Key Establishment Techniques: Key Distribution and Key Agreement
description
Transcript of Key Establishment Techniques: Key Distribution and Key Agreement
Key Establishment Techniques:Key Establishment Techniques:Key Distribution and Key AgreementKey Distribution and Key Agreement
Wade Trappe
Key Establishment: The problemKey Establishment: The problem
Securing communication requires that the data is encrypted before being transmitted.
Associated with encryption and decryption are keys that must be shared by the participants.
The problem of securing the data then becomes the problem of securing the establishment of keys.
Task: If the participants do not physically meet, then how do the participants establish a shared key?
Two types of key establishment:– Key Agreement
– Key Distribution
Key DistributionKey Distribution
Key Agreement protocols: the key isn’t determined until after the protocol is performed.
Key Distribution protocols: one party generates the key and distributes it to Bob and/or Alice (Shamir’s 3pass, Kerberos).
Shamir’s Three-Pass Protocol:– Alice generates and Bob generates . – A key K is distributed by:
Alice BobpmodKK a1
pmodKK b12
pmodKK1a
23
pmodKK1b
3
Bob Calculates:
*pZa *
pZb
Basic TTP Key Distribution Basic TTP Key Distribution
KDC
Ka
Kb
Step 1Step 2
1. A Sends: {Request || IDA || IDB || N1}
2. KDC Sends: EKa[ KAB|| {Request || IDA || IDB || N1}||EKb(KAB, IDA)]
Step 3
Step 4
3. A Sends: EKb(KAB, IDA)
Step 5
4. B Sends: EKAB(N2) 5. A Sends: EKAB(f(N2))
Key AgreementKey Agreement
In many scenarios, it is desirable for two parties to exchange messages in order to establish a shared secret that may be used to generate a key.
The Diffie-Hellman (DH) protocol is a basic tool used to establish shared keys in two-party communication. Two parties, A and B, establish a shared secret by:
The security of the DH scheme is based upon the intractibility of the Diffie-Hellman Problem:
The Diffie-Hellman scheme can be extended to work on arbitrary groups (e.g. Elliptic Curves).
Given a prime p, a generator g of , and elements and ,
it is computationally difficult to find .
*pZ pmodga pmodgb
pmodgab
pmodgpmodg:Bpmodgpmodg:A
pmodg:ABpmodg:BA
abbaabab
ba
Intruder In The MiddleIntruder In The Middle
The Intruder-in-the-Middle attack on Diffie-Hellman is based upon the following strategy to improve one’s chess ranking:– Eve challenges two grandmasters, and uses GM1’s moves against GM2.
Eve can either win one game, or tie both games.
Eve has and can perform the Intruder-in-the-Middle attack by:
Alice BobEvepmodga pmodgb
pmodgz pmodgzCalculates
pmodgKza
AE pmodgKzb
BE
Calculates
Calculates
BEAE K,K
Decrypts data with KBE
Decrypts data with KAE, uses data and encrypts with KBE
Encrypts data with KAE
DATAEAEK DATAE
BEK
Begins DH Begins DH
*pZz
Station-to-Station ProtocolStation-to-Station Protocol
Digital signatures can be used to prevent this protocol failure (STS Protocol).
A digital signature is a scheme that ties a message and its author together.– Private sig( ) function and Public ver( ) function.
Alice Bobpmodga
abBK
b g,gsigE,pmodg
baAK g,gsigE
pmodgKba
Calculates
pmodgKab
Calculates
Decrypts to get:
abB g,gsig
Verifies sigVerifies sig
N-to-N Group Key EstablishmentN-to-N Group Key Establishment
Many group scenarios require contributory key establishment protocols. 1-to-1 Key Establishment: Diffie-Hellman (DH) protocol Two parties, A and B, establish a shared secret by:
Extensions to multi-user scenarios:– Ingemarsson: Requires N-1 rounds and O(N2) exponentiations– Burmester-Desmedt: Requires 2 rounds but full broadcast– GDH (Steiner et al.): Requires N rounds and O(N) exp.
pmodgpmodg:Bpmodgpmodg:A
pmodg:ABpmodg:BA
abbaabab
ba
Butterfly Group Diffie-HellmanButterfly Group Diffie-Hellman
u1
u2
u3
u4
u5
u6
u7
u8
Example:
pmodgx
pmodg:uu
pmodg:uu
21
2
1
11
12
21
pmodgx
pmodg:uu
pmodg:uu
12
11
12
11
xx21
x13
x31
pmodgx
pmodg:uu
pmodg:uu
22
21
22
21
xx31
x15
x51
Can be extended to arbitrary radix b using Ingemarsson as the basic building block.
Total Rounds:
Total Messages:
Optimal radix in both cases is 2.
Nlog)1b(TR b
NlogN)1b(TM b
The Conference TreeThe Conference Tree
Group key formation procedure is described by:– Communication flow diagram
– Conference Tree
Conference tree describes the subgroups and subgroup keys.
K000 K001 K010 K011 K100 K101 K110 K111
K00K01 K10 K11
u2
u3
u4
u5
u6
u7
u8
u1
K0 K1
K
Making PrimesMaking Primes
Fact: Let n be an odd prime and let , where r is odd. Let a be any integer such that gcd(a,n)=1. Then either or for some .
Definition: Let n be an odd composite with . Let
. If either or , for some then n is a strong pseudoprime base a, and a is a strong liar for n.
Fact: If n is an odd composite integer, then at most 1/4 of the numbers a are strong liars for n.
We can use this in a Monte-Carlo algorithm to produce “primes”:– Test t different a’s.
– Probability of falsely identifying a prime is
r21n s nmod1a r
nmod1a r2 j 1sj0
r21n s
1n,1a nmod1a r2 j nmod1a r
1sj0
t41