Download presentation
Presentation is loading. Please wait.
Published byAlfred Clark Modified over 8 years ago
1
Fast A-key distribution with OTASP Copyright, 1996 © Dale Carnegie & Associates, Inc. Yiannis Tsiounis GTE Labs
2
Service Provisioning zManual entry yBy customer xSlow, not customer-friendly yAt POS xCostly for the seller, need to trust seller xStandard interfaces needed at POS zDistribution via backbone network xCostly, insecure, need to know phone destination zOTASP xPreferred for efficiency, convenience & security
3
OTASP zCurrent (Diffie-Hellman) method ySlow: 6 minutes per key exchange yNo authentication (security concerns) zRequirements: yAuthentication of S.P.s xPrevents man-in-the-middle attacks, false service provisioning ySecure key generation and exchange
4
Organization zIntroduction to OTASP zMethodology & Tools zCertification zSecure signatures (for authentication) zSecure encryption (for key exchange) zPutting it all together
5
Methodology zMobile Unit (M.U.) yAuthenticate Service Provider (S.P.) yGenerate & encrypt session key zService Provider yDecrypt & verify session key yGenerate A-key, encrypt using session key zM.U.: Decrypt & verify A-key
6
Tools zCertification for S.P.s zSignature scheme yFor certification zPublic key (asymmetric) encryption yFor sending the session key from MU to SP zPrivate key (symmetric) encryption yFor encrypting A-key using the session key
7
Certification zEstablish a Certification Authority (C.A.) yCA’s public key given to MU at manufacturing zCreate a certificate for each S.P. yThe C.A. signs the data (name) and public encryption key of each S.P. ySignature: Rabin-based yPublic encryption key: Rabin-based
8
Signature scheme zExistentially unforgeable under chosen plaintext attacks zInstantiation based on the squaring trapdoor (Rabin’s scheme) zPublic CA key: N = p·q zR(y) = y (mod N) zsig(M) = R [ w = H(M,r), F(w) r, G(w) M] __
9
Efficiency zVerification requires one modular squaring plus hash computations yCompared to 2|N|/3 modular multiplications used for a Diffie-Hellman key exchange zProcess is 320 times faster than D-H for 512 bit modulus y1.125” or 2.5” for 768 bit modulus* *Motorolla 68HC11 8-bit, 8MHz, 256 Bytes RAM
10
Encryption scheme zSemantically secure yA-priori knowledge provides no help yNo partial information is leaked zChosen ciphertext secure (plaintext aware) yThe sender “knows” what s/he is encrypting yNecessary for Rabin-based encryption xThe Rabin function is vulnerable to chosen ciphertext attacks
11
Rabin-based encryption zN = p·q zE(M) = [ w = (M, F(M)) G(r), r H(w) ]² (mod N) zr “randomizes” the encryption z[M, F(M)] authenticates the message zEfficiency: same as the Rabin signature
12
Symmetric encryption zGiven any symmetric encryption E zE(M) = [ w = (M, F(M)) G(r), r H(w) ] zCost equivalent to one symmetric key operation
13
Complete scheme zSP ySend certificate zMU yVerify Rabin signature on certificate ySend Rabin-encrypted session key zSP yDecrypt session key ySend A-key (encrypted with the session key)
14
Conclusion zEfficiency yAuthenticated key exchange is 160 times faster than current Diffie-Hellman yMinimal software/implementation requirements zSecurity yAuthentication of SPs yUnforgeable signatures ySemantically secure encryption schemes
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.