Authenticated Key Exchange Rocky K. C. Chang 20 March 2007



2 Outline
• The secure key exchange problem
• Recall the Diffie-Hellman protocol
• Designing an authenticated Diffie-Hellman protocol
  – Several versions
• The perfect forward secrecy property

3 The secure key exchange problem
• Before two users can use a private key for encryption or for message authentication, how did they come up with the key?
  – Out-of-band, in-band, or a hybrid
• How do two IPSec nodes set up their security associations (SAs)?
  – Encryption algorithms, authentication algorithms, session keys, etc.
• In general, the problem is how to derive a secret (key, identity, etc.) between two users over an insecure network.
  – The second problem is how to use the secret (keys) to secure their messages from a certain layer up.

4 The secure key exchange problem
• An acceptable solution (a secure key exchange protocol) to this problem is required to handle
  – Source authentication
  – Message authentication
  – Data confidentiality
  – Protection against denial-of-service attacks, such as flooding of messages, replayed messages, etc.

5 Recall from the DH slides

6 The basic DH protocol

7 The man in the middle attack

8 The final (unauthenticated) DH protocol

9 Designing an authenticated DH protocol

10 Authenticated DH protocol: v.1

11 Problems with v. 1
• Let Alice and Bob choose the DH parameters (p, q, g).
• The number of messages can be reduced.
• The session key k is used as an argument in authentication.
  – A good rule of thumb is to use a secret for a single thing.
• The 2 authentication messages are too similar.
  – Subject to replay or similar attacks

12 Problems with v. 1
• Fixing (p, q, g) in a key exchange protocol would shorten the protocol’s life.
  – Management of versions
• The number of messages can be shortened to 2.
• The data in AUTH_A and AUTH_B consists of all the data exchanged so far.

13 Authenticated DH protocol: v.2

14 Problems with v. 2
• What if Bob wants a larger prime than Alice?
  – Bob will have to abort the protocol and send back an error message.
  – Alice has to restart again with new DH parameters.
• AUTH_A in the first message cannot securely authenticate Alice. Why?
  – The purpose of the nonce in the first message?

15 Authenticated DH protocol: v.3

16 The final authenticated DH protocol

17 Alice’s view
• She receives a single message from Bob.
  – She is sure that the message is from Bob because of the AUTH_B, which includes N_a.
• Alice checks that the DH parameters are properly chosen.
  – When she sends out Y, she knows that only persons who know x such that X = g^x mod p can compute k.
• Bob authenticated X, and he does that when he is following the protocol.
  – Thus, Bob knows the appropriate x.
• Therefore, Alice is sure that only Bob knows the final key k that she derives.

18 Bob’s view
• The first message that he receives gives him almost no useful information.
• The third message is definitely from Alice based on the AUTH_A, which includes a random value chosen by Bob.
  – Bob also knows that the first message was proper too.
• Bob knows that the DH parameters are safe.
• The rest is similar to the case for Alice.
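
The three-message exchange that the two "view" slides reason about, written out as an added example; it is not code from the original slides. Assumptions: AUTH is an HMAC-SHA256 under a pre-shared authentication key with a role tag so that AUTH_A and AUTH_B differ, message 1 carries Alice's minimum prime size s_a and nonce N_a, the group is a constructed toy group, and all function names are hypothetical. The `tamper` argument of `run` models an in-path change to message 2.

```python
import hashlib
import hmac
import secrets

# Constructed toy group, far too small for real use: p = 2q + 1, g has order q.
P, Q, G = 2039, 1019, 4

def auth(key, role, *fields):
    # Assumed AUTH: HMAC-SHA256, pre-shared key, over all data exchanged so far.
    data = role + b"|" + b"|".join(str(f).encode() for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def is_prime(n):  # trial division, adequate only for the toy sizes here
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def params_ok(p, q, g, s_min):
    return (p.bit_length() >= s_min and is_prime(p) and is_prime(q)
            and (p - 1) % q == 0 and g != 1 and pow(g, q, p) == 1)

def in_subgroup(v, p, q):
    return 1 < v < p and pow(v, q, p) == 1

def bob_reply(key, s_a, n_a):
    x = secrets.randbelow(Q - 1) + 1
    X = pow(G, x, P)
    return x, (P, Q, G, X, auth(key, b"B", s_a, n_a, P, Q, G, X))

def alice_finish(key, s_a, n_a, msg2):
    p, q, g, X, auth_b = msg2
    if not hmac.compare_digest(auth_b, auth(key, b"B", s_a, n_a, p, q, g, X)):
        raise ValueError("AUTH_B does not verify")
    if not (params_ok(p, q, g, s_a) and in_subgroup(X, p, q)):
        raise ValueError("unsafe DH parameters")
    y = secrets.randbelow(q - 1) + 1
    Y = pow(g, y, p)
    return pow(X, y, p), (Y, auth(key, b"A", s_a, n_a, p, q, g, X, Y))

def bob_finish(key, x, s_a, n_a, msg2, msg3):
    (p, q, g, X, _), (Y, auth_a) = msg2, msg3
    expected = auth(key, b"A", s_a, n_a, p, q, g, X, Y)
    if not (hmac.compare_digest(auth_a, expected) and in_subgroup(Y, p, q)):
        raise ValueError("message 3 rejected")
    return pow(Y, x, p)

def run(key, s_a=11, tamper=lambda msg2: msg2):
    n_a = secrets.token_hex(16)
    x, msg2 = bob_reply(key, s_a, n_a)
    k_alice, msg3 = alice_finish(key, s_a, n_a, tamper(msg2))
    return k_alice, bob_finish(key, x, s_a, n_a, msg2, msg3)
```

Because AUTH_B covers N_a and X, both a substituted X and a message 2 replayed from an earlier run are rejected before Alice derives any key.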

19 Key compromise
• If Alice loses her authentication key without it becoming known to an attacker,
  – She loses the ability to run the key exchange protocol.
  – She can still use the session keys that have been established.
• If Alice loses the session key without it becoming known to an attacker,
  – She will have to run the key exchange protocol to obtain a new session key.

20 Perfect forward secrecy
• If Alice’s authentication key is compromised, the attacker can impersonate Alice.
  – However, the past communications between Alice and Bob still remain secret.
  – The attacker cannot recover the session key k even if he recorded all messages.
• If the session key is compromised,
  – It does not provide information about any other key, including the authentication keys.

21 Perfect forward secrecy
• PFS: “disclosure of long-term secret keying material does not compromise the secrecy of exchanged keys from earlier runs.”
  – For example, using a public key to exchange secret keys does not provide PFS.
  – There is currently no other solution that provides PFS except for the Diffie-Hellman exchange.
• As a result, the DH protocol has been included in all well-designed key exchange protocols.

22 Summary
• We have strengthened the basic DH protocol to an authenticated DH protocol.
• At the end of the protocol, each side is authenticated and has come up with a secret session key.
• The DH protocol possesses the perfect forward secrecy property.
• The DH protocol has been used in a number of key exchange protocols, such as Photuris, SKIP, and of course IKE.

23 Acknowledgments
• The notes are prepared mostly based on N. Ferguson and B. Schneier, Practical Cryptography, Wiley, 2003.