Presentation is loading. Please wait.

Presentation is loading. Please wait.

Key Establishment Protocols ~

Similar presentations


Presentation on theme: "Key Establishment Protocols ~"β€” Presentation transcript:

1 Key Establishment Protocols - 12.6 ~ 12.9 -
Seunggyu BYEON

2 Contents 12.6 Key agreement based on asymmetric techniques
12.7 Secret sharing 12.8 Conference keying 12.9 Analysis of key establishment protocols

3 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (i) Basic version of Diffie-Hellman key agreement (Exponential key exchange) The first practical solution to the key distribution problem Allowing two parties, never having met in advance or shared keying material To establish a shared secret by exchanging messages over an open channel

4 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (i) Diffie-Hellman key agreement (Exponential key exchange) Alice Bob 𝑝=23, 𝛼=5 𝐴= 5 6 π‘šπ‘œπ‘‘ 23 𝐡= π‘šπ‘œπ‘‘ 23 𝐴=8 𝐡=19 𝐾= π‘šπ‘œπ‘‘ 23 𝐾= π‘šπ‘œπ‘‘ 23 𝐾=2 π‘₯=6 𝑦=15 𝛼 π‘₯ 𝛼 𝑦 1. One-time Setup 3. (a)(b) random π‘₯ and 𝑦 and sends 𝛼 π‘₯ and 𝛼 𝑦 2. Protocol Message Aοƒ B : 𝛼 π‘₯ 3. (c)(d) receives 𝛼 𝑦 and 𝛼 π‘₯ and shares 𝛼 𝑦 π‘₯ = 𝛼 π‘₯ 𝑦

5 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (i) Diffie-Hellman key agreement (Exponential key exchange) 12.48 Note. Time-invariant Nature 12.49 Remark.

6 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (i) Diffie-Hellman key agreement (Exponential key exchange)

7 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (i) Diffie-Hellman key agreement (Exponential key exchange) 12.50 Note. Vulnerableness to not authenticated exponentials Alice Bob 𝑝=23, 𝛼=5 1. One-time Setup π‘₯=6 𝑦=15 𝑝=π‘…π‘ž+1 3. (a)(b) Choose random π‘₯ and 𝑦 and sends 𝛼 π‘₯ and 𝛼 𝑦 𝐴= 5 6 π‘šπ‘œπ‘‘ 23 𝛼 π‘ž = 𝛼 π‘βˆ’1 /𝑹(𝟐) 𝐡= π‘šπ‘œπ‘‘ 23 𝐴=8 𝛼 π‘₯ =8 𝛼 𝑦 =19 𝐡=19 2. Protocol Message Aοƒ B : 𝛼 π‘₯ 𝛼 π‘¦π‘ž 𝛼 π‘₯π‘ž 𝐾= π‘βˆ’ = βˆ’1 6 =1 𝐾= 8 π‘βˆ’ = βˆ’1 15 =βˆ’1 Β±1 Β±1 3. (c)(d) receives 𝛼 𝑦 and 𝛼 π‘₯ and shares 𝛼 π‘¦π‘ž π‘₯ = 𝛼 π‘₯π‘ž 𝑦 𝛼 π‘₯π‘¦π‘ž 𝛼 π‘₯π‘¦π‘ž

8 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (ii) ElGamal key agreement in one-pass (half-certificated Diffie-Hellman) Diffie-Hellman variant providing a one-pass protocol with unilateral key authentication More simply Diffie-Hellman key agreement wherein the public exponential of the recipient is fixed and has verifiable authenticity

9 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (ii) ElGamal key agreement in one-pass (half-certificated Diffie-Hellman) Alice Bob 1. One-time Setup random 𝑏 and 𝛼 𝑏 Included its public key 𝑝=23, 𝛼=5, 𝛼 𝑏 =19 𝑏=15 π‘₯=6 3. (a) A obtains B’s public key A choose a random integer π‘₯ sends 2 𝐴= 5 6 π‘šπ‘œπ‘‘ 23 𝐴=8 𝛼 π‘₯ 2. Protocol Message Aοƒ B : 𝛼 π‘₯ 𝐾= 𝛼 𝑏 6 π‘šπ‘œπ‘‘ 23 𝐾= π‘šπ‘œπ‘‘ 23 𝐾= π‘šπ‘œπ‘‘ 23 3. (a) 𝛼 𝑏 π‘₯ = (b) 𝛼 𝑏 π‘₯ 𝐾=2 𝐾=2

10 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (iii) MTI two-pass key agreement protocols As in ElGamal key agreement, A sends to B a single message, resulting in the shared key K B independently initiates an analogous protocol with A, resulting in the shared key K’ Each of A and B then computes k=KK’ mod p

11 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (iii) MTI two-pass key agreement protocols Alice Bob Alice Bob 𝑝, 𝛼, 𝛼 𝑏 = 𝑧 𝐡 1. One-time Setup random 𝑏 and 𝛼 𝑏 Included its public key 𝑝, 𝛼, 𝛼 π‘Ž = 𝑧 𝐴 π‘₯ 𝑏 π‘Ž 𝑦 3. (a) A obtains B’s public key A choose a random integer π‘₯ sends 2 𝛼 π‘₯ 2. Protocol Message Aοƒ B : 𝛼 π‘₯ 𝛼 𝑦 𝑧 𝐡 π‘₯ 𝛼 𝑏π‘₯ 𝛼 π‘Žπ‘¦ 𝑧 𝐴 𝑦 3. (a) 𝛼 𝑏 π‘₯ = (b) 𝛼 𝑏 π‘₯ 𝐾 𝐾 𝐾′ 𝐾′ = = 𝛼 π‘Žπ‘¦ 𝑧 𝐡 π‘₯ 𝛼 𝑏π‘₯ 𝑧 𝐴 𝑦 π’Œ=𝐾 𝐾 β€² π‘šπ‘œπ‘‘ 𝑝 = 𝛼 𝑏π‘₯+π‘Žπ‘¦

12 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (iii) MTI two-pass key agreement protocols

13 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (iii) MTI two-pass key agreement protocols – 12.54 Alice Charlie Bob 1. One-time Setup random 𝑏 and 𝛼 𝑏 Included its public key 𝑝, 𝛼, 𝛼 π‘Ž = 𝑧 𝐴 π‘₯ 𝑝, 𝛼, 𝛼 π‘Ž = 𝑧 𝑐 3. (a) A obtains B’s public key A choose a random integer π‘₯ and sends 𝑦 𝑝, 𝛼, 𝛼 𝑏 = 𝑧 𝐡 𝛼 π‘₯ Change Source Indication 𝛼 π‘₯ 2. Protocol Message Aοƒ B : 𝛼 π‘₯ 𝛼 𝑦 𝑧 𝐡 π‘₯ 𝛼 𝑦 𝑧 𝐴 𝑦 3. (a) 𝛼 𝑏 π‘₯ = (b) 𝛼 𝑏 π‘₯ 𝐾 𝐾 = 𝛼 π‘Žπ‘¦ 𝑧 𝐡 π‘₯ π’Œ=𝐾 𝐾 β€² π‘šπ‘œπ‘‘ 𝑝

14 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (iii) MTI two-pass key agreement protocols – 12.54 Alice Charlie Bob 1. One-time Setup random π‘Ž and 𝛼 π‘Ž Included its public key 𝑦 𝑝, 𝛼, 𝛼 π‘Ž = 𝑧 𝐴 𝑝, 𝛼, 𝛼 π‘Žπ‘’ = 𝑧 𝐢 3. (a) A obtains B’s public key A choose a random integer 𝑦 and sends 𝛼 𝑦 𝛼 𝑒𝑦 2. Protocol Message Bοƒ A : 𝛼 𝑦 𝐾 𝐾= 𝛼 π‘Žπ‘’π‘¦ 𝐾 believes that it’s shared with Bob believes that it’s shared with Charlie 3. (a) 𝛼 𝑏 π‘₯ = (b) 𝛼 𝑏 π‘₯ π’Œ= 𝛼 π‘Žπ‘’π‘¦+𝑏π‘₯

15 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (iii) MTI two-pass key agreement protocols 12.55 Remark 12.56 Remark.

16 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (iv) Station-to-Station Protocol (STS) the establishment of a shared secret key between two parties with mutual entity authentication and mutual explicit key authentication The protocol also facilitates anonymity – the identities of A and B may be protected from Eaves

17 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (iv) Station-to-Station Protocol (STS) Alice Bob 1. One-time Setup 𝑝=23, 𝛼=5 , 𝑒 𝐴 , 𝑛 𝐴 π‘Žπ‘›π‘‘ 𝑑 𝐴 π‘₯=6 𝑦=15 4. (a) A obtains B’s public key A choose a random integer π‘₯ sends B 𝐴= 5 6 π‘šπ‘œπ‘‘ 23 4. (b) computes 𝛼 𝑦 and signs the concatenates of both exp., encrypts it using the key 𝐴=8 3. Protocol Message Aοƒ B : 𝛼 π‘₯ AοƒŸB : 𝛼 𝑦 , 𝐸 π‘˜ 𝑆 𝐡 𝛼 𝑦 , 𝛼 π‘₯ Aοƒ B : 𝐸 π‘˜ 𝑆 𝐴 𝛼 π‘₯ , 𝛼 𝑦 𝛼 π‘₯ π‘˜= π‘šπ‘œπ‘‘ 23 𝛼 𝑦 = π‘šπ‘œπ‘‘ 23 =19 𝛼 𝑦 , 𝐸 π‘˜ 𝑆 𝐡 𝛼 𝑦 , 𝛼 π‘₯ 4. (c) computes the shared key, Decrypts the encrypted data, uses B’s public key to verify… π‘˜= π‘šπ‘œπ‘‘ 23 4. (d) Decrypts the encrypted data, uses A’s public key to verify… Verification of 𝑆 𝐡 𝐸 π‘˜ 𝑆 𝐴 𝛼 π‘₯ , 𝛼 𝑦 Verification of 𝑆 𝐴 4. (a) 𝛼 𝑏 π‘₯ = (b) 𝛼 𝑏 π‘₯ π‘˜=2 π‘˜=2

18 12.6 Key agreement based on asymmetric techniques
Diffie-Hellman and related key agreement protocols (iv) Station-to-Station Protocol (STS) 12.58 Remark

19 12.7 Secret Sharing 12.7 Secret Sharing γ„΄γ„·γ…Š

20 12.7.1 Simple shared control schemes
12.7 Secret Sharing Simple shared control schemes (i) Dual control by modular addition

21 12.7.1 Simple shared control schemes
12.7 Secret Sharing Simple shared control schemes (ii) Unanimous consent control by modular addition 12.68 Remark

22 12.7 Secret Sharing 12.7.2 Threshold schemes 12.69 Definition
12.70 Remark

23 12.7 Secret Sharing Threshold schemes Shamir’s threshold scheme

24 12.7.3 Generalized secret sharing

25 12.7.3 Generalized secret sharing

26 12.8 Conference keying Generalized secret sharing

27 12.7.3 Generalized secret sharing
12.8 Conference keying Generalized secret sharing Burmester-Desmedt conference keying protocol

28 12.7.3 Generalized secret sharing
12.8 Conference keying Generalized secret sharing Burmester-Desmedt conference keying protocol

29 12.7.3 Generalized secret sharing
12.8 Conference keying Generalized secret sharing Unconditionally secure conference keying

30 12.9 Analysis of key establishment protocols
Attack strategies and classic protocol flaws Attack 1: Intruder-in-the-middle

31 12.9 Analysis of key establishment protocols
Attack strategies and classic protocol flaws Attack 2: Reflection attack

32 12.9 Analysis of key establishment protocols
Attack strategies and classic protocol flaws Attack 3: Interleaving attack

33 12.9 Analysis of key establishment protocols
Attack strategies and classic protocol flaws Attack 4: Misplaced trust in server

34 12.9 Analysis of key establishment protocols
Analysis objectives and methpds Definition

35 12.9 Analysis of key establishment protocols
Analysis objectives and methpds Definition

36 I appreciate your deep interest


Download ppt "Key Establishment Protocols ~"

Similar presentations


Ads by Google