16974 ch 15 key management
Key management
Key generation and key distribution
• A user must share a key for secure communication, but a user who wants to communicate with a million users would have to exchange a million keys
• Another solution is a KDC (key distribution center): each person shares a secret key with the KDC
KDC
• 1. A sends a request to the KDC for communication with B
• 2. The KDC asks B about A's request; if B agrees, a session key is established
• When the number of people increases, it becomes difficult for a single KDC to manage them all
Flat Multiple KDC
• Now multiple KDCs manage the people
• The whole world is divided into domains, and each domain contains multiple KDCs
Hierarchical Multiple KDC
Simple protocol using a KDC for a session key
Needham-Schroeder Protocol
Diffie-Hellman key agreement
• Users can create a session key between themselves without using a KDC
Diffie-Hellman
• All users agree on global parameters:
– a large prime integer or polynomial q
– a, a primitive root mod q
• Each user (e.g. A) generates their key:
– chooses a secret key (number): xA < q
– computes their public key: yA = a^xA mod q
• Each user makes their public key yA public
• The shared session key for users A and B is KAB:
KAB = a^(xA·xB) mod q
= yA^xB mod q (which B can compute)
= yB^xA mod q (which A can compute)
• KAB is used as the session key in a private-key encryption scheme between Alice and Bob
• If Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public keys
• An attacker needs one of the secret exponents x, and so must solve the discrete logarithm problem
Diffie-Hellman Example
• Users Alice and Bob wish to swap keys:
• Agree on prime q = 353 and a = 3
• Select random secret keys:
– A chooses xA = 97, B chooses xB = 233
• Compute respective public keys:
– yA = 3^97 mod 353 = 40 (Alice)
– yB = 3^233 mod 353 = 248 (Bob)
• Compute the shared session key as:
– KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)
– KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
• The key is formed from 3 parameters g, x, y (g is public)
• Everyone knows one third of the key
• The other 2 parts must be added by the 2 users to form the key
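The exchange above, run in code as an added example (this is not code from the slides; the function names are my own). It reproduces the slides' numbers with the built-in modular exponentiation, repeats the protocol with fresh random secrets, and then recovers the secret exponent by exhaustive search, which is feasible only because q = 353 is a teaching value; with a real-sized prime that search is the discrete logarithm problem the previous slide says an attacker must solve.

```python
import secrets


def dh_public(a: int, x: int, q: int) -> int:
    """Public value y = a^x mod q for secret exponent x."""
    return pow(a, x, q)


def dh_shared(y_peer: int, x_own: int, q: int) -> int:
    """Session key K = y_peer^x_own mod q; both sides reach a^(xA*xB) mod q."""
    return pow(y_peer, x_own, q)


def textbook_exchange():
    """The slides' worked example: q = 353, a = 3, xA = 97, xB = 233."""
    q, a = 353, 3
    x_a, x_b = 97, 233
    y_a = dh_public(a, x_a, q)        # Alice publishes 40
    y_b = dh_public(a, x_b, q)        # Bob publishes 248
    k_alice = dh_shared(y_b, x_a, q)  # Alice: 248^97 mod 353
    k_bob = dh_shared(y_a, x_b, q)    # Bob:   40^233 mod 353
    return y_a, y_b, k_alice, k_bob


def fresh_exchange(q: int, a: int):
    """Same protocol with random secrets 1 <= x < q; returns both sides' keys."""
    x_a = 1 + secrets.randbelow(q - 1)
    x_b = 1 + secrets.randbelow(q - 1)
    k_alice = dh_shared(dh_public(a, x_b, q), x_a, q)
    k_bob = dh_shared(dh_public(a, x_a, q), x_b, q)
    return k_alice, k_bob


def brute_force_dlog(a: int, y: int, q: int):
    """Recover x from y = a^x mod q by trying every exponent in turn.

    Costs up to q multiplications, so it only works for a toy modulus; for a
    2048-bit prime this search is exactly what the protocol relies on being
    infeasible."""
    acc = 1
    for x in range(q):
        if acc == y:
            return x
        acc = acc * a % q
    return None


if __name__ == "__main__":
    y_a, y_b, k_a, k_b = textbook_exchange()
    print(f"yA={y_a} yB={y_b} K(Alice)={k_a} K(Bob)={k_b}")
    print("xA recovered by brute force:", brute_force_dlog(3, y_a, 353))
```

Note that `brute_force_dlog` returns the smallest matching exponent; since 3 is a primitive root mod 353 the answer is unique and equals Alice's secret 97.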
Man-in-the-middle attack or bucket brigade
• The protocol has another weakness: the attacker does not need to find the users' secrets x, y; instead they form 2 keys, one with each user
Station-to-station key agreement
• It is a method based on DH
• It uses a digital signature with a public-key certificate to establish a session key
• 1. Calculate r1 and send it to the other user
• 2. Calculate r2 and the session key, concatenate r1, r2 and the ID, then sign the result with the private key. Bob then sends r2, the signature and his public key
• 3. After calculating the session key, if the signature is verified, generate a signature by concatenating r1, r2 and Bob's ID (encrypted with the session key)
Security of station-to-station key agreement
• An attacker cannot forge a user's signature, and a forged signature cannot be verified with the user's public key
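The three-message exchange of the previous two slides, as an added example that is not part of the original slides. It reuses the q = 353, a = 3 parameters from the DH example, and stands in a toy textbook-RSA signature (constructed key pairs, far too small for real use) for the certificate-backed signature the protocol requires; the signature is masked with a keystream derived from the session key in place of a real cipher. It assumes the "ID" concatenated into each signature is the peer's identity, and all function names are my own. The `substituted_r1` parameter lets you see what the Security slide claims: if someone in the middle replaces Alice's r1, Bob's signature covers the wrong value and is decrypted under a different key, so Alice's verification fails and she never sends message 3.

```python
import hashlib

Q, G = 353, 3  # DH parameters reused from the slides' example (toy size)

# Constructed toy textbook-RSA key pairs (p=61,q=53 and p=71,q=67).
ALICE_KEY = {"n": 3233, "e": 17, "d": 2753}
BOB_KEY = {"n": 4757, "e": 13, "d": 1777}


def _digest(r1: int, r2: int, peer_id: str, n: int) -> int:
    """Hash r1 || r2 || id down to an integer below the signer's modulus."""
    data = f"{r1}|{r2}|{peer_id}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key: dict, r1: int, r2: int, peer_id: str) -> int:
    """Textbook RSA signature: digest^d mod n (toy, no padding)."""
    return pow(_digest(r1, r2, peer_id, key["n"]), key["d"], key["n"])


def verify(n: int, e: int, sig: int, r1: int, r2: int, peer_id: str) -> bool:
    """Check sig^e mod n against the digest recomputed from the values seen."""
    return pow(sig, e, n) == _digest(r1, r2, peer_id, n)


def _mask(session_key: int) -> int:
    """16-bit keystream derived from the DH session key (toy cipher)."""
    k = hashlib.sha256(b"sts-toy|" + str(session_key).encode()).digest()
    return int.from_bytes(k[:2], "big")


def encrypt_sig(sig: int, session_key: int) -> int:
    """XOR with the session-key mask; applying it twice decrypts."""
    return sig ^ _mask(session_key)


def sts_run(x_alice: int, y_bob: int, substituted_r1: int = 0):
    """Run the three STS messages and return
    (alice_verified, bob_verified, k_alice, k_bob).
    If substituted_r1 is non-zero, Bob receives that value instead of r1."""
    # Message 1, Alice -> Bob: r1 = g^x mod q
    r1 = pow(G, x_alice, Q)
    r1_at_bob = substituted_r1 or r1

    # Message 2, Bob -> Alice: r2, E_K(Sig_B(r1 || r2 || "Alice")), Bob's public key
    r2 = pow(G, y_bob, Q)
    k_bob = pow(r1_at_bob, y_bob, Q)
    enc_sig_b = encrypt_sig(sign(BOB_KEY, r1_at_bob, r2, "Alice"), k_bob)
    bob_pub = (BOB_KEY["n"], BOB_KEY["e"])

    # Message 3, Alice: derive K, verify Bob's signature against HER r1
    k_alice = pow(r2, x_alice, Q)
    sig_b = encrypt_sig(enc_sig_b, k_alice)           # decrypt with Alice's K
    alice_verified = verify(*bob_pub, sig_b, r1, r2, "Alice")
    if not alice_verified:
        return False, False, k_alice, k_bob           # abort, no message 3

    enc_sig_a = encrypt_sig(sign(ALICE_KEY, r1, r2, "Bob"), k_alice)
    sig_a = encrypt_sig(enc_sig_a, k_bob)             # Bob decrypts with his K
    bob_verified = verify(ALICE_KEY["n"], ALICE_KEY["e"],
                          sig_a, r1_at_bob, r2, "Bob")
    return alice_verified, bob_verified, k_alice, k_bob


if __name__ == "__main__":
    print("honest run:     ", sts_run(97, 233))
    print("substituted r1: ", sts_run(97, 233, substituted_r1=pow(G, 5, Q)))
```

With the slides' secrets (xA = 97, xB = 233) the honest run verifies on both sides and both parties hold K = 160; with a substituted r1 the two sides derive different keys and Alice's check on Bob's signature fails. In a real deployment the public key in message 2 arrives inside a certificate that Alice validates before calling `verify`; that step is what ties the signature to Bob rather than to whoever sent the message.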