270 likes | 288 Views
Explore how certificateless public key cryptography can improve key agreement security. Detailed analysis of proposed protocol and comparisons with traditional PKI. Addressing efficiency and security issues in current approaches.
E N D
Certificateless Authenticated Two-Party Key Agreement Protocols Master Thesis Tarjei K. Mandt 09.06.2006
Agenda • Introduction • Certificateless Public Key Cryptography • Key Agreement Protocols • Proposed Protocol • Security and Efficiency Analysis
Problems • Certificate management in traditional public key infrastructure (PKI) is inefficient • Key escrow in identity-based public key cryptography (ID-PKC) Can certificateless public key cryptography (CL-PKC) be used to design more efficient and secure key agreement schemes?
Contribution • A new efficient certificateless authenticated two-party key agreement protocol • A protocol that can be used to establish keys between users of distinct domains • Security- and adversary model for certificateless authenticated key agreement
Why Certificateless Public Key Cryptography? • No certificates used (PKI) • Low storage and communication bandwidth • No need to verify certificates (certificate chains) • Higher degree of privacy • Public keys are always valid • No need for revocation (CRLs) • No key escrow (ID-PKC) • Trusted authority cannot recover session keys • Trusted authority cannot forge signatures
Certificateless Public Key Cryptography (1) Certificateless PublicKey Cryptography Public KeyInfrastructure Identity-basedCryptography
Certificateless Public Key Cryptography (2) Key Generation Center (KGC) Alice’s identity Alice Partial private key secret value Bob master-key partial private key + secret value Private Key secret value × public generator Public Key
Key Agreement (1) • Two or more parties agree on a shared key • Both parties contribute with input • Diffie-Hellman model used today • Authenticated Key Agreement ensures that only the intended parties can compute the session key • Bilinear pairings of elliptic curve groups used extensively today (provides shorter keys)
Key Agreement (2) Alice Bob Alice’s private key Bob’s public key Alice’s public key Bob’s private key Key Agreement Key Agreement Shared Secret
Diffie-Hellman Key Exchange Alice Bob a gb ga b Alice’s private key Bob’s public key Alice’s public key Bob’s private key gba gab secret key secret key Shared Secret
Man-in-the-Middle Attackon Diffie-Hellman Alice Eve Bob ga gc gcb gb gc gca • Signing exchanged keys is inconvenient (size, computation) • Including identities can achieve proper authentication
Computational Problems • Discrete Logarith problem (DLP)Given <g,q>, find an element a, such that ga = q • EC Discrete Logarithm problemGiven <P,Q>, find an element a, such that aP = Q • EC Computational Diffie-Hellman (CDH) problemGiven <P,aP,bP>, compute abP • Bilinear Diffie-Hellman (BDH) problemGiven <P,aP,bP,cP>, compute ê(P,P)abc • DLP > CDHP > BDHPexample: ê(abP,cP) = ê(P,cP)ab = ê(P,P)abc
Proposed protocol Key Generation Center Master-key: s KGC public key: sP
Proposed protocol Key Generation Center Master-key: s KGC public key: sP Partial private key DA = sQA Alice Private key SA = <DA,xA> Public key PA = xAP
Proposed protocol Key Generation Center Master-key: s KGC public key: sP Partial private key DA = sQA Partial private key DB = sQB Alice Bob Private key SA = <DA,xA> Private key SB = <DB,xB> Public key PA = xAP Public key PB = xBP
Proposed protocol Key Generation Center Master-key: s KGC public key: sP Partial private key DA = sQA Partial private key DB = sQB Alice TA, PA Bob Private key SA = <DA,xA> Private key SB = <DB,xB> a TA = aP b TB = bP TB, PB Public key PA = xAP Public key PB = xBP
Proposed protocol Key Generation Center Master-key: s KGC public key: sP Partial private key DA = sQA Partial private key DB = sQB Alice TA, PA Bob Private key SA = <DA,xA> Private key SB = <DB,xB> a TA = aP b TB = bP TB, PB Public key PA = xAP Public key PB = xBP KA = ê(QB, PB + sP)a· ê(xAQA + DA,TB) KB = ê(QA, PA + sP)b· ê(xBQB + DB,TA) K = ê(QB, P)a(s+xB)· ê(QA,P)b(s+xA)
Proposed protocol with multiple KGCs KGC 1 Master-key: s1 KGC public key: s1P KGC 2 Master-key: s2 KGC public key: s2P standardized elliptic curve parameters Partial private key DA = s1QA Partial private key DB = s2QB Alice TA, PA Bob Private key SA = <DA,xA> Private key SB = <DB,xB> a TA = aP b TB = bP TB, PB Public key PA = xAP Public key PB = xBP KA = ê(QB, PB + s2P)a· ê(xAQA + DA,TB) KB = ê(QA, PA + s1P)b· ê(xBQB + DB,TA) K = ê(QB, P)a(s2+xB)· ê(QA,P)b(s1+xA)
(Final) Session Key • Need to use a Key Derivation Function (KDF) • To ensure forward secrecy • To prevent the key reveal attack • To ensure compromise of short-term private values does not break the protocol • A secure hash function H is an ideal KDF FKA = H(K, abP, xAxBP) FKB = H(K, baP, xBxAP) long-term public key session key short-term public key (long-term) secret value short-term private key
Protocol’s Security • Security reduces to the BDH/CDH problem • A KGC who replaces public keys (long-term and short-term) can attack the protocol • Can be addressed by incorporating public keys into the identity elements: QA = H1(IDA,PA) • Thus, we define two adversaries: • Type I: replaces public keys, does not know master-key • Type II: knows master-key, does not replace public keys
Security Attributes • Known-key security • Each run should produce a different session key • Forward secrecy • Leaked private keys should not reveal a session key • KGC forward secrecy • Key-compromise impersonation • An adversary should not be able to impersonate other entities to A using A’s private key • Unknown key share • A should not share a key with C, when believing she is sharing a key with B • Known session-specific temporary information security • Leaked short-term keys should not reveal a session key
Example: Forward Secrecy Alice Bob establishes n session keys
Example: Forward Secrecy Alice Bob establishes n session keys Eve Alice’s private key Bob’s private key
Example: Forward Secrecy Alice Bob establishes n session keys • Eve can compute K, but not H(K,abP,xAxBP) • Specifically, Eve must know a or b of a given session to compute a · bP = b · aP = abP Eve Alice’s private key Bob’s private key
Protocol’s Efficiency p = pairing, m = point multiplication, e = pairing exponentiation Precomputation: known values are computed before the key agreement
Conclusions • More efficient than previous protocol • Only 2 pairings • Public keys only comprise one group element • Possible to adapt to a multi-TA setting • For instance, ideal in VoIP networks • Efficiency competitive with ID-PKC when many keys are agreed (public keys are known)