Key Exchange Protocols: J. Mitchell
Next few lectures
Today 1/17
• Brief cryptography background
• Key exchange protocols and properties
Thursday 1/19
• Wireless security: 802.11i
• Choose your project partner
Next Tues 1/24
• Password authentication protocols
Next Thurs 1/26
• Contract-signing protocols
Project presentation #1 2/2
One idea
• If enemy intercepts ciphertext, cannot recover plaintext
Issues in making this precise
• What else might your enemy know?
– The kind of encryption function you are using
– Some plaintext-ciphertext pairs from last year
– Some information about how you choose keys
• What do we mean by “cannot recover plaintext”?
– Ciphertext contains no information about plaintext
– No efficient computation could make a reasonable guess
– Cannot use ciphertext for any nontrivial purpose
Passive Adversary
[Figure: Challenger and Attacker; messages in order: m0, m1; E(mi); guess 0 or 1]
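Added example (not from the original slides): the passive-adversary game run in Python, showing why "no efficient computation could make a reasonable guess" rules out deterministic block-by-block encryption. The toy Feistel cipher, both encryption modes, the messages M0/M1 and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os, random

BLOCK = 16  # bytes per block in this toy cipher

def _f(key, rnd, half):
    # Round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    # 4-round Feistel network: a keyed permutation on 16-byte blocks (toy, not AES).
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def encrypt_deterministic(key, msg):
    # Blocks encrypted independently: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(block_encrypt(key, msg[i:i + BLOCK]) for i in range(0, len(msg), BLOCK))

def encrypt_randomized(key, msg):
    # Fresh random IV per message; block j is masked with E(key, IV || j).
    iv = os.urandom(BLOCK - 1)
    out = [iv]
    for j, i in enumerate(range(0, len(msg), BLOCK)):
        out.append(_xor(msg[i:i + BLOCK], block_encrypt(key, iv + bytes([j]))))
    return b"".join(out)

# Constructed challenge messages: M0 repeats a block, M1 does not.
M0 = b"A" * BLOCK * 2
M1 = b"A" * BLOCK + b"B" * BLOCK

def attacker_guess(ciphertext):
    # Passive attacker: sees only E(mi); guesses 0 if the last two blocks repeat.
    return 0 if ciphertext[-2 * BLOCK:-BLOCK] == ciphertext[-BLOCK:] else 1

def win_rate(encrypt, trials=400, seed=1):
    rng = random.Random(seed)   # fixed seed so the challenger's bits are reproducible
    wins = 0
    for _ in range(trials):
        key = os.urandom(16)    # challenger's secret key
        b = rng.randrange(2)    # challenger's hidden bit i
        wins += attacker_guess(encrypt(key, (M0, M1)[b])) == b
    return wins / trials

if __name__ == "__main__":
    print("deterministic:", win_rate(encrypt_deterministic))  # attacker always wins
    print("randomized:   ", win_rate(encrypt_randomized))     # close to 1/2
```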
Chosen ciphertext CCA1
[Figure: Challenger and Attacker; messages in order: c, D(c); m0, m1; E(mi); guess 0 or 1]
Chosen ciphertext CCA2
[Figure: Challenger and Attacker; messages in order: c, D(c); m0, m1; E(mi); c E(mi), D(c); guess 0 or 1]
Public-key Cryptosystem
Different keys to encrypt and decrypt
• encrypt(key, message)
key pair
g
Applications of one-way hash
Password files (one way)
Digital signatures (collision resistant)
• Sign hash of message instead of entire message
Data integrity
• Compute and store hash of some data
• Check later by recomputing hash and comparing
Keyed hash for message authentication
• MAC – Message Authentication Code
Digital Signatures
Public-key encryption
• Alice publishes encryption key
• Anyone can send encrypted message
• Only Alice can decrypt messages with this key
Digital signature scheme
• Alice publishes key for verifying signatures
• Anyone can check a message signed by Alice
• Only Alice can send signed messages
Properties of signatures
Functions to sign and verify
• Sign(Key^{-1}, message)
• Verify(Key, x, m) = true if x = Sign(Key^{-1}, m), false otherwise
Resists forgery
• Cannot compute Sign(Key^{-1}, m) from m and Key
• Resists existential forgery:
given Key, cannot produce Sign(Key^{-1}, m)
for any random or otherwise arbitrary m
Basic Concepts in Cryptography
Encryption scheme:
• functions to encrypt, decrypt data
• key generation algorithm
Secret key vs. public key
• Public key: publishing key does not reveal key^{-1}
• Secret key: more efficient, generally key = key^{-1}
Hash function, MAC
• Map input to short hash; ideally, no collisions
• MAC (keyed hash) used for message integrity
Signature scheme
• Functions to sign data, verify signature
Key Management
Out of band
• Can set up some keys this way (Kerberos)
Public-key infrastructure (PKI)
• Leverage small # of public signing keys
Protocols for session keys
• Generate short-lived session key
• Avoid extended use of important secret
• Don’t use same key for encryption and signing
• Forward secrecy
[Figure: KeyCenter, Client, Server; message labels {Kcs}Kc, {Kcs}Ks, {msg}Kcs; shared symmetric keys Kc, Ks]
Key Center generates session key Kcs and
distributes using shared long-term keys
Public-Key Infrastructure
Known public signature verification key Ka
[Figure: Certificate Authority; certificate Sign(Ka, Ks); key Ks]
[Figure: A and B; messages g^a mod p and g^b mod p]
Authentication?
Secrecy?
Replay attack
Forward secrecy?
Denial of service?
Identity protection?
IKE subprotocol from IPSEC
m1
A, (g^a mod p)
Common belief:
• Security properties do not compose
Protocol P1
A B : {message}KB
A B : KA^{-1}
Protocol P2
B A : {message’}KA
B A : KB^{-1}
B B : KB^{-1}
[Figure: diagram relating protocols STS0, STS0H, STSa, STSaH, JFK0, RFK. Labels: cookie; distribute certificates; open responder; protect identities; symmetric hash; m=g^x, n=g^y; k=g^{xy}]
Example
Construct protocol with properties:
• Shared secret
• Authenticated
• Identity Protection
• DoS Protection
Design requirements for IKE, JFK,
IKEv2 (IPSec key exchange protocol)
Component 1
Diffie-Hellman
A B: g^a
B A: g^b
IV
No apparent pattern