Key Establishment Protocols - 12.6 ~ 12.9 - Seunggyu BYEON
Contents 12.6 Key agreement based on asymmetric techniques 12.7 Secret sharing 12.8 Conference keying 12.9 Analysis of key establishment protocols
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (i) Basic version of Diffie-Hellman key agreement (Exponential key exchange) The first practical solution to the key distribution problem Allowing two parties, never having met in advance or shared keying material To establish a shared secret by exchanging messages over an open channel
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (i) Diffie-Hellman key agreement (Exponential key exchange) Alice Bob 𝑝=23, 𝛼=5 𝐴= 5 6 𝑚𝑜𝑑 23 𝐵= 5 15 𝑚𝑜𝑑 23 𝐴=8 𝐵=19 𝐾= 19 6 𝑚𝑜𝑑 23 𝐾= 8 15 𝑚𝑜𝑑 23 𝐾=2 𝑥=6 𝑦=15 𝛼 𝑥 𝛼 𝑦 1. One-time Setup 3. (a)(b) random 𝑥 and 𝑦 and sends 𝛼 𝑥 and 𝛼 𝑦 2. Protocol Message AB : 𝛼 𝑥 3. (c)(d) receives 𝛼 𝑦 and 𝛼 𝑥 and shares 𝛼 𝑦 𝑥 = 𝛼 𝑥 𝑦
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (i) Diffie-Hellman key agreement (Exponential key exchange) 12.48 Note. Time-invariant Nature 12.49 Remark.
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (i) Diffie-Hellman key agreement (Exponential key exchange)
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (i) Diffie-Hellman key agreement (Exponential key exchange) 12.50 Note. Vulnerableness to not authenticated exponentials Alice Bob 𝑝=23, 𝛼=5 1. One-time Setup 𝑥=6 𝑦=15 𝑝=𝑅𝑞+1 3. (a)(b) Choose random 𝑥 and 𝑦 and sends 𝛼 𝑥 and 𝛼 𝑦 𝐴= 5 6 𝑚𝑜𝑑 23 𝛼 𝑞 = 𝛼 𝑝−1 /𝑹(𝟐) 𝐵= 5 15 𝑚𝑜𝑑 23 𝐴=8 𝛼 𝑥 =8 𝛼 𝑦 =19 𝐵=19 2. Protocol Message AB : 𝛼 𝑥 𝛼 𝑦𝑞 𝛼 𝑥𝑞 𝐾= 19 𝑝−1 2 6 = −1 6 =1 𝐾= 8 𝑝−1 2 15 = −1 15 =−1 ±1 ±1 3. (c)(d) receives 𝛼 𝑦 and 𝛼 𝑥 and shares 𝛼 𝑦𝑞 𝑥 = 𝛼 𝑥𝑞 𝑦 𝛼 𝑥𝑦𝑞 𝛼 𝑥𝑦𝑞
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (ii) ElGamal key agreement in one-pass (half-certificated Diffie-Hellman) Diffie-Hellman variant providing a one-pass protocol with unilateral key authentication More simply Diffie-Hellman key agreement wherein the public exponential of the recipient is fixed and has verifiable authenticity
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (ii) ElGamal key agreement in one-pass (half-certificated Diffie-Hellman) Alice Bob 1. One-time Setup random 𝑏 and 𝛼 𝑏 Included its public key 𝑝=23, 𝛼=5, 𝛼 𝑏 =19 𝑏=15 𝑥=6 3. (a) A obtains B’s public key A choose a random integer 𝑥 sends 2 𝐴= 5 6 𝑚𝑜𝑑 23 𝐴=8 𝛼 𝑥 2. Protocol Message AB : 𝛼 𝑥 𝐾= 𝛼 𝑏 6 𝑚𝑜𝑑 23 𝐾= 8 15 𝑚𝑜𝑑 23 𝐾= 19 6 𝑚𝑜𝑑 23 3. (a) 𝛼 𝑏 𝑥 = (b) 𝛼 𝑏 𝑥 𝐾=2 𝐾=2
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (iii) MTI two-pass key agreement protocols As in ElGamal key agreement, A sends to B a single message, resulting in the shared key K B independently initiates an analogous protocol with A, resulting in the shared key K’ Each of A and B then computes k=KK’ mod p
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (iii) MTI two-pass key agreement protocols Alice Bob Alice Bob 𝑝, 𝛼, 𝛼 𝑏 = 𝑧 𝐵 1. One-time Setup random 𝑏 and 𝛼 𝑏 Included its public key 𝑝, 𝛼, 𝛼 𝑎 = 𝑧 𝐴 𝑥 𝑏 𝑎 𝑦 3. (a) A obtains B’s public key A choose a random integer 𝑥 sends 2 𝛼 𝑥 2. Protocol Message AB : 𝛼 𝑥 𝛼 𝑦 𝑧 𝐵 𝑥 𝛼 𝑏𝑥 𝛼 𝑎𝑦 𝑧 𝐴 𝑦 3. (a) 𝛼 𝑏 𝑥 = (b) 𝛼 𝑏 𝑥 𝐾 𝐾 𝐾′ 𝐾′ = = 𝛼 𝑎𝑦 𝑧 𝐵 𝑥 𝛼 𝑏𝑥 𝑧 𝐴 𝑦 𝒌=𝐾 𝐾 ′ 𝑚𝑜𝑑 𝑝 = 𝛼 𝑏𝑥+𝑎𝑦
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (iii) MTI two-pass key agreement protocols
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (iii) MTI two-pass key agreement protocols – 12.54 Alice Charlie Bob 1. One-time Setup random 𝑏 and 𝛼 𝑏 Included its public key 𝑝, 𝛼, 𝛼 𝑎 = 𝑧 𝐴 𝑥 𝑝, 𝛼, 𝛼 𝑎 = 𝑧 𝑐 3. (a) A obtains B’s public key A choose a random integer 𝑥 and sends 𝑦 𝑝, 𝛼, 𝛼 𝑏 = 𝑧 𝐵 𝛼 𝑥 Change Source Indication 𝛼 𝑥 2. Protocol Message AB : 𝛼 𝑥 𝛼 𝑦 𝑧 𝐵 𝑥 𝛼 𝑦 𝑧 𝐴 𝑦 3. (a) 𝛼 𝑏 𝑥 = (b) 𝛼 𝑏 𝑥 𝐾 𝐾 = 𝛼 𝑎𝑦 𝑧 𝐵 𝑥 𝒌=𝐾 𝐾 ′ 𝑚𝑜𝑑 𝑝
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (iii) MTI two-pass key agreement protocols – 12.54 Alice Charlie Bob 1. One-time Setup random 𝑎 and 𝛼 𝑎 Included its public key 𝑦 𝑝, 𝛼, 𝛼 𝑎 = 𝑧 𝐴 𝑝, 𝛼, 𝛼 𝑎𝑒 = 𝑧 𝐶 3. (a) A obtains B’s public key A choose a random integer 𝑦 and sends 𝛼 𝑦 𝛼 𝑒𝑦 2. Protocol Message BA : 𝛼 𝑦 𝐾 𝐾= 𝛼 𝑎𝑒𝑦 𝐾 believes that it’s shared with Bob believes that it’s shared with Charlie 3. (a) 𝛼 𝑏 𝑥 = (b) 𝛼 𝑏 𝑥 𝒌= 𝛼 𝑎𝑒𝑦+𝑏𝑥
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (iii) MTI two-pass key agreement protocols 12.55 Remark 12.56 Remark.
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (iv) Station-to-Station Protocol (STS) the establishment of a shared secret key between two parties with mutual entity authentication and mutual explicit key authentication The protocol also facilitates anonymity – the identities of A and B may be protected from Eaves
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (iv) Station-to-Station Protocol (STS) Alice Bob 1. One-time Setup 𝑝=23, 𝛼=5 , 𝑒 𝐴 , 𝑛 𝐴 𝑎𝑛𝑑 𝑑 𝐴 𝑥=6 𝑦=15 4. (a) A obtains B’s public key A choose a random integer 𝑥 sends B 𝐴= 5 6 𝑚𝑜𝑑 23 4. (b) computes 𝛼 𝑦 and signs the concatenates of both exp., encrypts it using the key 𝐴=8 3. Protocol Message AB : 𝛼 𝑥 AB : 𝛼 𝑦 , 𝐸 𝑘 𝑆 𝐵 𝛼 𝑦 , 𝛼 𝑥 AB : 𝐸 𝑘 𝑆 𝐴 𝛼 𝑥 , 𝛼 𝑦 𝛼 𝑥 𝑘= 8 15 𝑚𝑜𝑑 23 𝛼 𝑦 = 5 15 𝑚𝑜𝑑 23 =19 𝛼 𝑦 , 𝐸 𝑘 𝑆 𝐵 𝛼 𝑦 , 𝛼 𝑥 4. (c) computes the shared key, Decrypts the encrypted data, uses B’s public key to verify… 𝑘= 19 6 𝑚𝑜𝑑 23 4. (d) Decrypts the encrypted data, uses A’s public key to verify… Verification of 𝑆 𝐵 𝐸 𝑘 𝑆 𝐴 𝛼 𝑥 , 𝛼 𝑦 Verification of 𝑆 𝐴 4. (a) 𝛼 𝑏 𝑥 = (b) 𝛼 𝑏 𝑥 𝑘=2 𝑘=2
12.6 Key agreement based on asymmetric techniques 12.6.1 Diffie-Hellman and related key agreement protocols (iv) Station-to-Station Protocol (STS) 12.58 Remark
12.7 Secret Sharing 12.7 Secret Sharing ㄴㄷㅊ
12.7.1 Simple shared control schemes 12.7 Secret Sharing 12.7.1 Simple shared control schemes (i) Dual control by modular addition
12.7.1 Simple shared control schemes 12.7 Secret Sharing 12.7.1 Simple shared control schemes (ii) Unanimous consent control by modular addition 12.68 Remark
12.7 Secret Sharing 12.7.2 Threshold schemes 12.69 Definition 12.70 Remark
12.7 Secret Sharing 12.7.2 Threshold schemes Shamir’s threshold scheme
12.7.3 Generalized secret sharing
12.7.3 Generalized secret sharing
12.8 Conference keying 12.7.3 Generalized secret sharing
12.7.3 Generalized secret sharing 12.8 Conference keying 12.7.3 Generalized secret sharing Burmester-Desmedt conference keying protocol
12.7.3 Generalized secret sharing 12.8 Conference keying 12.7.3 Generalized secret sharing Burmester-Desmedt conference keying protocol
12.7.3 Generalized secret sharing 12.8 Conference keying 12.7.3 Generalized secret sharing Unconditionally secure conference keying
12.9 Analysis of key establishment protocols 12.9.1 Attack strategies and classic protocol flaws Attack 1: Intruder-in-the-middle
12.9 Analysis of key establishment protocols 12.9.1 Attack strategies and classic protocol flaws Attack 2: Reflection attack
12.9 Analysis of key establishment protocols 12.9.1 Attack strategies and classic protocol flaws Attack 3: Interleaving attack
12.9 Analysis of key establishment protocols 12.9.1 Attack strategies and classic protocol flaws Attack 4: Misplaced trust in server
12.9 Analysis of key establishment protocols 12.9.2 Analysis objectives and methpds Definition
12.9 Analysis of key establishment protocols 12.9.2 Analysis objectives and methpds Definition
I appreciate your deep interest