06-20008 Cryptography
The University of Birmingham
Autumn Semester 2012
School of Computer Science
Eike Ritter
8 November, 2012

Handout 7

Summary of this handout: Key Exchange Protocols — Wide-Mouth Frog — Needham-Schroeder — Kerberos — Otway-Rees — Some Cryptanalysis Techniques — Overview on Passive and Active Attacks

II.5 Key Exchange Protocols

For the symmetric ciphers discussed so far we have assumed that both sender and receiver are familiar with the key used for encryption and decryption. In practice, however, exchanging and maintaining keys is a major issue. In particular, in the situation where many users want to communicate over an insecure network (e.g., the Internet), it is important that shared keys are exchanged in a manner that is private and integrity-assured. Moreover, we need to be able to establish ad hoc communications between participants unknown to each other. This is achieved by means of key exchange protocols.

Some of the important aspects for key maintenance are:

Key Lifetime: The longer a key is used, the more vulnerable the communication. Keys therefore have to be renewed frequently and old keys have to be properly destroyed.

Key Security: Keys should never be reused and should be chosen as randomly as possible in order to increase security. Key reuse is theoretically not a problem. Suppose we take Rijndael in its easiest form, i.e., with a key length of 128 bits; then even if we had used one new key every nanosecond since the beginning of the universe (which is assumed to be $2^{34}$ years old), we would still have $2^{86}$ keys left. Although we can assume that the security of a cipher does not depend on the particular choice of key, i.e., all keys lead to an equally secure cipher, it is nevertheless important that the key is random and therefore cannot be easily guessed. [See point 56 below.]

Key Distribution: The most vulnerable part of key management is the actual exchange of keys.
The main idea of symmetric key exchange protocols is that one uses a trusted third party. Alice and Bob each share a permanent key only with this trusted third party, which then produces session keys that are distributed to Alice and Bob and used for their subsequent communication. We will discuss some of the key exchange protocols in this handout.

56. Aside: Non-linear Keyspaces

Most ciphers are designed such that they provide full security no matter what the secret key is. However, occasionally one might want to design a cipher that behaves differently, in that it is secure only for some keys in the space of all possible keys, while it is deliberately defined to be weak for other keys. Such keyspaces are called non-linear. If a user is unaware which keys make the cipher secure and which leave it weak, the cipher designer can use this knowledge as a back door. The NSA is known to have defined ciphers that had non-linear keyspaces.

57. New People Involved

We need some new players in our game of Cryptography:

Trent: A trusted third party that is often central to symmetric key exchange. For example, this can be an authentication server or an Internet service provider.

Mallory: A malicious attacker, who can modify messages, substitute her own messages, replay old messages, and so on. Unlike defending against Eve, who can only eavesdrop, securing a system against Mallory is much harder.
58. Notation

Recall that the main idea of the symmetric key exchange protocols is that both Alice and Bob only share a permanent key with Trent and get a unique session key issued by Trent for communication. In order to establish this session key, however, we will need additional information that is to be exchanged. Here is an overview of the concepts we will use for defining the protocols:

$A$: Alice’s name.
$B$: Bob’s name.
$T$: Trent’s name.
$E_A$: Encryption with a key Trent shares with Alice.
$E_B$: Encryption with a key Trent shares with Bob.
$K$: The session key produced by Trent for communication between Bob and Alice.
$E_K$: Encryption with the session key $K$.
$I$: An index number.
$S_A$, $S_B$, $S_T$: A timestamp issued by Alice, Bob, or Trent, respectively.
$L$: The lifetime of timestamps.
$N_A$, $N_B$: A nonce chosen by Alice or Bob, respectively.
$M$: An additional nonce.

In addition, we have to denote the direction of message passing. We will for instance write $A \to B$ when a message is sent from Alice to Bob, or $T \to A$ if Trent sends a message to Alice.

For the definition of protocols we will employ the notation we have used so far during the handouts. Since our notation varies somewhat from the notation for cryptographic protocols used in many textbooks and research papers, here is a brief comparison. If we write

$A \to B : S_A \| A \| E_K(B \| N_A \| M)$

this means that Alice sends Bob the concatenation of a timestamp, Alice’s name, and the encryption, under Alice’s and Bob’s shared key, of Bob’s name, a nonce and the plaintext. One can express this in security protocol notation as

$A \to B : S_A, A, \{B, N_A, M\}_K$

where $\{M\}_K$ means everything inside the curly brackets is encrypted with key $K$.

II.5.1 Wide-Mouth Frog

Wide-mouth frog is a very simple protocol that transfers a key $K$ from Alice to Bob via Trent, using only two messages. It uses timestamps to synchronise clocks between the parties involved, which often makes it difficult to implement.
In addition the protocol relies on Alice to choose the session key $K$ and then transports this key over to Bob. This implies that Bob trusts Alice to be competent in making secure keys and keeping them secret. This is a very strong assumption and the main reason that this protocol is not used much in real life. However, it is very simple and gives a good example of how protocols are described.

[Figure: Wide-Mouth Frog message flow between Alice, Trent and Bob. Message 1: $A \| E_A(S_A \| K \| B)$; message 2: $E_B(S_T \| K \| A)$.]
First Alice sends her name together with an encrypted timestamp and session key to Trent.

$A \to T : A \| E_A(S_A \| K \| B)$

On obtaining the first message Trent decrypts the last part and checks that the timestamp is recent. This decrypted message tells Trent he should forward the key to Bob. If the timestamp is verified to be recent, Trent encrypts the key along with his timestamp and passes this encryption to Bob.

$T \to B : E_B(S_T \| K \| A)$

On obtaining this message Bob decrypts it and checks if the timestamp is recent; then he can recover both the key $K$ and the name of Alice, i.e., the person who wants to send data to him using this key. Observe that the concept of “recent” is left open for interpretation!

II.5.2 Needham-Schroeder

In Needham-Schroeder Alice initiates the communication directly with Bob, but first obtains the relevant information and session key $K$ from Trent. During the key exchange nonces are used to ensure authenticity of messages:

[Figure: Needham-Schroeder message flow between Alice, Trent and Bob. Message 1: $A \| B \| N_A$; message 2: $E_A(N_A \| K \| B \| E_B(K \| A))$; message 3: $E_B(K \| A)$; message 4: $E_K(N_B)$; message 5: $E_K(N_B - 1)$.]

First Alice sends a message to Trent identifying herself and Bob, telling Trent she wants to communicate with Bob:

$A \to T : A \| B \| N_A$

Trent generates $K$ and sends back to Alice two copies of the key: one decipherable by Alice and one encrypted with $E_B$ for Alice to forward to Bob. Since Alice may be requesting keys for several different people, the nonce $N_A$ assures Alice that the message is fresh and that Trent is replying to that particular message, and the inclusion of Bob’s name tells Alice who she is to share this key with:

$T \to A : E_A(N_A \| K \| B \| E_B(K \| A))$

Alice forwards the key to Bob, who can decrypt it with the key he shares with Trent, thus authenticating the data:

$A \to B : E_B(K \| A)$

Bob needs to check that the third message was not a replay.
So he needs to know if Alice is still alive; hence, in the fourth message he encrypts a nonce back to Alice:

$B \to A : E_K(N_B)$

Alice performs a simple operation on the nonce, re-encrypts it and sends it back, verifying that she is still alive and that she holds the key:

$A \to B : E_K(N_B - 1)$
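An added example, not part of the original handout: a Python simulation of the Wide-Mouth Frog and Needham-Schroeder exchanges described above, including the timestamp and nonce checks each party performs. The cipher `E`/`D` (a SHA-256 keystream with an HMAC tag, a stand-in rather than a vetted construction), the 30-second `WINDOW`, the `KEYS` table and all function names are assumptions made for illustration.

```python
import hashlib, hmac, json, os, secrets

WINDOW = 30  # seconds counted as "recent" (assumed; the handout leaves it open)
KEYS = {"A": os.urandom(32), "B": os.urandom(32)}  # long-term keys shared with Trent

def _stream(key, iv, n):  # toy keystream: SHA-256 in counter mode
    return b"".join(hashlib.sha256(key + iv + bytes([i])).digest()
                    for i in range(n // 32 + 1))[:n]

def E(key, *fields):  # E_key(f1 || f2 || ...): encrypt, then append an HMAC tag
    pt, iv = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _stream(key, iv, len(pt))))
    return (iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()).hex()

def D(key, blob):  # inverse of E; raises if the blob was modified or the key is wrong
    raw = bytes.fromhex(blob)
    iv, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, iv, len(ct)))))

def check_recent(stamp, clock):
    if abs(clock - stamp) > WINDOW:
        raise ValueError("timestamp not recent")

def wide_mouth_frog(alice_clock, trent_clock, bob_clock):
    K = secrets.token_hex(16)                             # Alice chooses K
    name, box = "A", E(KEYS["A"], alice_clock, K, "B")    # 1. A -> T
    s_a, k, dest = D(KEYS[name], box)                     # Trent decrypts with A's key
    check_recent(s_a, trent_clock)
    m2 = E(KEYS[dest], trent_clock, k, name)              # 2. T -> B
    s_t, k_bob, sender = D(KEYS["B"], m2)                 # Bob decrypts
    check_recent(s_t, bob_clock)
    return K, k_bob, sender

def needham_schroeder():
    n_a = secrets.randbits(64)                            # 1. A -> T: A || B || N_A
    K = secrets.token_hex(16)                             # Trent generates K
    m2 = E(KEYS["A"], n_a, K, "B", E(KEYS["B"], K, "A"))  # 2. T -> A
    n, k_alice, peer, ticket = D(KEYS["A"], m2)
    if (n, peer) != (n_a, "B"):
        raise ValueError("reply does not answer Alice's request")
    k_bob, sender = D(KEYS["B"], ticket)                  # 3. A -> B: E_B(K || A)
    n_b = secrets.randbits(64)
    m4 = E(bytes.fromhex(k_bob), n_b)                     # 4. B -> A
    m5 = E(bytes.fromhex(k_alice), D(bytes.fromhex(k_alice), m4)[0] - 1)  # 5. A -> B
    if D(bytes.fromhex(k_bob), m5) != [n_b - 1]:
        raise ValueError("Alice did not prove she holds K")
    return k_alice, k_bob, sender
```

Both functions return the key as each side sees it plus the sender name Bob recovers; a timestamp outside `WINDOW` or a modified ciphertext raises `ValueError` instead.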