Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect.

Published byBritton Tate Modified over 8 years ago

Similar presentations

Presentation on theme: "Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect."— Presentation transcript:

1 Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect Forward Secrecy IV. Adversary Attacks Presented By: Ashley Bruno & Blayne White

2 Key Establishment Protocols I. Cryptographic protocols that establish keys for use by other protocols I. examples: AKEP2, MAP1, Diffie-Hellman, Station- to-station

3 Definitions I. Principal: a party wishing to establish shared keys II. Nonce: a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks

4 Definitions (cont'd) III. MAC (ie. Message Authentication Code): the result of a hash function that combines a message with a key IV. Freshness: a key is fresh if it can be guaranteed to be new (Menezes, van Oorschot and Vanstone, 1997) (probably no longer fresh)

5 Oracles I. An I/O device that responds to every query with a random response chosen uniformly from it's output domain. if given the same input query, the same output response is given.

6 Oracle Freshness I. An oracle is fresh if : I. It has accepted a session key II. Its session key has not been given a Reveal query (oracle is “unopened”) III. There is no opened oracle with whom it has a matching conversation that has accepted the session key.

7 Mutual Entity Authentication I. Provides assurance to both entities of the identity of the other entity involved I. If a pair of oracles has matching conversations, then both oracles accept. II. The probability of an oracle accepting when it does not have a matching conversation with another oracle is negligible.

8 Matching Conversations I. A conversation consists of all messages sent and received by an oracle. II. Matching Conversations occur when the conversations of both parties are the same when all messages are faithfully delivered from the sender oracle to the receiver oracle, with the exception of the last message, since the initiator cannot know if this last message was received by its partner.

9 (Implicit) Key Authentication I. Provides assurance that no entity other than a specifically identified entity can gain access to the key. II. Independent of the actual possession of such key by the second party, or knowledge of such actual possession by the first party

10 Perfect Forward Secrecy It is still desirable to design protocols where past sessions remain secure. Perfect forward secrecy: compromise of long-term keys does not compromise past session keys. “Forward secrecy” indicates that the secrecy of old keys is carried forward into the future.

11 Authenticated Key Exchange Protocol 2 I. A three-pass protocol II. Uses symmetric authentication III. Uses keyed hash functions instead of encryption IV. Does not rely on a trusted third party (TTP) V. Provides mutual entity authentication and (implicit) key authentication VI. Provides Perfect Forward Secrecy

12 AKEP2 I. A and B are principals II. A and B share two long term symmetric keys: K, K' III. each protocol run generates fresh nonces: n a, n b IV. uses a keyed hash function (MAC): h k and a keyed one-way function: h' k'

13 AKEP2 A B A B A B A sends a challenge nonce to B. nana B resonds with h k (B,A,n a,n b ) and sends it's own challenge nonce. ● k is the shared key; k = h' k' (n b ) h k (B,A, n a,n b ), n b A responds to the challenge nonce with h k (A,n b ) to B h k (A, n b )

14 AKEP2 Security I. The intent is to authenticate the principals involved and distribute a session key which will consist of a principal's private output II. At the end of a secure AKE any adversary should not be able to distinguish a fresh session key from a random element.

15 AKE Security: Session Keys I. The compromise of one of these keys should have minimal consequences. I. It should not subvert subsequent authentication. II.It should not leak information about other session keys.

16 AKEP2 Security I. Protocol II is secure if it is a secure mutual authentication protocol. This requires: a)That two oracles, in the absence of an active adversary, always accept b)The advantage of a probabilistic polynomial adversary is negligible. II. The current security definitions give the adversary very strong abilities in corrupting the parties, but they limit his ability to utilize those powers.

17 Attacks allowed by current definitions I. Key-compromise impersonation: the adversary reveals a long-term secret key of a party and then impersonates others to this party. II. An adversary reveals the ephemeral secret key of a party who initiates an AKE session and impersonates the other participant of this session.

18 Attacks allowed (cont'd) III. Two honest parties execute matching sessions, while the adversary reveals ephemeral secret keys of both parties and tries to learn the session key. IV. Two honest parties execute matching sessions, while the adversary reveals long-term keys of both parties prior to the session execution and tries to learn the session key. However, all four of these attacks are not considered violations of protocol security!

19 Authenticated Key Exchange I. M. Bellare and P. Rogaway.Entity Authentication and key distribution Advances in Cryptology - Crypto 93 Proceedings, Lecture Notes in Computer Science Vol. 773, D. Stinson ed, Springer-Verlag, 1994. II. Brian LaMacchia, Kristen Lauter, Anton Mityagin. ”Stronger Security of Authenticated Key Exchange.”

Download ppt "Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect."

Similar presentations

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Topic 7: Using cryptography in mobile computing. Cryptography basics: symmetric, public-key, hash function and digital signature Cryptography, describing.

Topic 7: Using cryptography in mobile computing. Cryptography basics: symmetric, public-key, hash function and digital signature Cryptography, describing.
From: Cryptographers’ Track of the RSA Conference 2008 Date:2011-11-29 Reporter: Yi-Chun Shih 1.

From: Cryptographers’ Track of the RSA Conference 2008 Date: Reporter: Yi-Chun Shih 1.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Environmental Key Generation towards Clueless Agents James Riordan School of Mathematics University of Minnesota. Bruce Schneier Counterpane Systems. Published:

Environmental Key Generation towards Clueless Agents James Riordan School of Mathematics University of Minnesota. Bruce Schneier Counterpane Systems. Published:
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Analysis of Key Agreement Protocols Brita Vesterås Supervisor: Chik How Tan.

Analysis of Key Agreement Protocols Brita Vesterås Supervisor: Chik How Tan.

Similar presentations

Ads by Google