Overview of Key Establishment
Overview of Key Establishment
Techniques:
Techniques:
Key Distribution, Key Agreement and PKI
Key Distribution, Key Agreement and PKI
Wade Trappe
Lecture Overview
Lecture Overview

We now begin our look at building protocols using the basic
tools that we have discussed.

The discussion in this lecture will focus on issues of key
establishment and the associated notion of authentication

These protocols are not real, but instead are meant to serve just
as a high-level survey

Later lectures will go into specific protocols and will uncover
practical challenges faced when implementing these protocols
Key Establishment: The problem
Key Establishment: The problem

Securing communication requires that the data is encrypted
before being transmitted.

Associated with encryption and decryption are keys that must be
shared by the participants.


The problem of securing the data then becomes the problem of
securing the establishment of keys.

Task: If the participants do not physically meet, then how do the
participants establish a shared key?

Two types of key establishment:
–
Key Agreement
–
Key Distribution
Key Distribution
Key Distribution

Key Agreement protocols: the key isn’t determined until after
the protocol is performed.

Key Distribution protocols: one party generates the key and
distributes it to Bob and/or Alice (Shamir’s 3pass, Kerberos).

Shamir’s Three-Pass Protocol:
–
Alice generates and Bob generates .
–
A key K is distributed by:
Alice Bob
pmodKK
a
1
=

pmodKK
b
1
2
=
( )
pmodKK
1
a
23
−
=
( )
pmodKK
1
b
3
−
=
Bob Calculates:
*
p
Za
∈
*
p
Zb
∈
Basic TTP Key Distribution
Basic TTP Key Distribution

KDC
K
a
K
b
Step 1
Step 2
1. A Sends: {Request || ID
A
|| ID
B
|| N
1
}
2. KDC Sends: E
Ka
[ K
AB
|| {Request || ID
A
|| ID
B
|| N
1
}||E
Kb
(K
AB
, ID
A

)]
Step 3
Step 4
3. A Sends: E
Kb
(K
AB
, ID
A
)
Step 5
4. B Sends: E
KAB
(N
2
)
5. A Sends: E
KAB
(f(N
2
))
Key Agreement
Key Agreement

In many scenarios, it is desirable for two parties to exchange messages in order to establish a shared secret that may be
used to generate a key.

The Diffie-Hellman (DH) protocol is a basic tool used to establish shared keys in two-party communication.

Two parties, A and B, establish a shared secret by:


The security of the DH scheme is based upon the intractibility of the Diffie-Hellman Problem:

The Diffie-Hellman scheme can be extended to work on arbitrary groups (e.g. Elliptic Curves).
Given a prime p, a generator g of , and elements and ,
it is computationally difficult to find .
*
p
Z
pmodg
a
pmodg
b
pmodg
ab
( ) ( )
pmodgpmodg:Bpmodgpmodg:A
pmodg:ABpmodg:BA
ab
b
aab
a
b
ba
==
→→
Intruder In The Middle
Intruder In The Middle

The Intruder-in-the-Middle attack on Diffie-Hellman is based upon

the following strategy to improve one’s chess ranking:
–
Eve challenges two grandmasters, and uses GM1’s moves against GM2.
Eve can either win one game, or tie both games.

Eve has and can perform the Intruder-in-the-Middle attack by:
Alice BobEve
pmodg
a
pmodg
b
pmodg
z
pmodg
z
Calculates
( )
pmodgK
z
a
AE
=
( )
pmodgK
z
b
BE
=
Calculates
Calculates

BEAE
K,K
Decrypts data
with K
BE
Decrypts data
with K
AE
, uses
data and
encrypts with
K
BE
Encrypts data
with K
AE
( )
DATAE
AE
K
( )
DATAE
BE
K
Begins DH
Begins DH
*
p
Zz ∈
Station-to-Station Protocol

Station-to-Station Protocol

Digital signatures can be used to prevent this protocol failure (STS
Protocol).

A digital signature is a scheme that ties a message and its author
together.
–
Private sig( ) function and Public ver( ) function.
Alice Bob
pmodg
a
( )( )
ab
BK
b
g,gsigE,pmodg
( )( )
ba
AK
g,gsigE
( )
pmodgK
b
a
=
Calculates
( )
pmodgK
a

b
=
Calculates
Decrypts to get:
( )
ab
B
g,gsig
Verifies sig
Verifies sig
N-to-N Group Key Establishment
N-to-N Group Key Establishment

Many group scenarios require contributory key establishment protocols.

1-to-1 Key Establishment: Diffie-Hellman (DH) protocol

Two parties, A and B, establish a shared secret by:

Extensions to multi-user scenarios:
–
Ingemarsson: Requires N-1 rounds and O(N
2
) exponentiations
–
Burmester-Desmedt: Requires 2 rounds but full broadcast
–
GDH (Steiner et al.): Requires N rounds and O(N) exp.
( ) ( )
pmodgpmodg:Bpmodgpmodg:A

pmodg:ABpmodg:BA
ab
b
aab
a
b
ba
==
→→
Butterfly Group Diffie-Hellman
Butterfly Group Diffie-Hellman
u
1
u
2
u
3
u
4
u
5
u
6
u
7
u
8
Example:
pmodgx
pmodg:uu

pmodg:uu
21
2
1
1
1
12
21
αα
α
α
=
→
→
pmodgx
pmodg:uu
pmodg:uu
1
2
1
1
1
2
1
1
xx
2
1
x
13

x
31
=
→
→
pmodgx
pmodg:uu
pmodg:uu
2
2
2
1
2
2
2
1
xx
3
1
x
15
x
51
=
→
→

Can be extended to arbitrary radix b using
Ingemarsson as the basic building block.


Total Rounds:

Total Messages:

Optimal radix in both cases is 2.
 
Nlog)1b(TR
b
−=
NlogN)1b(TM
b
−≈
The Conference Tree
The Conference Tree

Group key formation procedure is described by:
–
Communication flow diagram
–
Conference Tree

Conference tree describes the subgroups and subgroup keys.
K
000
K
001
K
010
K
011

K
100
K
101
K
110
K
111
K
00
K
01
K
10
K
11
u
2
u
3
u
4
u
5
u
6
u
7
u
8

u
1
K
0
K
1
K
ε
Distribution of Public Keys
Distribution of Public Keys

There are several techniques proposed for the distribution of
public keys:
–
Public announcement
–
Publicly available directory
–
Public key authority
–
Public key certificates
Public Announcement
Public Announcement

Idea: Each person can announce or broadcast their public key to
the world.

Example: People attach their PGP or RSA keys at the end of
their emails.


Weakness:
–
No authenticity: Anyone can forge such an announcement
–
User B could pretend to be User A, but really announce User B’s
public key.
Public Directory Service
Public Directory Service

Idea: Have a public directory or “phone book” of public keys.
This directory is under the control/maintenance of a trusted third
party (e.g. the government).

Involves:
–
Authority maintains a directory of {name, PK}
–
Each user registers public key. Registration should involve
authentication.
–
A user may replace or update keys.
–
Authority periodically publishes directory or updates to directory.
–
Participants can access directory through secure channel.

Weaknesses:
–
If private key of directory service is compromised, then opponent
can pretend to be directory service.

–
Directory is a single point of failure.
Public Key Authority
Public Key Authority

Idea: More security is achieved if the authority has tighter
control over who gets the keys.

Assumptions:
–
Central authority maintains a dynamic directory of public keys of
all users.
–
Central authority only gives keys out based on requests.
–
Each user knows the public key of the authority.

Weaknesses:
–
Public Key Authority is a single point of failure.
–
User has to contact PK Authority, thus the PK Authority can be a
bottleneck for service.
Public Key Authority, protocol
Public Key Authority, protocol
PK Auth
A
B
Step 1
Step 2

1. A Sends: {Request || Time1}
2. PK Auth: E
dAuth
[ e
B
|| {Request || Time1}]
Step 3
Step 6
3. A Sends B: E
eB
(ID
A
||N
1
)
Step 7
4 and 5. B does steps 1 and 2.
6. B Sends: E
eA
(N
1
||N
2
)
Step 4
Step 5
7. A Sends: E
eB
(N
2

)
Public Key Certificates
Public Key Certificates

Idea: Use certificates! Participants exchange keys without
contacting a PK Authority in a way that is reliable.

Certificates contain:
–
A public key (created/verified by a certificate authority).
–
Other information.

Certificates are given to a participant using the authority’s
private key.

A participant conveys its key information to another by
transmitting its certificate.

Other parties can verify that the certificate was created/verified
by the authority.

Weakness:
–
Requires secure time synchronization.
Public Key Certificates, overview
Public Key Certificates, overview
Cert Auth
A
B

Give e
A
securely to CA
CertA = E
dAuth
{Time1||ID
A
||e
A
}
CertA
Cert B
Securely give e
B
to CA
CertB = E
dAuth
{Time2||ID
B
||e
B
}
Requirements:
•
Any participant can read a certificate to determine the name and public key of the certificate’s
owner.
•
Any participant can verify that the certificate originated from the certificate authority and is not
counterfeit.
•

Only the certificate authority can create and update certificates.
•
Any participant can verify the currency of the certificate.
X.509 PK Certificates
X.509 PK Certificates

X.509 is a very commonly used
public key certificate framework.

The certificate structure and
authentication protocols are used
in:
–
IP SEC
–
SSL
–
SET

X.509 Certificate Format:
–
Version 1/2/3
–
Serial is unique within the CA
–
First and last time of validity
Version
Cert Serial #
Algorithm & Parms
Issuer Name

Validity Time:
Not before/after
Subject Name
PK Info: Algorithm,
Parms, Key
. . .
Signature (w/ hash)
X.509 Certificate Chaining
X.509 Certificate Chaining

Its not feasible to have one CA for
a large group of users.

Suppose A knows CA X
1
, B knows
CA X
2
. If A does not know X
2
’s PK
then Cert
X2
(B) is useless to A.

If X1 and X2 have certified each
other then A can get B’s PK by:
–
A obtains CertX1(X2)
–

A obtains CertX2(B)
–
Because B has a trusted copy
of X2’s PK, A can verify B’s
certificate and get B’s PK.

Certificate Chain:
–
{CertX1(X2)|| CertX2(B)}

Procedure can be generalized to
more levels.
A B
X
1
X
2
{Cert
X1
(X2)|| Cert
X2
(B)}
Cert
X1
(X2)
Cert
X2
(X1)