Key Agreement Guilin Wang School of Computer Science 12 Nov. 2007
Transcript
Page 1: Key Agreement

Key Agreement

Guilin Wang School of Computer Science

12 Nov. 2007

Page 2: Key Agreement

1. Motivations

Due to the efficiency of symmetric encryption, the following diagram is often used to send a (large) message M.

Here:

■ A, B: identities of Alice and Bob, respectively.

■ $Enc_B$: public-key encryption under Bob's public key.

■ $E_K$: symmetric-key encryption under the session key K.

1. $A \to B:\ Enc_B(K),\ E_K(M)$

Page 3: Key Agreement

1. Motivations

However, this simple approach has two limitations:

a). If Bob does not have a public key at all, how can the two parties agree on a session key K?

b). Is there a non-trivial solution for a group of people?

Page 4: Key Agreement

2. Introduction: Basic Concepts

Def. 1. Key establishment is a process or protocol that enables two or more parties to share a secret session key, which can be used for subsequent secure communications.

■ A session key can be used to encrypt data, authenticate messages, and/or authenticate users' identities, etc.

■ Key establishment schemes can be classified into key transport and key agreement.

Page 5: Key Agreement

2. Introduction: Basic Concepts

Def. 2. A key transport protocol or mechanism is a key establishment technique where one party creates or obtains a secret key, and then securely transfers it to the other(s).

Def. 3. A key agreement protocol or mechanism is a key establishment technique in which a shared secret key is derived by two (or more) parties as a function of information contributed by, or associated with, each of these, (ideally) such that no party can predetermine the resulting value.

Page 6: Key Agreement

2. Introduction: DH Protocol

System parameters: p, q: two large primes such that $q \mid p-1$; g: an element of order q in $\mathbb{Z}_p^*$.

The Diffie-Hellman (DH) protocol:

1. $A \to B:\ g^x \bmod p$, where x is Alice's random secret.

2. $B \to A:\ g^y \bmod p$, where y is Bob's random secret.

Output: $K_A = (g^y)^x \bmod p$, $K_B = (g^x)^y \bmod p$, so $K = K_A = K_B = g^{xy} \bmod p$.

Page 7: Key Agreement

2. Introduction: DH Protocol

The security of DH protocol relies on the following computational assumption.

Def. 4. The computational Diffie-Hellman (CDH) assumption: deriving $g^{xy}$ from $g^x$ and $g^y$ is infeasible, where x and y are random secrets.

■ Discrete Logarithm (DL) assumption: deriving x from $g^x$ is infeasible, where x is a random secret.

■ Open question: is the DL problem as difficult as the CDH problem? (Solving DL clearly solves CDH; the converse is not known to hold in general.)

Page 8: Key Agreement

2. Introduction: DH Protocol

Question: two cryptosystems C1 and C2 are identical, except that their security proofs rely on the DL and CDH assumptions, respectively. Which one is better? (Hint: an adversary who solves DL also solves CDH, so the DL assumption is the weaker, i.e. the more plausible, one.)

The CDH assumption looks nice and intractable, but the plain Diffie-Hellman protocol is nevertheless not secure in practice, because it only withstands a passive attacker, as the next page shows.

Page 9: Key Agreement

2. Introduction: MITM Attack

An attacker Cindy, who controls the communications between Alice and Bob, can mount the following man-in-the-middle (MITM) attack, where a and b are Cindy's own random secrets:

1. $A \to C:\ g^x$ (intercepted), then $C \to B:\ g^b$

2. $B \to C:\ g^y$ (intercepted), then $C \to A:\ g^a$

The consequence is serious:

■ A and C share $K_{xa} = g^{xa}$, while B and C share $K_{yb} = g^{yb}$.

■ C can decrypt and re-encrypt all subsequent "secure" communications between A and B, and neither party notices.
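
A runnable version of the DH exchange from Page 6 and of the MITM attack above, added here as an example (not part of the slides). Parameters p, q, g are generated by a small Miller-Rabin search so that p = 2q + 1 and g has order q, as the slide's system parameters require; the 64-bit size and the fixed seed give a reproducible toy run only and are far too small for real use. The function names are this example's own.

```python
import random


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(bits, rng):
    """Toy system parameters: primes p = 2q + 1 (so q | p-1) and g of order q in Z_p^*."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1      # odd, full bit length
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            p = 2 * q + 1
            break
    g = pow(2, 2, p)          # a square != 1; because p = 2q + 1 its order is exactly q
    assert g != 1 and pow(g, q, p) == 1
    return p, q, g


def dh_exchange(p, q, g, rng):
    """Honest DH run. Returns (K_A, K_B); the two must be equal."""
    x = rng.randrange(1, q)        # Alice's ephemeral secret
    y = rng.randrange(1, q)        # Bob's ephemeral secret
    gx = pow(g, x, p)              # 1. A -> B: g^x mod p
    gy = pow(g, y, p)              # 2. B -> A: g^y mod p
    k_a = pow(gy, x, p)            # K_A = (g^y)^x mod p
    k_b = pow(gx, y, p)            # K_B = (g^x)^y mod p
    return k_a, k_b


def dh_mitm(p, q, g, rng):
    """Cindy intercepts both messages and substitutes her own values.

    Returns (K_A, K_B, K_CA, K_CB): what Alice and Bob derive, and Cindy's copy
    of each. Alice and Bob end up with different keys, both known to Cindy.
    """
    x, y = rng.randrange(1, q), rng.randrange(1, q)
    a, b = rng.randrange(1, q), rng.randrange(1, q)   # Cindy's secrets
    gx = pow(g, x, p)              # 1. A -> C: g^x   (Cindy keeps it) ...
    gb = pow(g, b, p)              #    C -> B: g^b   (... and sends her own)
    gy = pow(g, y, p)              # 2. B -> C: g^y
    ga = pow(g, a, p)              #    C -> A: g^a
    k_a = pow(ga, x, p)            # Alice: (g^a)^x = g^{xa}, believed shared with Bob
    k_b = pow(gb, y, p)            # Bob:   (g^b)^y = g^{yb}, believed shared with Alice
    k_ca = pow(gx, a, p)           # Cindy: (g^x)^a = g^{xa}
    k_cb = pow(gy, b, p)           # Cindy: (g^y)^b = g^{yb}
    return k_a, k_b, k_ca, k_cb


if __name__ == "__main__":
    rng = random.Random(2007)      # fixed seed: reproducible toy run, never for real keys
    p, q, g = gen_params(64, rng)
    print("honest:", dh_exchange(p, q, g, rng))
    print("mitm:  ", dh_mitm(p, q, g, rng))
```

Nothing in the two messages lets Alice tell $g^a$ from $g^y$: the values are just group elements, which is exactly why the attack needs no cryptanalysis of CDH.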

Page 10: Key Agreement

2. Introduction: STS Protocol

The DH protocol is insecure because it includes no authentication mechanism at all. The station-to-station (STS) protocol was proposed to defeat the MITM attack: each party signs both exchanged DH values and sends the signature encrypted under the freshly agreed key K.

■ Assumptions: signing keys for Alice and Bob ($Sig_A$, $Sig_B$, whose verification keys the other party knows) and a symmetric cipher $E_K$.

■ The DH protocol makes no such assumptions.
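
The STS exchange of this page as an added example, not code from the slides. The Python standard library ships no signature scheme, so $Sig_A$ and $Sig_B$ are a toy Schnorr signature over the same order-q subgroup, and $E_K$ is a SHA-256 keystream XOR; the group p = 1019, q = 509, g = 4 is a toy safe-prime group (q | p-1, g of order q) and nothing here is secure at these sizes. The `cindy` parameter replays the Page 9 substitution of $g^x$ by $g^b$ to show where STS stops it. All function names are this example's own.

```python
import hashlib
import random

P, Q, G = 1019, 509, 4            # toy group: p = 2q + 1, g = 2^2 has order q
assert pow(G, Q, P) == 1 and G != 1


def h_q(*parts):
    """Hash an ordered tuple of values to an integer mod Q (the Schnorr challenge)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(repr(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % Q


def schnorr_keygen(rng):
    d = rng.randrange(1, Q)
    return d, pow(G, d, P)          # (signing key, verification key)


def schnorr_sign(d, rng, *msg):
    r = rng.randrange(1, Q)
    e = h_q(pow(G, r, P), *msg)
    return e, (r + d * e) % Q


def schnorr_verify(pk, sig, *msg):
    e, s = sig
    # R' = g^s * pk^{-e}; pk has order Q, so pk^{-e} = pk^{Q-e}
    r_prime = pow(G, s, P) * pow(pk, (Q - e) % Q, P) % P
    return h_q(r_prime, *msg) == e


def e_k(key, data):
    """Toy E_K: XOR with a SHA-256 keystream. The same call decrypts."""
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key.to_bytes(4, "big") + bytes([ctr])).digest()
    return bytes(x ^ y for x, y in zip(data, stream))


def wrap_sig(key, sig):
    return e_k(key, f"{sig[0]},{sig[1]}".encode())


def unwrap_sig(key, blob):
    """Decrypt and parse; a wrong key yields garbage, reported as None."""
    try:
        e, s = e_k(key, blob).decode().split(",")
        return int(e), int(s)
    except ValueError:              # includes UnicodeDecodeError
        return None


def sts(rng, a_sk, a_pk, b_sk, b_pk, cindy=None):
    """One STS run. Returns (alice_accepts, bob_accepts, K_A, K_B).

    If `cindy` is an rng, she plays the Page 9 attack: Bob receives g^b in
    place of g^x. She cannot forge Sig_B and does not know K_A, so Alice rejects.
    """
    x = rng.randrange(1, Q)
    gx = pow(G, x, P)                               # 1. A -> B: g^x
    bob_sees = gx
    if cindy is not None:
        b = cindy.randrange(1, Q)
        bob_sees = pow(G, b, P)                     #    C -> B: g^b instead
    y = rng.randrange(1, Q)
    gy = pow(G, y, P)
    k_b = pow(bob_sees, y, P)                       # Bob's K
    msg2 = (gy, wrap_sig(k_b, schnorr_sign(b_sk, rng, gy, bob_sees)))
    # 2. B -> A: g^y, E_K(Sig_B(g^y, g^x)).  Cindy can only forward this:
    # Bob signed (g^y, g^b), not (g^y, g^x), and she cannot re-sign as Bob.
    k_a = pow(msg2[0], x, P)
    sig_b = unwrap_sig(k_a, msg2[1])
    alice_ok = sig_b is not None and schnorr_verify(b_pk, sig_b, msg2[0], gx)
    if not alice_ok:
        return False, False, k_a, k_b
    msg3 = wrap_sig(k_a, schnorr_sign(a_sk, rng, gx, gy))
    # 3. A -> B: E_K(Sig_A(g^x, g^y))
    sig_a = unwrap_sig(k_b, msg3)
    bob_ok = sig_a is not None and schnorr_verify(a_pk, sig_a, bob_sees, gy)
    return alice_ok, bob_ok, k_a, k_b
```

Signing the pair (own value, received value) is what binds each signature to this particular run; signing only one's own value would let Cindy splice signatures between sessions.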

Page 11: Key Agreement

3. More Concepts and Protocols

To know more about key agreement, we now study:

■ What are the security requirements?

■ Which kinds of actions are allowed for an attacker, whose goal is to break one or more security requirements?

Page 12: Key Agreement

3. More Concepts and Protocols

Def. 5. A key agreement protocol satisfies key authentication, if one party is assured that only specifically identified parties can derive a particular secret key.

Note: this is also called implicit key authentication, since it does not guarantee that those parties actually possess the secret key.

Page 13: Key Agreement

3. More Concepts and Protocols

Def. 6. A key agreement protocol satisfies key confirmation, if one party is assured that all other parties (possibly unidentified) actually have possession of a particular secret key.

Def. 7. A key agreement protocol satisfies explicit key authentication if both (implicit) key authentication and key confirmation hold.

Page 14: Key Agreement

3. More Concepts and Protocols

Target of an attacker against a security protocol: subverting the protocol itself, rather than cryptanalyzing the underlying cryptographic algorithms (which are assumed to be secure).

Passive attacker: Simply eavesdrop, record, and then analyze the data.

Active attacker: Completely control the communication channel, so it is able to record, alter, delete, insert, redirect, reorder, and reuse past or current messages, and inject new messages.

Page 15: Key Agreement

3. More Concepts and Protocols

■ Ideally, we expect a protocol to be efficient and secure against active attacks under the weakest assumptions.

■ The DH protocol only satisfies implicit key authentication against a passive attacker, under the CDH assumption.

■ The STS protocol satisfies explicit key authentication against an active attacker, under the CDH assumption plus secure digital signatures.

Page 16: Key Agreement

3.1. AKEP2

AKEP2 (Authenticated Key Exchange Protocol 2):

■ $N_a$, $N_b$: nonces.

■ k, k': two long-term keys shared between A and B.

■ $H_k(\cdot)$, $H'_{k'}(\cdot)$: two secure keyed hash functions.

■ Provides implicit key authentication against an active attacker.
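
AKEP2 as specified in the Handbook of Applied Cryptography (Protocol 12.20), which is the protocol this slide names; the message flow is given here as an added example and is not the slide's own code. $H_k$ and $H'_{k'}$ are HMAC-SHA-256 under the two long-term keys; the `Party` class, the `tamper` hook and the message variable names are this example's own.

```python
import hashlib
import hmac
import os


def h(key, *fields):
    """H_k / H'_k' as HMAC-SHA-256; fields are length-prefixed so (B, A, Na, Nb) parses uniquely."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(2, "big") + f)
    return mac.digest()


class Party:
    def __init__(self, name, k, k_prime):
        self.name, self.k, self.k_prime = name, k, k_prime


def akep2(alice, bob, tamper=None):
    """One AKEP2 run.

    `tamper(msg_no, msg)` models an active attacker rewriting a message in transit.
    Returns (alice_key, bob_key); None marks a party that aborted.  Each side
    already knows whom it intends to talk to, so the expected peer name is
    compared with the received one.
    """
    n_a = os.urandom(16)
    m1 = n_a                                            # 1. A -> B: N_a
    if tamper:
        m1 = tamper(1, m1)

    n_b = os.urandom(16)
    body2 = (bob.name, alice.name, m1, n_b)             # 2. B -> A: (B, A, N_a, N_b), H_k(B, A, N_a, N_b)
    m2 = (body2, h(bob.k, *body2))
    if tamper:
        m2 = tamper(2, m2)

    body2_rcv, tag2 = m2
    if body2_rcv[:3] != (bob.name, alice.name, n_a) or \
            not hmac.compare_digest(tag2, h(alice.k, *body2_rcv)):
        return None, None           # Alice aborts: bad tag, or N_a is not hers (replay)
    n_b_rcv = body2_rcv[3]
    alice_key = h(alice.k_prime, n_b_rcv)               # W = H'_k'(N_b)

    body3 = (alice.name, n_b_rcv)                       # 3. A -> B: (A, N_b), H_k(A, N_b)
    m3 = (body3, h(alice.k, *body3))
    if tamper:
        m3 = tamper(3, m3)

    body3_rcv, tag3 = m3
    if body3_rcv != (alice.name, n_b) or \
            not hmac.compare_digest(tag3, h(bob.k, *body3_rcv)):
        return alice_key, None      # Bob aborts
    return alice_key, h(bob.k_prime, n_b)
```

Authentication comes only from k (the MACs), and the session key only from k' and $N_b$; using two keys keeps a MAC forgery from ever revealing key material, and the nonces make a recorded message 2 useless in a later run.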

Page 17: Key Agreement

3.1. AKEP2

AKEP2 looks good and is very efficient, but it has two limitations:

■ The two parties must share secrets in advance. Sometimes this is impractical.

■ A user who communicates with many people has to maintain a table of shared secrets, one per peer.

A new solution is to introduce a trusted server S by requiring each party to share a single secret with the server, as in the following protocol.

Page 18: Key Agreement

3.2. The NS Protocol

The symmetric Needham-Schroeder (NS) protocol:

■ Na, Nb: nonces.

■ $K_{as}$, $K_{bs}$: long-term keys shared between A and S, and between B and S, respectively.

■ The first three messages are used to transfer K; the last two are a challenge-response under K.

Page 19: Key Agreement

3.2. The NS Protocol

The NS protocol is vulnerable to a replay attack, in which an attacker Cindy impersonates A to B by reusing a compromised old session key K together with the old message $E_{K_{bs}}(K, A)$ that delivered it to B.

■ The attack shows that the NS protocol does not provide key freshness: from B's point of view, K need not be a newly generated key.

■ Repair: insert a timestamp T into the key certificate for Bob, i.e. $E_{K_{bs}}(T, K, A)$, so that B can reject stale certificates.

Page 20: Key Agreement

3.2. The NS Protocol

■ The above discussed symmetric NS protocol has been extended to Kerberos, a system developed at MIT within the project Athena in the 1980s.

■ The public-key version of the NS protocol is also interesting, especially because of an attack found by Gavin Lowe 17 years after the protocol was published. This is also a good example showing that security protocols are notoriously error-prone.

Page 21: Key Agreement

3.3. Password-based Protocols

■ In the NS protocol, both parties need to share long-term secrets with the server. For humans, long secret keys are not easy to memorize.

■ One naive approach is to use passwords as the long-term secrets. For example, let $K_{bs} = P_{bs}$, a password shared between B and S, in the NS protocol.

■ However, this approach is vulnerable to an off-line dictionary attack, since passwords are short strings with low entropy. That is, an attacker who has recorded $E_{P_{bs}}(K, A)$ can try every candidate P' to decrypt it; if the resulting plaintext has the suffix A, P' is very likely the correct password, and no further interaction with B or S is needed.

Page 22: Key Agreement

3.3. Password-based Protocols

The following Encrypted Key Exchange (EKE) protocol can resist the off-line dictionary attack:

■ PK is an ephemeral public key generated by A.

■ B transfers K to A using double encryption.

■ Why is the EKE protocol immune to the off-line dictionary attack?

Page 23: Key Agreement

3.4. Group Key Agreement

The Burmester-Desmedt (BD) protocol for n parties:

■ Indices are taken cyclically (modulo n).

■ The BD protocol provides implicit key authentication against a passive attacker under the CDH assumption.
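
The BD construction (Burmester and Desmedt, Eurocrypt '94) carried out for n parties, as an added example that is not from the slides. It uses the toy group p = 1019, q = 509, g = 4 (q | p-1, g of order q), far too small for real use, and checks that every party reaches the same key $g^{r_1 r_2 + r_2 r_3 + \cdots + r_n r_1}$, which is what the two broadcast rounds compute; the returned transcript is everything a passive attacker sees. Function names are this example's own.

```python
import random

P, Q, G = 1019, 509, 4            # toy group: p = 2q + 1, g = 2^2 has order q in Z_p^*


def bd_round1(secrets):
    """Round 1: every U_i broadcasts z_i = g^{r_i}."""
    return [pow(G, r, P) for r in secrets]


def bd_round2(i, r_i, z):
    """Round 2: U_i broadcasts X_i = (z_{i+1} / z_{i-1})^{r_i}; indices wrap mod n."""
    n = len(z)
    nxt, prv = z[(i + 1) % n], z[(i - 1) % n]
    inv_prv = pow(prv, Q - 1, P)            # prv has order q, so prv^{q-1} = prv^{-1}
    return pow(nxt * inv_prv % P, r_i, P)


def bd_key(i, r_i, z, x):
    """K_i = z_{i-1}^{n r_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i-2}^{1}.

    Writing A_j = g^{r_{j-1} r_j}, we have X_j = A_{j+1} / A_j, so the product
    telescopes to A_1 * ... * A_n regardless of which party computes it.
    """
    n = len(z)
    k = pow(z[(i - 1) % n], n * r_i, P)
    for j in range(n - 1):
        k = k * pow(x[(i + j) % n], n - 1 - j, P) % P
    return k


def run_bd(secrets):
    """Run both rounds for all parties. Returns (per-party keys, public transcript)."""
    z = bd_round1(secrets)
    x = [bd_round2(i, r, z) for i, r in enumerate(secrets)]
    keys = [bd_key(i, r, z, x) for i, r in enumerate(secrets)]
    return keys, {"z": z, "X": x}           # the transcript is all a passive attacker sees


def expected_key(secrets):
    """The value every party should reach: g^{r_1 r_2 + r_2 r_3 + ... + r_n r_1}."""
    n = len(secrets)
    exponent = sum(secrets[i] * secrets[(i + 1) % n] for i in range(n)) % Q
    return pow(G, exponent, P)


if __name__ == "__main__":
    rng = random.Random(1)                  # fixed seed: toy reproducibility only
    secrets = [rng.randrange(1, Q) for _ in range(5)]
    keys, transcript = run_bd(secrets)
    print(keys, keys[0] == expected_key(secrets))
```

Each party does one exponentiation per round plus n small ones for the key, and the transcript contains no signatures, which is why the slide's guarantee is only against a passive attacker: an active Cindy can substitute any $z_i$ or $X_i$ exactly as on Page 9.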

(The following diagram belongs to the STS protocol of Page 10; extraction displaced it to this page.)

1. $A \to B:\ g^x$

2. $B \to A:\ g^y,\ E_K(Sig_B(g^y, g^x))$

3. $A \to B:\ E_K(Sig_A(g^x, g^y))$

Output: $K_A = (g^y)^x = g^{xy}$, $K_B = (g^x)^y = g^{xy}$.

Page 24: Key Agreement

4. Summary

■ Introduced the basic concepts and mechanisms for key agreement.

■ Addressed security requirements, such as key confirmation, (implicit and explicit) key authentication, and key freshness.

■ Reviewed a number of well-known protocols and discussed their security features and weaknesses.

■ Illustrated the man-in-the-middle attack, the replay attack, and the off-line dictionary attack.

Page 25: Key Agreement

Questions and Comments?