#### Transcript security engineering - University of Sydney

CNS2010

### ELEC5616 computer and network security

**matt barrie [email protected]**

lecture 6 :: key management 1

### key management

• **Suppose we have a symmetric key network:**

**k ab Alice Bob k ad k ac k bd k bc Carol Dave k cd**

• **Alice, Bob, Carol and Dave want to talk to each other** • **For secure communication, for n parties, we require** ( ) = n(n-1) 2 keys • **Key distribution and management becomes a major issue!** CNS2010 lecture 6 :: key management 2

### definitions

• **Key establishment is any process whereby a shared secret **

**becomes available to two or more parties, for subsequent cryptographic use.**

• **Key management is the set of processes and mechanisms **

**which support key establishment and the maintenance of ongoing keying relationships between parties, including replacing older keys with newer ones:**

– key agreement – key transport CNS2010 lecture 6 :: key management 3

### key distribution centre

• **Naïve solution:**

**Alice k a k b k c KDC k d Bob All parties share a key with the KDC Carol Dave**

• **Protocol:** (1) Alice → (2) KDC → (3) Alice (4) Bob → KDC Alice Bob : “want to talk with Bob” : KDC picks random key k ab , sends Ek a [k ab ], Ek b [k ab , “ticket a-b”] : Alice decrypts Ek a [k ab ], sends ticket to Bob : Bob decrypts ticket • **Alice and Bob now share secret key k**

**ab .**

CNS2010 lecture 6 :: key management 4

### problems with naïve approach

• **Naïve solution:**

**Alice k a k b k c KDC k d Bob All parties share a key with the KDC Carol Dave**

• **Problems:** – Single point of failure, the KDC (a juicy target to attack) – No authentication – Poor scalability – Slow CNS2010 lecture 6 :: key management 5

### merkle’s puzzles

• **Ralph Merkle (Stanford, 1974)** • **Merkle’s puzzles are a way of doing key exchange between **

**Alice and Bob without the need for a KDC**

• **Protocol:** (1) (2) (3) Alice creates lots of puzzles P i = E pi [“This is puzzle #X i ”, k i ] where i = 1 .. 2 20 , |p i | = 20 bits (weak), |k i | = 128 bits (strong) X i , p i and k i are chosen randomly and different for each i.

Alice sends all puzzles P i to Bob.

Bob picks a random puzzle j є {1 … 2 20 } and solves P j (i.e. search on key p j ). This recovers X j and k j by brute force from the puzzle.

(4) Bob sends X j to Alice in the clear.

(5) Alice looks up the index j of X j (from a table) to get k j .

=> Alice and Bob now both share a secret key k j .

CNS2010 lecture 6 :: key management 6

### merkle’s puzzles

**Alice Makes 2 20 puzzles P 6 P 7 P 2 P 5 P 11 P 12 P 13 P 1 P 3 P 14 P 4 P 9 P i = Ep i [“This is puzzle #X i ”, k i ] Bob Picks a random puzzle P j and breaks it.**

**Alice looks up X Shared secret is k j j Eve ???**

**Only knows the puzzles and X j Sends X j back to Alice Shared secret is k j**

CNS2010 lecture 6 :: key management 7

### attack on merkle’s puzzles

• **Eve must break on average half the puzzles to find **

**X j**

– Time required to do so for 2 20 puzzles = 2 19 x 2 19 = 2 38

**(hence k j )**

• **If Alice and Bob can try 10,000 keys/second :** – It will take a minute for each of them to perform their steps (2 19 for Bob) – Plus another minute to communicate the puzzles on a 1.544MB (T1) link • **With comparable resources, it will take Eve about a year to **

**break the system.**

• **Note: Merkle’s Puzzles uses a lot of bandwidth (impractical!)** CNS2010 lecture 6 :: key management 8

### diffie-hellman key exchange

• **Diffie-Hellman (Stanford, 1976)** • **Worldwide standard used in smart cards, etc.** • **Protocol:** (1) (2) (3) (4) (5) Consider the finite field Z p Let g є Z p (the generator) = <0, … p-1> where p is prime (p is about 300 digits long) Alice Bob Alice → Bob → Bob Alice Alice and Bob : Alice chooses a random large integer a є Z p : Bob choses a random large integer b є Z p : Alice sends Bob g a : Bob sends Alice g : compute g ab b (mod p) (mod p) : Alice computes (g b ) a = g ab (mod p) : Bob computes (g a ) b = g ab (mod p) => Alice and Bob now share secret g ab CNS2010 lecture 6 :: key management 9

### diffie-hellman key exchange

**Alice Computes g ab (mod p) p, g, g a (mod p) g b (mod p) Bob Computes g ab (mod p) Eve ???**

**Only knows p, g, g a , g b**

CNS2010 lecture 6 :: key management 10

### strength of diffie-hellman

• **The strength of Diffie-Hellman is based upon two issues:** – given p, g, g a , it is difficult to calculate a (the discrete logarithm problem) – given p, g, g problem) a , g b it is difficult for Eve to calculate g ab (the Diffie-Hellman – we know that DL DH but it is not known if DH DL.

• **Essentially, the strength of the system is based on the **

**difficulty of factoring numbers the same size as p.**

• **The generator, g, can be small** • **Do not use the secret g**

**ab directly as a session key**

– it is better to either hash it or use it as a seed for a PRNG – not all bits of the secret have a flat distribution CNS2010 lecture 6 :: key management 11

### references

• **Handbook of Applied Cryptography** – read §1, §2-2.4.4, §2.5 - 2.5.3

• **Stallings (3**

**rd**

– 6.3 – 6.4

**Ed)**

CNS2010 lecture 6 :: key management 12