Lecture 16: Key Establishment

Question 1

What does key establishment in TLS use to allow clients and servers to share a new communication key?

Answer 1

public keys

Question 2

What is Kerberos?

Answer 2

A widely used system for secure communications which achieves key establishment without using public keys

Question 3

What are the four phases of key management?

Answer 3

generation
distribution
protection
destruction

Question 4

Comment on the key generation phase in key management

Answer 4

keys should be generated s.t. they are equally like to occur

Question 5

Comment on the key distribution phase in key management

Answer 5

keys should be distributed in a secure fashion

Question 6

Comment on the key protection phase in key management

Answer 6

keys should be accessible for use in relevant cryptographic algorithms, but not accessible to unauthorised parties

Question 7

Comment on the key destruction phase in key management

Answer 7

once a key has performed its function, it should be destroyed s.t. it is of no value to an attacker

Question 8

What are the two keys involved in the simple 2-level hierarchy?

Answer 8

Long-term keys

Short-term keys

Question 9

What are long-term keys also called?

Answer 9

static keys

Question 10

How long are long-term keys intended to be used for?

Answer 10

a long time

depending on the application, from few hours to few years

Question 11

What are long-term keys used to protect

Answer 11

used to protect distribution of session keys

Question 12

What are short-term keys also called?

Answer 12

session keys

Question 13

How long are short-term keys intended to be used for?

Answer 13

a short period

depending upon the application, from a few seconds to a few hours

Question 14

What are short-term/session keys used to protect?

Answer 14

protect communications in a session (e.g. with authenticated encryption)

Question 15

In practice, what are session keys? Why?

Answer 15

symmetric keys used with ciphers (e.g. AES, MAC)

–> due to their greater efficiency over public key algorithms

Question 16

What type of keys can long-term keys be?

Answer 16

Either symmetric or asymmetric keys, depending on how they are used

Question 17

What is does key establishment involved figuring out?

Answer 17

how to establish secrete session keys among communication parties using the long-term keys

Question 18

What are common approaches to do key establishment? (3)

Answer 18

1) key pre-distribution
2) using an online server with symmetric long-term keys
3) using asymmetric long-term keys

Question 19

What are the two key distribution security goals?

Answer 19

1) authentication

2) confidentiality

Question 20

Explain the authentication key distribution security goal

Answer 20

if Alice completes the protocol and believes that the key is shared with Bob, then it should not be the case that the key is actually shared with another party

Question 21

Explain the confidentiality key distribution security goal

Answer 21

the adversary is unable to obtain the session key accepted by a particular party

Question 22

In formal models, how has the key establishment protocol been seen as broken?

Answer 22

if the adversary can distinguish the session key from a random string

Question 23

When does the key establishment protocol provide mutual authentication?

Answer 23

if both parties achieve the authentication goal

Question 24

When does the key establishment protocol provide unilateral authentication

Answer 24

if only one party achieves the authentication goal

Question 25

What are the four adversary capabilities of a strong adversary who knows the details of the cryptographic algorithms involved

Answer 25

1) eavesdrop on all messages sent in a protocol 2) alter all messages sent in a protocol using any info available to them 3) re-route any messages (including new ones) to any other party 4) obtain the value of the session key used in any previous run of the protocol

Question 26

Who generates and distributes long-term keys to all users when they join the system?

Answer 26

a trusted authority (TA)

Question 27

Explain the simple schemes for distribution of pre-shared keys

Answer 27

* Assigning a secrete key for each pair of uses * The number of keys thus grows quadratically • The TA only operates in the pre-distribution phase --> does not need to be online afterwards • poor scalability

Question 28

Explain the probabilistic scheme for distribution of pre-shared keys

Answer 28

* reducing key material at each party * but only guaranteeing a secure channel between any 2 users with some (high) probability * suitable for sensor networks

Question 29

Explain the key distribution process using symmetric keys

Answer 29

* key distribution with an online server * TA shares a long-term shares a long-term shared key with each user * An online TA generates and distributes session keys for users when requested --> secure fashion using long-term keys

Question 30

What is a single point of attack in key distribution using symmetric keys?

Answer 30

the TA (highly trusted)

Question 31

Comment on scalability for key distribution using symmetric keys

Answer 31

can be problematic

Question 32

Explain key distribution for asymmetric cryptography

Answer 32

* no online TA required * public keys used for authentication * public keys managed by PKI (certificates and CAs) • users are trusted to generate good session keys --> a good pseudo-random number generator required at each party

Question 33

What are the two types of key distribution using asymmetric cryptography?

Answer 33

1) key transport | 2) key agreement

Question 34

What happens when a long-term key is compromised?

Answer 34

* the attacker can now act as the owner of the long-term key * previous session keys kay also be compromised - -> this can be the case with key transport - -> prevent with key agreement

Question 35

What is required for a protocol to provide (perfect) key secrecy

Answer 35

if compromise of long-term secrete keys does NOT reveal session keys previously agreed using those long-term keys

Question 36

What is key transport?

Answer 36

user chooses key material and sends it encrypted to another party --> sometimes message is also signed by sender

Question 37

Does TLS include the option for key transport?

Answer 37

yes

Question 38

Does key transport provide forward secrecy

Answer 38

NO

Question 39

What is key agreement?

Answer 39

• 2 parties each provide input to the key material • prodiving authentication with public keys --> by signing the exchanged messages

Question 40

What is an example of key agreement?

Answer 40

Diffie-Hellman protocol (widely used)

Question 41

Does TLS include options for key agreement?

Answer 41

yes

Question 42

Does key agreement provide forward secrecy?

Answer 42

yes

Question 43

What is the notation for signed Diffie-Hellman?

Answer 43

See slide 18 in set 16

Question 44

In signed Diffie-Hellman, do Alice and Bob both know each other's public verification key?

Answer 44

yes

Question 45

In signed Diffie-Hellman, is there forward secrecy?

Answer 45

yes, since long-term signing keys are only used for authentication

Question 46

Explain the signed Diffie-Hellman protocol process

Answer 46

See slide 19 in set 16

Question 47

When was the Needham-Schroeder protocol published?

Answer 47

1978

Question 48

What is the Needham-Schroeder protocol?

Answer 48

widely known key establishment protocol

Question 49

What is an example of where the Needham-Schroeder protocol is used?

Answer 49

Kerberos

Question 50

What is the Needham-Schroeder protocol vulnerable to?

Answer 50

replay attacks | --> attacker can replay old protocol message s.t. an honest party will accept an old session key

Question 51

What are the parties and their notation in the Needham-Schroeder protocol?

Answer 51

* 2 parties A and B want to establish a shared secrete key | * S is the TA

Question 52

What are the shared secret keys and their notation in the Needham-Schroeder protocol?

Answer 52

A and S share the long-term key KAS B and S share the long-term key KBS New session key KAB generated by S

Question 53

What are the involved nonces and their notation in the Needham-Schroeder protocol?

Answer 53

NA, NB are randomly generated for one-time use

Question 54

In terms of the Needham-Schroeder protocol, what does S -> A:M mean?

Answer 54

that S sends a message M to A

Question 55

What does {M}k denote?

Answer 55

the authenticated encryption of message M using the key K

Question 56

Give and explain the diagram for the Needham-Schroeder protocl

Answer 56

See slide 23 in set 16

Question 57

Explain how a replay attack occurs on the Needham-Schroeder protocol and give the diagram

Answer 57

See slide 24 in set 16

Question 58

To defend against replay attacks what is required for each session i.t.o Needham-Schroeder protocol?

Answer 58

established key must be fresh (new)

Question 59

What are some of the freshness mechanisms i.t.o Needham-Schroeder protocol?

Answer 59

1) random challenges (nonces) 2) timestamps (string on the current time) 3) counters (increased for each new message)

Question 60

What does the repaired Needham-Schroeder protocol use for freshness?

Answer 60

random challenges | -> it can be adapted to use timestamps and counters

Question 61

Explain the process for the repaired protocol using random challenges i.t.o Needham-Schroeder protocol and give the diagram

Answer 61

See slide 26 in set 16

Question 62

What are tickets i.t.o the Needham-Schroeder protocol?

Answer 62

another way to fix the Needham-Schroeder protocol

Question 63

Explain how tickets work for the Needham-Schroeder protocol

Answer 63

See slide 27 in set 16

Question 64

Explain the repaired protocol which uses tickets for i.t.o Needham-Schroeder protocol and given diagram

Answer 64

See slide 28 in set 16

Question 65

What is the latest version of Kerberos?

Answer 65

version 5

Question 66

What standard is Kerberos in ?

Answer 66

RFC 4120 (2005)

Question 67

Who uses Kerberos as their defualt?

Answer 67

Default Windows domain authentication method from Windows 2000

Question 68

What are the goals of Kerberos?

Answer 68

* Secure network authentication service in an insecure network environment * Single sign-on (SSO) solution * providing access selectively for a number of different online services, using individual tickets * establishing session keys to deliver confidentiality and integrity services for each service access

Question 69

What is a single sign-on SSO?

Answer 69

users only need to enter usernames and passwords once for a session

Question 70

How many levels does the Kerberos protocol have?

Answer 70

3

Question 71

Explain the first level of the Kerberos protocol

Answer 71

client C interacts with authentication server AS in order to obtain a ticket-granting ticket --> happening once for a session (e.g. one day long) --> C only authenticates once at the start of a session

Question 72

Explain the second level of the Kerberos protocol

Answer 72

C interacts with ticket-granting server TGS in order to obtain a service-granting ticket --> happening once for each server during the session

Question 73

Explain the third level of the Kerberos protocol

Answer 73

C interacts with application server V in order to obtain a service --> happening once for each time C requires service during the session

Question 74

Give and explain the diagram for level 1 of Kerberos

Answer 74

See slide 32 in set 16

Question 75

What is the key K_C in level 1 of Kerberos?

Answer 75

* symmetric key shared between AS and C | * typically generated by the workstation of C from a password entered by C at logon time

Question 76

What is the key K_C,TGS in level 1 of Kerberos?

Answer 76

• new symmetric key generated by AS and shared between TGS and C

Question 77

What is the nonce N_1 in level 1 of Kerberos?

Answer 77

nonce used by C to check that key K_C,TGS is fresh

Question 78

What is the key K_TGS in level 1 of Kerberos?

Answer 78

long-term key shared between AS and TGS

Question 79

Give and explain the diagram for level 2 of Kerberos

Answer 79

See slide 34 in set 16

Question 80

What is the ticket_TGS in level 2 of Kerberos?

Answer 80

the same as the one sent in level 1

Question 81

What is the key K_C,V in level 2 of Kerberos?

Answer 81

session key shared between V and C

Question 82

What is the nonce N_2 in level 2 of Kerberos?

Answer 82

nonce used by C to check that key K_C,V is fresh

Question 83

Why must TGS first get K_C,TGS from ticket_TGS and then check the fileds in the authenticator_TGS are valid in level 2 of Kerberos?

Answer 83

* checking that TS_1 is recent | * checking that C is authorized by access V

Question 84

In practice, are AS and TGS the same machine i.t.o level 2 of Kerberos?

Answer 84

yes

Question 85

Give and explain the diagram for level 2 of Kerberos

Answer 85

See slide 36 in set 16

Question 86

What is the ticket ticket_v in level 3 of Kerberos?

Answer 86

the same as the one sent in level 2

Question 87

What is K_C,V, contained in ticket_V, in level 3 of Kerberos?

Answer 87

same as the one sent in level 2

Question 88

What is the reply from V intend to provide in level 3 of Kerberos?

Answer 88

mutual authentication --> C can check that it is using the right application server V

Question 89

Define timestamp i.t.o Kerberos

Answer 89

* includes start and end times | * can be suggested by C in the latest version of Kerberos (v5)

Question 90

Define realm i.t.o Kerberos

Answer 90

a domain over which an authenticated server has the authority to authenticate a user

Question 91

Define flag i.t.o Kerberos

Answer 91

used in tickets to indicate when and how tickets should be used

Question 92

Defined sequence number i.t.o. Kerberos

Answer 92

optional, initiated during the client-server exchange

Question 93

Define subkey i.t.o Kerberos

Answer 93

derived from the key K_C,V

Question 94

Comment on the scalability of Kerberos

Answer 94

limited • even though different realms are supported, one realm needs to share a key with each other realm * Kerberos best suited for corporate environments with shared trust * public-key variants exist

Question 95

Comment on the attack limitations of Kerberos

Answer 95

* offline password guessing | * when the key K_C derived from a human memorable password

Question 96

Comment on the limitations of the standard for Kerberos

Answer 96

does not specify how to sue the session key once it is established