Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trusted 3rd parties Basic key exchange

Published byAlize Brixey Modified over 9 years ago

Similar presentations

Presentation on theme: "Trusted 3rd parties Basic key exchange"— Presentation transcript:

1 Trusted 3rd parties Basic key exchange
Online Cryptography Course Dan Boneh Basic key exchange Trusted 3rd parties Now that we know how two users can protect data using a shared key, the next question is how these two users generate a shared key. This question will take us into the world of public-key crypto. In this module we will look at a few toy key exchange protocols as a way to introduce the main ideas of public-key crypto. We will come back to key exchange and design secure key exchange protocols after we build a few more public-key tools.

2 Key management Problem: n users. Storing mutual secret keys is difficult Total: O(n) keys per user

3 A better solution Online Trusted 3rd Party (TTP) TTP
Users u1, …, un. And alice and bob. They have shared keys Ka, Kb. Every user only remembers one key.

4 Generating keys: a toy protocol
Alice wants a shared key with Bob. Eavesdropping security only. Bob (kB) Alice (kA) TTP “Alice wants key with Bob” choose random kAB ticket kAB kAB (E,D) a CPA-secure cipher

5 Generating keys: a toy protocol
Alice wants a shared key with Bob. Eavesdropping security only. Eavesdropper sees: E(kA, “A, B” ll kAB ) ; E(kB, “A, B” ll kAB ) (E,D) is CPA-secure ⇒ eavesdropper learns nothing about kAB Note: TTP needed for every key exchange, knows all session keys. (basis of Kerberos system)

6 Toy protocol: insecure against active attacks
Example: insecure against replay attacks Attacker records session between Alice and merchant Bob For example a book order Attacker replays session to Bob Bob thinks Alice is ordering another copy of book

7 Key question Can we generate shared keys without an online trusted 3rd party? Answer: yes! Starting point of public-key cryptography: Merkle (1974), Diffie-Hellman (1976), RSA (1977) More recently: ID-based enc. (BF 2001), Functional enc. (BSW 2011)

8 End of Segment

9 Online Cryptography Course Dan Boneh
Basic key exchange Merkle Puzzles

10 Key exchange without an online TTP?
Goal: Alice and Bob want shared key, unknown to eavesdropper For now: security against eavesdropping only (no tampering) Alice Bob eavesdropper ?? Can this be done using generic symmetric crypto?

11 Merkle Puzzles (1974) Answer: yes, but very inefficient
Main tool: puzzles Problems that can be solved with some effort Example: E(k,m) a symmetric cipher with k ∈ {0,1}128 puzzle(P) = E(P, “message”) where P = 096 ll b1… b32 Goal: find P by trying all possibilities

12 Merkle puzzles Alice: prepare 232 puzzles
For i=1, …, 232 choose random Pi ∈{0,1}32 and xi, ki ∈{0,1}128 set puzzlei ⟵ E( 096 ll Pi , “Puzzle # xi” ll ki ) Send puzzle1 , … , puzzle to Bob Bob: choose a random puzzlej and solve it. Obtain ( xj, kj ) . Send xj to Alice Alice: lookup puzzle with number xj Use kj as shared secret

13 In a figure kj kj puzzle1 , … , puzzlen Alice Bob xj
Alice’s work: O(n) (prepare n puzzles) Bob’s work: O(n) (solve one puzzle) Eavesdropper’s work: O( n2 ) (e.g time)

14 Impossibility Result Can we achieve a better gap using a general symmetric cipher? Answer: unknown But: roughly speaking, quadratic gap is best possible if we treat cipher as a black box oracle [IR’89, BM’09] Any key exchange protocol where participants make n queries to the cipher oracle, can be broken with O(n^2) queries to the cipher oracle. 2009: Boaz Barak, Mohammad Mahmoody-Ghidary 1989: Impagliazzo and Rudich

15 End of Segment

16 The Diffie-Hellman protocol
Online Cryptography Course Dan Boneh Basic key exchange The Diffie-Hellman protocol

17 Key exchange without an online TTP?
Goal: Alice and Bob want shared secret, unknown to eavesdropper For now: security against eavesdropping only (no tampering) Alice Bob eavesdropper ?? Can this be done with an exponential gap?

18 The Diffie-Hellman protocol (informally)
Fix a large prime p (e.g. 600 digits) Fix an integer g in {1, …, p} Alice Bob choose random a in {1,…,p-1} choose random b in {1,…,p-1} Ba (mod p) = (gb)a = = (ga)b = Ab (mod p) “Alice”, A = ga (mod p) ; “Bob”, B = gb (mod p) kAB = gab (mod p)

19 Security (much more on this later)
Eavesdropper sees: p, g, A=ga (mod p), and B=gb (mod p) Can she compute gab (mod p) ?? More generally: define DHg(ga, gb) = gab (mod p) How hard is the DH function mod p?

20 How hard is the DH function mod p?
Suppose prime p is n bits long. Best known algorithm (GNFS): run time exp( ) cipher key size modulus size 80 bits 1024 bits 128 bits 3072 bits 256 bits (AES) bits As a result: slow transition away from (mod p) to elliptic curves Elliptic Curve size 160 bits 256 bits 512 bits

21 Elliptic curve Diffie-Hellman

22 Insecure against man-in-the-middle
As described, the protocol is insecure against active attacks Alice MiTM Bob

23 ⋯ Another look at DH ga gb gc gd Facebook Alice a Bob b Charlie c
David d KAC=gac KAC=gac For two users: DH For three users: Joux Beyond three users ???

24 ⋯ An open problem ga gb gc gd Facebook Alice a Bob b Charlie c David d
KABCD KABCD KABCD KABCD For two users: DH For three users: Joux Beyond three users ???

25 End of Segment

26 Public-key encryption
Online Cryptography Course Dan Boneh Basic key exchange Public-key encryption

27 Establishing a shared secret
Goal: Alice and Bob want shared secret, unknown to eavesdropper For now: security against eavesdropping only (no tampering) Alice Bob eavesdropper ?? This segment: a different approach

28 Public key encryption Alice Bob E D Picture of cipher

29 Public key encryption Def: a public-key encryption system is a triple of algs. (G, E, D) G(): randomized alg. outputs a key pair (pk, sk) E(pk, m): randomized alg. that takes m∈M and outputs c ∈C D(sk,c): det. alg. that takes c∈C and outputs m∈M or ⊥ Consistency: ∀(pk, sk) output by G : ∀m∈M: D(sk, E(pk, m) ) = m

30 Semantic Security For b=0,1 define experiments EXP(0) and EXP(1) as: b
Def: E =(G,E,D) is sem. secure (a.k.a IND-CPA) if for all efficient A: AdvSS [A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | < negligible pk b Chal. Adv. A m0 , m1  M : |m0| = |m1| (pk,sk)G() c  E(pk, mb) b’  {0,1} EXP(b)

31 Establishing a shared secret
Alice Bob (pk, sk) ⟵ G() “Alice”, pk choose random x ∈ {0,1}128

32 Security (eavesdropping)
Adversary sees pk, E(pk, x) and wants x ∈M Semantic security ⇒ adversary cannot distinguish { pk, E(pk, x), x } from { pk, E(pk, x), rand∈M } ⇒ can derive session key from x. Note: protocol is vulnerable to man-in-the-middle

33 Insecure against man in the middle
As described, the protocol is insecure against active attacks Alice MiTM Bob (pk, sk) ⟵ G() (pk’, sk’) ⟵ G() “Alice”, pk choose random x ∈ {0,1}128 “Bob”, E(pk’, x) “Bob”, E(pk, x)

34 Public key encryption: constructions
Constructions generally rely on hard problems from number theory and algebra Next module: Brief detour to catch up on the relevant background

35 Further readings Merkle Puzzles are Optimal, B. Barak, M. Mahmoody-Ghidary, Crypto ’09 On formal models of key exchange (sections 7-9) V. Shoup, 1999

36 End of Segment

Download ppt "Trusted 3rd parties Basic key exchange"

Similar presentations

Merkle Puzzles Are Optimal

Merkle Puzzles Are Optimal
Public Key Cryptography Nick Feamster CS 6262 Spring 2009.

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Public Key Encryptions CS461/ECE422 Fall 2011. Reading Material Text Chapters 2 and 20 Handbook of Applied Cryptography, Chapter 8 –

Public Key Encryptions CS461/ECE422 Fall Reading Material Text Chapters 2 and 20 Handbook of Applied Cryptography, Chapter 8 –
Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
CNS2010lecture 6 :: key management1 ELEC5616 computer and network security matt barrie

CNS2010lecture 6 :: key management1 ELEC5616 computer and network security matt barrie
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.

Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.
Public Key Cryptography David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto class,

Public Key Cryptography David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto class,
An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Elliptic Curve Cryptography (ECC) Mustafa Demirhan Bhaskar Anepu Ajit Kunjal.

Elliptic Curve Cryptography (ECC) Mustafa Demirhan Bhaskar Anepu Ajit Kunjal.
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.

Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Similar presentations

Ads by Google