Overview
- message integrity
- key management
- identification
- reliable transmission
- Kerberos
- PGP
Message Integrity
- attacker could modify part of a message P
- to prevent this, Alice can send Bob a hash
H(P) concatenated to the message
- hash does not need a key to compute
- must prevent attacker from modifying hash:
- authentic channel (transmissions cannot be corrupted)
- given shared secret keys K1, K2, send H(K2.H(K1.P))
- digital signatures: Alice sends M = D(P.H(P)) (D applied with her private key);
Bob encrypts M with Alice's public key to recover P.H(P) and checks the hash.
Key Management
how do Alice and Bob get to share a secret key?
- hand delivery
- use a secret key to encrypt and distribute other secret keys
(used by Kerberos)
- use a public key to encrypt and distribute secret keys (PGP, SSL)
- Diffie-Hellman key exchange:
- Alice and Bob agree on public numbers (z, p)
- Alice chooses a and Bob chooses b
- Alice to Bob: alpha = z^a mod p
- Bob to Alice: beta = z^b mod p
- Alice: K = beta^a mod p = z^{ab} mod p
- Bob: K = alpha^b mod p = z^{ab} mod p
Diffie-Hellman attacks
- easy to defeat if discrete logarithms modulo p ("modulo roots") are easy to compute
- man-in-the-middle ("Eve") attack:
- Eve does the exchange with both Alice and Bob, decrypting and re-encrypting
- Eve replaces alpha with alpha^q and beta with beta^q; the resulting
key is K^q, which is confined to a small set and therefore easier to guess
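The exchange above and the alpha^q substitution, as an added example that is not part of the original notes: the check on a received public value rejects anything outside the prime-order subgroup, which is how a party notices the confined value before deriving a key. The prime, generator and exponents are toy values chosen for illustration.

```python
# Added example (not from the notes): Diffie-Hellman over a toy safe
# prime, plus the public-value check that defeats the alpha^q
# "confinement" substitution.
import secrets

# Toy safe prime p = 2q + 1 (constructed for illustration; real
# deployments use 2048-bit or larger groups).
P = 23
Q = (P - 1) // 2   # prime order of the subgroup we work in (q = 11)
Z = 4              # generator of the order-q subgroup: 4^11 mod 23 == 1


def valid_public_value(y: int) -> bool:
    """Accept y only if it lies in the order-q subgroup.

    For a safe prime, alpha^q collapses to 1 (or p-1), so a value
    substituted by Eve fails this test and no key is derived from it.
    """
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def make_keypair():
    """Return (private exponent a, public value alpha = z^a mod p)."""
    a = secrets.randbelow(Q - 2) + 2   # a in [2, q-1]
    return a, pow(Z, a, P)


def shared_key(private: int, peer_public: int) -> int:
    """K = peer_public^private mod p, after validating the peer's value."""
    if not valid_public_value(peer_public):
        raise ValueError("peer public value not in the prime-order subgroup")
    return pow(peer_public, private, P)


def honest_exchange(a: int, b: int):
    """Alice holds a, Bob holds b; returns (K_alice, K_bob), which agree."""
    alpha, beta = pow(Z, a, P), pow(Z, b, P)
    return shared_key(a, beta), shared_key(b, alpha)
```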
Identification
- passwords (but sent in the clear)
- challenge-response:
Bob to Alice: X
Alice to Bob: F(X,K)
(Bob must know K)
- public key:
Bob to Alice: E(X)
Alice to Bob: X
- digital signature: Alice signs X and returns it to Bob
- zero-knowledge proof: Alice and Bob exchange messages that
convince Bob that Alice has the key, without
- transmitting the key
- Bob knowing the key
Reliability
security protocols can be attacked by:
- replaying messages (so, always include sequence number and/or
timestamp)
- deleting messages (so, always include sequence number)
Kerberos
- each client shares a secret key K[client] with an authentication
server
- Kerberos clients establish sessions with the server lasting up to 25 hours
- Alice requests a session key:
- Alice to S: give me session key SA
- S to Alice: E(SA . T, KA), with T=E(A . SA . time, KS)
- to connect to Bob, Alice requests a ticket and provides it to Bob:
- Alice to S: (T, Bob)
- S to Alice: E(S[AB], SA).E(Alice.S[AB], KB)
- Alice to Bob: E(Alice.S[AB], KB)
- DES used for encryption
PGP
- e-mail, file transfer
- no "a priori" shared secret key
- RSA (public-key cryptography) used to encrypt a secret key
- IDEA (secret-key cryptography) used to encrypt the message
using the secret key
- example:
- plaintext P sent from A to B (public key KB, private
key Kb)
- A picks a random message key Km
- A to B: E[RSA](Km, KB).E[IDEA](P, Km)
- B decrypts Km with Kb, then uses Km to decrypt P