Lecture 16: Key Establishment Flashcards
What does key establishment in TLS use to allow clients and servers to share a new communication key?
public keys
What is Kerberos?
A widely used system for secure communications which achieves key establishment without using public keys
What are the four phases of key management?
generation
distribution
protection
destruction
Comment on the key generation phase in key management
keys should be generated s.t. they are equally likely to occur
Comment on the key distribution phase in key management
keys should be distributed in a secure fashion
Comment on the key protection phase in key management
keys should be accessible for use in relevant cryptographic algorithms, but not accessible to unauthorised parties
Comment on the key destruction phase in key management
once a key has performed its function, it should be destroyed s.t. it is of no value to an attacker
What are the two keys involved in the simple 2-level hierarchy?
Long-term keys
Short-term keys
What are long-term keys also called?
static keys
How long are long-term keys intended to be used for?
a long time
depending on the application, from few hours to few years
What are long-term keys used to protect?
used to protect distribution of session keys
What are short-term keys also called?
session keys
How long are short-term keys intended to be used for?
a short period
depending upon the application, from a few seconds to a few hours
What are short-term/session keys used to protect?
protect communications in a session (e.g. with authenticated encryption)
In practice, what are session keys? Why?
symmetric keys used with ciphers (e.g. AES, MAC)
–> due to their greater efficiency over public key algorithms
What type of keys can long-term keys be?
Either symmetric or asymmetric keys, depending on how they are used
What does key establishment involve figuring out?
how to establish secret session keys among communicating parties using the long-term keys
What are common approaches to do key establishment? (3)
1) key pre-distribution
2) using an online server with symmetric long-term keys
3) using asymmetric long-term keys
What are the two key distribution security goals?
1) authentication
2) confidentiality
Explain the authentication key distribution security goal
if Alice completes the protocol and believes that the key is shared with Bob, then it should not be the case that the key is actually shared with another party
Explain the confidentiality key distribution security goal
the adversary is unable to obtain the session key accepted by a particular party
In formal models, how has the key establishment protocol been seen as broken?
if the adversary can distinguish the session key from a random string
When does the key establishment protocol provide mutual authentication?
if both parties achieve the authentication goal
When does the key establishment protocol provide unilateral authentication?
if only one party achieves the authentication goal
What are the four adversary capabilities of a strong adversary who knows the details of the cryptographic algorithms involved?
1) eavesdrop on all messages sent in a protocol
2) alter all messages sent in a protocol using any info available to them
3) re-route any messages (including new ones) to any other party
4) obtain the value of the session key used in any previous run of the protocol
Who generates and distributes long-term keys to all users when they join the system?
a trusted authority (TA)
Explain the simple schemes for distribution of pre-shared keys
- Assigning a secret key for each pair of users
- The number of keys thus grows quadratically
• The TA only operates in the pre-distribution phase
–> does not need to be online afterwards
• poor scalability
Explain the probabilistic scheme for distribution of pre-shared keys
- reducing key material at each party
- but only guaranteeing a secure channel between any 2 users with some (high) probability
- suitable for sensor networks
Explain the key distribution process using symmetric keys
- key distribution with an online server
- TA shares a long-term key with each user
- An online TA generates and distributes session keys for users when requested –> secure fashion using long-term keys
What is a single point of attack in key distribution using symmetric keys?
the TA (highly trusted)
Comment on scalability for key distribution using symmetric keys
can be problematic
Explain key distribution for asymmetric cryptography
- no online TA required
- public keys used for authentication
- public keys managed by PKI (certificates and CAs)
• users are trusted to generate good session keys
–> a good pseudo-random number generator required at each party
What are the two types of key distribution using asymmetric cryptography?
1) key transport
2) key agreement
What happens when a long-term key is compromised?
- the attacker can now act as the owner of the long-term key
- previous session keys may also be compromised
- -> this can be the case with key transport
- -> prevent with key agreement
What is required for a protocol to provide (perfect) key secrecy?
if compromise of long-term secret keys does NOT reveal session keys previously agreed using those long-term keys
What is key transport?
user chooses key material and sends it encrypted to another party
–> sometimes message is also signed by sender
Does TLS include the option for key transport?
yes
Does key transport provide forward secrecy?
NO
What is key agreement?
• 2 parties each provide input to the key material
• providing authentication with public keys
–> by signing the exchanged messages
What is an example of key agreement?
Diffie-Hellman protocol (widely used)
Does TLS include options for key agreement?
yes
Does key agreement provide forward secrecy?
yes
What is the notation for signed Diffie-Hellman?
See slide 18 in set 16
In signed Diffie-Hellman, do Alice and Bob both know each other’s public verification key?
yes
In signed Diffie-Hellman, is there forward secrecy?
yes, since long-term signing keys are only used for authentication
Explain the signed Diffie-Hellman protocol process
See slide 19 in set 16
When was the Needham-Schroeder protocol published?
1978
What is the Needham-Schroeder protocol?
widely known key establishment protocol
What is an example of where the Needham-Schroeder protocol is used?
Kerberos
What is the Needham-Schroeder protocol vulnerable to?
replay attacks
–> attacker can replay an old protocol message s.t. an honest party will accept an old session key
What are the parties and their notation in the Needham-Schroeder protocol?
- 2 parties A and B want to establish a shared secret key
* S is the TA
What are the shared secret keys and their notation in the Needham-Schroeder protocol?
A and S share the long-term key KAS
B and S share the long-term key KBS
New session key KAB generated by S
What are the involved nonces and their notation in the Needham-Schroeder protocol?
NA, NB are randomly generated for one-time use
In terms of the Needham-Schroeder protocol, what does S -> A:M mean?
that S sends a message M to A
What does {M}k denote?
the authenticated encryption of message M using the key K
Give and explain the diagram for the Needham-Schroeder protocol
See slide 23 in set 16
Explain how a replay attack occurs on the Needham-Schroeder protocol and give the diagram
See slide 24 in set 16
To defend against replay attacks what is required for each session i.t.o Needham-Schroeder protocol?
established key must be fresh (new)
What are some of the freshness mechanisms i.t.o Needham-Schroeder protocol?
1) random challenges (nonces)
2) timestamps (string on the current time)
3) counters (increased for each new message)
What does the repaired Needham-Schroeder protocol use for freshness?
random challenges
-> it can be adapted to use timestamps and counters
Explain the process for the repaired protocol using random challenges i.t.o Needham-Schroeder protocol and give the diagram
See slide 26 in set 16
What are tickets i.t.o the Needham-Schroeder protocol?
another way to fix the Needham-Schroeder protocol
Explain how tickets work for the Needham-Schroeder protocol
See slide 27 in set 16
Explain the repaired protocol which uses tickets i.t.o Needham-Schroeder protocol and give the diagram
See slide 28 in set 16
What is the latest version of Kerberos?
version 5
What standard is Kerberos in?
RFC 4120 (2005)
Who uses Kerberos as their default?
Default Windows domain authentication method from Windows 2000
What are the goals of Kerberos?
- Secure network authentication service in an insecure network environment
- Single sign-on (SSO) solution
- providing access selectively for a number of different online services, using individual tickets
- establishing session keys to deliver confidentiality and integrity services for each service access
What is a single sign-on SSO?
users only need to enter usernames and passwords once for a session
How many levels does the Kerberos protocol have?
3
Explain the first level of the Kerberos protocol
client C interacts with authentication server AS in order to obtain a ticket-granting ticket
–> happening once for a session (e.g. one day long)
–> C only authenticates once at the start of a session
Explain the second level of the Kerberos protocol
C interacts with ticket-granting server TGS in order to obtain a service-granting ticket
–> happening once for each server during the session
Explain the third level of the Kerberos protocol
C interacts with application server V in order to obtain a service
–> happening once for each time C requires service during the session
Give and explain the diagram for level 1 of Kerberos
See slide 32 in set 16
What is the key K_C in level 1 of Kerberos?
- symmetric key shared between AS and C
* typically generated by the workstation of C from a password entered by C at logon time
What is the key K_C,TGS in level 1 of Kerberos?
• new symmetric key generated by AS and shared between TGS and C
What is the nonce N_1 in level 1 of Kerberos?
nonce used by C to check that key K_C,TGS is fresh
What is the key K_TGS in level 1 of Kerberos?
long-term key shared between AS and TGS
Give and explain the diagram for level 2 of Kerberos
See slide 34 in set 16
What is the ticket_TGS in level 2 of Kerberos?
the same as the one sent in level 1
What is the key K_C,V in level 2 of Kerberos?
session key shared between V and C
What is the nonce N_2 in level 2 of Kerberos?
nonce used by C to check that key K_C,V is fresh
Why must TGS first get K_C,TGS from ticket_TGS and then check the fields in the authenticator_TGS are valid in level 2 of Kerberos?
- checking that TS_1 is recent
* checking that C is authorized to access V
In practice, are AS and TGS the same machine i.t.o level 2 of Kerberos?
yes
Give and explain the diagram for level 2 of Kerberos
See slide 36 in set 16
What is the ticket ticket_v in level 3 of Kerberos?
the same as the one sent in level 2
What is K_C,V, contained in ticket_V, in level 3 of Kerberos?
same as the one sent in level 2
What is the reply from V intended to provide in level 3 of Kerberos?
mutual authentication
–> C can check that it is using the right application server V
Define timestamp i.t.o Kerberos
- includes start and end times
* can be suggested by C in the latest version of Kerberos (v5)
Define realm i.t.o Kerberos
a domain over which an authenticated server has the authority to authenticate a user
Define flag i.t.o Kerberos
used in tickets to indicate when and how tickets should be used
Define sequence number i.t.o. Kerberos
optional, initiated during the client-server exchange
Define subkey i.t.o Kerberos
derived from the key K_C,V
Comment on the scalability of Kerberos
limited
• even though different realms are supported, one realm needs to share a key with each other realm
- Kerberos best suited for corporate environments with shared trust
- public-key variants exist
Comment on the attack limitations of Kerberos
- offline password guessing
* when the key K_C is derived from a human memorable password
Comment on the limitations of the standard for Kerberos
does not specify how to use the session key once it is established