Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li http://cst.hit.edu.cn/~lizhijun [email protected]


Chapter 9 Cryptographic Protocol

Cryptography-Principles and Practice
Harbin Institute of Technology
School of Computer Science and Technology

Zhijun Li
http://cst.hit.edu.cn/~lizhijun

[email protected]


Zhijun Li S1034040/Autumn08/HIT 2

Outline

• Structure of Cryptographic Protocol
• Cryptographic Protocols
  – Key Establishment Protocols
  – Authentication Protocols
• Zero Knowledge Protocol


Protocol Review

• Protocol:
  – Rules that detail the interaction between parties in a communication
• Note:
  – A series of steps
  – At least two parties (normally 2 or 3 parties)
  – In communication
• Cryptographic protocol:
  – Using cryptography for security


Requirements of Protocol

• Every party knows, in advance, the steps needed to complete the protocol
• Every party must follow the protocol
• Each step must be defined explicitly and cannot be misunderstood
• The protocol must be complete and define the action for every possible case


Arbitration Protocol

• Note:
  – The protocol can work only with an arbitrator
  – The arbitrator is always trusted (condition)
  – Example: Alice → Lawyer: car; Bob → Lawyer: money; Lawyer → Alice: money; Lawyer → Bob: car

[Figure: Alice and Bob connected through Trent, the arbitrator]


Verdict Protocol

• Note:
  – The protocol works without a judge
  – A verdict is introduced only if a dispute arises
  – Example: Alice, Bob self Lawyer; Bob → Lawyer: evidence; Alice → Lawyer: evidence; Judge decides

[Figure: Alice and Bob, with Trent as the judge receiving evidence from each of them]


Self-enforcing Protocol

• Note:
  – The protocol works with only Alice and Bob
  – Security is assured by the protocol design
  – Example: Alice → Bob: A; Bob → Alice: B; Alice computes; Bob computes; Alice → Bob: AB; Bob → Alice: BA

[Figure: Alice and Bob communicating directly]


Attacks on the Protocol

• Passive attack
  – Can eavesdrop on the information in communication
  – Can eavesdrop on the information in the computer
• Active attack
  – Can modify the information in communication
  – Can modify the information in the computer
  – Can impersonate the parties
  – Some parties may not abide by the protocol


Key Establishment Protocols

• Key distribution protocols
  – Distributed by a trusted authority (TA)
  – Example: Needham-Schroeder protocol
• Key agreement protocols
  – Key can be established without TA
  – Example: Diffie-Hellman key agreement protocol


Needham-Schroeder Protocol

• Alice → Trent: $A, B, R_A$
  – $A$ is Alice's name, $B$ is the name of Bob, $R_A$ is a random number
• Trent → Alice: $E_A(R_A, B, K, E_B(K, A))$
  – $K$ is the session key
  – $E_A$ and $E_B$ are encryption using A's key and B's key
• Alice → Bob: $E_B(K, A)$
  – After decrypting the above message
• Bob → Alice: $E_K(R_B)$
  – $R_B$ is a random number
• Alice → Bob: $E_B(R_B - 1)$
• Bob verifies $R_B - 1$


Needham-Schroeder Remark

• $R_A$, $R_B$, and $R_B - 1$ can prevent replay attacks
• BUT Mallory can store an old $K$
  – Mallory → Bob: $E_B(K, A)$
  – Bob → "Alice" (Mallory): $E_K(R_B)$
    • $R_B$ is a random number
  – Mallory → Bob: $E_B(R_B - 1)$
  – Bob verifies $R_B - 1$
  – Mallory can impersonate Alice
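The remark above can be traced in a symbolic model of the last three Needham-Schroeder messages. This is an added example, not code from the lecture: encryption is modelled as a sealed box, the final response is assumed to be encrypted under the session key $K$, and the `issued` timestamp with its `max_age` check is an assumed variant following the "add timestamp" idea.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Box:
    """Symbolic ciphertext: the body is readable only with the same key."""
    key: str
    body: tuple

def enc(key, *body):
    return Box(key, body)

def dec(key, box):
    if box.key != key:
        raise ValueError("cannot decrypt: wrong key")
    return box.body

def trent_issue(ka, kb, a, b, ra, k, now):
    """Message 2: E_A(R_A, B, K, E_B(K, A)); `now` is the assumed timestamp."""
    return enc(ka, ra, b, k, enc(kb, k, a, now))

class Bob:
    def __init__(self, kb, max_age=None):
        self.kb, self.max_age = kb, max_age   # max_age=None: no freshness check

    def accept_ticket(self, ticket, rb, now):
        k, peer, issued = dec(self.kb, ticket)
        if self.max_age is not None and now - issued > self.max_age:
            raise ValueError("stale ticket")
        self.k, self.peer, self.rb = k, peer, rb
        return enc(k, rb)                     # message 4: E_K(R_B)

    def verify(self, reply):
        (value,) = dec(self.k, reply)
        return value == self.rb - 1           # message 5 carries R_B - 1

def respond(k, challenge):
    """Whoever holds K can answer Bob's challenge."""
    (rb,) = dec(k, challenge)
    return enc(k, rb - 1)

def replay_old_ticket(bob, old_ticket, old_k, now):
    """Recorded E_B(K, A) is resent by someone who has since learned K.
    Returns the identity Bob ends up believing in, or None if he refuses."""
    try:
        challenge = bob.accept_ticket(old_ticket, rb=777, now=now)  # constructed nonce
    except ValueError:
        return None
    return bob.peer if bob.verify(respond(old_k, challenge)) else None
```

Bob's nonce only proves that the peer holds $K$ now; nothing in $E_B(K, A)$ tells him when $K$ was issued, which is what the freshness check adds.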


Otway-Rees Protocol

• Idea: add timestamp
• Alice → Bob: $I, A, B, E_A(R_A, I, A, B)$
  – $I$ is the index number
• Bob → Trent: $I, A, B, E_A(R_A, I, A, B), E_B(R_A, I, A, B)$
• Trent → Bob: $I, E_A(R_A, K), E_B(R_B, K)$
  – After decrypting the above message
• Bob → Alice: $I, E_A(R_A, K)$
  – $R_B$ is a random number
• Alice verifies $I$ and $R_B$


Diffie-Hellman key Agreement

• Exchanging a secret key over a public channel
• Key exchange protocol
  – Select public parameters $p$, $g$ and $n$
    • $p$ is prime and $g$ is of order $n$ in $\mathbb{Z}_p^*$
  – Alice selects a random $b$ privately and sends Alice → Bob: $[g^b \bmod p]$
  – Bob selects a random $c$ privately and sends Bob → Alice: $[g^c \bmod p]$
  – Alice and Bob compute $g^{bc} \bmod p$ (the shared secret key)

[Figure: Bob's and Alice's key is $g^{bc}$]


Example of DH Exchange

• Globally known $p = 2147483659$ and $g = 2$
• Alice chooses $b = 12345$ and sends Bob $[B = g^b \bmod p = 428647416]$
• Bob chooses $c = 654323$ and sends Alice $[C = g^c \bmod p = 450904856]$
• Alice computes the secret key as $C^b \bmod p = 1333327162$
• Bob computes the secret key as $B^c \bmod p = 1333327162$
• So the secret key between Alice and Bob is 1333327162


Security of DH

• The security of the Diffie-Hellman key exchange protocol is based on the CDH problem
• Computational Diffie-Hellman (CDH)
  – Given a group $(G, *)$ and an element $g$ of order $q$, given $g^x$ and $g^y$, find $g^{xy}$
• DLP is at least as hard as CDH
• An algorithm that solves CDH can be used to decrypt ElGamal


CDH and ElGamal

• Any algorithm that solves CDH can be used to decrypt ElGamal ciphertexts
• Intuition:
  – Decrypting $(c_1 = g^k,\ c_2 = m\,(g^a)^k)$ is equivalent to computing $(g^a)^k$
  – Knows $c_1 = g^k$ and the public key $g^a$, and needs to compute $g^{ka}$
• Proof:
  – Assume that algorithm OracleCDH solves CDH
  – Let $(c_1, c_2)$ be an ElGamal ciphertext
  – Let the public key be $g^a$, $c_1 = g^k \bmod p$, $c_2 = m\,(g^a)^k \bmod p$
  – $y = \mathrm{OracleCDH}(g, g^a, c_1)$
  – $m = c_2\, y^{-1}$
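The reduction in the proof, carried through as an added example (not from the lecture). The group $p = 467$, $g = 2$ is a constructed toy group, and `oracle_cdh` is a brute-force stand-in for the assumed CDH solver, feasible only because the group is tiny.

```python
import secrets

P, G = 467, 2   # constructed toy group, small enough to brute-force

def oracle_cdh(g, gx, gy):
    """Stand-in for OracleCDH: returns g^(xy) given g, g^x and g^y."""
    acc = 1
    for x in range(P - 1):
        if acc == gx:                 # found x with g^x == gx
            return pow(gy, x, P)
        acc = acc * g % P
    raise ValueError("gx is not a power of g")

def keygen():
    """Private a and public key g^a."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)

def encrypt(pub, m):
    """ElGamal: c1 = g^k, c2 = m * (g^a)^k."""
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), m * pow(pub, k, P) % P

def decrypt_with_key(a, c1, c2):
    """The legitimate receiver computes (g^k)^a from the private key a."""
    return c2 * pow(pow(c1, a, P), -1, P) % P

def decrypt_with_oracle(pub, c1, c2):
    """The reduction: y = OracleCDH(g, g^a, c1), then m = c2 * y^-1."""
    y = oracle_cdh(G, pub, c1)        # y = g^(ak), obtained without a or k
    return c2 * pow(y, -1, P) % P
```

`decrypt_with_oracle` never receives the private exponent, which is the content of the proof: ElGamal decryption is no harder than CDH.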


Man-in-the-middle Attack

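• There is a man-in-the-middle attack
• Need to be careful who you are agreeing a key with

[Figure: Eve sits between Alice and Bob. Alice (secret $a$) sends $g^a$; Eve (secrets $m$, $n$) sends $g^m$ and $g^n$; Bob (secret $b$) sends $g^b$. Alice and Eve share $g^{am}$; Eve and Bob share $g^{bn}$.]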


Diffie-Hellman is NOT Enough

• How does Alice know who she is agreeing a key with, is it Bob or Eve?
• Using signatures:
  – Alice signs her message to Bob
  – Bob signs his message to Alice
  – In that way both parties know who they are talking to
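The man-in-the-middle exchange and the signature remedy, as an added example that is not part of the lecture. It uses the public parameters of the worked DH example; the RSA signing key is a constructed toy key (far too small for real use), only Alice's message is signed to keep the example short, and Bob is assumed to already hold her verification key authentically.

```python
import hashlib
import secrets

P, G = 2147483659, 2            # public DH parameters from the worked example

# Constructed toy RSA signing key for Alice, built from two Mersenne primes.
_p, _q = 2**61 - 1, 2**89 - 1
N, E = _p * _q, 65537
D = pow(E, -1, (_p - 1) * (_q - 1))   # known to Alice only

def digest(value):
    raw = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(raw, "big") % N

def sign(value):
    return pow(digest(value), D, N)

def verify(value, sig):
    return pow(sig, E, N) == digest(value)

def exchange(eve_active):
    a = secrets.randbelow(P - 3) + 2      # Alice's secret
    b = secrets.randbelow(P - 3) + 2      # Bob's secret
    m = secrets.randbelow(P - 3) + 2      # Eve's secret used toward Alice
    n = secrets.randbelow(P - 3) + 2      # Eve's secret used toward Bob
    ga, gb = pow(G, a, P), pow(G, b, P)
    sig_a = sign(ga)                      # Alice signs her DH value
    # Eve replaces both values in transit; she cannot re-sign for Alice.
    seen_by_bob = pow(G, n, P) if eve_active else ga
    seen_by_alice = pow(G, m, P) if eve_active else gb
    return {
        "alice_key": pow(seen_by_alice, a, P),
        "bob_key": pow(seen_by_bob, b, P),
        "eve_alice_key": pow(ga, m, P),   # g^(am)
        "eve_bob_key": pow(gb, n, P),     # g^(bn)
        "bob_sig_ok": verify(seen_by_bob, sig_a),
    }
```

With Eve active, Alice's and Bob's keys match Eve's two keys instead of each other, and `bob_sig_ok` is false, which is the signal Bob uses to abort.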


For Public Key Establishment

• The above is private key establishment
• For public key establishment:
  – Intuition: the distribution of public keys is secure
  – But: there is a man-in-the-middle attack

[Figure: Mallory sits between Alice, Bob and the KDC, passing on her own key $K_{PM}$ in place of $K_{PA}$ and $K_{PB}$]


Interlock Protocol

• Alice → Bob: $K_{PA}$
• Bob → Alice: $K_{PB}$
• Alice → Bob: Half1($E_{K_{PB}}(M)$)
  – After decrypting the above message
• Bob → Alice: Half1($E_{K_{PA}}(M)$)
• Alice → Bob: Half2($E_{K_{PB}}(M)$)
• Bob combines Half1 and Half2 and decrypts
• Bob → Alice: Half2($E_{K_{PA}}(M)$)
• Alice combines Half1 and Half2 and decrypts


Authentication Protocol

• Goal: two parties authenticate each other
• Example:
  – Alice wants to log in to a computer
    • Hashing + salt
    • SKEY
  – Alice and Bob want to authenticate each other
    • SKID (MAC) Protocol
    • DASS Protocol


SKEY

• Computer computes $f(R), f(f(R)), \ldots$ 100 times
• In the computer's database: Alice + $x_{101}$
• Alice stores $x_1, x_2, x_3, \ldots, x_{100}$
• 1st login:
  – Alice inputs her name and $x_{100}$
  – Computer computes $f(x_{100})$
  – Computer replaces $x_{101}$ by $x_{100}$ in the database
  – Alice deletes $x_{100}$ from her list
• 2nd login:
  – Alice inputs the last $x_i$ in her list
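The login steps above as a runnable hash chain, added here as an example and not taken from the lecture. SHA-256 stands in for $f$, the seed is a constructed value, and the comparison of $f(x_i)$ against the stored value is the check the computer is assumed to perform before updating its database.

```python
import hashlib
import hmac

def f(x: bytes) -> bytes:
    """One-way function f; SHA-256 is this example's choice."""
    return hashlib.sha256(x).digest()

def make_chain(r: bytes, n: int = 100) -> list:
    """Return [x1, ..., x(n+1)] where x1 = f(R) and x(i+1) = f(xi)."""
    chain, x = [], r
    for _ in range(n + 1):
        x = f(x)
        chain.append(x)
    return chain

class Computer:
    def __init__(self):
        self.db = {}                       # name -> last accepted value

    def enroll(self, name, x_top):
        self.db[name] = x_top              # initially x101

    def login(self, name, x):
        stored = self.db.get(name)
        if stored is None or not hmac.compare_digest(f(x), stored):
            return False
        self.db[name] = x                  # replace x(i+1) by x(i)
        return True

class Alice:
    def __init__(self, chain):
        self.passwords = list(chain[:-1])  # x1 .. x100; x101 goes to the computer

    def next_password(self):
        return self.passwords.pop()        # use the last value, then delete it

def demo():
    chain = make_chain(b"constructed-secret-R")
    computer, alice = Computer(), Alice(chain)
    computer.enroll("alice", chain[-1])
    first = alice.next_password()                                   # x100
    results = [computer.login("alice", first)]                      # accepted
    results.append(computer.login("alice", first))                  # replayed x100
    results.append(computer.login("alice", alice.next_password()))  # x99
    results.append(computer.login("alice", chain[0]))               # x1, out of order
    return results, len(alice.passwords)
```

A captured password is useless for a later login because the database now holds that same value, and producing the next one would require inverting $f$.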


SKID

• Alice → Bob: $R_A$
  – $R_A$ is a random number
• Bob → Alice: $R_B, H_K(R_A, R_B, B)$
  – $H_K$ is the MAC
• Alice computes $H_K(R_A, R_B, B)$ and checks
  – At this step, Alice can authenticate Bob
• Alice → Bob: $H_K(R_B, A)$
• Bob computes $H_K(R_B, A)$ and checks
  – At this step, Bob can authenticate Alice
  – A man-in-the-middle attack also exists


DASS

• DASS: Distributed Authentication Security Service
• Alice → Trent: $B$
• Trent → Alice: $K_{PB}, \mathrm{Sig}_{K_{ST}}(B, K_{PB})$
• Alice → Bob: $E_K(T_A), E_{K_{PB}}(L, A, K_{PP}), \mathrm{Sig}_{K_{SA}}(L, A, K_{PP}), E_{K_{PB}}(K), \mathrm{Sig}_{K_{SP}}(E_{K_{PB}}(K))$
  – $K$ is the session key; $T_A$ is the timestamp; $L$ is the life of the key; $K_{PP}$/$K_{SP}$ are a public/private key pair
• Bob → Trent: $A$
• Trent → Alice: $K_{PA}, \mathrm{Sig}_{K_{ST}}(A, K_{PA})$
• Bob verifies them
• Bob → Alice: $E_K(T_B)$
• Alice checks $T_B$


Zero Knowledge Protocol

• Motivation:
  – When Alice authenticates to a server, she gives her password, but the server can then impersonate her
  – Alice can prove she is “Alice” while giving the computer zero knowledge
  – Zero-knowledge protocol:
    • Allows a prover to prove that he possesses a secret without revealing any information when verifying
  – Normally uses a challenge-response protocol


Zero Knowledge Proof of Identity

• Alice’s secret key is a function of her “Identity”
  – Through a zero-knowledge proof, she can prove that she knows her secret key
  – Fiat-Shamir Identity Protocol


Fiat-Shamir Identity Protocol

• System parameter: $n = pq$
• Public identity: $v$ ($v$ is a quadratic residue mod $n$)
• Private authenticator: $s \equiv \sqrt{v^{-1}} \bmod n$
• Protocol (repeat $t$ times):
  – Alice picks random $r$ in $\mathbb{Z}_n^*$
  – Alice → Bob: $x = r^2 \bmod n$
  – Bob checks $x \neq 0$
  – Bob → Alice: random $c$ in $\{0, 1\}$
  – Bob ← Alice: $y$; if $c = 0$, $y = r$; if $c = 1$, $y = rs \bmod n$
  – Bob accepts: if $c = 0$, $x = r^2 \bmod n$; if $c = 1$, $x \equiv y^2 v \bmod n$

[Figure labels: "Identity" and "Know Identity"]


Security of Fiat-Shamir Protocol

• If Alice does not know $s$, she can cheat Bob with prob. ½
  – $t$ times: the probability is $1/2^t$
• $r$ cannot be used twice
  – If used, Bob may be able to compute $s$ by $s = r^{-1} y$
  – Not zero-knowledge
• Bob can impersonate Alice with prob. ½
  – $t$ times: the probability is $1/2^t$


Parallel Fiat-Shamir Protocol

• System parameter: $n = pq$
• Public identity: $v_1, \ldots, v_k$ ($v_i$ is a quadratic residue mod $n$)
• Private authenticator: $s_i \equiv \sqrt{v_i^{-1}} \bmod n$
• Protocol (repeat $t$ times):
  – Alice picks random $r$ in $\mathbb{Z}_n^*$
  – Alice → Bob: $x = r^2 \bmod n$
  – Bob checks $x \neq 0$
  – Bob → Alice: a random {0,1} bit string $b_0, b_1, \ldots, b_k$
  – Bob ← Alice: $y = r\,(s_1^{b_1} s_2^{b_2} \cdots s_k^{b_k}) \bmod n$
  – Bob accepts: if $x \equiv y^2\,(v_1^{b_1} v_2^{b_2} \cdots v_k^{b_k}) \bmod n$


Fiat-Shamir Protocol Example

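• $N = 35 = 5 \times 7$
  – Alice → Bob: $x = r^2 = 16^2 \bmod 35 = 11$
  – Bob → Alice: {0,1} string {1, 1, 0, 1}
  – Bob ← Alice: $y = 16 \cdot (3^1 \cdot 4^1 \cdot 9^0 \cdot 8^1) \bmod 35 = 31$
  – Bob accepts: if $11 \equiv 31^2 \cdot (4^1 \cdot 11^1 \cdot 16^0 \cdot 29^1) \bmod 35$

| $v$ | $v^{-1}$ | $s = \sqrt{v^{-1}}$ |
|---|---|---|
| 4 | 9 | 3 |
| 11 | 16 | 4 |
| 16 | 11 | 9 |
| 29 | 29 | 8 |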
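The parallel Fiat-Shamir round with the toy values from this example, plus the two security remarks made earlier (a prover without $s$ passes only by guessing the challenge, and a reused $r$ leaks the secret). This is an added example, not code from the lecture; the function names are this example's own.

```python
import secrets
from math import gcd

N = 35                      # n = 5 * 7 (toy modulus from the example)
V = [4, 11, 16, 29]         # public identity v_i
S = [3, 4, 9, 8]            # private authenticator s_i = sqrt(v_i^-1) mod n

def product(values, bits):
    """Multiply together the values whose challenge bit is 1, mod n."""
    out = 1
    for value, bit in zip(values, bits):
        if bit:
            out = out * value % N
    return out

def commit(r):
    return r * r % N                         # x = r^2 mod n

def respond(r, bits):
    return r * product(S, bits) % N          # y = r * prod(s_i^b_i) mod n

def accept(x, bits, y):
    return x != 0 and x == y * y * product(V, bits) % N

def honest_round():
    r = secrets.choice([u for u in range(2, N) if gcd(u, N) == 1])
    bits = [secrets.randbelow(2) for _ in V]
    return accept(commit(r), bits, respond(r, bits))

def cheat_commit(y, guess):
    """A prover without S fixes y and a guessed challenge, then derives x.
    The round passes only if the real challenge equals the guess."""
    return y * y * product(V, guess) % N

def recover_from_reuse(y_zero, y_one):
    """Same r answered for challenges 0000 and 1000 gives s_1 = r^-1 * y."""
    return pow(y_zero, -1, N) * y_one % N
```

`accept(commit(16), [1, 1, 0, 1], respond(16, [1, 1, 0, 1]))` reproduces the worked values $x = 11$ and $y = 31$.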


Summary

• Structure of Cryptographic Protocol
  – Arbitration Protocol
  – Verdict Protocol
  – Self-enforcing Protocol
• Cryptographic Protocols
  – Key Establishment Protocols
  – Authentication Protocols
  – Zero Knowledge Protocol