Key Establishment Protocols

1
Key Establishment Protocols

• by
• Frode Ørbeck Hansen

2
Suggested reading

• Chapter 12 (p489-p542) in Handbook of Applied
  Cryptography (A. Menezes, P. van Oorschot, and S.
  Vanstone, CRC Press, 1996.)
• Chapter 8 (p258-p281) in Cryptography Theory and
  Practice (D. Stinson, CRC Press, 1995)
• Key Management Standards http//csrc.nist.gov/encr
  yption/kms/

3
Contents in Brief

• Classification and framework
• Key transport based on symmetric encryption
• Key agreement based on symmetric techniques
• Key transport based on public-key encryption
• Key agreement based on asymmetric techniques
• Secret Sharing
• Conference Keying
• Analysis of Key Establishment Protocols

4
Classification and framework

• Key establishment a shared secret becomes
  available to two or more parties, for subsequent
  cryptographic use.
• Key transport protocol
• one party creates, and securely transfers a
  secret value to the other (s)
• Key agreement protocol
• a shared secret is derived by two (or more)
  parties as a function of information that is
  exchanged between the parties involved

5
Classification and framework

• Key pre-distribution scheme
• established keys are completely determined a
  priori by initial keying material
• Dynamic key establishment scheme
• established keys varies on subsequent execution
• immune to known-key attack
• Trusted servers
• trusted third party, trusted server,
  authentication server, key distribution
  center(KDC), key translation center (KTC),
  certification authority (CA)
• ? for initial system setup and/or on-line actions

6
Classification and framework

• (implicit) Key authentication
• one party is assured that no other party aside
  from a identified second party may gain access to
  a secret key
• independent of the actual possession of such key
  by the second party, or knowledge of such actual
  possession by the first party
• Key confirmation
• one party is assured that a second party actually
  has possession of a particular secret key

7
Classification and framework

• Explicit key authentication
• implicit key authentication key confirmation
• Session key
• ephemeral secret
• motivations
• to limit available cipher text attack
• to limit exposure
• to avoid long-term storage of secret keys
• to create independence across sessions or
  applications

8
Contents

• Classification and framework
• Key transport based on symmetric encryption
• Key agreement based on symmetric techniques
• Key transport based on public-key encryption
• Key agreement based on asymmetric techniques
• Secret Sharing
• Conference Keying
• Analysis of Key Establishment Protocols

9
Key transport based on sym. encryption
10
Symmetric key transport and derivation without a
server

• Sharing of a long-term secret or not
• (i) Point to point key update based on key
  transport (share a priori key)
• A ? B EK(rA, tA, B) (one pass)
• rA session key
• Dont offer perfect forward secrecy
• If the long-term K is compromised the above
  protocol fails completely
• (ii) Point to point key update by key derivation
  (share a priori key)
• The derived session key is based on per-session
  random input provided by one party
• A? B rA (session key EK(rA))
• (iii) Key transport without a priori shared keys
• Key establishment over an open channel without
  shared or public keys

Prevent message replay attacks
Key freshness
11
Kerberos and related server-based protocols

• The entities share a long term pairwise secret
  with the server
• The server plays the role of a KDC or KTC
• Needham-Schroeder protocol (historical
  importance)
• Basis protocol for several other server related
  protocols (e.g. Kerberos)
• Entity authentication (A to B)
• Key establishment with key confirmation
• Protocol Messages
• A?T A, B, NA (1)
• A?T EKAT (NA, B, k, EKBT (k, A)) (2)
• A?B EKBT (k, A) (3) (A can
  securely cache this data if re-use of k is
  acceptable)
• A?B Ek (NB) (4)
• A?B Ek (NB - 1) (5)
• REMARK B has no way of knowing if the key k is
  fresh ? if k is compromised, any party knowing it
  may resend message (3) and compute message (5).
  This particular situation is improved in the
  Kerberos protocol by a lifetime parameter that
  limits exposure to a fixed time interval.

Entity authentication
12
Kerberos and related server-based protocols

• Kerberos authentication protocol
• Client A interact with trusted server T and
  verifier B
• Entity authentication of A to B (optionally
  mutual)
• Protocol Messages
• A?T A, B, NA (1)
• A?T EKBT (k, A, L), EKAT (k, NA, L, B) (2)
• A?B EKBT (k, A, L), Ek (A, TA, Asubkey) (3)
• A?B Ek (TA, Bsubkey) (4) (Optional for
  mutual authentication)
• NA nonce chosen by A
• TA time stamp
• k session key chosen by T
• L lifetime

13
Contents

• Classification and framework
• Key transport based on symmetric encryption
• Key agreement based on symmetric techniques
• Key transport based on public-key encryption
• Key agreement based on asymmetric techniques
• Secret Sharing
• Conference Keying
• Analysis of Key Establishment Protocols

14
Key agreement based on sym. technique

• Key distribution system(KDS)
• a method whereby a trusted server generates and
  distributes secret data values to users
• key pre-distribution scheme
• unconditional security(perfect security)
• large amount of storage required (n2 - problem)
• k-secure KDS
• if any coalition of k or fewer users can do no
  better at computing the key shared by the two
  than a party which guesses the key without any
  pieces
• unconditionally secure against size k or smaller

15
Key agreement based on sym. technique

• Bloms scheme
• Each user is assigned a vector of initial secret
  keying material ? compute a pair wise secret key
  KU,V KV,U
• Example
• OHP