Document information

Title: Overview of key establishment techniques: key distribution, key agreement and PKI
Author: Wade Trappe
Subject: Cryptography
Type: Lecture
Pages: 20
Size: 474.5 KB


Page 1

Overview of Key Establishment Techniques: Key Distribution, Key Agreement and PKI

Wade Trappe

Page 2

Lecture Overview

• We now begin our look at building protocols using the basic tools that we have discussed.

• The discussion in this lecture will focus on issues of key establishment and the associated notion of authentication.

• These protocols are not real, but instead are meant to serve just as a high-level survey.

• Later lectures will go into specific protocols and will uncover practical challenges faced when implementing these protocols.

Page 3

Key Establishment: The problem

• Securing communication requires that the data is encrypted before being transmitted.

• Associated with encryption and decryption are keys that must be shared by the participants.

• The problem of securing the data then becomes the problem of securing the establishment of keys.

• Task: If the participants do not physically meet, then how do the participants establish a shared key?

• Two types of key establishment:

– Key Agreement

– Key Distribution

Page 4

Key Distribution

• Key Agreement protocols: the key isn’t determined until after the protocol is performed.

• Key Distribution protocols: one party generates the key and distributes it to Bob and/or Alice (Shamir’s 3-pass, Kerberos).

• Shamir’s Three-Pass Protocol:

– Alice generates $a \in \mathbb{Z}_p^*$ and Bob generates $b \in \mathbb{Z}_p^*$

– A key K is distributed by:

$K_1 = K^{a} \bmod p$

$K_2 = K_1^{b} \bmod p$

$K_3 = K_2^{a^{-1}} \bmod p$

Bob Calculates: $K = K_3^{b^{-1}} \bmod p$
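The three passes of this slide, as an added example that is not part of the original lecture. It assumes the usual reading that Alice holds K and sends passes 1 and 3 while Bob sends pass 2; the toy modulus, the function names and the explicit check gcd(e, p-1) = 1 (needed for the inverse exponents to exist) are choices made for this sketch.

```python
import secrets
from math import gcd

# Constructed toy modulus: the Mersenne prime 2^127 - 1 (illustration only).
P = 2**127 - 1

def gen_exponent(p=P):
    """Pick a secret exponent e with gcd(e, p-1) = 1, so e^-1 mod (p-1) exists."""
    while True:
        e = secrets.randbelow(p - 3) + 2          # 2 <= e <= p-2
        if gcd(e, p - 1) == 1:
            return e

def three_pass(K, a, b, p=P):
    """Return (K1, K2, K3, K_bob): the three messages and the key Bob recovers."""
    if not 1 < K < p:
        raise ValueError("K must be an element of Z_p^* other than 1")
    a_inv = pow(a, -1, p - 1)    # raises ValueError if a is not invertible
    b_inv = pow(b, -1, p - 1)
    K1 = pow(K, a, p)            # pass 1, Alice -> Bob: K under Alice's lock
    K2 = pow(K1, b, p)           # pass 2, Bob -> Alice: both locks on
    K3 = pow(K2, a_inv, p)       # pass 3, Alice -> Bob: Alice's lock removed
    return K1, K2, K3, pow(K3, b_inv, p)   # Bob removes his own lock

if __name__ == "__main__":
    K = secrets.randbelow(P - 2) + 2
    a, b = gen_exponent(), gen_exponent()
    K1, K2, K3, K_bob = three_pass(K, a, b)
    print("Bob recovered K:", K_bob == K)
    print("K3 equals K^b mod p:", K3 == pow(K, b, P))
```

An exponent that shares a factor with p-1 (for example 2) has no inverse, so `three_pass` refuses it instead of producing a key Bob cannot unlock.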

Page 5

Basic TTP Key Distribution

[Figure: KDC with keys Ka and Kb; message flow Step 1 to Step 5; surviving label: KAB (f(N2))]

1. A Sends: {Request || IDA || IDB || N1}

2. KDC Sends: EKa[ KAB || {Request || IDA || IDB || N1} || EKb(KAB, IDA) ]

3. A Sends: EKb(KAB, IDA)

Page 6

Key Agreement

• In many scenarios, it is desirable for two parties to exchange messages in order to establish a shared secret that may be used to generate a key.

• The Diffie-Hellman (DH) protocol is a basic tool used to establish shared keys in two-party communication.

• Two parties, A and B, establish a shared secret by:

$A \to B:\ g^{a} \bmod p$

$B \to A:\ g^{b} \bmod p$

$A:\ (g^{b})^{a} \bmod p = g^{ab} \bmod p$

$B:\ (g^{a})^{b} \bmod p = g^{ab} \bmod p$

• The security of the DH scheme is based upon the intractability of the Diffie-Hellman Problem:

Given a prime p, a generator g of $\mathbb{Z}_p^*$, and elements $g^{a} \bmod p$ and $g^{b} \bmod p$, it is computationally difficult to find $g^{ab} \bmod p$.

• The Diffie-Hellman scheme can be extended to work on arbitrary groups (e.g. Elliptic Curves).

Page 7

Intruder In The Middle

• The Intruder-in-the-Middle attack on Diffie-Hellman is based upon the following strategy to improve one’s chess ranking:

– Eve challenges two grandmasters, and uses GM1’s moves against GM2. Eve can either win one game, or tie both games.

• Eve has $z \in \mathbb{Z}_p^*$ and can perform the Intruder-in-the-Middle attack by:

[Figure: message flow between A, Eve and B. Each party calculates a key; Eve calculates $K_{AE}$, $K_{BE}$. A encrypts data with $K_{AE}$; Eve decrypts data with $K_{AE}$, uses data and encrypts with $K_{BE}$; B decrypts data with $K_{BE}$.]

Page 8

Station-to-Station Protocol

• Digital signatures can be used to prevent this protocol failure (STS Protocol).

• A digital signature is a scheme that ties a message and its author together.

– Private sig( ) function and Public ver( ) function.

$A \to B:\ g^{a} \bmod p$

B calculates $K = (g^{a})^{b} \bmod p$

$B \to A:\ g^{b} \bmod p,\ E_K(\mathrm{sig}_B(g^{b}, g^{a}))$

A calculates $K = (g^{b})^{a} \bmod p$, decrypts to get $\mathrm{sig}_B(g^{b}, g^{a})$, verifies sig

$A \to B:\ E_K(\mathrm{sig}_A(g^{a}, g^{b}))$

B verifies sig
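An added example (not from the original lecture) covering the Intruder-in-the-Middle slide and the property the Station-to-Station signatures protect: it runs the DH exchange with and without Eve and compares what each honest side sent and received. The toy prime, the base g = 3, the function names and the dictionary layout are assumptions of this sketch; no signature scheme is implemented, only the comparison that signed exponentials make possible.

```python
import secrets

# Constructed toy parameters (illustration only): p is the Mersenne prime
# 2^127 - 1; g = 3 is an assumed base, not claimed to generate all of Z_p^*.
P, G = 2**127 - 1, 3

def keypair():
    """Return (x, g^x mod p) for a fresh private exponent x."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def exchange(intruder=False):
    """Run one DH exchange; return (alice, bob, eve_keys).

    alice and bob hold the derived key plus the exponentials each side sent
    and received. eve_keys is (K_AE, K_BE), or None without an intruder.
    """
    a, ga = keypair()
    b, gb = keypair()
    to_bob, to_alice, eve_keys = ga, gb, None
    if intruder:
        z, gz = keypair()                            # Eve's exponent z
        to_bob = to_alice = gz                       # g^z replaces g^a and g^b
        eve_keys = (pow(ga, z, P), pow(gb, z, P))    # K_AE, K_BE
    alice = {"key": pow(to_alice, a, P), "sent": ga, "received": to_alice}
    bob = {"key": pow(to_bob, b, P), "sent": gb, "received": to_bob}
    return alice, bob, eve_keys

def views_agree(alice, bob):
    """True when each side received exactly what the other side sent.

    STS has each party sign the pair (g^a, g^b) it saw, so a mismatch here
    is what makes the signature verification fail.
    """
    return alice["received"] == bob["sent"] and bob["received"] == alice["sent"]

if __name__ == "__main__":
    for intruder in (False, True):
        alice, bob, eve = exchange(intruder)
        print(f"intruder={intruder}: same key={alice['key'] == bob['key']}, "
              f"views agree={views_agree(alice, bob)}")
```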

Page 9

N-to-N Group Key Establishment

• Many group scenarios require contributory key establishment protocols.

• 1-to-1 Key Establishment: Diffie-Hellman (DH) protocol

• Two parties, A and B, establish a shared secret by:

$A \to B:\ g^{a} \bmod p$

$B \to A:\ g^{b} \bmod p$

$A:\ (g^{b})^{a} \bmod p = g^{ab} \bmod p$

$B:\ (g^{a})^{b} \bmod p = g^{ab} \bmod p$

• Extensions to multi-user scenarios:

– Ingemarsson: Requires N-1 rounds and $O(N^2)$ exponentiations

– Burmester-Desmedt: Requires 2 rounds but full broadcast

– GDH (Steiner et al.): Requires N rounds and O(N) exp

Page 10

Butterfly Group Diffie-Hellman

[Figure: users u1, u2, u3, u4, u5, u6, u7, u8]

Example:

$u_1 \to u_2:\ g^{x_1} \bmod p$, $u_2 \to u_1:\ g^{x_2} \bmod p$, $x_1^{1} = g^{x_1 x_2} \bmod p$

$u_1 \to u_3:\ g^{x_1^{1}} \bmod p$, $u_3 \to u_1:\ g^{x_3^{1}} \bmod p$, $x_1^{2} = g^{x_1^{1} x_3^{1}} \bmod p$

$u_1 \to u_5:\ g^{x_1^{2}} \bmod p$, $u_5 \to u_1:\ g^{x_5^{2}} \bmod p$, $x_1^{3} = g^{x_1^{2} x_5^{2}} \bmod p$

• Can be extended to arbitrary radix b using Ingemarsson as the basic building block.

$T = (b-1)\lceil \log_b N \rceil$, $M = N(b-1)\lceil \log_b N \rceil$

• Optimal radix in both cases is 2.

Page 11

The Conference Tree

• Group key formation procedure is described by:

– Communication flow diagram

– Conference Tree

• Conference tree describes the subgroups and subgroup keys.

[Figure: conference tree over users u1 to u8 with keys K000, K001, K010, K011, K100, K101, K110, K111 at the leaves]
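An added example (not from the original lecture) of the radix-2 butterfly and the conference tree it induces. The pairing rule, user i with the user whose index differs in one bit, is inferred from the pairs u1/u2, u1/u3, u1/u5 on the previous slide; the toy prime, the base g = 3 and all function names are assumptions of this sketch.

```python
import secrets

# Constructed toy parameters (illustration only): p is the Mersenne prime
# 2^127 - 1; g = 3 is an assumed base, not claimed to generate all of Z_p^*.
P, G = 2**127 - 1, 3

def butterfly(n=8):
    """Return (levels, messages); levels[j][i] is user i's secret after round j."""
    if n < 2 or n & (n - 1):
        raise ValueError("this radix-2 sketch needs n to be a power of two")
    levels = [[secrets.randbelow(P - 3) + 2 for _ in range(n)]]   # initial x_i
    messages, stride = 0, 1
    while stride < n:
        cur = levels[-1]
        sent = [pow(G, x, P) for x in cur]     # each user sends g^(its secret)
        # user i combines its own secret with the value sent by user i XOR stride
        levels.append([pow(sent[i ^ stride], cur[i], P) for i in range(n)])
        messages += n                          # one message per user per round
        stride <<= 1
    return levels, messages

def conference_tree(levels):
    """Group users by the key they share at each level, leaves first."""
    tree = []
    for keys in levels:
        groups = {}
        for user, k in enumerate(keys, start=1):
            groups.setdefault(k, []).append(f"u{user}")
        tree.append(list(groups.values()))
    return tree

if __name__ == "__main__":
    levels, messages = butterfly(8)
    print("rounds:", len(levels) - 1, "messages:", messages)
    for depth, groups in enumerate(conference_tree(levels)):
        print(depth, groups)
```

For N = 8 this gives 3 rounds and 24 messages, and the subgroups merge 8, 4, 2, 1 until every user holds the same group key.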

Page 12

Distribution of Public Keys

• There are several techniques proposed for the distribution of public keys:

– Public announcement

– Publicly available directory

– Public key authority

– Public key certificates

Page 13

Public Announcement

world.

emails.

– No authenticity: Anyone can forge such an announcement

– User B could pretend to be User A, but really announce User B’s public key.

Page 14

Public Directory Service

Idea: Have a public directory or “phone book” of public keys.

This directory is under the control/maintenance of a trusted third party (e.g. the government).

Involves:

– Authority maintains a directory of {name, PK}

– Each user registers public key. Registration should involve authentication.

– A user may replace or update keys

– Authority periodically publishes directory or updates to directory

– Participants can access directory through secure channel.

Weaknesses:

– If private key of directory service is compromised, then opponent can pretend to be directory service.

– Directory is a single point of failure.

Page 15

Public Key Authority

control over who gets the keys

– Central authority maintains a dynamic directory of public keys of all users.

– Central authority only gives keys out based on requests.

– Each user knows the public key of the authority.

– Public Key Authority is a single point of failure.

– User has to contact PK Authority, thus the PK Authority can be a bottleneck for service.

Page 16

Public Key Authority, protocol

[Figure: PK Auth, A and B; message flow Step 1 to Step 7]

1. A Sends: {Request || Time1}

2. PK Auth: EdAuth[ eB || {Request || Time1} ]

3. A Sends B: EeB(IDA || N1)

4 and 5. B does steps 1 and 2.

6. B Sends: EeA(N1 || N2)

7. A Sends: EeB(N2)

Page 17

Public Key Certificates

contacting a PK Authority in a way that is reliable

– A public key (created/verified by a certificate authority).

– Other information.

• Certificates are given to a participant using the authority’s private key.

• A participant conveys its key information to another by transmitting its certificate.

• Other parties can verify that the certificate was created/verified by the authority.

– Requires secure time synchronization.

Page 18

Public Key Certificates, overview

[Figure: Cert Auth, A and B; labels CertA and CertB]

Give eA securely to CA: CertA = EdAuth{Time1||IDA||eA}

Securely give eB to CA: CertB = EdAuth{Time2||IDB||eB}

Requirements:

• Any participant can read a certificate to determine the name and public key of the certificate’s owner.

• Any participant can verify that the certificate originated from the certificate authority and is not counterfeit.

• Only the certificate authority can create and update certificates.

• Any participant can verify the currency of the certificate.

Page 19

X.509 PK Certificates

• X.509 is a very commonly used public key certificate framework.

• The certificate structure and authentication protocols are used in:

– IPsec

– SSL

– SET

• X.509 Certificate Format:

– Version 1/2/3

– Serial is unique within the CA

– First and last time of validity

[Figure: certificate fields: Version; Cert Serial #; Algorithm & Parms; Issuer Name; Validity Time: Not before/after; Subject Name; PK Info: Algorithm, Parms, Key; Signature (w/ hash)]

Page 20

X.509 Certificate Chaining

• It’s not feasible to have one CA for a large group of users.

• Suppose A knows CA X1, B knows CA X2. If A does not know X2’s PK then CertX2(B) is useless to A.

• If X1 and X2 have certified each other then A can get B’s PK by:

– A obtains CertX1(X2)

– A obtains CertX2(B)

– Because B has a trusted copy of X2’s PK, A can verify B’s certificate and get B’s PK.

• Certificate Chain:

– {CertX1(X2) || CertX2(B)}

• Procedure can be generalized to more levels.

[Figure: X1 and X2 with CertX1(X2) and CertX2(X1); chain {CertX1(X2) || CertX2(B)}]
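An added example (not from the original lecture) of A walking the chain {CertX1(X2) || CertX2(B)} while trusting only X1's public key. It uses the slides' simplified certificate, a hash of the body processed with the CA's private key, built on toy textbook RSA; the key sizes, field layout, integer validity times and function names are assumptions of this sketch and not the X.509 encoding.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys below

def make_key(k, m):
    """Toy RSA key from the Mersenne primes 2^k-1 and 2^m-1 (constructed, insecure)."""
    p, q = 2**k - 1, 2**m - 1
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(body, n):
    """Hash the certificate body and reduce it into Z_n."""
    data = "|".join(map(str, body)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(ca, subject, subject_key, not_before, not_after):
    """Cert = body plus the CA's private-key operation on the body's hash."""
    body = (subject, subject_key["n"], subject_key["e"], not_before, not_after)
    return {"body": body, "sig": pow(digest(body, ca["n"]), ca["d"], ca["n"])}

def verify_chain(anchor, chain, now):
    """Verify each certificate with the key taken from the one before it.

    anchor is the (n, e) that A already trusts; returns (subject, (n, e)) of
    the last certificate, or raises ValueError at the first link that fails.
    """
    n, e = anchor
    subject = None
    for cert in chain:
        subject, sub_n, sub_e, not_before, not_after = cert["body"]
        if pow(cert["sig"], e, n) != digest(cert["body"], n):
            raise ValueError(f"signature on certificate for {subject} does not verify")
        if not not_before <= now <= not_after:
            raise ValueError(f"certificate for {subject} is outside its validity time")
        n, e = sub_n, sub_e          # this key checks the next link
    return subject, (n, e)

# Constructed keys: CA X1 (trusted by A), CA X2, and user B.
X1, X2, B = make_key(61, 89), make_key(31, 107), make_key(19, 127)
CHAIN = [issue(X1, "X2", X2, 0, 100), issue(X2, "B", B, 0, 100)]  # {CertX1(X2) || CertX2(B)}

if __name__ == "__main__":
    print(verify_chain((X1["n"], E), CHAIN, now=50)[0])
```

Passing only CertX2(B) with X1's key as the anchor fails, which is the slide's point that the certificate is useless to A without X2's public key.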

Date posted: 17/02/2014, 15:20
