Chapter 9: Cryptographic Protocol
Cryptography: Principles and Practice
Harbin Institute of Technology, School of Computer Science and Technology
Zhijun Li

Zhijun LiS /Autumn08/HIT2
Outline
Structure of Cryptographic Protocol
Cryptographic Protocols
–Key Establishment Protocols
–Authentication Protocols
Zero Knowledge Protocol

Protocol Review
Protocol:
–Rules that detail the interaction between parties in a communication
Note:
–A series of steps
–At least two parties (normally 2 or 3 parties)
–In communication
Cryptographic protocol:
–Using cryptography for security

Requirements of Protocol
Every party knows in advance the steps needed to complete the protocol
Every party must follow the protocol
Each step must be defined explicitly and cannot be misunderstood
The protocol must be complete and define the action for every possible case

Arbitration Protocol
Note:
–The protocol can work only with an arbitrator
–The arbitrator is always trusted (condition)
–Example: Alice → Lawyer: car; Bob → Lawyer: money; Lawyer → Alice: money; Lawyer → Bob: car
[Figure: Alice and Bob, with Trent as arbitrator]

Verdict Protocol
Note:
–The protocol works without a judge
–A verdict is introduced only if a dispute arises
–Example: Alice, Bob self Lawyer; Bob → Lawyer: evidence; Alice → Lawyer: evidence; Judge decides
[Figure: Alice, Bob, Trent (judge), evidence]

Self-enforcing Protocol
Note:
–The protocol works with only Alice and Bob
–Security is assured by the protocol design
–Example: Alice → Bob: A; Bob → Alice: B; Alice computes; Bob computes; Alice → Bob: AB; Bob → Alice: BA
[Figure: Alice, Bob]

Attacks on the Protocol
Passive attack
–Can eavesdrop on information in communication
–Can eavesdrop on information in the computer
Active attack
–Can modify information in communication
–Can modify information in the computer
–Can impersonate the parties
–Some parties may not abide by the protocol

Key Establishment Protocols
Key distribution protocols
–Distributed by a trusted authority (TA)
–Example: Needham-Schroeder protocol
Key agreement protocols
–Key can be established without TA
–Example: Diffie-Hellman key agreement protocol

Needham-Schroeder Protocol
Alice → Trent: A, B, R_A
–A is Alice's name, B is Bob's name, R_A is a random number
Trent → Alice: E_A(R_A, B, K, E_B(K, A))
–K is the session key
–E_A and E_B are encryption using A's key and B's key
Alice → Bob: E_B(K, A)
–After decrypting the above message
Bob → Alice: E_K(R_B)
–R_B is a random number
Alice → Bob: E_B(R_B - 1)
Bob verifies R_B - 1

Needham-Schroeder Remark
R_A, R_B, and R_B - 1 can prevent a replay attack
BUT Mallory can store an old K
–Mallory → Bob: E_B(K, A)
–Bob → "Alice" (Mallory): E_K(R_B)
 R_B is a random number
–Mallory → Bob: E_B(R_B - 1)
–Bob verifies R_B - 1
–Mallory can impersonate Alice

Otway-Rees Protocol
Idea: add timestamp
Alice → Bob: I, A, B, E_A(R_A, I, A, B)
–I is the index number
Bob → Trent: I, A, B, E_A(R_A, I, A, B), E_B(R_A, I, A, B)
Trent → Bob: I, E_A(R_A, K), E_B(R_B, K)
–After decrypting the above message
Bob → Alice: I, E_A(R_A, K)
–R_B is a random number
Alice verifies I and R_B

Diffie-Hellman Key Agreement
Exchanging a secret key over a public channel
Key exchange protocol
–Select public parameters p, and n
 p is prime and is of order n in Z_p^*
–Alice selects random b privately and Alice → Bob [ b mod p]
–Bob selects random c privately and Bob → Alice [ c mod p]
–Alice and Bob compute bc mod p (shared secret key)
Bob, Alice's key is bc

Example of DH Exchange
Globally known P= and =2
Alice chooses b=12345 and sends Bob [B= b mod p= ]
Bob chooses c= and sends Alice [C= c mod p= ]
Alice computes the secret key as C^b mod p=
Bob computes the secret key as B^c mod p=
So the secret key between Alice and Bob is

Security of DH
Security of the Diffie-Hellman key exchange protocol is based on the CDH problem
Computational Diffie-Hellman (CDH)
–Given a group (G, *), an element g of order q, and g^x and g^y, find g^xy
DLP is at least as hard as CDH
An algorithm that solves CDH can be used to decrypt ElGamal

CDH and ElGamal
Any algorithm that solves CDH can be used to decrypt ElGamal ciphertexts
Intuition:
–Decrypt (c_1 = g^k, c_2 = m k ) is equivalent to compute k
–Knows c_1 = g^k, = g^a, and needs to compute g^ka
Proof:
–Assume that algorithm OracleCDH solves CDH
–Let (c_1, c_2) be an ElGamal ciphertext
–Let = g^a, c_1 = g^k mod p, c_2 = m(g^a)^k mod p
–y = OracleCDH(g, , c_1)
–m = c_2 y^-1

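The reduction on this slide, carried through as an added example (not part of the original slides). The toy group (p = 467, g = 2), the sample exponents and all function names are assumptions; the group is small enough that an exhaustive discrete-log search can stand in for the CDH oracle, which the reduction only ever uses as a black box.

```python
# Added illustration: anything that solves CDH also decrypts ElGamal.
# Toy parameters (assumed, far too small for real use): p = 467, g = 2.
P, G = 467, 2

def elgamal_keygen(a):
    """Private exponent a -> public key g^a mod p."""
    return pow(G, a, P)

def elgamal_encrypt(pub, m, k):
    """Return (c1, c2) = (g^k, m * pub^k) mod p for ephemeral exponent k."""
    return pow(G, k, P), (m * pow(pub, k, P)) % P

def oracle_cdh(g, gx, gy, p=P):
    """Stand-in CDH oracle: given g^x and g^y, return g^(xy).

    Implemented by exhaustive search for x, which only works because the
    group is tiny. The reduction never looks inside this function.
    """
    acc = 1
    for x in range(p - 1):
        if acc == gx:
            return pow(gy, x, p)
        acc = (acc * g) % p
    raise ValueError("gx is not a power of g")

def decrypt_with_cdh(pub, c1, c2):
    """Recover m without the private key: y = g^(ak), then m = c2 * y^-1."""
    y = oracle_cdh(G, pub, c1)
    return (c2 * pow(y, -1, P)) % P

if __name__ == "__main__":
    pub = elgamal_keygen(a=127)                  # constructed key pair
    c1, c2 = elgamal_encrypt(pub, m=100, k=213)  # constructed message
    print("ciphertext:", (c1, c2))
    print("recovered :", decrypt_with_cdh(pub, c1, c2))
```
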
Man-in-the-middle Attack
There is a man-in-the-middle attack
Need to be careful who you are agreeing a key with
[Figure: Alice (a), Eve (m, n), Bob (b); exchanged values g^a, g^m, g^n, g^b; resulting keys g^am and g^bn]

Diffie-Hellman is NOT Enough
How does Alice know who she is agreeing a key with, is it Bob or Eve?
Using signature:
–Alice signs her message to Bob
–Bob signs his message to Alice
–In that way both parties know who they are talking to

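An added example (not from the original slides) of the check described above: Alice signs her Diffie-Hellman value and Bob refuses any value whose signature does not verify, so a value swapped in transit is caught. The moduli, the base 3, the textbook RSA signature without padding and every function name are assumptions chosen to keep the demo in the standard library; none of the sizes are secure.

```python
import hashlib
import secrets

# Toy parameters (assumed for illustration, NOT secure sizes).
P = 2**127 - 1            # DH modulus, a Mersenne prime
G = 3                     # assumed base
RSA_E = 65537

def rsa_keypair(p, q):
    """Textbook RSA (n, d) from two primes; no padding, demo only."""
    return p * q, pow(RSA_E, -1, (p - 1) * (q - 1))

def _digest(value, n):
    h = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(h, "big") % n

def sign(value, n, d):
    return pow(_digest(value, n), d, n)

def verify(value, sig, n):
    return pow(sig, RSA_E, n) == _digest(value, n)

def exchange(tamper=False):
    """Alice sends a signed DH value; returns what Bob concludes."""
    n_a, d_a = rsa_keypair(2**61 - 1, 2**89 - 1)   # Alice's signing key
    a = secrets.randbelow(P - 2) + 1
    value = pow(G, a, P)
    sig = sign(value, n_a, d_a)
    if tamper:   # the value is replaced in transit, the signature is not
        value = pow(G, secrets.randbelow(P - 2) + 1, P)
    if not verify(value, sig, n_a):   # Bob already holds n_a as Alice's key
        return "reject: value not signed by Alice"
    b = secrets.randbelow(P - 2) + 1
    same = pow(value, b, P) == pow(pow(G, b, P), a, P)
    return "accept" if same else "key mismatch"

if __name__ == "__main__":
    print(exchange())
    print(exchange(tamper=True))
```

The check only helps because Bob obtained Alice's verification key through a channel the attacker does not control, which is the public key distribution problem the next slide raises.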
For Public Key Establishment
Above is private key establishment
For public key establishment:
–Intuition: the distribution of public keys is secure
–But: there is a man-in-the-middle attack
[Figure: Alice, Bob, Mallory and KDC; keys K_PA, K_PM, K_PB, K_PM]

Interlock Protocol
Alice → Bob: K_PA
Bob → Alice: K_PB
Alice → Bob: Half_1(E_{K_PB}(M))
–After decrypting the above message
Bob → Alice: Half_1(E_{K_PA}(M))
Alice → Bob: Half_2(E_{K_PB}(M))
Bob combines Half_1 and Half_2 and decrypts
Bob → Alice: Half_2(E_{K_PA}(M))
Alice combines Half_1 and Half_2 and decrypts

Authentication Protocol
Goal: two parties authenticate each other
Example:
–Alice wants to log in to a computer
 Hashing + salt
 SKEY
–Alice and Bob want to authenticate each other
 SKID (MAC) Protocol
 DASS Protocol

SKEY
Computer computes f(R), f(f(R)), … 100 times
In computer's database: Alice + x_101
Alice stores x_1, x_2, x_3, …, x_100
1st login:
–Alice inputs her name and x_100
–Computer computes f(x_100)
–Computer replaces x_101 with x_100 in the database
–Alice deletes x_100 from her list
2nd login:
–Alice inputs the last x_i in her list

SKID
Alice → Bob: R_A
–R_A is a random number
Bob → Alice: R_B, H_K(R_A, R_B, B)
–H_K is the MAC
Alice computes H_K(R_A, R_B, B) and checks
–At this step, Alice can authenticate Bob
Alice → Bob: H_K(R_B, A)
Bob computes H_K(R_B, A) and checks
–At this step, Bob can authenticate Alice
–A man-in-the-middle attack also exists

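Both sides of the SKID exchange as an added example (not from the original slides). HMAC-SHA-256 as H_K, 16-byte nonces, the length-prefixed field encoding and all names are assumptions; the length prefix is there so that the fields (R_A, R_B, B) cannot be re-split into a different tuple with the same MAC input.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, *fields: bytes) -> bytes:
    """H_K over length-prefixed fields (HMAC-SHA-256 is an assumption)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for fld in fields:
        h.update(len(fld).to_bytes(4, "big") + fld)
    return h.digest()

def bob_respond(key, r_a, bob_id=b"B"):
    """Bob -> Alice: R_B, H_K(R_A, R_B, B)."""
    r_b = secrets.token_bytes(16)
    return r_b, mac(key, r_a, r_b, bob_id)

def alice_check_and_respond(key, r_a, r_b, tag, bob_id=b"B", alice_id=b"A"):
    """Alice recomputes Bob's MAC; on success returns H_K(R_B, A)."""
    if not hmac.compare_digest(tag, mac(key, r_a, r_b, bob_id)):
        return None
    return mac(key, r_b, alice_id)

def bob_check(key, r_b, tag, alice_id=b"A"):
    """Bob recomputes H_K(R_B, A) and compares in constant time."""
    return hmac.compare_digest(tag, mac(key, r_b, alice_id))

def run(key_alice: bytes, key_bob: bytes) -> str:
    """One protocol run; the two keys differ when a party is not genuine."""
    r_a = secrets.token_bytes(16)                  # Alice -> Bob: R_A
    r_b, tag_b = bob_respond(key_bob, r_a)
    tag_a = alice_check_and_respond(key_alice, r_a, r_b, tag_b)
    if tag_a is None:
        return "alice rejects bob"
    if not bob_check(key_bob, r_b, tag_a):
        return "bob rejects alice"
    return "mutual auth ok"

if __name__ == "__main__":
    shared = secrets.token_bytes(32)
    print(run(shared, shared))
    print(run(shared, secrets.token_bytes(32)))
```
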
DASS
DASS: Distributed Authentication Security Service
Alice → Trent: B
Trent → Alice: K_PB, Sig_{K_ST}(B, K_PB)
Alice → Bob: E_K(T_A), E_{K_PB}(L, A, K_PP), Sig_{K_SA}(L, A, K_PP), E_{K_PB}(K), Sig_{K_SP}(E_{K_PB}(K))
–K is the session key; T_A is the timestamp; L is the lifetime of the key; K_PP/K_SP are a public/private key pair
Bob → Trent: A
Trent → Alice: K_PA, Sig_{K_ST}(A, K_PA)
Bob verifies them
Bob → Alice: E_K(T_B)
Alice checks T_B

Zero Knowledge Protocol
Motivation:
–When Alice authenticates to a server, she gives her password, but the server can then impersonate her
–Alice can prove she is "Alice" while giving the computer zero knowledge
–Zero-knowledge protocol: allows a prover to prove that he possesses a secret without revealing any information during verification
–Normally uses a challenge-response protocol

Zero Knowledge Proof of Identity
Alice's secret key is a function of her "Identity"
–Through a zero-knowledge proof, she can prove that she knows her secret key
–Fiat-Shamir Identity Protocol

Fiat-Shamir Identity Protocol
System parameter: n = pq
Public identity: v (v is a quadratic residue mod n)
Private authenticator: s ≡ sqrt(v^-1) mod n
Protocol (repeat t times):
–Alice picks random r in Z_n^*
–Alice → Bob: x = r^2 mod n
–Bob checks x ≠ 0
–Bob → Alice: random c in {0,1}
–Bob ← Alice: y, if c=0, y = r; if c=1, y = rs mod n
–Bob accepts: if c=0, x = r^2 mod n; if c=1, x ≡ y^2 v mod n

Security of the Fiat-Shamir Protocol
If Alice does not know s, she can cheat Bob with prob. ½
–t times: the probability is 1/2^t
r cannot be used twice
–If it is used twice, Bob may be able to compute s by s = r^-1 y
–Not zero-knowledge
Bob can impersonate Alice with prob. ½
–t times: the probability is 1/2^t

Parallel Fiat-Shamir Protocol
System parameter: n = pq
Public identity: v_1, …, v_k (v_i is a quadratic residue mod n)
Private authenticator: s_i ≡ sqrt(v_i^-1) mod n
Protocol (repeat t times):
–Alice picks random r in Z_n^*
–Alice → Bob: x = r^2 mod n
–Bob checks x ≠ 0
–Bob → Alice: a random {0,1} bit string b_0, b_1, …, b_k
–Bob ← Alice: y = r · (s_1^{b_1} · s_2^{b_2} · … · s_k^{b_k}) mod n
–Bob accepts: if x ≡ y^2 · (v_1^{b_1} · v_2^{b_2} · … · v_k^{b_k}) mod n

Fiat-Shamir Protocol Example
N = 35 = 5 × 7
–Alice → Bob: x = r^2 = 16^2 mod 35 = 11
–Bob → Alice: {0,1} string {1, 1, 0, 1}
–Bob ← Alice: y = 16 · (3^1 · 4^1 · 9^0 · 8^1) mod 35 = 31
–Bob accepts: if 11 ≡ 31^2 · (4^1 · 11^1 · 16^0 · 29^1) mod 35
[Table columns: v, v^-1, s = sqrt(v^-1)]

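The parallel protocol run on the slide's own numbers, together with the r-reuse caveat from the security slide, as an added example (not part of the original slides). The values n = 35, v = (4, 11, 16, 29), s = (3, 4, 9, 8), r = 16 and the challenge {1, 1, 0, 1} are read off the example above; the function names are assumptions.

```python
from math import prod

N = 35                   # n = 5 * 7, toy size from the slide
V = [4, 11, 16, 29]      # public identity v_1..v_4
S = [3, 4, 9, 8]         # private authenticator s_i = sqrt(v_i^-1) mod n

def keys_consistent(n=N, v=V, s=S):
    """Each pair must satisfy s_i^2 * v_i = 1 (mod n)."""
    return all((si * si * vi) % n == 1 for si, vi in zip(s, v))

def commit(r, n=N):
    """Alice -> Bob: x = r^2 mod n."""
    return (r * r) % n

def respond(r, bits, s=S, n=N):
    """Alice's answer: y = r * prod(s_i^b_i) mod n."""
    return (r * prod(si for si, b in zip(s, bits) if b)) % n

def verify(x, bits, y, v=V, n=N):
    """Bob accepts iff x != 0 and x = y^2 * prod(v_i^b_i) (mod n)."""
    return x != 0 and x == (y * y * prod(vi for vi, b in zip(v, bits) if b)) % n

def recover_s_from_reused_r(y0, y1, n=N):
    """Single-secret protocol: if the same r is answered for c=0 (y0 = r)
    and for c=1 (y1 = r*s), then s = r^-1 * y1 mod n. A fresh r per round
    is what keeps the response from leaking s."""
    return (pow(y0, -1, n) * y1) % n

if __name__ == "__main__":
    bits = [1, 1, 0, 1]
    x, y = commit(16), respond(16, bits)
    print("x =", x, "y =", y, "accepted:", verify(x, bits, y))
    print("s leaked by reusing r:", recover_s_from_reused_r(16, (16 * 3) % N))
```
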
Summary
Structure of Cryptographic Protocol
–Arbitration Protocol
–Verdict Protocol
–Self-enforcing Protocol
Cryptographic Protocols
–Key Establishment Protocols
–Authentication Protocols
–Zero Knowledge Protocol