2/24/2012
IT Faculty – DaLat University
February - 2012
Key Exchange Protocols
Encryption
For a plaintext M, a crypto algorithm A and a cryptographic key K, the ciphertext M' is calculated as follows:
M' = A(K, M) = {M}_K
Perfect Encryption
i) Without the key K (in the case of a symmetric cryptosystem), or the matching private key of K (in the case of an asymmetric cryptosystem), the ciphertext {M}_K does not provide any cryptanalytic means for finding the plaintext message M.
ii) The ciphertext {M}_K, possibly together with some known information about the plaintext message M, does not provide any cryptanalytic means for finding the key K (in the case of a symmetric cryptosystem), or the matching private key of K (in the case of an asymmetric cryptosystem).
The Dolev-Yao Threat Model
In that model, Malice can:
• obtain any message passing through the network
• act as a legitimate user of the network, and thus in particular initiate a conversation with any other user
• have the opportunity to become a receiver to any principal
• send messages to any principal by impersonating any other principal
Malice cannot:
• guess a random number which is chosen from a sufficiently large space
• without the correct secret (or private) key, retrieve plaintext from given ciphertext, or create valid ciphertext from given plaintext, with respect to the perfect encryption algorithm
• find the private component, i.e., the private key, matching a given public key
• control many private areas of the computing environment, such as the memory of a principal's offline computing device, even though he may have control of a large public part of our computing and communication environment
• Suppose that two principals Alice and Bob wish to communicate with each other in a secure manner.
• Suppose also that Alice and Bob have never met before, so they do not already share a secret key between them and do not already know for sure the other party's public key.
• Then how can they communicate securely over completely insecure networks?
1. Alice generates K at random, creates {K}_{K_AT}, and sends to Trent: Alice, Bob, {K}_{K_AT}
2. Trent finds keys K_AT, K_BT, decrypts {K}_{K_AT} to reveal K, creates {K}_{K_BT} and sends to Bob: Alice, Bob, {K}_{K_BT}
3. Bob decrypts {K}_{K_BT} to reveal K, forms and sends to Alice: {Hello Alice, I'm Bob!}_K
Problem: K created by Alice is not strong enough; Bob is unhappy about this.
→ New protocol: “Session key from Trent”
An attack
This attack will only succeed if Malice is a legitimate user known to Trent, which is a realistic assumption: an insider attacker is often more of a threat than outsiders.
A fix: 1. Alice sends to Trent: Alice, {Bob}_{K_AT};
Another attack
1. Alice sends to Trent: Alice, {Bob}_{K_AT};
1. Malice("Alice") sends to Trent: Alice, {Malice}_{K_AT}
Instead, Malice can alter the message from Trent to Alice (message line 2 in Protocol "Session Key From Trent") into the following:
Malice("Trent") sends to Alice: {K'}_{K_AT}
Malice can alter some protocol messages without detection.
This suggests that the protocol needs a security service which can guard against tampering of messages.
This brings us to the following security service: “Protocol with message authentication”
Protocol with Message Authentication
Malice has always been able to alter some protocol messages without detection.
None of the protocols designed so far has provided any cryptographic protection against message alteration.
Thus, one way to fix these protocols is to provide such protection.
The protection should enable legitimate principals who have the right cryptographic keys to detect any unauthorized alteration of any protected protocol messages.
Such protection or security service is called message authentication (also called data integrity).
We observe that Malice's alteration of the protocol messages has caused the following two effects:
• a session key is shared between wrong principals
• a wrong session key gets established
Message authentication protection should provide a cryptographic binding between the session key to be established and its intended users.
This leads to a new protocol: “Message Authentication”, where the identities of Alice and Bob are included in the encrypted message parts sent by Trent.
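The identity binding described above, as an added example that is not part of the original slides: Trent encrypts the peer's name together with K, and the recipient accepts K only if the part authenticates and names the intended peer. The `name|K` layout, the function names and the HMAC-SHA256 stand-in for {M}_K are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# Stand-in for the slides' {M}_K, constructed for this example (not a vetted AEAD).
def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()
def _xor_stream(key, nonce, data):
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, msg):
    nonce = os.urandom(16)
    body = _xor_stream(key, nonce, msg)
    return nonce + body + _prf(key, b"mac", nonce + body)

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + body)):
        raise ValueError("message authentication failed")
    return _xor_stream(key, nonce, body)

def trent_reply(k_at, k_bt, initiator, responder):
    """Trent picks K and binds each encrypted copy to the other party's name."""
    k = os.urandom(32)
    return seal(k_at, responder.encode() + b"|" + k), seal(k_bt, initiator.encode() + b"|" + k)

def accept_key(long_term_key, blob, expected_peer):
    """Accept K only if the part authenticates and names the intended peer."""
    peer, _, k = unseal(long_term_key, blob).partition(b"|")
    if peer != expected_peer.encode():
        raise ValueError("session key is bound to a different principal")
    return k

def outcome(long_term_key, blob, expected_peer):
    try:
        accept_key(long_term_key, blob, expected_peer)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"

def demo():
    k_at, k_bt, k_mt = (os.urandom(32) for _ in range(3))
    good, _ = trent_reply(k_at, k_bt, "Alice", "Bob")
    redirected, _ = trent_reply(k_at, k_mt, "Alice", "Malice")  # Trent answered a request naming Malice
    altered = good[:20] + bytes([good[20] ^ 1]) + good[21:]       # one bit changed in transit
    return [outcome(k_at, b, "Bob") for b in (good, redirected, altered)]

print(demo())
```

The second and third results correspond to the two effects listed above: a key shared between the wrong principals, and a wrong key being established.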
Perfect encryption for message authentication service