Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

Published byGregory Willis Modified over 9 years ago

Similar presentations

Presentation on theme: "CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography."— Presentation transcript:

1 CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography

2 CS555Spring 2012/Topic 162 Outline and Readings Outline Private key management between two parties Key management with multiple parties Public key cryptography Readings: Katz and Lindell: Chapter 9

3 CS555Spring 2012/Topic 163 Need for Key Establishment  When Alice and Bob share secret keys, they can communicate securely.  How to establish the shared key?  How to refresh it (not a good idea to encrypt a lot of data with the same key) Secure Communication?

4 CS555Spring 2012/Topic 164 Key Transport vs. Key Agreement Key establishment : process to establish a shared secret key available to two or more parties; –key transport: one party creates, and securely transfers it to the other(s). –key agreement: key establishment technique in which a shared secret is derived by two (or more) parties

5 CS555Spring 2012/Topic 165 Long-Term Key vs. Session Key Session key : temporary key, used for a short time period. –Assumed to be compromisible after some time Long-term key : used for a long term period, public/private keys are typically long-term. Using session keys to: –limit available cipher-text encrypted with the same key –limit exposure in the event of key compromise –avoid long-term storage of a large number of distinct secret keys –create independence across communications sessions or applications

6 CS555Spring 2012/Topic 166 Basic Key Transport Protocol Assumes a long term symmetric key K shared between A and B Basic: A chooses a random r A and sends it encrypted to B; A and B use it for the next session A  B: E K (r A ) –Subject to replay attack: when attacker replays the message to B, B will be using an old session key r A ; defeating the purpose of using session keys Enhancements to prevent replay: uses time t A new key is r A A  B: E K (r A, t A, B) Key transport with challenge/response: A  B: n B A  B: E K (r A, n B, B)

7 CS555Spring 2012/Topic 167 Authenticated Key Exchange Protocol 2 (AKEP2) rArA (B, A, r A, r B ), MAC K (B, A, r A, r B ) (A, r B ), MAC K (A, r B )  Setup: A and B share long-term keys K and K’  MAC K is a MAC  F K’ is a pseudo-random permutation (a block cipher)  Both A and B compute session key = F K’ (r B ) Protocol ensures that r B is a fresh random number chosen by B, intended to use with A for this session.

8 Key Agreement among Multiple Parties For a group of N parties, every pair needs to share a different key –Needs to establish N(N-1)/2 keys, which are too many Solution: Uses a Key Distribution Center (KDC), which is a central authority, a.k.a., Trusted Third Party (TTP) –Every party shares a key with a central server. –In an organization with many users, often times already every user shares a secret with a central TTP, e.g., password for an organization-wide account CS555Spring 2012/Topic 168

9 CS555Spring 2012/Topic 169 Needham-Schroeder Shared-Key Protocol: Parties: A, B, and trusted server T Setup: A and T share K AT, B and T share K BT Goal: Mutual entity authentication between A and B; key establishment Messages: A  T: A, B, N A (1) A  T: E[K AT ] (N A, B, k, E[K BT ](k,A))(2) A  B: E[K BT ] (k, A) (3) A  B: E[k] (N B ) (4) A  B: E[k] (N B -1)(5) What bad things can happen if there is no N A ? Another subtle flaw in Step 3.

10 CS555Spring 2012/Topic 1610 Kerberos Implement the idea of Needham- Schroeder protocol Kerberos is a network authentication protocol Provides authentication and secure communication Relies entirely on symmetric cryptography Developed at MIT: two versions, Version 4 and Version 5 (specified as RFC1510) http://web.mit.edu/kerberos/www Used in many systems, e.g., Windows 2000 and later as default authentication protocol

11 CS555Spring 2012/Topic 1611 Kerberos Overview One issue of Needham-Schroeder –Needs the key each time a client talks with a service –Either needs to store the secret, or ask user every time Solution: Separates TTP into an AS and a TGS. The client authenticates to AS using a long-term shared secret and receives a TGT. –supports single sign-on Later the client can use this TGS to get additional tickets from TGS without resorting to using the shared secret. These tickets can be used to prove authentication to SS. AS = Authentication Server SS = Service Server TGS = Ticket Granting Server TGT = Ticket Granting Ticket

12 CS555Spring 2012/Topic 1612 Overview of Kerberos

13 CS555Spring 2012/Topic 1613 Kerberos Drawback Single point of failure: –Requires online Trusted Third Party: Kerberos server Security partially depends on tight clock synchronization. Convenience requires loose clock synchronization –Use timestamp in the protocol –Hosts typically run Network Time Protocol to synchronize clocks Useful primarily inside an organization –Does it scale to Internet? What is the main difficulty?

14 CS555Spring 2012/Topic 1614 Concept of Public Key Encryption Each party has a pair (K, K -1 ) of keys: –K is the public key, and used for encryption –K -1 is the private key, and used for decryption –Satisfies D K -1 [E K [M]] = M Knowing the public-key K, it is computationally infeasible to compute the private key K -1 –How to check (K,K -1 ) is a pair? –Offers only computational security. Secure PK Encryption impossible when P=NP, as deriving K -1 from K is in NP. The public-key K may be made publicly available, e.g., in a publicly available directory –Many can encrypt, only one can decrypt Public-key systems aka asymmetric crypto systems

15 CS555Spring 2012/Topic 1615 Public Key Cryptography Early History Proposed by Diffie and Hellman, documented in “New Directions in Cryptography” (1976) 1.Public-key encryption schemes 2.Key distribution systems Diffie-Hellman key agreement protocol 3.Digital signature Public-key encryption was proposed in 1970 in a classified paper by James Ellis –paper made public in 1997 by the British Governmental Communications Headquarters Concept of digital signature is still originally due to Diffie & Hellman

16 CS555Spring 2012/Topic 1616 Diffie-Hellman Key Agreement Protocol Not a Public Key Encryption system, but can allow A and B to agree on a shared secret in a public channel (with passive, i.e., eavesdropping adversaries) Setup: p prime and g generator of Z p *, p and g public. K = (g b mod p) a = g ab mod p g a mod p g b mod p K = (g a mod p) b = g ab mod p Pick random, secret a Compute and send g a mod p Pick random, secret b Compute and send g b mod p

17 Diffie-Hellman Example: Let p=11, g=2, then A chooses 4, B chooses 3, then shared secret is (2 3 ) 4 = (2 4 ) 3 = 2 12 = 4 (mod 11) Adversaries sees 2 3 =8 and 2 4 =5, needs to solve one of 2 x =8 and 2 y =5 to figure out the shared secret. CS555Spring 2012/Topic 1617 a1234567891011 gaga 24816326412825651210242048 g a mod p248510973612

18 Three Problems Believed to be Hard to Solve Discrete Log (DLG) Problem: Given, computes a such that g a = h mod p. Computational Diffie Hellman (CDH) Problem: Given (without a, b) compute g ab mod p. Decision Diffie Hellman (DDH) Problem: distinguish (g a,g b,g ab ) from (g a,g b,g c ), where a,b,c are randomly and independently chosen If one can solve the DL problem, one can solve the CDH problem. If one can solve CDH, one can solve DDH. CS555Spring 2012/Topic 1618

19 Assumptions DDH Assumption: DDH is hard to solve. CDH Assumption: CDH is hard to solve. DLG Assumption: DLG is hard to solve DDH assumed difficult to solve for large p (e.g., at least 1024 bits). CS555Spring 2012/Topic 1619

20 CS555Spring 2012/Topic 1620 Authenticated Diffie-Hellman g a mod n g b mod n g c mod n Alice computes g ac mod n and Bob computes g bc mod n !!! Is C Alice Alice’s certificate? C Alice, g a mod n, Sign Alice (g a mod n) C Bob, g b mod n, Sign Bob (g b mod n) Is C Bob Bob’s certificate?

21 CS555Spring 2012/Topic 1621 Coming Attractions … Textbook RSA encryption, number theory Reading: Katz & Lindell: 7.2

Download ppt "CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography."

Similar presentations

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication & Kerberos

Authentication & Kerberos
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.

1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.

SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

Similar presentations

Ads by Google