1) Client generates P, Rc and computes public key Dc = PW^Rc mod P
(2) Client sends ID, Dc, P to server
(3) Server computes public key Ds = PW^Rs mod P
(4) Server computes symmetric secret key S = Dc^Rs mod P = PW^(Rc·Rs) mod P
(5) Server sends ID, [PKs], Ds, H(ID, Dc, P, [PKs], Ds, S) to client
(6) Client computes symmetric secret key S = Ds^Rc mod P = PW^(Rc·Rs) mod P
(7) Client verifies H(ID, Dc, P, [PKs], Ds, S) using the derived S value
(8) Client sends ID, [PKc], H(ID, PKs, Ds, [PKc], new_PW, S), [eS(new_PW)] to server
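Steps (1)-(7) of the second scheme run end to end, as an added example that is not code from the paper or the presentation. It uses constructed toy parameters (a 31-bit prime P, SHA-256 as H, a placeholder PKs string and an assumed encoding of PW and of the hash input), and shows what the check in step (7) does when the Dc the server receives differs from the one the client sent; step (8) is not included.

```python
import hashlib
import hmac
import secrets

# Constructed toy modulus (not from the paper). A deployment would use a large
# safe prime and a proper password-to-group-element mapping.
P = 2_147_483_647  # 2^31 - 1


def pw_to_base(pw: str) -> int:
    """Map the shared PW to a DH base in [2, P-2]; this encoding is an assumption."""
    return 2 + int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % (P - 3)


def H(*parts) -> str:
    """The scheme's H(...) over the listed values; '|'-joined text encoding assumed."""
    return hashlib.sha256("|".join(str(x) for x in parts).encode()).hexdigest()


def client_compute_dc(pw_base: int, rc: int) -> int:
    return pow(pw_base, rc, P)                         # (1) Dc = PW^Rc mod P


def server_respond(ident: str, pw_base: int, dc: int, rs: int, pks: str):
    ds = pow(pw_base, rs, P)                           # (3) Ds = PW^Rs mod P
    s = pow(dc, rs, P)                                 # (4) S = Dc^Rs mod P
    return ds, s, H(ident, dc, P, pks, ds, s)          # (5) hash sent with ID, PKs, Ds


def client_verify(ident: str, dc: int, ds: int, rc: int, pks: str, received: str):
    s = pow(ds, rc, P)                                 # (6) S = Ds^Rc mod P
    ok = hmac.compare_digest(H(ident, dc, P, pks, ds, s), received)  # (7)
    return s, ok


def run_exchange(ident: str, pw: str, pks: str, rc=None, rs=None, dc_on_wire=None):
    """Steps (1)-(7). dc_on_wire substitutes the Dc the server receives (for tests)."""
    base = pw_to_base(pw)
    rc = secrets.randbelow(P - 2) + 1 if rc is None else rc
    rs = secrets.randbelow(P - 2) + 1 if rs is None else rs
    dc = client_compute_dc(base, rc)
    seen_dc = dc if dc_on_wire is None else dc_on_wire
    ds, server_s, h = server_respond(ident, base, seen_dc, rs, pks)
    client_s, ok = client_verify(ident, dc, ds, rc, pks, h)
    return client_s, server_s, ok


if __name__ == "__main__":
    print(run_exchange("alice", "one-time-PW", "PKs-placeholder"))
```

In an honest run both sides derive the same S and the hash verifies; when the server's view of Dc differs from the client's, the hash it sends in (5) no longer matches what the client recomputes in (7).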
The second proposed scheme (cont.)
Client Server
(1) sends ID, “SKc compromised”, eSKc (H(ID, “SKc compromised”) to server
• Public key change if client secret key is compromised
• The client and server do not do any further exchange
• Until the client generates and sends a new public key to server
• The sending of a new public key is done as “Public key distribution”
// If server public key is compromised, contrariwise
![Page 12: Non-PKI Methods for Public Key Distribution](https://reader035.vdocument.in/reader035/viewer/2022062518/56814496550346895db139f2/html5/thumbnails/12.jpg)
The second proposed scheme (cont.)
Client Server
(1) sends ID, new_PKc, eS (H(ID, new_PKc) to server
• Regular client public key change (periodically)
• Both the client and server start using the new client’s public key
• They won’t accept any message with the old public key
// If server generates a new public key, contrariwise
![Page 13: Non-PKI Methods for Public Key Distribution](https://reader035.vdocument.in/reader035/viewer/2022062518/56814496550346895db139f2/html5/thumbnails/13.jpg)
The third proposed scheme
• Public key exchange protocol
– Given that the client and server share an ID and PW
(1) Client sends ID, PKc, H(ID, PKc, PW, Rc) to server
(2) Server sends ID, PKs, H(ID, PKs, PW, Rs) to client
(3) Client sends ID, ePKs(Rc) to server
(4) Server sends ID, ePKc(Rs) to client
// PW is used only once, to authenticate the flows from the client and the server
The third proposed scheme (cont.)
• The third scheme can be added on top of current SSL implementations (PW-based authentication).
– PWc: the client generates a password
– The client sends PWc to the server (e.g. on-line banking)
(1) Client generates PWc
(2) Client sends ID, ePKs(PWc, Rc), eSKc(H(ID, PWc, Rc)) to server
Conclusions
• The proposed schemes distribute public keys without a CA.
• The paper presents simpler alternatives to the X.509 PKI that save storage and bandwidth and reduce operational complexity.
Comments
• How can PKs and PKc be sent securely to the client and the server? (The first scheme)
– An attacker can masquerade as the server and the client and send a wrong PKs` (paired with SKs`) and a wrong PKc` (paired with SKc`)
– The attacker will then obtain PKc
– The attacker will then obtain PWc, because the client encrypts it with the wrong PKs`
Comments (cont.)
• Man-in-the-middle attack (The second scheme)
– Public key exchange protocol (Client – Attacker – Server), with the attacker’s exponent Rt substituting Dc` = Dc^Rt = PW^(Rc·Rt) mod P and Ds` = Ds^Rt = PW^(Rs·Rt) mod P
(1) generates P, Rc and computes public key Dc = PW^Rc mod P
(2) sends ID, Dc`, P to server
(3) computes public key Ds = PW^Rs mod P
(4) computes symmetric secret key S` = Dc`^Rs mod P = PW^(Rc·Rt·Rs) mod P
(5) sends ID, [PKs], Ds`, H(ID, Dc, P, [PKs], Ds`, S`) to client
(6) computes symmetric secret key S` = Ds`^Rc mod P = PW^(Rs·Rt·Rc) mod P
(7) verifies H(ID, Dc, P, [PKs], Ds`, S`) using the derived S` value
(8) sends ID, [PKc], H(ID, PKs, Ds, [PKc], new_PW`, S`), [eS`(new_PW`)] to server
Comments (cont.)
• How can PKs and PKc be sent securely to the client and the server? (The third scheme)
– An attacker can masquerade as the server and the client and send a wrong PKs` (paired with SKs`) and a wrong PKc` (paired with SKc`)
– The attacker will then obtain PKc
– The attacker will then obtain PWc, because the client encrypts it with the wrong PKs`
Thanks for your attention
Cryptanalysis of the first proposed scheme
• Public key distribution (Client – Attacker – Server)
(1) Server generates (ID, PW)
(2) Server sends (ID, PW) to client
(3) Client sends ID, PKc, H(ID, PKc, PW) to server
(3`) Attacker sends ID, PKc`, H(ID, PKc`, PW) to server
(4) Server sends ID, PKs, H(ID, PKs, PW) to client
(4`) Attacker sends ID, PKs`, H(ID, PKs`, PW) to client
// PW is used only once, to authenticate the flows from the client and the server
Cryptanalysis of the first proposed scheme (cont.)
• The first scheme can be added on top of current SSL implementations (PW-based authentication).
– PWc`: the attacker generates a password
– The attacker sends PWc` to the server
(1) Client generates PWc (without change)
(2) Client sends ID, ePKs(PWc), eSKc(H(ID, PWc)) to server
(2`) Attacker sends ID, ePKs(PWc`), eSKc`(H(ID, PWc`)) to server
Cryptanalysis of the third proposed scheme
• Public key exchange protocol (Client – Attacker – Server)
– Given that the client and server share an ID and PW
(1) Client sends ID, PKc, H(ID, PKc, PW, Rc) to server
(1`) Attacker sends ID, PKc`, H(ID, PKc`, PW, Rc`) to server
(2) Server sends ID, PKs, H(ID, PKs, PW, Rs) to client
(2`) Attacker sends ID, PKs`, H(ID, PKs`, PW, Rs`) to client
(3) Client sends ID, ePKs(Rc) to server
(3`) Attacker sends ID, ePKs(Rc`) to server
(4) Server sends ID, ePKc(Rs) to client
(4`) Attacker sends ID, ePKc(Rs`) to client
// PW is used only once, to authenticate the flows from the client and the server
Cryptanalysis of the third proposed scheme (cont.)
• The third scheme can be added on top of current SSL implementations (PW-based authentication).
– PWc`: the attacker generates a password
– The attacker sends PWc` to the server
(1) Client generates PWc
(2) Client sends ID, ePKs(PWc, Rc), eSKc(H(ID, PWc, Rc)) to server (without change)
(2`) Attacker sends ID, ePKs(PWc`, Rc`), eSKc`(H(ID, PWc`, Rc`)) to server