
# CS 259

## Key Exchange Protocols

J. Mitchell
Next few lectures
Today 1/17
• Brief cryptography background
• Key exchange protocols and properties
Thursday 1/19
• Wireless security: 802.11i
Next Tues 1/24
Next Thurs 1/26
• Contract-signing protocols
Project presentation #1 2/2

## Talk about protocols for a while before looking at more tools

Basic Concepts in Cryptography
Encryption scheme:
• functions to encrypt, decrypt data
• key generation algorithm
Secret key vs. public key
• Public key: publishing key does not reveal key^-1
• Secret key: more efficient, generally key = key^-1
Hash function, MAC
• Map input to short hash; ideally, no collisions
• MAC (keyed hash) used for message integrity
Signature scheme
• Functions to sign data, verify signature
Cryptosystem
A cryptosystem consists of five parts
• A set P of plaintexts
• A set C of ciphertexts
• A set K of keys
• A pair of functions
encrypt: K × P → C
decrypt: K × C → P
such that for every key k ∈ K and plaintext p ∈ P
decrypt(k, encrypt(k, p)) = p
What is a “secure” cryptosystem?

One idea
• If enemy intercepts ciphertext, cannot recover plaintext
Issues in making this precise
• What else might your enemy know?
– The kind of encryption function you are using
– Some plaintext-ciphertext pairs from last year
– Some information about how you choose keys
• What do we mean by “cannot recover plaintext” ?
– Ciphertext contains no information about plaintext
– No efficient computation could make a reasonable guess
– Cannot use ciphertext for any nontrivial purpose

Indistinguishability game (Challenger vs. Attacker), chosen plaintext
• Attacker sends m0, m1
• Challenger replies E(mi) for a secret i
• Attacker guesses 0 or 1
Chosen ciphertext CCA1
• Attacker sends c, Challenger replies D(c)
• Attacker sends m0, m1
• Challenger replies E(mi)
• Attacker guesses 0 or 1
Chosen ciphertext CCA2
• Attacker sends c, Challenger replies D(c)
• Attacker sends m0, m1
• Challenger replies E(mi)
• Attacker sends c ≠ E(mi), Challenger replies D(c)
• Attacker guesses 0 or 1
Public-key Cryptosystem
Different keys to encrypt and decrypt
• encrypt(key, message), where key and key^-1 form a key pair

## Encryption key does not help decrypt

• Cannot compute m from encrypt(key, m) and key, unless you have key^-1
Example: RSA
Arithmetic modulo pq
• Generate secret primes p, q; let n = pq
• Generate secret numbers a, b with x^ab ≡ x mod pq
Public encryption key n, a
• Encrypt(n, a, x) = x^a mod n
Private decryption key n, b
• Decrypt(n, b, y) = y^b mod n
Main properties
• This works
• Cannot compute b from n, a
– Apparently, need to factor n = pq
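Added example (not from the lecture slides): textbook RSA with toy-sized primes, checking that "this works", and then the challenger/attacker indistinguishability game from the earlier slides played against it. Function names and the constructed primes and messages are assumptions of the example.

```python
# Added example, not part of the slides: toy textbook RSA plus the
# challenger/attacker game. All values below are constructed for illustration.
import random
from math import gcd

def rsa_keygen(p, q, a=None):
    """Return ((n, a), (n, b)) with x^(ab) ≡ x (mod n); p and q assumed prime."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if a is None:
        a = 65537 if gcd(65537, phi) == 1 else 3
    assert gcd(a, phi) == 1
    b = pow(a, -1, phi)          # a*b ≡ 1 (mod phi)  =>  x^(ab) ≡ x (mod n)
    return (n, a), (n, b)

def encrypt(pub, x):
    n, a = pub
    return pow(x, a, n)          # Encrypt(n, a, x) = x^a mod n

def decrypt(priv, y):
    n, b = priv
    return pow(y, b, n)          # Decrypt(n, b, y) = y^b mod n

def cpa_game(pub, m0, m1, attacker, rng=random):
    """Challenger picks i, sends E(m_i); attacker returns a guess.
    True when the guess is correct."""
    i = rng.randrange(2)
    c = encrypt(pub, m0 if i == 0 else m1)
    return attacker(pub, m0, m1, c) == i

def deterministic_attacker(pub, m0, m1, c):
    # Textbook RSA uses no randomness, so the attacker can simply re-encrypt
    # m0 with the public key and compare: the guess is right every time.
    return 0 if encrypt(pub, m0) == c else 1

if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)          # toy primes, n = 3233
    assert decrypt(priv, encrypt(pub, 42)) == 42
    wins = sum(cpa_game(pub, 7, 1234, deterministic_attacker) for _ in range(100))
    print(f"attacker wins {wins}/100 games")
```

The decrypt-of-encrypt check passes, yet the game is won with certainty, which is why "cannot recover plaintext" is too weak a definition and why deployed RSA adds randomized padding before exponentiation.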
Cryptographic hash functions
Length-reducing function h
• Map arbitrary strings to strings of fixed length
One way (“preimage resistance”)
• Given y, hard to find x with h(x) = y
Collision resistant
• Hard to find any distinct m, m’ with h(m) = h(m’)
Also useful: 2nd preimage resistance
• Given x and y = h(x), hard to find x’ ≠ x with h(x’) = h(x)
• Collision resistance ⇒ 2nd preimage resistance
Iterated hash functions
Repeat use of block cipher or custom function
• Pad input to some multiple of block length: x = x1 x2 … xk
• Iterate a length-reducing function f
– f : 2^2k -> 2^k reduces bits by 2
– Repeat h0 = some seed, h_i+1 = f(h_i, x_i)
• Some final function g completes calculation
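Added example (not from the slides): a toy iterated hash in the shape just described, with k = 64 bits. The compression function f : 2^2k -> 2^k is built here from SHA-256 truncated to k bits and g is the identity; both are assumptions of the example, a block-cipher-based f would fit the same frame.

```python
# Added example, not part of the slides: Merkle-Damgard style iterated hash.
import hashlib

K_BYTES = 8                        # k = 64 bits
SEED = b"\x00" * K_BYTES            # h0 = some seed

def f(h, x):
    """Compression f: two k-bit blocks in, one k-bit block out
    (assumption for the example: SHA-256 truncated to k bits)."""
    assert len(h) == K_BYTES and len(x) == K_BYTES
    return hashlib.sha256(h + x).digest()[:K_BYTES]

def pad(msg):
    """Pad to a multiple of k bits: a 0x80 byte, zeros, then the bit length
    in the last 8 bytes. Encoding the length (Merkle-Damgard strengthening)
    keeps inputs of different lengths from padding to the same block sequence."""
    padded = msg + b"\x80"
    while (len(padded) + 8) % K_BYTES:
        padded += b"\x00"
    return padded + (len(msg) * 8).to_bytes(8, "big")

def g(h):
    """Final function: here simply output the last chaining value."""
    return h

def iterated_hash(msg):
    x = pad(msg)
    h = SEED
    for i in range(0, len(x), K_BYTES):   # h_{i+1} = f(h_i, x_i)
        h = f(h, x[i:i + K_BYTES])
    return g(h)

def is_padded_correctly(msg):
    p = pad(msg)
    return len(p) % K_BYTES == 0 and len(p) > len(msg)
```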
Applications of one-way hash

## Digital signatures (collision resistant)

• Sign hash of message instead of entire message
Data integrity
• Compute and store hash of some data
• Check later by recomputing hash and comparing
Keyed hash for message authentication
• MAC – Message Authentication Code
Digital Signatures
Public-key encryption
• Alice publishes encryption key
• Anyone can send encrypted message
• Only Alice can decrypt messages with this key
Digital signature scheme
• Alice publishes key for verifying signatures
• Anyone can check a message signed by Alice
• Only Alice can send signed messages
Properties of signatures
Functions to sign and verify
• Sign(Key^-1, message)
• Verify(Key, x, m) = true if x = Sign(Key^-1, m), false otherwise
Resists forgery
• Cannot compute Sign(Key^-1, m) from m and Key
• Resists existential forgery: given Key, cannot produce Sign(Key^-1, m) for any random or otherwise arbitrary m
Key Management
Out of band
• Can set up some keys this way (Kerberos)
Public-key infrastructure (PKI)
• Leverage small # of public signing keys
Protocols for session keys
• Generate short-lived session key
• Avoid extended use of important secret
• Don’t use same key for encryption and signing
• Forward secrecy

## Cryptography reduces many problems to key management

Key Distribution: Kerberos Idea
Client shares symmetric key Kc with the Key Center; Server shares symmetric key Ks with the Key Center
Key Center generates session key Kcs and distributes using shared long-term keys
Public-Key Infrastructure
Known public signature verification key Ka
Certificate Authority issues certificate Sign(Ka, Ks) for server key Ks

## Server certificate can be verified

by any client that has CA key Ka
Certificate authority is “off line”
Key Exchange
Parties may have initial information
Generate and agree on session key
• Authentication – know ID of other party
• Secrecy – key not known to any others
• Avoid replay attack
• Forward secrecy
• Avoid denial of service
• Identity protection – disclosure to others
• Other properties you can think of???
Diffie-Hellman Key Exchange

## Assume finite group G = ⟨S, ∘⟩

• Generator g so every x ∈ S is x = g^n
• Example: integers modulo prime p
Protocol
A → B: g^a mod p
B → A: g^b mod p

## Alice, Bob share g^ab mod p not known to anyone else

Diffie-Hellman Key Exchange
A → B: g^a mod p
B → A: g^b mod p
Authentication?
Secrecy?
Replay attack
Forward secrecy?
Denial of service?
Identity protection?
IKE subprotocol from IPSEC
A → B: m1 = A, (g^a mod p)
B → A: m2
A → B: signA(m1, m2)

## Result: A and B share secret g^ab mod p

Signatures provide authentication, as long as signature verification keys are known
IPSec: Network Layer Security
• Access control and authenticate data origins
• Replay protection
• No confidentiality
• Encryption and/or authentication
Internet Key management (IKE)
• Determine and distribute secret keys
• Oakley + ISAKMP
• Algorithm independent
Security policy database (SPD)
IKE: Many modes

Main mode
• Authentication by pre-shared keys
• Auth with digital signatures
• Auth with public-key encryption
• Auth with revised public-key encryption
Quick mode
• Compress number of messages
• Also four authentication options
Aug 2001 Position Statement
• In the several years since the standardization of the IPSEC protocols (ESP, AH, and ISAKMP/IKE), … several security problems…, most notably IKE.
• Formal and semi-formal analyses by Meadows, Schneier et al, and Simpson, have shown … security problems in IKE stem directly from its complexity.
• It seems … only a matter of time before serious *implementation* problems become apparent, again due to the complex nature of the protocol, and the complex implementation that must surely follow.
• The Security Area Directors have asked the IPSEC working group to come up with a replacement for IKE.
How to study complex protocol
General Problem in Security
Divide-and-conquer is fundamental
• Decompose system requirements into parts
• Develop independent software modules
• Combine modules to produce required system

Common belief:
• Security properties do not compose

## Difficult system development problem

Example protocol

Protocol P1
A → B : {message}_KB
A → B : KA^-1

## This satisfies basic requirements

• Message is transmitted under encryption
• Revealing secret key KA^-1 does not reveal message
Similar protocol

Protocol P2
B → A : {message’}_KA
B → A : KB^-1

## Transmits msg securely from B to A

• Message is transmitted under encryption
• Revealing secret key KB^-1 does not reveal message
Composition P1; P2
Sequential composition of two protocols
A → B : {message}_KB
A → B : KA^-1
B → A : {message’}_KA
B → A : KB^-1

## Definitely not secure

• Eavesdropper learns both keys, decrypts messages
STS family
[Figure: family tree of protocols STS0, STS0H, STSa, STSaH, JFK0, RFK, with m = g^x, n = g^y, k = g^xy; edges labelled “distribute certificates”, “open responder”, “protect identities”, “symmetric hash”]
Example

## Construct protocol with properties:

• Shared secret
• Authenticated
• Identity Protection
• DoS Protection
Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)
Component 1
Diffie-Hellman
A → B: g^a
B → A: g^b

## • Shared secret (with someone)

– A deduces:
Knows(Y, g^ab) ⊃ (Y = A) ∨ Knows(Y, b)
• Authenticated
• Identity Protection
• DoS Protection
Component 2
Challenge Response:
A → B: m, A
B → A: n, sigB {m, n, A}
A → B: sigA {m, n, B}

## • Shared secret (with someone)

• Authenticated
– A deduces: Received (B, msg1) ∧ Sent (B, msg2)
• Identity Protection
• DoS Protection
Composition
m := g^a, n := g^b

## ISO 9798-3 protocol:

A → B: g^a, A
B → A: g^b, sigB {g^a, g^b, A}
A → B: sigA {g^a, g^b, B}

## • Shared secret: g^ab

• Authenticated
• Identity Protection
• DoS Protection
Refinement
Encrypt signatures:
A → B: g^a, A
B → A: g^b, EK {sigB {g^a, g^b, A}}
A → B: EK {sigA {g^a, g^b, B}}

## • Shared secret: g^ab

• Authenticated
• Identity Protection
• DoS Protection
Transformation
A → B: g^a, A
B → A: g^b, hashKB {g^b, g^a}
A → B: g^a, g^b, hashKB {g^b, g^a}, EK {sigA {g^a, g^b, B}}
B → A: g^b, EK {sigB {g^a, g^b, A}}
• Shared secret: g^ab
• Authenticated
• Identity Protection
• DoS Protection
(Here B must store b in step 2, but we’ll fix this later…)
Typical protocol
• Client sends request to server
• Server sets up connection, responds
• Client may complete session or not (DOS)

• Client sends request to server
• Server sends hashed data back
– Send message #2 later after client confirms
• Client confirms by returning hashed data
• Need extra step to send postponed message
Protocol susceptible to DOS
A → B: g^a, A
B → A: g^b, EK {sigB {g^a, g^b, A}}     (the encrypted signature: eh1)
A → B: EK {sigA {g^a, g^b, B}}          (eh2)
Transformation
A → B: g^a, A
B → A: g^b, hashKB {g^b, g^a}
A → B: g^a, g^b, hashKB {g^b, g^a}, eh2
B → A: g^b, eh1
Efficiency: Reuse D-H key
Costly to compute g^a, g^b, g^ab
Solution
• Keep medium-term g^a, g^b (change ~10 min)
• Replace g^a by pair g^a, nonce
JFKi, JFKr protocols (except cert or grpinfo, …)
A → B: Na, g^a, A
B → A: Nb, g^b, hashKB {Nb, Na, g^b, g^a}
A → B: Na, Nb, g^a, g^b, hashKB {Nb, Na, g^b, g^a}, EK {sigA {Na, Nb, g^a, g^b, B}}
B → A: g^b, EK {sigB {Na, Nb, g^a, g^b, A}}
Note: B does not need to store any short-term data in step 2
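Added example (not from the slides or the JFK specification) of the responder side of the transformation and JFK messages above: B keeps a long-term cookie key KB and a medium-term g^b, stores nothing at message 2, and at message 3 recomputes hashKB {Nb, Na, g^b, g^a} before doing any exponentiation. hashKB is taken to be HMAC-SHA256, the group modulus is a placeholder, and the class and function names are assumptions of the example; the signature and EK parts are left out to focus on the DoS-protection step.

```python
# Added example, not part of the slides: stateless JFK-style responder.
import hmac, hashlib, secrets

# Placeholder group for the example: p = 2^255 - 19 is prime, but it is NOT a
# standard DH group; a deployment would use an IKE/JFK MODP group instead.
P = 2**255 - 19
G = 2

def cookie(kb, nb, na, gb, ga):
    """hashKB {Nb, Na, g^b, g^a}: B's stateless commitment to message 2."""
    data = b"".join(v.to_bytes(32, "big") for v in (nb, na, gb, ga))
    return hmac.new(kb, data, hashlib.sha256).digest()

class Responder:
    """B: long-term cookie key KB and a medium-term exponent b, reused
    across sessions (the "change ~10 min" key of the slide)."""
    def __init__(self):
        self.kb = secrets.token_bytes(32)
        self.b = secrets.randbelow(P - 2) + 2
        self.gb = pow(G, self.b, P)
        self.expensive_ops = 0          # exponentiations spent on message 3

    def msg2(self, na, ga):
        nb = secrets.randbits(256)
        # Reply and forget: no per-session state is kept here.
        return nb, self.gb, cookie(self.kb, nb, na, self.gb, ga)

    def msg3(self, na, nb, ga, gb, ck):
        # Cheap MAC check first; a cookie not produced with KB (or one echoed
        # with altered values) is rejected before any expensive work.
        if gb != self.gb or not hmac.compare_digest(ck, cookie(self.kb, nb, na, gb, ga)):
            return None
        self.expensive_ops += 1
        return pow(ga, self.b, P)          # g^ab, from which K is derived

def run_handshake(B, valid_cookie=True):
    """Initiator A talks to responder B; returns (A's g^ab, B's g^ab or None)."""
    a = secrets.randbelow(P - 2) + 2
    na, ga = secrets.randbits(256), pow(G, a, P)
    nb, gb, ck = B.msg2(na, ga)
    if not valid_cookie:
        ck = bytes(32)                     # constructed: a cookie not made with KB
    return pow(gb, a, P), B.msg3(na, nb, ga, gb, ck)
```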
Conclusion

## Many protocol properties

• Authentication
• Secrecy
• Prevent replay
• Forward secrecy
• Denial of service
• Identity protection
Systematic understanding is possible
• But be careful; easy to make mistakes
• State of the art: need to analyze complete protocol
Block cipher modes (for DES, AES, …)

## ECB – Electronic Code Book mode

• Divide plaintext into blocks
• Encrypt each block independently, with same key
CBC – Cipher Block Chaining
• XOR each block with encryption of previous block
• Use initialization vector IV for first block
OFB – Output Feedback Mode
• Iterate encryption of IV to produce stream cipher
CFB – Cipher Feedback Mode
• Output block yi = input xi + encryptK(yi-1)
Electronic Code Book (ECB)
[Figure: each plaintext block goes through the block cipher independently]

## Problem: Identical blocks encrypted identically

No integrity check
Cipher Block Chaining (CBC)
[Figure: IV XORed into the first plaintext block; each ciphertext block XORed into the next plaintext block before the block cipher]

## Advantages: Identical blocks encrypted differently

Last ciphertext block depends on entire input
Comparison (for AES, by Bart Preneel)
Similar plaintext blocks produce similar ciphertext
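Added example (not from the slides) of the ECB versus CBC point above: both modes implemented over a block cipher interface, then run on a plaintext made of four identical blocks to count repeated ciphertext blocks. The block cipher is a constructed Feistel permutation standing in for DES/AES so the example runs offline; it and the function names are assumptions of the example.

```python
# Added example, not part of the slides: ECB and CBC modes over a toy cipher.
import hmac, hashlib

BLOCK = 16

def toy_block_encrypt(key, block):
    """Constructed 128-bit keyed permutation (4-round Feistel, round function
    from HMAC-SHA256). A stand-in for DES/AES, not a real cipher."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for r in range(4):
        fk = hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(x ^ y for x, y in zip(left, fk))
    return left + right

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    assert len(data) % BLOCK == 0, "caller pads to a multiple of the block length"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # ECB: each block encrypted independently with the same key
    return b"".join(toy_block_encrypt(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):
    # CBC: XOR each block with the previous ciphertext block (IV for the first).
    # The IV must be fresh per message; a fixed IV reproduces the ECB problem
    # across messages that share a prefix.
    out, prev = [], iv
    for b in blocks(pt):
        prev = toy_block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def repeated_block_count(ct):
    """How many ciphertext blocks duplicate an earlier one."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))

def demo(key=b"k" * 16, iv=b"\x01" * 16):
    pt = b"ATTACK AT DAWN!!" * 4        # constructed: four identical blocks
    return (repeated_block_count(ecb_encrypt(key, pt)),
            repeated_block_count(cbc_encrypt(key, iv, pt)))
```

ECB leaks the repetition (three duplicate ciphertext blocks); CBC shows none, and changing any plaintext block changes every later ciphertext block.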