Upload
tuan
View
35
Download
2
Tags:
Embed Size (px)
DESCRIPTION
Overview of Key Establishment Techniques: Key Distribution, Key Agreement and PKI. Wade Trappe. Lecture Overview. We now begin our look at building protocols using the basic tools that we have discussed. - PowerPoint PPT Presentation
Citation preview
Overview of Key Establishment Overview of Key Establishment Techniques:Techniques:
Key Distribution, Key Agreement and PKIKey Distribution, Key Agreement and PKI
Wade Trappe
Lecture OverviewLecture Overview
We now begin our look at building protocols using the basic tools that we have discussed.
The discussion in this lecture will focus on issues of key establishment and the associated notion of authentication
These protocols are not real, but instead are meant to serve just as a high-level survey
Later lectures will go into specific protocols and will uncover practical challenges faced when implementing these protocols
Key Establishment: The problemKey Establishment: The problem
Securing communication requires that the data is encrypted before being transmitted.
Associated with encryption and decryption are keys that must be shared by the participants.
The problem of securing the data then becomes the problem of securing the establishment of keys.
Task: If the participants do not physically meet, then how do the participants establish a shared key?
Two types of key establishment:– Key Agreement– Key Distribution
Key DistributionKey Distribution
Key Agreement protocols: the key isn’t determined until after the protocol is performed.
Key Distribution protocols: one party generates the key and distributes it to Bob and/or Alice (Shamir’s 3pass, Kerberos).
Shamir’s Three-Pass Protocol:– Alice generates and Bob generates . – A key K is distributed by:
Alice BobpmodKK a1
pmodKK b12
pmodKK1a
23
pmodKK1b
3
Bob Calculates:
*pZa *
pZb
Basic TTP Key Distribution Basic TTP Key Distribution
KDC
Ka
Kb
Step 1Step 2
1. A Sends: {Request || IDA || IDB || N1}2. KDC Sends: EKa[ KAB|| {Request || IDA || IDB || N1}||EKb(KAB, IDA)]
Step 3Step 4
3. A Sends: EKb(KAB, IDA)
Step 5
4. B Sends: EKAB(N2) 5. A Sends: EKAB(f(N2))
Key AgreementKey Agreement In many scenarios, it is desirable for two parties to exchange messages in order to establish a shared secret that may be used
to generate a key. The Diffie-Hellman (DH) protocol is a basic tool used to establish shared keys in two-party communication. Two parties, A and B, establish a shared secret by:
The security of the DH scheme is based upon the intractibility of the Diffie-Hellman Problem:
The Diffie-Hellman scheme can be extended to work on arbitrary groups (e.g. Elliptic Curves).
Given a prime p, a generator g of , and elements and , it is computationally difficult to find .
*pZ pmodga pmodgb
pmodgab
pmodgpmodg:Bpmodgpmodg:A
pmodg:ABpmodg:BA
abbaabab
ba
Intruder In The MiddleIntruder In The Middle
The Intruder-in-the-Middle attack on Diffie-Hellman is based upon the following strategy to improve one’s chess ranking:– Eve challenges two grandmasters, and uses GM1’s moves against GM2.
Eve can either win one game, or tie both games.
Eve has and can perform the Intruder-in-the-Middle attack by:
Alice BobEvepmodga pmodgb
pmodgz pmodgzCalculates
pmodgKza
AE pmodgKzb
BE
Calculates
Calculates
BEAE K,K
Decrypts data with KBE
Decrypts data with KAE, uses data and encrypts with KBE
Encrypts data with KAE
DATAEAEK DATAE
BEK
Begins DH Begins DH
*pZz
Station-to-Station ProtocolStation-to-Station Protocol
Digital signatures can be used to prevent this protocol failure (STS Protocol).
A digital signature is a scheme that ties a message and its author together.– Private sig( ) function and Public ver( ) function.
Alice Bobpmodga
abBK
b g,gsigE,pmodg
baAK g,gsigE
pmodgKba
Calculates
pmodgKab
Calculates
Decrypts to get:
abB g,gsig
Verifies sig Verifies sig
Distribution of Public KeysDistribution of Public Keys
There are several techniques proposed for the distribution of public keys:– Public announcement– Publicly available directory– Public key authority– Public key certificates
Public AnnouncementPublic Announcement
Idea: Each person can announce or broadcast their public key to the world.
Example: People attach their PGP or RSA keys at the end of their emails.
Weakness: – No authenticity: Anyone can forge such an announcement– User B could pretend to be User A, but really announce User B’s public
key.
Public Directory ServicePublic Directory Service
Idea: Have a public directory or “phone book” of public keys. This directory is under the control/maintenance of a trusted third party (e.g. the government).
Involves:– Authority maintains a directory of {name, PK}– Each user registers public key. Registration should involve
authentication.– A user may replace or update keys. – Authority periodically publishes directory or updates to directory.– Participants can access directory through secure channel.
Weaknesses:– If private key of directory service is compromised, then opponent
can pretend to be directory service.– Directory is a single point of failure.
Public Key AuthorityPublic Key Authority
Idea: More security is achieved if the authority has tighter control over who gets the keys.
Assumptions:– Central authority maintains a dynamic directory of public keys of
all users.– Central authority only gives keys out based on requests.– Each user knows the public key of the authority.
Weaknesses:– Public Key Authority is a single point of failure.– User has to contact PK Authority, thus the PK Authority can be a
bottleneck for service.
Public Key Authority, protocolPublic Key Authority, protocol
PK Auth
ABStep 1Step 2
1. A Sends: {Request || Time1}2. PK Auth: EdAuth[ eB|| {Request || Time1}]
Step 3Step 6
3. A Sends B: EeB(IDA||N1)
Step 7
4 and 5. B does steps 1 and 2.
6. B Sends: EeA(N1||N2)
Step 4
Step 5
7. A Sends: EeB(N2)
Public Key CertificatesPublic Key Certificates
Idea: Use certificates! Participants exchange keys without contacting a PK Authority in a way that is reliable.
Certificates contain:– A public key (created/verified by a certificate authority).– Other information.
Certificates are given to a participant using the authority’s private key.
A participant conveys its key information to another by transmitting its certificate.
Other parties can verify that the certificate was created/verified by the authority.
Weakness:– Requires secure time synchronization.
Public Key Certificates, overview Public Key Certificates, overview
Cert Auth
A B
Give eA securely to CA
CertA = EdAuth{Time1||IDA||eA}
CertACert B
Securely give eB to CA
CertB = EdAuth{Time2||IDB||eB}
Requirements:•Any participant can read a certificate to determine the name and public key of the certificate’s owner.•Any participant can verify that the certificate originated from the certificate authority and is not counterfeit.•Only the certificate authority can create and update certificates.•Any participant can verify the currency of the certificate.
X.509 PK CertificatesX.509 PK Certificates
X.509 is a very commonly used public key certificate framework.
The certificate structure and authentication protocols are used in:– IP SEC– SSL– SET
X.509 Certificate Format:– Version 1/2/3– Serial is unique within the CA– First and last time of validity
Version
Cert Serial #
Algorithm & Parms
Issuer Name
Validity Time: Not before/after
Subject Name
PK Info: Algorithm, Parms, Key
. . .Signature (w/ hash)
X.509 Certificate ChainingX.509 Certificate Chaining
Its not feasible to have one CA for a large group of users.
Suppose A knows CA X1, B knows CA X2. If A does not know X2’s PK then CertX2(B) is useless to A.
If X1 and X2 have certified each other then A can get B’s PK by:– A obtains CertX1(X2)– A obtains CertX2(B)– Because B has a trusted copy of
X2’s PK, A can verify B’s certificate and get B’s PK.
Certificate Chain:– {CertX1(X2)|| CertX2(B)}
Procedure can be generalized to more levels.
A B
X1 X2
{CertX1(X2)|| CertX2(B)}
CertX1(X2) CertX2(X1)