Overview of Key Establishment Techniques Key Distribution Key

Overview of Key Establishment Techniques: Key Distribution, Key Agreement and PKI Wade Trappe

Lecture Overview l We now begin our look at building protocols using the basic tools that we have discussed. l The discussion in this lecture will focus on issues of key establishment and the associated notion of authentication l These protocols are not real, but instead are meant to serve just as a high-level survey l Later lectures will go into specific protocols and will uncover practical challenges faced when implementing these protocols

Key Establishment: The problem l Securing communication requires that the data is encrypted before being transmitted. l Associated with encryption and decryption are keys that must be shared by the participants. l The problem of securing the data then becomes the problem of securing the establishment of keys. l Task: If the participants do not physically meet, then how do the participants establish a shared key? l Two types of key establishment: – Key Agreement – Key Distribution

Key Distribution l Key Agreement protocols: the key isn’t determined until after the protocol is performed. l Key Distribution protocols: one party generates the key and distributes it to Bob and/or Alice (Shamir’s 3 pass, Kerberos). l Shamir’s Three-Pass Protocol: – Alice generates and Bob generates – A key K is distributed by: Alice . Bob Calculates:

Basic TTP Key Distribution KDC Kb Ka Step 1 Step 2 Step 3 Step 4 Step 5 1. A Sends: {Request || IDA || IDB || N 1} 2. KDC Sends: EKa[ KAB|| {Request || IDA || IDB || N 1}||EKb(KAB, IDA)] 3. A Sends: EKb(KAB, IDA) 4. B Sends: EKAB(N 2) 5. A Sends: EKAB(f(N 2))

Key Agreement l l In many scenarios, it is desirable for two parties to exchange messages in order to establish a shared secret that may be used to generate a key. The Diffie-Hellman (DH) protocol is a basic tool used to establish shared keys in two-party communication. Two parties, A and B, establish a shared secret by: The security of the DH scheme is based upon the intractibility of the Diffie-Hellman Problem: Given a prime p, a generator g of , and elements it is computationally difficult to find. and ,

Intruder In The Middle l The Intruder-in-the-Middle attack on Diffie-Hellman is based upon the following strategy to improve one’s chess ranking: – Eve challenges two grandmasters, and uses GM 1’s moves against GM 2. Eve can either win one game, or tie both games. l Eve has Alice Begins DH and can perform the Intruder-in-the-Middle attack by: Eve Calculates Encrypts data with KAE Bob Begins DH Calculates Decrypts data with KAE, uses data and encrypts with KBE Decrypts data with KBE

Station-to-Station Protocol l Digital signatures can be used to prevent this protocol failure (STS Protocol). l A digital signature is a scheme that ties a message and its author together. – Private sig( ) function and Public ver( ) function. Alice Bob Calculates Decrypts to get: Verifies sig

N-to-N Group Key Establishment l Many group scenarios require contributory key establishment protocols. 1 -to-1 Key Establishment: Diffie-Hellman (DH) protocol Two parties, A and B, establish a shared secret by: l Extensions to multi-user scenarios: l l – Ingemarsson: Requires N-1 rounds and O(N 2) exponentiations – Burmester-Desmedt: Requires 2 rounds but full broadcast – GDH (Steiner et al. ): Requires N rounds and O(N) exp.

Butterfly Group Diffie-Hellman Example: u 1 u 2 u 3 u 4 u 5 l Can be extended to arbitrary radix b using Ingemarsson as the basic building block. l Total Rounds: l Total Messages: l Optimal radix in both cases is 2. u 6 u 7 u 8

The Conference Tree l Group key formation procedure is described by: – Communication flow diagram – Conference Tree l Conference tree describes the subgroups and subgroup keys. u 1 u 2 Ke u 3 u 4 K 0 u 5 u 6 u 7 u 8 K 00 K 1 K 01 K 10 K 11 K 000 K 001 K 010 K 011 K 100 K 101 K 110 K 111

Distribution of Public Keys l There are several techniques proposed for the distribution of public keys: – – Public announcement Publicly available directory Public key authority Public key certificates

Public Announcement l Idea: Each person can announce or broadcast their public key to the world. l Example: People attach their PGP or RSA keys at the end of their emails. l Weakness: – No authenticity: Anyone can forge such an announcement – User B could pretend to be User A, but really announce User B’s public key.

Public Directory Service l l Idea: Have a public directory or “phone book” of public keys. This directory is under the control/maintenance of a trusted third party (e. g. the government). Involves: – Authority maintains a directory of {name, PK} – Each user registers public key. Registration should involve authentication. – A user may replace or update keys. – Authority periodically publishes directory or updates to directory. – Participants can access directory through secure channel. l Weaknesses: – If private key of directory service is compromised, then opponent can pretend to be directory service. – Directory is a single point of failure.

Public Key Authority l Idea: More security is achieved if the authority has tighter control over who gets the keys. l Assumptions: – Central authority maintains a dynamic directory of public keys of all users. – Central authority only gives keys out based on requests. – Each user knows the public key of the authority. l Weaknesses: – Public Key Authority is a single point of failure. – User has to contact PK Authority, thus the PK Authority can be a bottleneck for service.

Public Key Authority, protocol PK Auth Step 4 A Step 1 Step 2 Step 5 Step 3 Step 6 Step 7 1. A Sends: {Request || Time 1} 2. PK Auth: Ed. Auth[ e. B|| {Request || Time 1}] 3. A Sends B: Ee. B(IDA||N 1) 4 and 5. B does steps 1 and 2. 6. B Sends: Ee. A(N 1||N 2) 7. A Sends: Ee. B(N 2) B

Public Key Certificates l l Idea: Use certificates! Participants exchange keys without contacting a PK Authority in a way that is reliable. Certificates contain: – A public key (created/verified by a certificate authority). – Other information. l l Certificates are given to a participant using the authority’s private key. A participant conveys its key information to another by transmitting its certificate. Other parties can verify that the certificate was created/verified by the authority. Weakness: – Requires secure time synchronization.

Public Key Certificates, overview Cert Auth Give e. A securely to CA A Securely give e. B to CA Cert. B = Ed. Auth{Time 2||IDB||e. B} Cert. A = Ed. Auth{Time 1||IDA||e. A} Cert. A Cert B Requirements: • Any participant can read a certificate to determine the name and public key of the certificate’s owner. • Any participant can verify that the certificate originated from the certificate authority and is not counterfeit. • Only the certificate authority can create and update certificates. • Any participant can verify the currency of the certificate. B

X. 509 PK Certificates l l X. 509 is a very commonly used public key certificate framework. Version The certificate structure and authentication protocols are used in: Algorithm & Parms – IP SEC – SSL – SET l X. 509 Certificate Format: – Version 1/2/3 – Serial is unique within the CA – First and last time of validity Cert Serial # Issuer Name Validity Time: Not before/after Subject Name PK Info: Algorithm, Parms, Key . . . Signature (w/ hash)

X. 509 Certificate Chaining l l l Its not feasible to have one CA for a large group of users. Suppose A knows CA X 1, B knows CA X 2. If A does not know X 2’s PK then Cert. X 2(B) is useless to A. If X 1 and X 2 have certified each other then A can get B’s PK by: – A obtains Cert. X 1(X 2) – A obtains Cert. X 2(B) – Because B has a trusted copy of X 2’s PK, A can verify B’s certificate and get B’s PK. l Certificate Chain: – {Cert. X 1(X 2)|| Cert. X 2(B)} l Procedure can be generalized to more levels. Cert. X 1(X 2) Cert. X 2(X 1) X 1 X 2 A B {Cert. X 1(X 2)|| Cert. X 2(B)}