29
Cryptographic Protocols Lecture 11 Supakorn Kungpisdan [email protected] NETE4630 1

Cryptographic Protocols

Embed Size (px)

DESCRIPTION

Cryptographic Protocols. Lecture 11 Supakorn Kungpisdan [email protected]. Outlines. Authentication Key Exchange Secret Splitting Key Escrow. SKEY. SKEY relies on one-way function Alice enters a random number R to the computer - PowerPoint PPT Presentation

Citation preview

Page 1: Cryptographic Protocols

Cryptographic Protocols

Lecture 11

Supakorn [email protected]

NETE4630 1

Page 2: Cryptographic Protocols

Outlines

• Authentication • Key Exchange• Secret Splitting• Key Escrow

NETE4630 2

Page 3: Cryptographic Protocols

SKEY• SKEY relies on one-way function1.Alice enters a random number R to the

computer2.Computer computes f(R), f(f(R)), f(f(f(R))),

and so on, about 100 times– Called X1, x2, …, x100

3.The computer prints out the list of x1 to x100 to Alice. It also computes x101 and store in DB associated with Alice’s name, and removes x1 to x100 from the system

NETE4630 3

Page 4: Cryptographic Protocols

SKEY (cont.)

4. Alice first enter her name and x100. The computer calculates f(x100) and compares with x101

5. Then the computer replaces x101 with x100. Alice also erases x100 from her list

NETE4630 4

Page 5: Cryptographic Protocols

SKID2• SKID2 and SKID3 are symmetric identification

protocol that uses MAC to provide security• In SKID2, assume that Alice and Bob share a

secret key K

Alice Bob: RA

Bob Alice: RB, HK(RA, RB, IDB)

RA and RB are random numbers generated by Alice and Bob, respectively

NETE4630 5

Page 6: Cryptographic Protocols

SKID3• Provide mutual authentication between

Alice and Bob

Alice Bob: RA

Bob Alice: RB, HK(RA, RB, IDB)

Alice Bob: HK(RB, IDA)

NETE4630 6

Page 7: Cryptographic Protocols

Outlines

• Authentication • Key Exchange• Secret Splitting• Key Escrow

NETE4630 7

Page 8: Cryptographic Protocols

Encrypted Key Exchange Protocol• Alice and Bob share a common password

P. Using this protocol, they can authenticate to each other and generate a common session key K

A B: A, EP(K’)

B A: EP(EK’ (K))

A B: EK(RA)

B A: EK(RA, RB)

A B: EK(RB)

NETE4630 8

Page 9: Cryptographic Protocols

Problems of Online Key Generation• A shared key has been used for various purposes:

– As authentication token– As a key for cryptographic operation e.g.

symmetric encryption or keyed-hash function.• However, a number of message passes must be

performed in order to generate a new session key.

• The more frequent the messages are passed, the higher chance it can be attacked

• Offline key distribution is preferred.• It also reduces frequency of secret key update

process.

NETE4630 9

Page 10: Cryptographic Protocols

Rubin’s Approach1. A client shares K with a bank.2. The client generates a token T, where

T = {fifty-dollars-book-Bob’s-store}K

3. The client sends T to the bank to authenticate herself to the bank.

4. The bank decrypts T to receive the information and verify the client.

• The value of T changes in every transaction depending on purchase details. However, the collision might occur.

NETE4630 10

Page 11: Cryptographic Protocols

Li et al.’s Approach1. A client and a bank share a long-term secret S

and initial token Tinit.

2. The client generates a token Tnew and sends it to authenticate herself to the bank, where

Tnew = h(Tcur, S)

3. The bank verifies Tnew from {Tinit, S}.

• Security of the system is based on the length of T and S and security of hash function.

NETE4630 11

Page 12: Cryptographic Protocols

Kungpisdan et al.’s Approach

1.A client and a bank share a long-term secret CCI. Also they shares a secret Y which has to be updated periodically.

2.The client generates Yi, i = 1,…,n.

Yi = h(i-bit-shift-of-(CCI,Y))

3. The client sends {Yi, i} to the bank. i is randomly chosen.

• Yi is then used as a key for encryption and MAC.

• As Yi is not sent in order, it is difficult to retrieve both Y and CCI.

NETE4630 12

Page 13: Cryptographic Protocols

Limited-Use Key Generation

{K1,…,Km}

Select KMid1 and KMid2

{SK1,…,SKn}

KAB, DK 1. Alice shares KAB with Bob. DK is distributed between them.

2. Alice generates the set of Ki, i=1,…,m from KAB and DK

3. Alice selects two preference keys from the set of Ki.

SIK, DK 4. Calculate SIK from KMid1 and KMid2.

5. Calculate SKj, j=1,…,n, from SIK and DK.

6. To update SKj, Alice returns to step 3.

NETE4630 13

Page 14: Cryptographic Protocols

Limited-Use Key Generation (cont.)

{K1,…,Km}

Select KMid1 and KMid2

{SK1,…,SKn}

KAB, DK

SIK, DK

K1 = h(DK, KAB)K2 = h(DK, K1)…Km = h(DK, Km-1)

- Generate a random number r- KMid1 = middle key of {K1,…,Kr}- KMid2 = middle key of {K1,…,KMid1}

SIK = h(KMid1, KMid2)

SK1 = h(SIK, DK)SK2 = h(SIK, SK1)…SKn = h(SIK, SKn-1)SK1, r

NETE4630 14

Page 15: Cryptographic Protocols

Session Key Generation

KK11 = h(DK, K = h(DK, KABAB))KK22 = h(DK, K = h(DK, K11))……KKmm = h(DK, K = h(DK, Km-1m-1))

SKSK11 = h(SIK, DK) = h(SIK, DK)SKSK22 = h(SIK, SK = h(SIK, SK11))……SKSKnn = h(SIK, SK = h(SIK, SKn-1n-1))

NETE4630 15

Page 16: Cryptographic Protocols

Session Key Update

• rmrm = size of set of = size of set of remaining remaining KKii

NETE4630 16

Page 17: Cryptographic Protocols

Outlines

• Authentication • Key Exchange• Secret Splitting• Key Escrow

NETE4630 17

Page 18: Cryptographic Protocols

Secret Splitting• Sometimes we need to keep our

information secret• You could tell company’s secret to the

most trusted employee, but what if he/she defects to the competition?

• Secret Splitting: take a message and divide it up into pieces. Each piece by itself means nothing, but put them together and the message appears

NETE4630 18

Page 19: Cryptographic Protocols

Secret Splitting – 2 people

1. Trent generates a random-bit string R, the same length as the message M.

2. Trent XORs M with R to generate S.M R = S

3. Trent gives R to Alice and S to Bob4. To construct the message, Alice and Bob has to

XOR their pieces together:R S = M

NETE4630 19

Page 20: Cryptographic Protocols

Secret Splitting – 4 people1. Trent generates 3 random strings, R, S, and T, the

same length as the message M2. Trent XORs M with the three strings to generate P

M R S T = U3. Trent gives R to Alice, S to Bob, T to Carol, and U to

Dave4. Alice, Bob, Carol, and Dave get together and

computeR S T U = M

• What happens if Carol is fired, and Trent is not around?

NETE4630 20

Page 21: Cryptographic Protocols

Secret Sharing

• What happens if any one of the people who holds secret is not around?

• Threshold scheme: take any message and divide it into n pieces, called shadows or shares, such that any m of them can be used to reconstruct the message

• This is called an (m, n)-threshold scheme

NETE4630 21

Page 22: Cryptographic Protocols

(m, n)-Threshold Scheme• Choose a prime p, which is larger then the number

of possible shadows and larger than the largest possible secret.

• To share a secret , generate an arbitrary polynomial of degree m-1.

• If you want to create a (3, n)-threshold scheme, generate a quadratic polynomial:

(ax2 + bx + M) mod p• a and b are chosen randomly. They are kept secret

and are discarded after the shadows are handed out. M is the message. p must be made public

NETE4630 22

Page 23: Cryptographic Protocols

(m, n)-Threshold Scheme (cont.)• The shadows are obtained by evaluating

the polynomial at n different points:ki = F(xi)

• Any three shadows can be used to create three equations

NETE4630 23

Page 24: Cryptographic Protocols

(m, n)-Threshold Scheme (cont.)• For example, M = 11. We want to construct (3,

5)-threshold scheme• Generate a quadratic equation (a =7, b = 8,

chosen randomly)F(x) = (7x2 + 8x + 11) mod 13

• The five shadows are:– K1 = F(1) = 7 + 8 + 1 0 (mod 13)

– K2 = F(2) = 28 + 16 + 1 3 (mod 13)

– K3 = F(3) = 63 + 24 + 1 7 (mod 13)

– K4 = F(4) = 112 + 32 + 1 12 (mod 13)

– K5 = F(5) = 175 + 40 + 1 5 (mod 13)

NETE4630 24

Page 25: Cryptographic Protocols

(m, n)-Threshold Scheme (cont.)• To reconstruct M from 3 out of the

shadows, k2, k3, and k5 solve the set of linear equations:

a * 22 + b * 2 + M 3 (mod 13)a * 32 + b * 3 + M 7 (mod 13)a * 52 + b * 5 + M 5 (mod 13)

• The solution is a = 7, b = 8, and M = 11. So, M is recovered.

NETE4630 25

Page 26: Cryptographic Protocols

Outlines

• Authentication • Key Exchange• Secret Splitting• Key Escrow

NETE4630 26

Page 27: Cryptographic Protocols

Key Escrow1. Alice creates her private/public-key pair. She splits

the private key into several public and private pieces2. She sends a public piece and corresponding private

piece to each trustee in an encrypted form. She also sends the public key to KDC

3. Each trustee perform calculation on the received information to confirm that it is correct. Each trustee stores the private piece somewhere secure and sends the public piece to KDC

4. KDC performs the calculation on the public pieces and the public key. If everything is correct, it signs the public key and returns the signed public key to Alice

NETE4630 27

Page 28: Cryptographic Protocols

Fair DH (5 trustees)

• In basic DH, a group of users share a prime p, and a generator g. Alice’s private key is s, and her public key is t = gs mod p

1. Alice chooses five intergers s1, s2, s3, s4, and s5, each less than p-1. Alice’s private key is

s = (s1 + s2 + s3 + s4 + s5) mod p-1

Alice’s public key is: t = gs mod pAlice also computes

ti = gsi mod p, for i = 1 to 5.

Alice’s public key shares are ti and private key share are si

NETE4630 28

Page 29: Cryptographic Protocols

Fair DH(cont.)2. Alice sends a private key piece and corresponding

public key piece to each trustee.– Send s1 and t1 to trustee 1, and send t to KDC

3. Each trustee verifies thatti = gsi mod p

If so, the trustee signs ti and sends it to KDC. The trustee stores si in a secure place.

4. After receiving all five public pieces, KDC verifies that

t = (t1 * t2 * t3 * t4 * t5) mod p

If so, KDC approves the public key.

NETE4630 29