Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.

Published byJasper Little Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002."— Presentation transcript:

1 1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002

2 2 The secure key exchange problem Before two users can use a private key for encryption or for message authentication, how did they come up the key? –Out-of-band, in-band, or a hybrid How do two IPSec nodes set up their security associations (SAs)? –Encryption algorithms, authentication algorithms, session keys, etc. In general, the problem is how to derive a secret (key, identity, etc) between two users over an insecure network? –The second problem is how to use the secret (keys) to secure their messages from a certain layer up.

3 3 The secure key exchange problem An acceptable solution (a secure key exchange protocol) to this problem is required to handle –Source authentication –Message authentication –Data confidentiality –Protection against denial-of-service attacks, such as, flooding of messages, replay messages, etc. Internet Key Exchange (IKE) protocol is the default method for IPSec. –IKE is an application-layer protocol using the well-known UDP port 500. –IKE is a general key exchange protocol.

4 4 Perfect forward secrecy One important requirement for key exchange protocols is perfect forward secrecy (PFS). –PFS: “disclosure of long-term secret keying material does not compromise the secrecy if exchanged keys from earlier runs.” –For example, using public-key to exchange secret keys does not have PFS. –There is currently no other solution to provide the PFS except for the Diffie-Hellman exchange. As a result, the Diffie-Hellman exchange has been included in all well-designed key exchange protocols.

5 5 Diffie-Hellman key exchange An initiator (I) and a responder (R) must agree on a Diffie-Hellman group that consists of a large prime number, p, and an integer g. I then generates a large random integer x, and computes X = g x mod p. –I sends X to R. Upon receiving the message, R then generates a large random integer y, and computes Y = g y mod p. –R sends Y to I. Both I and R compute a secret key k by –I: k = Y x mod p = (g y mod p) x mod p = g xy mod p –R: k = X y mod p = (g x mod p) y mod p = g xy mod p

6 6 Diffie-Hellman key exchange

7 7 Properties of D-H key exchange The group (p, g) is not a secret. x (or X) or y (or Y) is a half-secret. –To recover the key from p, g, X, and Y, one needs to compute the discrete logarithm to recover x or y. –Additional requirements for p: (p - 1)/2 is also a prime and must be large. –g is primitive mod n. –For example: p = 2 768 - 2 704 - 1 + 2 64 * { [2 638  + 149686 } and g = 2. There is no known tractable method for finding the discrete logarithm of an exponentiated number modulo a large prime number.

8 8 Problems with D-H key exchange It does not prevent replay or flooding attacks. –Sending a series of request packets with different spoofed source IP addresses –A partial solution: use of cookies It does not authenticate participants. –Man-in-the-middle attacks, such as third-party insertion, deletion, interception, or modification of messages. –Need to authenticate the Diffie-Hellman exchanges. It does not have a negotiation mechanism for specifying the particular encryption or authentication algorithms to use with the generated key. –Need additional mechanisms.

9 9 A man-in-the-middle attack

10 10 D-H + cookies A cookie exchange guards against simple flooding attacks sent with bogus IP sources addresses or UDP ports. I generates a cookie (of length between 64 and 128 bits) C I, and sends it to R. R then generates a cookie C R, and sends it with C I to I. To launch a flooding attack, the attacker has to –complete a cookie exchange with the victim for each spoofed source IP address (read the cookie sent by the victim for each cookie exchange.)

11 11 D-H + cookies

12 12 Requirements for cookie generation The cookie must depend on the specific parties. –This prevents an attacker from obtaining a cookie using a real IP address and UDP port, and –then using it to swamp the victim with requests from randomly chosen IP addresses or ports. It must not be possible for anyone other than the issuing entity to generate cookies that will be accepted by that entity. –This implies that the issuing entity will use local secret information in the generation and subsequent verification of a cookie. –It must not be possible to deduce this secret information from any particular cookie.

13 13 Requirements for cookie generation The cookie generation and verification methods must be fast to thwart attacks intended to sabotage CPU resources. A recommended technique is to use a cryptographic hashing function, such as MD5. –An incoming cookie can be verified by regenerating it locally from values contained in the incoming datagram and the local secret random value. –For example, cookie = PRF(secret, source and destination IP addresses, source and destination UDP port numbers)

14 14 Initiator and responder cookies The Initiator secret value should be different for each cookie exchange and the secret value is cached. –An alternative, of course, is to cache the cookie itself instead of the secret value. –It is recommended that the cookie be computed over the secret, source and destination IP addresses, and source and destination UDP port numbers. The responder secret value may be the same for many different initiators. –This secret value should be changed periodically. –It is recommended that the cookie be computed over the secret, the Initiator cookie, source and destination IP addresses, and UDP port numbers.

15 15 Authenticating D-H exchanges Symmetric-key based authentication –Use a pre-configured shared key, or each other’s public keys to establish a shared key. –Use a pseudo-random function (PRF), such as keyed MD5, for authentication: I includes PRF(shared key, ID I, X, Y, C I, C R ) in the message sent to R. The inclusion of X serves to authenticate (to R) that X came from I. The inclusion of Y serves to prove to R the freshness of the message (assuming Y was freshly chosen by R). ID I serves to reassure the parties about the correct binding between the exchanged key and I’s identity.

16 16 Authenticating based on symmetric keys

17 17 Authenticating based on symmetric keys Without knowing the shared key, the man-in-the- middle would not be able to compute the correct PRF values. The expensive Diffie-Hellman computation can be postponed after the authentication step. To conceal the identities of the parties, the last two messages may be encrypted (using a different key).

18 18 Authenticating based on asymmetric keys Use digital signatures or public key encryption. Some people are against the use of digital signatures because of its nonrepudiation property (e.g. SKEME). –If during a key exchange between I and R, I is required to sign R’s identity, then this signature can be re-used later by R for other purposes. –If digital signatures are used in a key exchange protocol, then these signatures should not be used to sign the identities. –Can we prevent R from inserting his identity in the information to be signed by I?

19 19 Acknowledgements These lecture notes are based on –M. S. Borella, “Methods and Protocols for Secure Key Negotiation Using IKE,” IEEE Network, pp. 18-29, July/Aug., 2000. –N. Doraswamy and D. Harkins, IPSec, Prentice Hall, 1999. –P. Karn and W. Simpson, “Photuris: Session-Key Management Protocol,” RFC 2522, March 1999. –H. Krawczyk, “SKEME: A Versatile Secure Key Exchange Mechanism for Internet,” Proc. Internet Society Symposium on Network and Distributed System Security,” Feb. 1996.

Download ppt "1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002."

Similar presentations

ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.

ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
L8. Reviews Rocky K. C. Chang, May 2011. Foci of this course 2 Rocky K. C. Chang  Understand the 3 fundamental cryptographic functions and how they are.

L8. Reviews Rocky K. C. Chang, May Foci of this course 2 Rocky K. C. Chang  Understand the 3 fundamental cryptographic functions and how they are.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.

IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.
Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,

Internet Security CSCE 813 IPsec. CSCE Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,
Key Distribution CS 470 Introduction to Applied Cryptography

Key Distribution CS 470 Introduction to Applied Cryptography

Similar presentations

Ads by Google