Key Establishment Protocols
• Human protocols --- the rules followed in human
  » Example: Asking a question in class
• Networking protocols --- rules followed in networked
  communication systems
  » Examples: HTTP, FTP, etc.
• Security protocol --- the (communication) rules followed
  in a security application
  » Examples: SSL, IPSec, Kerberos, etc.

Key Establishment Protocols
• Cryptographic protocols that use long-term keys in
  order to set up short-term (session) keys
• Needed
  » to limit available ciphertext
  » to limit exposure in the event of key compromise
  » to create independence across communication
    sessions or applications

• Key transport protocol
  » one party creates, and securely transfers it to the
• Key agreement protocol: key establishment
  technique in which
  » a shared secret is derived by two (or more) parties

• {M}K: encryption of M with symmetric key K
  » Only someone who knows K can read M (confidentiality)
  » Only someone who knows K can construct {M}K
• sigX(M): digital signature of M using the private key of
  entity X
  » Assume not a message-recovering signature (but it can be)

• Here, we are concerned with attacks on protocols, not
  directly on the crypto
• We assume that the crypto algorithm is secure

First Protocol Attempt
  1. Alice → Server: A, B
  2. Server → Alice: {K}KAS, {K}KBS
  3. Alice → Bob: {K}KBS, A

• K = session key for A and B generated by Server
• Server shares key KAS with Alice, key KBS with Bob, key
  KCS with Carol, etc.
• Is this secure?
Assumption 1
• The adversary can alter all messages sent in a protocol
  using any information available
• The adversary can re-route any message to any
• The adversary can generate and insert completely new

Attack on the First Protocol
  1. Alice → Charlie: A, B
  1’. Charlie → Server: A, C
  2. Server → Alice: {K}KAS, {K}KCS
  3. Alice → Charlie: {K}KCS, A     (Alice believes she is sending to Bob)

• What went wrong?
• Alice accepts K as a session key with Bob
• But K is known to Charlie!

Key exclusivity
• A (respectively, B) should have assurance that K is
  known only to A and B and any mutually trusted
  parties (if any)
• This property is often called implicit key authentication
  (Menezes, van Oorschot and Vanstone)
  » N.B. this property is actually a confidentiality property

Second Protocol Attempt
  1. Alice → Server: A, B
  2. Server → Alice: {K, B}KAS, {K, A}KBS
  3. Alice → Bob: {K, A}KBS

• Bob’s (Alice’s) ID is bound to K
  » Proves that the server will reveal K to Bob (Alice) only
  » Encryption must ensure message integrity
• This protocol protects against the previous attack
• Is it secure? See the next slide …

Security Assumption 2
• An adversary can obtain the value of the session key
  used in any sufficiently old previous run of the protocol

Replay Attack
  1. Alice → Charlie (as Server): A, B
  2. Charlie → Alice: {K*, B}KAS, {K*, A}KBS
  3. Alice → Bob: {K*,

• K* = old session key between A and B
• What went wrong?
• Charlie knows K*!

Key Freshness
• Alice and Bob should have assurance that K is newly
• One method for achieving freshness
  » Challenge sent from Alice to Server
  » Only Server can provide the correct response
  » Challenge chosen so that replay is not possible
• For the challenge, a random value or “number used once”

Nonce-based protocol
  1. Bob → Alice: B, NB
  2. Alice → Server: A, B, NA, NB
  3. Server → Alice: {K, B, NA}KAS, {K, A, NB}KBS
  4. Alice → Bob: {K, A, NB}KBS

• NA, NB = nonces generated by A and B resp.
• This protocol protects against the replay attack
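The nonce-based protocol above, combined with the identity binding introduced in the second attempt, as an added Python example (this is not code from the original slides). {M}K is stood in for by a toy HMAC-SHA256 encrypt-then-MAC construction; the names seal, open_box, server, accept_ticket and LONG_TERM, the party names and the sample nonces are all constructed for the demo. The three runs show an honest exchange, the re-routed request from the first attack, and a replay of an old run's tickets, and in both attack cases the receiver's check on the ticket rejects it.

```python
"""Added example, not part of the original slides: the nonce-based server
protocol (messages 1-4) run in Python with the two checks that defeat the
earlier attacks, the peer identity and the nonce inside each ticket.  {M}K is
modelled by a toy HMAC-SHA256 encrypt-then-MAC (seal/open_box); all names,
keys and nonces below are constructed for the demo."""
import hashlib
import hmac
import json
import secrets

def _subkeys(key):
    """Derive separate encryption and MAC keys from one long-term key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key, iv, length):
    """HMAC in counter mode, used as a toy stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, fields):
    """{fields}key: encrypt-then-MAC, so a ticket cannot be altered undetected
    (the slides require the encryption to ensure message integrity)."""
    enc, mac = _subkeys(key)
    plaintext = json.dumps(fields, sort_keys=True).encode()
    iv = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, iv, len(plaintext))))
    tag = hmac.new(mac, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag

def open_box(key, blob):
    """Inverse of seal(); returns None on a bad tag or a malformed blob."""
    if len(blob) < 48:
        return None
    enc, mac = _subkeys(key)
    iv, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc, iv, len(ciphertext))))
    return json.loads(plaintext)

# Long-term keys KAS, KBS, KCS shared between the server and each party (constructed).
LONG_TERM = {name: secrets.token_bytes(32) for name in ("A", "B", "C")}

def server(request):
    """Message 3: the server binds the other party's name and the matching
    nonce into each ticket."""
    a, b, na, nb = request
    k = secrets.token_hex(16)                      # fresh session key K
    ticket_a = seal(LONG_TERM[a], {"K": k, "peer": b, "nonce": na})
    ticket_b = seal(LONG_TERM[b], {"K": k, "peer": a, "nonce": nb})
    return ticket_a, ticket_b

def accept_ticket(me, expected_peer, my_nonce, ticket):
    """Alice's check on her ticket (message 3) and Bob's on his (message 4):
    the identity (key exclusivity) and the nonce (key freshness) must match."""
    fields = open_box(LONG_TERM[me], ticket)
    if fields is None or fields["peer"] != expected_peer or fields["nonce"] != my_nonce:
        return None
    return fields["K"]

def honest_run():
    nb = secrets.token_hex(8)                            # 1: B -> A: B, NB
    na = secrets.token_hex(8)                            # 2: A -> S: A, B, NA, NB
    ticket_a, ticket_b = server(("A", "B", na, nb))      # 3: S -> A
    k_alice = accept_ticket("A", "B", na, ticket_a)
    k_bob = accept_ticket("B", "A", nb, ticket_b)        # 4: A -> B
    return k_alice is not None and k_alice == k_bob

def rerouted_request_rejected():
    """First attack: the request reaches the server as (A, C).  Alice's ticket
    then names C, so her identity check fails."""
    na, nb = secrets.token_hex(8), secrets.token_hex(8)
    ticket_a, _ = server(("A", "C", na, nb))
    return accept_ticket("A", "B", na, ticket_a) is None

def replayed_tickets_rejected():
    """Security assumption 2: the tickets of an old run (carrying old K*) are
    replayed.  The nonces of the new run differ, so both parties reject."""
    old_a, old_b = server(("A", "B", "old-NA", "old-NB"))
    na, nb = secrets.token_hex(8), secrets.token_hex(8)
    return (accept_ticket("A", "B", na, old_a) is None
            and accept_ticket("B", "A", nb, old_b) is None)
```

The two checks in accept_ticket map directly onto the slides: the peer field is what the second attempt added (key exclusivity), and the nonce field is what the nonce-based protocol added (key freshness). Because seal() authenticates the ticket, an adversary cannot edit either field to pass the check.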

Key Agreement
• Shared secret value created jointly by both parties
• Useful to prevent any one party from replaying the
  shared secret value
• Use of public keys and/or signatures not necessary (can
  also use shared key cryptography)

Long-term key compromise
• Forward secrecy
  » Property that compromise of long-term keys does not
    compromise past session keys
• Key compromise impersonation
  » Property that compromise of the long-term key of A allows
    the adversary to masquerade to A as another user

Diffie-Hellman Protocol
  Alice: choose random x                   Bob: choose random y
  1. Alice → Bob: g^x
  2. Bob → Alice: g^y

• Alice computes K as (g^y)^x = g^xy
• Bob computes K as (g^x)^y = g^xy
• Assumes the following is hard:
  Given g, p, and g^a mod p, what is a?
Limitation of Diffie-Hellman
• Lacks authentication property
  » Neither A nor B can be sure who else can know the agreed
• One attack
  » Adversary masquerades as Alice, sends g^z to Bob, and is
    able to obtain the key computed by Bob with Alice
• Solution: Authenticated Diffie-Hellman protocols

Authenticated Diffie-Hellman Protocols
• Approach 1
  » Extra information is added to the messages exchanged
    between parties (typically a signature of each party)
    - Shared key = Diffie-Hellman key
• Approach 2
  » Extra information is used in the calculation of the shared
    secret (typically long-term public and private keys)

STS Protocol
[Diffie, van Oorschot, Wiener]
• Authentication by signatures
  Alice: choose rA, tA = g^rA              Bob: choose rB, tB = g^rB
  1. Alice → Bob: tA
     Bob computes K = (tA)^rB
  2. Bob → Alice: tB, {sigB(tB, tA)}K
     Alice computes K = (tB)^rA, decrypts and verifies
  3. Alice → Bob: {sigA(tA, tB)}K

• What if each party signs only its own exponential? [Variant 1]
• What if the signatures are not encrypted? [Variant 2]
STS Variant 1
• Signature excludes the other party’s exponential
  Alice: choose rA, tA = g^rA              Bob: choose rB, tB = g^rB
  1. Alice → Bob: tA
     Bob computes K = (tA)^rB
  2. Bob → Alice: tB, {sigB(tB)}K
     Alice computes K = (tB)^rA, decrypts and verifies
  3. Alice → Bob: {sigA(tA)}K

• What advantage does the adversary have if Adv finds
  (rB, sigB(g^rB))?

STS Variant 2
• Removing encryption on signatures
  1. Alice → Charlie: tA
     Charlie → Bob: tC = tA
  2. Bob → Charlie: tB, sigB(tB, tC)
     Charlie → Alice: tB, sigB(tB, tC)
  3. Alice → Charlie: sigA(tA, tB)
     Charlie → Bob: sigC(tC, tB)

• A accepts K = g^(rA·rB) as a shared key with Bob
• B accepts the same key but with Charlie
• This is known as an unknown key share attack
  » C doesn’t know K, but B may consider anything sent by A using K as
    coming from C
Unknown key share attacks
• Adversary’s goal:
  » Make one party A believe that key K is only known to A and
    B, when B actually believes that K is only known to B and C
• Some countermeasures
  » Certification authority checks for possession of the private key
    before issuing certificates
  » Provide assurance that the communication partner has the
    same key (key confirmation)
  » Include identities in the key derivation function

Remarks on original STS
• With the encryption under K, adversary C cannot send the
  encrypted signature for a successful unknown key
  share attack
• The attack remains if Adv can obtain a certificate for a
  signature verification key that is identical to that of A
• Is it possible to achieve protection against UKS without

STS - encryption removed
• Includes the identity of the peer in each signature
  Alice: choose rA, tA = g^rA              Bob: choose rB, tB = g^rB
  1. Alice → Bob: tA
     Bob computes K = (tA)^rB
  2. Bob → Alice: tB, sigB(tB, tA, A)
     Alice computes K = (tB)^rA and verifies
  3. Alice → Bob: sigA(tA, tB, B)

• Do these “insignificant” changes help prevent UKS?
• Yes!
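Diffie-Hellman key agreement and the STS form just shown (peer identity inside each signature), as an added Python example that is not from the original slides; it also runs the variant-2 signature without the identity so the two behaviours can be compared. Schnorr signatures over a 64-bit safe-prime group generated at import time stand in for sigX; the group parameters, the Party class, the PUBKEYS directory and run_sts are all constructed for this demo and are far too small to be secure.

```python
"""Added example, not part of the original slides: Diffie-Hellman key
agreement wrapped in STS with the peer's identity inside each signature, next
to the variant-2 form that omits it.  Signatures are toy Schnorr signatures
over a 64-bit safe-prime group generated at import time; the group, the names
and the Party class are constructed for this demo and are not secure."""
import hashlib
import random

_rng = random.Random(2024)   # fixed seed: reproducible toy group and keys
PUBKEYS = {}                 # stands in for the certificate directory

def is_probable_prime(n):
    """Deterministic Miller-Rabin; this witness set is exact below 3.3e24."""
    witnesses = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % w == 0 for w in witnesses):
        return n in witnesses
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for w in witnesses:
        x = pow(w, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Return (p, q) with p = 2q + 1, both prime."""
    while True:
        q = _rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime(64)
G = 4   # a quadratic residue mod a safe prime, so it has prime order q

def _challenge(*parts):
    data = "|".join(str(x) for x in parts).encode()   # Fiat-Shamir challenge in Z_q
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def sign(sk, *msg):
    """Schnorr signature (r, s) over the tuple msg."""
    k = _rng.randrange(1, Q)
    r = pow(G, k, P)
    return r, (k + _challenge(r, *msg) * sk) % Q

def verify(pk, sig, *msg):
    r, s = sig
    return pow(G, s, P) == r * pow(pk, _challenge(r, *msg), P) % P

def _fields(own_t, peer_t, peer, bind_identity):
    """Signed tuple: (tB, tA, A) with identity binding, (tB, tA) without."""
    return (own_t, peer_t, peer) if bind_identity else (own_t, peer_t)

class Party:
    def __init__(self, name):
        self.name = name
        self.sk = _rng.randrange(1, Q)          # long-term signing key
        PUBKEYS[name] = pow(G, self.sk, P)      # "certified" public key
    def start(self):
        self.r = _rng.randrange(1, Q)           # ephemeral exponent rA
        self.t = pow(G, self.r, P)              # tA = g^rA
        return self.t
    def respond(self, peer, t_peer, bind_identity=True):
        """Bob's move: K = (tA)^rB, then send tB and sigB(tB, tA, A)."""
        self.peer, self.t_peer = peer, t_peer
        self.start()
        self.K = pow(t_peer, self.r, P)
        return self.t, sign(self.sk, *_fields(self.t, t_peer, peer, bind_identity))
    def finish(self, peer, t_peer, sig, bind_identity=True):
        """Alice's move: verify under B's key (her own name expected inside),
        then K = (tB)^rA and sigA(tA, tB, B)."""
        if not verify(PUBKEYS[peer], sig, *_fields(t_peer, self.t, self.name, bind_identity)):
            return None
        self.peer, self.t_peer = peer, t_peer
        self.K = pow(t_peer, self.r, P)
        return sign(self.sk, *_fields(self.t, t_peer, peer, bind_identity))
    def confirm(self, sig, bind_identity=True):
        # Bob's check of message 3 under the public key of his supposed peer
        return verify(PUBKEYS[self.peer], sig,
                      *_fields(self.t_peer, self.t, self.name, bind_identity))

def run_sts(bind_identity, relayed=False):
    """Honest run, or (relayed=True) the variant-2 scenario: Charlie forwards
    Alice's tA to Bob as his own tC, so Bob signs for peer 'Charlie', and later
    replaces Alice's signature with his own.  Returns 'shared', 'rejected' or
    'unknown key share' (same K, different beliefs about the peer)."""
    alice, bob, charlie = Party("Alice"), Party("Bob"), Party("Charlie")
    t_a = alice.start()
    t_b, sig_b = bob.respond("Charlie" if relayed else "Alice", t_a, bind_identity)
    sig_a = alice.finish("Bob", t_b, sig_b, bind_identity)
    if sig_a is None:
        return "rejected"                       # identity mismatch caught by Alice
    if relayed:
        sig_a = sign(charlie.sk, *_fields(t_a, t_b, "Bob", bind_identity))
    if not bob.confirm(sig_a, bind_identity) or alice.K != bob.K:
        return "rejected"
    return "shared" if bob.peer == alice.name else "unknown key share"
```

run_sts(True, relayed=True) returns 'rejected': Bob's signature names Charlie as his peer, Alice expects her own name, and the verification fails before she computes K. run_sts(False, relayed=True) returns 'unknown key share', the outcome of the variant-2 slide: both signatures verify, Alice and Bob hold the same g^(rA·rB), yet Bob believes he shares it with Charlie.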
MTI C(0)
• A, B have long-term public keys        and
  Alice                                        Bob

• A computes        . B computes        .
• Provides forward secrecy (why?)
• What if the adversary finds the long-term private keys        ?
  » If A and B destroy      and      after computing K, Adv. cannot
    discover past keys (although subsequent sessions are compromised)

Attack on MTI C(0)
  Alice                                        Charlie (as Adv)

• Assume: Adversary C has the long-term private key        of A
• Result
  » A believes        is only known to A and B
  » But C can compute K as
    - Adv. can masquerade to A as any other user
• Protocol is vulnerable to key compromise impersonation
MTI A(0)
• Authentication by combining long-term and random inputs
• A, B have long-term public keys        and
  Alice                                        Bob

• A computes        . B computes
• Lacks forward secrecy (why?)
• Resistant to key compromise impersonation (why?)
