Key Exchange With Public Key Cryptography
• With no trusted arbitrator
• Alice sends Bob her public key
• Bob sends Alice his public key
• Alice generates a session key and sends it to Bob encrypted with his public key, signed with her private key
• Bob decrypts Alice’s message with his private key
• Encrypt session with shared session key
Lecture 6 Page 1 CS 236 Online

Basic Key Exchange Using PK
[Diagram: Alice holds $K_{EA}$, $K_{DA}$; Bob holds $K_{EB}$, $K_{DB}$]
• Alice → Bob: “Alice’s PK is $K_{DA}$”
• Bob → Alice: “Bob’s PK is $K_{DB}$”
• Alice → Bob: $E_{K_{EA}}(E_{K_{DB}}(K_S))$
• Bob verifies the message came from Alice, leaving $E_{K_{DB}}(K_S)$
• Bob extracts the key $K_S$ from the message

Man-in-the-Middle With Public Keys
[Diagram: Alice holds $K_{EA}$, $K_{DA}$; Mallory, in the middle, holds $K_{EM}$, $K_{DM}$; Bob holds $K_{EB}$, $K_{DB}$]
• Alice sends: “Alice’s PK is $K_{DA}$”
• Bob receives: “Alice’s PK is $K_{DM}$”
• Now Mallory can pose as Alice to Bob

And Bob Sends His Public Key
[Diagram: Alice holds $K_{EA}$, $K_{DA}$; Mallory, in the middle, holds $K_{EM}$, $K_{DM}$; Bob holds $K_{EB}$, $K_{DB}$]
• Bob sends: “Bob’s PK is $K_{DB}$”
• Alice receives: “Bob’s PK is $K_{DM}$”
• Now Mallory can pose as Bob to Alice

Alice Chooses a Session Key
[Diagram: Alice holds $K_{EA}$, $K_{DA}$; Mallory, in the middle, holds $K_{EM}$, $K_{DM}$; Bob holds $K_{EB}$, $K_{DB}$]
• Alice sends: $E_{K_{EA}}(E_{K_{DM}}(K_S))$
• Bob receives: $E_{K_{EM}}(E_{K_{DB}}(K_S))$
• Alice, Mallory and Bob each hold $K_S$
• Bob and Alice are sharing a session key
• Unfortunately, they’re also sharing it with Mallory

Combined Key Distribution and Authentication
• Usually the first requires the second
  – Not much good to be sure the key is a secret if you don’t know who you’re sharing it with
• How can we achieve both goals?
  – In a single protocol
  – With relatively few messages

Needham-Schroeder Key Exchange
• Uses symmetric cryptography
• Requires a trusted authority
  – Who takes care of generating the new key
• More complicated than some protocols we’ve seen

Needham-Schroeder, Step 1
[Diagram: Alice holds $K_A$ and $R_A$; Bob holds $K_B$; Trent holds $K_A$ and $K_B$]
• Alice → Trent: Alice, Bob, $R_A$

What’s the Point of $R_A$?
• $R_A$ is a random number chosen by Alice for this invocation of the protocol
  – Not used as a key, so quality of Alice’s random number generator not too important
• Helps defend against replay attacks
• This kind of random number is sometimes called a nonce

Needham-Schroeder, Step 2
[Diagram: Alice holds $K_A$ and $R_A$; Bob holds $K_B$; Trent holds $K_A$, $K_B$, $R_A$ and $K_S$]
• Trent → Alice: $E_{K_A}(R_A, \text{Bob}, K_S, E_{K_B}(K_S, \text{Alice}))$
• What’s all this stuff for?
  – Including $R_A$ prevents replay
  – Including Bob prevents attacker from replacing Bob’s identity
  – Including the encrypted message for Bob ensures Bob’s message can’t be replaced

Needham-Schroeder, Step 3
[Diagram: Alice holds $K_A$ and $K_S$; Bob holds $K_B$ and $K_S$; Trent holds $K_A$ and $K_B$]
• Alice → Bob: $E_{K_B}(K_S, \text{Alice})$
• So we’re done, right?
• Wrong!

Needham-Schroeder, Step 4
[Diagram: Alice holds $K_A$, $K_S$ and $R_B$; Bob holds $K_B$, $K_S$ and $R_B$; Trent holds $K_A$ and $K_B$]
• Bob → Alice: $E_{K_S}(R_B)$

Needham-Schroeder, Step 5
[Diagram: Alice holds $K_A$, $K_S$ and $R_B$; Bob holds $K_B$, $K_S$, $R_B$ and $R_B - 1$; Trent holds $K_A$ and $K_B$]
• Alice → Bob: $E_{K_S}(R_B - 1)$
• Now we’re done!

What’s All This Extra Stuff For?
[Diagram: Alice holds $K_A$ and $K_S$; Bob holds $K_B$; Trent holds $K_A$ and $K_B$]
• Message shown: $E_{K_A}(R_A, \text{Bob}, K_S, E_{K_B}(K_S, \text{Alice}))$
• Alice knows she’s talking to Bob
  – Trent said she was
• Can Mallory jump in later?
  – No, only Bob could read the key package Trent created

What’s All This Extra Stuff For?
[Diagram: Alice holds $K_A$ and $K_S$; Bob holds $K_B$ and $K_S$; Trent holds $K_A$ and $K_B$]
• Message shown: $E_{K_B}(K_S, \text{Alice})$
• Bob knows he’s talking to Alice
  – Trent said he was
• Can Mallory jump in later?
  – No, all later messages will use $K_S$, which Mallory doesn’t know
• What about those random numbers?

Mallory Causes Problems
• Alice and Bob do something Mallory likes
• Mallory watches the messages they send to do so
• Mallory wants to make them do it again
• Can Mallory replay the conversation?
  – Let’s try it without the random numbers

Mallory Waits For His Chance
[Diagram: Alice holds $K_A$; Bob holds $K_B$; Mallory sits between them; Trent holds $K_A$ and $K_B$]
• Messages shown:
  – Alice, Bob
  – $E_{K_A}(\text{Bob}, K_S, E_{K_B}(K_S, \text{Alice}))$

What Will Alice Do Now?
• The message could only have been created by Trent
• It properly indicates she wants to talk to Bob
• It contains a perfectly plausible key
• Alice will probably go ahead with the protocol

The Protocol Continues
[Diagram: Alice holds $K_A$ and $K_S$; Bob holds $K_B$ and $K_S$; Mallory sits between them; Trent holds $K_A$ and $K_B$]
• Message shown: $E_{K_B}(K_S, \text{Alice})$
• Mallory steps aside for a bit
• With no nonces, we’re done

So What’s the Problem?
• Alice and Bob agree $K_S$ is their key
  – They both know the key
  – Trent definitely created the key for them
  – Nobody else has the key
• But . . .

Mallory Steps Back Into the Picture
[Diagram: Alice holds $K_A$ and $K_S$; Bob holds $K_B$ and $K_S$; Mallory sits between them; Trent holds $K_A$ and $K_B$]
• Messages shown: $E_{K_S}(\text{Old message 1})$, $E_{K_S}(\text{Old message 2})$
• Mallory can replay Alice and Bob’s old conversation
• It’s using the current key, so Alice and Bob will accept it

How Do the Random Numbers Help?
• Alice’s random number assures her that the reply from Trent is fresh
• But why does Bob need another random number?

Why Bob Also Needs a Random Number
[Diagram: Alice holds $K_A$; Bob holds $K_B$ and $K_S$; Mallory sits between them; Trent holds $K_A$ and $K_B$]
• Message shown: $E_{K_B}(K_S, \text{Alice})$
• Let’s say Alice doesn’t want to talk to Bob
• But Mallory wants Bob to think Alice wants to talk

So What?
[Diagram: Bob holds $K_B$ and $K_S$; Mallory talks to Bob]
• Message shown: $E_{K_S}(\text{Old message 1})$
• Mallory can now play back an old message from Alice to Bob
• And Bob will have no reason to be suspicious
• Bob’s random number exchange assures him that Alice really wanted to talk

So, Everything’s Fine, Right?
• Not if any key $K_S$ ever gets divulged
• Once $K_S$ is divulged, Mallory can forge Alice’s response to Bob’s challenge
• And convince Bob that he’s talking to Alice when he’s really talking to Mallory

Mallory Cracks an Old Key
[Diagram: Bob holds $K_B$, $K_S$, $R_B$ and $R_B - 1$; Mallory holds $K_S$]
• Mallory compromises 10,000 computers belonging to 10,000 grandmothers to crack $K_S$
• Mallory → Bob: $E_{K_B}(K_S, \text{Alice})$
• Bob → Mallory: $E_{K_S}(R_B)$
• Unfortunately, Mallory knows $K_S$
• Mallory → Bob: $E_{K_S}(R_B - 1)$
• So Mallory can answer Bob’s challenge
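
The five Needham-Schroeder steps and the divulged-key weakness from the last two slides, as an added example that is not part of the lecture. The `seal`/`unseal` toy cipher (SHAKE-256 keystream plus HMAC) stands in for $E_K(\cdot)$; the function names, the JSON encoding and the demo keys are assumptions made for the demonstration.

```python
import hashlib, hmac, json, secrets

def seal(key, obj):
    # Toy authenticated encryption (SHAKE keystream + HMAC tag), standing in for E_K(...).
    pt, n = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + n).digest(len(pt))))
    return n + ct + hmac.new(key, n + ct, hashlib.sha256).digest()

def unseal(key, blob):
    n, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, n + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    pt = bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + n).digest(len(ct))))
    return json.loads(pt)

# K_A and K_B, each shared only with Trent (constructed for the demo).
KEYS = {"Alice": secrets.token_bytes(32), "Bob": secrets.token_bytes(32)}

def trent_reply(a, b, r_a):
    # Step 2: E_KA(R_A, Bob, K_S, E_KB(K_S, Alice))
    k_s = secrets.token_hex(32)
    ticket = seal(KEYS[b], [k_s, a])
    return seal(KEYS[a], [r_a, b, k_s, ticket.hex()])

def alice_accept(reply, r_a, peer):
    # Alice rejects a reply whose nonce or peer name is not the one she sent in step 1.
    got_r, got_peer, k_s, ticket = unseal(KEYS["Alice"], reply)
    if got_r != r_a or got_peer != peer:
        raise ValueError("stale or redirected reply")
    return bytes.fromhex(k_s), bytes.fromhex(ticket)

def bob_challenge(ticket):
    # Steps 3-4: Bob opens E_KB(K_S, Alice) and sends E_KS(R_B).
    k_s, claimed = unseal(KEYS["Bob"], ticket)
    k_s, r_b = bytes.fromhex(k_s), secrets.randbits(64)
    return k_s, claimed, r_b, seal(k_s, r_b)

def answer(k_s, challenge):
    # Step 5: any holder of K_S can produce E_KS(R_B - 1).
    return seal(k_s, unseal(k_s, challenge) - 1)

def bob_verify(k_s, r_b, response):
    return unseal(k_s, response) == r_b - 1

def handshake():
    r_a = secrets.randbits(64)
    reply = trent_reply("Alice", "Bob", r_a)
    k_s, ticket = alice_accept(reply, r_a, "Bob")
    bob_k, claimed, r_b, chal = bob_challenge(ticket)
    return reply, k_s, ticket, claimed, bob_verify(bob_k, r_b, answer(k_s, chal))
```

`alice_accept` rejects a Trent reply that carries the wrong $R_A$, which is the freshness check the nonce buys her. A ticket from `handshake()` can be handed to `bob_challenge` again at any later time: nothing in $E_{K_B}(K_S, \text{Alice})$ tells Bob how old it is, so whoever holds that $K_S$ passes `bob_verify`.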