Key Establishment¶
links: AC1 TOC - From Symmetric Encryption to Secure Channels - Index
Goals¶
- Key secrecy: Session keys must not be known by anyone other than Alice and Bob (and possibly a trusted third party). Mallory must not learn anything about session keys.
- Authenticity: Each party can be assured of the identity of the party it shares the session key with. That is, Alice knows that she shares the session key with Bob and not with Mallory.
- Freshness of keys: Mallory must not be able to replay old session keys.
Protocols¶
Key establishment is realized by using protocols whereby a shared secret becomes available to two or more parties, for subsequent cryptographic use.
Key establishment protocols result in shared secrets which are typically called (or used to derive) session keys. Ideally, a session key is an ephemeral secret, i.e., one whose use is restricted to a short time period such as a single telecommunications connection (or session), after which all trace of it is eliminated.
Motivation for ephemeral keys includes the following:
- To limit available ciphertext (under a fixed key) for cryptanalytic attack
- To limit exposure, with respect to both time period and quantity of data, in the event of (session) key compromise
- To avoid long-term storage of a large number of distinct secret keys by creating keys only when actually required
- To create independence across communications sessions or applications.
Methods¶
- Key agreement (e.g. DH): Both parties contribute to a secret key that neither of them can determine alone. This option is almost always the best solution.
- Key transport: One party generates the secret key and sends it to the other. This is needed where communication is unidirectional (only one party is online at a time, or one party can only send and the other can only receive).
Private channels (authentic and confidential channel)¶
Symmetric key distribution is impossible without private channels. A private channel to exchange a key could be a USB stick given directly to the other party or a pre-installed key on a company laptop. Private channels are complicated, inefficient and expensive.
The goal is to reduce the number of private channels required to exchange keys. Ideally an initial private channel is used today to exchange a secret key that might be used at a later time to establish a secure channel over an insecure link.
Broken key establishment protocols¶
Neumann-Stubblebine¶
Type-flaw attack: Mallory learns \(N_a\) from step 1 (or, posing as Alice, chooses it herself) and intercepts \(E(K_{bt}, A, N_a, T_b)\) in step 2. In step 4 she replays that ciphertext in place of the ticket \(E(K_{bt}, A, K_{ab}, T_b)\) and answers Bob's nonce \(N_b\) under the "key" \(N_a\). Bob cannot tell whether the middle field of a decrypted message is a nonce or a key, so he accepts \(N_a\), which Mallory knows, as the session key (in the other notation used in the course: \(R_A\) taken from \(E_B(A, R_A, T_B)\) is accepted as the key). The fix is to make the nonce \(N_a\) and the key \(K_{ab}\) unconfusable, for example by giving them different lengths or by tagging the type of each field inside the ciphertext.
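The attack and the fix, as an added example in Go (this is not the course's code): AES-GCM stands in for the textbook \(E(K, \ldots)\), and the nonce \(N_a\) is deliberately given the same 16-byte length as \(K_{ab}\). `MalloryAttack(false)` runs the attack against a Bob who parses the decrypted fields by position only; `MalloryAttack(true)` runs it against a Bob who requires an explicit type tag inside the ciphertext ('N' for a nonce, 'K' for a key). The identities, field sizes, the 60-second validity window for \(T_b\) and the tag bytes are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Plaintext layout: identity(8) || nonce-or-key(16) || T_b(8). N_a and K_ab share a length.
const idLen, fieldLen, tsLen = 8, 16, 8

var alice = []byte("alice\x00\x00\x00") // padded 8-byte identity A (assumed encoding)

func randBytes(n int) []byte {
	buf := make([]byte, n)
	rand.Read(buf) // crypto/rand never fails on supported platforms
	return buf
}

// seal/open stand in for E(K, ...) in the notes: AES-GCM, random nonce prepended.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // keys are always 16 or 32 bytes in this example
	gcm, _ := cipher.NewGCM(block)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// encode builds identity || field || T_b (now). The hardened variant prefixes a type
// tag so that a nonce ('N') can never be parsed as a key ('K').
func encode(typed bool, tag byte, id, field []byte) []byte {
	tb := make([]byte, tsLen)
	binary.BigEndian.PutUint64(tb, uint64(time.Now().Unix()))
	body := []byte{}
	if typed {
		body = append(body, tag)
	}
	return append(append(append(body, id...), field...), tb...)
}

// Bob holds K_bt, the long-term key shared with the TTP.
type Bob struct {
	kbt, nb, sessionKey []byte
	typed               bool
}

// Step2 is B -> T: B, E(K_bt, A, N_a, T_b), N_b. Mallory sees the ciphertext and N_b.
func (b *Bob) Step2(a, na []byte) (ciphertext, nb []byte) {
	b.nb = randBytes(16)
	return seal(b.kbt, encode(b.typed, 'N', a, na)), b.nb
}

// Step4 is A -> B: E(K_bt, A, K_ab, T_b), E(K_ab, N_b). Bob checks the type tag
// (hardened only), the length, that T_b is fresh, and that N_b was answered under K_ab.
func (b *Bob) Step4(ticket, nbEnc []byte) bool {
	body, err := open(b.kbt, ticket)
	if b.typed && err == nil { // hardened Bob accepts only a ticket tagged as a key
		if len(body) == 0 || body[0] != 'K' {
			return false
		}
		body = body[1:]
	}
	if err != nil || len(body) != idLen+fieldLen+tsLen {
		return false
	}
	kab := body[idLen : idLen+fieldLen]
	age := time.Now().Unix() - int64(binary.BigEndian.Uint64(body[idLen+fieldLen:]))
	if age < -60 || age > 60 {
		return false
	}
	if got, err := open(kab, nbEnc); err != nil || !bytes.Equal(got, b.nb) {
		return false
	}
	b.sessionKey = kab
	return true
}

// MalloryAttack: posing as Alice, Mallory picks N_a with the length of a key and hands
// Bob his own step-2 ciphertext as the step-4 ticket. True means Bob now "shares"
// N_a, which Mallory knows, as the session key.
func MalloryAttack(typed bool) bool {
	bob := &Bob{kbt: randBytes(32), typed: typed}
	na := randBytes(fieldLen)
	cipherNa, nb := bob.Step2(alice, na) // message 2, intercepted on its way to T
	return bob.Step4(cipherNa, seal(na, nb)) && bytes.Equal(bob.sessionKey, na)
}

func main() {
	fmt.Println("untyped Bob fooled:", MalloryAttack(false), "typed Bob fooled:", MalloryAttack(true))
}
```

A genuine ticket from T is `seal(kbt, encode(typed, 'K', alice, kab))`, and both variants of Bob accept it, so the tag costs nothing on the honest path. Giving \(N_a\) a different length from \(K_{ab}\) and checking that length in `Step4` is the other way to make the two unconfusable.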
Key establishment protocols¶
Denning-Sacco¶
Bob can impersonate Alice to Carol: he takes the key Alice signed for him, re-encrypts it under Carol's public key and forwards it, and Carol then believes she shares the key with Alice. The signed message does not say for whom the key is intended or what it is to be used for.
Wide-Mouth Frog protocol¶
- The protocol requires synchronized clocks to achieve freshness
- Bob has to trust Alice to correctly generate a key
Needham-Schroeder protocol¶
- Protocol introduced nonces and removed timestamps
- Keys are generated by TTP so Bob doesn't have to trust Alice with key generation
- Vulnerable to known-session-key attacks: an attacker who has obtained an old session key can replay the last three steps to Bob, since Bob cannot verify that the key is fresh
Kerberos¶
- Used in Windows since Windows 2000 for authentication, key establishment and authorization
- Similar to Needham-Schroeder, but prevents the known-session-key replay with timestamps from synchronized clocks; authentication fails if the clocks are not synchronized.
Otway-Rees protocol¶
- Gürgens and Peralta describe an attack which they name an arity attack. In this attack the intruder intercepts the second message and replies to B using the two ciphertexts from message 2 in message 3. In the absence of any check to prevent it, M (or perhaps M,A,B) becomes the session key between A and B and is known to the intruder.
- Cole describes both the Gürgens and Peralta arity attack and another attack in his book Hackers Beware. In this attack the intruder intercepts the first message, removes the plaintext A,B and uses the rest as message 4, omitting messages 2 and 3. This leaves A communicating with the intruder using M (or M,A,B) as the session key.
Station to station key agreement protocol (STS)¶
- Essentially DH, but each party signs the pair of exponentials \(y_A, y_B\) (STS also encrypts that signature under the freshly derived key), which makes it secure against man-in-the-middle attacks. The signature verification keys are exchanged as certificates.
- STS is the basis of the practically important Internet Key Exchange protocol (IKE)
- The bottom line is: one cannot establish authenticated keys without bootstrapping the system using an “exterior authentication mechanism” (e.g., without first establishing public key certificates for Alice and Bob).
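The man-in-the-middle that plain DH falls to, and that signing the exponentials stops, as an added example in Go 1.20 or newer (not from the course or the STS paper): X25519 plays the DH group, Ed25519 the certified signing keys, and each signature covers the pair of exponentials as the bullet above describes; STS additionally encrypts each signature under the derived key, which this example leaves out. `RunExchange` with a non-nil `mallory` puts Mallory on the wire replacing both exponentials with her own. The domain-separation string and the derivation \(K = H(g^{ab})\) are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party holds a long-term Ed25519 signing key (the certified key of the notes)
// and a fresh X25519 ephemeral whose public half is the DH value y.
type Party struct {
	SignPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey
	eph      *ecdh.PrivateKey
}

func NewParty() *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	p := &Party{SignPub: pub, signPriv: priv}
	p.Fresh()
	return p
}

func (p *Party) Fresh() { // new ephemeral exponent for the next run
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	p.eph = eph
}

// Y returns the party's public DH value (y_A or y_B in the notes).
func (p *Party) Y() []byte { return p.eph.PublicKey().Bytes() }

// transcript fixes which exponential is which, so S_B(y_B, y_A) cannot be
// passed off as S_A(y_A, y_B) or reused with a different pair.
func transcript(first, second []byte) []byte {
	h := sha256.New()
	h.Write([]byte("STS-example")) // assumed domain separator
	h.Write(first)
	h.Write(second)
	return h.Sum(nil)
}

func (p *Party) Sign(first, second []byte) []byte {
	return ed25519.Sign(p.signPriv, transcript(first, second))
}

// Derive computes K = H(g^{ab}) from the peer's exponential.
func (p *Party) Derive(peerY []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerY)
	if err != nil {
		return nil, err
	}
	shared, err := p.eph.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// RunExchange runs one agreement between alice and bob: plain DH when sts is
// false, signed exponentials when true. A non-nil mallory replaces y_A and y_B on
// the wire with her own value. Returns the keys the honest parties derive, or an
// error when a signature check fails.
func RunExchange(alice, bob, mallory *Party, sts bool) (kA, kB []byte, err error) {
	alice.Fresh()
	bob.Fresh()
	yA, yB := alice.Y(), bob.Y()
	yAseen, yBseen := yA, yB // what Bob and Alice actually receive
	if mallory != nil {
		mallory.Fresh()
		yAseen, yBseen = mallory.Y(), mallory.Y()
	}
	// 1. A -> B: y_A (Bob receives yAseen)
	// 2. B -> A: y_B, S_B(y_B, y_A): Bob signs the pair as he saw it
	sigB := bob.Sign(yB, yAseen)
	if sts && !ed25519.Verify(bob.SignPub, transcript(yBseen, yA), sigB) {
		return nil, nil, fmt.Errorf("alice: S_B does not cover (y_B, y_A) as received; aborting")
	}
	// 3. A -> B: S_A(y_A, y_B)
	sigA := alice.Sign(yA, yBseen)
	if sts && !ed25519.Verify(alice.SignPub, transcript(yAseen, yB), sigA) {
		return nil, nil, fmt.Errorf("bob: S_A does not cover (y_A, y_B) as received; aborting")
	}
	if kA, err = alice.Derive(yBseen); err != nil {
		return nil, nil, err
	}
	if kB, err = bob.Derive(yAseen); err != nil {
		return nil, nil, err
	}
	return kA, kB, nil
}

func main() {
	a, b, m := NewParty(), NewParty(), NewParty()
	kA, kB, err := RunExchange(a, b, m, false)
	kMA, _ := m.Derive(a.Y())
	fmt.Printf("plain DH under MITM: err=%v alice==bob:%v mallory has alice's key:%v\n", err, bytes.Equal(kA, kB), bytes.Equal(kMA, kA))
	_, _, err = RunExchange(a, b, m, true)
	fmt.Println("signed exponentials under MITM:", err)
}
```

Without signatures the exchange under Mallory finishes without any error while Alice and Bob hold two different keys, each of which Mallory also holds. With signatures Alice rejects in message 2, because Bob signed \((y_B, y_M)\) and no one but Bob can produce a signature over \((y_M, y_A)\); this is exactly why the bottom-line bullet above insists on an exterior authentication mechanism for the signing keys.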
Lessons learned¶
- Do not try to be too clever; over-optimization is often the cause of vulnerabilities
- Which optimizations you can do (and which optimization actually matter) depends on your assumptions (adversary model, system capabilities)
- Which protocol to use depends on your performance goals and communications capabilities (all-to-all communication, trusted party, latency, bandwidth and computational constraints)