
Certificateless Authenticated Two-Party Key Agreement Protocols

Certificateless Authenticated Two-Party Key Agreement Protocols. Master Thesis Tarjei K. Mandt 09.06.2006. Agenda. Introduction Certificateless Public Key Cryptography Key Agreement Protocols Proposed Protocol Security and Efficiency Analysis. Problems.


Presentation Transcript


  1. Certificateless Authenticated Two-Party Key Agreement Protocols Master Thesis Tarjei K. Mandt 09.06.2006

  2. Agenda • Introduction • Certificateless Public Key Cryptography • Key Agreement Protocols • Proposed Protocol • Security and Efficiency Analysis

  3. Problems • Certificate management in traditional public key infrastructure (PKI) is inefficient • Key escrow in identity-based public key cryptography (ID-PKC)
     Can certificateless public key cryptography (CL-PKC) be used to design more efficient and secure key agreement schemes?

  4. Contribution • A new efficient certificateless authenticated two-party key agreement protocol • A protocol that can be used to establish keys between users of distinct domains • A security and adversary model for certificateless authenticated key agreement

  5. Why Certificateless Public Key Cryptography? • No certificates used (PKI) • Low storage and communication bandwidth • No need to verify certificates (certificate chains) • Higher degree of privacy • Public keys are always valid • No need for revocation (CRLs) • No key escrow (ID-PKC) • Trusted authority cannot recover session keys • Trusted authority cannot forge signatures

  6. Certificateless Public Key Cryptography (1)
     [Diagram labels: Certificateless Public Key Cryptography; Public Key Infrastructure; Identity-based Cryptography]

  7. Certificateless Public Key Cryptography (2)
     [Diagram labels: Key Generation Center (KGC), master-key; Alice, Alice's identity, partial private key, secret value; Bob]
     • Private key = partial private key + secret value
     • Public key = secret value × public generator

  8. Key Agreement (1) • Two or more parties agree on a shared key • Both parties contribute with input • Diffie-Hellman model used today • Authenticated Key Agreement ensures that only the intended parties can compute the session key • Bilinear pairings of elliptic curve groups used extensively today (provides shorter keys)

  9. Key Agreement (2)
     [Diagram: Alice combines Alice's private key with Bob's public key; Bob combines Bob's private key with Alice's public key; both key agreement computations yield the same shared secret]

  10. Diffie-Hellman Key Exchange
     [Diagram: Alice holds private key $a$ and receives Bob's public key $g^b$; Bob holds private key $b$ and receives Alice's public key $g^a$; Alice computes the secret key $g^{ba}$ and Bob computes $g^{ab}$, the shared secret]

  11. Man-in-the-Middle Attack on Diffie-Hellman
     [Diagram: Alice, Eve, Bob; exchanged values $g^a$, $g^b$, $g^c$; resulting keys $g^{ca}$ and $g^{cb}$]
     • Signing exchanged keys is inconvenient (size, computation)
     • Including identities can achieve proper authentication

  12. Computational Problems
     • Discrete Logarithm problem (DLP): Given $\langle g, q \rangle$, find an element $a$ such that $g^a = q$
     • EC Discrete Logarithm problem: Given $\langle P, Q \rangle$, find an element $a$ such that $aP = Q$
     • EC Computational Diffie-Hellman (CDH) problem: Given $\langle P, aP, bP \rangle$, compute $abP$
     • Bilinear Diffie-Hellman (BDH) problem: Given $\langle P, aP, bP, cP \rangle$, compute $\hat{e}(P,P)^{abc}$
     • DLP > CDHP > BDHP, example: $\hat{e}(abP, cP) = \hat{e}(P, cP)^{ab} = \hat{e}(P,P)^{abc}$

  13. Proposed protocol
     • Key Generation Center: master-key $s$, KGC public key $sP$

  14. Proposed protocol
     • Key Generation Center: master-key $s$, KGC public key $sP$
     • Alice: partial private key $D_A = sQ_A$, private key $S_A = \langle D_A, x_A \rangle$, public key $P_A = x_A P$

  15. Proposed protocol
     • Key Generation Center: master-key $s$, KGC public key $sP$
     • Alice: partial private key $D_A = sQ_A$, private key $S_A = \langle D_A, x_A \rangle$, public key $P_A = x_A P$
     • Bob: partial private key $D_B = sQ_B$, private key $S_B = \langle D_B, x_B \rangle$, public key $P_B = x_B P$

  16. Proposed protocol
     • Key Generation Center: master-key $s$, KGC public key $sP$
     • Alice: partial private key $D_A = sQ_A$, private key $S_A = \langle D_A, x_A \rangle$, public key $P_A = x_A P$
     • Bob: partial private key $D_B = sQ_B$, private key $S_B = \langle D_B, x_B \rangle$, public key $P_B = x_B P$
     • Alice: $a$, $T_A = aP$; Alice → Bob: $T_A, P_A$
     • Bob: $b$, $T_B = bP$; Bob → Alice: $T_B, P_B$

  17. Proposed protocol
     • Key Generation Center: master-key $s$, KGC public key $sP$
     • Alice: partial private key $D_A = sQ_A$, private key $S_A = \langle D_A, x_A \rangle$, public key $P_A = x_A P$
     • Bob: partial private key $D_B = sQ_B$, private key $S_B = \langle D_B, x_B \rangle$, public key $P_B = x_B P$
     • Alice: $a$, $T_A = aP$; Alice → Bob: $T_A, P_A$
     • Bob: $b$, $T_B = bP$; Bob → Alice: $T_B, P_B$
     • $K_A = \hat{e}(Q_B, P_B + sP)^{a} \cdot \hat{e}(x_A Q_A + D_A, T_B)$
     • $K_B = \hat{e}(Q_A, P_A + sP)^{b} \cdot \hat{e}(x_B Q_B + D_B, T_A)$
     • $K = \hat{e}(Q_B, P)^{a(s + x_B)} \cdot \hat{e}(Q_A, P)^{b(s + x_A)}$

  18. Proposed protocol with multiple KGCs
     • KGC 1: master-key $s_1$, KGC public key $s_1 P$
     • KGC 2: master-key $s_2$, KGC public key $s_2 P$
     • Standardized elliptic curve parameters
     • Alice: partial private key $D_A = s_1 Q_A$, private key $S_A = \langle D_A, x_A \rangle$, public key $P_A = x_A P$
     • Bob: partial private key $D_B = s_2 Q_B$, private key $S_B = \langle D_B, x_B \rangle$, public key $P_B = x_B P$
     • Alice: $a$, $T_A = aP$; Alice → Bob: $T_A, P_A$
     • Bob: $b$, $T_B = bP$; Bob → Alice: $T_B, P_B$
     • $K_A = \hat{e}(Q_B, P_B + s_2 P)^{a} \cdot \hat{e}(x_A Q_A + D_A, T_B)$
     • $K_B = \hat{e}(Q_A, P_A + s_1 P)^{b} \cdot \hat{e}(x_B Q_B + D_B, T_A)$
     • $K = \hat{e}(Q_B, P)^{a(s_2 + x_B)} \cdot \hat{e}(Q_A, P)^{b(s_1 + x_A)}$

  19. (Final) Session Key
     • Need to use a Key Derivation Function (KDF) • To ensure forward secrecy • To prevent the key reveal attack • To ensure compromise of short-term private values does not break the protocol
     • A secure hash function $H$ is an ideal KDF
     • $FK_A = H(K, abP, x_A x_B P)$
     • $FK_B = H(K, baP, x_B x_A P)$
     [Annotation labels on the formulas: long-term public key; session key; short-term public key; (long-term) secret value; short-term private key]

  20. Protocol’s Security • Security reduces to the BDH/CDH problem • A KGC who replaces public keys (long-term and short-term) can attack the protocol • Can be addressed by incorporating public keys into the identity elements: $Q_A = H_1(ID_A, P_A)$ • Thus, we define two adversaries: • Type I: replaces public keys, does not know master-key • Type II: knows master-key, does not replace public keys

  21. Security Attributes • Known-key security • Each run should produce a different session key • Forward secrecy • Leaked private keys should not reveal a session key • KGC forward secrecy • Key-compromise impersonation • An adversary should not be able to impersonate other entities to A using A’s private key • Unknown key share • A should not share a key with C, when believing she is sharing a key with B • Known session-specific temporary information security • Leaked short-term keys should not reveal a session key

  22. Example: Forward Secrecy
     [Diagram: Alice and Bob establish n session keys]

  23. Example: Forward Secrecy
     [Diagram: Alice and Bob establish n session keys; Eve holds Alice’s private key and Bob’s private key]

  24. Example: Forward Secrecy
     [Diagram: Alice and Bob establish n session keys; Eve holds Alice’s private key and Bob’s private key]
     • Eve can compute $K$, but not $H(K, abP, x_A x_B P)$
     • Specifically, Eve must know $a$ or $b$ of a given session to compute $a \cdot bP = b \cdot aP = abP$

  25. Protocol’s Efficiency p = pairing, m = point multiplication, e = pairing exponentiation Precomputation: known values are computed before the key agreement

  26. Conclusions • More efficient than previous protocol • Only 2 pairings • Public keys only comprise one group element • Possible to adapt to a multi-TA setting • For instance, ideal in VoIP networks • Efficiency competitive with ID-PKC when many keys are agreed (public keys are known)

  27. Questions?
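
The key computations on slides 17, 19 and 24, checked in a toy model (an added example, not code from the thesis or the presentation). Assumptions: the pairing is simulated by storing each point uP as the integer u, which is insecure and only verifies the algebra; the parameters p, q, g, the identities, and all function names are constructed for illustration, and Q is bound to the public key as on slide 20.

```python
import hashlib, secrets

# Toy symmetric pairing for checking the algebra only (NOT secure): a point uP
# is stored as the integer u mod q, so P = 1 and e(uP, vP) = g^(uv) mod p.
p, q, g = 2039, 1019, 4          # constructed: p = 2q + 1, g has order q
P = 1

def e(U, V):                     # bilinear map G1 x G1 -> GT
    return pow(g, (U * V) % q, p)

def rand():                      # random nonzero scalar in Z_q
    return secrets.randbelow(q - 1) + 1

def H1(identity, pub):           # identity element Q = H1(ID, P_ID), slide 20
    d = hashlib.sha256(f"{identity}|{pub}".encode()).digest()
    return int.from_bytes(d, "big") % (q - 1) + 1

def kdf(K, abP, xxP):            # FK = H(K, abP, xA*xB*P), slide 19
    return hashlib.sha256(f"{K}|{abP}|{xxP}".encode()).hexdigest()

def keygen(identity, s):
    x = rand()                   # user's secret value
    pub = x * P % q              # public key P_ID = x P
    Q = H1(identity, pub)
    D = s * Q % q                # partial private key issued by the KGC
    return {"x": x, "P": pub, "Q": Q, "D": D}

def session_key(me, peer_Q, peer_P, peer_T, t, kgc_pub):
    # K = e(Q_peer, P_peer + sP)^t * e(x Q + D, T_peer), slide 17
    K = pow(e(peer_Q, (peer_P + kgc_pub) % q), t, p) \
        * e((me["x"] * me["Q"] + me["D"]) % q, peer_T) % p
    return K, kdf(K, t * peer_T % q, me["x"] * peer_P % q)

def run():
    s = rand()                                   # KGC master-key
    kgc_pub = s * P % q                          # KGC public key sP
    A, B = keygen("alice", s), keygen("bob", s)
    a, b = rand(), rand()                        # short-term private keys
    TA, TB = a * P % q, b * P % q                # sent along with P_A, P_B
    KA, FKA = session_key(A, B["Q"], B["P"], TB, a, kgc_pub)
    KB, FKB = session_key(B, A["Q"], A["P"], TA, b, kgc_pub)
    # Slide 24: both long-term private keys plus the transcript give Eve K,
    # so K alone is not secret; the final key also hashes abP (needs a or b).
    K_eve = e((B["x"] * B["Q"] + B["D"]) % q, TA) \
        * e((A["x"] * A["Q"] + A["D"]) % q, TB) % p
    return KA, KB, FKA, FKB, K_eve
```

Because this model stores points as their discrete logarithms, it cannot show the hardness of recovering abP from aP and bP; that part rests on the CDH assumption in a real pairing-friendly curve group.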
