Key Establishment Techniques:Key Establishment Techniques:Key Distribution and Key AgreementKey Distribution and Key Agreement

Wade Trappe

Key Establishment: The problemKey Establishment: The problem

Securing communication requires that the data is encrypted before being transmitted.

Associated with encryption and decryption are keys that must be shared by the participants.

The problem of securing the data then becomes the problem of securing the establishment of keys.

Task: If the participants do not physically meet, then how do the participants establish a shared key?

Two types of key establishment:– Key Agreement

– Key Distribution

Key DistributionKey Distribution

Key Agreement protocols: the key isn’t determined until after the protocol is performed.

Key Distribution protocols: one party generates the key and distributes it to Bob and/or Alice (Shamir’s 3pass, Kerberos).

Shamir’s Three-Pass Protocol:– Alice generates and Bob generates . – A key K is distributed by:

Alice BobpmodKK a1

pmodKK b12

pmodKK1a

23

pmodKK1b

3

Bob Calculates:

*pZa *

pZb

Basic TTP Key Distribution Basic TTP Key Distribution

KDC

Ka

Kb

Step 1Step 2

1. A Sends: {Request || IDA || IDB || N1}

2. KDC Sends: EKa[ KAB|| {Request || IDA || IDB || N1}||EKb(KAB, IDA)]

Step 3

Step 4

3. A Sends: EKb(KAB, IDA)

Step 5

4. B Sends: EKAB(N2) 5. A Sends: EKAB(f(N2))

Key AgreementKey Agreement

In many scenarios, it is desirable for two parties to exchange messages in order to establish a shared secret that may be used to generate a key.

The Diffie-Hellman (DH) protocol is a basic tool used to establish shared keys in two-party communication. Two parties, A and B, establish a shared secret by:

The security of the DH scheme is based upon the intractibility of the Diffie-Hellman Problem:

The Diffie-Hellman scheme can be extended to work on arbitrary groups (e.g. Elliptic Curves).

Given a prime p, a generator g of , and elements and ,

it is computationally difficult to find .

*pZ pmodga pmodgb

pmodgab

pmodgpmodg:Bpmodgpmodg:A

pmodg:ABpmodg:BA

abbaabab

ba

Intruder In The MiddleIntruder In The Middle

The Intruder-in-the-Middle attack on Diffie-Hellman is based upon the following strategy to improve one’s chess ranking:– Eve challenges two grandmasters, and uses GM1’s moves against GM2.

Eve can either win one game, or tie both games.

Eve has and can perform the Intruder-in-the-Middle attack by:

Alice BobEvepmodga pmodgb

pmodgz pmodgzCalculates

pmodgKza

AE pmodgKzb

BE

Calculates

Calculates

BEAE K,K

Decrypts data with KBE

Decrypts data with KAE, uses data and encrypts with KBE

Encrypts data with KAE

DATAEAEK DATAE

BEK

Begins DH Begins DH

*pZz

Station-to-Station ProtocolStation-to-Station Protocol

Digital signatures can be used to prevent this protocol failure (STS Protocol).

A digital signature is a scheme that ties a message and its author together.– Private sig( ) function and Public ver( ) function.

Alice Bobpmodga

abBK

b g,gsigE,pmodg

baAK g,gsigE

pmodgKba

Calculates

pmodgKab

Calculates

Decrypts to get:

abB g,gsig

Verifies sigVerifies sig

N-to-N Group Key EstablishmentN-to-N Group Key Establishment

Many group scenarios require contributory key establishment protocols. 1-to-1 Key Establishment: Diffie-Hellman (DH) protocol Two parties, A and B, establish a shared secret by:

Extensions to multi-user scenarios:– Ingemarsson: Requires N-1 rounds and O(N2) exponentiations– Burmester-Desmedt: Requires 2 rounds but full broadcast– GDH (Steiner et al.): Requires N rounds and O(N) exp.

pmodgpmodg:Bpmodgpmodg:A

pmodg:ABpmodg:BA

abbaabab

ba

Butterfly Group Diffie-HellmanButterfly Group Diffie-Hellman

u1

u2

u3

u4

u5

u6

u7

u8

Example:

pmodgx

pmodg:uu

pmodg:uu

21

2

1

11

12

21

pmodgx

pmodg:uu

pmodg:uu

12

11

12

11

xx21

x13

x31

pmodgx

pmodg:uu

pmodg:uu

22

21

22

21

xx31

x15

x51

Can be extended to arbitrary radix b using Ingemarsson as the basic building block.

Total Rounds:

Total Messages:

Optimal radix in both cases is 2.

Nlog)1b(TR b

NlogN)1b(TM b

The Conference TreeThe Conference Tree

Group key formation procedure is described by:– Communication flow diagram

– Conference Tree

Conference tree describes the subgroups and subgroup keys.

K000 K001 K010 K011 K100 K101 K110 K111

K00K01 K10 K11

u2

u3

u4

u5

u6

u7

u8

u1

K0 K1

K

Making PrimesMaking Primes

Fact: Let n be an odd prime and let , where r is odd. Let a be any integer such that gcd(a,n)=1. Then either or for some .

Definition: Let n be an odd composite with . Let

. If either or , for some then n is a strong pseudoprime base a, and a is a strong liar for n.

Fact: If n is an odd composite integer, then at most 1/4 of the numbers a are strong liars for n.

We can use this in a Monte-Carlo algorithm to produce “primes”:– Test t different a’s.

– Probability of falsely identifying a prime is

r21n s nmod1a r

nmod1a r2 j 1sj0

r21n s

1n,1a nmod1a r2 j nmod1a r

1sj0

t41