Post on 09-Jan-2016
description
1
Recent developments in
group key exchange
Mike Burmester
Information Security Summer School 2005Florida State University
2
Outline 1. Secure Communication2. Key Distribution the Diffie-Hellman protocol
variants, attacks authentication conference protocols
3. Public Key Certificates trust-graphs hierarchical vs horizontal structures security
4. Conclusion
3
1. Secure Communication
Sender(Alice)
Receiver(Bob)
message
Adversary
Security issues
• authenticity• denial of service, etc.
• privacy
4
Symmetric keys (privacy)
Alice Bob
E D
private channel
SK SK
Security issue• How to distribute the secret key SK
plaintext ciphertext plaintext
5
Public Keys (privacy)
Alice Bob
E D
• It should be hard to compute SKB from PKB
• How do we distribute PKB
plaintext ciphertext plaintext
Security issues
SKBPKB
Authentication channelf
6
Public Keys (digital signatures)
Alice Bob
S V
SKA PKA
• It should be hard to compute SKA from PKA
• How to distribute PKA
m m, sigSKA m or
Authentication channel
Security issues
f
7
2. Key Exchange protocols the Diffie-Hellman protocol
Zp = {0,1,…,p-1}, p prime, g a generator of Zp*
Alice Bobgsa mod p
gsb mod p
Bob’s Public Key gsb: 0 < sa< p-1, private key sb
Alice’s Public Key gsa: 0 < sa< p-1, private key sa
Key Exchanged: SK = gsasb mod p
8
Freshness of keys
If the same key is used many times then the security of the system may be undermined.
It should be hard to compute SK from PK.
Security
9
What if 3 or more parties want to sha re a common secret key?
A
C
ED
B
F
K/SKAB
K/SKBD
1. Use DH to get: SKAB , SKBD , SKBE , SKAC , SKCF .
2. .A selects the secret key K at random from Zp*.
K/SKAC
4. B gets K from K /SKAB and sends K/SKAC to D, etc.
3. .A sends K/SKAB to B and K/SKAC to C.
10
Group Key Exchange – contributory schemes
Un-1
Un
U2 U3
U1 Round 1: Use DH
Ui broadcasts zi = gri
11
Group Key Exchange
Un-1
Un
U2 U3
U1
Round 1:
Each Ui computes the DH key:
Ki = gri ri+1
Ki2
Kn-1n
K23
Knn-1
…
…
12
Group Key Exchange
Un-1
Un
U2 U3
U1
Ki2
Kn-1n
K23
Knn-1
…
…
Round 1: endGroup Key K = K1K2 … Kn
Where Ki = Ki,i+1
But how????
13
Group Key Exchange
Un-1
Un
U2 U3
U1
Ki
Kn
K2
Kn-1
…
…
Round 2:
Ui broadcasts xi = Ki/Ki-1
14
Group Key Exchange
Un-1
Un
U2 U3
U1
Ki
Kn
K2
Kn-1
…
…
Round 2:
Each Ui computes
the key:
K = Ki-1n zi
n-1 zi+1n-2 … zi-2
= Ki-1n
(Ki/Ki-1)n-1(Ki+1/Ki)n-2… (Ki-1/Ki-2)
15
Authentication 1
How does Alice know that the “shared” secret key has been distributed to all the parties in the conference?
16
Group Key Exchange – authentication
Each Ui authenticates (digitally signs) its
• randomness ri
• its zi and xi
and after checking them authenticates the string: • {Ui}|| {ri} || {zi} || {xi}
17
Authentication 2
How can Alice be certain which key is Bob’s public key?
2. They may have mutual friends who know theirpublic keys:
Alice Carol Bob, orAlice Carol . . . Bob
Case 1 establishes an a priori trust relationshipCase 2 establishes an induced trust relationship
1. They may have met earlier and exchanged public keys.
18
3. Public Key Certificates
Who is who?
PK CERTIFICATEThe public key of Bob is: 010010010 …..
Signed by a Certifying Authority
A PK Certificate establishes authenticity andprovides a means by which a public key can be stored in partially insecure repositories, or transmitted over insecure channels.
19
Trust-graphs
A
C
ED
B
F
CAB
CBD
CAC
Certificates can be used to Model the confidence of a network in its public keys by a directed trust-graph, with vertices the entities and edges the certificates.
CBE CCF
20
A priori confidence:This is corroborated by the certificates.
Trust-graphs
Induced confidence:This is established by trust-paths that link the entities in the trust-graph.
21
A hierarchical infrastructure
U1 U2U3
U4
CA1CA2
RCA
The public key of U4 is certified by the trust-path: RCA CA2 U4
22
Security issues
A hacker can penetrate a CA or its
computer system and forge certificates or
get certificates for unauthorized users.
23
Threats
1. Whom should we trust (and for what)?2. Which Bob is it?
3. Organizational (insider) attacks
4. Computer system threats: How secure is the computer system of the Certifying Authority? How secure is the computer system of Bob?
24
PGP: an unstructured approach
Pretty Good Privacy is a freeware electronicmail system that uses an unstructuredauthentication framework.Users are free to decide whom they trust.PGP does not specify any specific structure for the trust-graph and for this reason is quite vulnerable.
A A1 . . . An B
25
A horizontal approach: multiple connectivity
If the trust-graph is (2k+1)-connected thenthere are 2k+1 vertex disjoint trust-paths which connect any two of its vertices
26
A 3-connected trust-graph
A B
27
Combining horizontal and hierarchical structures
U1
U2
U3
U4
28
Security
A secure authentication infrastructure must be, reliable, robust and survivable.
Reliability deals with faults that occur in a
random manner, and is achieved by replication.
Robustness deals with maliciously inducedfaults.
29
Survivability deals with the destruction of parts of the infrastructure.
The destruction may affect the entities (e.g. the CA’s) as well as stored data, and may be malicious.
For survivability, the remaining entities should be able to recover enough of the infrastructure to guarantee secure communication.
30
Survivability
Reconstruction of a corrupted trust-graph
Entity A asks all its neighbors for a list of their neighbors,
the neighbors of their neighbors, etc
U1 U2 U3 . . . . . . . . . . . . Un
A
faultyAdversary
31
Survivability
Some of the neighbors are under the control of the Adversary and may send fake certificates, relating to other entities, real or bogus.
Is it possible to reconstruct a sufficiently good approximation of the trust-graph?
Problem
32
Survivability
AnswerYes, provided that there is a bound on the number of penetrated or destroyed cites, and that the trust-graph is sufficiently connected.
33
Reconstructing a corrupted trust-graph
The reconstruction involves several stages.
• Round Robin flooding
• a Halting routine
• a Clean-up routine
34
Conclusion
Secure key exchange can be achieved in several ways by using cryptographic mechanisms.
Clearly there is a trade off between the securityrequirements and the complexity.
35
Conclusion
If the public keys are authenticated via singletrust paths then the system is vulnerable to anypenetration.
By having several vertex disjoint authenticationpaths linking the entities we get robustness against penetration and survivability.