FLAT: Federated Lightweight Authentication for the Internet of Things


Ad Hoc Networks 107 (2020) 102253. Contents lists available at ScienceDirect. Journal homepage: www.elsevier.com/locate/adhoc. https://doi.org/10.1016/j.adhoc.2020.102253. 1570-8705/© 2020 Elsevier B.V. All rights reserved.

Maria L.B.A. Santos (a), Jéssica C. Carneiro (a), Antônio M.R. Franco (a), Fernando A. Teixeira (b), Marco A.A. Henriques (c), Leonardo B. Oliveira (a, ∗)
(a) UFMG, Belo Horizonte, Brazil. (b) UFSJ, Ouro Branco, Brazil. (c) Unicamp, Campinas, Brazil.
∗ Corresponding author.

Article history: Received 3 March 2020; Revised 2 June 2020; Accepted 16 June 2020; Available online 26 June 2020.
Keywords: Internet of Things; security; authentication; federated identity management.

Abstract

Federated Identity Management schemes (FIdMs) are of great help for traditional systems, as they improve user authentication and privacy. In this paper, we claim that traditional FIdMs are mostly cumbersome and therefore ill-suited for IoT. As a solution to this problem, we came up with Federated Lightweight Authentication of Things (FLAT), a federated identity authentication protocol exclusively tailored to IoT. FLAT replaces the weighty protocols and public-key cryptographic primitives used in traditional FIdMs with lighter ones, such as symmetric cryptographic primitives and Implicit Certificates. Our results show that FLAT can reduce the data exchange overhead by around 31% when compared to a baseline solution. Also, the FLAT Client, the role played by an IoT device in the protocol, is more efficient than the baseline Client in terms of data exchange, storage, memory, and computation time. Our results indicate that FLAT runs efficiently, even on top of resource-constrained devices like Arduino.

1. Introduction

The development of the Internet of Things (IoT) [1–3] is a national priority in several countries around the world and is significantly impacting our society. Studies suggest that we are already surrounded by 20 billion IoT devices.¹ The IoT development has enabled a diverse number of applications in academia and industry.

When it comes to IoT, one of the most significant challenges to its full realization lies in the field of Identity Management (IdM) [4]. IdM refers to the identification of users in a given system (e.g., a network, application, or service) and the control of their access to resources within that system. (Here, the term identification means the process of authenticating the identity of a user [5].) Ideally, IdM provides administrators with the tools to manage the full life-cycle of a user's identity (e.g., setup, maintenance, and tear down) and is thus vital to the security and productivity of organizations.

Federated Identity Management (FIdM) [7], in turn, improves on the IdM idea by enabling a domain to control access to its resources by external users. For instance, it allows an external user to authenticate to a local server and use its services without having to create an identity or register credentials locally. Instead, the authentication process between the user and the Service Provider (SP) is mediated by the Identity Provider (IdP) of the user's home domain. FIdM, hence:
• enables applications like Single-Sign-On (SSO);
• increases privacy by limiting the amount of information shared;
• and improves the end-user experience and security by eliminating the need to register new accounts and restricting the number of entities that hold the user's password.

Fig. 1 illustrates how traditional FIdM works. The Client initiates communication with the SP (Fig. 1, step 1). The SP, in turn, redirects the Client to the IdP (step 2). Next, the Client requests an assertion (or token) from the IdP (step 3) and authenticates itself to the IdP by presenting its credentials (steps 4 and 5). The IdP, in exchange, sends the assertion to the Client (step 6). This assertion is then used by the Client to get access to the SP service (steps 7 and 8). All these steps are normally protected and authenticated by public key infrastructure certificates, which have to be validated by all participants.

[Fig. 1. Traditional FIdM (adapted from Birrell and Schneider [6], Figure 2).]

So far, unfortunately, IoT technology cannot fully enjoy the benefits of either IdM or FIdM. This is so because the widely adopted approaches to both IdM and FIdM are inadequate for IoT [8]. First and foremost, there is no such thing as IdM for IoT devices. Instead, in existing (F)IdM schemes, IoT devices make use of the credentials of individual (human) users to log on and enjoy domain services. However, this is both insecure and inappropriate, as devices should not have the same clearance level as users, and some IoT devices just cannot be naturally linked to any individual user. (For example, which user should a traffic light system be running as?) Second, the mobile nature and dynamics of IoT demand a higher level of scalability and interoperability across multiple domains than conventional network elements do [8]. And last but not least, the authentication process in existing (F)IdM schemes typically builds upon the login/password paradigm, which is usually fine for humans but ill-suited for devices [9], and leverages expensive RSA/DSA cryptosystems, hence incurring significant computational overhead [10]. So, there is patently a dire need for a FIdM able to meet the special needs of IoT.

As a solution to this problem, we propose a FIdM protocol exclusively tailored to IoT, called Federated Lightweight Authentication of Things (FLAT).² In short, we designed, developed, and evaluated a lightweight authentication protocol well-suited for IoT-like devices based on Federated Identity. By lightweight, we mean that FLAT replaces the cumbersome protocols and costly public-key cryptosystem operations used in traditional FIdM with more efficient ones. This lightness, in turn, enables even highly resource-constrained IoT devices to participate in a federation and thus to enjoy its benefits. Our key insight while conceiving FLAT was to combine symmetric cryptosystems and Implicit Certificates [12] synergistically. Additionally, we built a prototype of FLAT and evaluated its performance and security. Our results indicate that FLAT runs efficiently on top of constrained devices like the Arduino Due.

This paper is organized as follows. We first present the concepts necessary to understand the authentication solution (Section 2) and discuss the related work (Section 3). Next, we argue the need for lightweight cross-domain authentication schemes (Section 4). Then, we present how FLAT meets this need (Section 5) and evaluate the security of the protocol (Section 6). We describe the development of FLAT (Section 7), discuss its performance figures (Section 8), and then sum up our findings (Section 9).

¹ https://www.gartner.com/en/newsroom/press-releases/2017-02-07-gartner-says-8-billion-connected-things-will-be-in-use-in-2017-up-31-percent-from-2016
² Santos et al. [11] introduced the first concepts of FLAT and preliminary results.

2. Background

This section introduces some necessary concepts related to FLAT, including the characterization of IoT devices, fundamental concepts in FIdM, and some cryptosystems used in the solution.

2.1. IoT

Society is experiencing an increasing number of connected devices: smartphones, sensors, and computers can communicate and cooperate to perform specific tasks [1]. In this sense, IoT is a network of everyday objects with certain capabilities communicating to reach a specific goal [13].

There are numerous possibilities in IoT, including applications in several different domains such as healthcare, transportation, smart cities, smart homes, agriculture, and traffic management [2]. Undoubtedly, IoT can bring a series of advantages and enhancements to businesses and also increase the comfort and quality of services. The possibilities brought by IoT have caught the attention of the scientific community, hence making IoT a research topic of general interest.

Among the several open research topics in IoT are privacy, standardization, and authentication [1]. FLAT addresses exactly the authentication issue in IoT, considering the lack of computational resources and the potential mobility of devices, as well as other inherent aspects of IoT that are not present in the traditional Internet.

2.2. IoT Devices

As IoT devices are deployed in environments with very different needs, these devices also have diverse characteristics, varying in size, type, and computational capabilities. Some devices have very low computational and storage capabilities, so protocols and processes executed by these devices must be lightweight. Here, this kind of IoT device is referred to as re-

[Fig. 2. IdM main operations.]

Table 1. Examples of IoT devices.

Class       Device        CPU (GHz)    SRAM (MB)    Flash (GB)
restricted  Memsic IRIS   8.0 x 10^-3  7.8 x 10^-3  1.2 x 10^-4
            Arduino Mega  1.6 x 10^-2  7.8 x 10^-3  2.4 x 10^-4

... users and devices to these resources and manages the entire life-cycle of users' (and devices') digital identities [14]. A digital identity, in turn, is a set of attributes or any other data that together can uniquely identify one entity (user, device, institution), usually proven through the use of credentials [14].
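The traditional FIdM flow of Fig. 1 (steps 1 to 8), simulated in Python as an added example that is not from the paper or the FLAT prototype. The IdP and SP names, the device identity and its credentials are constructed; an HMAC key shared between IdP and SP stands in for the PKI-certificate signature the text mentions, because the standard library has no public-key signing, and the checks the SP performs on the assertion (signature, issuer, audience, expiry, one-time request id) are what "validated by all participants" amounts to in practice.

```python
import hashlib
import hmac
import json
import os
import secrets

# Constructed demo secret shared by the IdP and the SP. It stands in for the
# PKI-certificate signatures the paper describes, since the standard library
# has no public-key signing; the message flow is what this example shows.
IDP_SP_KEY = b"constructed-demo-key-not-for-production"
ASSERTION_TTL = 60  # seconds an assertion stays valid


def sign(key: bytes, payload: dict) -> str:
    """MAC over a canonical JSON encoding of the assertion payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """IdP of the Client's home domain: checks credentials, issues assertions."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self._users = {}  # user -> (salt, PBKDF2 hash); never the password itself

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._kdf(password, salt))

    def issue_assertion(self, user, password, audience, request_id, now):
        """Steps 3-6: authenticate the Client, then hand it an assertion."""
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(rec[1], self._kdf(password, rec[0])):
            return None  # steps 4-5 failed: no assertion
        payload = {"iss": self.name, "sub": user, "aud": audience,
                   "req": request_id, "iat": now, "exp": now + ASSERTION_TTL}
        return {"payload": payload, "sig": sign(self.key, payload)}


class ServiceProvider:
    """SP in a foreign domain: redirects to the IdP, then validates its assertion."""

    def __init__(self, name: str, idp_name: str, key: bytes):
        self.name, self.idp_name, self.key = name, idp_name, key
        self._pending, self._used = set(), set()

    def request_access(self) -> dict:
        """Steps 1-2: the Client has no session, so redirect it to the IdP."""
        request_id = secrets.token_hex(8)
        self._pending.add(request_id)
        return {"redirect_to": self.idp_name, "sp": self.name, "request_id": request_id}

    def present_assertion(self, assertion: dict, now: int) -> str:
        """Steps 7-8: accept the assertion only if every binding checks out."""
        payload, sig = assertion["payload"], assertion["sig"]
        if not hmac.compare_digest(sig, sign(self.key, payload)):
            return "rejected: bad signature"
        if payload["iss"] != self.idp_name or payload["aud"] != self.name:
            return "rejected: wrong issuer or audience"
        if not payload["iat"] <= now < payload["exp"]:
            return "rejected: expired"
        req = payload["req"]
        if req not in self._pending or req in self._used:
            return "rejected: unknown or replayed request"
        self._pending.discard(req)
        self._used.add(req)  # each redirect is answered at most once
        return "granted: " + payload["sub"]


def run_flow(user: str, password: str, now: int = 1_600_000_000, delay: int = 0) -> list:
    """Run steps 1-8 and return the outcome of each presentation of the assertion."""
    idp = IdentityProvider("idp.home.example", IDP_SP_KEY)
    idp.register("device-42", "correct horse battery")  # constructed device credential
    sp = ServiceProvider("sp.example", "idp.home.example", IDP_SP_KEY)
    other_sp = ServiceProvider("other-sp.example", "idp.home.example", IDP_SP_KEY)
    redirect = sp.request_access()                                          # steps 1-2
    assertion = idp.issue_assertion(user, password, redirect["sp"],
                                    redirect["request_id"], now)            # steps 3-6
    if assertion is None:
        return ["rejected by IdP: bad credentials"]
    present_at = now + delay
    return [sp.present_assertion(assertion, present_at),        # steps 7-8, legitimate use
            sp.present_assertion(assertion, present_at),        # the same assertion a second time
            other_sp.present_assertion(assertion, present_at)]  # assertion bound to sp.example


if __name__ == "__main__":
    for outcome in run_flow("device-42", "correct horse battery"):
        print(outcome)
```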