Lecture 15 – PKI & Authenticated Key Exchange
COSC-260 Codes and Ciphers, Adam O’Neill
Adapted from http://cseweb.ucsd.edu/~mihir/cse107/

Post on 19-Jul-2020

Slides: people.cs.georgetown.edu/~adam/sp16260/cs260-lec15.pdf



Today

• We will see how signatures are used to create public-key infrastructures and trust in public keys.

• We will study the problem of authenticated session key agreement, which is the core of protocols such as SSL, SSH, TLS, IPSEC, 802.11, …


The public-key setting

Alice holds sk[A]; Bob holds pk[A].

Encryption: Bob computes C ←$ E_pk[A](M) and sends C; Alice recovers M ← D_sk[A](C).

Signatures: Alice computes σ ←$ S_sk[A](M) and sends (M, σ); Bob checks V_pk[A](M, σ).

Bob can:

• send encrypted data to Alice

• verify her signatures

as long as he has Alice’s public key pk[A].

But how does he get pk[A]?

Mihir Bellare UCSD 2


Naive attempt: distributing public keys

How about:

Alice generates (pk[A], sk[A]) ←$ K and sends "Alice, pk[A]" to Bob, after which they proceed as before:

Bob computes C ←$ E_pk[A](M) and sends C; Alice recovers M ← D_sk[A](C).

Alice computes σ ←$ S_sk[A](M) and sends (M, σ); Bob checks V_pk[A](M, σ).


Problem: man-in-the-middle attack.


Certificates & PKI

• Bob needs to obtain an authentic copy of Alice’s public key.

• The public-key infrastructure (PKI) is responsible for this. Usually realized via certificates.


Certificate process

• Alice generates pk and sends it to CA

• CA does identity check

• Alice proves knowledge of secret key to CA

• CA issues certificate to Alice

• Alice sends certificate to Bob

• Bob verifies certificate and extracts Alice’s pk

CA = certificate authority.

Local key generation: Alice runs the key generation of the scheme locally, so the secret key is known only to Alice.


Identity check: Alice sends pk to the CA; there needs to be some "out of band" check on Alice’s identity.


Proof of knowledge: zero-knowledge proofs of knowledge. In practice something weaker, called a "proof of possession", is typically done: a signature on a random challenge.


Certificate issuance

Once the CA is convinced that pk belongs to Alice it forms a certificate

CERT_A = (CERTDATA, σ),

where σ is the CA’s signature on CERTDATA, computed under the CA’s secret key sk[CA].

CERTDATA:

• pk, ID(Alice)

• Name of CA

• Expiry date of certificate

• Restrictions

• Security level

• ...

The certificate CERT_A is returned to Alice.

The CA vouches for her pk via a signature; this is what is called the certificate.


Certificate usage

Alice can send CERT_A to Bob, who will:

• parse (CERTDATA, σ) ← CERT_A

• check V_pk[CA](CERTDATA, σ) = 1, where pk[CA] is the CA’s public key

• parse (pk, Alice, expiry, . . .) ← CERTDATA

• check that the certificate has not expired

• . . .

If all is well we are ready for usage.


Obtaining the CA’s pk: it is preloaded in your browser.


CA hierarchies (slide shows a tree of CAs; diagram not recoverable from the transcript)


Why hierarchies?

• Easier for local CAs to check identities of local users.

• Reduces workload of individual CAs.

• Browsers only need to have root PKs pre-loaded.


Revocation and CRLs

• Revocation needs to happen when e.g. a key is compromised.

• CA maintains and disseminates a list of revoked certificates: the CRL (certificate revocation list).

• Something like 20% of certificates are revoked in practice — big problem with public-key crypto!
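As an added example (not from the slides or the course), here are the issuance and usage steps above in Go, with Ed25519 as the CA’s signature scheme, JSON as the CERTDATA encoding, and the CRL lookup folded into Bob’s checks; the field names and the revoked map are my own choices.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// CertData is CERTDATA: the subject's public key, identity, issuing CA and expiry.
type CertData struct {
	PK     []byte    `json:"pk"`
	ID     string    `json:"id"`
	CA     string    `json:"ca"`
	Expiry time.Time `json:"expiry"`
}

// Cert is CERT_A = (CERTDATA, sigma), sigma being the CA's signature on CERTDATA.
type Cert struct {
	Data CertData
	Sig  []byte
}

// encode is the byte string the CA signs; json.Marshal cannot fail on CertData.
func encode(d CertData) []byte { b, _ := json.Marshal(d); return b }

// Issue is the CA's step, run only after the identity check and proof of possession.
func Issue(caSK ed25519.PrivateKey, data CertData) Cert {
	return Cert{Data: data, Sig: ed25519.Sign(caSK, encode(data))}
}

// Verify is Bob's step: V_pk[CA](CERTDATA, sigma) = 1, CA name, identity, expiry
// and the CRL (revoked is keyed by the raw public key), then extract the pk.
func Verify(caPK ed25519.PublicKey, caName, wantID string, c Cert,
	now time.Time, revoked map[string]bool) (ed25519.PublicKey, error) {
	if !ed25519.Verify(caPK, encode(c.Data), c.Sig) {
		return nil, errors.New("CA signature on CERTDATA does not verify")
	}
	if c.Data.CA != caName || c.Data.ID != wantID {
		return nil, errors.New("certificate is for a different CA or identity")
	}
	if !now.Before(c.Data.Expiry) {
		return nil, errors.New("certificate has expired")
	}
	if revoked[string(c.Data.PK)] {
		return nil, errors.New("certificate appears on the CRL")
	}
	return ed25519.PublicKey(c.Data.PK), nil
}
```

Note that every check runs against the signed CERTDATA, so a forged identity, a wrong CA key, an expired certificate and a revoked key are all rejected before Bob ever uses the extracted pk.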


Session key exchange in the public-key setting

A, holding pk[B], and B, holding pk[A], exchange messages, and at the end both hold a session key K.

Most important type of session key exchange in practice, used in all communication security protocols: SSL, SSH, TLS, IPSEC, 802.11, ...

Also called authenticated session key agreement.


Security:

• privacy: the adversary cannot distinguish K from random;

• authenticity: security against man-in-the-middle attacks.


Protocol KE1: basic exchange

A (holding pk[B]) and B (holding pk[A]):

A → B: A, R_A

B → A: R_B, C, B, Sign_B(A, B, R_A, R_B, C), where C ←$ E_A(K)

A → B: A, Sign_A(A, B, R_A, R_B)

Session key K is chosen by B. R_A, R_B are random nonces.

Sign_P(M) is P’s signature of M under sk[P]. It is verifiable given pk[P].

E_A(·) is encryption under A’s public key pk[A], decryptable using sk[A].


Forward secrecy

A (holding pk[B]) and B (holding pk[A]) run KE1 and then use K:

A → B: A, R_A

B → A: R_B, C, B, Sign_B(A, B, R_A, R_B, C), where C ←$ E_A(K)

A → B: A, Sign_A(A, B, R_A, R_B)

B → A: C_B, where C_B ←$ E_K(M)

Nov. 20: Adversary E records the above flows.
Dec. 18: A’s system is compromised and sk[A] exposed.
Dec. 19: A revokes pk[A] so that no further damage is done, but cannot prevent E from computing K ← D_sk[A](C); M ← D_K(C_B).

Can we achieve forward secrecy: privacy of communication done prior to exposure of sk[A] is not compromised?


Protocol KE2: adding forward secrecy

A (holding pk[B]) and B (holding pk[A]):

A → B: A, g^a

B → A: g^b, B, Sign_B(A, B, g^a, g^b)

A → B: A, Sign_A(A, B, g^a, g^b)

Session key is K = H(A, B, g^a, g^b, g^ab).

Adversary E records the above flows on Nov. 20. On Dec. 18, sk[A] is exposed. This allows E to forge A’s signatures, but A can address this by revoking pk[A]. But sk[A] does not help E obtain K.

There is no public-key encryption here, only signatures.

All standard protocols use DH to get forward security in ways like this.
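As an added example (not from the slides or the course), KE2 in Go: Ed25519 plays Sign_P, X25519 stands in for the group G (so g^a and g^b are 32-byte X25519 public values), SHA-256 plays H, and the length-prefixed transcript encoding is my own choice. Each side calls Ephemeral, then Sign on the transcript, then Finish on the peer’s signature; the long-lived signing key never enters K.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// transcript encodes (A, B, g^a, g^b) with one-byte length prefixes so the signed
// string is unambiguous (assumes names shorter than 256 bytes; keys are 32 bytes).
func transcript(a, b string, ga, gb []byte) []byte {
	var t []byte
	for _, f := range [][]byte{[]byte(a), []byte(b), ga, gb} {
		t = append(t, byte(len(f)))
		t = append(t, f...)
	}
	return t
}

// Ephemeral picks a fresh exponent for one run; PublicKey().Bytes() is g^a (or g^b).
func Ephemeral() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// Sign is Sign_P(A, B, g^a, g^b) under P's long-lived signing key sk[P].
func Sign(sk ed25519.PrivateKey, a, b string, ga, gb []byte) []byte {
	return ed25519.Sign(sk, transcript(a, b, ga, gb))
}

// Finish verifies the peer's signature on the transcript and derives
// K = H(A, B, g^a, g^b, g^ab); sk[P] never enters K, only the ephemeral eph does.
func Finish(peerPK ed25519.PublicKey, sig []byte, a, b string, ga, gb []byte,
	eph *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	t := transcript(a, b, ga, gb)
	if !ed25519.Verify(peerPK, t, sig) {
		return nil, errors.New("peer signature on (A, B, g^a, g^b) does not verify")
	}
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	gab, err := eph.ECDH(pub) // g^ab; discard eph after this so it cannot be exposed later
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(append(t, gab...))
	return k[:], nil
}
```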



Password-based protocols (password-based authenticated key exchange, PAKE)

• Suppose Alice and Bob share not a cryptographic key but a (human memorizable) password pw.

• They want to use this “long-lived” secret to agree on a session key.

• The goal is security against dictionary attacks: the flows should not reveal f(pw) for any public function f.


Naive protocol: doesn’t prevent dictionary attacks

A and B both hold pw:

A → B: A, g^a

B → A: B, g^b, σ = MAC_pw(1, A, B, g^a, g^b)

A → B: A, MAC_pw(0, A, B, g^a, g^b)

Session key is K = H(A, B, g^a, g^b, g^ab).

Dictionary attack is possible: let f be defined by

f(x) = MAC_x(1, A, B, g^a, g^b).

Then, letting D be the dictionary of candidate passwords, get the target password pw via

for all pw' ∈ D do
  if f(pw') = σ then return pw'
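As an added example (not from the slides or the course), the naive protocol’s tag and the loop above in Go, with HMAC-SHA256 as the MAC and constructed g^a, g^b values; it makes concrete why σ on the wire is exactly an f(pw) that the definition forbids: it lets every candidate in D be tested offline with no further interaction.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
)

// tag is MAC_pw(flag, A, B, g^a, g^b) with HMAC-SHA256 as the MAC; fields are
// length-prefixed so the encoding is unambiguous (names assumed < 256 bytes).
func tag(pw string, flag byte, a, b string, ga, gb []byte) []byte {
	m := hmac.New(sha256.New, []byte(pw))
	for _, f := range [][]byte{{flag}, []byte(a), []byte(b), ga, gb} {
		m.Write([]byte{byte(len(f))})
		m.Write(f)
	}
	return m.Sum(nil)
}

// offlineGuess is the slide's loop: f(x) = MAC_x(1, A, B, g^a, g^b) depends only on
// values visible on the wire, so each candidate in D is checked against the
// observed sigma with no further interaction. Returns "" when nothing matches.
func offlineGuess(dict []string, sigma []byte, a, b string, ga, gb []byte) string {
	for _, cand := range dict {
		if hmac.Equal(tag(cand, 1, a, b, ga, gb), sigma) {
			return cand
		}
	}
	return ""
}
```

The DH values do not help here, since they are public and the MAC key is the only secret; KE4 below removes this by never exposing a pw-keyed value that can be recomputed from public data.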


Protocol KE4: a better protocol [BPR00]

A and B both hold pw:

A → B: A, E_pw(g^a)

B → A: B, E_pw(g^b), H(1, A, B, g^a, g^b, g^ab)

A → B: A, H(2, A, B, g^a, g^b, g^ab)

E: PW × G → G is a block cipher over the group G with keyspace PW of all possible passwords; the session key is K = H(0, A, B, g^a, g^b, g^ab).

This has been proven secure against dictionary attack [BPR00].
