Key Distribution
-
Upload
nicole-morton -
Category
Documents
-
view
52 -
download
0
description
Transcript of Key Distribution
![Page 1: Key Distribution](https://reader035.fdocuments.us/reader035/viewer/2022072016/56813164550346895d97dac6/html5/thumbnails/1.jpg)
1 © Information Security Group, ICU
Key DistributionKey Distribution
![Page 2: Key Distribution](https://reader035.fdocuments.us/reader035/viewer/2022072016/56813164550346895d97dac6/html5/thumbnails/2.jpg)
2 © Information Security Group, ICU
Problem
Two different types of keyLong-term key
Set up initial key for each entityKey Pre-distribution System
Session (short-term) key After long-term key set up, share secret information among
2 or multi entitiesKey Establishment System
Key Distribution CenterHighly trustful entity, easy but maintenance cost
overheadWithout online KDC, extremely hard to establish
(agree)
![Page 3: Key Distribution](https://reader035.fdocuments.us/reader035/viewer/2022072016/56813164550346895d97dac6/html5/thumbnails/3.jpg)
3 © Information Security Group, ICU
Key Establishment
“A process or protocol whereby a shared secret becomes available to two or more parties for subsequent cryptographic use.” Key transport: one party creates and transfers it
to the other(s) Key agreement: a shared secret is derived by
two or more parties as a function of information contributed by. No party can determine the resulting value.
Use symmetric or asymmetric cryptosystem under PKI
![Page 4: Key Distribution](https://reader035.fdocuments.us/reader035/viewer/2022072016/56813164550346895d97dac6/html5/thumbnails/4.jpg)
4 © Information Security Group, ICU
Key Pre-distribution System
Diffie-Hellman Key Pre-distribution (Key Agreement scheme)Under DDH is hard, passive attacker can’t compute a
shared secretIntruder-in-the middle attack
Unconditionally Secure Key Pre-distributionSecure against any attackersUsing off-band transfer, we can achieve unconditiona
l-secure KPS need n2 complexityBlom Key Pre-distribution System (p.400)
![Page 5: Key Distribution](https://reader035.fdocuments.us/reader035/viewer/2022072016/56813164550346895d97dac6/html5/thumbnails/5.jpg)
5 © Information Security Group, ICU
Authenticated Key distribution
(Implicit) key authentication: identity of party which may possibly share a key (No other party may gain access to a particular secret key)
(Implicit) Key confirmation: evidence that a key is possessed by some party (He actually has possession of a particular secret key)
Explicit key authentication: evidence an identified party can possess a key and any other party can’t create this.
Perfect forward secrecy: compromise of long-term keys does not compromise past session keys
![Page 6: Key Distribution](https://reader035.fdocuments.us/reader035/viewer/2022072016/56813164550346895d97dac6/html5/thumbnails/6.jpg)
6 © Information Security Group, ICU
Needham-Schroeder
Notation E: symm. encyption NA, NB: nonces chosen by A and B resp.
Setup A and TA share a symm. key KAT; B and TA share KBT
Protocol A sends to TA: A,B,NA
TA sends to A: EAT(NA,B,k,EBT(k,A)) ; k : shared key to A&B A sends to B: EBT(k,A) B sends to A: Ek(NB) A sends to B: Ek(NB-1)
Properties Entity Authentication Key Confirmation Denning-Sacco attack(p.416)
![Page 7: Key Distribution](https://reader035.fdocuments.us/reader035/viewer/2022072016/56813164550346895d97dac6/html5/thumbnails/7.jpg)
7 © Information Security Group, ICU
Station-to-Station(STS) Protocol
Notation E: symm. encryption SA(m): A’s signature on m
Setup System select and publish a prime p and generator g of GF(p) Each user selects a public and private signature keys (eA,nA) and
dA.
Protocol actions A chooses a random secret x and sends gx
B chooses a random secret y and sends k=(gx)y and Ek(SB(gy,gx)) A computes k=(gy)x, decrypt, verify and sends Ek(SA(gx,,
gy)) B decrypts and verify A’s signature
Properties Mutual key confirmation
![Page 8: Key Distribution](https://reader035.fdocuments.us/reader035/viewer/2022072016/56813164550346895d97dac6/html5/thumbnails/8.jpg)
8 © Information Security Group, ICU
MTI key agreement protocol
Key generation System select and publish a prime p and generator g of GF(p) Alice /Bob selects a long-term private key a/b and publish a publi
c key A=ga mod p , B= gb mod p
Protocol actions Alice chooses a random secret x and send gx
Bob chooses a random secret y and send gy
Alice computes k=(gy)aBx (=gay+bx) Bob computes k=(gx)bAy (=gbx+ay)
Properties Two-pass key agreement secure against passive attacks
![Page 9: Key Distribution](https://reader035.fdocuments.us/reader035/viewer/2022072016/56813164550346895d97dac6/html5/thumbnails/9.jpg)
9 © Information Security Group, ICU
Summary
Key transport based on symmetric encryption Shamir’s no-key protocol: none Kerberos: Use KDC Needham-Schroeder: Use KDC Otway-Rees: Use KDC
Key transport based on asymmetric encryption Needham-Schroeder : mutual entity authentication X.509: mutual entity authentication Beller-Yacobi: mutual entity authentication
Key agreement based on asymmetric encryption Diffie-Hellman: none ElGamal: unilateral key authentication MTI: mutual implicit key authentication STS: mutual explicit key and entity authentication