Presentation is loading. Please wait.

Presentation is loading. Please wait.

Recent developments in group key exchange

Published byΧαράλαμπος Ελευθερίου Modified over 6 years ago

Similar presentations

Presentation on theme: "Recent developments in group key exchange"— Presentation transcript:

1 Recent developments in group key exchange
Mike Burmester Information Security Summer School 2005 Florida State University

2 Outline 1. Secure Communication 2. Key Distribution
the Diffie-Hellman protocol variants, attacks authentication conference protocols 3. Public Key Certificates trust-graphs hierarchical vs horizontal structures security 4. Conclusion

3 1. Secure Communication Security issues authenticity privacy
message Sender (Alice) Receiver (Bob) Adversary Security issues authenticity privacy denial of service, etc.

4 Symmetric keys (privacy)
Bob Alice plaintext ciphertext plaintext private channel E D SK SK Security issue How to distribute the secret key SK

5 Public Keys (privacy) E D Alice Bob Authentication channel f
plaintext ciphertext plaintext E D SKB PKB Authentication channel f Security issues It should be hard to compute SKB from PKB How do we distribute PKB

6 Public Keys (digital signatures)
Bob Alice m, sigSKA m a m or r S V SKA Authentication channel PKA f Security issues It should be hard to compute SKA from PKA How to distribute PKA

7 2. Key Exchange protocols
the Diffie-Hellman protocol Zp = {0,1,…,p-1}, p prime, g a generator of Zp* Alice’s Public Key gsa: 0 < sa< p-1, private key sa Bob’s Public Key gsb: < sa< p-1, private key sb gsa mod p Alice Bob gsb mod p Key Exchanged: SK = gsasb mod p

8 Security Freshness of keys It should be hard to compute SK from PK.
If the same key is used many times then the security of the system may be undermined.

9 What if 3 or more parties want to sha re a common secret key?
Use DH to get: SKAB , SKBD , SKBE , SKAC , SKCF . K/SKAB K/SKAC B C .A selects the secret key K at random from Zp*. K/SKBD .A sends K/SKAB to B and K/SKAC to C. D E F 4. B gets K from K /SKAB and sends K/SKAC to D, etc.

10 – contributory schemes
Group Key Exchange – contributory schemes U2 U3 U1 Round 1: Use DH Ui broadcasts zi = gri Un Un-1

11 Group Key Exchange U2 U3 K23 Ki2 … Round 1: U1 Kn-1n Un Knn-1 … Un-1
Each Ui computes the DH key: Ki = gri ri+1 U1 Kn-1n Un Knn-1 Un-1

12 Group Key Exchange U2 U3 K23 Ki2 … Round 1: end U1 But how???? Kn-1n
K = K1K2 … Kn Where Ki = Ki,i+1 But how???? U1 Kn-1n Un Knn-1 Un-1

13 Group Key Exchange U2 U3 K2 Ki … Round 2: Ui broadcasts U1
xi = Ki/Ki-1 U1 Kn Un Kn-1 Un-1

14 Group Key Exchange U2 U3 K2 Ki … U1 Kn Round 2: Each Ui computes
the key: K = Ki-1n zin-1 zi+1n-2 … zi-2 = Ki-1n (Ki/Ki-1)n-1(Ki+1/Ki)n-2… (Ki-1/Ki-2) Un Kn-1 Un-1

15 Authentication 1 How does Alice know that the “shared”
secret key has been distributed to all the parties in the conference?

16 Group Key Exchange – authentication
Each Ui authenticates (digitally signs) its randomness ri its zi and xi and after checking them authenticates the string: {Ui}|| {ri} || {zi} || {xi}

17 Authentication 2 How can Alice be certain which key is Bob’s public key? 1. They may have met earlier and exchanged public keys. 2. They may have mutual friends who know their public keys: Alice Carol Bob, or Alice Carol Bob Case 1 establishes an a priori trust relationship Case 2 establishes an induced trust relationship

18 3. Public Key Certificates
Who is who? PK CERTIFICATE The public key of Bob is: ….. Signed by a Certifying Authority A PK Certificate establishes authenticity and provides a means by which a public key can be stored in partially insecure repositories, or transmitted over insecure channels.

19 Trust-graphs A B C D E F Certificates can be used to
Model the confidence of a network in its public keys by a directed trust-graph, with vertices the entities and edges the certificates. CAB CAC B C CBD CBE CCF D E F

20 Trust-graphs A priori confidence: Induced confidence:
This is corroborated by the certificates. Induced confidence: This is established by trust-paths that link the entities in the trust-graph.

21 A hierarchical infrastructure
RCA CA2 CA1 U4 U3 U1 U2 The public key of U4 is certified by the trust-path: RCA CA U4

22 Security issues A hacker can penetrate a CA or its
computer system and forge certificates or get certificates for unauthorized users.

23 Threats 1. Whom should we trust (and for what)? 2. Which Bob is it?
3. Organizational (insider) attacks 4. Computer system threats: How secure is the computer system of the Certifying Authority? of Bob?

24 PGP: an unstructured approach
Pretty Good Privacy is a freeware electronic mail system that uses an unstructured authentication framework. Users are free to decide whom they trust. PGP does not specify any specific structure for the trust-graph and for this reason is quite vulnerable. A A An B

25 A horizontal approach: multiple connectivity
If the trust-graph is (2k+1)-connected then there are 2k+1 vertex disjoint trust-paths which connect any two of its vertices

26 A 3-connected trust-graph
B

27 Combining horizontal and hierarchical structures

28 Security A secure authentication infrastructure must be, reliable, robust and survivable. Reliability deals with faults that occur in a random manner, and is achieved by replication. Robustness deals with maliciously induced faults.

29 Survivability deals with the destruction of
parts of the infrastructure. The destruction may affect the entities (e.g. the CA’s) as well as stored data, and may be malicious. For survivability, the remaining entities should be able to recover enough of the infrastructure to guarantee secure communication.

30 Survivability Reconstruction of a corrupted trust-graph
Adversary faulty U U U Un A Entity A asks all its neighbors for a list of their neighbors, the neighbors of their neighbors, etc

31 Survivability Problem Some of the neighbors are under the control of
the Adversary and may send fake certificates, relating to other entities, real or bogus. Is it possible to reconstruct a sufficiently good approximation of the trust-graph?

32 Survivability Answer Yes, provided that there is a bound on the number
of penetrated or destroyed cites, and that the trust-graph is sufficiently connected.

33 Reconstructing a corrupted
trust-graph The reconstruction involves several stages. Round Robin flooding a Halting routine a Clean-up routine

34 Conclusion Secure key exchange can be achieved in
several ways by using cryptographic mechanisms. Clearly there is a trade off between the security requirements and the complexity.

35 Conclusion If the public keys are authenticated via single
trust paths then the system is vulnerable to any penetration. By having several vertex disjoint authentication paths linking the entities we get robustness against penetration and survivability.

Download ppt "Recent developments in group key exchange"

Similar presentations

A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.

Pairwise Key Agreement in Broadcasting Networks Ik Rae Jeong.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Cryptographic Security CS5204 – Operating Systems1.

Cryptographic Security CS5204 – Operating Systems1.
Trust and the Public Key Infrastructure (PKI) Sangyoon Oh Florida State University Computer Security Projects GS5891-01 Spring 2001.

Trust and the Public Key Infrastructure (PKI) Sangyoon Oh Florida State University Computer Security Projects GS Spring 2001.
Computer Security Key Management. Introduction We distinguish between a session key and a interchange key ( long term key ). The session key is associated.

Computer Security Key Management. Introduction We distinguish between a session key and a interchange key ( long term key ). The session key is associated.
Computer Security Key Management

Computer Security Key Management
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.

Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
MOBILE AD-HOC NETWORK(MANET) SECURITY VAMSI KRISHNA KANURI NAGA SWETHA DASARI RESHMA ARAVAPALLI.

MOBILE AD-HOC NETWORK(MANET) SECURITY VAMSI KRISHNA KANURI NAGA SWETHA DASARI RESHMA ARAVAPALLI.

Similar presentations

Ads by Google