Presentation is loading. Please wait.

Presentation is loading. Please wait.

Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.

Published byKyler Baller Modified over 9 years ago

Similar presentations

Presentation on theme: "Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005."— Presentation transcript:

1 Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005

2 Key Management Options uOut of band Can set up some keys this way (Kerberos) uPublic-key infrastructure (PKI) Leverage small # of public signing keys uProtocols for session keys Generate short-lived session key Avoid extended use of important secret Don’t use same key for encryption and signing Forward secrecy Cryptography reduces many problems to key management

3 Internet Standardization Process uAll standards published as RFC (Request for Comment) Available: http://www.ietf.org Not all RFCs are Internet Standards ! uTypical path to standardization Internet Drafts RFC Proposed Standard Draft Standard (requires 2 working implementation) Internet Standard (declared by IAB) uDavid Clark, MIT, 1992: "We reject: kings, presidents, and voting. We believe in: rough consensus and running code.”

4 Key Distribution: Kerberos Idea Client KeyCenter Server Shared symmetric key Kc Shared symmetric key Ks {Kcs, {Kcs} Ks } Kc {Kcs} Ks { msg } Kcs Key Center generates session key Kcs and distributes using shared long-term keys

5 Ticket 2 Ticket 1 Kerberos Protocol Client KDC Service TGS {Kt} Kc C TGS {Ks} Kt {C} Kt S {C} Ks Ktgs Kc Kv {C, Ks} Kv {C, Kt} Ktgs {C, Ks} Kv {C, Kt} Ktgs

6 Public-Key Infrastructure Certificate Authority ClientServer Known public signature verification key Ka Sign(Ka, Ks), Sign(Ks, msg) Certificate Sign(Ka, Ks) Ks Server certificate can be verified by any client that has CA key Ka Certificate authority is “off line”

7 Key Exchange uParties may have initial information uGenerate and agree on session key Authentication – know ID of other party Secrecy – key not known to any others Avoid replay attack Forward secrecy Avoid denial of service Identity protection – disclosure to others Other properties you can think of???

8 Diffie-Hellman Key Exchange uAssume finite group G =  S,   Generator g so every x  S is x = g n Example: integers modulo prime p uProtocol g a mod p g b mod p A B Alice, Bob share g ab mod p not known to anyone else

9 Diffie-Hellman Key Exchange Authentication? Secrecy? Replay attack Forward secrecy? Denial of service? Identity protection? g a mod p g b mod p A B

10 IKE subprotocol from IPSEC A, (g a mod p) B, (g b mod p) Result: A and B share secret g ab mod p Signatures provide authentication, as long as signature verification keys are known AB m1 m2, signB(m1,m2) signA(m1,m2)

11 IPSec: Network Layer Security uAuthentication Header (AH) Access control and authenticate data origins replay protection No confidentiality uEncapsulated Secure Payload (ESP) Encryption and/or authentication uInternet Key management (IKE) Determine and distribute secret keys Oakley + ISAKMP Algorithm independent uSecurity policy database (SPD) discarded, or bypass

12 IKE: Many modes uMain mode Authentication by pre-shared keys Auth with digital signatures Auth with public-key encryption Auth with revised public-key encryption uQuick mode Compress number of messages Also four authentication options

13 Aug 2001 Position Statement u In the several years since the standardization of the IPSEC protocols (ESP, AH, and ISAKMP/IKE), … several security problems…, most notably IKE. uFormal and semi-formal analyses by Meadows, Schneier et al, and Simpson, have shown … security problems in IKE stem directly from its complexity. uIt seems … only a matter of time before serious *implementation* problems become apparent, again due to the complex nature of the protocol, and the complex implementation that must surely follow. uThe Security Area Directors have asked the IPSEC working group to come up with a replacement for IKE.

14 How to study complex protocol

15 General Problem in Security uDivide-and-conquer is fundamental Decompose system requirements into parts Develop independent software modules Combine modules to produce required system uCommon belief: Security properties do not compose Difficult system development problem

16 Example protocol Protocol P1 A  B : {message} KB A  B : KA -1 uThis satisfies basic requirements Message is transmitted under encryption Revealing secret key KA -1 does not reveal message

17 Similar protocol Protocol P2 B  A : {message’} KA B  A : KB -1 uTransmits msg securely from B to A Message is transmitted under encryption Revealing secret key KB -1 does not reveal message

18 Composition P1; P2 uSequential composition of two protocols A  B : {message} KB A  B : KA -1 B  A : {message’} KA B  B : KB -1 uDefinitely not secure Eavesdropper learns both keys, decrypts messages

19 Protocol Derivation Framework uProtocols are constructed from: components by applying a series of: composition, refinement and transformation operations. uIncrementally achieve design goals Properties accumulate as a derivation proceeds uExamples in papers: STS, ISO-9798-3, JFKi, JFKr, IKE, … Acknowledgement: Dusko Pavlovic [Kestrel]

20 STS family m=g x, n=g y k=g xy STS 0H STS a STS aH STS H STS 0 STS PH JFK 1 distribute certificates cookie open responder JFK 0 symmetric hash JFK protect identities RFK STS P JFK (Just Fast Keying) and RFK (our name) were proposed successors to IKE

21 Example uConstruct protocol with properties: Shared secret Authenticated Identity Protection DoS Protection uDesign requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

22 Component 1 uDiffie-Hellman A  B: g a B  A: g b Shared secret (with someone) –A deduces: Knows(Y, g ab)  (Y = A) ۷ Knows(Y,b) Authenticated Identity Protection DoS Protection

23 Component 2 uChallenge Response: A  B: m, A B  A: n, sig B {m, n, A} A  B: sig A {m, n, B} Shared secret (with someone) Authenticated –A deduces: Received (B, msg1) Λ Sent (B, msg2) Identity Protection DoS Protection

24 Composition uISO 9798-3 protocol: A  B: g a, A B  A: g b, sig B {g a, g b, A} A  B: sig A {g a, g b, B} Shared secret: gab Authenticated Identity Protection DoS Protection m := g a n := g b

25 Refinement uEncrypt signatures: A  B: g a, A B  A: g b, E K {sig B {g a, g b, A}} A  B: E K {sig A {g a, g b, B}} Shared secret: gab Authenticated Identity Protection DoS Protection

26 Transformation uUse cookie: JFK core protocol A  B: g a, A B  A: g b, hash KB {g b, g a } A  B: g a, g b, hash KB {g b, g a } E K {sig A {g a, g b, B}} B  A: g b, E K {sig B {g a, g b, A}} Shared secret: gab Authenticated Identity Protection DoS Protection (Here B must store b in step 2, but we’ll fix this later…)

27 Cookie transformation uTypical protocol Client sends request to server Server sets up connection, responds Client may complete session or not (DOS) uCookie version Client sends request to server Server sends hashed data back –Send message #2 later after client confirms Client confirms by returning hashed data Need extra step to send postponed message

28 Cookie in JFK uProtocol susceptible to DOS A  B: g a, A B  A: g b, E K {sig B {g a, g b, A}} A  B: E K {sig A {g a, g b, B}} uUse cookie: JFK core protocol A  B: g a, A B  A: g b, hash KB {g b, g a } A  B: g a, g b, hash KB {g b, g a }, eh2 B  A: g b, eh1 eh1 eh2

29 Efficiency: Reuse D-H key uCostly to compute g a, g b, g ab uSolution Keep medium-term g a, g b (change ~10 min) Replace g a by pair g a, nonce uJFKi, JFKr protocols (except cert or grpinfo, …) A  B: Na, g a, A B  A: Nb, g b, hash KB {Nb, Na, g b, g a } A  B: Na, Nb, g a, g b, hash KB {Nb, Na, g b, g a }, E K {sig A {Na, Nb, g a, g b, B}} B  A: g b, E K {sig B {Na, Nb, g a, g b, A}} Note: B does not need to store any short-term data in step 2

30 Conclusion uMany protocol properties Authentication Secrecy Prevent replay Forward secrecy Denial of service Identity protection uSystematic understanding is possible But be careful; easy to make mistakes State of the art –need to analyze complete protocol –research will produce compositional methods

Download ppt "Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005."

Similar presentations

The Diffie-Hellman Algorithm

The Diffie-Hellman Algorithm
ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.

ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.

Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.
L8. Reviews Rocky K. C. Chang, May 2011. Foci of this course 2 Rocky K. C. Chang  Understand the 3 fundamental cryptographic functions and how they are.

L8. Reviews Rocky K. C. Chang, May Foci of this course 2 Rocky K. C. Chang  Understand the 3 fundamental cryptographic functions and how they are.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
IP Security and Key Establishment CS 395T. Plan for the Next Few Lectures uToday: “systems” lecture on IP Security and design of key exchange protocols.

IP Security and Key Establishment CS 395T. Plan for the Next Few Lectures uToday: “systems” lecture on IP Security and design of key exchange protocols.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.

Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.
IPsec – IKE CS 470 Introduction to Applied Cryptography

IPsec – IKE CS 470 Introduction to Applied Cryptography
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Similar presentations

Ads by Google