
6.857 Computer and Network Security                                November 12, 2002
Lecture Notes 19 : Key Establishment Methods
Lecturer: R. Rivest                                Scribe: Hamler/Hu/Lee/Sanchala

May be freely reproduced for educational or personal use.

1 Introduction

Today we discuss how to establish a shared secret key between two parties that establish secure communication over an untrusted network. The method used to establish a shared secret key must ensure that the key is "fresh", that is, the key is not a replay of a previous key, and "ephemeral", that is, it will go away after the session. This part of the process has many names, such as key establishment, key transport, key agreement, etc. In addition, the method also includes authentication, such that a party knows that the shared key is indeed shared with the desired counter-party.

2 Outline

• Sessions
• Challenge Response
• Kerberos
• RSA Transport
• Needham-Schroeder
• Diffie-Hellman
• Station-To-Station (STS)
• Identity Based Encryption (IBE)

Note: Rivest found an article on CNN news on-line regarding a new law in California where break-ins will have to be disclosed when they disclose confidential information. The following is an excerpt from the article describing the law:

    In April, 2002, hackers broke into the payroll database for the state of California. For more than a month, cybercriminals rooted around in the personal information of 265,000 Golden State employees, ranging from Governor Gray Davis to maintenance workers and clerks.

    Worse, the California Controller's Office, which ran the database, failed to notify state employees for more than two weeks after the breach was discovered. Although officials with the Controller's office insisted the break-in probably hadn't resulted in any significant harm, the incident enraged Golden State pols and employees, whose Social Security numbers, bank account information, and home addresses were fair game for the hackers.

    This lapse sparked what may mark a dramatic shift in legal policy toward cybersecurity. Over strenuous objections from the business lobby, on Sept. 26 California enacted a sweeping measure that mandates public disclosure of computer-security breaches in which confidential information may have been compromised. The law covers not just state agencies but private enterprises doing business in California. Come July 1, 2003, those who fail to disclose that a breach has occurred could be liable for civil damages or face class actions. [1]

A lot of break-ins are not reported and are swept under the rug. It will be interesting to see the effect of this law on attitudes toward security as the number of break-ins reported increases.

[1] Available via: http://www.itsecure.com.au/news/story.htm?StoryID=272

3 Key Establishment Methods

The different key establishment methods assume that the parties involved already have certain capabilities or access to information. The variation of assumptions that each protocol makes for the parties includes:

• Both parties may already have a shared secret key, for long term use, or a short secret such as a password.
• PK of other party, PK of Certificate Authority (many log-in protocols assume this)
• Trusted Third Party (TTP) (Kerberos)
• Asymmetry of computation power (Smart Card vs. bank terminal)
• Mathematical assumptions (IBE)

We begin our inspection of key establishment methods from the ground up.

3.1 Session Key Establishment

The barebones approach to authenticating a user is simple password authentication, originating from the days when A initiates a session by logging in to B, does her work, and logs out. B just has to ensure that h(pw) ∈ DB_B; no shared secret is used to encrypt communication.

    A → B : pw

As expected, this method offers no security, as the password is sent in the clear. It is vulnerable to eavesdropping, hijacking, and replay attacks.

3.2 Challenge Response

We improve on the simple approach slightly by having the server send the user a challenge (nonce) x, and Alice responds with a hash of x and her password.

    Bob → Alice : challenge x
    Alice → Bob : f(x, pw)

Note: f can denote a function such as SHA-1

By sending a challenge, Bob can ensure that Alice is initiating the session, and avoid a replay attack. This method, however, is still vulnerable to eavesdropping for the duration of the session, as well as hijacking. The above is presented for historical purposes, as it offers no forward secure line, which is the problem we are trying to solve.

3.3 Kerberos

Kerberos, which is used at MIT, assumes use of a Trusted Third Party T which shares secret keys with all parties.

We assume that A and T share a shared symmetric key K_A, and B and T share a shared secret K_B, such that A and T, and B and T, can communicate securely. A and B have no prior relationship, but A can use T to help establish a shared secret between A and B.

1. A → T : A, B, N_A (where N_A is a nonce of non-repeating value)
2. T → A : E_{K_B}(K, A, L), E_{K_A}(K, N_A, L, B) (where L is the lifetime of the key)
3. A → B : E_{K_B}(K, A, L), E_K(time)
4. B → A : E_K(time + 1)

A sends a message to T requesting a key for communication with B. T responds with two messages: a message encrypted with K_B for A to send to B, notifying B of the communication, and a "ticket" to use for the communication, and a message encrypted with the key of A to notify A of the shared secret. B receives key K and understands that it is a key for communication from A, as endorsed by T. A also wants to make sure that B is there, so she sends E_K(time) as a challenge, the first time E_K is used for secure communication. A and B can use this key from now on.

Note that Step 3 could be T → B as well, though it is usually implemented as A → B.

This method assumes that the Trusted Third Party has a good random number generator for generating secrets, and is not corrupt, since T knows the secret keys being used. Also, note that the A → T notation makes many assumptions that are not explicitly stated, such as taking care to ensure non-malleability, etc., that we acknowledge by intuition, but may not always be acknowledged during implementation.

Ideally, we would also want to protect against reflection attacks and have two keys rather than one, since a message sent by A could be reflected back to A, and the protocol does not have enough explicitness to distinguish between her own message and B's.

3.4 RSA Transport

In the case of there not being Trusted Third Parties, we use Public Keys for key transport (though there is still a
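Returning to the challenge-response exchange of Section 3.2: the following is an added example, not part of the original notes, of the bookkeeping Bob needs so that a recorded response is useless later. The class and function names and the sample password are constructed, and f is instantiated as HMAC-SHA-256, a swap for the SHA-1 the notes mention.

```python
import hashlib, hmac, os

def f(x, pw):
    # f(x, pw) instantiated as HMAC-SHA-256 keyed with pw (assumption; the
    # notes only say f can be a function such as SHA-1).
    return hmac.new(pw.encode(), x, hashlib.sha256).digest()

class Bob:
    """Verifier side: issues a nonce x per attempt and checks f(x, pw)."""
    def __init__(self, users):
        # To recompute f(x, pw) Bob must hold pw itself (or a value Alice also
        # derives from it), unlike the h(pw) lookup of Section 3.1.
        self.users = users            # name -> pw (constructed sample data)
        self.pending = {}             # name -> outstanding challenge x

    def challenge(self, name):
        x = os.urandom(16)            # fresh, unpredictable nonce
        self.pending[name] = x
        return x

    def verify(self, name, response):
        x = self.pending.pop(name, None)    # single use: consumed on first try
        if x is None or name not in self.users:
            return False
        return hmac.compare_digest(response, f(x, self.users[name]))

def demo():
    bob = Bob({"alice": "correct horse"})
    x1 = bob.challenge("alice")
    r1 = f(x1, "correct horse")             # Alice's response to x1
    first = bob.verify("alice", r1)         # accepted
    same_again = bob.verify("alice", r1)    # rejected: x1 already consumed
    bob.challenge("alice")                  # new session, new nonce x2
    replayed = bob.verify("alice", r1)      # rejected: r1 was computed over x1
    return first, same_again, replayed
```

Nothing here protects the traffic that follows the login, which is the eavesdropping and hijacking exposure the notes point out.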
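The four Kerberos messages of Section 3.3, with the checks each party makes, as an added example that is not code from the original notes. Assumptions: E_K is a stand-in built from a SHA-256 keystream plus an HMAC tag (for illustration only, not a vetted cipher), L is carried as an expiry time, and the clock-skew window and all function names are hypothetical.

```python
import hashlib, hmac, json, os

def _ks(key, iv, n):  # SHA-256 counter keystream (demo stand-in, not a vetted cipher)
    return b"".join(hashlib.sha256(key + iv + bytes([i])).digest() for i in range(n // 32 + 1))

def seal(key, obj):
    """E_key(obj): keystream XOR plus an HMAC tag so modified messages are rejected."""
    pt, iv = json.dumps(obj).encode(), os.urandom(16)
    ct = iv + bytes(p ^ k for p, k in zip(pt, _ks(key, iv, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(c ^ k for c, k in zip(ct[16:], _ks(key, ct[:16], len(ct) - 16))))

def ttp_reply(keys, a, b, n_a, now, lifetime=300):
    """Step 2: T picks a fresh K and returns E_KB(K, A, L), E_KA(K, N_A, L, B)."""
    k, L = os.urandom(16).hex(), now + lifetime      # L kept as an expiry time (assumption)
    return seal(keys[b], [k, a, L]), seal(keys[a], [k, n_a, L, b])

def alice_accept(k_a, for_a, n_a, b, now):
    """A checks that T echoed her nonce and named B, then builds E_K(time) for step 3."""
    k, nonce, L, peer = unseal(k_a, for_a)
    if nonce != n_a or peer != b or now > L:
        raise ValueError("stale or misdirected reply from T")
    return k, seal(bytes.fromhex(k), now)

def bob_accept(k_b, ticket, auth, now, skew=5):
    """Steps 3-4: B opens the ticket, checks L and the timestamp, answers E_K(time + 1)."""
    k, a, L = unseal(k_b, ticket)
    t = unseal(bytes.fromhex(k), auth)
    if now > L or abs(now - t) > skew:               # skew window is an assumption
        raise ValueError("expired ticket or stale authenticator")
    return a, k, seal(bytes.fromhex(k), t + 1)

def run_session(now=1000):
    keys = {"A": os.urandom(16), "B": os.urandom(16)}    # K_A, K_B: long-term keys shared with T
    n_a = os.urandom(8).hex()                            # step 1: A -> T : A, B, N_A
    ticket, for_a = ttp_reply(keys, "A", "B", n_a, now)
    k, auth = alice_accept(keys["A"], for_a, n_a, "B", now)
    peer, k_at_b, reply = bob_accept(keys["B"], ticket, auth, now + 1)
    confirmed = unseal(bytes.fromhex(k), reply) == now + 1   # A sees time + 1: B holds K
    return {"peer": peer, "same_key": k == k_at_b, "confirmed": confirmed,
            "ticket": ticket, "auth": auth, "for_a": for_a, "keys": keys}
```

The HMAC tag is what supplies the non-malleability that the A → T notation takes for granted; without it a modified ticket would decrypt to different fields instead of being rejected.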

