09 basic key exchange annotated

7/30/2019 09 Basic Key Exchange Annotated

1/36

Basickeyexchan

Trusted3rdpar7

Online Cryptography Course


2/36

Keymanagement

Problem:nusers.Storingmutualsecretkeysisdiffi

Total:O(n)keysperuser


3/36

AbeFersolu7on

OnlineTrusted3rdParty(TTP)

TTP


4/36

Genera7ngkeys:atoyproto

AlicewantsasharedkeywithBob.Eavesdroppingse

Bob(kB) Alice(kA)

7cket

kAB kAB

AlicewantskeywithBo

(E,D)aCPA-s


5/36

Genera7ngkeys:atoyproto

AlicewantsasharedkeywithBob.Eavesdroppingsec

Eavesdroppersees:E(kA,A,BllkAB);E(kB,A,

(E,D)isCPA-secure

eavesdropperlearnsnothingabou

Note:TTPneededforeverykeyexchange,knowsallse

(basisofKerberossystem)


6/36

Toyprotocol:insecureagainstac7vea

Example:insecureagainstreplayaFacks

AFackerrecordssessionbetweenAliceandmercha

orexampleabookorder

AFackerreplayssessiontoBob

BobthinksAliceisorderinganothercopyofbook


7/36

Keyques7on

Canwegeneratesharedkeyswithoutanonlinetrusted3

Answer:yes!

Star7ngpointofpublic-keycryptography:

Merkle(194),Diffie-Hellman(196),RSA(19 Morerecently:ID-basedenc.(B2001),unc7onalen


8/36

EndofSegment


9/36

Basickeyexchan

MerklePuzzles



10/36

Keyexchangewithoutanonline

Alice

Goal:AliceandBobwantsharedkey,unknowntoeav

ornow:securityagainsteavesdroppingonly(no

eavesdropper??

Canthisbedoneusinggenericsymmetriccrypto?


11/36

MerklePuzzles(194)

Answer:yes,butveryinefficient

Maintool:puzzles

Problemsthatcanbesolvedwithsomeeffort Example:E(k,m)asymmetriccipherwithk{0,

puzzle(P)=E(P,message)whereP=096l Goal:findPbytryingall232possibili7es

M kl l


12/36

Merklepuzzles

Alice:prepare232puzzles

ori=1,,232chooserandomPi

{0,1}32

andxi

,

set puzzleiE(096llPi,Puzzle#xill

Sendpuzzle1,,puzzle232toBob

Bob:choosearandompuzzlejandsolveit.Obtain SendxjtoAliceAlice:lookuppuzzlewithnumberxj.Usekjassha

I fi


13/36

Inafigure

Aliceswork:O(n) (preparenpuzzles)Bobswork:O(n) (solveonepuzzle)

Eavesdropperswork:O(n2)

Alice

puzzle1,,puzzlen

xj

kj

(e.g.2647me


14/36

ImpossibilityResult

CanweachieveabeFergapusingageneralsymmetric

Answer:unknown

But:roughlyspeaking,

quadra7cgapisbestpossibleifwetreatcipheras

ablackboxoracle[IR89,BM09]


15/36

EndofSegment


16/36

Basickeyexchan

TheDiffie-Hellm

protocol



17/36

Keyexchangewithoutanonline

Alice

Goal:AliceandBobwantsharedsecret,unknowntoea

ornow:securityagainsteavesdroppingonly(not

eavesdropper??

Canthisbedonewithanexponen7algap?

Th Diffi H ll t l


18/36

TheDiffie-Hellmanprotocol(i

ixalargeprimep(e.g.600digits)

ixanintegergin{1,,p}

Alice

chooserandomain{1,,p-1} chooserandom

kAB=gab(modp) =(g

a)b

Ba(modp)=(gb)a=


19/36

Security(muchmoreonthislate

Eavesdroppersees:p,g,A=ga(modp),andB=gb

Canshecomputegab(modp)??

Moregenerally:defineDHg(ga,gb)=gab(modp

HowhardistheDHfunc7onmodp?

How hard is the DH func7on mo


20/36

HowhardistheDHfunc7onmo

Supposeprimepisnbitslong.

Bestknownalgorithm(GNS):run7meexp(

cipherkeysize modulussize

80bits 1024bits

128bits 302bits

256bits(AES) 15360bits

Asaresult:slowtransi7onawayfrom(modp)toellip

Ellip7csi

160

256

512


21/36

Ellip7ccurv

Diffie-Hellm


22/36

Insecureagainstman-in-the-mi

Asdescribed,theprotocolisinsecureagainstacJveaF

Alice MiTM

Another look at DH


23/36

AnotherlookatDH

Facebook

Alice

a

Bob

b

Charlie

c

Davd

ga gb gc gd

KAC=gac KAC=g

ac

An open problem


24/36

Anopenproblem

Facebook

Alice

a

Bob

b

Charlie

c

Davd

ga gb gc gd

KABCD KABCD KABCD KA


25/36

EndofSegment

O li C t h C


26/36

Basickeyexchan

Public-keyencry


E t bli hi h d


27/36

Establishingasharedsecre

Alice

Goal:AliceandBobwantsharedsecret,unknowntoea

ornow:securityagainsteavesdroppingonly(not

eavesdropper??

Thissegment:adifferentapproach

P bli k 7


28/36

Publickeyencryp7on

E D

Alice Bob

P bli k 7


29/36

Publickeyencryp7on

Def:apublic-keyencryp7onsystemisatripleofalgs.

G():randomizedalg.outputsakeypair(pk,sk) E(pk,m):randomizedalg.thattakesmMandoutp D(sk,c):det.alg.thattakescCandoutputsmMConsistency:(pk,sk)outputbyG:

mM:D(sk,E(pk,m

S 7 S it


30/36

Seman7cSecurityorb=0,1defineexperimentsEXP(0)andEXP(1)as:

Def:E =(G,E,D)issem.secure(a.k.aIND-CPA)ifforalle

AdvSS[A,E]=|Pr[EXP(0)=1]Pr[EXP(1)=1]|

09 basic key exchange annotated

Documents