Download - 09 Basic Key Exchange Annotated
-
7/30/2019 09 Basic Key Exchange Annotated
1/36
Basickeyexchan
Trusted3rdpar7
Online Cryptography Course
-
7/30/2019 09 Basic Key Exchange Annotated
2/36
Keymanagement
Problem:nusers.Storingmutualsecretkeysisdiffi
Total:O(n)keysperuser
-
7/30/2019 09 Basic Key Exchange Annotated
3/36
AbeFersolu7on
OnlineTrusted3rdParty(TTP)
TTP
-
7/30/2019 09 Basic Key Exchange Annotated
4/36
Genera7ngkeys:atoyproto
AlicewantsasharedkeywithBob.Eavesdroppingse
Bob(kB) Alice(kA)
7cket
kAB kAB
AlicewantskeywithBo
(E,D)aCPA-s
-
7/30/2019 09 Basic Key Exchange Annotated
5/36
Genera7ngkeys:atoyproto
AlicewantsasharedkeywithBob.Eavesdroppingsec
Eavesdroppersees:E(kA,A,BllkAB);E(kB,A,
(E,D)isCPA-secure
eavesdropperlearnsnothingabou
Note:TTPneededforeverykeyexchange,knowsallse
(basisofKerberossystem)
-
7/30/2019 09 Basic Key Exchange Annotated
6/36
Toyprotocol:insecureagainstac7vea
Example:insecureagainstreplayaFacks
AFackerrecordssessionbetweenAliceandmercha
orexampleabookorder
AFackerreplayssessiontoBob
BobthinksAliceisorderinganothercopyofbook
-
7/30/2019 09 Basic Key Exchange Annotated
7/36
Keyques7on
Canwegeneratesharedkeyswithoutanonlinetrusted3
Answer:yes!
Star7ngpointofpublic-keycryptography:
Merkle(194),Diffie-Hellman(196),RSA(19 Morerecently:ID-basedenc.(B2001),unc7onalen
-
7/30/2019 09 Basic Key Exchange Annotated
8/36
EndofSegment
-
7/30/2019 09 Basic Key Exchange Annotated
9/36
Basickeyexchan
MerklePuzzles
Online Cryptography Course
-
7/30/2019 09 Basic Key Exchange Annotated
10/36
Keyexchangewithoutanonline
Alice
Goal:AliceandBobwantsharedkey,unknowntoeav
ornow:securityagainsteavesdroppingonly(no
eavesdropper??
Canthisbedoneusinggenericsymmetriccrypto?
-
7/30/2019 09 Basic Key Exchange Annotated
11/36
MerklePuzzles(194)
Answer:yes,butveryinefficient
Maintool:puzzles
Problemsthatcanbesolvedwithsomeeffort Example:E(k,m)asymmetriccipherwithk{0,
puzzle(P)=E(P,message)whereP=096l Goal:findPbytryingall232possibili7es
M kl l
-
7/30/2019 09 Basic Key Exchange Annotated
12/36
Merklepuzzles
Alice:prepare232puzzles
ori=1,,232chooserandomPi
{0,1}32
andxi
,
set puzzleiE(096llPi,Puzzle#xill
Sendpuzzle1,,puzzle232toBob
Bob:choosearandompuzzlejandsolveit.Obtain SendxjtoAliceAlice:lookuppuzzlewithnumberxj.Usekjassha
I fi
-
7/30/2019 09 Basic Key Exchange Annotated
13/36
Inafigure
Aliceswork:O(n) (preparenpuzzles)Bobswork:O(n) (solveonepuzzle)
Eavesdropperswork:O(n2)
Alice
puzzle1,,puzzlen
xj
kj
(e.g.2647me
-
7/30/2019 09 Basic Key Exchange Annotated
14/36
ImpossibilityResult
CanweachieveabeFergapusingageneralsymmetric
Answer:unknown
But:roughlyspeaking,
quadra7cgapisbestpossibleifwetreatcipheras
ablackboxoracle[IR89,BM09]
-
7/30/2019 09 Basic Key Exchange Annotated
15/36
EndofSegment
-
7/30/2019 09 Basic Key Exchange Annotated
16/36
Basickeyexchan
TheDiffie-Hellm
protocol
Online Cryptography Course
-
7/30/2019 09 Basic Key Exchange Annotated
17/36
Keyexchangewithoutanonline
Alice
Goal:AliceandBobwantsharedsecret,unknowntoea
ornow:securityagainsteavesdroppingonly(not
eavesdropper??
Canthisbedonewithanexponen7algap?
Th Diffi H ll t l
-
7/30/2019 09 Basic Key Exchange Annotated
18/36
TheDiffie-Hellmanprotocol(i
ixalargeprimep(e.g.600digits)
ixanintegergin{1,,p}
Alice
chooserandomain{1,,p-1} chooserandom
kAB=gab(modp) =(g
a)b
Ba(modp)=(gb)a=
-
7/30/2019 09 Basic Key Exchange Annotated
19/36
Security(muchmoreonthislate
Eavesdroppersees:p,g,A=ga(modp),andB=gb
Canshecomputegab(modp)??
Moregenerally:defineDHg(ga,gb)=gab(modp
HowhardistheDHfunc7onmodp?
How hard is the DH func7on mo
-
7/30/2019 09 Basic Key Exchange Annotated
20/36
HowhardistheDHfunc7onmo
Supposeprimepisnbitslong.
Bestknownalgorithm(GNS):run7meexp(
cipherkeysize modulussize
80bits 1024bits
128bits 302bits
256bits(AES) 15360bits
Asaresult:slowtransi7onawayfrom(modp)toellip
Ellip7csi
160
256
512
-
7/30/2019 09 Basic Key Exchange Annotated
21/36
Ellip7ccurv
Diffie-Hellm
-
7/30/2019 09 Basic Key Exchange Annotated
22/36
Insecureagainstman-in-the-mi
Asdescribed,theprotocolisinsecureagainstacJveaF
Alice MiTM
Another look at DH
-
7/30/2019 09 Basic Key Exchange Annotated
23/36
AnotherlookatDH
Facebook
Alice
a
Bob
b
Charlie
c
Davd
ga gb gc gd
KAC=gac KAC=g
ac
An open problem
-
7/30/2019 09 Basic Key Exchange Annotated
24/36
Anopenproblem
Facebook
Alice
a
Bob
b
Charlie
c
Davd
ga gb gc gd
KABCD KABCD KABCD KA
-
7/30/2019 09 Basic Key Exchange Annotated
25/36
EndofSegment
O li C t h C
-
7/30/2019 09 Basic Key Exchange Annotated
26/36
Basickeyexchan
Public-keyencry
Online Cryptography Course
E t bli hi h d
-
7/30/2019 09 Basic Key Exchange Annotated
27/36
Establishingasharedsecre
Alice
Goal:AliceandBobwantsharedsecret,unknowntoea
ornow:securityagainsteavesdroppingonly(not
eavesdropper??
Thissegment:adifferentapproach
P bli k 7
-
7/30/2019 09 Basic Key Exchange Annotated
28/36
Publickeyencryp7on
E D
Alice Bob
P bli k 7
-
7/30/2019 09 Basic Key Exchange Annotated
29/36
Publickeyencryp7on
Def:apublic-keyencryp7onsystemisatripleofalgs.
G():randomizedalg.outputsakeypair(pk,sk) E(pk,m):randomizedalg.thattakesmMandoutp D(sk,c):det.alg.thattakescCandoutputsmMConsistency:(pk,sk)outputbyG:
mM:D(sk,E(pk,m
S 7 S it
-
7/30/2019 09 Basic Key Exchange Annotated
30/36
Seman7cSecurityorb=0,1defineexperimentsEXP(0)andEXP(1)as:
Def:E =(G,E,D)issem.secure(a.k.aIND-CPA)ifforalle
AdvSS[A,E]=|Pr[EXP(0)=1]Pr[EXP(1)=1]|