Lecture 15 – PKI & Authenticated Key Exchange
COSC-260 Codes and Ciphers, Adam O’Neill
Adapted from http://cseweb.ucsd.edu/~mihir/cse107/
Today
• We will see how signatures are used to create public-key infrastructures and trust in public keys.
• We will study the problem of authenticated session key agreement, which is the core of protocols SSL, SSH, TLS, IPSEC, 802.11 …
Public-key Setting
The public key setting

Alice holds (pk[A], sk[A]); Bob holds only pk[A].

Encryption: Bob computes C ←$ E_pk[A](M) and sends C; Alice recovers M ← D_sk[A](C).
Signatures: Alice computes σ ←$ S_sk[A](M) and sends (M, σ); Bob checks V_pk[A](M, σ) = 1.

Bob can:
• send encrypted data to Alice
• verify her signatures
as long as he has Alice’s public key pk[A].
But how does he get pk[A]?
Mihir Bellare UCSD 2
Naive Attempt
Distributing public keys

How about Alice simply sending her key?

Alice: (pk[A], sk[A]) ←$ K
Alice → Bob: Alice, pk[A]
Then as before: Bob sends C ←$ E_pk[A](M) and Alice recovers M ← D_sk[A](C); Alice sends (M, σ) with σ ←$ S_sk[A](M) and Bob checks V_pk[A](M, σ).

Problem: man-in-the-middle attack. Nothing in the first flow authenticates the key, so an adversary who intercepts it can substitute its own pk[E]; Bob then encrypts to the adversary and accepts the adversary’s signatures as Alice’s.
Certificates & PKI
• Bob needs to obtain an authentic copy of Alice’s public key.
• The public-key infrastructure (PKI) is responsible for this. Usually realized via certificates.
Certificate Process
• Alice generates pk and sends it to the CA (certificate authority)
• CA does identity check
• Alice proves knowledge of secret key to CA
• CA issues certificate to Alice
• Alice sends certificate to Bob
• Bob verifies certificate and extracts Alice’s pk

Local key generation: Alice runs the key generation algorithm of the scheme locally, so the secret key is known only to Alice; only pk is sent to the CA.
Identity check: there needs to be some "out of band" check on Alice’s identity before the CA will bind her name to pk.
Proof of knowledge: in principle a zero-knowledge proof of knowledge of sk. In practice something weaker called a "proof of possession" is typically done: Alice signs a random challenge chosen by the CA under sk.
Certificate Issuance
Once the CA is convinced that pk belongs to Alice it forms a certificate
CERT_A = (CERTDATA, σ),
where σ is the CA’s signature on CERTDATA, computed under the CA’s secret key sk[CA].
CERTDATA:
• pk, ID (Alice)
• Name of CA
• Expiry date of certificate
• Restrictions
• Security level
• ...
The certificate CERT_A is returned to Alice. The CA’s signature is what binds Alice’s identity to her pk; that signed statement is what we call the certificate.
Certificate Usage
Alice can send CERT_A to Bob who will:
• (CERTDATA, σ) ← CERT_A
• Check V_pk[CA](CERTDATA, σ) = 1 where pk[CA] is the CA’s public key
• (pk, Alice, expiry, ...) ← CERTDATA
• Check that the ID in CERTDATA is the identity Bob intends to talk to (a valid certificate for the wrong name proves nothing about Alice)
• Check certificate has not expired
• ...
If all is well we are ready for usage.
Obtaining CA’s PK
Preloaded in your browser.
CA Hierarchies
[hand-drawn tree diagram of a CA hierarchy; not recoverable from the transcript]

Why hierarchies?
• Easier for local CA’s to check identities of local users.
• Reduces workload of individual CA’s.
• Browsers only need to have root PK’s pre-loaded.
Revocation and CRLs
• Revocation needs to happen when e.g. a key is compromised.
• CA maintains and disseminates a list of revoked certificates: the CRL (certificate revocation list). A verifier must consult it in addition to checking the signature and expiry date, since a revoked certificate still carries a valid CA signature.
• Something like 20% of certificates are revoked in practice; this is a big operational problem with public-key crypto!
Session Key Exchange
Session key exchange in the public-key setting

A holds pk[B]; B holds pk[A]. They exchange a few flows and both output a session key K.

Most important type of session key exchange in practice, used in all communication security protocols: SSL, SSH, TLS, IPSEC, 802.11, ...

This is authenticated session key agreement. Security requirements:
• privacy: the adversary cannot distinguish K from random
• authenticity: security against man-in-the-middle attacks
A Basic Protocol
Protocol KE1: Basic Exchange

A (holds pk[B], sk[A])                    B (holds pk[A], sk[B])
A → B: A, R_A
B → A: R_B, C, B, Sign_B(A, B, R_A, R_B, C)    where C ←$ E_A(K)
A → B: A, Sign_A(A, B, R_A, R_B)

Session key K is chosen by B.
R_A, R_B are random nonces.
Sign_P(M) is P’s signature of M under sk[P]. It is verifiable given pk[P].
E_A(·) is encryption under A’s public key pk[A], decryptable using sk[A].
Forward Secrecy
Forward secrecy

A (holds pk[B], sk[A])                    B (holds pk[A], sk[B])
A → B: A, R_A
B → A: R_B, C, B, Sign_B(A, B, R_A, R_B, C)    where C ←$ E_A(K)
A → B: A, Sign_A(A, B, R_A, R_B)
B → A: C_B                                      where C_B ←$ E_K(M)

Nov. 20: Adversary E records the above flows.
Dec. 18: A’s system is compromised and sk[A] exposed.
Dec. 19: A revokes pk[A] so that no further damage is done, but cannot prevent E from computing K ← D_sk[A](C) and then M ← D_K(C_B).

Can we achieve forward secrecy: privacy of communication done prior to exposure of sk[A] is not compromised?
An Improved Protocol
KE2: Adding forward secrecy

A (holds pk[B], sk[A])                    B (holds pk[A], sk[B])
A → B: A, g^a
B → A: g^b, B, Sign_B(A, B, g^a, g^b)
A → B: A, Sign_A(A, B, g^a, g^b)

Session key is K = H(A, B, g^a, g^b, g^ab).
Adversary E records the above flows on Nov. 20. On Dec. 18, sk[A] is exposed. This allows E to forge A’s signatures, but A can address this by revoking pk[A]. But sk[A] does not help E obtain K.
There is no public-key encryption here, only signatures. The exponents a, b are fresh per session and must be erased once K is derived; the long-term key sk[A] is used only to sign, so exposing it later lets E impersonate A in new sessions but not recover old ones.
All standard protocols use DH to get forward secrecy in ways like this.
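The following program is an added example, not part of the lecture or of the Bellare slides it is adapted from. It puts the certificate process (issuance, Bob's checks, expiry, CRL) and protocol KE2 together in one runnable piece: a root CA certifies Alice and Bob, each side checks the other's certificate and signature, and both derive K = H(A, B, g^a, g^b, g^ab). Everything concrete in it is an assumption made for illustration: a toy Schnorr signature scheme stands in for Sign/V, SHA-256 stands in for H, CERTDATA is encoded as JSON, and the group is the 1024-bit MODP prime of RFC 2409 (group 2) with generator 2. A real deployment would use X.509 certificates, a standard signature scheme, and a larger standardised DH group.

```python
# Added example (not from the lecture): toy PKI plus protocol KE2.
# Illustrative assumptions: Schnorr signatures over the RFC 2409 "group 2"
# prime stand in for Sign/V, SHA-256 is H, and CERTDATA is encoded as JSON.
import hashlib
import json
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2): P = 2Q + 1 with Q prime.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2  # generates the order-Q subgroup (P = 7 mod 8, so 2 is a square mod P)

def H(*parts):
    """Hash strings/ints/bytes to an int, length-prefixing each part."""
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

# Toy Schnorr signatures: keygen, Sign_P(M) and V_pk[P](M, sigma).
def keygen():
    sk = rand_exp()
    return sk, pow(G, sk, P)

def sign(sk, msg):
    k = rand_exp()
    e = H(pow(G, k, P), msg) % Q
    return e, (k - sk * e) % Q

def verify(pk, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pk, e, P) % P  # equals g^k for a valid signature
    return H(r, msg) % Q == e

# Certificate issuance: CERT = (CERTDATA, sigma) with sigma = Sign_CA(CERTDATA).
def issue_cert(ca_sk, ca_name, serial, subject, pk, expiry):
    certdata = json.dumps({"serial": serial, "subject": subject, "pk": pk,
                           "issuer": ca_name, "expiry": expiry}, sort_keys=True)
    return certdata, sign(ca_sk, certdata)

# Certificate usage: the verifier's checks from the lecture plus the CRL.
def check_cert(cert, expected_subject, roots, crl, now):
    certdata, sigma = cert
    d = json.loads(certdata)
    ca_pk = roots.get(d["issuer"])  # only preloaded root keys are trusted
    if ca_pk is None or not verify(ca_pk, certdata, sigma):
        raise ValueError("certificate not signed by a trusted CA")
    if d["subject"] != expected_subject:
        raise ValueError("certificate is for a different identity")
    if now > d["expiry"]:
        raise ValueError("certificate expired")
    if (d["issuer"], d["serial"]) in crl:
        raise ValueError("certificate revoked")
    return d["pk"]

# Protocol KE2 (signed Diffie-Hellman).  Both sides run in one function so the
# flows read in order; each side uses only its own long-term secret key.
def ke2(certA, skA, certB, skB, roots, crl, now):
    a = rand_exp()                      # flow 1, A -> B: A, g^a
    ga = pow(G, a, P)
    b = rand_exp()                      # flow 2, B -> A: g^b, B, Sign_B(...)
    gb = pow(G, b, P)
    msg = json.dumps(["Alice", "Bob", ga, gb])
    sigB = sign(skB, msg)
    pkB = check_cert(certB, "Bob", roots, crl, now)    # A checks B's cert ...
    if not verify(pkB, msg, sigB):                     # ... then B's signature
        raise ValueError("B's signature rejected")
    sigA = sign(skA, msg)               # flow 3, A -> B: A, Sign_A(...)
    pkA = check_cert(certA, "Alice", roots, crl, now)  # B checks A likewise
    if not verify(pkA, msg, sigA):
        raise ValueError("A's signature rejected")
    # K = H(A, B, g^a, g^b, g^ab).  The transcript carries no encryption of K
    # and a, b are discarded after use: a later leak of skA only lets E forge
    # new signatures, it does not yield this K.
    kA = H("Alice", "Bob", ga, gb, pow(gb, a, P))
    kB = H("Alice", "Bob", ga, gb, pow(ga, b, P))
    return {"ga": ga, "gb": gb, "sigA": sigA, "sigB": sigB}, kA, kB

def demo(now=1000):
    """Root CA certifies Alice and Bob; they run KE2 and agree on K."""
    ca_sk, ca_pk = keygen()
    skA, pkA = keygen()
    skB, pkB = keygen()
    certA = issue_cert(ca_sk, "RootCA", 1, "Alice", pkA, expiry=2000)
    certB = issue_cert(ca_sk, "RootCA", 2, "Bob", pkB, expiry=2000)
    _, kA, kB = ke2(certA, skA, certB, skB, {"RootCA": ca_pk}, set(), now)
    return kA == kB

if __name__ == "__main__":
    print("KE2 keys agree:", demo())
```

Note the order of checks in ke2: a party verifies the peer's certificate under a preloaded root key, then the peer's signature under the pk extracted from that certificate, and only then uses the peer's g^x. Tampering with CERTDATA, an expired or revoked serial, or a certificate issued to a different name all make check_cert raise before any key material is derived. The hierarchy from the lecture would extend check_cert to walk a chain of intermediate certificates up to a root; the flat version here keeps the example short.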
Password-based Protocols
Password-based authenticated key exchange (PAKE)
• Suppose Alice and Bob share not a cryptographic key but a (human memorizable) password pw.
• They want to use this “long-lived” secret to agree on a session key.
• The goal is security against dictionary attacks: the protocol transcript should not reveal f(pw) for any public function f, since an adversary holding f(pw) could test candidate passwords offline at no cost.
Naive Protocol
Doesn’t prevent dictionary attacks

A (holds pw)                              B (holds pw)
A → B: A, g^a
B → A: B, g^b, σ = MAC_pw(1, A, B, g^a, g^b)
A → B: A, MAC_pw(0, A, B, g^a, g^b)

Session key is K = H(A, B, g^a, g^b, g^ab).
Dictionary attack is possible: Let f be defined by
f(x) = MAC_x(1, A, B, g^a, g^b)
where A, B, g^a, g^b are all visible in the transcript, so f is public. Then, letting D be the dictionary of candidate passwords, get the target password pw via
for all pw′ ∈ D do
  if f(pw′) = σ then return pw′
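The attack above, as an added example that is not part of the lecture: the naive protocol is run honestly, and an adversary who sees only the transcript recovers pw by evaluating f over a dictionary. HMAC-SHA256 as MAC_pw, SHA-256 as H, the RFC 2409 group 2 prime as the DH group, and the password list are all constructed assumptions for the demonstration.

```python
# Added example (not from the lecture): the naive password-based protocol
# and the offline dictionary attack against it.  HMAC-SHA256 as MAC_pw, the
# RFC 2409 group 2 prime, and the password list are illustrative assumptions.
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2): P = 2Q + 1 with Q prime.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2

def encode(*parts):
    """Length-prefixed encoding of a tuple such as (1, A, B, g^a, g^b)."""
    out = b""
    for x in parts:
        b = str(x).encode()
        out += len(b).to_bytes(4, "big") + b
    return out

def mac(pw, *parts):
    """MAC_pw(parts) as used in the naive protocol (HMAC-SHA256 assumed)."""
    return hmac.new(pw.encode(), encode(*parts), hashlib.sha256).digest()

def naive_protocol(pw, A="Alice", B="Bob"):
    """Run the three flows honestly; return the public transcript and K."""
    a = secrets.randbelow(Q - 1) + 1          # A -> B: A, g^a
    ga = pow(G, a, P)
    b = secrets.randbelow(Q - 1) + 1          # B -> A: B, g^b, sigma
    gb = pow(G, b, P)
    sigma = mac(pw, 1, A, B, ga, gb)
    if not hmac.compare_digest(sigma, mac(pw, 1, A, B, ga, gb)):  # A's check
        raise ValueError("B's MAC rejected")
    tau = mac(pw, 0, A, B, ga, gb)            # A -> B: A, tau
    K = hashlib.sha256(encode(A, B, ga, gb, pow(gb, a, P))).digest()
    transcript = {"A": A, "B": B, "ga": ga, "gb": gb, "sigma": sigma, "tau": tau}
    return transcript, K

def dictionary_attack(transcript, dictionary):
    """Offline: f(x) = MAC_x(1, A, B, g^a, g^b) needs only public values."""
    t = transcript
    f = lambda x: mac(x, 1, t["A"], t["B"], t["ga"], t["gb"])
    for guess in dictionary:
        if hmac.compare_digest(f(guess), t["sigma"]):
            return guess
    return None

def impersonate_A(pw, transcript):
    """With pw recovered, Eve can produce A's third flow herself."""
    t = transcript
    return mac(pw, 0, t["A"], t["B"], t["ga"], t["gb"]) == t["tau"]

# Constructed dictionary for the demonstration; real lists are far larger.
DICTIONARY = ["password", "letmein", "qwerty", "hunter2", "correct horse"]

if __name__ == "__main__":
    tr, _ = naive_protocol("hunter2")   # "hunter2" is the constructed target
    print("recovered password:", dictionary_attack(tr, DICTIONARY))
```

The attack costs one MAC per candidate and needs no interaction with Alice or Bob, which is exactly the situation the PAKE goal rules out: nothing in the transcript may be a public function of pw alone. Note that the Diffie-Hellman part is irrelevant to the attack; the leak is the MAC, not the exponentials.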
Better Protocol
Protocol KE4: [BPR00]

A (holds pw)                              B (holds pw)
A → B: A, E_pw(g^a)
B → A: B, E_pw(g^b), H(1, A, B, g^a, g^b, g^ab)
A → B: A, H(2, A, B, g^a, g^b, g^ab)

E: PW × G → G is a block cipher over the group G with keyspace PW of all possible passwords; the session key is K = H(0, A, B, g^a, g^b, g^ab).
Decrypting E_pw(g^a) under a wrong password guess yields some other group element that is just as plausible as a value g^a′, so a transcript alone gives the adversary no way to test a guess; each guess now costs an online interaction with a party.
This has been proven secure against dictionary attacks [BPR00].