Computer Security Cunsheng DING, HKUST COMP4631 Dr. Cunsheng DING - - PowerPoint PPT Presentation

▶

Mar 30, 2023 24 likes •181 views

Dr. Cunsheng DING Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631 Dr. Cunsheng DING Computer Security HKUST, Hong Kong Lecture 12: Key Distribution Protocols Outline of this Lecture 1.

SLIDE 1

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

Cunsheng DING, HKUST COMP4631

SLIDE 2

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

Lecture 12: Key Distribution Protocols

Outline of this Lecture

1. Merkel’s protocol.
2. The Needham-Schr¨
der protocol.
3. Shamir’s three-pass protocol.

Page 1 COMP4631

SLIDE 3

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

Secret Key Distribution with a PKC

Comments: Public key cryptosystems are usually not used for real encryption, as they are very slow. They are used for distributing secret keys of one-key ciphers and/or for signing messages. Question: How to use a PKC for distributing a secret key?

Page 2 COMP4631

SLIDE 4

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

Merkel’s Key Distribution Protocol

Scenario: A and B want to establish a session key.

1. A generates a key pair
k(A)

, k(A)

, and sends k(A)

||IDA to B, where IDA is an identifier of A.

2. B generates a secret key k, and sends Ek(A)

(k) to A.

3. A computes Dk(A)

Ek(A)

(k)

= k.
4. A discards
k(A)

, k(A)

, and B discards k(A)

.

Page 3 COMP4631

SLIDE 5

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

Merkel Key Distribution Protocol: Pictorial

✲ ✛

(1) k(A)

e

||IDA (2) Ek(A)

e (k)

B A

Comments: This protocol is vulnerable to an active attack. If an enemy E has control of the intervening communication channel, then E can “compromise” the communication without being detected. Question: What is the active attack?

Page 4 COMP4631

SLIDE 6

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

Active Attack on the Merkel Protocol

1. A generates a key pair
k(A)

, k(A)

, and sends k(A)

||IDA intended for B, where IDA is an identifier of A.

2. E intercepts the message, creates its own key pair
k(E)

, k(E)

, and

sends k(E)

||IDA to B.

3. B generates a secret key k, and sends Ek(E)

(k) (intended for A).

4. E intercepts the message, decrypts it to get k; then he computes and

sends Ek(A)

(k) to A. Comment: A and B are unaware that E has got k.

Page 5 COMP4631

SLIDE 7

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

The Intruder-in-the-Middle Attack: Pictorial

A B E

A

ID

(A)

e k

A

ID e k (E) Ek

e (E) (k)

Ek

e (k) (A)

(1) (3) (4) (2) Active attack on the Merkel Protocol attacker in the middle

Page 6 COMP4631

SLIDE 8

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

The Modified Needham-Schr¨

der Protocol

For both confidentiality and authentication: Assume that A and B have exchanged their public keys with some method. ❄ ✻ ❄

B Responder Initiator A (1) Ek(B)

[N1||IDA] (2) Ek(A)

[N1||N2] (3) Ek(B)

[N2||k]

Remarks: Nonce N1 is to identify this transaction uniquely.

Page 7 COMP4631

SLIDE 9

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

The Modified Needham-Schr¨

der Protocol
1. A sends Ek(B)

[N1||IDA] to B, where N1 is a nonce used to identify this transaction uniquely, and is generated by A.

2. B generates a new nonce N2, and sends Ek(A)

[N1||N2] to A. After decryption A gets N1, and is sure that the responder is B.

3. A selects a secret key k and sends Ek(B)

[N2||k] to B. (Encryption with B’s public key ensures confidentiality)

4. After decryption B gets N2 and k, and is sure that its correspondent is

A. Question: How does this protocol ensure both confidentiality and authenticity?

Page 8 COMP4631

SLIDE 10

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

Page 9 COMP4631

SLIDE 11

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

Page 10 COMP4631

SLIDE 12

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

Shamir’s Three-Pass Protocol

Objective: Alice wants to transfer a secret key k to Bob via a public communication channel. System Parameters:

A prime p is chosen so that the discrete logarithm problem mod p is
hard. p is a public knowledge.
Alice selects a random number a with gcd(a, p − 1) = 1. a−1 denotes

the inverse of a mod p − 1.

Bob selects a random number b with gcd(b, p − 1) = 1. b−1 denotes the

inverse of b mod p − 1.

Page 11 COMP4631

SLIDE 13

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

Shamir’s Three-Pass Protocol

First of all, Alice computes k1 = ka mod p.

1. Alice sends k1 = ka mod p to Bob.
2. Bob sends k2 = kb

1 mod p to Alice.

3. Alice sends k3 = ka−1

mod p to Bob. Finally, Bob computes k = kb−1

mod p. Question: Why k = kb−1

mod p?

Page 12 COMP4631

SLIDE 14

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

Why k = kb−1

3

mod p

By the definition of multiplicative inverse, a · a−1 = u1(p − 1) + 1, b · b−1 = u2(p − 1) + 1 If k = 0, it is obvious. If k = 0, by Fermat’s theorem kb−1

mod p = kaa−1bb−1 mod p = k[u1u2(p−1)+u1+u2](p−1)+1 mod p =

(k[u1u2(p−1)+u1+u2]))p−1 mod p
k mod p

= k mod p = k.

Page 13 COMP4631

SLIDE 15

❁

Dr. Cunsheng DING

HKUST, Hong Kong

Computer Security

The Security of the Protocol

1. Alice sends k1 = ka mod p to Bob.
2. Bob sends k2 = kb

1 mod p to Alice.

3. Alice sends k3 = ka−1

mod p to Bob. Security: security w.r.t. to passive attacks depends on the difficulty of solving the discrete logarithm problem. Not secure with respect to an active attack (the so-called intruder-in-the-middle attack).

Page 14 COMP4631