Transcript security engineering - University of Sydney
CNS2010
ELEC5616 computer and network security
matt barrie [email protected]
lecture 6 :: key management 1
key management
• Suppose we have a symmetric key network:
k ab Alice Bob k ad k ac k bd k bc Carol Dave k cd
• Alice, Bob, Carol and Dave want to talk to each other • For secure communication, for n parties, we require ( ) = n(n-1) 2 keys • Key distribution and management becomes a major issue! CNS2010 lecture 6 :: key management 2
definitions
• Key establishment is any process whereby a shared secret
becomes available to two or more parties, for subsequent cryptographic use.
• Key management is the set of processes and mechanisms
which support key establishment and the maintenance of ongoing keying relationships between parties, including replacing older keys with newer ones:
– key agreement – key transport CNS2010 lecture 6 :: key management 3
key distribution centre
• Naïve solution:
Alice k a k b k c KDC k d Bob All parties share a key with the KDC Carol Dave
• Protocol: (1) Alice → (2) KDC → (3) Alice (4) Bob → KDC Alice Bob : “want to talk with Bob” : KDC picks random key k ab , sends Ek a [k ab ], Ek b [k ab , “ticket a-b”] : Alice decrypts Ek a [k ab ], sends ticket to Bob : Bob decrypts ticket • Alice and Bob now share secret key k
ab .
CNS2010 lecture 6 :: key management 4
problems with naïve approach
• Naïve solution:
Alice k a k b k c KDC k d Bob All parties share a key with the KDC Carol Dave
• Problems: – Single point of failure, the KDC (a juicy target to attack) – No authentication – Poor scalability – Slow CNS2010 lecture 6 :: key management 5
merkle’s puzzles
• Ralph Merkle (Stanford, 1974) • Merkle’s puzzles are a way of doing key exchange between
Alice and Bob without the need for a KDC
• Protocol: (1) (2) (3) Alice creates lots of puzzles P i = E pi [“This is puzzle #X i ”, k i ] where i = 1 .. 2 20 , |p i | = 20 bits (weak), |k i | = 128 bits (strong) X i , p i and k i are chosen randomly and different for each i.
Alice sends all puzzles P i to Bob.
Bob picks a random puzzle j є {1 … 2 20 } and solves P j (i.e. search on key p j ). This recovers X j and k j by brute force from the puzzle.
(4) Bob sends X j to Alice in the clear.
(5) Alice looks up the index j of X j (from a table) to get k j .
=> Alice and Bob now both share a secret key k j .
CNS2010 lecture 6 :: key management 6
merkle’s puzzles
Alice Makes 2 20 puzzles P 6 P 7 P 2 P 5 P 11 P 12 P 13 P 1 P 3 P 14 P 4 P 9 P i = Ep i [“This is puzzle #X i ”, k i ] Bob Picks a random puzzle P j and breaks it.
Alice looks up X Shared secret is k j j Eve ???
Only knows the puzzles and X j Sends X j back to Alice Shared secret is k j
CNS2010 lecture 6 :: key management 7
attack on merkle’s puzzles
• Eve must break on average half the puzzles to find
X j
– Time required to do so for 2 20 puzzles = 2 19 x 2 19 = 2 38
(hence k j )
• If Alice and Bob can try 10,000 keys/second : – It will take a minute for each of them to perform their steps (2 19 for Bob) – Plus another minute to communicate the puzzles on a 1.544MB (T1) link • With comparable resources, it will take Eve about a year to
break the system.
• Note: Merkle’s Puzzles uses a lot of bandwidth (impractical!) CNS2010 lecture 6 :: key management 8
diffie-hellman key exchange
• Diffie-Hellman (Stanford, 1976) • Worldwide standard used in smart cards, etc. • Protocol: (1) (2) (3) (4) (5) Consider the finite field Z p Let g є Z p (the generator) = <0, … p-1> where p is prime (p is about 300 digits long) Alice Bob Alice → Bob → Bob Alice Alice and Bob : Alice chooses a random large integer a є Z p : Bob choses a random large integer b є Z p : Alice sends Bob g a : Bob sends Alice g : compute g ab b (mod p) (mod p) : Alice computes (g b ) a = g ab (mod p) : Bob computes (g a ) b = g ab (mod p) => Alice and Bob now share secret g ab CNS2010 lecture 6 :: key management 9
diffie-hellman key exchange
Alice Computes g ab (mod p) p, g, g a (mod p) g b (mod p) Bob Computes g ab (mod p) Eve ???
Only knows p, g, g a , g b
CNS2010 lecture 6 :: key management 10
strength of diffie-hellman
• The strength of Diffie-Hellman is based upon two issues: – given p, g, g a , it is difficult to calculate a (the discrete logarithm problem) – given p, g, g problem) a , g b it is difficult for Eve to calculate g ab (the Diffie-Hellman – we know that DL DH but it is not known if DH DL.
• Essentially, the strength of the system is based on the
difficulty of factoring numbers the same size as p.
• The generator, g, can be small • Do not use the secret g
ab directly as a session key
– it is better to either hash it or use it as a seed for a PRNG – not all bits of the secret have a flat distribution CNS2010 lecture 6 :: key management 11
references
• Handbook of Applied Cryptography – read §1, §2-2.4.4, §2.5 - 2.5.3
• Stallings (3
rd
– 6.3 – 6.4
Ed)
CNS2010 lecture 6 :: key management 12