Cryptographic Protocols: Making the Network Secured Debdeep Mukhopadhyay IIT Kharagpur Protocols • Key Agreement • Authentication: Group Authentication • Key Agreement and Authentication • Key Agreement and authentication with key confirmation. • Secret Sharing Schemes • Zero Knowledge Protocols 1
Keys in a Protocol • Long Term Keys: Generated by a more costly process, like D-H. Stored in protected places (tamper-proof). Used to generate the session key, which is also known as the ephemeral or short-lived key. • Session-Key: Changed per session. Used in future encryptions. So, they are more prone to cryptanalysis and attacks. Thus, they must be changed on a more regular basis. Establishing the session Key • Set Up: – Three legitimate entities • Alice (A) • Bob (B) • Trusted Server (S) • Purpose: Establish new session key K AB • Objectives of the Key Establishment Protocol: – At the end K AB should be known to only A, B and of course S – A and B should know that K AB is newly generated 2
First Attempt S 1. A, B 2. K AB A B 3. K AB , A Security Assumption 1: The adversary is able to eavesdrop on all messages Second Attempt Long Term Keys S 1. A, B 2. {K AB } KAS, , {K AB } KBS A B 3. {K AB } KBS , A Security Assumption 2: Attacker is able to alter messages using any information available, reroute messages, generate and insert completely new message 3
Attack on Protocol-2 S 1. A, B 2. {K AB } KAS, , {K AB } KBS A C B 3. {K AB } KBS , A 3’. {K AB } KBS , D B thinks he is sharing with D, while he is actually doing it with A. So, B may leak some information meant only for D to A! So, we have the condition that all users should know with whom they are sharing keys. Another Attack on Protocol-2 Security Assumption 3: S Insiders can be attackers or combine with outsiders to pose 1’. A, C attacks 2. {K AC } KAS, , {K AC } KCS A thinks he is communicating C with B, while he is actually communicating with C. C knows K AC , and thus can 1. A, B masquerade as B to A, and 2’. {K AC } KAS, , {K AC } KCS obtain all information which A sends for B. A C 3. {K AC } KCS , A 4
Third Protocol Attempt Include the names of A and B in the 1. Cannot Eavesdrop encrypted message received 2. Cannot Alter message S from S. The Encryption algorithm is used 1. A, B for data integrity 2. {K AB ,B } KAS, , {K AB ,A } KBS and not for confidentiality. A B 3. {K AB ,A } KBS Security Assumption 4: Attacker is able to obtain any previous session key Attack on Protocol 3 ---- replay attack C Old Session Key 1. A, B 2. {K’ AB ,B } KAS, , {K’ AB ,A } KBS A B 3. {K’ AB ,A } KBS 5
Fourth Protocol Attempt Nonce (random value generated by one party and Remedy: Challenge- returned to that party to response using Nonces. show that a message is S newly generated) 1. A, B,N A 2. { K AB ,B, N A , {K AB ,A } KBS } KAS 3. {K AB ,A } KBS 4. {N B } KAB B A 5. {N B -1} KAB Essentially known as Needham and Schroeder’s Protocol Attack on Protocol-4 Assumption of Previous Protocol: --- Only A can correctly answer 4 th challenge of B ---- But C may know an old key K’ AB 3. {K’ AB ,A } KBS 4. {N B } K’AB B C 5. {N B -1} K’AB 6
Fifth Protocol Attempt S 2. A, B, N A , N B 3. {K AB ,B, N A } KAS, , {K AB ,A, N B } KBS 1. B, N B A B 4. {K AB , A, N B } KBS Protocol Architectures • It is not possible to establish an authenticated session key without existing secure channels already being available. • Off-line servers: Certified public keys are available to the principals. • On-line servers: Each principal shares a key with a trusted server. 7
Methods of session key generation • Key Transport: one principal generates the key, which is transferred to the others. • Key Agreement: session key is a function of inputs by all parties. • Hybrid Protocols also exist, which are key transport to a party, but agreement to the other. Number of Users • Two party • Multi-party (conference key protocols) complicate the matter a great deal. 8
Hybrid Protocol • A � B: A, N A • B � S: {N B ,A,B} KBS ,N A • S � A: {K AB ,A,B,N A } KAS ,N S • A � B: N S ,{A,B} KAB • B � A: {B,A} KAB Observe that B is not being given K AB explicitly. He can compute using a function f, K AB =f(N B ,N S ). To B this is an example of agreement, while for A it is a key transport. 9
Recommend
More recommend
