Title: PowerPoint presentation
1 Recent developments in group key exchange
Mike Burmester, Information Security Summer School 2005, Florida State University
2 Outline
- 1. Secure Communication
- 2. Key Distribution
  - the Diffie-Hellman protocol
  - variants, attacks
  - authentication
  - conference protocols
- 3. Public Key Certificates
  - trust-graphs
  - hierarchical vs horizontal structures
  - security
- 4. Conclusion
3 1. Secure Communication
[Figure: the Sender (Alice) sends a message to the Receiver (Bob) over a channel watched by an Adversary.]
Security issues
4 Symmetric keys (privacy)
[Figure: Alice encrypts the plaintext with E under SK and sends the ciphertext; Bob decrypts with D under SK to recover the plaintext. SK is shared over a private channel.]
- Security issue: how to distribute the secret key SK
5 Public Keys (privacy)
[Figure: Alice encrypts the plaintext with E under Bob's public key PKB and sends the ciphertext; Bob decrypts with D under his secret key SKB. PKB reaches Alice over an authentication channel.]
Security issues
- It should be hard to compute SKB from PKB
- How do we distribute PKB
6 Public Keys (digital signatures)
[Figure: Alice signs m with S under her secret key SKA and sends (m, sig_SKA(m)); Bob verifies with V under PKA and outputs accept (a) or reject (r). PKA reaches Bob over an authentication channel.]
Security issues
- It should be hard to compute SKA from PKA
- How to distribute PKA
7 2. Key Exchange protocols: the Diffie-Hellman protocol
$\mathbb{Z}_p = \{0, 1, \ldots, p-1\}$, $p$ prime, $g$ a generator of $\mathbb{Z}_p$
Alice's public key $g^{s_a} \bmod p$, $0 < s_a < p-1$, private key $s_a$
Bob's public key $g^{s_b} \bmod p$, $0 < s_b < p-1$, private key $s_b$
[Figure: Alice sends $g^{s_a} \bmod p$ to Bob; Bob sends $g^{s_b} \bmod p$ to Alice.]
Key exchanged: $SK = g^{s_a s_b} \bmod p$
8 Security
It should be hard to compute SK from PK.
Freshness of keys
If the same key is used many times then the
security of the system may be undermined.
9 What if 3 or more parties want to share a common secret key?
[Figure: a tree with root A; A is linked to B and C, B to D and E, C to F. The edges A-B, A-C and B-D are labelled $K/SK_{AB}$, $K/SK_{AC}$ and $K/SK_{BD}$.]
1. Use DH to get $SK_{AB}$, $SK_{BD}$, $SK_{BE}$, $SK_{AC}$, $SK_{CF}$.
2. A selects the secret key $K$ at random from $\mathbb{Z}_p$.
3. A sends $K/SK_{AB}$ to B and $K/SK_{AC}$ to C.
4. B gets $K$ from $K/SK_{AB}$ and sends $K/SK_{BD}$ to D, etc.
10 Group Key Exchange: contributory schemes
[Figure: users $U_1, U_2, U_3, \ldots, U_{n-1}, U_n$ arranged in a ring.]
Round 1: Use DH. $U_i$ broadcasts $z_i = g^{r_i}$.
11 Group Key Exchange
[Figure: the ring of users, with the DH key of each pair of neighbours on the connecting edge ($K_{12}$, $K_{23}$, ..., $K_{n-1,n}$).]
Round 1: Each $U_i$ computes the DH key $K_i = g^{r_i r_{i+1}}$.
12 Group Key Exchange
[Figure: the same ring with edge keys $K_{12}$, $K_{23}$, ..., $K_{n-1,n}$.]
Round 1 end: Group key $K = K_1 K_2 \cdots K_n$, where $K_i = K_{i,i+1}$. But how????
13 Group Key Exchange
[Figure: the ring, now labelled with each user's key $K_i$ ($K_2$, ..., $K_{n-1}$, $K_n$).]
Round 2: $U_i$ broadcasts $x_i = K_i / K_{i-1}$.
14 Group Key Exchange
[Figure: the ring with the key $K_i$ at each user.]
Round 2: Each $U_i$ computes the key
$$K = K_{i-1}^{\,n} \cdot x_i^{\,n-1} \cdot x_{i+1}^{\,n-2} \cdots x_{i-2} = K_{i-1}^{\,n} \cdot (K_i/K_{i-1})^{n-1} \cdot (K_{i+1}/K_i)^{n-2} \cdots (K_{i-2}/K_{i-3})$$
(indices taken mod $n$; the product telescopes to $K_1 K_2 \cdots K_n$).
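The two rounds above worked through numerically, as an added example that is not code from the slides: a toy Burmester-Desmedt run in Python over a small constructed prime, where each party uses only its own $r_i$ and the broadcast $z$ and $x$ values, and every party ends with the same key $K_1 K_2 \cdots K_n$. The parameters and function names are assumptions made for the example.

```python
import secrets

# Toy public parameters, constructed for illustration only; a real system uses a large
# prime (or an elliptic-curve group). 5 generates the multiplicative group of Z_23.
P, G = 23, 5

def round1(r_i, p=P, g=G):
    """U_i broadcasts z_i = g^{r_i} mod p (its Diffie-Hellman share)."""
    return pow(g, r_i, p)

def round2(i, r_i, z, p=P):
    """U_i uses the broadcasts of its two ring neighbours to form the DH keys
    K_{i-1} = z_{i-1}^{r_i} and K_i = z_{i+1}^{r_i}, and broadcasts x_i = K_i / K_{i-1}.
    Returns (x_i, K_{i-1}); U_i keeps K_{i-1} for the final step."""
    n = len(z)
    k_prev = pow(z[(i - 1) % n], r_i, p)
    k_i = pow(z[(i + 1) % n], r_i, p)
    x_i = k_i * pow(k_prev, -1, p) % p          # division = multiply by the inverse mod p
    return x_i, k_prev

def final_key(i, k_prev, x, p=P):
    """K = K_{i-1}^n * x_i^{n-1} * x_{i+1}^{n-2} * ... * x_{i-2}  (indices mod n)."""
    n = len(x)
    key = pow(k_prev, n, p)
    for j in range(n - 1):
        key = key * pow(x[(i + j) % n], n - 1 - j, p) % p
    return key

def expected_key(r, p=P, g=G):
    """Reference value K_1 K_2 ... K_n = prod g^{r_i r_{i+1}}; needs every secret r_i."""
    n, key = len(r), 1
    for i in range(n):
        key = key * pow(g, r[i] * r[(i + 1) % n], p) % p
    return key

def run_bd(n, r=None, p=P, g=G):
    """Simulate all n parties; returns (list of per-party keys, the secrets used)."""
    r = r or [1 + secrets.randbelow(p - 2) for _ in range(n)]   # r_i in 1..p-2
    z = [round1(r[i], p, g) for i in range(n)]                 # round 1 broadcasts
    step = [round2(i, r[i], z, p) for i in range(n)]           # round 2 broadcasts
    x = [x_i for x_i, _ in step]
    keys = [final_key(i, step[i][1], x, p) for i in range(n)]
    return keys, r

if __name__ == "__main__":
    keys, r = run_bd(5)
    print("all parties agree:", len(set(keys)) == 1, "key =", keys[0])
```

An eavesdropper sees only the $z_i$ and $x_i$ values; the reference function `expected_key` is there to check the simulation and needs all the secrets.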
15 Authentication 1
How does Alice know that the shared secret key
has been distributed to all the parties in the
conference?
16 Group Key Exchange: authentication
- Each $U_i$ authenticates (digitally signs) its randomness $r_i$, its $z_i$ and $x_i$,
- and after checking them authenticates the string $(U_i, r_i, z_i, x_i)$.
17 Authentication 2
How can Alice be certain which key is Bob's public key?
1. They may have met earlier and exchanged public keys.
2. They may have mutual friends who know their public keys: Alice → Carol → Bob, or Alice → Carol → ... → Bob.
Case 1 establishes an a priori trust relationship.
Case 2 establishes an induced trust relationship.
18 3. Public Key Certificates
Who is who?
PK CERTIFICATE: "The public key of Bob is 010010010 ..." Signed by a Certifying Authority.
A PK Certificate establishes authenticity and provides a means by which a public key can be stored in partially insecure repositories, or transmitted over insecure channels.
19 Trust-graphs
Certificates can be used to model the confidence of a network in its public keys by a directed trust-graph, with vertices the entities and edges the certificates.
[Figure: a trust-graph with vertices A, B, C, D, E, F and certificate edges $C_{AB}$ (A → B), $C_{AC}$ (A → C), $C_{BD}$ (B → D), $C_{BE}$ (B → E), $C_{CF}$ (C → F).]
20 Trust-graphs
A priori confidence This is corroborated by the
certificates.
Induced confidence This is established by
trust-paths that link the entities in the
trust-graph.
21 A hierarchical infrastructure
[Figure: a root CA (RCA) certifies CA1 and CA2, which in turn certify the users U1, U2, U3, U4.]
The public key of U4 is certified by the trust-path RCA → CA2 → U4.
22 Security issues
A hacker can penetrate a CA or its computer
system and forge certificates or get certificates
for unauthorized users.
23 Threats
1. Whom should we trust (and for what)?
2. Which Bob is it?
3. Organizational (insider) attacks
4. Computer system threats: How secure is the computer system of the Certifying Authority? How secure is the computer system of Bob?
24 PGP: an unstructured approach
Pretty Good Privacy is a freeware electronic mail system that uses an unstructured authentication framework.
Users are free to decide whom they trust. PGP does not specify any specific structure for the trust-graph and for this reason is quite vulnerable.
[Figure: a chain of certificates A → A1 → ... → An → B.]
25 A horizontal approach: multiple connectivity
If the trust-graph is $(2k+1)$-connected then there are $2k+1$ vertex-disjoint trust-paths which connect any two of its vertices.
26 A 3-connected trust-graph
[Figure: a 3-connected trust-graph with three vertex-disjoint trust-paths from A to B.]
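An added example, not from the slides, that applies the criterion of slide 25 to a constructed trust-graph: it counts the vertex-disjoint trust-paths from a verifier to a subject with a unit-capacity max-flow on the vertex-split graph, and accepts the subject's public key only when at least $2k+1$ such paths exist, so that at most $k$ penetrated entities cannot sit on every path. The graph, vertex names and function names are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed toy trust-graph (not the one on the slides): each directed edge
# "issuer -> subject" is a certificate C_{issuer,subject}. A is the verifier.
TRUST_EDGES = [("A", "B"), ("A", "C"), ("A", "D"), ("B", "E"), ("C", "E"),
               ("D", "E"), ("B", "F"), ("F", "E")]

def vertex_disjoint_paths(edges, src, dst):
    """Number of internally vertex-disjoint trust-paths src -> dst (Menger's theorem):
    unit-capacity max-flow on the split graph where vertex v becomes v_in -> v_out."""
    cap = defaultdict(lambda: defaultdict(int))   # residual capacities
    nodes = {v for e in edges for v in e}
    for v in nodes:                                # every intermediate vertex carries 1 path
        cap[(v, "in")][(v, "out")] += 1 if v not in (src, dst) else len(edges)
    for u, v in edges:                             # one certificate = one unit of capacity
        cap[(u, "out")][(v, "in")] += 1
    s, t, flow = (src, "out"), (dst, "in"), 0
    while True:                                    # Edmonds-Karp, augmenting by 1 per round
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v, c in list(cap[u].items()):
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return flow
        v = t
        while parent[v] is not None:               # push one unit along the path found
            u = parent[v]
            cap[u][v] -= 1
            cap[v][u] += 1
            v = u
        flow += 1

def key_is_trustworthy(edges, verifier, subject, k):
    """Accept subject's public key only if >= 2k+1 vertex-disjoint trust-paths reach it,
    so an adversary who has penetrated at most k entities cannot control a majority of them."""
    return vertex_disjoint_paths(edges, verifier, subject) >= 2 * k + 1

if __name__ == "__main__":
    print("A->E paths:", vertex_disjoint_paths(TRUST_EDGES, "A", "E"))
    print("E's key accepted with k=1:", key_is_trustworthy(TRUST_EDGES, "A", "E", 1))
```

F is reachable from A only through B, so a single penetrated entity (B) would let the adversary substitute F's key; E, with three disjoint paths, survives one penetration.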
27 Combining horizontal and hierarchical structures
[Figure: users U1, U2, U3, U4 certified through a structure that combines horizontal and hierarchical certification.]
28 Security
A secure authentication infrastructure must be reliable, robust and survivable.
Reliability deals with faults that occur in a random manner, and is achieved by replication.
Robustness deals with maliciously induced faults.
29 Survivability
Survivability deals with the destruction of parts of the infrastructure.
The destruction may affect the entities (e.g. the CAs) as well as stored data, and may be malicious.
For survivability, the remaining entities should be able to recover enough of the infrastructure to guarantee secure communication.
30 Survivability
Reconstruction of a corrupted trust-graph
[Figure: entities U1, U2, U3, ..., Un surrounding A; some of them are faulty, under the control of the Adversary.]
Entity A asks all its neighbors for a list of their neighbors, the neighbors of their neighbors, etc.
31 Survivability
Problem
Some of the neighbors are under the control of the Adversary and may send fake certificates, relating to other entities, real or bogus.
Is it possible to reconstruct a sufficiently good approximation of the trust-graph?
32 Survivability
Answer
Yes, provided that there is a bound on the number of penetrated or destroyed sites, and that the trust-graph is sufficiently connected.
33 Reconstructing a corrupted trust-graph
The reconstruction involves several stages.
34 Conclusion
Secure key exchange can be achieved in several
ways by using cryptographic mechanisms.
Clearly there is a trade off between the
security requirements and the complexity.
35 Conclusion
If the public keys are authenticated via single trust-paths then the system is vulnerable to any penetration.
By having several vertex-disjoint authentication paths linking the entities we get robustness against penetration and survivability.