key exchange protocols n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Key Exchange Protocols PowerPoint Presentation
Download Presentation
Key Exchange Protocols

Loading in 2 Seconds...

play fullscreen
1 / 47

Key Exchange Protocols - PowerPoint PPT Presentation


  • 111 Views
  • Uploaded on

CS 259. Key Exchange Protocols. J. Mitchell. Next few lectures. Today 1/17 Brief cryptography background Key exchange protocols and properties Thursday 1/19 Wireless security: 802.11i

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Key Exchange Protocols' - gili


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
next few lectures
Next few lectures
  • Today 1/17
    • Brief cryptography background
    • Key exchange protocols and properties
  • Thursday 1/19
    • Wireless security: 802.11i
    • Choose your project partner
  • Next Tues 1/24
    • Password authentication protocols
  • Next Thurs 1/26
    • Contract-signing protocols
  • Project presentation #1 2/2

Talk about protocols for a while before looking at more tools

basic concepts in cryptography
Basic Concepts in Cryptography
  • Encryption scheme:
    • functions to encrypt, decrypt data
    • key generation algorithm
  • Secret key vs. public key
    • Public key: publishing key does not reveal key-1
    • Secret key: more efficient, generally key = key-1
  • Hash function, MAC
    • Map input to short hash; ideally, no collisions
    • MAC (keyed hash) used for message integrity
  • Signature scheme
    • Functions to sign data, verify signature
cryptosystem
Cryptosystem
  • A cryptosystem consists of five parts
    • A set P of plaintexts
    • A set C of ciphertexts
    • A set K of keys
    • A pair of functions

encrypt: K  P  C

decrypt: K  C  P

such that for every key kK and plaintextpP

decrypt(k, encrypt(k, p)) = p

what is a secure cryptosystem
What is a “secure” cryptosystem?
  • One idea
    • If enemy intercepts ciphertext, cannot recover plaintext
  • Issues in making this precise
    • What else might your enemy know?
      • The kind of encryption function you are using
      • Some plaintext-ciphertext pairs from last year
      • Some information about how you choose keys
    • What do we mean by “cannot recover plaintext” ?
      • Ciphertext contains no information about plaintext
      • No efficient computation could make a reasonable guess
      • Cannot use ciphertext for any nontrivial purpose
passive adversary

m0, m1

E(mi)

guess 0 or 1

Passive Adversary

Challenger

Attacker

chosen ciphertext cca1

c

D(c)

m0, m1

E(mi)

guess 0 or 1

Chosen ciphertext CCA1

Challenger

Attacker

chosen ciphertext cca2

c

D(c)

m0, m1

E(mi)

c  E(mi)

D(c)

guess 0 or 1

Chosen ciphertext CCA2

Challenger

Attacker

public key cryptosystem
Public-key Cryptosystem
  • Different keys to encrypt and decrypt
    • encrypt(key, message)
    • decrypt(key -1, encrypt(key, message)) = message
  • Encryption key does not help decrypt
    • Cannot compute m from encrypt(key, m) and key, unless you have key-1

key pair

example rsa
Example: RSA
  • Arithmetic modulo pq
    • Generate secret primes p, q
    • Generate secret numbers a, b with xab  x mod pq
  • Public encryption key n, a
    • Encrypt(n, a, x) = xa mod n
  • Private decryption key n, b
    • Decrypt(n, b, y) = yb mod n
  • Main properties
    • This works
    • Cannot compute b from n,a
      • Apparently, need to factor n = pq

n

cryptographic hash functions
Cryptographic hash functions
  • Length-reducing function h
    • Map arbitrary strings to strings of fixed length
  • One way (“preimage resistance”)
    • Given y, hard to find x with h(x)=y
  • Collision resistant
    • Hard to find any distinct m, m’ with h(m)=h(m’)
  • Also useful: 2nd preimage resistance
    • Given x and y=h(x) hard to find x’x with h(x’)=h(x)
    • Collision resistance  2nd preimage resistance
iterated hash functions
Iterated hash functions
  • Repeat use of block cipher or custom function
    • Pad input to some multiple of block length
    • Iterate a length-reducing function f
      • f : 22k -> 2k reduces bits by 2
      • Repeat h0= some seed

hi+1 = f(hi, xi)

    • Some final function g

completes calculation

x

Pad to x=x1x2 …xk

xi

f(xi-1)

f

g

applications of one way hash
Applications of one-way hash
  • Password files (one way)
  • Digital signatures (collision resistant)
    • Sign hash of message instead of entire message
  • Data integrity
    • Compute and store hash of some data
    • Check later by recomputing hash and comparing
  • Keyed hash for message authentication
    • MAC – Message Authentication Code
digital signatures
Digital Signatures
  • Public-key encryption
    • Alice publishes encryption key
    • Anyone can send encrypted message
    • Only Alice can decrypt messages with this key
  • Digital signature scheme
    • Alice publishes key for verifying signatures
    • Anyone can check a message signed by Alice
    • Only Alice can send signed messages
properties of signatures
Properties of signatures
  • Functions to sign and verify
    • Sign(Key-1, message)
    • Verify(Key, x, m) =
  • Resists forgery
    • Cannot compute Sign(Key-1, m) from m and Key
    • Resists existential forgery:

given Key, cannot produce Sign(Key-1, m)

for any random or otherwise arbitrary m

  • true if x = Sign(Key-1, m)
  • false otherwise
basic concepts in cryptography1
Basic Concepts in Cryptography
  • Encryption scheme:
    • functions to encrypt, decrypt data
    • key generation algorithm
  • Secret key vs. public key
    • Public key: publishing key does not reveal key-1
    • Secret key: more efficient, generally key = key-1
  • Hash function, MAC
    • Map input to short hash; ideally, no collisions
    • MAC (keyed hash) used for message integrity
  • Signature scheme
    • Functions to sign data, verify signature
key management
Key Management
  • Out of band
    • Can set up some keys this way (Kerberos)
  • Public-key infrastructure (PKI)
    • Leverage small # of public signing keys
  • Protocols for session keys
    • Generate short-lived session key
    • Avoid extended use of important secret
    • Don’t use same key for encryption and signing
    • Forward secrecy

Cryptography reduces many problems to key management

key distribution kerberos idea
Key Distribution: Kerberos Idea

Shared symmetric key Kc

KeyCenter

{Kcs, {Kcs}Ks}Kc

Shared symmetric key Ks

Client

{Kcs}Ks { msg }Kcs

Server

Key Center generates session key Kcs and distributes using shared long-term keys

public key infrastructure
Public-Key Infrastructure

Known public signature verification key Ka

Certificate Authority

Certificate

Sign(Ka, Ks)

Ks

Sign(Ka, Ks), Sign(Ks, msg)

Client

Server

Server certificate can be verified by any client that has CA key Ka

Certificate authority is “off line”

key exchange
Key Exchange
  • Parties may have initial information
  • Generate and agree on session key
    • Authentication – know ID of other party
    • Secrecy – key not known to any others
    • Avoid replay attack
    • Forward secrecy
    • Avoid denial of service
    • Identity protection – disclosure to others
    • Other properties you can think of???
diffie hellman key exchange
Diffie-Hellman Key Exchange
  • Assume finite group G = S, 
    • Generator g so every xS is x = gn
    • Example: integers modulo prime p
  • Protocol

ga mod p

gb mod p

A

B

Alice, Bob share gab mod p not known to anyone else

diffie hellman key exchange1
Diffie-Hellman Key Exchange

ga mod p

gb mod p

A

B

  • Authentication?
  • Secrecy?
  • Replay attack
  • Forward secrecy?
  • Denial of service?
  • Identity protection?
ike subprotocol from ipsec

m1

m2

IKE subprotocol from IPSEC

A, (ga mod p)

B, (gb mod p)

, signB(m1,m2)

signA(m1,m2)

A

B

Result: A and B share secret gab mod p

Signatures provide authentication, as long as signature verification keys are known

ipsec network layer security
IPSec: Network Layer Security
  • Authentication Header (AH)
    • Access control and authenticate data origins
    • replay protection
    • No confidentiality
  • Encapsulated Secure Payload (ESP)
    • Encryption and/or authentication
  • Internet Key management (IKE)
    • Determine and distribute secret keys
    • Oakley + ISAKMP
    • Algorithm independent
  • Security policy database (SPD)
    • discarded, or bypass
ike many modes
IKE: Many modes
  • Main mode
    • Authentication by pre-shared keys
    • Auth with digital signatures
    • Auth with public-key encryption
    • Auth with revised public-key encryption
  • Quick mode
    • Compress number of messages
    • Also four authentication options
aug 2001 position statement
Aug 2001 Position Statement
  • In the several years since the standardization of the IPSEC protocols (ESP, AH, and ISAKMP/IKE), … several security problems…, most notably IKE.
  • Formal and semi-formal analyses by Meadows, Schneier et al, and Simpson, have shown … security problems in IKE stem directly from its complexity.
  • It seems … only a matter of time before serious *implementation* problems become apparent, again due to the complex nature of the protocol, and the complex implementation that must surely follow.
  • The Security Area Directors have asked the IPSEC working group to come up with a replacement for IKE.
general problem in security
General Problem in Security
  • Divide-and-conquer is fundamental
    • Decompose system requirements into parts
    • Develop independent software modules
    • Combine modules to produce required system
  • Common belief:
    • Security properties do not compose

Difficult system development problem

example protocol
Example protocol

Protocol P1

A  B : {message}KB

A  B : KA-1

  • This satisfies basic requirements
    • Message is transmitted under encryption
    • Revealing secret key KA-1does not reveal message
similar protocol
Similar protocol

Protocol P2

B  A : {message’}KA

B  A : KB-1

  • Transmits msg securely from B to A
    • Message is transmitted under encryption
    • Revealing secret key KB-1does not reveal message
composition p1 p2
Composition P1; P2
  • Sequential composition of two protocols

A  B : {message}KB

A  B : KA-1

B  A : {message’}KA

B  B : KB-1

  • Definitely not secure
    • Eavesdropper learns both keys, decrypts messages
sts family
STS family

STS0H

STS0

cookie

distribute

certificates

open

responder

STSa

JFK0

STSaH

m=gx, n=gy

k=gxy

STS

STSH

JFK1

protect

identities

STSPH

JFK

STSP

symmetric

hash

RFK

example
Example
  • Construct protocol with properties:
    • Shared secret
    • Authenticated
    • Identity Protection
    • DoS Protection
  • Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)
component 1
Component 1
  • Diffie-Hellman

A  B: ga

B  A: gb

    • Shared secret (with someone)
      • A deduces:

Knows(Y, gab)  (Y = A) ۷ Knows(Y,b)

    • Authenticated
    • Identity Protection
    • DoS Protection
component 2
Component 2
  • Challenge Response:

A  B: m, A

B  A: n, sigB {m, n, A}

A  B: sigA {m, n, B}

    • Shared secret (with someone)
    • Authenticated
      • A deduces: Received (B, msg1) Λ Sent (B, msg2)
    • Identity Protection
    • DoS Protection
composition

m := ga

n := gb

Composition
  • ISO 9798-3 protocol:

A  B: ga, A

B  A: gb, sigB {ga, gb, A}

A  B: sigA {ga, gb, B}

    • Shared secret: gab
    • Authenticated
    • Identity Protection
    • DoS Protection
refinement
Refinement
  • Encrypt signatures:

A  B: ga, A

B  A: gb, EK {sigB {ga, gb, A}}

A  B: EK {sigA {ga, gb, B}}

    • Shared secret: gab
    • Authenticated
    • Identity Protection
    • DoS Protection
transformation
Transformation
  • Use cookie: JFK core protocol

A  B: ga, A

B  A: gb, hashKB {gb, ga}

A  B: ga, gb, hashKB {gb, ga}

EK {sigA {ga, gb, B}}

B  A: gb, EK {sigB {ga, gb, A}}

    • Shared secret: gab
    • Authenticated
    • Identity Protection
    • DoS Protection
  • (Here B must store b in step 2, but we’ll fix this later…)
cookie transformation
Cookie transformation
  • Typical protocol
    • Client sends request to server
    • Server sets up connection, responds
    • Client may complete session or not (DOS)
  • Cookie version
    • Client sends request to server
    • Server sends hashed data back
      • Send message #2 later after client confirms
    • Client confirms by returning hashed data
    • Need extra step to send postponed message
cookie in jfk
Cookie in JFK
  • Protocol susceptible to DOS

A  B: ga, A

B  A: gb, EK {sigB {ga, gb, A}}

A  B: EK {sigA {ga, gb, B}}

  • Use cookie: JFK core protocol

A  B: ga, A

B  A: gb, hashKB {gb, ga}

A  B: ga, gb, hashKB {gb, ga}, eh2

B  A: gb, eh1

eh1

eh2

efficiency reuse d h key
Efficiency: Reuse D-H key
  • Costly to compute ga, gb, gab
  • Solution
    • Keep medium-term ga, gb (change ~10 min)
    • Replace ga by pair ga, nonce
  • JFKi, JFKr protocols (except cert or grpinfo, …)

A  B: Na, ga, A

B  A: Nb, gb, hashKB {Nb,Na, gb, ga}

A  B: Na,Nb, ga, gb, hashKB {Nb,Na, gb, ga},

EK {sigA {Na,Nb, ga, gb, B}}

B  A: gb, EK {sigB {Na,Nb, ga, gb, A}}

  • Note: B does not need to store any short-term data in step 2
conclusion
Conclusion
  • Many protocol properties
    • Authentication Secrecy
    • Prevent replay Forward secrecy
    • Denial of service Identity protection
  • Systematic understanding is possible
    • But be careful; easy to make mistakes
    • State of the art:

need to analyze complete protocol

block cipher modes for des aes

+

Block cipher modes (for DES, AES, …)
  • ECB – Electronic Code Book mode
    • Divide plaintext into blocks
    • Encrypt each block independently, with same key
  • CBC – Cipher Block Chaining
    • XOR each block with encryption of previous block
    • Use initialization vector IV for first block
  • OFB – Output Feedback Mode
    • Iterate encryption of IV to produce stream cipher
  • CFB – Cipher Feedback Mode
    • Output block yi = input xi encyrptK(yi-1)
electronic code book ecb
Electronic Code Book (ECB)

Plain

Text

Plain

Text

Block Cipher

Block Cipher

Block Cipher

Block Cipher

Ciphe

rTex

tCip

herT

Problem: Identical blocks encrypted identically

No integrity check

cipher block chaining cbc

Block Cipher

Block Cipher

Cipher Block Chaining (CBC)

Plain

Text

Plain

Text

IV

Block Cipher

Block Cipher

Ciphe

rTex

tCip

herT

Advantages: Identical blocks encrypted differently

Last ciphertext block depends on entire input

comparison for aes by bart preneel
Comparison (for AES, by Bart Preneel)

Similar plaintext blocks produce similar ciphertext (see outline of head)

No apparent pattern