Key Establishment Protocols - PowerPoint PPT Presentation

1 / 15
About This Presentation
Title:

Key Establishment Protocols

Description:

... by the second party, or knowledge of such actual possession by the first party ... to avoid long-term storage of secret keys ... Example: OHP ... – PowerPoint PPT presentation

Number of Views:54
Avg rating:3.0/5.0
Slides: 16
Provided by: froderbe
Category:

less

Transcript and Presenter's Notes

Title: Key Establishment Protocols


1
Key Establishment Protocols
  • by
  • Frode Ørbeck Hansen

2
Suggested reading
  • Chapter 12 (p489-p542) in Handbook of Applied
    Cryptography (A. Menezes, P. van Oorschot, and S.
    Vanstone, CRC Press, 1996.)
  • Chapter 8 (p258-p281) in Cryptography Theory and
    Practice (D. Stinson, CRC Press, 1995)
  • Key Management Standards http//csrc.nist.gov/encr
    yption/kms/

3
Contents in Brief
  • Classification and framework
  • Key transport based on symmetric encryption
  • Key agreement based on symmetric techniques
  • Key transport based on public-key encryption
  • Key agreement based on asymmetric techniques
  • Secret Sharing
  • Conference Keying
  • Analysis of Key Establishment Protocols

4
Classification and framework
  • Key establishment a shared secret becomes
    available to two or more parties, for subsequent
    cryptographic use.
  • Key transport protocol
  • one party creates, and securely transfers a
    secret value to the other (s)
  • Key agreement protocol
  • a shared secret is derived by two (or more)
    parties as a function of information that is
    exchanged between the parties involved

5
Classification and framework
  • Key pre-distribution scheme
  • established keys are completely determined a
    priori by initial keying material
  • Dynamic key establishment scheme
  • established keys varies on subsequent execution
  • immune to known-key attack
  • Trusted servers
  • trusted third party, trusted server,
    authentication server, key distribution
    center(KDC), key translation center (KTC),
    certification authority (CA)
  • ? for initial system setup and/or on-line actions

6
Classification and framework
  • (implicit) Key authentication
  • one party is assured that no other party aside
    from a identified second party may gain access to
    a secret key
  • independent of the actual possession of such key
    by the second party, or knowledge of such actual
    possession by the first party
  • Key confirmation
  • one party is assured that a second party actually
    has possession of a particular secret key

7
Classification and framework
  • Explicit key authentication
  • implicit key authentication key confirmation
  • Session key
  • ephemeral secret
  • motivations
  • to limit available cipher text attack
  • to limit exposure
  • to avoid long-term storage of secret keys
  • to create independence across sessions or
    applications

8
Contents
  • Classification and framework
  • Key transport based on symmetric encryption
  • Key agreement based on symmetric techniques
  • Key transport based on public-key encryption
  • Key agreement based on asymmetric techniques
  • Secret Sharing
  • Conference Keying
  • Analysis of Key Establishment Protocols

9
Key transport based on sym. encryption
10
Symmetric key transport and derivation without a
server
  • Sharing of a long-term secret or not
  • (i) Point to point key update based on key
    transport (share a priori key)
  • A ? B EK(rA, tA, B) (one pass)
  • rA session key
  • Dont offer perfect forward secrecy
  • If the long-term K is compromised the above
    protocol fails completely
  • (ii) Point to point key update by key derivation
    (share a priori key)
  • The derived session key is based on per-session
    random input provided by one party
  • A? B rA (session key EK(rA))
  • (iii) Key transport without a priori shared keys
  • Key establishment over an open channel without
    shared or public keys

Prevent message replay attacks
Key freshness
11
Kerberos and related server-based protocols
  • The entities share a long term pairwise secret
    with the server
  • The server plays the role of a KDC or KTC
  • Needham-Schroeder protocol (historical
    importance)
  • Basis protocol for several other server related
    protocols (e.g. Kerberos)
  • Entity authentication (A to B)
  • Key establishment with key confirmation
  • Protocol Messages
  • A?T A, B, NA (1)
  • A?T EKAT (NA, B, k, EKBT (k, A)) (2)
  • A?B EKBT (k, A) (3) (A can
    securely cache this data if re-use of k is
    acceptable)
  • A?B Ek (NB) (4)
  • A?B Ek (NB - 1) (5)
  • REMARK B has no way of knowing if the key k is
    fresh ? if k is compromised, any party knowing it
    may resend message (3) and compute message (5).
    This particular situation is improved in the
    Kerberos protocol by a lifetime parameter that
    limits exposure to a fixed time interval.

Entity authentication
12
Kerberos and related server-based protocols
  • Kerberos authentication protocol
  • Client A interact with trusted server T and
    verifier B
  • Entity authentication of A to B (optionally
    mutual)
  • Protocol Messages
  • A?T A, B, NA (1)
  • A?T EKBT (k, A, L), EKAT (k, NA, L, B) (2)
  • A?B EKBT (k, A, L), Ek (A, TA, Asubkey) (3)
  • A?B Ek (TA, Bsubkey) (4) (Optional for
    mutual authentication)
  • NA nonce chosen by A
  • TA time stamp
  • k session key chosen by T
  • L lifetime

13
Contents
  • Classification and framework
  • Key transport based on symmetric encryption
  • Key agreement based on symmetric techniques
  • Key transport based on public-key encryption
  • Key agreement based on asymmetric techniques
  • Secret Sharing
  • Conference Keying
  • Analysis of Key Establishment Protocols

14
Key agreement based on sym. technique
  • Key distribution system(KDS)
  • a method whereby a trusted server generates and
    distributes secret data values to users
  • key pre-distribution scheme
  • unconditional security(perfect security)
  • large amount of storage required (n2 - problem)
  • k-secure KDS
  • if any coalition of k or fewer users can do no
    better at computing the key shared by the two
    than a party which guesses the key without any
    pieces
  • unconditionally secure against size k or smaller

15
Key agreement based on sym. technique
  • Bloms scheme
  • Each user is assigned a vector of initial secret
    keying material ? compute a pair wise secret key
    KU,V KV,U
  • Example
  • OHP
Write a Comment
User Comments (0)
About PowerShow.com