Overview of Key Establishment Techniques:
Key Distribution, Key Agreement and PKI
Wade Trappe

Lecture Overview

We now begin our look at building protocols using the basic
tools that we have discussed.

The discussion in this lecture will focus on issues of key
establishment and the associated notion of authentication

These protocols are not real, but instead are meant to serve just
as a high-level survey

Later lectures will go into specific protocols and will uncover
practical challenges faced when implementing these protocols
Key Establishment: The problem

Securing communication requires that the data is encrypted
before being transmitted.

Associated with encryption and decryption are keys that must be
shared by the participants.


The problem of securing the data then becomes the problem of
securing the establishment of keys.

Task: If the participants do not physically meet, then how do the
participants establish a shared key?

Two types of key establishment:

Key Agreement

Key Distribution
Key Distribution

Key Agreement protocols: the key isn’t determined until after
the protocol is performed.

Key Distribution protocols: one party generates the key and
distributes it to Bob and/or Alice (Shamir's three-pass, Kerberos).

Shamir's Three-Pass Protocol:

Alice generates a ∈ Z_p^* and Bob generates b ∈ Z_p^*, each chosen with
gcd(a, p-1) = gcd(b, p-1) = 1 so that the inverses a^{-1} and b^{-1} exist modulo p-1.

A key K is distributed by:

Alice → Bob: K_1 = K^a mod p
Bob → Alice: K_2 = K_1^b mod p
Alice → Bob: K_3 = (K_2)^{a^{-1}} mod p

Bob calculates: K = (K_3)^{b^{-1}} mod p
Basic TTP Key Distribution

A shares K_a and B shares K_b with the key distribution center (KDC); K_AB is the session key the KDC issues.

1. A → KDC: {Request || ID_A || ID_B || N_1}
2. KDC → A: E_Ka[ K_AB || {Request || ID_A || ID_B || N_1} || E_Kb(K_AB, ID_A) ]
3. A → B: E_Kb(K_AB, ID_A)
4. B → A: E_KAB(N_2)
5. A → B: E_KAB(f(N_2))
Key Agreement

In many scenarios, it is desirable for two parties to exchange messages in order to establish a shared secret that may be
used to generate a key.

The Diffie-Hellman (DH) protocol is a basic tool used to establish shared keys in two-party communication.

Two parties, A and B, establish a shared secret by:

A → B: g^a mod p        B → A: g^b mod p
A: (g^b)^a mod p = g^ab mod p        B: (g^a)^b mod p = g^ab mod p

The security of the DH scheme is based upon the intractability of the Diffie-Hellman Problem:

Given a prime p, a generator g of Z_p^*, and elements g^a mod p and g^b mod p,
it is computationally difficult to find g^ab mod p.

The Diffie-Hellman scheme can be extended to work on arbitrary groups (e.g. elliptic curves).
Intruder In The Middle

The Intruder-in-the-Middle attack on Diffie-Hellman is based upon
the following strategy to improve one's chess ranking:

Eve challenges two grandmasters, and uses GM1's moves against GM2.
Eve can either win one game, or tie both games.

Eve has z ∈ Z_p^* and can perform the Intruder-in-the-Middle attack by:

Alice begins DH: Alice → Eve: g^a mod p; Eve → Bob: g^z mod p
Bob begins DH: Bob → Eve: g^b mod p; Eve → Alice: g^z mod p

Alice calculates K_AE = (g^z)^a mod p
Bob calculates K_BE = (g^z)^b mod p
Eve calculates K_AE, K_BE

Alice encrypts data with K_AE: E_KAE(DATA) → Eve
Eve decrypts data with K_AE, uses data and encrypts with K_BE: E_KBE(DATA) → Bob
Bob decrypts data with K_BE
Station-to-Station Protocol

Digital signatures can be used to prevent this protocol failure (STS
Protocol).

A digital signature is a scheme that ties a message and its author
together.

Private sig( ) function and Public ver( ) function.

Alice → Bob: g^a mod p
Bob calculates K = (g^a)^b mod p
Bob → Alice: g^b mod p, E_K(sig_B(g^b, g^a))
Alice calculates K = (g^b)^a mod p
Alice decrypts to get sig_B(g^b, g^a) and verifies the signature
Alice → Bob: E_K(sig_A(g^a, g^b))
Bob decrypts and verifies the signature
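An added example, not from the lecture, running the STS exchange above with a Schnorr signature standing in for sig( )/ver( ) and a toy XOR pad standing in for E_K; the group (p = 2^31-1, g = 7), the long-term keys and the ephemeral exponents are constructed for illustration.

```python
"""Station-to-Station (STS) handshake with a Schnorr signature (added example)."""
import hashlib
import secrets

# Constructed toy group: the Mersenne prime 2^31 - 1 with primitive root 7 (the
# Park-Miller generator). Real deployments use 2048-bit or elliptic-curve groups.
p, g = 2**31 - 1, 7

def h(*parts):
    """Hash integers into Z_{p-1}: the Fiat-Shamir challenge for Schnorr."""
    digest = hashlib.sha256(repr(parts).encode()).digest()
    return int.from_bytes(digest, "big") % (p - 1)

def sig(x, *msg):
    """Schnorr signature under private key x (stands in for the slide's sig())."""
    k = secrets.randbelow(p - 2) + 1
    r = pow(g, k, p)
    return r, (k + x * h(r, *msg)) % (p - 1)

def ver(y, signature, *msg):
    """Public verification (the slide's ver()): g^s == r * y^h(r, msg) mod p."""
    r, s = signature
    return pow(g, s, p) == r * pow(y, h(r, *msg), p) % p

def enc(key, signature):
    """Toy E_K: XOR each signature component with a 32-bit pad derived from K."""
    pad = hashlib.sha256(str(key).encode()).digest()
    return (signature[0] ^ int.from_bytes(pad[:4], "big"),
            signature[1] ^ int.from_bytes(pad[4:8], "big"))

dec = enc  # the XOR pad is its own inverse

def sts(x_a, x_b, a, b):
    """Run STS with long-term keys x_a, x_b and ephemeral exponents a, b."""
    y_a, y_b = pow(g, x_a, p), pow(g, x_b, p)  # long-term public keys
    ga, gb = pow(g, a, p), pow(g, b, p)        # message 1: Alice -> Bob: g^a
    k_bob = pow(ga, b, p)                      # Bob: K = (g^a)^b mod p
    m2 = gb, enc(k_bob, sig(x_b, gb, ga))      # message 2: g^b, E_K(sig_B(g^b, g^a))
    k_alice = pow(m2[0], a, p)                 # Alice: K = (g^b)^a mod p
    # Alice checks Bob's signature over (g^b, g^a) using her OWN g^a: a value
    # substituted in transit would not verify, which is what defeats the MITM.
    alice_ok = ver(y_b, dec(k_alice, m2[1]), m2[0], ga)
    m3 = enc(k_alice, sig(x_a, ga, gb))        # message 3: E_K(sig_A(g^a, g^b))
    bob_ok = ver(y_a, dec(k_bob, m3), ga, gb)
    return k_alice, k_bob, alice_ok, bob_ok
```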
N-to-N Group Key Establishment

Many group scenarios require contributory key establishment protocols.

1-to-1 Key Establishment: Diffie-Hellman (DH) protocol

Two parties, A and B, establish a shared secret by:

A → B: g^a mod p        B → A: g^b mod p
A: (g^b)^a mod p = g^ab mod p        B: (g^a)^b mod p = g^ab mod p

Extensions to multi-user scenarios:

Ingemarsson: Requires N-1 rounds and O(N^2) exponentiations

Burmester-Desmedt: Requires 2 rounds but full broadcast

GDH (Steiner et al.): Requires N rounds and O(N) exp.
Butterfly Group Diffie-Hellman

Example: eight users u_1, ..., u_8.

Round 1: u_1 → u_2: g^{α_1} mod p; u_2 → u_1: g^{α_2} mod p; x_1^1 = g^{α_1 α_2} mod p
Round 2: u_1 → u_3: g^{x_1^1} mod p; u_3 → u_1: g^{x_3^1} mod p; x_1^2 = g^{x_1^1 x_3^1} mod p
Round 3: u_1 → u_5: g^{x_1^2} mod p; u_5 → u_1: g^{x_5^2} mod p; x_1^3 = g^{x_1^2 x_5^2} mod p

Can be extended to arbitrary radix b using
Ingemarsson as the basic building block.

Total Rounds: TR = (b-1) log_b N

Total Messages: TM ≈ (b-1) N log_b N

Optimal radix in both cases is 2.
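An added example (not the lecture's code) that runs the radix-2 butterfly for any N = 2^d users, generalising the N = 8 example above, and checks the round and message counts against the slide's TR and TM formulas; p, g and the users' secrets α_i are constructed toy values.

```python
"""Radix-2 butterfly group Diffie-Hellman for N = 2^d users (added example)."""
import math
import secrets

# Constructed toy group: the Mersenne prime 2^31 - 1 with primitive root 7.
P, G = 2**31 - 1, 7


def butterfly_gdh(n, alphas=None, p=P, g=G):
    """Return (per-user keys, rounds, messages); every key should be equal.

    In round r (0-based) user i pairs with user i XOR 2^r: round 0 pairs
    u_1/u_2, round 1 pairs u_1/u_3 (i.e. {u_1,u_2} with {u_3,u_4}), round 2
    pairs u_1/u_5, matching the slide. Each user sends g^(x_i) for its current
    subgroup secret x_i and then sets x_i = g^(x_i * x_partner) mod p.
    """
    if n <= 0 or n & (n - 1):
        raise ValueError("n must be a power of two")
    x = list(alphas) if alphas else [secrets.randbelow(p - 2) + 2 for _ in range(n)]
    rounds = n.bit_length() - 1  # log_2 N
    messages = 0
    for r in range(rounds):
        blinded = [pow(g, xi, p) for xi in x]  # g^(x_i) mod p, sent by every user
        messages += n
        x = [pow(blinded[i ^ (1 << r)], x[i], p) for i in range(n)]
    return x, rounds, messages


def slide_bounds(n, b=2):
    """TR = (b-1) log_b N and TM ~= (b-1) N log_b N, as given on the slide."""
    logb = round(math.log(n, b))
    return (b - 1) * logb, (b - 1) * n * logb
```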
The Conference Tree

Group key formation procedure is described by:

Communication flow diagram

Conference Tree

Conference tree describes the subgroups and subgroup keys.

[Figure: conference tree for u_1, ..., u_8. Leaf keys K_000, K_001, K_010, K_011, K_100, K_101, K_110, K_111 (one per user); subgroup keys K_00, K_01, K_10, K_11 and K_0, K_1; root (group) key K_ε.]
Distribution of Public Keys

There are several techniques proposed for the distribution of
public keys:

Public announcement

Publicly available directory

Public key authority

Public key certificates
Public Announcement

Idea: Each person can announce or broadcast their public key to
the world.

Example: People attach their PGP or RSA keys at the end of
their emails.


Weakness:

No authenticity: Anyone can forge such an announcement

User B could pretend to be User A, but really announce User B’s
public key.
Public Directory Service

Idea: Have a public directory or “phone book” of public keys.
This directory is under the control/maintenance of a trusted third
party (e.g. the government).

Involves:

Authority maintains a directory of {name, PK}

Each user registers public key. Registration should involve
authentication.

A user may replace or update keys.

Authority periodically publishes directory or updates to directory.

Participants can access directory through secure channel.

Weaknesses:

If private key of directory service is compromised, then opponent
can pretend to be directory service.


Directory is a single point of failure.
Public Key Authority

Idea: More security is achieved if the authority has tighter
control over who gets the keys.

Assumptions:

Central authority maintains a dynamic directory of public keys of
all users.

Central authority only gives keys out based on requests.

Each user knows the public key of the authority.

Weaknesses:

Public Key Authority is a single point of failure.

User has to contact PK Authority, thus the PK Authority can be a
bottleneck for service.
Public Key Authority, protocol

e_A and e_B are the public keys of A and B; d_Auth is the authority's private key.

1. A → PK Auth: {Request || Time1}
2. PK Auth → A: E_dAuth[ e_B || {Request || Time1} ]
3. A → B: E_eB(ID_A || N_1)
4 and 5. B does steps 1 and 2 (obtaining e_A).
6. B → A: E_eA(N_1 || N_2)
7. A → B: E_eB(N_2)
Public Key Certificates

Idea: Use certificates! Participants exchange keys without
contacting a PK Authority in a way that is reliable.

Certificates contain:

A public key (created/verified by a certificate authority).

Other information.

Certificates are issued to a participant signed with the authority's
private key.

A participant conveys its key information to another by
transmitting its certificate.

Other parties can verify that the certificate was created/verified
by the authority.

Weakness:

Requires secure time synchronization.
Public Key Certificates, overview

A gives e_A securely to the CA, which returns CertA = E_dAuth{Time1 || ID_A || e_A}.
B gives e_B securely to the CA, which returns CertB = E_dAuth{Time2 || ID_B || e_B}.
A and B then exchange CertA and CertB directly.
Requirements:

Any participant can read a certificate to determine the name and public key of the certificate’s
owner.

Any participant can verify that the certificate originated from the certificate authority and is not
counterfeit.


Only the certificate authority can create and update certificates.

Any participant can verify the currency of the certificate.
X.509 PK Certificates

X.509 is a very commonly used
public key certificate framework.

The certificate structure and
authentication protocols are used
in:

IPsec

SSL

SET

X.509 Certificate Format:

Version 1/2/3

Serial is unique within the CA

First and last time of validity

Certificate fields, in order: Version; Cert Serial #; Algorithm & Parms; Issuer Name; Validity Time: Not before/after; Subject Name; PK Info: Algorithm, Parms, Key; . . .; Signature (w/ hash)
X.509 Certificate Chaining

It's not feasible to have one CA for
a large group of users.

Suppose A knows CA X_1, B knows
CA X_2. If A does not know X_2's PK
then Cert_X2(B) is useless to A.

If X_1 and X_2 have certified each
other then A can get B's PK by:

A obtains Cert_X1(X_2)

A obtains Cert_X2(B)

Because A now has a trusted copy
of X_2's PK (from Cert_X1(X_2)), A can verify B's
certificate and get B's PK.

Certificate Chain:

{Cert_X1(X_2) || Cert_X2(B)}

Procedure can be generalized to
more levels.

[Figure: A trusts X_1 and B trusts X_2; X_1 and X_2 cross-certify each other (Cert_X1(X_2), Cert_X2(X_1)); A receives the chain {Cert_X1(X_2) || Cert_X2(B)}, while the direct A-B path is marked ×.]