CSCE 313 Lecture 26

« previous | Thursday, April 26, 2012 | next »

Private Key Exchange: Diffie Hellman

Alice and Bob agree on a large prime $m$ and "primitive root" $g{\pmod {m}}$ (these need not be secret)
Alice and Bob privately pik random integer $x$ and $y$ , respectively
Alice and Bob exchange $X=g^{x}{\pmod {m}}$ and $Y=g^{y}{\pmod {m}}$ , respectively
Alice and Bob privately compute $k=Y^{x}{\pmod {m}}$ and $k'=X^{y}{\pmod {m}}$ , respectively

$k=k'{\pmod {m}}$ since $k'=x^{y}=(g^{x})^{y}=g^{xy}=g^{yx}=(g^{y})^{x}=Y^{x}=k{\pmod {m}}$

Scheme can be broken if Eve succeeds to solve the equation $g^{x}=X{\pmod {m}}$ for $x$ ("the discrete logarithm base $g$ of $X$ modulo $m$ "). The only way to do this is to brute fore it, and even then, there are an infinite number of solutions.

Authentication

Primitives: sign() and verify()

Who is making the request? (authentication)
Is the received message the same as the sent message? (integrity)
How do I build an audit trail (accountability)

all of these are different problems to solve

Integrity Attacks

Alice wants to "Transfer $100 from account $X$ to account $Y$ "

Man in middle can modify, replay, reorder, or append.

Model

Sign uses $k_{1}$ and Verify uses $k_{2}$ Message $m$ and authentication $A(m)$ are sent together.

Symmetric Encryption ( $k_{1}=k_{2}$ ): $A(m)$ is "message authenticator"
Asymmetric Encryption ( $k_{1}\neq k_{2}$ $k_{1}\neq k_{2}$ ): $A(m)$ $A(m)$ is "signature"
- $A(m)=\mathrm {Hash} (m)^{k_{A,priv}}$

Public Key Distribution

How does Bob learn Alice's key? (public, shared)

Certificates

Alice sends a message and a signature to Bob: { m, sign(m, k[A][priv]) }
Bob wonders What is Alice's public key (to verify signature) and asks Charles (certificate authority such as VeriSign, Comodo, GoDaddy, etc.)
Charles looks up Alice's public key and sends it in its own message: { m="k[A][pub] = X", sign(m, k[C][priv])
Bob already has Charles' public key and is able to verify that the key is actually Alice's key.

Closer Look

Alice tells Charles that she is going to talk to Bob.
Charles sends certificates for Alice and Bob: { A, k[A][pub], TS }^k[C][priv] and { B, k[B][pub], TS }^k[c][priv]
Alice sends certificate and the proposed key to Bob: {A, k[A][pub], TS }^k[C][priv] (certificate), { {kAB, TS}^k[A][priv] }^k[B][pub] (proposed key)

Problem:

We assume Bob has Charles' key { C, k[C][pub], TS }^k[C][priv]
Bob masquerades as Alice for Charles: { A, k[A][pub], TS }^k[C][priv]

Message 3 from above does not specify the recipient.

SSL

Secure Socket Layer

One of the most widely used encryption protocols; used in HTTP, IMAP, FTP, etc. (add "S" for "secure" or "over SSL": HTTPS, IMAPS, SFTP)

Client and server negotiate a symmetric key that they will use for the length of the data session.

connection establishment phase (← SSL happens here)
data transfer

Connection Establishment Procedure

Client sends request to server containing
- SSL version
- connection preferences
- nonce (i.e. a random number)
Server chooses among preferences and sends reply containing
- chosen preferences
- nonce
- public-key certificate (signed by trusted authority)
Client uses certification authority's public key to check authenticity of server's public key
Server requests public key of client and similarly verifies it (optional)
Client chooses randeom number (premaster secret), encrypts it with server's public key, and sends it to server.
Both parties compute session key (used during data transfer) based on premaster secret and the two nonces.
- This session key is never transferred between the client and the server.