Introduction to Cryptography
Security Protocols
Jim Royer
October 9, 2018

Crypto ❖ Security Protocols 1

References

◮ ”Key Establishment,” Chapter 13 of Understanding Cryptography by Paar & Pelzl
◮ Wide Mouth Frog Protocol from Wikipedia
  https://en.wikipedia.org/wiki/Wide_Mouth_Frog_protocol
◮ Explain like I’m 5: Kerberos by Lynn Root
  http://www.roguelynn.com/words/explain-like-im-5-kerberos/
◮ Secure Electronic Transaction from Wikipedia
  https://en.wikipedia.org/wiki/Secure_Electronic_Transaction

Having PKC’s Does Not End Our Problems

How to distribute public keys?
◮ Bob can go to Alice’s web page for her public keys.
◮ But how does he know it is really Alice?
◮ Key exchange/distribution needs to include authentication.
◮ Here is an example of the problem ...

Recall: Diffie-Hellman Key Exchange

Alice & Bob want to exchange a ton of data using the nice & fast AES cryptosystem. But first they have to agree on a key.

Diffie-Hellman
Setup: $p$, a large prime (Pub) and $\alpha$, a prim. elem. of $\mathbb{Z}^*_p$ (Pub)
Alice: Picks $x \in_{\mathrm{ran}} \mathbb{Z}^*_{p-1}$ (Priv.) and sends $\alpha^x \pmod p$ to Bob
Bob: Picks $y \in_{\mathrm{ran}} \mathbb{Z}^*_{p-1}$ (Priv.) and sends $\alpha^y \pmod p$ to Alice
Alice: Computes $k = (\alpha^y)^x = \alpha^{xy} \pmod p$.
Bob: Computes $k = (\alpha^x)^y = \alpha^{xy} \pmod p$.
Eve: Knows $\alpha^x$ and $\alpha^y$, but wants $\alpha^{xy} \pmod p$.
The Man-in-the-Middle Attack

Alice ←→ Eve ←→ Bob

Eve: Chooses $z \in_{\mathrm{ran}} \mathbb{Z}^*_{p-1}$.
     Intercepts $\alpha^x$ and $\alpha^y$.
     Sends $\alpha^z$ to Alice and Bob.
Eve computes $k_{AE} = (\alpha^x)^z$ and $k_{BE} = (\alpha^y)^z$.
Alice believes she has exchanged a key with Bob.
Bob believes he has exchanged a key with Alice.
Eve reads everything & sends whatever she wants, spoofing Alice & Bob.
We need to fix this!!

Key Establishment Schemes

There are roughly two sorts of such schemes:
◮ Key agreement schemes (e.g., Diffie-Hellman)
  Parties jointly generate a secret key
◮ Key Transport Schemes (examples below)
  One party (Trent) generates & distributes secret keys.
  Trent = Trusted Authority
One reason we want robust, low-overhead key establishment schemes is that we want session keys: keys that are good only for a very limited time. (Why?)

Station to Station (STS) Protocol

Use signatures & a trusted authority (Trent) to defend against MiM. (Diffie, van Oorschot, & Wiener).
More details: https://en.wikipedia.org/wiki/Station-to-Station_protocol

Setup: Each user $U$ has
  $sig_U$ — a signature algorithm
  $ver_U$ — a verification algorithm (established by Trent)
  $p$, a prime
  $\alpha$, a primitive element of $\mathbb{Z}^*_p$
Alice: Chooses $x \in_{\mathrm{ran}} \mathbb{Z}^*_{p-1}$ and computes $\alpha^x \pmod p$.
Bob: Chooses $y \in_{\mathrm{ran}} \mathbb{Z}^*_{p-1}$ and computes $\alpha^y \pmod p$.
More...

Station to Station, Continued

$E_k(\cdot)$ & $D_k(\cdot)$ - say AES

Alice: Sends $\alpha^x$ to Bob.
Bob: Computes $k = (\alpha^x)^y$.
     Sends $\alpha^y$ and $E_k(sig_B(\alpha^y, \alpha^x))$ to Alice.
Alice: Computes $k = (\alpha^y)^x$.
     Decrypts $E_k(sig_B(\alpha^y, \alpha^x))$ and obtains $sig_B(\alpha^y, \alpha^x)$.
     Asks Trent to verify that $ver_B$ is Bob’s verification alg.
     Uses $ver_B$ to verify Bob’s signature.
     Sends $E_k(sig_A(\alpha^x, \alpha^y))$ to Bob.
Bob: Decrypts $E_k(sig_A(\alpha^x, \alpha^y))$ & obtains $sig_A(\alpha^x, \alpha^y)$.
     Asks Trent to verify that $ver_A$ is A’s verification alg.
     Uses $ver_A$ to verify Alice’s sig.

Alice is assured that
◮ Bob can compute $k$ (Why?)
◮ No one but A&B can compute $k$ (Why?)

Bob is assured that
◮ Alice can compute $k$ (Why?)
◮ No one but A&B can compute $k$ (Why?)
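The key substitution from the man-in-the-middle slide and the STS signature check that exposes it, as an added example that is not part of the original slides. It narrows STS to Bob's signature as seen by Alice and omits the $E_k$ wrapping; the toy primes, the base 3, the textbook RSA signatures and all function names are assumptions made for illustration.

```python
# Added example: Diffie-Hellman key substitution vs. the STS signature check.
# Toy parameters and textbook RSA signatures, constructed for illustration only.
import hashlib
import secrets

P = 2**127 - 1   # toy public prime
ALPHA = 3        # toy public base (not checked to be a primitive element)

def keypair(p1, p2, e=65537):
    """Textbook RSA from two primes: returns (signing key, verification key)."""
    n = p1 * p2
    d = pow(e, -1, (p1 - 1) * (p2 - 1))
    return (n, d), (n, e)

def digest(n, *values):
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(sig_key, *values):
    n, d = sig_key
    return pow(digest(n, *values), d, n)

def verify(ver_key, signature, *values):
    n, e = ver_key
    return pow(signature, e, n) == digest(n, *values)

def run(eve_in_middle):
    """One exchange; returns (keys_match, bob_signature_verifies_for_alice)."""
    sig_b, ver_b = keypair(2**61 - 1, 2**89 - 1)   # Trent vouches for ver_B
    x = secrets.randbelow(P - 3) + 2               # Alice's private exponent
    y = secrets.randbelow(P - 3) + 2               # Bob's private exponent
    ax, ay = pow(ALPHA, x, P), pow(ALPHA, y, P)
    seen_by_bob, seen_by_alice = ax, ay
    if eve_in_middle:                              # Eve swaps both for alpha^z
        z = secrets.randbelow(P - 3) + 2
        seen_by_bob = seen_by_alice = pow(ALPHA, z, P)
    k_bob = pow(seen_by_bob, y, P)
    s = sign(sig_b, ay, seen_by_bob)               # sig_B(alpha^y, alpha^x)
    k_alice = pow(seen_by_alice, x, P)
    # Alice verifies against the value she received and the value she sent.
    ok = verify(ver_b, s, seen_by_alice, ax)
    return k_alice == k_bob, ok

if __name__ == "__main__":
    print("honest run:       ", run(False))
    print("with Eve between: ", run(True))
```

Eve can relay Bob's signature but cannot produce one over the values Alice actually saw, so verification fails whenever the exchanged values were replaced.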
Establishing Keys & Trusting the Result

Key Distribution
  A TA (Trent) and $n$ users + a secure channel between TA and each User
  TA sends $K$ to $n$ users securely.

Key Agreement
  Two users + a public network
  The users interact to agree on a key $K$.

Key Pre-Distribution
  TA and $n$ users + a pub. network + a secure channel between TA and each user
  For each pair of users $U$, $V$ ($U \neq V$)
  The TA constructs a key $K_{UV}$ ($= K_{VU}$) and sends it to $U$ and $V$ securely.
  ◮ $\binom{n}{2}$ messages: too many!
  ◮ each user stores $n - 1$ keys: too many!

Blom’s Distribution Scheme

$n$ = # of users, $p$ a prime $> n$, keys $\in \mathbb{Z}_p$

TA Setup
  The TA chooses $p$ as above (public) and $a, b, c \in_{\mathrm{ran}} \mathbb{Z}_p$ (private).
  For each user $U$, the TA chooses $r_U \in \mathbb{Z}_p$ (public), with $U \neq V \implies r_U \neq r_V$.
  For each user $U$, the TA computes (private):
    $a_U = a + b \cdot r_U \bmod p$
    $b_U = b + c \cdot r_U \bmod p$
  Sends $a_U$ and $b_U$ securely to $U$.

Setup for a user $U$
  $U$ constructs $g_U : x \mapsto (a_U + b_U \cdot x)$.

When Alice & Bob want to communicate
  Alice computes $K_{AB} = g_A(r_B)$ and Bob computes $K_{BA} = g_B(r_A)$.

Claim: $K_{AB} = K_{BA}$. (proof on board)

$$\begin{aligned}
K_{AB} &\equiv g_A(r_B) \\
&\equiv a_A + b_A \cdot r_B \\
&\equiv (a + b \cdot r_A) + (b + c \cdot r_A) \cdot r_B \\
&\equiv a + b \cdot (r_A + r_B) + c \cdot r_A \cdot r_B \\
&\equiv (a + b \cdot r_B) + (b + c \cdot r_B) \cdot r_A \\
&\equiv a_B + b_B \cdot r_A \\
&\equiv g_B(r_A) \\
&\equiv K_{BA}
\end{aligned}$$

Breaking Blom’s Scheme: I

Eve wants to determine $a$, $b$, and $c$.
She knows:
  $a_E = a + b \cdot r_E$
  $b_E = b + c \cdot r_E$
Two equations, three unknowns, no dice.

Eve also wants to determine $K_{AB}$.
She knows:
  $K_{AB} = a + b \cdot (r_A + r_B) + c \cdot (r_A \cdot r_B)$
  $a_E = a + b \cdot r_E$
  $b_E = b + c \cdot r_E$
Three equations, four unknowns: $a$, $b$, $c$, and $K_{AB}$.

Fact: For every possible value of $K_{AB}$, there is a solution for $a$, $b$, and $c$.

But what if Eve has a friend?
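Blom's scheme as set up above, as an added example that is not part of the original slides: it checks the claim $K_{AB} = K_{BA}$, builds for any guessed key a secret $(a, b, c)$ that agrees with Eve's single share (the Fact), and solves the equations that a second user's share adds. The prime, the $r$ values and all function names are constructed for illustration.

```python
# Added example: toy Blom scheme over Z_p. All concrete values are constructed.
import secrets

P = 2**31 - 1  # public prime, assumed larger than the number of users

def ta_setup(r_values, p=P):
    """TA picks private a, b, c and computes each user's share (a_U, b_U)."""
    a, b, c = (secrets.randbelow(p) for _ in range(3))
    shares = {r: ((a + b * r) % p, (b + c * r) % p) for r in r_values}
    return (a, b, c), shares

def pair_key(share, r_peer, p=P):
    """g_U(r_peer) = a_U + b_U * r_peer mod p."""
    return (share[0] + share[1] * r_peer) % p

def consistent_secret(k_guess, r_a, r_b, r_e, share_e, p=P):
    """One user: for ANY guessed K_AB there is an (a, b, c) that agrees
    with Eve's share, so her share alone rules out no key value."""
    a_e, b_e = share_e
    denom = (r_e - r_a) * (r_e - r_b) % p        # nonzero: the r values differ
    c = (k_guess - a_e - b_e * (r_a + r_b - r_e)) * pow(denom, -1, p) % p
    b = (b_e - c * r_e) % p
    a = (a_e - b * r_e) % p
    return a, b, c

def coalition_recover(r_e, share_e, r_o, share_o, p=P):
    """Two users: four linear equations pin down a, b, c exactly."""
    inv = pow((r_e - r_o) % p, -1, p)
    b = (share_e[0] - share_o[0]) * inv % p
    c = (share_e[1] - share_o[1]) * inv % p
    a = (share_e[0] - b * r_e) % p
    return a, b, c

if __name__ == "__main__":
    r = {"Alice": 11, "Bob": 22, "Eve": 33, "Oscar": 44}   # public r_U values
    secret, shares = ta_setup(r.values())
    k_ab = pair_key(shares[11], 22)
    print("K_AB == K_BA:", k_ab == pair_key(shares[22], 11))
    print("coalition recovers (a, b, c):",
          coalition_recover(33, shares[33], 44, shares[44]) == secret)
```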
Breaking Blom’s Scheme: II

Together Eve and Oscar know:
  $a_E \equiv a + b \cdot r_E \pmod p$
  $b_E \equiv b + c \cdot r_E \pmod p$
  $a_O \equiv a + b \cdot r_O \pmod p$
  $b_O \equiv b + c \cdot r_O \pmod p$
Four equations, three unknowns: $a$, $b$, and $c$.
So, Eve and Oscar together can break the scheme.
◮ The scheme can be generalized to be secure against coalitions of $k$ users — $k$ a parameter.
◮ E.g., There is a version that is secure against coalitions of 15 users, but fails against a 16 user coalition.

Transport Protocols

Alice chooses $k$ and sends it securely to Bob
...or
Trent acts as a key server:
  Alice tells Trent she wants to talk to Bob.
  Trent issues a key to Alice and Bob for the session.

Shamir’s Three Pass Protocol — Here Trent = Alice
Alice: Publishes a prime $p$ (with a hard discrete log problem)
       Chooses $a \in_{\mathrm{ran}} \mathbb{Z}^*_{p-1}$.
Bob: Chooses $b \in_{\mathrm{ran}} \mathbb{Z}^*_{p-1}$.
Alice: Sends $K_1 = K^a \bmod p$ to Bob.
Bob: Sends $K_2 = K_1^b \bmod p = K^{a \cdot b} \bmod p$ to Alice.
Alice: Sends $K_3 = K_2^{a^{-1}} \bmod p = K^b \bmod p$ to Bob.
Bob: Computes $K = K_3^{b^{-1}} \bmod p$.
Man-in-the-middle problems!

Authenticated Key Distributions, I

◮ Key pre-distribution schemes involve too much overhead to be practical. Typically, you want to refresh keys once every so often.
◮ An alternative is to have a trusted authority (our buddy Trent) issue new keys (securely) as needed.
◮ Authentication is a crucial issue.
  Eve can pretend to be Trent, Alice, Bob, ...
◮ Replay attacks
  • Eve records a valid interaction.
  • She repeats it later to pretend to be another party, or to tease out some response to compromise a key.
  • To protect against this, we need to keep keys etc. confidential and guarantee each message is fresh (i.e., not a replay).
◮ For confidentiality ...initially shared keys
◮ For freshness: sequence numbers, timestamps, and nonces

Authenticated Key Distributions, II

Sequence numbers: Each message has a sequence number (i.e., “This is the 137th message I’ve sent you”).
  This entails lots of bookkeeping.
Timestamps: Each message has an expiration date.
  This requires a “global clock”.
Nonces: A challenge message issued only once.
  Requires a correct response for validity.
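The three freshness mechanisms from the slide above applied to one authenticated message, as an added example that is not part of the original slides. The shared key, the message fields, the HMAC-SHA256 tag and the class and function names are assumptions; a real protocol would usually pick one mechanism, and all three are checked here to show what state each one needs.

```python
# Added example: sequence number, expiry time and nonce checks on a message
# authenticated with an initially shared key. All values are constructed.
import hashlib
import hmac
import json
import secrets

KEY = b"initially shared key (constructed)"

def tag(*fields):
    """HMAC over an unambiguous JSON encoding of the fields."""
    return hmac.new(KEY, json.dumps(fields).encode(), hashlib.sha256).digest()

def seal(body, seq, expires, nonce):
    return {"body": body, "seq": seq, "expires": expires, "nonce": nonce,
            "tag": tag(body, seq, expires, nonce)}

class Receiver:
    def __init__(self):
        self.last_seq = 0        # sequence numbers: bookkeeping per sender
        self.challenge = None    # nonces: one outstanding challenge, used once

    def new_challenge(self):
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def accept(self, m, now):
        """Return 'fresh' or the reason the message is rejected."""
        expected = tag(m["body"], m["seq"], m["expires"], m["nonce"])
        if not hmac.compare_digest(m["tag"], expected):
            return "bad tag"
        if m["seq"] <= self.last_seq:
            return "stale sequence number"
        if now > m["expires"]:               # timestamps: needs a shared clock
            return "expired"
        if self.challenge is None or m["nonce"] != self.challenge:
            return "nonce mismatch"
        self.last_seq, self.challenge = m["seq"], None
        return "fresh"

if __name__ == "__main__":
    bob = Receiver()
    msg = seal("session key request", 1, 100, bob.new_challenge())
    print(bob.accept(msg, now=50))   # first delivery
    print(bob.accept(msg, now=51))   # the same bytes replayed
```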
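The three passes of Shamir's protocol from the Transport Protocols slide, as an added example that is not part of the original slides. It shows why the exponents are drawn from $\mathbb{Z}^*_{p-1}$: each must have an inverse modulo $p - 1$ for the unlocking steps to work. The toy prime and the function names are assumptions.

```python
# Added example: Shamir's three-pass protocol with a toy prime (constructed).
import math
import secrets

P = 2**127 - 1  # toy public prime published by Alice

def pick_exponent(p=P):
    """Pick e in Z*_{p-1}: gcd(e, p-1) = 1, so e is invertible mod p-1."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if math.gcd(e, p - 1) == 1:
            return e

def three_pass(K, p=P):
    """Return the three messages on the wire and the key Bob recovers."""
    a, b = pick_exponent(p), pick_exponent(p)       # private to Alice / Bob
    k1 = pow(K, a, p)                               # Alice -> Bob:   K^a
    k2 = pow(k1, b, p)                              # Bob -> Alice:   K^(a*b)
    k3 = pow(k2, pow(a, -1, p - 1), p)              # Alice -> Bob:   K^b
    recovered = pow(k3, pow(b, -1, p - 1), p)       # Bob removes his exponent
    return (k1, k2, k3), recovered

if __name__ == "__main__":
    key = secrets.randbelow(P - 2) + 2              # the key Alice transports
    messages, got = three_pass(key)
    print("Bob recovered Alice's key:", got == key)
```

None of the three messages is bound to a sender's identity, which is the gap the slide flags with "Man-in-the-middle problems!".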