1. 2/24/2012
LOGO
Key Exchange Protocols
IT Faculty – DaLat University
February - 2012
Encryption
 For a plaintext M, a crypto algorithm A
and a cryptographic key K , the ciphertext
M‟ is calculated as follows:
 M‟ = A(K,M) = {M}K
Perfect Encryption
i) Without the key K (in the case of a
symmetric cryptosystem), or the matching
private key of K (in the case of an
asymmetric cryptosystem), the ciphertext
{M}K does not provide any cryptanalytic
means for finding the plaintext message
M.
1

2. 2/24/2012
Perfect Encryption
ii) The ciphertext {M}K and maybe together
with some known information about the
plaintext message M do not provide any
cryptanalytic means for finding the key K
(in the case of a symmetric cryptosystem),
or the matching private key of K (in the
case of an asymmetric cryptosystem).
The Dolev-Yao Threat Model
 In that model
 Malice (can ):
• can obtain any message passing through the
network
• is a legitimate user of the network, and thus in
particular can initiate a conversation with any other
user
• will have the opportunity to become a receiver to
any principal
• can send messages to any principal by
impersonating any other principal
The Dolev-Yao Threat Model
 Malice (cannot ):
• cannot guess a random number which is chosen from a
sufficiently large space
• without the correct secret (or private) key, cannot retrieve
plaintext from given ciphertext, and cannot create valid
ciphertext from given plaintext, wrt. the perfect encryption
algorithm
• cannot find the private component, i.e., the private key,
matching a given public key
• while he may have control of a large public part of our
computing and communication environment, in general,
he is not in control of many private areas of the
computing environment, such as accessing the memory
of a principal's offline computing device
2

3. 2/24/2012
The Dolev-Yao Threat Model
Suppose that two principals Alice and Bob wish
to communicate with each other in a secure
manner
ƒSuppose also that Alice and Bob have never
met before, so they do not already share a
secret key between them and do not already
know for sure the other party's public key
ƒThen how can they communicate securely over
completely insecure networks?
The Dolev-Yao Threat Model
The Dolev-Yao Threat Model
3

4. 2/24/2012
The Dolev-Yao Threat Model
1. Alice generates K at random, creates
{K}KAT, and sends to Trent: Alice, Bob,
{K}KAT
2. Trent finds keys KAT, KBT, decrypts
{K}KAT to reveal K, creates {K}KBT and
sends to Bob: Alice, Bob, {K}KBT
3. Bob decrypts {K}KBT to reveal K, forms
and sends to Alice: {Hello Alice, I'm
Bob!}K
.
The Dolev-Yao Threat Model
Problem: K created by Alice is not strong
enough  Bob is unhappy about this
ƒNew protocol: “Session key from Trent”
4

5. 2/24/2012
An attack
The Dolev-Yao Threat Model
This attack will only succeed if Malice is a
legitimate user known to Trent  a realistic
assumption – an insider attacker is often
more of a threat than outsiders
 A fix: 1. Alice sends to Trent: Alice, {Bob}KAT;
5

6. 2/24/2012
The Dolev-Yao Threat Model
 Another attack
1. Alice sends to Trent: Alice, {Bob}KAT;
1. Malice("Alice") sends to Trent: Alice,
{Malice}KAT
The Dolev-Yao Threat Model
Instead, Malice can alter the message
from Trent to Alice (message line 2 in
Protocol "Session Key From Trent) into the
following:
 Malice("Trent") sends to Alice: {K'}KAT
The Dolev-Yao Threat Model
Malice can alter some protocol messages
without detection.
This suggests that the protocol needs a
security service which can guard against
tampering of messages.
 This brings us to the following security
service “Protocol with message
authentication”
6

7. 2/24/2012
Protocol with Message Authentication
Malice has always been able to alter some
protocol messages without detection
 None of the protocols designed so far has
provided any cryptographic protection
against message alteration.
 Thus, one way to fix these protocols is to
provide such protection
Protocol with Message Authentication
The protection should enable legitimate
principals who have the right cryptographic
keys to detect any unauthorized alteration
of any protected protocol messages.
 Such protection or security service is
called message authentication (is also
called data integrity)
Protocol with Message Authentication
We observe that Malice‟s alteration of the
protocol messages has caused the
following two effects:
 a session key is shared between wrong
principals
 a wrong session key get established
 message authentication protection should
provide a cryptographic binding between
the session key to be established and its
intended users.
7

8. 2/24/2012
Protocol with Message Authentication
 This lead to a new protocol: “Message
Authentication”, where the identities of
Alice and Bob are included in the
encrypted message parts sent by Trent.
Perfect encryption for message
authentication service
 Perfect Encryption with Notation {M}K (for
message authentication service)
iii) Without the key K, even with the knowledge
of the plaintext M, it should be impossible for
someone to alter {M}K without being detected
by the recipient during the time of decryption
8

9. 2/24/2012
Attack on Protocol "Message Authentication"
Problem: message replay attack.
ƒMalice intercepts Alice's request, then:
 1. Alice sends to Malice(“Trent”)
 2. Malice(“Trent”) sends to Alice: {Bob,K'}KAT
,{Alice,K'} KBT
ƒTwo ciphertext blocks containing K' are a
replay of old messages which Malice has
recorded from a previous run of the
protocol (between Alice and Bob)
Attack on Protocol "Message Authentication"
This attack will cause Alice & Bob to reuse
the old session key K„
ƒSince K' is old, it may be possible for
Malice to have discovered its value
Protocol “challenge-response"
 Using this method Alice will generate a
new random number NA at the start of the
protocol and send this to Trent with the
request for a new session key
The random number NA created by Alice
for enabling the challenge-response
mechanism is called a nonce which stands
for a number used once
9

10. 2/24/2012
Protocol “challenge-response"
 An attack on the Needham-Schroeder
symmetric key authentication protocol:
 Bob thinks he is sharing a new session key
with Alice while actually the key is an old one
and may be known to Malice
10

11. 2/24/2012
Solution
A Protocol Using Public-key Cryptosystems
 Called the Needham-Schroeder Public-
key Authentication Protocol
 Alice public key is KA, Alice private key is
K-1A
11

12. 2/24/2012
A Protocol Using Public-key Cryptosystems
An attack on public key authentication
protocol
 Found after 17 years
 Result: Bob thinks he is sharing secrets NA,
NB with Alice while actually sharing them with
Malice
 Method: Malice makes use of Alice as she is
trying to establish a connection with him
A Protocol Using Public-key Cryptosystems
 Malice may ask for a session key and
Bob may believe that this request is from
Alice
ƒThen, an example if Bob is a bank,
Malice(“Alice”) sends to Bob the following
command:
 { NA, NB, Transfer 5000$ from my account to
Malice's“}KB
12

13. 2/24/2012
A Protocol Using Public-key Cryptosystems
It is fairly easy to change the protocol so
as to prevent the attack. If we include the
responder's identity in message 6 of the
protocol
 2-6. Bob sends to Malice("Alice"): {Bob, NA,
NB}KA
A Protocol Using Public-key Cryptosystems
 This is what we are using nowadays
13