# על מפתחות ופרוטוקולים

• View
33

0

Embed Size (px)

DESCRIPTION

. . - PowerPoint PPT Presentation

Transcript

• **

Prof. Ehud Gudes Security Ch 4

• *Prof. Ehud Gudes Security Ch 3*

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3* -work factor

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3* ( -) ( ) . . -Certificate

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3* () , , , Revocation - , . .CRL Certificate Revocation List

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3* , , Diffie-Hellman

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3*Diffie-Hellman p g *(GF(p, (GF(p

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3*DH Protocol (agree on secret symmetric key)

Prof. Ehud Gudes Security Ch 3

• Diffie-Hellman Algorithm

• Diffie-Hellman Examplehaveprime number q = 353 primitive root = 3A and B each compute their public keysA computes YA = 397 mod 353 = 40B computes YB = 3233 mod 353 = 248then exchange and compute secret key:for A: K = (YB)XA mod 353 = 24897 mod 353 = 160for B: K = (YA)XB mod 353 = 40233 mod 353 = 160attacker must solve:3a mod 353 = 40 which is harddesired answer is 97, then compute key as B does

• *Prof. Ehud Gudes Security Ch 3* Diffie-Hellman ( ) : -Certificates DH (RSA DSA)

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3*- Authentication Authentication ( ) - Authenticity - Integrity

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3* AuthenticationAuthentication ()Authentication (, IP, URL )Authentication -MAC . .

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 4*Protocols for Authentication and Key Distribution

The goal of the protocol is usually the mutual authentication of the two parties and the exchange of a new symmetric key

The particular algorithm is usually not important

Prof. Ehud Gudes Security Ch 4

• *Prof. Ehud Gudes Security Ch 4*Protocols for Key DistributionSymmetric, only Two Parties.Secure channel or Diffie-Helman 2. Symmetric, using third party Key Distribution Center KDC (Needham protocol next) P likes to communicate with R KP and KR are symmetric keys with KDC P sends to KDC (P, R, ID) KDC to P: E((ID, R, KPR, E((KPR,P),KR)), KP) P sends to R Disadvantage: every new session needs KDC, replay.

Prof. Ehud Gudes Security Ch 4

• *Prof. Ehud Gudes Security Ch 3*Needham Protocol (symmetric)Problem - replay step 3

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3*Dennings Protocol1. A KDC:IDAIDB2. KDC A:Eka[KSIDBTEKb[KSIDAT]]3. A B:Ekb[KSIDAT]4. B A:Eks[N1] - Challenge5. A B:Eks[f(N1)] - Response

B can check the difference between his clock and the timestamp in step 3Problem synchronizing clocks

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3*Protocol Newman1. A B:IDANa2. B KDC:IDBNbEkb[IDANaTb]3. KDC A:Eka[IDBNaKsTb]EKb[IDA KSTb]Nb4. A B:Ekb[IDAKsTb]Eks[Nb]All protocols until now used symmetric keys

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3*Protocols For Key Distribution3. Asymmetric, without third partyP to R: ER (DP(K)R to P: E(n, K)P to R E(n+1, K) disadvantage: need to know public keys! Solution send your key? No! man in the middle problem!

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 4*4. Using third party to get public keys. KDC to P: EP(DC(R public key)) KDC to R: ER(DC(P public key))continue as before!

How both P and R know that Dc is the signature of KDC?Answer: Certificates!Protocols For Key Distribution

Prof. Ehud Gudes Security Ch 4

• *Prof. Ehud Gudes Security Ch 3*Protocol Woo-Lam1. A -> KDC: IDA IDBA B " KDC2. KDC-> A: EKRauth [IDB KUb]

A -3. A -> B: EKUb [Na || IDa ] B

4. B-> KDC: IDBIDAEKUauth[NA]5. KDC-> B: EKRauth[IDAKua]EKUb[EKRauth[NaKsIDB]]B - KDC A 6. B -> A: EKUa[EKRauth[NaKsIDB]Nb]B - A A 7. A -> B: Eks[Nb]A - B 6, 5, 4, 3 - A B - KDC - A - B.

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3*Other Protocols1. Mental poker2. Electronic voting3. Oblivious transfer4. Secret sharing

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3*Mental Poker

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3*Mental Poker Key DistributionSuppose Bill wants to update its public key Without the KDC knowing the pair((Kb,Kb-1KDC will send a stream of encrypted pairs.Bill will select a pair encrypt it with old key and send to KDC. KDC will decrypt it and send back to Bill who will decrypt it

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3*Electronic Voting

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 3*Oblivious Transfer

Prof. Ehud Gudes Security Ch 3

• *Prof. Ehud Gudes Security Ch 4*Zero Knowledge proofsZero knowledge example Fiat-Shamir proof of identity A trusted center chooses n=pq, and publishes n but keeps p and q secret. 2. Each prover A chooses a secret s with gcd(s,n)=1, and publishes v=s2 mod n. 3. A proves knowledge of s to B by repeating: (a) A chooses random r and sends r2 mod n to B. (b) B chooses random e in {0,1}, and sends it to A. (c) A responds with a=rse mod n. (d) B checks if a2 = ve r2 mod n. 1. if A follows the protocol and knows s, then B's check will always work 2. if A does not know s, then they can only answer the question with probability 1/2. x

Prof. Ehud Gudes Security Ch 4

*Prof. Ehud Gudes Security Ch 3Prof. Ehud Gudes Security Ch 3*Prof. Ehud Gudes Security Ch 3Prof. Ehud Gudes Security Ch 3*Prof. Ehud Gudes Security Ch 3Prof. Ehud Gudes Security Ch 3*Prof. Ehud Gudes Security Ch 3Prof. Ehud Gudes Security Ch 3*Prof. Ehud Gudes Security Ch 3Prof. Ehud Gudes Security Ch 3* - Diffie-HellmanProf. Ehud Gudes Security Ch 3Prof. Ehud Gudes Security Ch 3*Prof. Ehud Gudes Security Ch 3Prof. Ehud Gudes Security Ch 3*Prof. Ehud Gudes Security Ch 3Prof. Ehud Gudes Security Ch 3*The Diffie-Hellman key exchange algortihm is summarized in Figure 20.7. For this scheme, there are two publicly known numbers: a prime number q and an integer that is a primitive root of q. Suppose the users A and B wish to exchange a key. User A selects a random integer XA < q and computes . Similarly, user B independently selects a random integer XB < q and computes . Each side keeps the X value private and makes the Y value available publicly to the other side. Users A and B compute the key as shown. These two calculations produce identical results, as shown in the text. The result is that the two sides have exchanged a secret value. Furthermore, because XA and XB are private, an adversary only has the following ingredients to work with: q, , YA, and YB. Thus, the adversary is forced to take a discrete logarithm to determine the key. For example, to determine the private key of user B, an adversary must compute: XB = dlogq(YB). The adversary can then calculate the key K in the same manner as user B calculates it.The security of the Diffie-Hellman key exchange lies in the fact that, while it is relatively easy to calculate exponentials modulo a prime, it is very difficult to calculate discrete logarithms. For large primes, the latter task is considered infeasible.Prof. Ehud Gudes Security Ch 3*Here is an example. Key exchange is based on the use of the prime number q = 353 and a primitive root of 353, in this case = 3. A and B select secret keys XA = 97 and XB = 233, respectively. Each computes its public key:A computes YA = 397 mod 353 = 40.B computes YB = 3233 mod 353 = 248.After they exchange public keys, each can compute the common secret key:A computes K = (YB)XA mod 353 = 24897 mod 353 = 160. B computes K = (YA)XB mod 353 = 40233 mod 353 = 160.We assume an attacker would have available the following information:q = 353; = 3; YA = 40; YB = 248In this simple example, it would be possible by brute force to determine the secret key 160. In particular, an attacker E can determine the common key by discovering a solution to the equation 3a mod 353 = 40 or the equation 3b mod 353 = 248. The brute-force approach is to calculate powers of 3 modulo 353, stopping when the result equals either 40 or 248. The desired answer is reached with the exponent value of 97, which provides 397 mod 353 = 40. With larger numbers, the problem becomes impractical.Prof. Ehud Gudes Security Ch 3Prof. Ehud Gudes Security Ch 3*Prof. Ehud Gudes Security Ch 3Prof. Ehud Gudes Security Ch 3*Prof. Ehud Gudes Security Ch 3Prof. Ehud Gudes Security Ch 3*Prof. Ehud Gudes Security Ch 3Prof. Ehud Gudes Security Ch 3