Lecture 15 – PKI & Authenticated Key Exchange
COSC-260 Codes and Ciphers, Adam O'Neill
Adapted from http://cseweb.ucsd.edu/~mihir/cse107/
Today
• We will see how signatures are used to create public-key infrastructures and trust in public keys.
• We will study the problem of authenticated session key agreement, which is the core of protocols SSL, SSH, TLS, IPSEC, 802.11 …
Public-key Setting
The public key setting

Alice                                             Bob
                      <-------- pk[A] ---------

M ← D_sk[A](C)        <----------- C ---------     C ←$ E_pk[A](M)

σ ←$ S_sk[A](M)       ---------- M, σ -------->    V_pk[A](M, σ)

Bob can:
• send encrypted data to Alice
• verify her signatures
as long as he has Alice's public key pk[A].
But how does he get pk[A]?
Mihir Bellare UCSD 2
Naive Attempt: Distributing public keys
How about:

Alice                                                    Bob
(pk[A], sk[A]) ←$ K    -------- Alice, pk[A] -------->

M ← D_sk[A](C)         <------------ C --------------    C ←$ E_pk[A](M)

σ ←$ S_sk[A](M)        ----------- M, σ ------------>    V_pk[A](M, σ)

Problem: man-in-the-middle attack. An adversary controlling the channel replaces the first flow with (Alice, pk[E]) for a key pair (pk[E], sk[E]) of its own choosing. Bob then encrypts to pk[E], so the adversary can read M, and Bob accepts signatures made under sk[E] as Alice's. Nothing in the flow authenticates pk[A], so Bob cannot tell pk[E] from pk[A].
Certificates & PKI
• Bob needs to obtain an authentic copy of Alice’s public key.
• The public-key infrastructure (PKI) is responsible for this. Usually realized via certificates.
Certificate Process
• Alice generates pk and sends it to the CA (certificate authority)
• CA does identity check
• Alice proves knowledge of secret key to CA
• CA issues certificate to Alice
• Alice sends certificate to Bob
• Bob verifies certificate and extracts Alice's pk
Local key generation
Alice runs the key generation of the scheme locally, so the secret key is known only to Alice; the CA never sees sk.
Identity check
Alice sends pk to the CA. There needs to be some "out of band" check on Alice's identity: the message carrying pk says nothing by itself about who sent it.
Proof of knowledge
In principle: a zero-knowledge proof of knowledge of sk.
In practice something weaker, called a "proof of possession", is typically done: Alice produces a signature on a random challenge chosen by the CA.
Certificate Issuance
Once the CA is convinced that pk belongs to Alice it forms a certificate
CERT_A = (CERTDATA, σ),
where σ is the CA's signature on CERTDATA, computed under the CA's secret key sk[CA].
CERTDATA:
• pk, ID(Alice)
• Name of CA
• Expiry date of certificate
• Restrictions
• Security level
• ...
The certificate CERT_A is returned to Alice.
The CA's signature binds Alice's identity to her pk; the signed pair (CERTDATA, σ) is what is called the certificate.
Certificate Usage
Alice can send CERT_A to Bob, who will:
• (CERTDATA, σ) ← CERT_A
• Check V_pk[CA](CERTDATA, σ) = 1 where pk[CA] is the CA's public key
• (pk, Alice, expiry, ...) ← CERTDATA
• Check certificate has not expired
• ...
If all is well we are ready for usage.
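The issuance and verification steps of the last few slides, written out as an added example; this is not code from the lecture or from Bellare's notes. Assumptions not in the slides: the signature scheme is Schnorr over the 2048-bit MODP group of RFC 3526 (generator 2, prime subgroup order Q = (P-1)/2); CERTDATA is a JSON object with fields pk, id, issuer, not_after and serial; the trusted-root table stands in for the CA keys preloaded in a browser; the proof of possession is a signature on a CA-chosen random challenge, as the slides describe; and the CRL lookup (a set of (issuer, serial) pairs) anticipates the revocation slides later on.

```python
"""Toy PKI: CA issues CERT_A = (CERTDATA, sigma); Bob runs the checks on it."""
import hashlib
import json
import secrets

# RFC 3526 group 14: 2048-bit safe prime P, generator 2 of the subgroup of prime order Q.
# Transcribed from the RFC; verify against the RFC text before reusing it anywhere real.
P = int("".join("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
""".split()), 16)
Q = (P - 1) // 2
G = 2


def keygen():
    """(sk, pk) = (x, g^x); run locally by whoever owns the key."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(r, msg):
    return int.from_bytes(hashlib.sha256(str(r).encode() + b"|" + msg).digest(), "big") % Q


def sign(sk, msg):
    """Schnorr: r = g^k, e = H(r, msg), s = k + sk*e mod Q; the signature is (e, s)."""
    k = secrets.randbelow(Q - 1) + 1
    e = _challenge(pow(G, k, P), msg)
    return e, (k + sk * e) % Q


def verify(pk, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pk, Q - e, P) % P   # g^s * pk^-e equals g^k for a genuine signature
    return _challenge(r, msg) == e


def encode(certdata):
    return json.dumps(certdata, sort_keys=True).encode()


# "Preloaded in your browser": issuer name -> pk[CA]. Populated by whoever deploys the CA.
TRUSTED_ROOTS = {}


def issue(ca_name, sk_ca, subject_id, subject_pk, identity_checked, challenge, pop, now, lifetime):
    """CA side: out-of-band identity check, proof of possession, then sign CERTDATA."""
    if not identity_checked:                       # the identity check itself happens outside the protocol
        raise ValueError("identity of subject not verified")
    if not verify(subject_pk, challenge, pop):     # proof of possession: signature on the CA's challenge
        raise ValueError("proof of possession failed")
    certdata = {"pk": subject_pk, "id": subject_id, "issuer": ca_name,
                "not_after": now + lifetime, "serial": secrets.randbits(64)}
    return certdata, sign(sk_ca, encode(certdata))


def check_cert(cert, now, crl):
    """Bob side: (pk, id) from a certificate that passes every check, else None."""
    certdata, sigma = cert
    pk_ca = TRUSTED_ROOTS.get(certdata.get("issuer"))
    if pk_ca is None:                              # signed by a CA Bob does not trust (e.g. a MITM's own)
        return None
    if not verify(pk_ca, encode(certdata), sigma):  # V_pk[CA](CERTDATA, sigma) = 1
        return None
    if now > certdata["not_after"]:                # expiry
        return None
    if (certdata["issuer"], certdata["serial"]) in crl:   # revocation
        return None
    return certdata["pk"], certdata["id"]
```

The checks in check_cert are ordered so that the cheapest rejection (unknown issuer) happens before the signature verification, and the signature is checked before any field of CERTDATA is trusted; a tampered pk, an expired certificate, a revoked serial and a certificate from an untrusted CA all come back as None.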
Obtaining CA's PK
Preloaded in your browser.
CA Hierarchies
(Hand-drawn diagram of a CA hierarchy; the drawing is not recoverable from the page.)
Why hierarchies?
• Easier for local CA’s to check identities of local users.
• Reduces workload of individual CA’s.
• Browsers only need to have root PK’s pre-loaded.
Revocation and CRLs
• Revocation needs to happen when e.g. a key is compromised.
• CA maintains and disseminates a list of revoked certificates: the CRL (certificate revocation list).
• Something like 20% of certificates are revoked in practice, so revocation is a big problem in deploying public-key crypto!
Session Key Exchange
Session key exchange in the public key setting

A (holds pk[B])                                   B (holds pk[A])
                  ------------------------------>
                  <------------------------------
       K                                               K

Authenticated session key agreement: after the flows, A and B hold the same session key K.
Most important type of session key exchange in practice, used in all communication security protocols: SSL, SSH, TLS, IPSEC, 802.11, ...
Security
• privacy: the adversary cannot distinguish K from random.
• authenticity: security against man-in-the-middle attacks.
A Basic Protocol: Protocol KE1: Basic Exchange

A (holds pk[B])                                                      B (holds pk[A])
        ---------------------------- A, R_A ---------------------------->
        <---------- R_B, C, B, Sign_B(A, B, R_A, R_B, C) ----------------    C ←$ E_A(K)
        -------------------- A, Sign_A(A, B, R_A, R_B) ----------------->

Session key K is chosen by B.
R_A, R_B are random nonces.
Sign_P(M) is P's signature of M under sk[P]. It is verifiable given pk[P].
E_A(·) is encryption under A's public key pk[A], decryptable using sk[A].
Forward Secrecy

A (holds pk[B])                                                      B (holds pk[A])
        ---------------------------- A, R_A ---------------------------->
        <---------- R_B, C, B, Sign_B(A, B, R_A, R_B, C) ----------------    C ←$ E_A(K)
        -------------------- A, Sign_A(A, B, R_A, R_B) ----------------->
        <------------------------------ C_B ----------------------------    C_B ←$ E_K(M)

Nov. 20: Adversary E records the above flows.
Dec. 18: A's system is compromised and sk[A] is exposed.
Dec. 19: A revokes pk[A] so that no further damage is done, but cannot prevent E from computing K ← D_sk[A](C); M ← D_K(C_B).

Can we achieve forward secrecy: privacy of communication done prior to exposure of sk[A] is not compromised?
An Improved Protocol: KE2: Adding forward secrecy

A (holds pk[B])                                                  B (holds pk[A])
        ---------------------------- A, g^a -------------------------->
        <---------------- g^b, B, Sign_B(A, B, g^a, g^b) -------------
        ------------------ A, Sign_A(A, B, g^a, g^b) ---------------->

Session key is K = H(A, B, g^a, g^b, g^ab).
Adversary E records the above flows on Nov. 20. On Dec. 18, sk[A] is exposed. This allows E to forge A's signatures, but A can address this by revoking pk[A]. But sk[A] does not help E obtain K: sk[A] is only a signing key, and K depends on the ephemeral exponents a and b (discarded once the run is over), which are derivable neither from sk[A] nor from the recorded g^a, g^b without solving Diffie-Hellman.
There is no public-key encryption here, only signatures.
All standard protocols use DH to get forward security in ways like this.
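The forward-secrecy comparison of the last two slides, run end to end, as an added example that is not part of the lecture. Only the key-derivation part of KE1 and KE2 is modelled: the signature flows are identical in both protocols and authenticate the exchange, but they play no role in what E can recover later, so they are left out here. Assumptions not in the slides: the DH group is RFC 3526 group 14 with 256-bit exponents; E_A is instantiated as hashed ElGamal under a long-term DH key pk[A] = g^x (the slide only says "encryption under pk[A]"); E_K is a toy keystream cipher derived from K by hashing, standing in for whatever symmetric scheme protects the session data.

```python
"""KE1 vs KE2: what a later-exposed sk[A] recovers from flows recorded earlier."""
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP prime, generator 2); transcribed from the RFC.
P = int("".join("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
""".split()), 16)
G = 2


def H(*parts):
    """SHA-256 over a length-delimited encoding of ints, strings and bytes."""
    m = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        m.update(len(b).to_bytes(4, "big") + b)
    return m.digest()


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


# KE1 ingredients: A's long-term key pair and E_A / D_A as hashed ElGamal (assumption).
def long_term_keygen():
    x = secrets.randbits(256)
    return x, pow(G, x, P)


def E_A(pkA, K):
    r = secrets.randbits(256)
    return pow(G, r, P), xor(K, H("elgamal", pow(pkA, r, P)))


def D_A(skA, C):
    c1, c2 = C
    return xor(c2, H("elgamal", pow(c1, skA, P)))


def ke1(pkA, skA):
    """KE1 minus the signatures: B picks K, sends C = E_A(K). Returns (recorded flows, K)."""
    RA, RB = secrets.token_bytes(16), secrets.token_bytes(16)
    K = secrets.token_bytes(32)                    # chosen by B
    C = E_A(pkA, K)                                # travels inside B's signed second flow
    assert D_A(skA, C) == K                        # A recovers K with sk[A]
    return {"RA": RA, "RB": RB, "C": C}, K


def ke2():
    """KE2 minus the signatures: K = H(A, B, g^a, g^b, g^ab). a and b die with this call."""
    a, b = secrets.randbits(256), secrets.randbits(256)
    ga, gb = pow(G, a, P), pow(G, b, P)
    K = H("A", "B", ga, gb, pow(gb, a, P))         # as computed by A
    assert K == H("A", "B", ga, gb, pow(ga, b, P)) # and identically by B
    return {"ga": ga, "gb": gb}, K


def E_K(K, M):
    """Session data C_B = E_K(M): toy keystream derived from K and a fresh nonce (not AEAD)."""
    nonce = secrets.token_bytes(16)
    stream = b"".join(H("stream", K, nonce, i) for i in range((len(M) + 31) // 32))
    return nonce, xor(M, stream)


def D_K(K, CB):
    nonce, body = CB
    stream = b"".join(H("stream", K, nonce, i) for i in range((len(body) + 31) // 32))
    return xor(body, stream)


def after_exposure(recorded, skA):
    """Dec. 18: E learns sk[A] and revisits the Nov. 20 recording. Returns M if it can, else None."""
    if "C" in recorded:                            # KE1: sk[A] opens C, giving K, giving M
        return D_K(D_A(skA, recorded["C"]), recorded["CB"])
    return None                                    # KE2: only g^a, g^b were sent; K needs a or b
```

The recorded dictionaries are exactly what an eavesdropper sees: for KE1 they include C, which sk[A] decrypts at any later time; for KE2 they contain nothing that sk[A] acts on, which is the whole content of "forward secrecy" here.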
Password-based Protocols
• Suppose Alice and Bob share not a cryptographic key but a (human memorizable) password pw.
• They want to use this "long-lived" secret to agree on a session key: password-based authenticated key exchange (PAKE).
• The goal is security against dictionary attacks: the protocol flows should not reveal f(pw) for any public function f, since an adversary holding f(pw) can test candidate passwords offline.
Naive Protocol: Doesn't prevent dictionary attacks

A (holds pw)                                                           B (holds pw)
        ------------------------------ A, g^a ------------------------->
        <------------ B, g^b, τ = MAC_pw(1, A, B, g^a, g^b) -------------
        -------------------- A, MAC_pw(0, A, B, g^a, g^b) ------------->

Session key is K = H(A, B, g^a, g^b, g^ab).
Dictionary attack is possible: Let f be defined by
  f(x) = MAC_x(1, A, B, g^a, g^b)
Then, letting D be the dictionary of candidate passwords, get the target password pw via
  for all pw' ∈ D do
    if f(pw') = τ then return pw'
Everything f needs (A, B, g^a, g^b and τ) is on the wire, so the search runs offline over a recorded transcript; the protocol reveals f(pw) for a public f, exactly what PAKE must avoid.
Better Protocol: Protocol KE4: [BPR00]

A (holds pw)                                                           B (holds pw)
        --------------------------- A, E_pw(g^a) ----------------------->
        <------------ B, E_pw(g^b), H(1, A, B, g^a, g^b, g^ab) ----------
        -------------------- A, H(2, A, B, g^a, g^b, g^ab) ------------->

E : PW × G → G is a block cipher over group G and keyspace PW of all possible passwords; the session key is K = H(0, A, B, g^a, g^b, g^ab).
This has been proven secure against dictionary attack [BPR00].
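The naive protocol, the dictionary attack on it, and a protocol of the KE4 shape, as an added example that is not from the lecture or from [BPR00]. Assumptions not in the slides: the group is RFC 3526 group 14 with 256-bit exponents; MAC is HMAC-SHA256 keyed directly by the password bytes; H is SHA-256 over a tagged transcript; and the block cipher E over G is instantiated as multiplication by a password-derived element of the order-Q subgroup, which is a permutation of G for every pw (the masking used in PAK-type protocols, not the ideal cipher that the [BPR00] analysis assumes). The two attack functions show what an eavesdropper can do offline with a recorded transcript in each case.

```python
"""Offline dictionary attack on the naive MAC protocol, and why it gets nowhere against KE4."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: safe prime P, generator 2 of the subgroup of prime order Q.
P = int("".join("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
""".split()), 16)
Q = (P - 1) // 2
G = 2


def transcript(*parts):
    return b"|".join(str(x).encode() for x in parts)


# Naive protocol: MAC_pw over the public DH values.
def MAC(pw, tag, A, B, ga, gb):
    return hmac.new(pw, transcript(tag, A, B, ga, gb), hashlib.sha256).digest()


def naive_run(pw):
    """Returns (flows as seen on the wire, session key)."""
    a, b = secrets.randbits(256), secrets.randbits(256)
    ga, gb = pow(G, a, P), pow(G, b, P)
    flows = {"A": "A", "B": "B", "ga": ga, "gb": gb,
             "tau": MAC(pw, 1, "A", "B", ga, gb),          # B -> A
             "tau2": MAC(pw, 0, "A", "B", ga, gb)}         # A -> B
    K = hashlib.sha256(transcript("K", "A", "B", ga, gb, pow(gb, a, P))).digest()
    return flows, K


def naive_offline_attack(flows, dictionary):
    """f(x) = MAC_x(1, A, B, g^a, g^b) is computable from the recording alone: try every guess."""
    for guess in dictionary:
        if hmac.compare_digest(MAC(guess, 1, flows["A"], flows["B"], flows["ga"], flows["gb"]),
                               flows["tau"]):
            return guess
    return None


# KE4 shape: E_pw is a permutation of G keyed by the password.
def mask(pw):
    """Password-derived group element; squaring puts it in the order-Q subgroup."""
    x = int.from_bytes(hashlib.sha256(b"mask|" + pw).digest(), "big")
    return pow(x, 2, P)


def E_pw(pw, elem):
    return elem * mask(pw) % P


def D_pw(pw, c):
    return c * pow(mask(pw), -1, P) % P


def Hn(tag, A, B, ga, gb, gab):
    return hashlib.sha256(transcript(tag, A, B, ga, gb, gab)).digest()


def pake_run(pw_A, pw_B=None):
    """Returns (flows, K); raises ValueError when B's confirmation fails (passwords differ)."""
    pw_B = pw_A if pw_B is None else pw_B
    a, b = secrets.randbits(256), secrets.randbits(256)
    ga, gb = pow(G, a, P), pow(G, b, P)
    ca = E_pw(pw_A, ga)                                     # A -> B: A, E_pw(g^a)
    ga_B = D_pw(pw_B, ca)                                   # B's view of g^a
    cb = E_pw(pw_B, gb)
    conf_B = Hn(1, "A", "B", ga_B, gb, pow(ga_B, b, P))     # B -> A: B, E_pw(g^b), H(1, ...)
    gb_A = D_pw(pw_A, cb)                                   # A's view of g^b
    gab_A = pow(gb_A, a, P)
    if not hmac.compare_digest(conf_B, Hn(1, "A", "B", ga, gb_A, gab_A)):
        raise ValueError("confirmation failed: one online password guess burned")
    conf_A = Hn(2, "A", "B", ga, gb_A, gab_A)               # A -> B: A, H(2, ...)
    flows = {"ca": ca, "cb": cb, "conf_B": conf_B, "conf_A": conf_A}
    return flows, Hn(0, "A", "B", ga, gb_A, gab_A)


def pake_offline_attack(flows, dictionary):
    """Every guess decrypts (ca, cb) to a valid pair of subgroup elements, and checking conf_B
    against a guess needs g^ab, i.e. a or b. Returns the guesses that survive: all of them."""
    survivors = []
    for guess in dictionary:
        ga_, gb_ = D_pw(guess, flows["ca"]), D_pw(guess, flows["cb"])
        if pow(ga_, Q, P) == 1 and pow(gb_, Q, P) == 1:     # still in the subgroup: looks honest
            survivors.append(guess)
    return survivors
```

Against the naive protocol the attacker's loop is the f-based search from the previous slide and returns the password. Against the KE4 shape the same recording gives no test: each candidate password yields a perfectly well-formed g^a, g^b, and the only values that depend on pw in a checkable way (the H(1, ...) and H(2, ...) confirmations) also depend on g^ab. The attacker is reduced to online guessing, and a wrong password costs a visible failed run, which is what pake_run's ValueError models.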