1/25/11
  Public
key (asymmetric) cryptography
o  Modular exponentiation for encryption/
decryption
  Efficient algorithms for this
o  Attacker needs to factor large numbers to
extract key
  Must use brute-force
  One-way
hash functions
o  Collision-free, collision-resistant
o  MD5, SHA
  DES, AES (not on exams)
  Confidentiality,
integrity, non-repudiation
o  M, E(M), H(M), E(H(M)), H(E(M))
o  M + H(M) – integrity, H(M) must be stored not sent
o  M + E(H(M)) – integrity, non-repudiation (PK)
o  M + H(E(M)) – no sense
o  E(M) + H(M) – integrity, confidentiality
o  E(M) + E(H(M)) – integrity, confidentiality, nonrepudiation (use different keys)
o  E(M) + H(E(M)) – integrity, confidentiality
  Key
management is where much security
weakness lies
o  Choosing keys
o  Storing keys
o  Communicating keys
  Technically
easy
o  Distribute shared keys to each entity we want to
communicate with
  But
it doesn’t scale
o  Hundreds of servers…
o  Times thousands of users…
o  Yields ~ million keys
 Alice
creates a secret key, encrypts it with
Bob’s public key and sends it off
 Bob
decrypts the message with his private
 Use
shared key for further communication
key
 This
is how many applications work
 Could
communicate using public key
cryptography but it’s slow
1
1/25/11
  Exchange
a secret with someone you never
met while shouting in a room full of people
  Alice
and Bob agree on g and large n
  Alice
chooses random a, sends
  Bob
chooses random b, sends
  Alice
takes Bob’s message and calculates
  Bob
does the same; now they both know
shared secret
  First
four steps are the same
o Alice sends to Bob her public key Pub(A)
o Mallory captures this and sends to Bob Pub(M)
o Bob sends to Alice his public key Pub(B)
o Mallory captures this and sends to Alice Pub(M)
  Alice encrypts a message in Pub(M) but
sends half to Bob – Mallory cannot recover
this message and duplicate it
  This works if Mallory cannot mimic Alice’s
and Bob’s messages
  Step
toward Needham-Schroeder and
Kerberos mechanisms
  Key-distribution tied to authentication
o  If you know who you share a key with,
authentication is easy – they just send you
something encrypted with that key (must be
something you’ve chosen)
  Alice
sends to Bob her public key Pub(A)
captures this and sends to Bob Pub(M)
  Bob sends to Alice his public key Pub(B)
  Mallory captures this and sends to Alice
Pub(M)
  Now Alice and Bob correspond through
Mallory who can read all their messages
  Mallory
  Alice
and Bob need not exchange keys
directly to communicate
o Alice generates a random session key K
o She obtains Bob’s public key from a database
and encrypts K with that EB(K)
o She sends both the message encrypted with K,
EK(M) and a key EB(K) to Bob
  This
is how most real-world protocols work
 Proving
knowledge of shared key
o Nonce = Non repeating, random value
Alice
NA
Bob
KAB(NA)
NB
KAB(NB)
But where does KAB come from?
2
1/25/11
  KDC
= Key Distribution Center
o  Everyone shares a key with KDC, e.g., C shares KC
  User C sends request to KDC that they want
to communicate with the server S – need KCS
  KDC generates a key: Kcs
o Encrypted for each participant: Kc (Kcs), Ks(Kcs)
o Ks(Kcs) called ticket
o Ticket plus Kcs called credentials
o Ticket is opaque and forwarded with
application request
  No
keys ever traverse net in the clear
Third-party authentication service
o Distributes session keys for authentication,
confidentiality, and integrity
Problem: replay attack
KDC
in step 3
Fix: use timestamps
2. KC(NC, KCS, S, KS (KCS, C ))
1. C, S, NC
C
3.KS (KCS, C )
S
4.KCS (NS )
5.KCS (NS-1)
  What
happens if attacker does get session
key KCS?
o  Answer: Can reuse old session key to answer
challenge-response, generate new requests, etc
  Server
has no guarantee that KCS is fresh
an attacker gets hold of KC key he can
impersonate C to anyone
o  The only solution is for KDC to tell everyone that
  If
KC was revoked
  Protocol
guys
assumes all users of it are good
  Replace
(or supplement) nonce in request/
reply with timestamp
o  KC(KCS, S, NC, t) and KS(KCS, C, t) in steps 2,3
  Introduce
Ticket Granting Server (TGS)
o  Issues timed keys to resources
  Users log on to authentication server (AS)
  AS+TGS = KDC
  Uses timestamps with a lifetime instead of
nonces
o  Fixes freshness problem from Needham-Shroeder
3
1/25/11
  Chosen
paper must talk about
cryptography, authentication, authorization
or policy
o  Select from venues listed on the class Web page
o  Email me your chosen paper to verify it fits the
topic
  Write
2-4 page report
o  Summary of problem, why is it important and
hard, solution summary, evaluation and results,
your opinion and your ideas
o  Originality, clearness, writing style
o  Proof-read!!
o  Start now!
4