CNS2010

### matt barrie [email protected]

lecture 6 :: key management 1

### key management

Suppose we have a symmetric key network:

k ab Alice Bob k ad k ac k bd k bc Carol Dave k cd

Alice, Bob, Carol and Dave want to talk to each otherFor secure communication, for n parties, we require ( ) = n(n-1) 2 keys • Key distribution and management becomes a major issue! CNS2010 lecture 6 :: key management 2

### definitions

Key establishment is any process whereby a shared secret

becomes available to two or more parties, for subsequent cryptographic use.

Key management is the set of processes and mechanisms

which support key establishment and the maintenance of ongoing keying relationships between parties, including replacing older keys with newer ones:

– key agreement – key transport CNS2010 lecture 6 :: key management 3

### key distribution centre

Naïve solution:

Alice k a k b k c KDC k d Bob All parties share a key with the KDC Carol Dave

Protocol: (1) Alice → (2) KDC → (3) Alice (4) Bob → KDC Alice Bob : “want to talk with Bob” : KDC picks random key k ab , sends Ek a [k ab ], Ek b [k ab , “ticket a-b”] : Alice decrypts Ek a [k ab ], sends ticket to Bob : Bob decrypts ticket • Alice and Bob now share secret key k

ab .

CNS2010 lecture 6 :: key management 4

### problems with naïve approach

Naïve solution:

Alice k a k b k c KDC k d Bob All parties share a key with the KDC Carol Dave

Problems: – Single point of failure, the KDC (a juicy target to attack) – No authentication – Poor scalability – Slow CNS2010 lecture 6 :: key management 5

### merkle’s puzzles

Ralph Merkle (Stanford, 1974)Merkle’s puzzles are a way of doing key exchange between

Alice and Bob without the need for a KDC

Protocol: (1) (2) (3) Alice creates lots of puzzles P i = E pi [“This is puzzle #X i ”, k i ] where i = 1 .. 2 20 , |p i | = 20 bits (weak), |k i | = 128 bits (strong) X i , p i and k i are chosen randomly and different for each i.

Alice sends all puzzles P i to Bob.

Bob picks a random puzzle j є {1 … 2 20 } and solves P j (i.e. search on key p j ). This recovers X j and k j by brute force from the puzzle.

(4) Bob sends X j to Alice in the clear.

(5) Alice looks up the index j of X j (from a table) to get k j .

=> Alice and Bob now both share a secret key k j .

CNS2010 lecture 6 :: key management 6

### merkle’s puzzles

Alice Makes 2 20 puzzles P 6 P 7 P 2 P 5 P 11 P 12 P 13 P 1 P 3 P 14 P 4 P 9 P i = Ep i [“This is puzzle #X i ”, k i ] Bob Picks a random puzzle P j and breaks it.

Alice looks up X Shared secret is k j j Eve ???

Only knows the puzzles and X j Sends X j back to Alice Shared secret is k j

CNS2010 lecture 6 :: key management 7

### attack on merkle’s puzzles

Eve must break on average half the puzzles to find

X j

– Time required to do so for 2 20 puzzles = 2 19 x 2 19 = 2 38

(hence k j )

If Alice and Bob can try 10,000 keys/second : – It will take a minute for each of them to perform their steps (2 19 for Bob) – Plus another minute to communicate the puzzles on a 1.544MB (T1) link • With comparable resources, it will take Eve about a year to

break the system.

Note: Merkle’s Puzzles uses a lot of bandwidth (impractical!) CNS2010 lecture 6 :: key management 8

### diffie-hellman key exchange

Diffie-Hellman (Stanford, 1976)Worldwide standard used in smart cards, etc.Protocol: (1) (2) (3) (4) (5) Consider the finite field Z p Let g є Z p (the generator) = <0, … p-1> where p is prime (p is about 300 digits long) Alice Bob Alice → Bob → Bob Alice Alice and Bob : Alice chooses a random large integer a є Z p : Bob choses a random large integer b є Z p : Alice sends Bob g a : Bob sends Alice g : compute g ab b (mod p) (mod p) : Alice computes (g b ) a = g ab (mod p) : Bob computes (g a ) b = g ab (mod p) => Alice and Bob now share secret g ab CNS2010 lecture 6 :: key management 9

### diffie-hellman key exchange

Alice Computes g ab (mod p) p, g, g a (mod p) g b (mod p) Bob Computes g ab (mod p) Eve ???

Only knows p, g, g a , g b

CNS2010 lecture 6 :: key management 10

### strength of diffie-hellman

The strength of Diffie-Hellman is based upon two issues: – given p, g, g a , it is difficult to calculate a (the discrete logarithm problem) – given p, g, g problem) a , g b it is difficult for Eve to calculate g ab (the Diffie-Hellman – we know that DL  DH but it is not known if DH  DL.

Essentially, the strength of the system is based on the

difficulty of factoring numbers the same size as p.

The generator, g, can be smallDo not use the secret g

ab directly as a session key

– it is better to either hash it or use it as a seed for a PRNG – not all bits of the secret have a flat distribution CNS2010 lecture 6 :: key management 11

### references

Handbook of Applied Cryptography – read §1, §2-2.4.4, §2.5 - 2.5.3

Stallings (3

rd

– 6.3 – 6.4

Ed)

CNS2010 lecture 6 :: key management 12