1 / 13

Key Distribution

Key Distribution. CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk. Alice. Bob. g a mod p. g b mod p. K = g ab mod p. Key Distribution/Establishment. How to have two parties agree on an encryption key securely?

xyla-thomas
Download Presentation

Key Distribution

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Key Distribution CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk Key Distribution

  2. Alice Bob ga mod p gb mod p K = gab mod p Key Distribution/Establishment • How to have two parties agree on an encryption key securely? • Public key encryption: Solves the problem against passive attackers.E.g. DH Key Exchange:Trudy can’t get gab mod p. Key Distribution

  3. Trudy Alice Bob ga mod p ga’ mod p gb’ mod p gb mod p K’ = gab’ mod p K’’ = ga’b mod p Active Attacks • Attacker can intercept, modify, insert, delete messages on the network. • E.g., Man-in-the-Middle attack against DH:Trudy can translate messages between Alice & Bob without being noticed • Similar attacks possible on RSA & other PKC protocols. Key Distribution

  4. Trusted Third Parties • Solution against active attackers: “Trusted Third Parties” (TTPs) • Symmetric key solution: KDC • Everyone registers with the KDC, shares a secret key. • When A & B want to communicate, they contact the KDC & obtain a session key. • Public key solution: CA • Everyone registers with the CA, obtains a “certificate” for his/her public key. • Certificate: A document signed by the CA, including the ID and the public key of the subject. • People obtain each other’s certificates thru a repository, a webpage, or at the beginning of the protocol, • and use the certified public keys in the protocols. Key Distribution

  5. KDC vs. CA • KDC • faster (being based on symmetric keys) • has to be online • CA • doesn’t have to be online • if crashes, doesn’t disable the network • much simpler • scales better • certificates are not disclosure-sensitive • a compromised CA can’t decrypt conversations • KDCs are preferred for LANs, CAs for WANs (e.g., the Internet). Key Distribution

  6. KDC A, B KB{A,B,KAB} KA{A,B,KAB} A B KAB Key Distribution with KDC A simple protocol:KA, KB: Long-term secret keys of Alice, Bob.KA{m}: Encryption of m with KA. Problems with this protocol: • possible delayed delivery of KB{A,B,KAB}. • No freshness guarantee for B (i.e., Trudy can replay KB{A,B,KAB} for a previously compromised KAB). (Both problems can be fixed easily.) Key Distribution

  7. { [ A, B, r, KAB ]A }B A B KAB{r} Key Distribution with CA A simple protocol: • certificates are obtained in advance • session key transport with public key encryption: • {m}X: Encryption of message m with the public key of X • [m]X: Signature on message m with the public key of X Problems with this protocol: • B doesn’t authenticate A. • No freshness guarantee for B. Key Distribution

  8. Alice Bob x cert(B), y, [x,y]B cert(A), [x,y]A “Station-to-Station” Protocol • Authenticated DH protocol; basis for many real-life app’s. • Certified PKs are used for signing the public DH parameters. A slightly simplified version:where x = ga mod p, y = gb mod p, k = gab mod p. • STS vs. encrypted key transport: STS (DH) provides “perfect forward secrecy”.(In encrypted transport, if the long-term RSA key is compromised, the session keys are also compromised.) Key Distribution

  9. KDCA KDCB B A Multiple Domains with KDC A to talk to B: • contacts KDCA • KDCA contacts KDCB, or tells A how to contact KDCB (e.g. generates a session key for A & KDCB) • KDCB generates a session key for A & B, passes it to them. Key Distribution

  10. certify each other CAA CAB B A Multiple Domains with CA • A, to authenticate the public key of B, • verifies B’s cert. issued by CAB, • verifies CAB’s cert. issued by CAA, • B does vice versa to authenticate A’s key Key Distribution

  11. ID-Based Crypto • Idea: Is a scheme possible where Alice’s public key is her ID? • Would solve the problem of authenticating a public key received. • Q: But if anyone can derive the public key from the ID, can’t they derive the private key as well? • Support from a trusted “private key generator”. • Private keys are generated from a unique secret S known by PKG. • Users know a one-way function of S, sufficient for public key generation. • Practical schemes exist for signature (Shamir) and encryption (Boneh-Franklin). Key Distribution

  12. ID-Based Crypto • Advantages: • There is no need for Alice to retrieve Bob’s certificate to send him an encrypted message. • Alice can send Bob an encrypted message even before he gets his decryption key. • Disadvantages: • Key revocation is (almost) impossible. • It is not so significant in interactive protocols. • “Feature”: • Inherent key escrow. Key Distribution

  13. Crypto-Based ID • Similar to ID-based crypto, ID and PK are inherently related. • But instead of generating PK from ID, do the opposite: IDA = h(PKA). • Useful in pseudonym systems where (part of) the ID can be given a random value. • P2P systems • IPv6 “cryptographically generated address” • No “big brother” is necessary. Key Distribution

More Related