CS470, A.SelcukKey Distribution1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin...
-
Upload
lambert-curtis -
Category
Documents
-
view
226 -
download
0
Transcript of CS470, A.SelcukKey Distribution1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin...
CS470, A.Selcuk Key Distribution 1
Key Distribution
CS 470
Introduction to Applied Cryptography
Instructor: Ali Aydin Selcuk
CS470, A.Selcuk Key Distribution 2
Key Distribution/Establishment
• How to have two parties agree on an encryption key securely?
• Public key encryption: Solves the problem against passive attackers.E.g. DH Key Exchange:
Trudy can’t get gab mod p.
BobAlice ga mod p
gb mod p
K = gab mod p
CS470, A.Selcuk Key Distribution 3
Active Attacks
• Attacker can intercept, modify, insert, delete messages on the network.
• E.g., Man-in-the-Middle attack against DH:
Trudy can translate messages between Alice & Bob without being noticed
• Similar attacks possible on RSA & other PKC protocols.
BobAlice ga mod p
gb’ mod p
K’ = gab’ mod p
ga’ mod p
gb mod p
Trudy
K’’ = ga’b mod p
CS470, A.Selcuk Key Distribution 4
Trusted Third Parties
• Solution against active attackers: “Trusted Third Parties” (TTPs)
• Symmetric key solution: KDC– Everyone registers with the KDC, shares a secret key.– When A & B want to communicate, they contact the KDC &
obtain a session key.
• Public key solution: CA– Everyone registers with the CA, obtains a “certificate” for his/her
public key.– Certificate: A document signed by the CA, including the ID and
the public key of the subject.– People obtain each other’s certificates thru a repository, a
webpage, or at the beginning of the protocol,– and use the certified public keys in the protocols.
CS470, A.Selcuk Key Distribution 5
KDC vs. CA
• KDC – faster (being based on symmetric keys)– has to be online
• CA– doesn’t have to be online – if crashes, doesn’t disable the network– much simpler– scales better– certificates are not disclosure-sensitive– a compromised CA can’t decrypt conversations
• KDCs are preferred for LANs, CAs for WANs (e.g., the Internet).
CS470, A.Selcuk Key Distribution 6
Key Distribution with KDC
A simple protocol:
KA, KB: Long-term secret keys of Alice, Bob.KA{m}: Encryption of m with KA.
Problems with this protocol:– possible delayed delivery of KB{A,B,KAB}.– No freshness guarantee for B (i.e., Trudy can replay KB{A,B,KAB}
for a previously compromised KAB).
(Both problems can be fixed easily.)
BA
A, B
KA{A,B,KAB}
KDCKB{A,B,KAB}
KAB
CS470, A.Selcuk Key Distribution 7
Key Distribution with CA
A simple protocol:– certificates are obtained in advance– session key transport with public key encryption:
– {m}X: Encryption of message m with the public key of X
– [m]X: Signature on message m with the public key of X
Problems with this protocol:– B doesn’t authenticate A.– No freshness guarantee for B.
BA { [ A, B, r, KAB ]A }B
KAB{r}
CS470, A.Selcuk Key Distribution 8
“Station-to-Station” Protocol
• Authenticated DH protocol; basis for many real-life app’s.• Certified PKs are used for signing the public DH
parameters. A slightly simplified version:
where x = ga mod p, y = gb mod p, k = gab mod p.• STS vs. encrypted key transport: STS (DH) provides
“perfect forward secrecy”.(In encrypted transport, if the long-term RSA key is compromised, the session keys are also compromised.)
BobAlice x
cert(B), y, [x,y]B
cert(A), [x,y]A
CS470, A.Selcuk Key Distribution 9
Multiple Domains with KDC
A to talk to B:– contacts KDCA
– KDCA contacts KDCB, or tells A how to contact KDCB (e.g. generates a session key for A & KDCB)
– KDCB generates a session key for A & B, passes it to them.
BA
KDCA KDCB
CS470, A.Selcuk Key Distribution 10
Multiple Domains with CA
• A, to authenticate the public key of B,– verifies B’s cert. issued by CAB,
– verifies CAB’s cert. issued by CAA,
• B does vice versa to authenticate A’s key
BA
CAA CAB
certify each other
CS470, A.Selcuk Key Distribution 11
ID-Based Crypto
• Idea: Is a scheme possible where Alice’s public key is her ID?
• Would solve the problem of authenticating a public key received.
• Q: But if anyone can derive the public key from the ID, can’t they derive the private key as well?
• Support from a trusted “private key generator”.– Private keys are generated from a unique secret S known by PKG.– Users know a one-way function of S, sufficient for public key
generation.
• Practical schemes exist for signature (Shamir) and encryption (Boneh-Franklin).
CS470, A.Selcuk Key Distribution 12
ID-Based Crypto
• Advantages:– There is no need for Alice to retrieve Bob’s certificate
to send him an encrypted message.– Alice can send Bob an encrypted message even
before he gets his decryption key.
• Disadvantages:– Key revocation is (almost) impossible.– It is not so significant in interactive protocols.
• “Feature”:– Inherent key escrow.
CS470, A.Selcuk Key Distribution 13
Crypto-Based ID
• Similar to ID-based crypto, ID and PK are inherently related.
• But instead of generating PK from ID, do the opposite: IDA = h(PKA).
• Useful in pseudonym systems where (part of) the ID can be given a random value.– P2P systems– IPv6 “cryptographically generated address”
• No “big brother” is necessary.