190 likes | 297 Vues
Learn about encryption, key sharing, and authentication methods to ensure secure communication between parties. Understand the importance of forward secrecy and considerations for efficient key distribution.
E N D
Problem • Alice and Bob wish to play the game Paper, Rock and Scissors. • What may be the problems with the game? • The requirements for the games are • Privacy of the choice (i.e. when someone chooses, the other party does not know his choice) • Non repudiation of the choice (i.e. when someone chooses, he can’t change his decision later) • Assume: known public keys for parties: eA, sA, eB,sB (for encryption, signature by Alice, Bob)
Solution – choice phase • Use Encrypt-Then-Sign scheme, i.e. sign the encrypted value. • Alice’s playout • Alice picks ephemeral PKCS keys etemp ,dtemp • Alice’s choice is denoted as Ca (“P”, “R” or “S”) • Alice choice: • SignsA(Encetemp(Ca),etemp). • Same goes for Bob.
Solution – Verification Phase • Alice provides • CA , randomness used for encryption • Why do we need to use randomized encryption? • Bob’s verification • VervA(Encetemp(CA),etemp) • If CA>CB (when > represents better) then Alice wins, otherwise Bob wins.
Problem • Why does Alice (and Bob) sign their public keys as well? Isn’t it sufficient to sign the encryption?
Solution • No!!! • From the lecture: • Anderson and Needham [AN95] • Key-spoofing attacks against EtS • Recipient chooses (special?) public encryption key e • Such that for some m, m’, e’ holds: Ee’(m’)=Ee(m) • E.g. RSA: m’=me/e’m’e’=me • With CRT, can compute e’ for any m, m’, e • `Collision` of encryption (inputs: public key and data) • Signing the public key ensures that this key was used and no other key.
Problem • Suggest a way for independent parties to share keys for sessions. • The parties may hold a long term key with only one party, for each other parties they can’t hold/generate a long term/short term key. • The parties may trust some other parties. • You may NOT use DH/RSA.
Solution • Use a key distribution center for generating the keys. • Each entity trusts the KDC and holds a symmetrical key with him. • The KDC shall generate the keys. • Example: • Party A wishes to communicate with party B. • A’s key is KA, B’s key is KB. The keys are shared with the KDC only.
Solution • KDC generates a key KAB • KDC transmits the keys using • ENCKA(KAB) to A • ENCKB(KAB) to B
Problem • What about authentication? • Should we use the same keys for encryption and authentication? • How may we derive keys for authentication?
Solution • The use of MAC is required for authentication. • We MUST NOT use same keys for MAC and ENC (possible key/message exposure) • We MAY Derive keys as follows • PRFKA(“Encryption”) for encryption • PRFKA(“Authentication”) for authentication
Problem • How may you refresh the keys of the KDC (and clients) to provide proactive security such that all clients are synchronized and their keys are refreshed?
Solution • We may use forward secrecy • At period t+1 client A shall replace his key KA likewise • PRFKA(“Refresh”||t+1) • The same shall be with the KDC (same protocol) • For each Ki in { A, B, …} do • PRFKi(“Refresh”||t+1) • done
Problem • Does this solution provide forward secrecy? • How would you change the protocol to accommodate the requirements for forward secrecy?
Solution • Using DH methods • Generate p a large prime and g a generator. • User A shall generate a number aand gawhich shall be his private and public numbers. • The KDC shall generate a number ka and gkafor each of the clients. • The protocol • Use DH between the client and server to generate the new keys • Show the protocol including authentication to provide secure key refresh without eve performing a man in the middle attack or discover the new key.
Problem • What may be the problem with a central KDC?
Solution • Performace may decrease when clients increase. Especially when multicast clients are present • Security may be a very big issue (single point of failure, master keys recovery).
Problem • How should you improve performance? • Is replication a good performance improvement? • How does it affects security?
Solution • A naïve approach may be to replicate the KDC • This may solve some performance issues when done properly • This may decrease security because of multiple exact copies of the same information.