1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.


2 The secure key exchange problem
Before two users can use a private key for encryption or for message authentication, how do they come up with the key?
–Out-of-band, in-band, or a hybrid
How do two IPSec nodes set up their security associations (SAs)?
–Encryption algorithms, authentication algorithms, session keys, etc.
In general, the problem is how to derive a secret (key, identity, etc.) between two users over an insecure network.
–The second problem is how to use the secret (keys) to secure their messages from a certain layer up.

3 The secure key exchange problem
An acceptable solution (a secure key exchange protocol) to this problem is required to handle
–Source authentication
–Message authentication
–Data confidentiality
–Protection against denial-of-service attacks, such as flooding of messages, replayed messages, etc.
The Internet Key Exchange (IKE) protocol is the default method for IPSec.
–IKE is an application-layer protocol using the well-known UDP port 500.
–IKE is a general key exchange protocol.

4 Perfect forward secrecy
One important requirement for key exchange protocols is perfect forward secrecy (PFS).
–PFS: “disclosure of long-term secret keying material does not compromise the secrecy of exchanged keys from earlier runs.”
–For example, using public-key encryption to exchange secret keys does not have PFS.
–There is currently no other solution that provides PFS except the Diffie-Hellman exchange. As a result, the Diffie-Hellman exchange has been included in all well-designed key exchange protocols.

5 Diffie-Hellman key exchange
An initiator (I) and a responder (R) must agree on a Diffie-Hellman group that consists of a large prime number, p, and an integer g.
I then generates a large random integer x, and computes X = g^x mod p.
–I sends X to R.
Upon receiving the message, R then generates a large random integer y, and computes Y = g^y mod p.
–R sends Y to I.
Both I and R compute a secret key k by
–I: k = Y^x mod p = (g^y mod p)^x mod p = g^(xy) mod p
–R: k = X^y mod p = (g^x mod p)^y mod p = g^(xy) mod p

6 Diffie-Hellman key exchange

7 Properties of D-H key exchange
The group (p, g) is not a secret.
x (or X) or y (or Y) is a half-secret.
–To recover the key from p, g, X, and Y, one needs to compute the discrete logarithm to recover x or y.
–Additional requirements for p: (p - 1)/2 is also a prime and must be large.
–g is a primitive root mod p.
–For example: p = * { [2 638  } and g = 2.
There is no known tractable method for finding the discrete logarithm of an exponentiated number modulo a large prime number.
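
The exchange on slide 5 together with the group requirements on slide 7, as an added Python example that is not part of the lecture notes: validate_group, valid_public_value and dh_exchange are names chosen here, the toy group p = 23, g = 5 and the half-secrets x = 6, y = 15 are constructed, and the range check on received public values is an addition the slides do not mention.

```python
import secrets

def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test with random witnesses."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def validate_group(p, g):
    """Slide 7: p and (p-1)/2 prime (a safe prime) and g a primitive root mod p;
    for a safe prime, g is primitive iff g^2 != 1 and g^((p-1)/2) != 1 (mod p)."""
    q = (p - 1) // 2
    if p < 7 or not (is_probable_prime(p) and is_probable_prime(q)):
        return False
    g %= p
    return g > 1 and pow(g, 2, p) != 1 and pow(g, q, p) != 1

def valid_public_value(p, v):
    # Added check, not on the slides: reject 0, 1 and p-1 so a peer cannot force k into {0, 1, p-1}.
    return 2 <= v <= p - 2

def dh_exchange(p, g, x=None, y=None):
    """Slide 5's exchange; x and y default to fresh random half-secrets. Returns (X, Y, k_I, k_R)."""
    if not validate_group(p, g):
        raise ValueError("group does not meet the slide-7 requirements")
    x = x if x is not None else 2 + secrets.randbelow(p - 3)
    y = y if y is not None else 2 + secrets.randbelow(p - 3)
    X, Y = pow(g, x, p), pow(g, y, p)      # I sends X to R; R sends Y to I
    if not (valid_public_value(p, X) and valid_public_value(p, Y)):
        raise ValueError("public value out of range")
    k_I = pow(Y, x, p)                     # I: Y^x mod p = g^(xy) mod p
    k_R = pow(X, y, p)                     # R: X^y mod p = g^(xy) mod p
    return X, Y, k_I, k_R
```

With the toy group, dh_exchange(23, 5, x=6, y=15) gives X = 8, Y = 19 and k = 2 on both sides; validate_group(23, 2) is rejected because 2 has order 11, not 22, mod 23.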

8 Problems with D-H key exchange
It does not prevent replay or flooding attacks.
–Sending a series of request packets with different spoofed source IP addresses
–A partial solution: use of cookies
It does not authenticate the participants.
–Man-in-the-middle attacks, such as third-party insertion, deletion, interception, or modification of messages.
–Need to authenticate the Diffie-Hellman exchanges.
It does not have a negotiation mechanism for specifying the particular encryption or authentication algorithms to use with the generated key.
–Need additional mechanisms.

9 A man-in-the-middle attack

10 D-H + cookies
A cookie exchange guards against simple flooding attacks sent with bogus source IP addresses or UDP ports.
I generates a cookie C_I (of length between 64 and 128 bits) and sends it to R.
R then generates a cookie C_R and sends it, together with C_I, to I.
To launch a flooding attack, the attacker has to
–complete a cookie exchange with the victim for each spoofed source IP address (i.e., read the cookie sent by the victim in each cookie exchange).

11 D-H + cookies

12 Requirements for cookie generation
The cookie must depend on the specific parties.
–This prevents an attacker from obtaining a cookie using a real IP address and UDP port, and
–then using it to swamp the victim with requests from randomly chosen IP addresses or ports.
It must not be possible for anyone other than the issuing entity to generate cookies that will be accepted by that entity.
–This implies that the issuing entity will use local secret information in the generation and subsequent verification of a cookie.
–It must not be possible to deduce this secret information from any particular cookie.

13 Requirements for cookie generation
The cookie generation and verification methods must be fast, to thwart attacks intended to exhaust CPU resources.
A recommended technique is to use a cryptographic hash function, such as MD5.
–An incoming cookie can be verified by regenerating it locally from values contained in the incoming datagram and the local secret random value.
–For example, cookie = PRF(secret, source and destination IP addresses, source and destination UDP port numbers)

14 Initiator and responder cookies
The initiator secret value should be different for each cookie exchange, and the secret value is cached.
–An alternative, of course, is to cache the cookie itself instead of the secret value.
–It is recommended that the cookie be computed over the secret, the source and destination IP addresses, and the source and destination UDP port numbers.
The responder secret value may be the same for many different initiators.
–This secret value should be changed periodically.
–It is recommended that the cookie be computed over the secret, the initiator cookie, the source and destination IP addresses, and the UDP port numbers.
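
Cookie generation and stateless verification as described on slides 10 to 14, as an added Python example that is not part of the original slides. It assumes HMAC-SHA256 as the PRF in place of the keyed MD5 the slides suggest; the Responder class, the function names and the IP addresses are constructed for the demonstration.

```python
import hmac, hashlib, secrets, ipaddress

def prf(secret, *fields):
    """Keyed PRF. Assumption: HMAC-SHA256 instead of the keyed MD5 the slides mention.
    Each field is length-prefixed so two fields cannot be re-split into different values."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for f in fields:
        data = f if isinstance(f, bytes) else str(f).encode()
        mac.update(len(data).to_bytes(2, "big") + data)
    return mac.digest()[:16]        # 128-bit cookie, the upper bound on slide 10

def addr_fields(src_ip, src_port, dst_ip, dst_port):
    """The datagram fields slide 13 binds a cookie to."""
    return (ipaddress.ip_address(src_ip).packed, src_port,
            ipaddress.ip_address(dst_ip).packed, dst_port)

def initiator_cookie(src_ip, src_port, dst_ip, dst_port):
    """Slide 14: a fresh secret per exchange; I caches it (or the cookie) for later checks."""
    secret = secrets.token_bytes(32)
    return secret, prf(secret, *addr_fields(src_ip, src_port, dst_ip, dst_port))

class Responder:
    """Slide 14: one secret shared across initiators, rotated periodically; cookies
    are verified by regenerating them, so no per-initiator state is kept before step 3."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)
    def rotate_secret(self):
        self.secret = secrets.token_bytes(32)
    def make_cookie(self, c_i, src_ip, src_port, dst_ip, dst_port):
        return prf(self.secret, c_i, *addr_fields(src_ip, src_port, dst_ip, dst_port))
    def verify_cookie(self, c_r, c_i, src_ip, src_port, dst_ip, dst_port):
        expected = self.make_cookie(c_i, src_ip, src_port, dst_ip, dst_port)
        return hmac.compare_digest(c_r, expected)

def demo():
    """Constructed exchange: I at 192.0.2.10:500, R at 198.51.100.1:500 (documentation addresses)."""
    r = Responder()
    I, R = ("192.0.2.10", 500), ("198.51.100.1", 500)
    _, c_i = initiator_cookie(*I, *R)            # message 1: C_I
    c_r = r.make_cookie(c_i, *I, *R)             # message 2: C_R, C_I
    genuine = r.verify_cookie(c_r, c_i, *I, *R)  # message 3 from the real source
    # Same C_R/C_I replayed from another source address: slide 12's spoof case
    spoofed = r.verify_cookie(c_r, c_i, "203.0.113.7", 500, *R)
    r.rotate_secret()
    stale = r.verify_cookie(c_r, c_i, *I, *R)    # cookie issued under the old secret
    return genuine, spoofed, stale
```

demo() returns (True, False, False): the genuine third message verifies, the same cookie from a different source address does not, and a cookie issued before a secret rotation is rejected afterwards.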

15 Authenticating D-H exchanges
Symmetric-key based authentication
–Use a pre-configured shared key, or each other’s public keys to establish a shared key.
–Use a pseudo-random function (PRF), such as keyed MD5, for authentication: I includes PRF(shared key, ID_I, X, Y, C_I, C_R) in the message sent to R.
The inclusion of X serves to authenticate (to R) that X came from I.
The inclusion of Y serves to prove to R the freshness of the message (assuming Y was freshly chosen by R).
ID_I serves to reassure the parties about the correct binding between the exchanged key and I’s identity.

16 Authenticating based on symmetric keys

17 Authenticating based on symmetric keys
Without knowing the shared key, the man-in-the-middle would not be able to compute the correct PRF values.
The expensive Diffie-Hellman computation can be postponed until after the authentication step.
To conceal the identities of the parties, the last two messages may be encrypted (using a different key).
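
The symmetric-key authentication of slides 15 to 17, as an added Python example not taken from the lecture notes: R recomputes PRF(shared key, ID_I, X, Y, C_I, C_R) over the values it actually holds, and the check fails when a man in the middle substitutes X or when an old tag is replayed against a fresh Y. HMAC-SHA256 stands in for keyed MD5; auth_tag, responder_accepts, the toy group p = 23, g = 5 and the pre-shared key are constructed.

```python
import hmac, hashlib, secrets

def prf(key, *fields):
    """Keyed PRF over length-prefixed fields. Assumption: HMAC-SHA256 rather than keyed MD5."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        data = f if isinstance(f, bytes) else str(f).encode()
        mac.update(len(data).to_bytes(2, "big") + data)
    return mac.digest()

def auth_tag(shared_key, id_i, X, Y, c_i, c_r):
    """Slide 15: I sends PRF(shared key, ID_I, X, Y, C_I, C_R) to R."""
    return prf(shared_key, id_i, X, Y, c_i, c_r)

def responder_accepts(shared_key, tag, id_i, X, Y, c_i, c_r):
    """R recomputes the tag over the X it received and the Y it chose, comparing in constant time."""
    return hmac.compare_digest(tag, auth_tag(shared_key, id_i, X, Y, c_i, c_r))

def scenario(p=23, g=5):
    """Toy group (constructed). Returns (honest run accepted, substituted X accepted, replayed tag accepted)."""
    shared_key = b"pre-configured shared key (constructed)"
    c_i, c_r = secrets.token_bytes(8), secrets.token_bytes(8)
    x, y = 6, 15
    X, Y = pow(g, x, p), pow(g, y, p)
    tag = auth_tag(shared_key, "I", X, Y, c_i, c_r)
    honest = responder_accepts(shared_key, tag, "I", X, Y, c_i, c_r)
    # A man in the middle who swaps in X' = g^z cannot recompute the tag without the shared key,
    # so R's check over the X it actually received fails (slide 17).
    X_sub = pow(g, 9, p)
    substituted = responder_accepts(shared_key, tag, "I", X_sub, Y, c_i, c_r)
    # The same tag replayed in a later run fails because R's fresh Y is bound into it (slide 15).
    Y_fresh = pow(g, 4, p)
    replayed = responder_accepts(shared_key, tag, "I", X, Y_fresh, c_i, c_r)
    return honest, substituted, replayed
```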

18 Authenticating based on asymmetric keys
Use digital signatures or public-key encryption.
Some people are against the use of digital signatures because of their nonrepudiation property (e.g., SKEME).
–If, during a key exchange between I and R, I is required to sign R’s identity, then this signature can be reused later by R for other purposes.
–If digital signatures are used in a key exchange protocol, then these signatures should not be used to sign the identities.
–Can we prevent R from inserting his identity in the information to be signed by I?

19 Acknowledgements
These lecture notes are based on
–M. S. Borella, “Methods and Protocols for Secure Key Negotiation Using IKE,” IEEE Network, pp , July/Aug.,
–N. Doraswamy and D. Harkins, IPSec, Prentice Hall,
–P. Karn and W. Simpson, “Photuris: Session-Key Management Protocol,” RFC 2522, March
–H. Krawczyk, “SKEME: A Versatile Secure Key Exchange Mechanism for Internet,” Proc. Internet Society Symposium on Network and Distributed System Security, Feb