Dr. Cunsheng DING ❁ Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631
Lecture 12: Key Distribution Protocols

Outline of this Lecture
1. Merkle's protocol.
2. The Needham-Schröder protocol.
3. Shamir's three-pass protocol.
Secret Key Distribution with a PKC

Comments: Public-key cryptosystems (PKCs) are usually not used to encrypt bulk data, as they are very slow. They are used for distributing secret keys of one-key ciphers and/or for signing messages.

Question: How can a PKC be used to distribute a secret key?
Merkle's Key Distribution Protocol

Scenario: A and B want to establish a session key.
1. A generates a key pair $(k_e^{(A)}, k_d^{(A)})$, and sends $k_e^{(A)} \| ID_A$ to B, where $ID_A$ is an identifier of A.
2. B generates a secret key $k$, and sends $E_{k_e^{(A)}}(k)$ to A.
3. A computes $D_{k_d^{(A)}}\big(E_{k_e^{(A)}}(k)\big) = k$.
4. A discards $(k_e^{(A)}, k_d^{(A)})$, and B discards $k_e^{(A)}$.
Merkle Key Distribution Protocol: Pictorial

(1) A → B: $k_e^{(A)} \| ID_A$
(2) B → A: $E_{k_e^{(A)}}(k)$

Comments: This protocol is vulnerable to an active attack. If an enemy E has control of the intervening communication channel, then E can "compromise" the communication without being detected.

Question: What is the active attack?
Active Attack on the Merkle Protocol

1. A generates a key pair $(k_e^{(A)}, k_d^{(A)})$, and sends $k_e^{(A)} \| ID_A$ intended for B, where $ID_A$ is an identifier of A.
2. E intercepts the message, creates its own key pair $(k_e^{(E)}, k_d^{(E)})$, and sends $k_e^{(E)} \| ID_A$ to B.
3. B generates a secret key $k$, and sends $E_{k_e^{(E)}}(k)$ (intended for A).
4. E intercepts the message and decrypts it to get $k$; E then computes and sends $E_{k_e^{(A)}}(k)$ to A.

Comment: A and B are unaware that E has obtained $k$.
The Intruder-in-the-Middle Attack: Pictorial

(1) A → E: $k_e^{(A)} \| ID_A$
(2) E → B: $k_e^{(E)} \| ID_A$
(3) B → E: $E_{k_e^{(E)}}(k)$
(4) E → A: $E_{k_e^{(A)}}(k)$

E is the attacker in the middle.

Figure: Active attack on the Merkle Protocol
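The honest run and the intercepted run described above can be compared side by side in a short simulation. This is an added example, not part of the lecture: toy textbook RSA with fixed Mersenne primes stands in for the PKC, and every function name and parameter is an assumption made for illustration.

```python
# Added illustration: Merkle's protocol, honest run vs. intruder in the middle.
# Toy textbook RSA (no padding, constructed primes) stands in for the PKC;
# all names are hypothetical and nothing here is a parameter recommendation.
import secrets

E_PUB = 65537

def keygen(p, q):
    """Return ((e, n), (d, n)) for the primes p and q."""
    n = p * q
    return (E_PUB, n), (pow(E_PUB, -1, (p - 1) * (q - 1)), n)

def enc(pub, m):       # E_{k_e}(m)
    return pow(m, pub[0], pub[1])

def dec(priv, c):      # D_{k_d}(c)
    return pow(c, priv[0], priv[1])

def run_merkle(intruder=False):
    """Simulate the exchange; return (k at A, k at B, k learned by E or None)."""
    a_pub, a_priv = keygen(2**89 - 1, 2**107 - 1)      # A's fresh key pair
    msg1 = (a_pub, "A")                                # k_e^(A) || ID_A
    k_e = None
    if intruder:
        e_pub, e_priv = keygen(2**61 - 1, 2**127 - 1)  # E's own key pair
        msg1 = (e_pub, "A")                            # key replaced, ID_A kept
    pub_seen_by_b, _claimed_id = msg1   # B has nothing to check the key against
    k_b = secrets.randbits(128)                        # B's secret key k
    msg2 = enc(pub_seen_by_b, k_b)
    if intruder:
        k_e = dec(e_priv, msg2)                        # E recovers k
        msg2 = enc(a_pub, k_e)                         # and re-encrypts it for A
    k_a = dec(a_priv, msg2)                            # A decrypts as usual
    return k_a, k_b, k_e

if __name__ == "__main__":
    print("honest     :", run_merkle(False))
    print("intercepted:", run_merkle(True))
```

In both runs A and B end with the same key, so neither side observes a difference; the only thing that changes is the third value, which is why the public key in message (1) needs to be authenticated.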
The Modified Needham-Schröder Protocol

For both confidentiality and authentication: Assume that A and B have exchanged their public keys with some method. A is the initiator and B is the responder.

(1) A → B: $E_{k_e^{(B)}}[N_1 \| ID_A]$
(2) B → A: $E_{k_e^{(A)}}[N_1 \| N_2]$
(3) A → B: $E_{k_e^{(B)}}[N_2 \| k]$

Remarks: Nonce $N_1$ is to identify this transaction uniquely.
The Modified Needham-Schröder Protocol

1. A sends $E_{k_e^{(B)}}[N_1 \| ID_A]$ to B, where $N_1$ is a nonce used to identify this transaction uniquely, and is generated by A.
2. B generates a new nonce $N_2$, and sends $E_{k_e^{(A)}}[N_1 \| N_2]$ to A. After decryption A gets $N_1$, and is sure that the responder is B.
3. A selects a secret key $k$ and sends $E_{k_e^{(B)}}[N_2 \| k]$ to B. (Encryption with B's public key ensures confidentiality.)
4. After decryption B gets $N_2$ and $k$, and is sure that its correspondent is A.

Question: How does this protocol ensure both confidentiality and authenticity?
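The two nonce checks in steps 2 and 4 can be exercised in a small simulation. This is an added example, not part of the lecture: toy textbook RSA with constructed primes stands in for the PKC, the 64-bit field layout and all names are assumptions, and the run continues after a failed check only so that both checks can be reported.

```python
# Added illustration: the three messages of the modified Needham-Schroeder
# exchange with both nonce checks. Toy textbook RSA, constructed parameters.
import secrets

E_PUB = 65537
MASK = 2**64 - 1

def keygen(p, q):
    n = p * q
    return (E_PUB, n), (pow(E_PUB, -1, (p - 1) * (q - 1)), n)

def rsa(key, x):                   # same operation for E_{k_e} and D_{k_d}
    return pow(x, key[0], key[1])

def join(x, y):                    # x || y as two 64-bit fields
    return ((x & MASK) << 64) | (y & MASK)

def split(m):
    return (m >> 64) & MASK, m & MASK

# Public keys are assumed to have been exchanged beforehand, as on the slide.
A_PUB, A_PRIV = keygen(2**89 - 1, 2**107 - 1)
B_PUB, B_PRIV = keygen(2**61 - 1, 2**127 - 1)
_, X_PRIV = keygen(2**31 - 1, 2**127 - 1)    # a party holding neither key

def exchange(initiator_priv=A_PRIV, responder_priv=B_PRIV, id_a=0xA):
    """Return (A accepts, B accepts, k at initiator, k at responder)."""
    n1 = secrets.randbits(64)
    msg1 = rsa(B_PUB, join(n1, id_a))                  # (1) E[N1 || ID_A]
    seen_n1, _ = split(rsa(responder_priv, msg1))
    n2 = secrets.randbits(64)
    msg2 = rsa(A_PUB, join(seen_n1, n2))               # (2) E[N1 || N2]
    echo_n1, seen_n2 = split(rsa(initiator_priv, msg2))
    a_accepts = echo_n1 == n1        # only the holder of k_d^(B) can echo N1
    k = secrets.randbits(64)
    msg3 = rsa(B_PUB, join(seen_n2, k))                # (3) E[N2 || k]
    echo_n2, k_b = split(rsa(responder_priv, msg3))
    b_accepts = echo_n2 == n2        # only the holder of k_d^(A) can echo N2
    return a_accepts, b_accepts, k, k_b

if __name__ == "__main__":
    print("honest         :", exchange()[:2])
    print("wrong responder:", exchange(responder_priv=X_PRIV)[:2])
    print("wrong initiator:", exchange(initiator_priv=X_PRIV)[:2])
```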
Shamir's Three-Pass Protocol

Objective: Alice wants to transfer a secret key $k$ to Bob via a public communication channel.

System Parameters:
• A prime $p$ is chosen so that the discrete logarithm problem mod $p$ is hard. $p$ is public knowledge.
• Alice selects a random number $a$ with $\gcd(a, p-1) = 1$. $a^{-1}$ denotes the inverse of $a$ mod $p-1$.
• Bob selects a random number $b$ with $\gcd(b, p-1) = 1$. $b^{-1}$ denotes the inverse of $b$ mod $p-1$.
Shamir's Three-Pass Protocol

First of all, Alice computes $k_1 = k^a \bmod p$.
1. Alice sends $k_1 = k^a \bmod p$ to Bob.
2. Bob sends $k_2 = k_1^b \bmod p$ to Alice.
3. Alice sends $k_3 = k_2^{a^{-1}} \bmod p$ to Bob.

Finally, Bob computes $k = k_3^{b^{-1}} \bmod p$.

Question: Why is $k = k_3^{b^{-1}} \bmod p$?
Why $k = k_3^{b^{-1}} \bmod p$

By the definition of multiplicative inverse,

$$a \cdot a^{-1} = u_1 (p-1) + 1, \qquad b \cdot b^{-1} = u_2 (p-1) + 1.$$

If $k = 0$, it is obvious. If $k \neq 0$, by Fermat's theorem

$$
\begin{aligned}
k_3^{b^{-1}} \bmod p &= k^{a a^{-1} b b^{-1}} \bmod p \\
&= k^{[u_1 u_2 (p-1) + u_1 + u_2](p-1) + 1} \bmod p \\
&= \left[ \left( k^{[u_1 u_2 (p-1) + u_1 + u_2]} \right)^{p-1} \bmod p \right] k \bmod p \\
&= k \bmod p \\
&= k.
\end{aligned}
$$
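The three passes and the exponent identity used in the proof can be checked numerically. This is an added example, not part of the lecture: the modulus is a constructed demo prime chosen only because it is a known prime, and the function names are assumptions.

```python
# Added illustration: Shamir's three-pass protocol and the exponent identity
# a*a^-1*b*b^-1 = [u1*u2*(p-1) + u1 + u2]*(p-1) + 1 from the correctness proof.
import math
import secrets

# Constructed demo modulus. It is NOT a parameter recommendation: the slide
# requires a p for which the discrete logarithm problem is hard.
P = 2**127 - 1

def pick_exponent(p=P):
    """Random x with gcd(x, p-1) = 1, returned with its inverse mod p-1."""
    while True:
        x = secrets.randbelow(p - 3) + 2             # 2 <= x <= p-2
        if math.gcd(x, p - 1) == 1:                  # otherwise no inverse exists
            return x, pow(x, -1, p - 1)

def three_pass(k, alice, bob, p=P):
    """Run the protocol; return (key Bob recovers, public transcript)."""
    (a, a_inv), (b, b_inv) = alice, bob
    k1 = pow(k, a, p)            # pass 1, Alice -> Bob
    k2 = pow(k1, b, p)           # pass 2, Bob -> Alice
    k3 = pow(k2, a_inv, p)       # pass 3, Alice -> Bob (Alice's exponent removed)
    return pow(k3, b_inv, p), (k1, k2, k3)

def exponent_identity(alice, bob, p=P):
    """Check the decomposition of a*a^-1*b*b^-1 used in the proof."""
    (a, a_inv), (b, b_inv) = alice, bob
    u1, r1 = divmod(a * a_inv, p - 1)    # a*a^-1 = u1*(p-1) + 1
    u2, r2 = divmod(b * b_inv, p - 1)    # b*b^-1 = u2*(p-1) + 1
    lhs = a * a_inv * b * b_inv
    rhs = (u1 * u2 * (p - 1) + u1 + u2) * (p - 1) + 1
    return r1 == 1 and r2 == 1 and lhs == rhs

if __name__ == "__main__":
    alice, bob = pick_exponent(), pick_exponent()
    k = secrets.randbelow(P - 1) + 1                 # secret key, 0 < k < p
    recovered, transcript = three_pass(k, alice, bob)
    print("recovered == k:", recovered == k)
    print("identity holds:", exponent_identity(alice, bob))
```

Only the transcript values $k_1, k_2, k_3$ cross the channel; the exponents and $k$ itself never do.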
The Security of the Protocol

1. Alice sends $k_1 = k^a \bmod p$ to Bob.
2. Bob sends $k_2 = k_1^b \bmod p$ to Alice.
3. Alice sends $k_3 = k_2^{a^{-1}} \bmod p$ to Bob.

Security: Security with respect to passive attacks depends on the difficulty of solving the discrete logarithm problem. The protocol is not secure with respect to an active attack (the so-called intruder-in-the-middle attack).