Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology...
-
Upload
jasmine-bradley -
Category
Documents
-
view
237 -
download
3
Transcript of Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology...
Chapter 9 Cryptographic Protocol
Cryptography-Principles and PracticeHarbin Institute of TechnologySchool of Computer Science and Technology
Zhijun Lihttp://cst.hit.edu.cn/~lizhijun
Zhijun Li S1034040/Autumn08/HIT 2
Outline
• Structure of Cryptographic Protocol
• Cryptographic Protocols– Key Establishment Protocols– Authentication Protocols
• Zero Knowledge Protocol
Zhijun Li S1034040/Autumn08/HIT 3
Protocol Review
• Protocol: – Rules that detail the interaction between parties in a
communication
• Note:– A series of steps – At least two Parties (normally 2 or 3 parties) – In Communication
• Cryptographic protocol:– Using cryptography for security
Zhijun Li S1034040/Autumn08/HIT 4
Requirements of Protocol
• Every parties know the steps to complete the protocol primarily
• Every parties must follow the protocol
• Each step must be defined explicitly and can not be misunderstood
• The protocol must be complete, and define the actions for every possible cases
Zhijun Li S1034040/Autumn08/HIT 5
Arbitration Protocol
• Note:– The protocol can work only with arbitrator– Arbitrator is always trusted (condition)
– Example: Alice car Lawyer; Bob money Lawyer; Lawyer money Alice; Lawyer car Bob;
Alice Bob
TrentArbitrator
Zhijun Li S1034040/Autumn08/HIT 6
Verdict Protocol
• Note:– The protocol work without judge– Verdict is introduced if disputation arisen
– Example: Alice, Bob self Lawyer; Bob evidence Lawyer; Alice evidence Lawyer; Judge decide
Alice Bob Trent
JudgeEvidence Evidence
Zhijun Li S1034040/Autumn08/HIT 7
Self-enforcing Protocol
• Note:– The protocol work only with Alice and Bob– Security is assured by protocol design
– Example: Alice A Bob; Bob B Alice; Alice compute; Bob compute; Alice AB Bob; Bob BA Alice;
Alice Bob
Zhijun Li S1034040/Autumn08/HIT 8
Attack to the Protocol
• Passive attack– Can eavesdrop the information in communication– Can eavesdrop the information in computer
• Active attack– Can modify the information in communication– Can modify the information in computer
– Can personate the parties – Some parties may not abide the protocol
Zhijun Li S1034040/Autumn08/HIT 9
Outline
• Structure of Cryptographic Protocol
• Cryptographic Protocols– Key Establishment Protocols– Authentication Protocols
• Zero Knowledge Protocol
Zhijun Li S1034040/Autumn08/HIT 10
Key Establishment Protocols
• Key distribution protocols– Distributed by a trusted authority (TA)– Example: Needham-Schroeder protocol
• Key agreement protocols– Key can be established without TA – Example: Diffie-Hellman key agreement protocol
Zhijun Li S1034040/Autumn08/HIT 11
Needham-Schroeder Protocol
• Alice Trent: A, B, RA
– A is Alice’s name, B is the name of Bob, RA is a random number
• Trent Alice: EA(RA, B, K, EB(K, A)) – K is the session key
– EA and EB is the encryption using A’s key and B’s key
• Alice Bob: EB(K, A)– After decrypt above message
• Bob Alice : EK(RB)
– RB is a random number
• Alice Bob: EB(RB-1)
• Bob verify the RB -1
Zhijun Li S1034040/Autumn08/HIT 12
Needham-Schroeder Remark
• RA,RB, and RB-1 can prevent replay attack
• BUT Mallory can store old K– Mallory Bob: EB(K, A)– Bob “Alice”(Mallory) : EK(RB)
• RB is a random number
– Mallory Bob: EB(RB-1)– Bob verify the RB -1– Mallory can impersonate the Alice
Zhijun Li S1034040/Autumn08/HIT 13
Otway-Rees Protocol
• Idea: add timestamp
• Alice Bob: I, A, B, EA(RA, I, A, B) – I the index number
• Bob Trent: I, A, B, EA(RA, I, A, B), EB(RA, I, A, B)• Trent Bob: I, EA(RA, K), EB(RB, K)
– After decrypt above message
• Bob Alice : I, EA(RA, K)– RB is a random number
• Alice verify the I and RB
Zhijun Li S1034040/Autumn08/HIT 14
Diffie-Hellman key Agreement
• Exchanging secret key over public channel • Key Exchange protocol
– Select public parameters p, and n• p is prime and is of order n in Zp
*
– Alice selects random b privately and
Alice Bob [b mod p] – Bob selects random c privately and
Bob Alice [c mod p] – Alice and Bob compute bc mod p (shared secret key)
Bob, Alice’s key is bc
Zhijun Li S1034040/Autumn08/HIT 15
Example of DH Exchange
• Global known P=2147483659 and =2
• Alice choose b=12345 and send Bob [B=b mod p=428647416]• Bob choose c=654323 and send Alice [C=c mod p=450904856]• Alice compute the secret key as Cb mod p=1333327162• Bob compute the secret key as Bc mod p=1333327162
• So the secret key between Alice and Bob is 1333327162
Zhijun Li S1034040/Autumn08/HIT 16
Security of DH
• Security of the Diffie-Hellman key exchange protocol based on the CDH problem
• Computational Diffie-Hellman (CDH)– Given group (G, *), an element g with order
q, given gx and gy, find gxy
• DLP is at least as hard as CDH• Solves CDH can be used to decrypt ElGamal
Zhijun Li S1034040/Autumn08/HIT 17
CDH and ElGamal
• Any algorithm that solves CDH can be used to decrypt ElGamal ciphertexts
• Intuition: – Decrypt (c1=gk,c2= mk) is equivalent to compute k
– Knows c1=gk, =ga, and needs to compute gka
• Proof: – Assume that algorithm OracleCHD solves CDH– Let (c1, c2) be an ElGamal ciphertext– Let = ga, c2 = gk mod p, c2= m(ga)k mod p– y = OracleCDH(g, , c1)– m = c2y-1
Zhijun Li S1034040/Autumn08/HIT 18
Man-in-the-middle Attack
• There is a Man in the middle attack• Need to be careful who you are agreeing a key
withAlice BobEvea ga
gm m
n gn
gb b
gamgam
gbngbn
Zhijun Li S1034040/Autumn08/HIT 19
Diffie-Hellman is NOT Enough
• How does Alice know who she is agreeing a key with, is it Bob or Eve?
• Using signature:– Alice signs her message to Bob– Bob signs his message to Alice– In that way both parties know who they are
talking to
Zhijun Li S1034040/Autumn08/HIT 20
For Public Key Establishment
• Above is private key establishment• For public key establishment:
– Intuition: the distribution of public is secure– But: there is man-in-the-middle attack
Alice BobMalloryKPA KPA
KPM KPM
KPB KPB
KPM KPM
KDC
Zhijun Li S1034040/Autumn08/HIT 21
Interlock Protocol
• Alice Bob: KPA • Bob Alice: KPB
• Alice Bob: Half1(EKPB(M))
– After decrypt above message
• Bob Alice : Half1(EKPA(M))
• Alice Bob: Half2(EKPB(M))
• Bob combine the Half1 and Half2 and decrypt
• Bob Alice : Half2(EKPA(M))
• Alice combine the Half1 and Half2 and decrypt
Zhijun Li S1034040/Autumn08/HIT 22
Outline
• Structure of Cryptographic Protocol
• Cryptographic Protocols– Key Establishment Protocols– Authentication Protocols
• Zero Knowledge Protocol
Zhijun Li S1034040/Autumn08/HIT 23
Authentication Protocol
• Goal: two parties authenticate each other
• Example: – Alice want to login into a computer
• Hashing + salt• SKEY
– Alice and Bob want to authenticate each other• SKID (MAC) Protocol• DASS Protocol
Zhijun Li S1034040/Autumn08/HIT 24
SKEY
• Computer compute f(R), f(f(R)), … 100 times • In computer’s database: Alice+x101
• Alice store x1, x2, x3 , …, x100
• 1th login: – Alice input her name and x100
– Computer compute f(x100)
– Computer replace the x101 by x100 in database
– Alice delete x100 from her list
• 2th login:– Alice input the last xi in her list
Zhijun Li S1034040/Autumn08/HIT 25
SKID
• Alice Bob: RA – RA is Random number
• Bob Alice: RB, HK(RA, RB, B) – HK is the MAC
• Alice compute HK(RA, RB, B) and check – At this step, Alice can authenticate Bob
• Alice Bob: HK(RB, A) • Bob compute HK(RB, A) and check
– At this step, Bob can authenticate Alice– Also exist man-in-the-middle attack
Zhijun Li S1034040/Autumn08/HIT 26
DASS
• DASS: Distributed Authentication Security Service• Alice Trent: B
• Trent Alice: KPB, SigKST(B, KPB)
• Alice Bob: EK(TA), EKPB(L, A, KPP), SigKSA
(L, A, KPP), EKPB
(K), SigKSP(EKPB
(K)) – K is the session key; TA is the timestamp; L is the life of key, KPP/KSP
are a pair of public/private key
• Bob Trent: A
• Trent Alice: KPA, SigKST(A, KPA)
• Bob verifies them• Bob Alice: EK(TB)• Alice check TB
Zhijun Li S1034040/Autumn08/HIT 27
Outline
• Structure of Cryptographic Protocol
• Cryptographic Protocols– Key Establishment Protocols– Authentication Protocols
• Zero Knowledge Protocol
Zhijun Li S1034040/Autumn08/HIT 28
Zero Knowledge Protocol
• Motivation:– When Alice authenticates to a server, she gives her p
assword, but the server can then impersonate her– Alice can prove her is “Alice”, but she gives the comp
uter zero knowledge– Zero-knowledge protocol:
• Allows a prover to prove that he posses a secret without revealing any information when verifying
– Normally use challenge-response protocol
Zhijun Li S1034040/Autumn08/HIT 29
Zero Knowledge Proof of Identity
• Alice’s secret key is the function of her “Identity”– Through zero-knowledge proof, she can prov
e that she knows her secret key– Fiat-Shamir Identity Protocol
Zhijun Li S1034040/Autumn08/HIT 30
Fiat-Shamir Identity Protocol
• System parameter: n=pq• Public identity: v (v is a quadratic residue mod n)• Private authenticator: ssqrt(v-1) mod n• Protocol (repeat t times):
– Alice picks random r in Zn*– Alice Bob: x=r2 mod n – Bob checks x0– Bob Alice: random c in {0,1} – Bob Alice: y, if c=0, y=r; if c=1, y=rs mod n– Bob accept: if c=0, x=r2 mod n; if c=1, xy2v mod n
Identity
Know Identity
Zhijun Li S1034040/Autumn08/HIT 31
Security Fiat-Shamir Protocol
• If Alice does not know s, she can cheat Bob with prob. ½– t times: the probability is 1/2t
• r can not be used twice– If used, Bob may be compute the s by s=r-1y – Not zero-knowledge
• Bob can impersonate Alice with prob. ½– t times: the probability is 1/2t
Zhijun Li S1034040/Autumn08/HIT 32
Parallel Fiat-Shamir Protocol
• System parameter: n=pq• Public identity: v1,…,vk(vi is a quadratic residue m
od n)• Private authenticator: sisqrt(vi
-1) mod n• Protocol (repeat t times):
– Alice picks random r in Zn*– Alice Bob: x=r2 mod n – Bob checks x0– Bob Alice: a random {0,1} bit string b0,b1,…,bk
– Bob Alice: y=r(s1b1s2
b2…skbk) mod n
– Bob accept: if xy2 (v1b1v2
b2…vkbk) mod n
Zhijun Li S1034040/Autumn08/HIT 33
Fiat-Shamir Protocol Example
• N=35=57
– Alice Bob: x=r2=162 mod 35 =11– Bob Alice: {0,1} string {1, 1, 0, 1} – Bob Alice: y=16(31419081) mod 35 = 31– Bob accept: if 11 312 (41111160291) mod 35
v v-1 s=sqrt(v-1)
4 9 3
11 16 4
16 11 9
29 29 8
Zhijun Li S1034040/Autumn08/HIT 34
Summary
• Structure of Cryptographic Protocol– Arbitration Protocol – Verdict Protocol– Self-enforcing Protocol
• Cryptographic Protocols– Key Establishment Protocols– Authentication Protocols– Zero Knowledge Protocol