Key Exchange Protocols

J. Mitchell

CS 259

Next few lectures

Today 1/17• Brief cryptography background• Key exchange protocols and properties

Thursday 1/19• Wireless security: 802.11i• Choose your project partner

Next Tues 1/24• Password authentication protocols

Next Thurs 1/26• Contract-signing protocols

Project presentation #1 2/2

Talk about protocols for a while before looking at more tools

Encryption scheme:• functions to encrypt, decrypt data • key generation algorithm

Secret key vs. public key• Public key: publishing key does not reveal key-1

• Secret key: more efficient, generally key = key-1

Hash function, MAC• Map input to short hash; ideally, no collisions• MAC (keyed hash) used for message integrity

Signature scheme• Functions to sign data, verify signature

Basic Concepts in Cryptography

Cryptosystem

A cryptosystem consists of five parts• A set P of plaintexts• A set C of ciphertexts• A set K of keys• A pair of functions encrypt: K P C decrypt: K C P such that for every key kK and plaintext pP decrypt(k, encrypt(k, p)) = p

What is a “secure” cryptosystem?

One idea• If enemy intercepts ciphertext, cannot recover plaintext

Issues in making this precise• What else might your enemy know?

– The kind of encryption function you are using– Some plaintext-ciphertext pairs from last year– Some information about how you choose keys

• What do we mean by “cannot recover plaintext” ?– Ciphertext contains no information about plaintext– No efficient computation could make a reasonable guess– Cannot use ciphertext for any nontrivial purpose

Passive Adversary

Challenger Attacker

m0, m1

E(mi)

guess 0 or 1

Chosen ciphertext CCA1

Challenger Attacker

m0, m1

E(mi)

guess 0 or 1

c

D(c)

Chosen ciphertext CCA2

Challenger Attacker

m0, m1

E(mi)

guess 0 or 1

c

D(c)

c E(mi)

D(c)

Different keys to encrypt and decrypt• encrypt(key, message)

• decrypt(key -1, encrypt(key, message)) = message

Encryption key does not help decrypt• Cannot compute m from encrypt(key, m) and

key, unless you have key-1

Public-key Cryptosystem

key pair

Example: RSA

Arithmetic modulo pq• Generate secret primes p, q • Generate secret numbers a, b with xab x mod pq

Public encryption key n, a• Encrypt(n, a, x) = xa mod n

Private decryption key n, b• Decrypt(n, b, y) = yb mod n

Main properties• This works• Cannot compute b from n,a

– Apparently, need to factor n = pq

n

Cryptographic hash functions

Length-reducing function h • Map arbitrary strings to strings of fixed length

One way (“preimage resistance”)• Given y, hard to find x with h(x)=y

Collision resistant• Hard to find any distinct m, m’ with h(m)=h(m’)

Also useful: 2nd preimage resistance• Given x and y=h(x) hard to find x’x with

h(x’)=h(x)• Collision resistance 2nd preimage resistance

Iterated hash functions

Repeat use of block cipher or custom function• Pad input to some multiple of block length• Iterate a length-reducing function f

– f : 22k -> 2k reduces bits by 2

– Repeat h0= some seed

hi+1 = f(hi, xi)

• Some final function g completes calculation

Pad to x=x1x2 …xk

f

g

xi

f(xi-1)

x

Applications of one-way hash

Password files (one way)

Digital signatures (collision resistant)

• Sign hash of message instead of entire message

Data integrity• Compute and store hash of some data• Check later by recomputing hash and comparing

Keyed hash for message authentication• MAC – Message Authentication Code

Digital Signatures

Public-key encryption• Alice publishes encryption key• Anyone can send encrypted message• Only Alice can decrypt messages with this

key

Digital signature scheme• Alice publishes key for verifying signatures• Anyone can check a message signed by

Alice• Only Alice can send signed messages

Properties of signatures

Functions to sign and verify• Sign(Key-1, message)

• Verify(Key, x, m) =

Resists forgery• Cannot compute Sign(Key-1, m) from m and Key• Resists existential forgery:

given Key, cannot produce Sign(Key-1, m) for any random or otherwise arbitrary m

true if x = Sign(Key-1, m)false otherwise

Encryption scheme:• functions to encrypt, decrypt data • key generation algorithm

Secret key vs. public key• Public key: publishing key does not reveal key-1

• Secret key: more efficient, generally key = key-1

Hash function, MAC• Map input to short hash; ideally, no collisions• MAC (keyed hash) used for message integrity

Signature scheme• Functions to sign data, verify signature

Basic Concepts in Cryptography

Key Management

Out of band• Can set up some keys this way (Kerberos)

Public-key infrastructure (PKI)• Leverage small # of public signing keys

Protocols for session keys• Generate short-lived session key• Avoid extended use of important secret• Don’t use same key for encryption and signing• Forward secrecy

Cryptography reduces many problems to key management

Key Distribution: Kerberos Idea

Client

KeyCenter

Server

Shared symmetric key Kc

Shared symmetric key Ks

{Kcs, {Kcs}Ks}Kc

{Kcs}Ks { msg }

Kcs

Key Center generates session key Kcs and distributes using shared long-term keys

Public-Key Infrastructure

Certificate Authority

Client Server

Known public signature verification key Ka

Sign(Ka, Ks), Sign(Ks, msg)

CertificateSign(Ka, Ks)

Ks

Server certificate can be verified by any client that has CA key Ka

Certificate authority is “off line”

Key Exchange

Parties may have initial information Generate and agree on session key

• Authentication – know ID of other party• Secrecy – key not known to any others• Avoid replay attack• Forward secrecy• Avoid denial of service• Identity protection – disclosure to others• Other properties you can think of???

Diffie-Hellman Key Exchange

Assume finite group G = S, • Generator g so every xS is x = gn

• Example: integers modulo prime p Protocol

ga mod p

gb mod p

A B

Alice, Bob share gab mod p not known to anyone else

Diffie-Hellman Key Exchange

Authentication?Secrecy?Replay attackForward secrecy?Denial of service?Identity protection?

ga mod p

gb mod p

A B

IKE subprotocol from IPSEC

A, (ga mod p)

B, (gb mod p)

Result: A and B share secret gab mod p

Signatures provide authentication, as long as signature verification keys are known

A B

m1

m2 ,

signB(m1,m2)

signA(m1,m2)

IPSec: Network Layer Security

Authentication Header (AH)• Access control and authenticate data origins• replay protection• No confidentiality

Encapsulated Secure Payload (ESP)• Encryption and/or authentication

Internet Key management (IKE)• Determine and distribute secret keys • Oakley + ISAKMP• Algorithm independent

Security policy database (SPD)• discarded, or bypass

IKE: Many modes

Main mode• Authentication by pre-shared keys• Auth with digital signatures• Auth with public-key encryption• Auth with revised public-key encryption

Quick mode• Compress number of messages• Also four authentication options

Aug 2001 Position Statement

In the several years since the standardization of the IPSEC protocols (ESP, AH, and ISAKMP/IKE), … several security problems…, most notably IKE.

Formal and semi-formal analyses by Meadows, Schneier et al, and Simpson, have shown … security problems in IKE stem directly from its complexity.

It seems … only a matter of time before serious *implementation* problems become apparent, again due to the complex nature of the protocol, and the complex implementation that must surely follow.

The Security Area Directors have asked the IPSEC working group to come up with a replacement for IKE.

How to study complex protocol

General Problem in Security

Divide-and-conquer is fundamental• Decompose system requirements into parts• Develop independent software modules• Combine modules to produce required

system

Common belief:• Security properties do not compose

Difficult system development problem

Example protocol

Protocol P1

A B : {message}KB

A B : KA-1

This satisfies basic requirements• Message is transmitted under encryption

• Revealing secret key KA-1 does not reveal message

Similar protocol

Protocol P2

B A : {message’}KA

B A : KB-1

Transmits msg securely from B to A• Message is transmitted under encryption

• Revealing secret key KB-1 does not reveal message

Composition P1; P2

Sequential composition of two protocols

A B : {message}KB

A B : KA-1

B A : {message’}KA

B B : KB-1

Definitely not secure• Eavesdropper learns both keys, decrypts

messages

STS family

m=gx, n=gy

k=gxy

STS0H

STSa STSaH

STSHSTS

STS0

STSPH

JFK1

distributecertificates

cookie

openresponder

JFK0

symmetrichash

JFK

protect identities

RFK

STSP

Example

Construct protocol with properties:• Shared secret • Authenticated• Identity Protection• DoS Protection

Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

Component 1

Diffie-Hellman A B: ga

B A: gb

• Shared secret (with someone)– A deduces:

Knows(Y, gab) (Y = A) ۷ Knows(Y,b)

• Authenticated• Identity Protection• DoS Protection

Component 2

Challenge Response: A B: m, A B A: n, sigB {m, n, A}

A B: sigA {m, n, B}

• Shared secret (with someone)• Authenticated

– A deduces: Received (B, msg1) Λ Sent (B, msg2)

• Identity Protection• DoS Protection

Composition

ISO 9798-3 protocol: A B: ga, A B A: gb, sigB {ga, gb, A}

A B: sigA {ga, gb, B}

• Shared secret: gab• Authenticated• Identity Protection• DoS Protection

m := ga

n := gb

Refinement

Encrypt signatures: A B: ga, A B A: gb, EK {sigB {ga, gb, A}}

A B: EK {sigA {ga, gb, B}}

• Shared secret: gab• Authenticated• Identity Protection• DoS Protection

Transformation

Use cookie: JFK core protocolA B: ga, A

B A: gb, hashKB {gb, ga}

A B: ga, gb, hashKB {gb, ga}

EK {sigA {ga, gb, B}}

B A: gb, EK {sigB {ga, gb, A}}

• Shared secret: gab• Authenticated• Identity Protection• DoS Protection

(Here B must store b in step 2, but we’ll fix this later…)

Cookie transformation

Typical protocol• Client sends request to server• Server sets up connection, responds• Client may complete session or not (DOS)

Cookie version• Client sends request to server• Server sends hashed data back

– Send message #2 later after client confirms

• Client confirms by returning hashed data• Need extra step to send postponed message

Cookie in JFK

Protocol susceptible to DOS A B: ga, A B A: gb, EK {sigB {ga, gb, A}}

A B: EK {sigA {ga, gb, B}}

Use cookie: JFK core protocolA B: ga, A

B A: gb, hashKB {gb, ga}

A B: ga, gb, hashKB {gb, ga}, eh2

B A: gb, eh1

eh1

eh2

Efficiency: Reuse D-H key

Costly to compute ga, gb, gab

Solution• Keep medium-term ga, gb (change ~10 min)

• Replace ga by pair ga, nonce JFKi, JFKr protocols (except cert or grpinfo, …)

A B: Na, ga, A B A: Nb, gb, hashKB {Nb, Na, gb, ga}

A B: Na, Nb, ga, gb, hashKB {Nb, Na, gb, ga},

EK {sigA {Na, Nb, ga, gb, B}}

B A: gb, EK {sigB {Na, Nb, ga, gb, A}}Note: B does not need to store any short-term data in step 2

Conclusion

Many protocol properties• Authentication Secrecy• Prevent replay Forward secrecy• Denial of service Identity protection

Systematic understanding is possible• But be careful; easy to make mistakes• State of the art: need to analyze complete protocol

Block cipher modes (for DES, AES, …)

ECB – Electronic Code Book mode• Divide plaintext into blocks• Encrypt each block independently, with same key

CBC – Cipher Block Chaining• XOR each block with encryption of previous block• Use initialization vector IV for first block

OFB – Output Feedback Mode• Iterate encryption of IV to produce stream cipher

CFB – Cipher Feedback Mode• Output block yi = input xi encyrptK(yi-1)+

Electronic Code Book (ECB)

PlainPlain Text Text

t CipCiphe r Tex her T

Block Ciphe

r

Block Ciphe

r

Block Ciphe

r

Block Ciphe

r

Problem: Identical blocks encrypted identically No integrity check

Cipher Block Chaining (CBC)

PlainPlain Text Text

t CipCiphe r Tex her T

Block Ciphe

r

IV

Block Ciphe

r

Block Ciphe

r

Block Ciphe

r

Advantages: Identical blocks encrypted differently Last ciphertext block depends on entire input

Comparison (for AES, by Bart Preneel)

Similar plaintext blocks produce similar ciphertext (see outline

of head)No apparent pattern