2/24/2012

IT Faculty – DaLat University

February - 2012

Key Exchange Protocols

Encryption

For a plaintext M, a crypto algorithm A and a cryptographic key K, the ciphertext M' is calculated as follows:

M' = A(K, M) = {M}K

Perfect Encryption

i) Without the key K (in the case of a symmetric cryptosystem), or the matching private key of K (in the case of an asymmetric cryptosystem), the ciphertext {M}K does not provide any cryptanalytic means for finding the plaintext message M.

ii) The ciphertext {M}K, possibly together with some known information about the plaintext message M, does not provide any cryptanalytic means for finding the key K (in the case of a symmetric cryptosystem), or the matching private key of K (in the case of an asymmetric cryptosystem).

The Dolev-Yao Threat Model

In that model:

Malice (can):

• can obtain any message passing through the network
• is a legitimate user of the network, and thus in particular can initiate a conversation with any other user
• will have the opportunity to become a receiver to any principal
• can send messages to any principal by impersonating any other principal

Malice (cannot):

• cannot guess a random number which is chosen from a sufficiently large space
• without the correct secret (or private) key, cannot retrieve plaintext from given ciphertext, and cannot create valid ciphertext from given plaintext, with respect to the perfect encryption algorithm
• cannot find the private component, i.e., the private key, matching a given public key
• while he may have control of a large public part of our computing and communication environment, in general, he is not in control of many private areas of the computing environment, such as accessing the memory of a principal's offline computing device

Suppose that two principals Alice and Bob wish to communicate with each other in a secure manner.

• Suppose also that Alice and Bob have never met before, so they do not already share a secret key between them and do not already know for sure the other party's public key.
• Then how can they communicate securely over completely insecure networks?

1. Alice generates K at random, creates {K}KAT, and sends to Trent: Alice, Bob, {K}KAT
2. Trent finds keys KAT, KBT, decrypts {K}KAT to reveal K, creates {K}KBT and sends to Bob: Alice, Bob, {K}KBT
3. Bob decrypts {K}KBT to reveal K, forms and sends to Alice: {Hello Alice, I'm Bob!}K

Problem: K created by Alice is not strong enough; Bob is unhappy about this.

New protocol: “Session key from Trent”

An attack

This attack will only succeed if Malice is a legitimate user known to Trent, which is a realistic assumption: an insider attacker is often more of a threat than outsiders.

A fix:

1. Alice sends to Trent: Alice, {Bob}KAT;

Another attack

1. Alice sends to Trent: Alice, {Bob}KAT;
1. Malice("Alice") sends to Trent: Alice, {Malice}KAT

Instead, Malice can alter the message from Trent to Alice (message line 2 in Protocol "Session Key From Trent") into the following:

Malice("Trent") sends to Alice: {K'}KAT

Malice can alter some protocol messages without detection. This suggests that the protocol needs a security service which can guard against tampering of messages. This brings us to the following security service: “Protocol with message authentication”.

Protocol with Message Authentication

Malice has always been able to alter some protocol messages without detection. None of the protocols designed so far has provided any cryptographic protection against message alteration. Thus, one way to fix these protocols is to provide such protection.

The protection should enable legitimate principals who have the right cryptographic keys to detect any unauthorized alteration of any protected protocol messages. Such protection or security service is called message authentication (also called data integrity).

We observe that Malice's alteration of the protocol messages has caused the following two effects:

• a session key is shared between the wrong principals
• a wrong session key gets established

Message authentication protection should provide a cryptographic binding between the session key to be established and its intended users.

This leads to a new protocol, “Message Authentication”, where the identities of Alice and Bob are included in the encrypted message parts sent by Trent.

Perfect Encryption with Notation {M}K (for message authentication service)

iii) Without the key K, even with the knowledge of the plaintext M, it should be impossible for someone to alter {M}K without being detected by the recipient during the time of decryption.

Attack on Protocol "Message Authentication"

Problem: message replay attack.

• Malice intercepts Alice's request, then:

1. Alice sends to Malice(“Trent”)
2. Malice(“Trent”) sends to Alice: {Bob, K'}KAT, {Alice, K'}KBT

• The two ciphertext blocks containing K' are a replay of old messages which Malice has recorded from a previous run of the protocol (between Alice and Bob).
• This attack will cause Alice and Bob to reuse the old session key K'.
• Since K' is old, it may be possible for Malice to have discovered its value.

Protocol “challenge-response”

Using this method, Alice will generate a new random number NA at the start of the protocol and send this to Trent with the request for a new session key.

The random number NA created by Alice for enabling the challenge-response mechanism is called a nonce, which stands for a number used once.
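The checks discussed so far (property iii, the identity bound into Trent's ciphertext, and the nonce) can be exercised on Alice's half of Trent's reply. This is an added example, not code from the slides: the function and field names are hypothetical, and `seal`/`unseal` are a toy encrypt-then-MAC stand-in for {M}K built from the Python standard library.

```python
import hashlib, hmac, json, os

def _xor(data, key, iv):
    # Toy stream cipher: SHAKE-256 keystream. Illustrative only, not production crypto.
    stream = hashlib.shake_256(b"enc" + key + iv).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, fields):
    """Stand-in for {M}K with property iii): encrypt, then MAC over iv + ciphertext."""
    iv = os.urandom(16)
    ct = _xor(json.dumps(fields).encode(), key, iv)
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext was altered")
    return json.loads(_xor(ct, key, iv))

def trent_part_for_alice(kat, peer, k, na):
    """Alice's half of Trent's reply: {peer, K}KAT, extended with her nonce NA."""
    return seal(kat, {"peer": peer, "k": k.hex(), "na": na.hex()})

def alice_accepts(kat, blob, peer, na=None):
    """True if the block is intact, names Alice's intended peer and, when she
    sent a nonce in this run, echoes that nonce."""
    try:
        m = unseal(kat, blob)
    except ValueError:
        return False
    return m["peer"] == peer and (na is None or m["na"] == na.hex())

def demo():
    kat = os.urandom(32)                      # long-term key shared by Alice and Trent
    old_na, new_na = os.urandom(16), os.urandom(16)
    recorded = trent_part_for_alice(kat, "Bob", os.urandom(16), old_na)  # old run
    flipped = recorded[:20] + bytes([recorded[20] ^ 1]) + recorded[21:]
    fresh = trent_part_for_alice(kat, "Bob", os.urandom(16), new_na)
    for_malice = trent_part_for_alice(kat, "Malice", os.urandom(16), new_na)
    return {
        "replay, no nonce check": alice_accepts(kat, recorded, "Bob"),
        "replay, nonce check": alice_accepts(kat, recorded, "Bob", new_na),
        "fresh reply": alice_accepts(kat, fresh, "Bob", new_na),
        "altered ciphertext": alice_accepts(kat, flipped, "Bob"),
        "wrong peer bound": alice_accepts(kat, for_malice, "Bob", new_na),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The replayed block is a genuine ciphertext from Trent, so integrity and identity checks alone accept it; only the comparison against the nonce of the current run rejects it.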

An attack on the Needham-Schroeder symmetric key authentication protocol:

Bob thinks he is sharing a new session key with Alice while actually the key is an old one and may be known to Malice.

Solution

A Protocol Using Public-key Cryptosystems

Called the Needham-Schroeder Public-key Authentication Protocol

Alice's public key is KA, Alice's private key is KA^-1

An attack on public key authentication protocol

Found after 17 years.

Result: Bob thinks he is sharing secrets NA, NB with Alice while actually sharing them with Malice.

Method: Malice makes use of Alice as she is trying to establish a connection with him.

Malice may ask for a session key and Bob may believe that this request is from Alice.

• Then, as an example, if Bob is a bank, Malice(“Alice”) sends to Bob the following command:

{NA, NB, “Transfer 5000$ from my account to Malice's”}KB

It is fairly easy to change the protocol so as to prevent the attack, if we include the responder's identity in message 6 of the protocol:

2-6. Bob sends to Malice("Alice"): {Bob, NA, NB}KA

This is what we are using nowadays.
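A symbolic model of the check that the identity in message 6 gives Alice, as an added example that is not part of the original slides. Encryption is modelled as a tagged tuple that only the key owner can open; the function names are hypothetical, and the formats of messages 3 and 7 ({NA, Alice}KB and {NB}KB) are taken from the standard description of the protocol, not from this page.

```python
def enc(owner, *fields):
    """Symbolic {fields}K_owner: perfect encryption, only `owner` can open it."""
    return (owner, fields)

def dec(me, msg):
    owner, fields = msg
    if owner != me:
        raise PermissionError(f"{me} does not hold the private key of {owner}")
    return fields

def bob_msg6(msg3, nb, fixed):
    """Bob answers message 3 {NA, initiator}KB under the initiator's public key."""
    na, initiator = dec("Bob", msg3)
    return enc(initiator, "Bob", na, nb) if fixed else enc(initiator, na, nb)

def alice_msg7(peer, na, msg6, fixed):
    """Alice validates message 6; returns message 7 {NB}K_peer, or None to abort."""
    fields = dec("Alice", msg6)
    if fixed and fields[0] != peer:   # responder identity must match her intended peer
        return None
    got_na, nb = fields[-2:]
    return enc(peer, nb) if got_na == na else None

def honest_run(fixed):
    """Alice and Bob alone: Bob receives his nonce back in message 7."""
    msg6 = bob_msg6(enc("Bob", "NA", "Alice"), "NB", fixed)
    msg7 = alice_msg7("Bob", "NA", msg6, fixed)
    return msg7 is not None and dec("Bob", msg7) == ("NB",)

def nb_exposed_to_third_party(fixed):
    """Alice opens a run with Malice, who re-encrypts her message 3 for Bob and
    forwards Bob's message 6 to her unopened. Does her message 7 hand over NB?"""
    msg1_3 = enc("Malice", "NA", "Alice")               # 1-3: Alice -> Malice
    msg2_3 = enc("Bob", *dec("Malice", msg1_3))         # 2-3: relayed to Bob as "Alice"
    msg2_6 = bob_msg6(msg2_3, "NB", fixed)              # 2-6: sealed under KA
    msg1_7 = alice_msg7("Malice", "NA", msg2_6, fixed)  # 1-6 in, 1-7 out (or abort)
    return msg1_7 is not None and dec("Malice", msg1_7) == ("NB",)

if __name__ == "__main__":
    for fixed in (False, True):
        print(f"fixed={fixed}: honest run ok={honest_run(fixed)}, "
              f"NB exposed={nb_exposed_to_third_party(fixed)}")
```

Without the identity, message 6 carries nothing that tells Alice which responder produced NB; with it, she aborts before releasing NB, and the honest run still completes.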