real world authenticated key exchange
play

Real-World Authenticated Key Exchange Tibor Jager Paderborn - PowerPoint PPT Presentation

Nov 19, 2022 •223 likes •1.09k views

Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on Real-World Crypto and Privacy ibenik, Croatia June 17 th , 2019 Outline Security of the Diffie-Hellman Key Exchange Man-in-the-Middle attacks

  1. Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on Real-World Crypto and Privacy Šibenik, Croatia June 17 th , 2019

  2. Outline • Security of the Diffie-Hellman Key Exchange – Man-in-the-Middle attacks – Forward Security • TLS 1.3 – Overview – The cryptographic core of TLS 1.3 • Real-World Problems – Problems arising from backwards compatibility – Middleboxes and ETS • Further reading, open research problems 2

  3. Diffie-Hellman Key Exchange Public parameters: Group description (G,g,q) a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b t A t B k AB := t Ab k AB := t Ba 3

  4. Man-in-the-middle Attack on DH a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b a’ ß {0, …, q-1} t A t A ’ := g a’ t A ’ 4

  5. Man-in-the-middle Attack on DH a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b a’ ß {0, …, q-1} t A t A ’ := g a’ t A ’ t B ’ t B b’ ß {0, …, q-1} t B ’ := g b’ 5

  6. Man-in-the-middle Attack on DH a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b a’ ß {0, …, q-1} t A t A ’ := g a’ t A ’ t B ’ t B b’ ß {0, …, q-1} t B ’ := g b’ k AB’ = g ab’ k A’B = g a’b 6

  7. Man-in-the-middle Attack on DH a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b a’ ß {0, …, q-1} t A t A ’ := g a’ t A ’ t B ’ t B b’ ß {0, …, q-1} t B ’ := g b’ k AB’ = g ab’ k A’B = g a’b • This is an active attack • DH is provably secure against passive (”eavesdropping”) attacks 7

  8. Signed Diffie-Hellman Public parameters: (pk B , sk B ) ß SigKeyGen() Group description (G,g,q) (pk A , sk A ) ß SigKeyGen() pk A , pk B 8

  9. Signed Diffie-Hellman Public parameters: (pk B , sk B ) ß SigKeyGen() Group description (G,g,q) (pk A , sk A ) ß SigKeyGen() pk A , pk B a ß {0, …, q-1} t A := g a s A := Sign(sk A ,t A ) t A , s A 9

  10. Signed Diffie-Hellman Public parameters: (pk B , sk B ) ß SigKeyGen() Group description (G,g,q) (pk A , sk A ) ß SigKeyGen() pk A , pk B a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b s A := Sign(sk A ,t A ) s B := Sign(sk B ,t B ) t A , s A t B , s B 10

  11. Signed Diffie-Hellman Public parameters: (pk B , sk B ) ß SigKeyGen() Group description (G,g,q) (pk A , sk A ) ß SigKeyGen() pk A , pk B a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b s A := Sign(sk A ,t A ) s B := Sign(sk B ,t B ) t A , s A t B , s B If Vfy(pk A , t A , s A ) = TRUE then: If Vfy(pk B , t B , s B ) = TRUE then: k AB := t Ab k AB := t Ba 11

  12. Signed Diffie-Hellman Public parameters: (pk B , sk B ) ß SigKeyGen() Group description (G,g,q) (pk A , sk A ) ß SigKeyGen() pk A , pk B a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b s A := Sign(sk A ,t A ) s B := Sign(sk B ,t B ) t A , s A t B , s B If Vfy(pk A , t A , s A ) = TRUE then: If Vfy(pk B , t B , s B ) = TRUE then: k AB := t Ab k AB := t Ba Security of the signature scheme prevents the MITM attack 12

  13. Forward Security Objective: Make large-scale collection of encrypted data useless 13

  14. Forward Security Objective: Make large-scale collection of encrypted data useless Session 1 Session 3 Session 2 Session 4 with Alice with Charlie with Bob with Alice Time 14

  15. Forward Security Objective: Make large-scale collection of encrypted data useless Secret key Session 1 Session 3 Session 2 Session 4 with Alice with Charlie with Bob with Alice Time 15

  16. Forward Security Objective: Make large-scale collection of encrypted data useless Secret key Session 1 Session 3 Session 2 Session 4 with Alice with Charlie with Bob with Alice Time 16

  17. Forward Security Objective: Make large-scale collection of encrypted data useless Secret key Session 1 Session 3 Session 2 Session 4 with Alice with Charlie with Bob with Alice Time 17

  18. Forward Security Objective: Make large-scale collection of encrypted data useless Secret key Session 1 Session 3 Session 2 Session 4 with Alice with Charlie with Bob with Alice Time • Widely used : • Standard security goal of modern protocols 18

  19. Forward Security of Signed DH Public parameters: Group description (G,g,q) (pk A , sk A ) ß SigKeyGen() (pk B , sk B ) ß SigKeyGen() pk A , pk B a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b s A := Sign(sk A ,t A ) s B := Sign(sk B ,t B ) t A , s A t B , s B If Vfy(pk Alice , t A , s A ) = TRUE then: If Vfy(pk Bob , t B , s B ) = TRUE then: k AB := t Ab k AB := t Ba Forward secure (if ephemeral exponents are not stored) 19

  20. Are we done? • Signed DH is a beautiful protocol… – Clean and simple – Easy to implement and analyze – Forward Security • … but lacking features considered important in the real world, for instance: – How are public keys distributed? – No key confirmation – Fixed DH groups and signature schemes – Protocol for encryption of payload data not specified 20

  21. Are we done? • Signed DH is a beautiful protocol… – Clean and simple – Easy to implement and analyze – Forward Security • … but lacking features considered important in the real world, for instance: – How are public keys distributed? – No key confirmation – Fixed DH groups and signature schemes – Protocol for encryption of payload data not specified 21

  22. Are we done? • Signed DH is a beautiful protocol… – Clean and simple – Easy to implement and analyze Further issues: – Forward Security • How to deal with errors – Alert messages – Protocol spec. • … but lacking features considered important in • Interoperability the real world, for instance: – Message formats – How are public keys distributed? – Protocol headers • Possible extensions – No key confirmation • Implementational issues – Fixed DH groups and signature schemes • … – Protocol for encryption of payload data not specified 22

  23. Outline • Security of the Diffie-Hellman Key Exchange – Man-in-the-Middle attacks – Forward Security • TLS 1.3 – Overview – The cryptographic core of TLS 1.3 • Real-World Problems – Problems arising from backwards compatibility – Middleboxes and ETS • Further reading, open research problems 23

  24. Transport Layer Security (TLS) Client Server http, smtp, imap, Application Application pop3, ftp, sip, … Transport Transport TLS Network Network Link Link Physical communication Goal: provide confidential , authenticated , integrity-protected channel 24

  25. Transport Layer Security (TLS) Client Server http, smtp, imap, Application Application pop3, ftp, sip, … Transport Transport TLS Network Network Link Link Network communication Goal: provide confidential , authenticated , integrity-protected channel 25

  26. TLS vs. SSL 2006 2008 2018 1994 1995 1999 SSL 1.0 and 2.0 TLS 1.0 (=SSL 3.1) TLS 1.3 (Netscape) TLS 1.1 (IETF standard) TLS 1.2 SSL 3.0 (Netscape & Microsoft PCT) 26

  27. Use of SSL/TLS Versions in Practice June 2019 27 https://www.ssllabs.com/ssl-pulse/

  28. Use of SSL/TLS Versions in Practice June 2019 Standardized in 1999! 28 https://www.ssllabs.com/ssl-pulse/

  29. Use of SSL/TLS Versions in Practice June 2019 Standardized in 1999! Security protocols have an extremely long life time 29 https://www.ssllabs.com/ssl-pulse/

  30. TLS Sessions: Handshake + Record Layer Encryption Server Client 1. Handshake Handshake: • Negotiation of cryptographic algorithms (KE, Sig., Cipher Suite ) • Authentication of comm. partners • Establishment of session key k 30

  31. TLS Sessions: Handshake + Record Layer Encryption Server Client 1. Handshake 2. Record Layer Handshake: Record Layer Encryption: • Negotiation of cryptographic • Data encryption and algorithms (KE, Sig., Cipher Suite ) authentication using key k • Authentication of comm. partners • Establishment of session key k 31

  32. The Cryptographic Core of the The Cryptographic Core of the TLS 1.3 Handshake TLS 1.3 Handshake Optional Server S pk Client pk C Server S pk Client 35 32

  33. The Cryptographic Core of the The Cryptographic Core of the TLS 1.3 Handshake TLS 1.3 Handshake Server S pk Client Server S pk Client 35 33

  34. The Cryptographic Core of the TLS 1.3 Handshake Server S pk ClientHello: Client • Supported cipher suites, sigs, (DH groups) • Client random r C • Diffie-Hellman share g c 34

  35. The Cryptographic Core of the TLS 1.3 Handshake Server S pk ClientHello: Client • Supported cipher suites, sigs, (DH groups) • Client random r C • Diffie-Hellman share g c ServerHello: • Selected Cipher Suite • Server random r S • Diffie-Hellman share g s 35

  36. The Cryptographic Core of the TLS 1.3 Handshake Server S pk ClientHello: Client • Supported cipher suites, sigs, (DH groups) • Client random r C • Diffie-Hellman share g c ServerHello: • Selected Cipher Suite • Server random r S • Diffie-Hellman share g s Replaced with HelloRetryRequest , if necessary 36

  37. The Cryptographic Core of the TLS 1.3 Handshake Server S pk ClientHello: Client • Supported cipher suites, sigs, (DH groups) • Client random r C • Diffie-Hellman share g c ServerHello: k = KDF(g cs , r C , r S ) • Selected Cipher Suite k = KDF(g cs , r C , r S ) • Server random r S k’ = KDF’(g cs , r C , r S ) k’ = KDF’(g cs , r C , r S ) • Diffie-Hellman share g s 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup erieure Game-based Security 2 Universal

927 views • 10 slides
AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated

AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated

Understanding and Constructing AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated key exchange Motivations & our contributions AKE 2-key KEM AKE in a post quantum world

821 views • 36 slides
CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1

CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1

Diffie-Hellman key exchange Secure against passive eavesdropping but insecure against a man-in-the-middle attack CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1 2 Adding key

492 views • 5 slides
Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai Ding Michael Snook zgr Dagdelen DIMACS Workshop on the Mathematics of

339 views • 33 slides
To truly know the world, look deeply within your own being; to truly know yourself, take real

To truly know the world, look deeply within your own being; to truly know yourself, take real

To truly know the world, look deeply within your own being; to truly know yourself, take real interest in the world. Rudolf Steiner INFO Waldorf Exchange Seasonal Program by Adazi Free Waldorf School this summer provides well-rounded, healthy

493 views • 32 slides
Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk, Sebastian Lauer Ruhr-University Bochum Classical Key Exchange Setting m1 Bob Alice m2 skA skB pkB pkA mq-1 mq derive K derive K 2

185 views • 18 slides
Hot Spaces How to Pack More Valuable Human Exchange into Real World Marketplaces Hot Spaces

Hot Spaces How to Pack More Valuable Human Exchange into Real World Marketplaces Hot Spaces

Hot Spaces How to Pack More Valuable Human Exchange into Real World Marketplaces Hot Spaces How to Pack More Valuable Human Exchange into Real World Marketplaces Def. Hot: In the Marshall McLuhan sense rich. Def. Marketplace: Where

336 views • 17 slides
Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben Hamouda Olivier Blazy Cline Chevalier David Pointcheval Damien Vergnaud Horst Grtz Institute for IT Security / Ruhr-University Bochum ENS /

914 views • 45 slides
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David

319 views • 14 slides
The low-call diet: Authenticated Encryption for call counting HSM users Gaven J. Watson

The low-call diet: Authenticated Encryption for call counting HSM users Gaven J. Watson

The low-call diet: Authenticated Encryption for call counting HSM users Gaven J. Watson University of Bristol Joint work with: Mike Bond (Cryptomathic), George French (Barclays Bank Plc) and Nigel P. Smart (UoB) Real World Cryptography

1.23k views • 104 slides
Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier Chevassut Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Key Agreement and

299 views • 19 slides
XML in the real world XML in the real world XML agentzh ( )

XML in the real world XML in the real world XML agentzh ( )

XML in the real world XML in the real world XML agentzh ( ) 2006.10 RSS is cool ! RSS RSS Really Simple Syndication Tired of checking your favorite news and blogs sites everyday?

786 views • 75 slides
IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based Authenticated Key Exchange Authenticated Key Exchange Dario Catalano David Pointcheval Password-based CNRS-ENS France Authenticated Key

291 views • 5 slides
ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION:

ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION:

ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION: THE NEED FOR A STANDARDIZED AUTHENTICATION SCHEME IN Q.731.3 CALLING LINE IDENTIFICATION PRESENTATION Huahong Tu, Adam Doup, Ziming Zhao, and

388 views • 36 slides
ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION:

ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION:

ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION: THE NEED FOR A STANDARDIZED AUTHENTICATION SCHEME IN Q.731.3 CALLING LINE IDENTIFICATION PRESENTATION Huahong Tu, Adam Doup, Ziming Zhao, and

721 views • 35 slides
Introduction Application Layer Transport Layer Network Layer Remote Procedure Calls 2 Basic

Introduction Application Layer Transport Layer Network Layer Remote Procedure Calls 2 Basic

Networking CS 4410 Operating Systems [R. Agarwal, L. Alvisi, A. Bracy, M. George, Kurose, Ross, E. Sirer, R. Van Renesse] Introduction Application Layer Transport Layer Network Layer Remote Procedure Calls 2 Basic Network Abstraction

1.55k views • 150 slides
EECS 373 Im not Prabal Design of Microprocessor-Based Systems You probably noticed

EECS 373 Im not Prabal Design of Microprocessor-Based Systems You probably noticed

Announcements EECS 373 Im not Prabal Design of Microprocessor-Based Systems You probably noticed Homework 1 is due No office hours this week Branden Ghena University of Michigan Projects Continue thinking about them

369 views • 5 slides
Toward Integration of Policies into DSMLs Frank Hernandez Peter J. Clarke Motivation Take a

Toward Integration of Policies into DSMLs Frank Hernandez Peter J. Clarke Motivation Take a

Toward Integration of Policies into DSMLs Frank Hernandez Peter J. Clarke Motivation Take a Domain-Specific Modeling Language (DSML). Take an Event-Condition-Action (ECA) Policy language ( feature ) not previously foreseen during the

405 views • 29 slides
LLD from a users perspective Peter Smith, Linaro Introduction and assumptions What we

LLD from a users perspective Peter Smith, Linaro Introduction and assumptions What we

LLD from a users perspective Peter Smith, Linaro Introduction and assumptions What we are covering Today What is lld and why might I want to use it? How to build and use lld as a substitute for GNU ld or Gold. What can

268 views • 22 slides
Parallel Programming Patterns Overview and Concepts Funding Partners bioexcel.eu Reusing this

Parallel Programming Patterns Overview and Concepts Funding Partners bioexcel.eu Reusing this

Parallel Programming Patterns Overview and Concepts Funding Partners bioexcel.eu Reusing this material This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License.

358 views • 23 slides
5. Examples for MAS MAS are often used in the following application areas: Internet/E-commerce

5. Examples for MAS MAS are often used in the following application areas: Internet/E-commerce

5. Examples for MAS MAS are often used in the following application areas: Internet/E-commerce Surveillance of objects / Distributed Sensing Groups of robots working together Manufacturing Transportation Multi-Agent Systems

394 views • 27 slides
Key Establishment Chester Rebeiro IIT Madras CR Stinson : Chapter 10 Multi Party secure

Key Establishment Chester Rebeiro IIT Madras CR Stinson : Chapter 10 Multi Party secure

Key Establishment Chester Rebeiro IIT Madras CR Stinson : Chapter 10 Multi Party secure communication C D A B E F N parties want to communicate securely with each other (N=6 in this figure) If U sends a message to V (U V

771 views • 54 slides
Assessing the Performance of Multi- Layer Path Computation Algorithms for different PCE

Assessing the Performance of Multi- Layer Path Computation Algorithms for different PCE

Assessing the Performance of Multi- Layer Path Computation Algorithms for different PCE Architectures, Anaheim, 2013, March 20 th , S. Martinez, V. Lpez, M. Chamania, . Gonzlez de Dios, A. Jukan and J. P. Fernndez-Palacios 0

607 views • 23 slides

More recommend