Key Management Protocol with Implicit Certificates for IoT Systems


Savio Sciancalepore, Dep. of Electrical and Information Engineering (DEI), Politecnico di Bari, Italy
Angelo Capossele, Dep. of Computer Science, Sapienza University of Rome, Italy
Giuseppe Piro, Dep. of Electrical and Information Engineering (DEI), Politecnico di Bari, Italy
Gennaro Boggia, Dep. of Electrical and Information Engineering (DEI), Politecnico di Bari, Italy
Giuseppe Bianchi, Dep. of Electronic Engineering, University of Rome 2 Tor Vergata, Italy

ABSTRACT

This paper proposes a Key Management Protocol for mobile and industrial Internet of Things systems, targeting, at the same time, robust key negotiation, lightweight node authentication, fast re-keying, and efficient protection against replay attacks. The proposed approach pragmatically leverages widely accepted Elliptic Curve Cryptography constructions, specifically the (Elliptic Curve) "Fixed" Diffie Hellman key exchange and the (Elliptic Curve) Qu-Vanstone implicit certificates. Our added value is their suitable integration into a security protocol exchange, designed at layer 2 in the 802.15.4 protocol stack, which makes it possible to i) avoid Elliptic Point multiplications upon rekeying of previously paired devices, and ii) support mutual authentication while securing the protocol exchange. To prove its viability, the proposed Key Management Protocol has been implemented and assessed on severely constrained devices. As expected, but made explicit and quantified by our experimental performance evaluation, the usage of implicit certificates in conjunction with an optimized message exchange yields impressive gains in terms of airtime consumption with respect to state of the art schemes.

1. INTRODUCTION

The revolutionary Internet of Things (IoT) paradigm is enabling the interaction among smart objects, pervasively diffused across the Internet [9]. In this evolving context, security risks and threats are ever more critical; as such, the research community and the standardization bodies are currently working to define novel methodologies, protocols, and algorithms, in order to provide confidentiality, authentication, integrity, and availability services in mobile and industrial IoT systems [24][9].

Secure communication is mainly rooted in the implementation of robust Key Management Protocols (KMPs) [15]. About a decade ago, there was considerable skepticism on the feasibility of Public Key Cryptographic techniques over sensor devices, with the community largely in favor of symmetric techniques such as key pre-distribution [8]. Nowadays, many works, among which [7, 4, 19, 3] and many more, have duly assessed the viability of Elliptic Curve Cryptography (ECC) implementations even over severely constrained devices. What however remains surprising is the fact that, at the time of writing and to the best of our knowledge, most of the proposed approaches in both the standard bodies as well as from the scientific community (for more details see Sec. 2) still handle key negotiation and peer authentication via large X.509 certificates, which are extremely expensive in terms of transmission requirements.

In this work, we describe a KMP, integrated at layer 2 of the protocol stack, which aims at maximal airtime savings by natively exploiting the Elliptic Curve Qu-Vanstone (ECQV) technique for generating ultra-lightweight "implicit" certificates [6]. More specifically, our proposed protocol leverages a "fixed" Elliptic Curve Diffie Hellman (ECDH) exchange [10], with (statically assigned) public coefficients implicitly certified using ECQV. The protocol is complemented by the exchange of nonces along with the (lightweight) authentication of the exchanged message sequence, so as to guarantee mutual authentication and freshness in the key derivation (and very fast re-keying, when necessary). Our KMP has been implemented in the open source OpenWSN protocol stack [27], and its performance is preliminarily assessed in the remainder of the paper.

The rest of the paper is structured as follows: background material is reported in Sec. 2 along with a brief discussion of related work; Sec. 3 describes the conceived KMP mechanism and provides some implementation details; Sec. 4 illustrates the theoretical and experimental evaluation of the described solution; finally, Sec. 5 closes the paper and outlines directions for future work.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. IoT-Sys 2015, May 19-22, 2015, Florence, Italy. Copyright © 2015 ACM 978-1-4503-3502-7/15/05 ...$15.00. http://dx.doi.org/10.1145/2753476.2753477

2. A BACKGROUND ON SECURE DEVICE PAIRING

The literature background presented in this section remarks on the pros and cons of the most important solutions proposed so far. Moreover, it sheds some light on powerful approaches that can be considered for designing key negotiation schemes more suitable for mobile and industrial IoT systems.

2.1 Reference key negotiation algorithms

The pre-distribution of cryptographic keys represents the simplest approach that can be adopted for enabling security services in the IoT. It presents two main limitations: (i) in a scenario where the same key is shared among all the nodes, the impairment of a single device compromises the security of the whole network; (ii) the idea of configuring a dedicated key for each couple of devices does not scale with the network size [8]. Key agreement mechanisms may solve these issues. Most proposals are based on Diffie-Hellman (DH) and ECDH approaches [15]. As is well known, the DH algorithm is built on the multiplicative group of integers modulo p and derives its strength from the difficulty of solving the discrete logarithm problem. In ECDH, instead, the secret is negotiated through Elliptic Curve Cryptography (ECC) primitives, and the same security levels offered by DH can be achieved with shorter keys.

2.2 Authentication of communicating peers

Node authentication techniques are introduced for preventing Man-In-The-Middle (MITM) attacks during the key negotiation procedure. To this aim, devices involved in a KMP session need to exchange specific data structures (i.e., a certificate) to bind and authenticate their identities with public keys.

All the contributions discussed in both the research community and IETF standardization bodies (like [4] [16] [17] [19] [20] [25] [22]) make use of X.509 certificates [11], which contain, among other parameters, the device identity, its public key, and an explicit signature, provided by a trusted Certification Authority (CA). Unfortunately, the size of such certificates is too large. As an example, focusing on a 40 bytes long ECC public key, the OpenSSL tool¹ generates an X.509 certificate with a size equal to 864 bytes; of course, this value tends to increase with the length of the key. As a consequence, their transmission requires significant bandwidth usage and leads to high latencies and notable energy wastefulness; thus they cannot be considered well suited for networks made up of constrained devices.

An effective alternative can be the adoption of implicit certificates, that bind the identity of a node and its public […]

[…] the private keys of the CA, respectively. Before asking for a certificate, the device $I_A$ generates a random positive integer $r_A$; then, it computes a point $R_A$ on the chosen elliptic curve, $R_A = r_A \cdot G$, and sends it to the CA. The CA extracts a random positive integer $k$, computes $k \cdot G$ (another point on the elliptic curve), and generates the implicit certificate, $P_A$, and the implicit signature, $\gamma_A$, by using:

$$
\begin{cases}
P_A = R_A + k \cdot G \\
\gamma_A = c + k \cdot H(P_A, I_A)
\end{cases}
\tag{1}
$$

Now, it sends them to the device. Then, the device can generate its private key, $s_{v,A}$, and its public key, $P_{b,A}$, by:

$$
\begin{cases}
s_{v,A} = \gamma_A + r_A \cdot H(P_A, I_A) \\
P_{b,A} = s_{v,A} \cdot G
\end{cases}
\tag{2}
$$

As is well known, the most important strength of ECQV is that the public key of a given device can be computed by any other third party starting from the knowledge of the implicit certificate and the public key of the authority:

$$
P_{b,A} = s_{v,A} \cdot G = C + P_A \cdot H(P_A, I_A).
\tag{3}
$$

At the time of this writing, implicit certificates are only used in the Certificate Based Key Establishment (CBKE) protocol, integrated in the ZigBee IP specifications, for managing the authentication of nodes during the join procedure [1].

2.3 Re-keying mechanisms

Re-keying mechanisms are generally adopted when it is necessary to reduce the lifetime of a specific key during a communication session. Although lightweight mechanisms for the IoT have been proposed in [7] and [13], their joint adoption with ECC and ECQV has not yet been discussed in the literature.

3. THE PROPOSED KMP ALGORITHM

Without loss of generality, we suppose that implicit certificates are preloaded in each device by the network administrator before the deployment of the network.

In its main rationale, the developed KMP scheme is based on the exchange of four different logical messages. The first two messages carry the key materials (i.e., the ECQV implicit certificate and a nonce). ECQV implicit certificates jointly offer authentication and key agreement services in the sense that each node is able to compute, through a fixed ECDH mechanism, a shared secret starting from an authenticated public key. The last two messages, instead, are exchanged for finalizing the mutual authentication.
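The ECQV issuance and public-key reconstruction of Eqs. (1)-(3), followed by the fixed ECDH step that Sec. 3 relies on, as an added example that is not code from the paper or from OpenWSN. The P-256 curve, SHA-256 as H, the identity strings, and the HMAC-based `session_key` derivation over cached secret and nonces are assumptions of this example; the extract does not specify them.

```python
"""ECQV issuance, Eqs. (1)-(3), then fixed ECDH. Pure Python, demo only."""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (the curve choice is an assumption of this example).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def on_curve(pt):
    return pt is not None and (pt[1]**2 - pt[0]**3 - A * pt[0] - B) % P == 0

def H(cert, identity):
    """H(P_A, I_A): SHA-256 over the encoded point and the identity, reduced mod n."""
    data = cert[0].to_bytes(32, "big") + cert[1].to_bytes(32, "big") + identity
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def ca_issue(c, R_A, identity):
    """Eq. (1): P_A = R_A + k*G, gamma_A = c + k*H(P_A, I_A)."""
    k = secrets.randbelow(N - 1) + 1
    P_A = add(R_A, mul(k, G))
    return P_A, (c + k * H(P_A, identity)) % N

def reconstruct_public(C, P_A, identity):
    """Eq. (3): P_b = C + H(P_A, I_A)*P_A, computed from public data only."""
    if not on_curve(P_A):
        raise ValueError("certificate is not a point on the curve")
    return add(C, mul(H(P_A, identity), P_A))

def enroll(c, C, identity):
    """Device side: request a certificate, then derive s_v via Eq. (2)."""
    r_A = secrets.randbelow(N - 1) + 1
    P_A, gamma = ca_issue(c, mul(r_A, G), identity)  # c stays with the CA in practice
    s_v = (gamma + r_A * H(P_A, identity)) % N
    if mul(s_v, G) != reconstruct_public(C, P_A, identity):
        raise ValueError("implicit signature does not verify under C")
    return P_A, s_v

def ecdh(own_private, peer_public):
    """Fixed ECDH: x-coordinate of own_private * peer_public."""
    return mul(own_private, peer_public)[0].to_bytes(32, "big")

def session_key(shared, nonce_a, nonce_b):
    """Assumed KDF, not taken from the paper: HMAC-SHA256 over both nonces."""
    return hmac.new(shared, nonce_a + nonce_b, hashlib.sha256).digest()

def demo():
    c = secrets.randbelow(N - 1) + 1          # CA private key
    C = mul(c, G)                             # CA public key
    id_a, id_b = b"node-A", b"node-B"         # constructed identities
    cert_a, s_a = enroll(c, C, id_a)
    cert_b, s_b = enroll(c, C, id_b)
    # Each node sees only the peer's certificate, identity and nonce.
    z_a = ecdh(s_a, reconstruct_public(C, cert_b, id_b))
    z_b = ecdh(s_b, reconstruct_public(C, cert_a, id_a))
    # A's certificate presented under another identity yields an unrelated key.
    z_bad = ecdh(s_b, reconstruct_public(C, cert_a, b"node-E"))
    n_a, n_b = secrets.token_bytes(8), secrets.token_bytes(8)
    k1 = session_key(z_a, n_a, n_b)
    # Re-keying: fresh nonces over the cached secret, no point multiplication.
    k2 = session_key(z_a, secrets.token_bytes(8), secrets.token_bytes(8))
    return {"ecdh_agree": z_a == z_b, "wrong_identity_mismatch": z_bad != z_a,
            "peer_same_key": session_key(z_b, n_a, n_b) == k1,
            "rekey_changes_key": k1 != k2}

if __name__ == "__main__":
    print(demo())
```

The certificate carries no signature field: binding to the identity shows up only when the reconstructed key is used, which is why the protocol's last two messages are needed to confirm that both sides hold the same secret.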