Recent developments in group key exchange Mike Burmester Information Security Summer School 2005


Recent developments in
group key exchange
Mike Burmester
Information Security Summer School 2005
Florida State University
1
Outline
1. Secure Communication
2. Key Distribution
   • the Diffie-Hellman protocol
   • variants, attacks
   • authentication
   • conference protocols
3. Public Key Certificates
   • trust-graphs
   • hierarchical vs horizontal structures
   • security
4. Conclusion
2
1. Secure Communication
[Figure: Sender (Alice) sends a message to Receiver (Bob); Adversary]
Security issues
• privacy
• authenticity
• denial of service, etc.
3
Symmetric keys (privacy)
[Figure: Alice encrypts the plaintext with E under SK; Bob decrypts the ciphertext with D under SK.]
Security issue
• How to distribute the secret key SK
4
Public Keys (privacy)
[Figure: Alice encrypts the plaintext with E under PKB and sends the ciphertext; Bob decrypts it with D under SKB. Other labels: f, authentication channel.]
Security issues
• It should be hard to compute SKB from PKB
• How do we distribute PKB
5
Public Keys (digital signatures)
[Figure: Alice signs m with S under SKA and sends m, sigSKA(m); Bob verifies with V under PKA, which outputs a or r. Other labels: f, authentication channel.]
Security issues
• It should be hard to compute SKA from PKA
• How to distribute PKA
6
2. Key Exchange protocols
the Diffie-Hellman protocol
$Z_p = \{0, 1, \ldots, p-1\}$, p prime, g a generator of $Z_p^*$
Alice's public key $g^{s_a}$: $0 < s_a < p-1$, private key $s_a$
Bob's public key $g^{s_b}$: $0 < s_b < p-1$, private key $s_b$
Alice sends $g^{s_a} \bmod p$ to Bob
Bob sends $g^{s_b} \bmod p$ to Alice
Key exchanged: $SK = g^{s_a s_b} \bmod p$
7
Security
It should be hard to compute SK from PK.
Freshness of keys
If the same key is used many times then the
security of the system may be undermined.
8
What if 3 or more parties want to share a common secret key?
[Figure: tree on A, B, C, D, E, F with edges labelled K/SKAB, K/SKAC, K/SKBD]
1. Use DH to get: SKAB, SKBD, SKBE, SKAC, SKCF.
2. A selects the secret key K at random from Zp*.
3. A sends K/SKAB to B and K/SKAC to C.
4. B gets K from K/SKAB and sends K/SKAC to D, etc.
9
Group Key Exchange
– contributory schemes
[Figure: users U1, U2, U3, …, Un-1, Un]
Round 1: Use DH
Ui broadcasts $z_i = g^{r_i}$
10
Group Key Exchange
[Figure: users U1, U2, U3, …, Un-1, Un, with DH keys such as K23 and Kn-1n between neighbouring users]
Round 1:
Each Ui computes the DH key:
$K_i = g^{r_i r_{i+1}}$
11
Group Key Exchange
[Figure: users U1, U2, U3, …, Un-1, Un, with DH keys such as K23 and Kn-1n between neighbouring users]
Round 1: end
Group Key
$K = K_1 K_2 \cdots K_n$, where $K_i = K_{i,i+1}$
But how????
12
Group Key Exchange
[Figure: users U1, U2, U3, …, Un-1, Un, with keys K2, …, Ki, …, Kn-1, Kn]
Round 2:
Ui broadcasts
$x_i = K_i / K_{i-1}$
13
Group Key Exchange
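[Figure: users U1, U2, U3, …, Un-1, Un, with keys K2, …, Ki, …, Kn-1, Kn]
Round 2:
Each Ui computes the key:
$K = K_{i-1}^{n} \, x_i^{n-1} \, x_{i+1}^{n-2} \cdots x_{i-2}$
$= K_{i-1}^{n} (K_i/K_{i-1})^{n-1} (K_{i+1}/K_i)^{n-2} \cdots (K_{i-2}/K_{i-3})$
14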
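The two rounds of the group key exchange above, as an added Python example that is not part of the original slides: every user derives the same key, equal to the product of the neighbour DH keys. The toy parameters P and G, the function names and the mod-n indexing of users are assumptions of this example, and the exchange is unauthenticated.

```python
import secrets

# Constructed toy parameters, far too small for real use.
P = 2039   # prime
G = 2037   # -2 mod P, a generator of Z_P^*

def round1(n):
    """Round 1: each U_i picks r_i and broadcasts z_i = g^{r_i} mod p."""
    r = [secrets.randbelow(P - 2) + 1 for _ in range(n)]   # 0 < r_i < p-1
    return r, [pow(G, ri, P) for ri in r]

def dh_key(r_i, z_other):
    """DH key U_i shares with a neighbour: that neighbour's z raised to r_i."""
    return pow(z_other, r_i, P)

def round2(r, z):
    """Round 2: each U_i broadcasts x_i = K_i / K_{i-1} (indices mod n)."""
    n = len(r)
    x = []
    for i in range(n):
        k_i = dh_key(r[i], z[(i + 1) % n])       # K_i = g^{r_i r_{i+1}}
        k_prev = dh_key(r[i], z[(i - 1) % n])    # K_{i-1} = g^{r_{i-1} r_i}
        x.append(k_i * pow(k_prev, -1, P) % P)
    return x

def group_key(i, r_i, z, x):
    """U_i's view: K = K_{i-1}^n * x_i^{n-1} * x_{i+1}^{n-2} * ... * x_{i-2}."""
    n = len(z)
    key = pow(dh_key(r_i, z[(i - 1) % n]), n, P)
    for j in range(n - 1):
        key = key * pow(x[(i + j) % n], n - 1 - j, P) % P
    return key

def run(n):
    """Run both rounds for n users; return each user's key and K_1 K_2 ... K_n."""
    r, z = round1(n)
    x = round2(r, z)
    keys = [group_key(i, r[i], z, x) for i in range(n)]
    product = 1
    for i in range(n):
        product = product * dh_key(r[i], z[(i + 1) % n]) % P
    return keys, product

if __name__ == "__main__":
    keys, product = run(5)
    print(keys, product)
```

The broadcast values x_1 … x_n always multiply to 1 mod p, which gives each receiver a cheap consistency check on round 2.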
Authentication 1
How does Alice know that the “shared”
secret key has been distributed to all the
parties in the conference?
15
Group Key Exchange
– authentication
Each Ui authenticates (digitally signs) its
• randomness ri
• its zi and xi
and after checking them authenticates
the string:
• {Ui}|| {ri} || {zi} || {xi}
16
Authentication 2
How can Alice be certain which key is Bob’s public key?
1. They may have met earlier and exchanged public keys.
2. They may have mutual friends who know their public keys:
   Alice → Carol → Bob, or
   Alice → Carol → ... → Bob
Case 1 establishes an a priori trust relationship
Case 2 establishes an induced trust relationship
17
3. Public Key Certificates
Who is who?
PK CERTIFICATE
The public key of Bob is: 010010010 …..
Signed by a Certifying Authority
A PK Certificate establishes authenticity and
provides a means by which a public key can
be stored in partially insecure repositories, or
transmitted over insecure channels.
18
Trust-graphs
Certificates can be used to model the confidence of a network in its public keys by a directed trust-graph, with vertices the entities and edges the certificates.
[Figure: trust-graph on vertices A, B, C, D, E, F with certificate edges CAB, CAC, CBD, CBE, CCF]
19
Trust-graphs
A priori confidence:
This is corroborated by the certificates.
Induced confidence:
This is established by trust-paths that link
the entities in the trust-graph.
20
A hierarchical infrastructure
[Figure: hierarchy with RCA at the top, then CA1 and CA2, then users U1, U2, U3, U4]
The public key of U4 is certified by the trust-path:
RCA → CA2 → U4
21
Security issues
A hacker can penetrate a CA or its
computer system and forge certificates
or get certificates for unauthorized
users.
22
Threats
1. Whom should we trust (and for what)?
2. Which Bob is it?
3. Organizational (insider) attacks
4. Computer system threats:
How secure is the computer system
of the Certifying Authority?
How secure is the computer system
of Bob?
23
PGP: an unstructured approach
Pretty Good Privacy is a freeware electronic
mail system that uses an unstructured
authentication framework.
Users are free to decide whom they trust.
PGP does not specify any specific structure
for the trust-graph and for this reason is
quite vulnerable.
[Figure: trust-path A, A1, ..., An, B]
24
A horizontal approach: multiple connectivity
If the trust-graph is (2k+1)-connected then
there are 2k+1 vertex disjoint trust-paths
which connect any two of its vertices.
25
A 3-connected trust-graph
[Figure: a 3-connected trust-graph containing vertices A and B]
26
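Counting vertex-disjoint trust-paths between two entities, as an added Python example that is not part of the original slides: it contrasts a hierarchy, where a user's key is reached by a single trust-path, with a graph that offers three disjoint paths. Both sample graphs are constructed for this example, and reading k off the count assumes the verifier accepts the key reported by a majority of the disjoint paths.

```python
from collections import defaultdict

def disjoint_trust_paths(edges, src, dst):
    """Maximum number of internally vertex-disjoint directed paths src -> dst."""
    cap = defaultdict(int)   # residual capacities
    adj = defaultdict(set)   # residual adjacency (both directions)

    def add(u, v):
        cap[(u, v)] += 1
        adj[u].add(v)
        adj[v].add(u)

    for v in {n for e in edges for n in e} - {src, dst}:
        add((v, "in"), (v, "out"))     # an intermediate entity is usable once
    for u, v in set(edges):            # edge u -> v: u has certified v's key
        add((u, "out"), (v, "in"))
    s, t = (src, "out"), (dst, "in")

    def augment(u, seen):
        """Depth-first search for one augmenting path in the residual graph."""
        if u == t:
            return True
        seen.add(u)
        for v in adj[u]:
            if v not in seen and cap[(u, v)] > 0 and augment(v, seen):
                cap[(u, v)] -= 1
                cap[(v, u)] += 1
                return True
        return False

    paths = 0
    while augment(s, set()):
        paths += 1
    return paths

def tolerated_penetrations(paths):
    """Largest k with paths >= 2k+1: k penetrated entities spoil at most k paths."""
    return max(paths - 1, 0) // 2

# Constructed sample graphs (assumed shapes, not copied from the slides' figures).
HIERARCHY = [("RCA", "CA1"), ("RCA", "CA2"), ("CA1", "U1"), ("CA1", "U2"),
             ("CA2", "U3"), ("CA2", "U4")]
HORIZONTAL = [("A", "C"), ("C", "D"), ("D", "B"), ("A", "E"), ("E", "B"),
              ("A", "F"), ("F", "G"), ("G", "B"), ("C", "E"), ("F", "E")]

if __name__ == "__main__":
    for name, g, a, b in [("hierarchy", HIERARCHY, "RCA", "U4"),
                          ("horizontal", HORIZONTAL, "A", "B")]:
        n = disjoint_trust_paths(g, a, b)
        print(name, n, tolerated_penetrations(n))
```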
Combining horizontal and hierarchical structures
[Figure: users U1, U2, U3, U4]
27
Security
A secure authentication infrastructure
must be reliable, robust and survivable.
Reliability deals with faults that occur in a
random manner, and is achieved by replication.
Robustness deals with maliciously induced
faults.
28
Survivability deals with the destruction of
parts of the infrastructure.
The destruction may affect the entities
(e.g. the CA’s) as well as stored data, and
may be malicious.
For survivability, the remaining entities should
be able to recover enough of the infrastructure
to guarantee secure communication.
29
Survivability
Reconstruction of a corrupted trust-graph
[Figure: entity A and its neighbors U1, U2, U3, ..., Un; labels: Adversary, faulty]
Entity A asks all its neighbors for a list of their neighbors, the neighbors of their neighbors, etc.
30
Survivability
Problem
Some of the neighbors are under the control of
the Adversary and may send fake certificates,
relating to other entities, real or bogus.
Is it possible to reconstruct a sufficiently good
approximation of the trust-graph?
31
Survivability
Answer
Yes, provided that there is a bound on the number
of penetrated or destroyed sites, and that the
trust-graph is sufficiently connected.
32
Reconstructing a corrupted
trust-graph
The reconstruction involves several stages.
• Round Robin flooding
• a Halting routine
• a Clean-up routine
33
Conclusion
Secure key exchange can be achieved in
several ways by using cryptographic
mechanisms.
Clearly there is a trade-off between the security
requirements and the complexity.
34
Conclusion
If the public keys are authenticated via single
trust paths then the system is vulnerable to any
penetration.
By having several vertex disjoint authentication
paths linking the entities we get robustness
against penetration and survivability.
35