2/24/2012
IT Faculty – DaLat University
February - 2012
Key Exchange Protocols
Encryption
For a plaintext M, a crypto algorithm A
and a cryptographic key K , the ciphertext
M' is calculated as follows:
M' = A(K, M) = {M}K
Perfect Encryption
i) Without the key K (in the case of a
symmetric cryptosystem), or the matching
private key of K (in the case of an
asymmetric cryptosystem), the ciphertext
{M}K does not provide any cryptanalytic
means for finding the plaintext message
M.
ii) The ciphertext {M}K and maybe together
with some known information about the
plaintext message M do not provide any
cryptanalytic means for finding the key K
(in the case of a symmetric cryptosystem),
or the matching private key of K (in the
case of an asymmetric cryptosystem).
The Dolev-Yao Threat Model
In that model
Malice (can):
• can obtain any message passing through the
network
• is a legitimate user of the network, and thus in
particular can initiate a conversation with any other
user
• will have the opportunity to become a receiver to
any principal
• can send messages to any principal by
impersonating any other principal
Malice (cannot):
• cannot guess a random number which is chosen from a
sufficiently large space
• without the correct secret (or private) key, cannot retrieve
plaintext from given ciphertext, and cannot create valid
ciphertext from given plaintext, wrt. the perfect encryption
algorithm
• cannot find the private component, i.e., the private key,
matching a given public key
• while he may have control of a large public part of our
computing and communication environment, in general,
he is not in control of many private areas of the
computing environment, such as accessing the memory
of a principal's offline computing device
• Suppose that two principals Alice and Bob wish
to communicate with each other in a secure
manner
• Suppose also that Alice and Bob have never
met before, so they do not already share a
secret key between them and do not already
know for sure the other party's public key
• Then how can they communicate securely over
completely insecure networks?
1. Alice generates K at random, creates
{K}KAT, and sends to Trent: Alice, Bob,
{K}KAT
2. Trent finds keys KAT, KBT, decrypts
{K}KAT to reveal K, creates {K}KBT and
sends to Bob: Alice, Bob, {K}KBT
3. Bob decrypts {K}KBT to reveal K, forms
and sends to Alice: {Hello Alice, I'm
Bob!}K
Problem: K created by Alice is not strong
enough, so Bob is unhappy about this
New protocol: “Session key from Trent”
An attack
This attack will only succeed if Malice is a
legitimate user known to Trent, which is a realistic
assumption: an insider attacker is often
more of a threat than outsiders
A fix: 1. Alice sends to Trent: Alice, {Bob}KAT;
Another attack
1. Alice sends to Trent: Alice, {Bob}KAT;
1. Malice("Alice") sends to Trent: Alice,
{Malice}KAT
Instead, Malice can alter the message
from Trent to Alice (message line 2 in
Protocol "Session Key From Trent") into the
following:
Malice("Trent") sends to Alice: {K'}KAT
Malice can alter some protocol messages
without detection.
This suggests that the protocol needs a
security service which can guard against
tampering of messages.
This brings us to the following security
service: “Protocol with message
authentication”
Protocol with Message Authentication
Malice has always been able to alter some
protocol messages without detection
None of the protocols designed so far has
provided any cryptographic protection
against message alteration.
Thus, one way to fix these protocols is to
provide such protection
The protection should enable legitimate
principals who have the right cryptographic
keys to detect any unauthorized alteration
of any protected protocol messages.
Such protection or security service is
called message authentication (is also
called data integrity)
We observe that Malice's alteration of the
protocol messages has caused the
following two effects:
• a session key is shared between wrong
principals
• a wrong session key gets established
Message authentication protection should
provide a cryptographic binding between
the session key to be established and its
intended users.
This leads to a new protocol: “Message
Authentication”, where the identities of
Alice and Bob are included in the
encrypted message parts sent by Trent.
Perfect encryption for message authentication service
Perfect Encryption with Notation {M}K (for
message authentication service)
iii) Without the key K, even with the knowledge
of the plaintext M, it should be impossible for
someone to alter {M}K without being detected
by the recipient during the time of decryption
Attack on Protocol "Message Authentication"
Problem: message replay attack.
• Malice intercepts Alice's request, then:
1. Alice sends to Malice("Trent")
2. Malice("Trent") sends to Alice: {Bob, K'}KAT, {Alice, K'}KBT
• Two ciphertext blocks containing K' are a
replay of old messages which Malice has
recorded from a previous run of the
protocol (between Alice and Bob)
This attack will cause Alice & Bob to reuse
the old session key K'
• Since K' is old, it may be possible for
Malice to have discovered its value
Protocol "challenge-response"
Using this method Alice will generate a
new random number NA at the start of the
protocol and send this to Trent with the
request for a new session key
The random number NA created by Alice
for enabling the challenge-response
mechanism is called a nonce which stands
for a number used once
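Added example, not from the slides: a symbolic model of the checks Alice runs on Trent's reply, covering the identity binding of protocol "Message Authentication" and the nonce of protocol "challenge-response". The layout {NA, Bob, K}KAT and all function names are assumptions, since the slide figures did not survive.

```python
# Added illustration. Enc models perfect encryption symbolically; the message
# layout and every name below are assumptions, and all keys are constructed.
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Enc:
    """Symbolic {M}K: opaque and unalterable without the key K."""
    key: bytes
    fields: tuple

def dec(block, key):
    if not isinstance(block, Enc) or block.key != key:
        raise ValueError("wrong key or altered ciphertext")
    return block.fields

def trent_reply(kat, kbt, na, initiator, responder):
    """Trent picks a fresh K and binds it to the nonce and the peer names."""
    k = secrets.token_bytes(16)
    return Enc(kat, (na, responder, k)), Enc(kbt, (initiator, k))

def alice_accepts(kat, my_na, peer, block):
    """Return K only if the block is authentic, names `peer`, and is fresh."""
    try:
        na, name, k = dec(block, kat)
    except ValueError:
        return None                 # altered, or not produced by Trent
    if name != peer:
        return None                 # key is bound to a different principal
    if not secrets.compare_digest(na, my_na):
        return None                 # block replayed from an earlier run
    return k

def demo():
    kat, kbt = secrets.token_bytes(16), secrets.token_bytes(16)
    na_old, na_new = secrets.token_bytes(16), secrets.token_bytes(16)
    recorded, _ = trent_reply(kat, kbt, na_old, "Alice", "Bob")   # earlier run
    fresh, _ = trent_reply(kat, kbt, na_new, "Alice", "Bob")      # current run
    other, _ = trent_reply(kat, kbt, na_new, "Alice", "Malice")
    forged = Enc(secrets.token_bytes(16), (na_new, "Bob", b"K'"))
    cases = {"fresh": fresh, "replayed": recorded,
             "wrong_peer": other, "forged": forged}
    return {name: alice_accepts(kat, na_new, "Bob", blk) is not None
            for name, blk in cases.items()}
```

Only the block from the current run is accepted; the recorded block fails the nonce comparison even though it is correctly encrypted under KAT and names Bob.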
An attack on the Needham-Schroeder
symmetric key authentication protocol:
Bob thinks he is sharing a new session key
with Alice while actually the key is an old one
and may be known to Malice
Solution
A Protocol Using Public-key Cryptosystems
Called the Needham-Schroeder Public-key
Authentication Protocol
Alice's public key is KA, Alice's private key is
KA⁻¹
An attack on public key authentication
protocol
Found after 17 years
Result: Bob thinks he is sharing secrets NA,
NB with Alice while actually sharing them with
Malice
Method: Malice makes use of Alice as she is
trying to establish a connection with him
Malice may ask for a session key and
Bob may believe that this request is from
Alice
• Then, for example, if Bob is a bank,
Malice("Alice") sends to Bob the following
command:
{NA, NB, "Transfer 5000$ from my account to
Malice's"}KB
It is fairly easy to change the protocol so
as to prevent the attack: we include the
responder's identity in message 6 of the
protocol
2-6. Bob sends to Malice("Alice"): {Bob, NA,
NB}KA
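Added example, not from the slides: Alice's handling of message 6 with and without the responder's identity. The unfixed layout {NA, NB}KA and message 7 carrying {NB} follow the standard Needham-Schroeder public-key protocol rather than the surviving slide text, and the function names are hypothetical.

```python
# Added illustration, not from the slides. Symbolic model: pk_enc/pk_dec stand
# in for perfect public-key encryption; names and layouts here are assumptions.
import secrets

def pk_enc(owner, *fields):
    return ("enc", owner, fields)        # only `owner` can open this term

def pk_dec(me, term):
    _, owner, fields = term
    if owner != me:
        raise ValueError("not encrypted under my public key")
    return fields

def bob_message6(na, nb, fixed):
    """Bob's reply to a request naming Alice as initiator."""
    if fixed:
        return pk_enc("Alice", "Bob", na, nb)    # {Bob, NA, NB}KA
    return pk_enc("Alice", na, nb)               # {NA, NB}KA

def alice_on_message6(peer, my_na, msg6, fixed):
    """Return message 7, {NB} for `peer`, or None if Alice aborts the run."""
    fields = pk_dec("Alice", msg6)
    if len(fields) != (3 if fixed else 2):
        return None
    if fixed and fields[0] != peer:
        return None                      # reply was produced for another run
    na, nb = fields[-2:]
    if not secrets.compare_digest(na, my_na):
        return None                      # nonce does not match this run
    return pk_enc(peer, nb)

def nb_released_to(peer, fixed):
    """Alice has a run open with `peer`; Bob's message 6 reaches her."""
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)   # constructed
    msg7 = alice_on_message6(peer, na, bob_message6(na, nb, fixed), fixed)
    return msg7 is not None and pk_dec(peer, msg7) == (nb,)
```

With the identity in message 6, `nb_released_to("Malice", True)` is false because Alice aborts, while a run that really is with Bob still completes.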
This is what we are using nowadays