Authenticated Key Exchange
Rocky K. C. Chang, 20 March 2007


2 Outline
• The secure key exchange problem
• Recall the Diffie-Hellman protocol
• Designing an authenticated Diffie-Hellman protocol
  - Several versions
• The perfect forward secrecy property

3 The secure key exchange problem
• Before two users can use a private key for encryption or for message authentication, how do they come up with the key?
  - Out-of-band, in-band, or a hybrid
• How do two IPSec nodes set up their security associations (SAs)?
  - Encryption algorithms, authentication algorithms, session keys, etc.
• In general, the problem is how to derive a secret (key, identity, etc.) between two users over an insecure network.
  - The second problem is how to use the secret (keys) to secure their messages from a certain layer up.

4 The secure key exchange problem
• An acceptable solution (a secure key exchange protocol) to this problem is required to handle
  - Source authentication
  - Message authentication
  - Data confidentiality
  - Protection against denial-of-service attacks, such as flooding of messages, replayed messages, etc.

5 Recall from the DH slides

6 The basic DH protocol

7 The man in the middle attack

8 The final (unauthenticated) DH protocol

9 Designing an authenticated DH protocol

10 Authenticated DH protocol: v.1

11 Problems with v. 1
• Let Alice and Bob choose the DH parameters (p, q, g).
• The number of messages can be reduced.
• The session key k is used as an argument in authentication.
  - A good rule of thumb is to use a secret for a single thing.
• The 2 authentication messages are too similar.
  - Subject to the replay or similar attacks

12 Problems with v. 1
• Fixing the (p, q, g) in a key exchange protocol would shorten the protocol's life.
  - Management of versions
• Can shorten the number of messages to 2.
• The data in AUTH_A and AUTH_B consists of all the data exchanged so far.

13 Authenticated DH protocol: v.2

14 Problems with v. 2
• What if Bob wants a larger prime than Alice?
  - Bob will have to abort the protocol and send back an error message.
  - Alice has to restart again with new DH parameters.
• AUTH_A in the first message cannot securely authenticate Alice.
  - Why?
  - The purpose of the nonce in the first message?

15 Authenticated DH protocol: v.3

16 The final authenticated DH protocol

17 Alice's view
• She receives a single message from Bob.
  - She is sure that the message is from Bob because of the AUTH_B, which includes N_a.
• Alice checks that the DH parameters are properly chosen.
  - When she sends out Y, she knows that only persons who know x such that X = g^x mod p can compute k.
• Bob authenticated X, and he does that when he is following the protocol.
  - Thus, Bob knows the appropriate x.
• Therefore, Alice is sure that only Bob knows the final key k that she derives.

18 Bob's view
• The first message that he receives gives him almost no useful information.
• The third message is definitely from Alice based on the AUTH_A, which includes a random value chosen by Bob.
  - Bob also knows that the first message was proper too.
• Bob knows that the DH parameters are safe.
• The rest is similar to the case for Alice.
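
Added example, not part of the original slides: the checks described in Alice's and Bob's views, written for a three-message exchange (N_a; then (p, q, g), X, AUTH_B; then Y, AUTH_A) in which each AUTH covers all data exchanged so far. Assumptions: AUTH is HMAC-SHA256 under a pre-shared authentication key, Alice enforces a minimum prime size (min_bits), and the message layout, function names and toy group are constructed for illustration.

```python
import hashlib, hmac, secrets
TOY_GROUP = (2039, 1019, 4)  # constructed toy (p, q, g); far too small for real use

def is_prime(n, rounds=32):                  # Miller-Rabin primality test
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def in_subgroup(v, p, q):                    # v != 1 lies in the order-q subgroup
    return 1 < v < p and pow(v, q, p) == 1
def auth(key, *fields):                      # assumed AUTH: HMAC over all data so far
    data = "|".join(map(str, fields)).encode()
    return hmac.new(key, data, hashlib.sha256).digest()

def bob_reply(key, n_a, group):              # message 2: (p, q, g), X, AUTH_B
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1
    X = pow(g, x, p)
    return x, (p, q, g, X, auth(key, n_a, p, q, g, X))

def alice_finish(key, n_a, min_bits, msg2):  # verify message 2, build message 3
    p, q, g, X, auth_b = msg2
    if not hmac.compare_digest(auth_b, auth(key, n_a, p, q, g, X)):
        raise ValueError("AUTH_B does not cover this run's nonce and data")
    if not (p.bit_length() >= min_bits and is_prime(p) and is_prime(q)
            and (p - 1) % q == 0 and in_subgroup(g, p, q) and in_subgroup(X, p, q)):
        raise ValueError("unsafe DH parameters or public value")
    y = secrets.randbelow(q - 1) + 1
    Y = pow(g, y, p)
    return pow(X, y, p), (Y, auth(key, n_a, p, q, g, X, Y))

def bob_finish(key, n_a, msg2, x, msg3):     # verify message 3, derive k
    (p, q, g, X, _), (Y, auth_a) = msg2, msg3
    ok = hmac.compare_digest(auth_a, auth(key, n_a, p, q, g, X, Y))
    if not (ok and in_subgroup(Y, p, q)):
        raise ValueError("AUTH_A invalid or unsafe public value")
    return pow(Y, x, p)
```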

19 Key compromise
• If Alice loses her authentication key without it becoming known to an attacker,
  - She loses the ability to run the key exchange protocol.
  - She still can use the session keys that have been established.
• If Alice loses the session key without it becoming known to an attacker,
  - She will have to run the key exchange protocol to obtain a new session key.

20 Perfect forward secrecy
• If Alice's authentication key is compromised, the attacker can impersonate Alice.
  - However, the past communications between Alice and Bob still remain secret.
  - The attacker cannot recover the session key k even if he recorded all messages.
• If the session key is compromised,
  - It does not provide information about any other key, including the authentication keys.

21 Perfect forward secrecy
• PFS: "disclosure of long-term secret keying material does not compromise the secrecy of exchanged keys from earlier runs."
  - For example, using public-key to exchange secret keys does not have PFS.
  - There is currently no other solution to provide the PFS except for the Diffie-Hellman exchange.
• As a result, the DH protocol has been included in all well-designed key exchange protocols.

22 Summary
• We have strengthened the basic DH protocol to an authenticated DH protocol.
• At the end of the protocol, each side is authenticated and the two sides come up with a secret session key.
• The DH protocol possesses the perfect forward secrecy property.
• The DH protocol has been used in a number of key exchange protocols, such as Photuris, SKIP, and of course IKE.

23 Acknowledgments
• The notes are prepared mostly based on N. Ferguson and B. Schneier, Practical Cryptography, Wiley, 2003.

