Overview of Key Establishment Techniques: Key Distribution, Key Agreement and PKI


Title: Overview of Key Establishment Techniques: Key Distribution, Key Agreement and PKI


1
Overview of Key Establishment Techniques: Key
Distribution, Key Agreement and PKI
  • Wade Trappe

2
Lecture Overview
  • We now begin our look at building protocols using
    the basic tools that we have discussed.
  • The discussion in this lecture will focus on
    issues of key establishment and the associated
    notion of authentication
  • These protocols are not real, but instead are
    meant to serve just as a high-level survey
  • Later lectures will go into specific protocols
    and will uncover practical challenges faced when
    implementing these protocols

3
Key Establishment: The Problem
  • Securing communication requires that the data is
    encrypted before being transmitted.
  • Associated with encryption and decryption are
    keys that must be shared by the participants.
  • The problem of securing the data then becomes the
    problem of securing the establishment of keys.
  • Task: If the participants do not physically meet,
    then how do the participants establish a shared
    key?
  • Two types of key establishment:
      • Key Agreement
      • Key Distribution

4
Key Distribution
  • Key Agreement protocols: the key isn't determined
    until after the protocol is performed.
  • Key Distribution protocols: one party generates
    the key and distributes it to Bob and/or Alice
    (Shamir's 3-pass, Kerberos).
  • Shamir's Three-Pass Protocol
  • Alice generates and Bob generates
    .
  • A key K is distributed by

5
Basic TTP Key Distribution
(Diagram: KDC, with keys Ka and Kb.)
1. A sends: Request || ID_A || ID_B || N1
2. KDC sends: E_Ka[K_AB || Request || ID_A || ID_B || N1 || E_Kb(K_AB, ID_A)]
3. A sends: E_Kb(K_AB, ID_A)
4. B sends: E_KAB(N2)
5. A sends: E_KAB(f(N2))
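The five messages above, run end to end as an added example (not code from the lecture). It assumes Ka is the key A shares with the KDC and Kb the key B shares with it, takes f(N2) = N2 + 1, and stands in for E with a toy SHA-256 stream cipher plus an HMAC tag; `run_protocol` and the helper names are hypothetical.

```python
import hashlib, hmac, json, os

def _xor_stream(key, nonce, data):
    # Toy stream cipher: SHA-256 in counter mode (illustration only).
    pad = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def E(key, fields):
    """E_key[fields]: encrypt a list of fields and append an HMAC tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps(fields).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified message")
    return json.loads(_xor_stream(key, nonce, ct))

def f(n):
    return n + 1  # assumed nonce transform; the slide only names it f

def run_protocol(Ka, Kb):
    # 1. A -> KDC: Request, ID_A, ID_B, N1
    request = ["Request", "A", "B", os.urandom(8).hex()]
    # 2. KDC -> A: E_Ka[K_AB, Request, ID_A, ID_B, N1, E_Kb(K_AB, ID_A)]
    K_AB = os.urandom(32).hex()
    msg2 = E(Ka, [K_AB, *request, E(Kb, [K_AB, "A"]).hex()])
    key_a, *echo, ticket = D(Ka, msg2)
    if echo != request:  # A rejects a reply to some other (older) request
        raise ValueError("reply does not match request")
    # 3. A -> B: E_Kb(K_AB, ID_A); B learns the key and who it is shared with
    key_b, peer = D(Kb, bytes.fromhex(ticket))
    # 4. B -> A: E_KAB(N2)
    N2 = int.from_bytes(os.urandom(4), "big")
    msg4 = E(bytes.fromhex(key_b), [N2])
    # 5. A -> B: E_KAB(f(N2)); B checks the answer, proving A holds K_AB
    msg5 = E(bytes.fromhex(key_a), [f(D(bytes.fromhex(key_a), msg4)[0])])
    return peer, D(bytes.fromhex(key_b), msg5)[0] == f(N2)
```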
6
Key Agreement
  • In many scenarios, it is desirable for two
    parties to exchange messages in order to
    establish a shared secret that may be used to
    generate a key.
  • The Diffie-Hellman (DH) protocol is a basic tool
    used to establish shared keys in two-party
    communication.
  • Two parties, A and B, establish a shared secret
    by
  • The security of the DH scheme is based upon the
    intractability of the Diffie-Hellman Problem.
  • The Diffie-Hellman scheme can be extended to work
    on arbitrary groups (e.g. Elliptic Curves).

7
Intruder In The Middle
  • The Intruder-in-the-Middle attack on
    Diffie-Hellman is based upon the following
    strategy to improve one's chess ranking:
  • Eve challenges two grandmasters, and uses GM1's
    moves against GM2. Eve can either win one game,
    or tie both games.
  • Eve has and can perform the
    Intruder-in-the-Middle attack by

(Diagram: Alice, Eve and Bob. Eve decrypts data with KAE, uses the data and encrypts with KBE; Bob decrypts data with KBE.)
8
Station-to-Station Protocol
  • Digital signatures can be used to prevent this
    protocol failure (STS Protocol).
  • A digital signature is a scheme that ties a
    message and its author together.
  • Private sig( ) function and Public ver( )
    function.

(Diagram: each side verifies sig.)
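An added simulation, not part of the original slides, covering the last three slides: plain Diffie-Hellman, the same exchange with Eve substituting her own exponential, and a signed variant in the spirit of STS. The group, the textbook-RSA `sig`/`ver` pair and all function names are toy assumptions, and the encryption of the signatures under the session key that STS also applies is left out.

```python
import hashlib
import secrets

P, G = 2**521 - 1, 3   # toy DH group (Mersenne prime modulus), constructed for this demo
E = 65537              # toy RSA public exponent

def toy_rsa_key(p, q):
    """Textbook RSA (n, d) from two fixed Mersenne primes; illustration only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _h(vals, n):
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % n

def sig(key, *vals):             # private sig() function
    n, d = key
    return pow(_h(vals, n), d, n)

def ver(n, s, *vals):            # public ver() function
    return pow(s, E, n) == _h(vals, n)

ALICE = toy_rsa_key(2**61 - 1, 2**89 - 1)
BOB = toy_rsa_key(2**107 - 1, 2**127 - 1)

def exchange(intruder=False, signed=False):
    x, y, z = (secrets.randbelow(P - 3) + 2 for _ in range(3))
    gx, gy, gz = pow(G, x, P), pow(G, y, P), pow(G, z, P)
    # Values as received: Eve replaces both exponentials with her own g^z.
    at_bob, at_alice = (gz, gz) if intruder else (gx, gy)
    if signed:
        # Each side signs (its own exponential, the one it received).
        # Eve holds neither private key, so she can only relay these.
        s_bob, s_alice = sig(BOB, gy, at_bob), sig(ALICE, gx, at_alice)
        ok_at_alice = ver(BOB[0], s_bob, at_alice, gx)
        ok_at_bob = ver(ALICE[0], s_alice, at_bob, gy)
        if not (ok_at_alice and ok_at_bob):
            return "rejected"
    k_alice, k_bob = pow(at_alice, x, P), pow(at_bob, y, P)
    if k_alice == k_bob:
        return "shared"
    # Eve knows z, so she can compute both K_AE and K_BE.
    eve_has_both = (pow(gx, z, P), pow(gy, z, P)) == (k_alice, k_bob)
    return "split" if eve_has_both else "error"
```

Without signatures the substituted exchange ends in two different keys, both known to Eve; with signatures over both exponentials the same substitution is rejected before any key is used.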
9
N-to-N Group Key Establishment
  • Many group scenarios require contributory key
    establishment protocols.
  • 1-to-1 Key Establishment: Diffie-Hellman (DH)
    protocol
  • Two parties, A and B, establish a shared secret
    by
  • Extensions to multi-user scenarios:
      • Ingemarsson: requires N-1 rounds and O(N^2)
        exponentiations
      • Burmester-Desmedt: requires 2 rounds but full
        broadcast
      • GDH (Steiner et al.): requires N rounds and O(N)
        exp.

10
Butterfly Group Diffie-Hellman
(Figure: example with eight users, u1 to u8.)
  • Can be extended to arbitrary radix b using
    Ingemarsson as the basic building block.
  • Total Rounds
  • Total Messages
  • Optimal radix in both cases is 2.
11
The Conference Tree
  • Group key formation procedure is described by:
      • Communication flow diagram
      • Conference Tree
  • Conference tree describes the subgroups and
    subgroup keys.

(Figure: conference tree over users u1 to u8, with keys labelled K000, K001, K010, K011, K100, K101, K110 and K111.)
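An added sketch of the radix-2 butterfly for eight users, not taken from the slides. It assumes that in round r each user runs a two-party DH exchange with the user whose index differs in bit r, using the key from the previous round as its exponent; the group parameters and the function name `butterfly` are constructed for the example, and indices 0 to 7 stand for u1 to u8.

```python
import secrets

P, G = 2**521 - 1, 3   # toy DH group, constructed for this demo

def butterfly(n_users):
    """Run log2(n) rounds of pairwise DH; return (keys, rounds, messages, subgroups)."""
    rounds = n_users.bit_length() - 1
    if n_users < 2 or n_users != 1 << rounds:
        raise ValueError("this sketch handles radix 2 only: n must be a power of 2")
    # Round-0 secrets are private exponents; later rounds reuse the subgroup key.
    secret = [secrets.randbelow(P - 3) + 2 for _ in range(n_users)]
    messages, subgroups = 0, []
    for r in range(rounds):
        # Every user sends g^secret to the partner whose index differs in bit r.
        sent = [pow(G, s, P) for s in secret]
        messages += n_users
        secret = [pow(sent[i ^ (1 << r)], secret[i], P) for i in range(n_users)]
        # Conference-tree check: users sharing the index prefix i >> (r + 1)
        # must hold one common subgroup key, so this counts the subgroups.
        subgroups.append(len({(i >> (r + 1), k) for i, k in enumerate(secret)}))
    return secret, rounds, messages, subgroups
```

For eight users the run takes 3 rounds and 24 messages, and the subgroup count falls 4, 2, 1 as the subgroups merge into the full conference.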
12
Distribution of Public Keys
  • There are several techniques proposed for the
    distribution of public keys:
      • Public announcement
      • Publicly available directory
      • Public key authority
      • Public key certificates

13
Public Announcement
  • Idea: Each person can announce or broadcast their
    public key to the world.
  • Example: People attach their PGP or RSA keys at
    the end of their emails.
  • Weakness:
      • No authenticity: anyone can forge such an
        announcement.
      • User B could pretend to be User A, but really
        announce User B's public key.

14
Public Directory Service
  • Idea: Have a public directory or phone book of
    public keys. This directory is under the
    control/maintenance of a trusted third party
    (e.g. the government).
  • Involves:
      • Authority maintains a directory of (name, PK)
        pairs.
      • Each user registers public key. Registration
        should involve authentication.
      • A user may replace or update keys.
      • Authority periodically publishes directory or
        updates to directory.
      • Participants can access directory through secure
        channel.
  • Weaknesses:
      • If private key of directory service is
        compromised, then opponent can pretend to be
        directory service.
      • Directory is a single point of failure.

15
Public Key Authority
  • Idea: More security is achieved if the authority
    has tighter control over who gets the keys.
  • Assumptions:
      • Central authority maintains a dynamic directory
        of public keys of all users.
      • Central authority only gives keys out based on
        requests.
      • Each user knows the public key of the authority.
  • Weaknesses:
      • Public Key Authority is a single point of
        failure.
      • User has to contact PK Authority, thus the PK
        Authority can be a bottleneck for service.

16
Public Key Authority, protocol
(Diagram: PK Auth, A and B.)
1. A sends: Request || Time1
2. PK Auth sends: E_dAuth[e_B || Request || Time1]
3. A sends B: E_eB(ID_A || N1)
4 and 5. B does steps 1 and 2.
6. B sends: E_eA(N1 || N2)
7. A sends: E_eB(N2)
17
Public Key Certificates
  • Idea: Use certificates! Participants exchange
    keys without contacting a PK Authority in a way
    that is reliable.
  • Certificates contain:
      • A public key (created/verified by a certificate
        authority).
      • Other information.
  • Certificates are given to a participant using the
    authority's private key.
  • A participant conveys its key information to
    another by transmitting its certificate.
  • Other parties can verify that the certificate was
    created/verified by the authority.
  • Weakness:
      • Requires secure time synchronization.

18
Public Key Certificates, overview
(Diagram: Cert Auth, A and B.)
  • Requirements:
      • Any participant can read a certificate to
        determine the name and public key of the
        certificate's owner.
      • Any participant can verify that the certificate
        originated from the certificate authority and is
        not counterfeit.
      • Only the certificate authority can create and
        update certificates.
      • Any participant can verify the currency of the
        certificate.

19
X.509 PK Certificates
  • X.509 is a very commonly used public key
    certificate framework.
  • The certificate structure and authentication
    protocols are used in:
      • IPSec
      • SSL
      • SET
  • X.509 Certificate Format:
      • Version 1/2/3
      • Serial is unique within the CA
      • First and last time of validity

Certificate fields, in order:
  Version
  Cert Serial
  Algorithm, Parms
  Issuer Name
  Validity Time: Not before/after
  Subject Name
  PK Info: Algorithm, Parms, Key
  . . .
  Signature (w/ hash)
20
X.509 Certificate Chaining
  • It's not feasible to have one CA for a large group
    of users.
  • Suppose A knows CA X1, B knows CA X2. If A does
    not know X2's PK then CertX2(B) is useless to A.
  • If X1 and X2 have certified each other then A can
    get B's PK by:
      • A obtains CertX1(X2)
      • A obtains CertX2(B)
  • Because B has a trusted copy of X2's PK, A can
    verify B's certificate and get B's PK.
  • Certificate Chain:
      • CertX1(X2) CertX2(B)
  • Procedure can be generalized to more levels.

(Diagram: CAs X1 and X2 with CertX1(X2) and CertX2(X1), users A and B, and the chain CertX1(X2) CertX2(B).)