Security protocols, Lecture 8: Key agreement

Diffie-Hellman Key Agreement

• shared prime p and generator g of Zp* ; ra, rb – private random values
• 1. A -> B: g^ra mod p
• 2. B -> A: g^rb mod p
K = (g^ra)^rb mod p = (g^rb)^ra mod p = g^(ra*rb) mod p

KRP ZS 2020/2021 Key agreement 2 Diffie-Hellman Key Agreement

• security rests on the intractability of the Diffie-Hellman problem (DDH)
• man-in-the-middle attack (C intercepts both messages, acting as CB towards A and as CA towards B):
• 1. A -> CB : g^ra mod p
• 1.' CA -> B : g^rc mod p
• 2.' B -> CA : g^rb mod p
• 2. CB -> A : g^rc mod p
KAC = g^(ra*rc) mod p ; KCB = g^(rc*rb) mod p
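The two-message exchange and the relay above, as an added example (not code from the lecture): a Python simulation over a constructed toy group (p = 1019, q = 509, g = 4, chosen for readability and not for any real use) that computes the honest key and then the two keys C obtains in the man-in-the-middle run. The point it makes is the defender's one: nothing in the two messages binds g^ra or g^rb to an identity, which is what the authenticated variants later in the lecture add.

```python
"""Diffie-Hellman over a small constructed group, plus the unauthenticated
relay from the slide.  Parameters are toy values chosen for readability
(a safe prime p = 2q + 1 and a generator of the order-q subgroup); a
deployment would use a standardised group of at least 2048 bits."""
import secrets

P = 1019   # constructed toy safe prime, p = 2*509 + 1
Q = 509    # prime order of the subgroup generated by G
G = 4      # 2^2 mod p, so G generates the subgroup of order Q


def fresh_exponent(q=Q):
    """Private random exponent r in [1, q-1] (ra, rb, rc on the slide)."""
    return 1 + secrets.randbelow(q - 1)


def public_value(r, p=P, g=G):
    """g^r mod p, the value sent on the wire."""
    return pow(g, r, p)


def shared_key(own_r, peer_pub, p=P):
    """K = (peer_pub)^own_r mod p."""
    return pow(peer_pub, own_r, p)


def honest_run(ra, rb):
    """Messages 1 and 2 between A and B; returns (K at A, K at B)."""
    ta = public_value(ra)          # 1. A -> B: g^ra mod p
    tb = public_value(rb)          # 2. B -> A: g^rb mod p
    return shared_key(ra, tb), shared_key(rb, ta)


def relayed_run(ra, rb, rc):
    """The man-in-the-middle run: C answers A as 'B' and B as 'A', substituting
    g^rc for both public values.  Returns (K at A, KAC at C, KCB at C, K at B).
    A and B each agree a key with C and cannot tell, because neither public
    value is tied to an identity."""
    ta = public_value(ra)          # 1.  A  -> CB : g^ra mod p
    tc = public_value(rc)          # 1.' CA -> B  : g^rc mod p ; 2. CB -> A : g^rc mod p
    tb = public_value(rb)          # 2.' B  -> CA : g^rb mod p
    k_a = shared_key(ra, tc)       # A computes (g^rc)^ra
    k_ac = shared_key(rc, ta)      # C computes (g^ra)^rc, equal to k_a
    k_cb = shared_key(rc, tb)      # C computes (g^rb)^rc, equal to k_b
    k_b = shared_key(rb, tc)       # B computes (g^rc)^rb
    return k_a, k_ac, k_cb, k_b


if __name__ == "__main__":
    ra, rb, rc = fresh_exponent(), fresh_exponent(), fresh_exponent()
    print("honest run, keys agree:", honest_run(ra, rb))
    print("relayed run (K_A, KAC, KCB, K_B):", relayed_run(ra, rb, rc))
```

With fixed exponents ra = 7, rb = 11 the honest run gives g^77 mod p on both sides; with rc = 13 in the relayed run A's key equals C's KAC and B's key equals C's KCB, while A's and B's keys differ from each other.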

One-Pass Key Establishment with ElGamal encryption

• xa, xb – private DH long-term keys
• ya = g^xa mod p ; yb = g^xb mod p

• A -> B : g^ra mod p

K = g^(ra*xb) mod p = yb^ra mod p
freshness of g^ra mod p ?

One-Pass Key Establishment with ElGamal encryption

• xa, xb – private DH long-term keys
• ya = g^xa mod p ; yb = g^xb mod p

(Agnew, Mullin, Vanstone)
• A -> B : g^ra mod p, s = t * yb^ra mod p
t = s * inv(g^(ra*xb)) mod p ; K = s^t mod p = (g^(xa*xb))^t mod p

(Nyberg, Rueppel) t – time
• A -> B : g^ra mod p, s = ra – xa * #(t, yb^ra mod p) mod p
K = g^(ra*xb) mod p ; verify g^ra mod p ?=? g^s * ya^#(t, K)

(Lim, Lee)
1. A -> B: {Na}S
2. B -> A: {A, Nb}(S xor Na)
3. A -> B: {Na}(S xor Na)
S = f(g^(xa*xb) mod p) ; K = Na xor Nb

Diffie-Hellman Authenticated

• xa, xb – private long-term keys
• ya = g^xa mod p ; yb = g^xb mod p

MTI (Matsumoto-Takashima-Imai) (1986)
• A -> B: g^ra mod p
• B -> A: g^rb mod p
K = (g^rb)^xa * yb^ra mod p = (g^ra)^xb * ya^rb mod p = g^(ra*xb + rb*xa) mod p

KEA (Key Exchange Algorithm) – NSA (1998)
• A -> B: g^ra mod p
• B -> A: g^rb mod p
K = (g^rb)^xa + yb^ra mod p = (g^ra)^xb + ya^rb mod p
+ check that g^rb and yb lie in the subgroup G of order q, q | (p-1)

Diffie-Hellman Authenticated Key Exchange

xa, xb – private long-term keys ; ya = g^xa mod p ; yb = g^xb mod p

Unified Model Protocol (NIST SP-800)

• A -> B: g^ra mod p
• B -> A: g^rb mod p
K = ((g^rb)^ra mod p || g^(xa*xb) mod p) = ((g^ra)^rb mod p || g^(xa*xb) mod p)

MQV protocol (IEEE P1363-2000)

• A -> B: g^ra mod p    ta = (g^ra mod p)_w (low w bits)
• B -> A: g^rb mod p    tb = (g^rb mod p)_w
sa = (ra + ta*xa) mod q ; sb = (rb + tb*xb) mod q ; q | (p-1)
K = (g^rb * yb^tb)^sa mod p = (g^ra * ya^ta)^sb mod p
+ check -> forward secrecy
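MQV from the slide as an added Python example (not the lecture's own code). The group is the constructed toy p = 1019, q = 509, g = 4 and w = 6 low bits; the "+ check" is implemented as the range and subgroup test on every received public value, which is the same check the KEA slide calls for, and the block raises instead of computing a key when it fails.

```python
"""MQV key agreement over a small constructed group, including the
public-value check the slide marks as '+ check' (the same subgroup
check KEA requires).  Toy parameters: p = 2q + 1 = 1019, generator G of
the order-q subgroup; W = 6 low bits stands in for the w of the slide."""

P, Q, G = 1019, 509, 4   # constructed toy group, q | (p-1)
W = 6                    # number of low bits used for ta, tb


def is_valid_public(y, p=P, q=Q):
    """True if y lies in (1, p-1) and in the subgroup of order q."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def low_bits(x, w=W):
    """(x)_w on the slide: the low w bits of x."""
    return x & ((1 << w) - 1)


def mqv_key(own_r, own_x, own_eph, peer_eph, peer_long, p=P, q=Q):
    """One side's computation: s = (r + t*x) mod q and
    K = (peer_eph * peer_long^t_peer)^s mod p."""
    for value in (peer_eph, peer_long):
        if not is_valid_public(value, p, q):
            raise ValueError("received public value failed the subgroup check")
    t_own = low_bits(own_eph)
    t_peer = low_bits(peer_eph)
    s_own = (own_r + t_own * own_x) % q
    base = peer_eph * pow(peer_long, t_peer, p) % p
    return pow(base, s_own, p)


def mqv_run(xa, xb, ra, rb):
    """Full exchange with long-term keys xa, xb and ephemerals ra, rb;
    returns (K at A, K at B)."""
    ya, yb = pow(G, xa, P), pow(G, xb, P)          # long-term public keys
    ta_pub, tb_pub = pow(G, ra, P), pow(G, rb, P)  # A -> B: g^ra ; B -> A: g^rb
    k_a = mqv_key(ra, xa, ta_pub, tb_pub, yb)      # (g^rb * yb^tb)^sa
    k_b = mqv_key(rb, xb, tb_pub, ta_pub, ya)      # (g^ra * ya^ta)^sb
    return k_a, k_b
```

Both sides end with g^(sa*sb) mod p because the exponent (rb + tb*xb)(ra + ta*xa) is the same product read from either side; with xa = 5, xb = 9, ra = 7, rb = 11 the low bits are ta = 16 and tb = 36, so sa = 87, sb = 335.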

STS protocol (with explicit authentication)

• Station-to-Station protocol – forward secrecy (compromise of the long-term keys does not compromise the session keys established in previous protocol runs)
(Diffie) shared prime p and generator g of Zp*
• 1. A -> B : ta = g^ra mod p
• 2. B -> A : tb = g^rb mod p, {SigB(tb, ta)}K'
• 3. A -> B : {SigA(ta, tb)}K'    verify
K = (ta)^rb mod p = (tb)^ra mod p ; K' = f(K) (ra, rb – ephemeral keys)

(Lowe's attack)
• 1. A -> CB : Cert(A), Cert(B), ta = g^ra mod p
• 1'. C -> B : Cert(C), Cert(B), ta = g^ra mod p
• 2'. B -> C : Cert(B), Cert(C), tb = g^rb mod p, {SigB(tb, ta)}K'
• 2. CB -> A : Cert(B), Cert(A), tb = g^rb mod p, {SigB(tb, ta)}K'
• 3. A -> CB : Cert(A), Cert(B), {SigA(ta, tb)}K'

STS protocol modified (avoid Lowe's attack)
• 1. A -> B : ta = g^ra mod p
• 2. B -> A : tb = g^rb mod p, SigB(tb, ta, A)
• 3. A -> B : SigA(ta, tb, B)    verify
K = (ta)^rb mod p = (tb)^ra mod p

STS protocol using MAC
• 1. A -> B : ta = g^ra mod p
• 2. B -> A : tb = g^rb mod p, SigB(tb, ta), [tb, ta]K'
• 3. A -> B : SigA(ta, tb), [ta, tb]K'
K = (ta)^rb mod p = (tb)^ra mod p ; K' = f(K)
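The modified STS run and the MAC variant together, as an added Python example rather than code from the lecture. Signatures are toy Schnorr signatures over the same constructed group (an assumption, the slides fix no signature scheme), f is SHA-256 and [.]K' is HMAC-SHA-256; the signature carries the intended peer's identity as in the modified STS, and the MAC over (tb, ta) / (ta, tb) under K' is the key confirmation of the MAC variant.

```python
"""Station-to-Station, modified form (identity of the intended peer inside
the signature, as on the 'avoid Lowe's attack' slide) together with the
key-confirmation MAC of the 'STS using MAC' slide.  Signatures are toy
Schnorr signatures over the same group so the block needs only the
standard library; the group parameters are constructed toy values."""
import hashlib
import hmac
import secrets

P, Q, G = 1019, 509, 4   # constructed toy group: p = 2q + 1, G of order q


def h_int(*parts):
    """Hash arbitrary values to a 256-bit integer."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def schnorr_sign(x, *msg):
    """Sig_x(msg) = (e, s) with e = H(g^k, msg), s = k - x*e mod q."""
    k = 1 + secrets.randbelow(Q - 1)
    e = h_int(pow(G, k, P), *msg)
    return e, (k - x * e) % Q


def schnorr_verify(y, sig, *msg):
    """Recompute g^k = g^s * y^e and compare the hash."""
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P
    return h_int(r, *msg) == e


def derive_k_prime(K):
    """K' = f(K): a symmetric key derived from the DH value."""
    return hashlib.sha256(f"STS-K'|{K}".encode()).digest()


def mac(k_prime, *msg):
    """[msg]K' on the slide."""
    data = b"|".join(str(x).encode() for x in msg)
    return hmac.new(k_prime, data, hashlib.sha256).digest()


def sts_run(xa, xb, ra, rb):
    """Three messages of modified STS with MACs; returns (K at A, K at B).
    Raises ValueError if a signature or MAC fails to verify."""
    ya, yb = pow(G, xa, P), pow(G, xb, P)
    ta = pow(G, ra, P)                                   # 1. A -> B : ta
    # B's side
    tb = pow(G, rb, P)
    k_b = pow(ta, rb, P)
    kp_b = derive_k_prime(k_b)
    sig_b = schnorr_sign(xb, tb, ta, "A")                # SigB(tb, ta, A)
    mac_b = mac(kp_b, tb, ta)                            # [tb, ta]K'
    # 2. B -> A : tb, SigB(tb, ta, A), [tb, ta]K'
    k_a = pow(tb, ra, P)
    kp_a = derive_k_prime(k_a)
    if not schnorr_verify(yb, sig_b, tb, ta, "A"):
        raise ValueError("B's signature does not verify for A")
    if not hmac.compare_digest(mac_b, mac(kp_a, tb, ta)):
        raise ValueError("B's key confirmation MAC failed")
    sig_a = schnorr_sign(xa, ta, tb, "B")                # SigA(ta, tb, B)
    mac_a = mac(kp_a, ta, tb)                            # [ta, tb]K'
    # 3. A -> B : SigA(ta, tb, B), [ta, tb]K'
    if not schnorr_verify(ya, sig_a, ta, tb, "B"):
        raise ValueError("A's signature does not verify for B")
    if not hmac.compare_digest(mac_a, mac(kp_b, ta, tb)):
        raise ValueError("A's key confirmation MAC failed")
    return k_a, k_b
```

Checking a signature B made for A with a different peer name, `schnorr_verify(yb, sig_b, tb, ta, "C")`, returns False: that is what the identity inside the signature buys against Lowe's attack, where C could otherwise forward B's signature unchanged.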

Oakley protocol (RFC 2412)

• aggressive mode
• 1. A -> B: CKA, ta = g^ra mod p, list, A, B, Na, SigA(A, B, Na, ta, list)
• 2. B -> A: CKB, CKA, tb = g^rb mod p, algo, B, A, Nb, Na, SigB(B, A, Nb, Na, tb, ta, algo)    verify
• 3. A -> B: CKA, CKB, ta, algo, A, B, Na, Nb, SigA(A, B, Na, Nb, ta, tb, algo)    verify
Z = (ta)^rb mod p = (tb)^ra mod p ; K = [CKA, CKB, Z](Na, Nb)

• conservative mode (CKA, CKB – cookies, to mitigate DoS attacks)
• 1. A -> B: OK
• 2. B -> A: CKB
• 3. A -> B : CKA, CKB, ta = g^ra mod p, list
• 4. B -> A : CKB, CKA, tb = g^rb mod p, algo    KE = #(Z)
• 5. A -> B : CKA, CKB, ta, {A, B, {|Na|}Kb}KE    KM = #(Na, Nb)
• 6. B -> A : CKB, CKA, { {|Nb, Na|}Ka, B, A, [B, A, tb, ta, algo]KM }KE
• 7. A -> B : CKA, CKB, { [A, B, ta, tb, algo]KM }KE    verify MAC
Z = (ta)^rb mod p = (tb)^ra mod p ; K = [CKA, CKB, Z](Na, Nb)

Oakley protocol with

• aggressive mode
• 1. A -> B: CKA, ta = g^ra mod p, list, B, {|A, B, EncB(Na)|}KB'
• 2. B -> A: CKB, CKA, tb = g^rb mod p, algo, {|B, A, Nb|}KA, [B, A, Nb, Na, tb, ta, algo]K
• 3. A -> B: CKA, CKB, [A, B, ta, tb, algo]K    verify MAC
K = [CKA, CKB, (ta)^rb mod p = (tb)^ra mod p](Na, Nb)

SKEME protocol

• SKEME (for IPsec)

• 1. A -> B: {|A, Na|}Kb, ta = g^ra mod p
• 2. B -> A: {|Nb|}Ka, tb = g^rb mod p, [ta, tb, B, A]K'
• 3. A -> B : [tb, ta, A, B]K'
K = (ta)^rb mod p = (tb)^ra mod p ; K' = #(Na, Nb)

• SKEME without DH
• 1. A -> B: {|A, Na|}Kb, ra
• 2. B -> A: {|Nb|}Ka, rb, [ra, rb, B, A]K'
• 3. A -> B : [rb, ra, A, B]K'
K = [[rb, ra, A, B]K']K' ; K' = #(Na, Nb)

SKEME and IKE protocol

• IKE (Internet Key Exchange), main mode, IPsec

• 1. A -> B: CKA, list    (CKA, CKB – cookies, to mitigate DoS attacks)
• 2. B -> A: CKB, algo
• 3. A -> B: CKA, CKB, ta = g^ra mod p, Na    (|Na|, |Nb| ∈ <64, 2048>)
• 4. B -> A: CKA, CKB, tb = g^rb mod p, Nb
• 5. A -> B : CKA, CKB, {A, SigA([ta, tb, CKA, CKB, list, A]K')}K
• 6. B -> A : CKA, CKB, {B, SigB([tb, ta, CKB, CKA, list, B]K')}K

Z = (ta)^rb mod p = (tb)^ra mod p ; K' = [Z](Na, Nb) ; K = SKDF(K') (symmetric)

SIGMA and IKEv2 protocol

• SIGMA-I (Krawczyk, Canetti; Sign-and-MAC)
1. A -> B : ta = g^ra mod p
2. B -> A : tb = g^rb mod p, {B, SigB(ta, tb), [B]KM}KE
3. A -> B : {A, SigA(tb, ta), [A]KM}KE
Z = (ta)^rb mod p = (tb)^ra mod p ; KM = fM(Z) ; KE = fE(Z)

• IKEv2 (Internet Key Exchange), IPsec, RFC 7296 (simplified)

IKE_INIT
• A -> B: list, ta = g^ra mod p, Na    (|Na|, |Nb| ∈ <64, 2048>)
• B -> A: algo, tb = g^rb mod p, Nb

IKE_AUTH
• A -> B : {A, SigA(list, ta, Na, Nb, [A]KM)}KE    verify MAC
• B -> A : {B, SigB(algo, tb, Nb, [B]KM)}KE    verify MAC

Z = (ta)^rb mod p = (tb)^ra mod p ; KM = [Z](Na, Nb) ; KE = f(KM) ; K = SKDF(KM)
CK – cookies on demand (DoS)
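An added Python example for the simplified IKEv2 of the slide (not code from the lecture or from any IKE implementation): the KM = [Z](Na, Nb) and K = SKDF(KM) steps instantiated with HMAC-SHA-256 as the prf, following RFC 7296 section 2.14 (SKEYSEED and prf+) and section 2.6 (the cookie that lets the responder stay stateless, the "CK on demand" of the slide). Nonces, SPIs, the DH result and the cookie secret are constructed byte strings.

```python
"""IKEv2 key-material derivation and the stateless DoS cookie, written for
the 'simplified IKEv2' slide.  The derivation follows RFC 7296, section 2.14
(SKEYSEED = prf(Ni | Nr, g^ir) and prf+), and the cookie follows section 2.6;
prf is instantiated here with HMAC-SHA-256 and the inputs are constructed
test values."""
import hashlib
import hmac


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """prf+(K, S) = T1 | T2 | ... with T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def skeyseed(ni, nr, g_ir):
    """KM = [Z](Na, Nb) on the slide: the DH result keyed by both nonces."""
    return prf(ni + nr, g_ir)


def derive_keys(ni, nr, spi_i, spi_r, g_ir, key_len=32):
    """K = SKDF(KM): the seven IKE SA keys taken in order from prf+."""
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    stream = prf_plus(skeyseed(ni, nr, g_ir), ni + nr + spi_i + spi_r,
                      len(names) * key_len)
    return {name: stream[i * key_len:(i + 1) * key_len]
            for i, name in enumerate(names)}


def make_cookie(secret, version, ni, ip_i, spi_i):
    """Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>): the
    responder keeps no per-initiator state, only a secret it rotates."""
    return bytes([version]) + hashlib.sha256(ni + ip_i + spi_i + secret).digest()


def check_cookie(cookie, secrets_by_version, ni, ip_i, spi_i):
    """Responder check on the retried IKE_SA_INIT.  Looking the secret up by
    version lets a rotation keep accepting cookies issued under the previous
    secret, so honest retries are not rejected mid-rotation."""
    version = cookie[0]
    secret = secrets_by_version.get(version)
    if secret is None:
        return False
    expected = make_cookie(secret, version, ni, ip_i, spi_i)
    return hmac.compare_digest(cookie, expected)
```

Because the cookie is recomputable from the retried message alone, a flood of unanswered IKE_SA_INIT requests costs the responder nothing but hashing; the DH exponentiation is only done once a valid cookie comes back.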

JFK – Just Fast Keying

ISO/IEC 11770-3 Key agreement

• 12 key agreement mechanisms
• analyzed using the Scyther tool
• mechanism 11 (TLS handshake)
• the RSA version has problems in authentication
• the protocol does not provide forward secrecy

TLS – Transport Layer Security

• 1995 SSL (Netscape Communications)
• 1999 TLS 1.0 RFC 2246
• 2006 TLS 1.1 RFC 4346
• 2008 TLS 1.2 RFC 5246
• 2018 TLS 1.3 RFC 8446

• runs over a reliable transport protocol (TCP)

protocol model for TLS

• 0. A -> B: A, Na, Sid, Pa
• 1. B -> A: Nb, Sid, Pb
• 2. B -> A: {|B, Kb|}inv(Ks)
• (Ks := public key of the certification authority – this is a certificate)
• 3. A -> B: {|A, Ka|}inv(Ks)
• 4. A -> B: {|PMS|}Kb
• 5. A -> B: {|#(Nb, B, PMS)|}inv(Ka)
• 6. A -> B: {Finished}Keygen(A, Na, Nb, M)
• where M = PRF(PMS, Na, Nb) (PseudoRandomFunction) and Finished = H(M, messages) over all messages 0 - 5
• 7. B -> A: {Finished}Keygen(B, Na, Nb, M)

Simplified TLS

• 1. A -> B: Na
• 2. B -> A: Nb    (PMK – pre-master key, chosen by A)
• 3. A -> B: {|PMK|}Kb, SigA(Mess_Seq1), {Mess_Seq2}K
• 4. B -> A: {Mess_Seq3}K
K = [Na, Nb]PMK ; Mess_Seq1 = #(Na, Nb, {|PMK|}Kb) ...

• simplified (based on Diffie-Hellman)
• 1. A -> B: Na
• 2. B -> A: Nb    (PMK = g^(a*b) mod p)
• 3. A -> B: SigA(Mess_Seq1), {Mess_Seq2}K
• 4. B -> A: {Mess_Seq3}K
K = [Na, Nb]PMK

TLS with Perfect Forward Secrecy

• TLS with forward secrecy
• 1. A -> B: Na
• 2. B -> A: Nb, g^rb mod p, SigB(Na, Nb, p, g, A)
• 3. A -> B: g^ra mod p
Z = g^(ra*rb) mod p ; delete ra, rb (ephemeral keys)

MasterK = [Na, Nb]Z ; SessK = #(MasterK expansion, Na, Nb)

ECDHE – ephemeral DH with elliptic curves
PFS – perfect forward secrecy: previous session keys are not compromised even if the long-term keys are

KEM – key encapsulation mechanisms

• encryption of a new random number
• public key K ∈ KE, private key K^-1 ∈ KD
• encapsulation EncapK() = (c, k) ; k – new symmetric key, c ∈ C
• decapsulation DecapK^-1(c) = k
• A: (cA, kA) = EncapB() ; A -> B: cA
• B: kA = DecapB(cA), (cB, kB) = EncapA() ; B -> A: cB
• A: kB = DecapA(cB)

K = f(kA, kB) ; forward secrecy
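The KEM-based agreement of the slide as an added Python example (not the lecture's code). The KEM is a hashed-ElGamal construction over a constructed toy DH group (p = 1019, q = 509, g = 4), chosen so the block needs only the standard library; the Encap/Decap interface is the point, and any KEM with that interface slots into the same three steps. The key pairs here are generated per session, which is the setting in which the slide's forward secrecy claim holds.

```python
"""Key agreement through a KEM, as on the slide: each side encapsulates a
fresh symmetric key under the other's public key and the session key is
f(kA, kB).  The KEM here is a hashed-ElGamal construction over a small
constructed DH group; the group is a toy and is not a recommended choice."""
import hashlib
import secrets

P, Q, G = 1019, 509, 4   # constructed toy group


def is_group_element(c, p=P, q=Q):
    """Ciphertexts must be valid elements of the order-q subgroup."""
    return 1 < c < p - 1 and pow(c, q, p) == 1


def kem_keygen():
    """(private K^-1, public K)."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def encap(peer_pub):
    """Encap_K() = (c, k): c = g^r, k = H(c, K^r)."""
    r = 1 + secrets.randbelow(Q - 1)
    c = pow(G, r, P)
    k = hashlib.sha256(f"{c}|{pow(peer_pub, r, P)}".encode()).digest()
    return c, k


def decap(priv, c):
    """Decap_{K^-1}(c) = H(c, c^x), which equals H(c, g^(r*x))."""
    if not is_group_element(c):
        raise ValueError("ciphertext is not a valid group element")
    return hashlib.sha256(f"{c}|{pow(c, priv, P)}".encode()).digest()


def combine(k_a, k_b):
    """K = f(kA, kB): both sides feed the two keys in the same order."""
    return hashlib.sha256(b"KEM-agree|" + k_a + k_b).digest()


def kem_agreement(priv_a, pub_a, priv_b, pub_b):
    """The three steps of the slide; returns (K at A, K at B)."""
    c_a, k_a = encap(pub_b)         # A: (cA, kA) = EncapB() ; A -> B: cA
    k_a_at_b = decap(priv_b, c_a)   # B: kA = DecapB(cA)
    c_b, k_b = encap(pub_a)         # B: (cB, kB) = EncapA() ; B -> A: cB
    k_b_at_a = decap(priv_a, c_b)   # A: kB = DecapA(cB)
    return combine(k_a, k_b_at_a), combine(k_a_at_b, k_b)
```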

Identity based key agreement

• based on the identification information of the owner
• real name, physical description ...
• without public key infrastructure
• KGC – Key Generation Centre – generates private keys
• f(ID) – master secret + identity information
• private key – by key extraction
• forward secrecy

Okamoto's Scheme – identity-based agreement

KGC: public n = pq, e ; private d, ed ≡ 1 (mod φ(pq)) ; public g – generator of Zp* and Zq*

si = IDi^-d mod n (IDi – identification string of user I) ; si^e = IDi^-1 mod n
registration – the KGC securely sends si to user I

• 1. A -> B: (sa * g^ra) mod n
• 2. B -> A: (sb * g^rb) mod n
Z = ((sa * g^ra)^e * IDa)^rb mod n = ((sb * g^rb)^e * IDb)^ra mod n = (sb^e * g^(rb*e) * IDb)^ra mod n = (IDb^-1 * g^(rb*e) * IDb)^ra mod n = g^(e*ra*rb) mod n

• forward secrecy

• sensitive to compromise of an ephemeral key – from ra (and the message sa * g^ra) one can compute sa

Elliptic Curve Pairing

• BDH – Bilinear Diffie-Hellman problem: given g1 ∈ G1, g2 ∈ G2, x, y, z ∈ Zq, it is hard to compute e(g1, g2)^(xyz) given g1, g2, g1^x, g2^y, g1^z, g2^z

Password-authenticated key exchange – PAKE

• password with small entropy
• trusted server – sharing passwords + asymmetric cryptography
• Kerberos (symmetric cryptography)
• without server – Bellovin-Merritt scheme (1992)
• random ephemeral keys encrypted by the shared password
• forward secrecy
• offline dictionary attacks should not be feasible
• online dictionary attacks should not be feasible
• smooth projective hash function (only the password owners can obtain the shared secret)

EKE – (Bellovin-Merritt)

π – shared password, public p, g – generator of Zp*

• A -> B : A, {g^ra mod p}π    K = f(g^(ra*rb) mod p)
• B -> A : {g^rb mod p}π, {Nb}K
• A -> B : {Na, Nb}K
• B -> A : {Na}K
ra, rb – ephemeral keys

Augmented EKE

π – shared password, public p, g – generator of Zp* ; H1(π), H2(π) – two images of the password (with salt)

• A -> B : A, {g^ra mod p}H1(π)    K = f(g^(ra*rb) mod p)
• B -> A : {g^rb mod p}H1(π), {Nb}K
• A -> B : {Na, Nb}K
• B -> A : {Na}K

• A -> B : {Sig(K)}K    K signed using H2(π)
ra, rb – ephemeral keys ; smooth projective hash function ; password hash (Argon2)

RSA-based EKE

π – shared password, ephemeral n = p*q, d*e mod (p-1)*(q-1) = 1

• A -> B : A, n, {e}π
• B -> A : {K^e mod n}π

PAK – Password Authenticated Key exchange

π – shared password ; g – generator of Zq ; (p-1) = q*t

• A -> B : m = (g^ra mod q) * H1(A, B, π)^t    Z = g^(ra*rb) mod p ; P = H1(A, B, π)^t
• B -> A : g^rb mod q, H2(A, B, m, g^rb, Z, P)    Z = ... check
• A -> B : H3(A, B, m, g^rb, Z, P)    Z = ... check
K = H4(A, B, m, g^rb, Z, P)

PPK – Password Protected Key exchange

π – shared password ; g – generator of Zq ; (p-1) = q*t

• A -> B : m = (g^ra mod q) * H1(A, B, π)^t
• B -> A : m' = (g^rb mod q) * H2(A, B, π)^t
Z = g^(ra*rb) mod p ; P = H1(A, B, π)^t ; K = H3(A, B, m, m', Z, P)

SPEKE – Secure Password Exponential Key Exchange

π – shared password ; p-1 = 2q ; g – generator of order q in Zp* ; P = π^2 mod p

• A -> B : P^ra mod p    Z = P^(2*ra*rb) mod p
• B -> A : P^rb mod p, H1(P^ra, P^rb, Z, π)    Z = ... verify
• A -> B : H2(P^ra, P^rb, Z, π)    Z = ... verify

K = H3(Z)

SRP – Secure Remote Password protocol

g – generator of Zq ; p-1 = q*2 ; A: π – password ; B: password image V = g^H(s, π), s – salt

• A -> B : A, g^ra mod p    Z = ((g^ra mod p) * V^u)^rb mod p = (g^ra * g^(u*H(s, π)))^rb mod p
• B -> A : s, u – random, S = (V + g^rb) mod p    Z = (S - V)^(ra + u*H(s, π)) mod p = (g^rb)^(ra + u*H(s, π)) mod p
• A -> B : m = H(g^ra mod p, S, Z)    Z = ... verify
• B -> A : H(g^ra mod p, m, Z)    Z = ... verify
K = H(Z) ; RFC 2945

SRP-6 RFC 5054, ISO/IEC 11770-4

g – generator of Zq ; p-1 = q*2 ; A: π – password ; B: password image V = g^H(s, A, π), s – salt

• A -> B : A, g^ra mod p    Z = ((g^ra mod p) * V^u)^rb mod p
• B -> A : s, S = (c*V + g^rb) mod p    Z = (S – c*V)^(ra + u*H(s, A, π)) mod p
• A -> B : m = H(g^ra mod p, S, Z)    Z = ... verify
• B -> A : H(g^ra mod p, m, Z)    Z = ... verify
K = H(Z)
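SRP-6 from the slide as an added Python example, not the lecture's code: the server stores only the salted verifier V = g^H(s, A, π), the client proves knowledge of π through m = H(g^ra, S, Z), and both sides end with K = H(Z). The multiplier c = 3, u = H(g^ra, S) and SHA-256 are this example's choices (the slide leaves them open), and the group is the constructed toy p = 1019, q = 509, g = 4, not a usable parameter set.

```python
"""SRP-6 over a small constructed group, following the message flow of
the slide: the client holds the password, the server only the salted
verifier V = g^H(s, A, π).  Multiplier c = 3 (SRP-6), u = H(g^ra, S) as in
RFC 5054, SHA-256 throughout; the group is a toy p = 2q + 1."""
import hashlib

P, Q, G = 1019, 509, 4   # constructed toy group
C = 3                    # SRP-6 multiplier


def h_int(*parts):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def enroll(ident, password, salt):
    """Run once by the client; the server stores (ident, salt, V) only."""
    x = h_int(salt, ident, password) % Q            # H(s, A, π)
    return pow(G, x, P)                             # V = g^x


def client_pub(ra):
    return pow(G, ra, P)                            # A -> B : g^ra mod p


def server_pub(verifier, rb):
    return (C * verifier + pow(G, rb, P)) % P       # B -> A : S = c*V + g^rb


def scrambler(a_pub, s_pub):
    """u = H(g^ra, S); a zero u would let the verifier drop out of Z."""
    u = h_int(a_pub, s_pub) % Q
    if u == 0:
        raise ValueError("u must be non-zero")
    return u


def client_secret(ident, password, salt, ra, a_pub, s_pub):
    """Z = (S - c*V)^(ra + u*x) mod p, computed from the password."""
    if s_pub % P == 0:
        raise ValueError("invalid server value")
    x = h_int(salt, ident, password) % Q
    u = scrambler(a_pub, s_pub)
    base = (s_pub - C * pow(G, x, P)) % P           # equals g^rb when π is right
    return pow(base, ra + u * x, P)


def server_secret(verifier, rb, a_pub, s_pub):
    """Z = (g^ra * V^u)^rb mod p, computed from the verifier only."""
    if a_pub % P == 0:
        raise ValueError("invalid client value")
    u = scrambler(a_pub, s_pub)
    return pow(a_pub * pow(verifier, u, P) % P, rb, P)


def srp_run(ident, password, salt, verifier, ra, rb):
    """Full exchange; returns (K at client, K at server) or raises."""
    a_pub = client_pub(ra)
    s_pub = server_pub(verifier, rb)
    z_c = client_secret(ident, password, salt, ra, a_pub, s_pub)
    z_s = server_secret(verifier, rb, a_pub, s_pub)
    m = h_int(a_pub, s_pub, z_c)                    # A -> B : m = H(g^ra, S, Z)
    if m != h_int(a_pub, s_pub, z_s):
        raise ValueError("client proof rejected")
    m2 = h_int(a_pub, m, z_s)                       # B -> A : H(g^ra, m, Z)
    if m2 != h_int(a_pub, m, z_c):
        raise ValueError("server proof rejected")
    return h_int(z_c), h_int(z_s)                   # K = H(Z)


def password_accepted(ident, password, salt, verifier, ra, rb):
    """True when the run completes, False when a proof is rejected."""
    try:
        srp_run(ident, password, salt, verifier, ra, rb)
        return True
    except ValueError:
        return False
```

Both Z values equal g^(rb*(ra + u*x)) mod p: the client strips c*V from S to recover g^rb, the server multiplies g^ra by V^u = g^(u*x). A wrong password gives the client a different x, so the proof m fails at the server, and the server never learns anything but the verifier it already stored.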

Group Key Establishment

• mutual authentication
• key compromise impersonation
• contributiveness
• robustness

Generalised Diffie-Hellman

parties in a ring: A -> B -> C -> A
1. A sends g^a mod p ; B sends g^b mod p ; C sends g^c mod p
2. A sends (g^c)^a mod p ; B sends (g^a)^b mod p ; C sends (g^b)^c mod p

K = ((g^b)^c)^a mod p = ((g^c)^a)^b mod p = ((g^a)^b)^c mod p = g^(b*c*a) mod p

Generalised Diffie-Hellman

U(i-1) -> Ui -> U(i+1)   (round by round, what Ui receives and what it forwards)
1.   Ui receives g^r(i-1) mod p ; sends g^ri mod p
2.   Ui receives g^(r(i-1)*r(i-2)) mod p ; sends g^(ri*r(i-1)) mod p
…
m-1. Ui receives g^(r(i-1)*r(i-2)…r(i-(m-1))) mod p ; sends g^(ri*r(i-1)…r(i-(m-2))) mod p

K = (g^(r(i-1)*r(i-2)…r(i-(m-1))))^ri mod p = g^(r1*r2…rm) mod p
m-1 rounds, m*(m-1) messages, m^2 exponentiations

Steiner-Tsudik-Waidner GDH.1

U(i-1) -> Ui -> U(i+1)

upflow: U(i-1) -> Ui : g^r1, g^(r1*r2), …, g^(r1*r2…r(i-1)) ; Ui -> U(i+1) : g^r1, g^(r1*r2), …, g^(r1*r2…ri)

downflow: h(i+1) = g^(r(i+1)*r(i+2)…rm) ; hi = g^(ri*r(i+1)…rm)
U(i+1) -> Ui : h(i+1)^r1, h(i+1)^(r1*r2), …, h(i+1)^(r1*r2…r(i-1)) ; Ui -> U(i-1) : hi^r1, hi^(r1*r2), …, hi^(r1*r2…r(i-2))

K = (h(i+1)^(r1*r2…r(i-1)))^ri mod p = (hi^(r1*r2…r(i-2)))^r(i-1) mod p = g^(r1*r2…rm) mod p
2(m-1) rounds, 2(m-1) messages, ≈ m^2/2 exponentiations

Steiner-Tsudik-Waidner GDH.2

U(i-1) -> Ui -> U(i+1)

U(i-1) -> Ui : h(i-1) = g^(r1*r2…r(i-1)), h(i-1)^(r1^-1), h(i-1)^(r2^-1), …, h(i-1)^(r(i-1)^-1)
Ui -> U(i+1) : hi = g^(r1*r2…ri), hi^(r1^-1), hi^(r2^-1), …, hi^(ri^-1)

Um broadcasts (g^(r1*r2…rm))^(r1^-1), (g^(r1*r2…rm))^(r2^-1), …, (g^(r1*r2…rm))^(rm^-1)
K = ((g^(r1*r2…rm))^(r1^-1))^r1 mod p = … = g^(r1*r2…rm) mod p
m rounds, m-1 messages, 1 broadcast, ≈ m^2/2 exponentiations

Steiner-Tsudik-Waidner GDH.1, GDH.2

GDH.1 – upflow A -> B -> C -> D -> E (what each party receives):
B : g^a
C : g^a, g^ab
D : g^a, g^ab, g^abc
E : g^a, g^ab, g^abc, g^abcd
GDH.1 – downflow E -> D -> C -> B -> A:
D : g^e, g^ae, g^abe, g^abce
C : g^de, g^ade, g^abde
B : g^cde, g^acde
A : g^bcde

K = g^abcde mod p

GDH.2 – upflow A -> B -> C -> D -> E (what each party receives):
B : g^a
C : g^ab, g^b, g^a
D : g^abc, g^bc, g^ac, g^ab
E : g^abcd, g^bcd, g^acd, g^abd, g^abc
E broadcasts g^bcde, g^acde, g^abde, g^abce
K = g^abcde mod p
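GDH.2 for m parties as an added Python example (not the lecture's code), generalising the five-party A..E table above and the Ui / U(i+1) description on the previous slide: each party raises what it received to its own exponent and appends the previous h, which is the one product missing its exponent, and U_m's broadcast lets every party finish with a single exponentiation. The group is the constructed toy p = 1019, q = 509, g = 4, and the exponents are passed in so the run is reproducible.

```python
"""Steiner-Tsudik-Waidner GDH.2 for m parties, generalising the five-party
A..E example of the slide: an upflow in which U_i forwards h_i = g^(r1...ri)
together with the i values each missing one exponent, and a final broadcast
by U_m from which every party recovers K = g^(r1...rm) with one exponentiation.
Toy group parameters; the exponents are passed in so the run is reproducible."""

P, Q, G = 1019, 509, 4   # constructed toy group, exponents live in Z_q


def gdh2(exponents):
    """exponents[i] is r_(i+1), the secret of party U_(i+1).
    Returns (keys, received, broadcast): keys[i] is the key computed by
    U_(i+1), received[i] the list U_(i+1) was sent in the upflow (h first,
    then the values missing r1, r2, ..., in the order printed on the slide),
    and broadcast the values U_m sends to everyone."""
    m = len(exponents)
    if m < 2:
        raise ValueError("need at least two parties")
    received = [[]]                 # U_1 receives nothing
    h, partials = G, []             # before U_1: h = g, no partials
    for r in exponents[:-1]:
        # U_i raises everything it received to r_i and appends the previous
        # h, which is the product missing its own exponent
        new_partials = [pow(v, r, P) for v in partials] + [h]
        h = pow(h, r, P)
        partials = new_partials
        received.append([h] + partials)
    # U_m: its key directly, then the partials raised to r_m as broadcast
    r_m = exponents[-1]
    keys = [None] * m
    keys[-1] = pow(h, r_m, P)
    broadcast = [pow(v, r_m, P) for v in partials]   # g^(r1..rm / rj), j < m
    for j in range(m - 1):
        keys[j] = pow(broadcast[j], exponents[j], P)  # U_j raises its value to r_j
    return keys, received, broadcast
```

With five parties and exponents (a, b, c, d, e) the trace reproduces the slide: C receives g^ab, g^b, g^a; E receives g^abcd, g^bcd, g^acd, g^abd, g^abc; E broadcasts g^bcde, g^acde, g^abde, g^abce; every key equals g^abcde mod p. Note that the broadcast reveals every product missing exactly one exponent, which is why the scheme needs the discrete-log assumption on the group and not merely secrecy of the final key.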

Steiner-Tsudik-Waidner GDH.3

U(i-1) -> Ui -> U(i+1)

upflow: U(i-1) -> Ui : g^(r1*r2…r(i-1)) mod p ; Ui -> U(i+1) : g^(r1*r2…ri) mod p

U(m-1) broadcasts g^(r1*r2…r(m-1)) mod p
Ui sends to Um : (g^(r1*r2…r(m-1)))^(ri^-1) mod p
Um broadcasts (g^(r1*r2…rm))^(r1^-1), (g^(r1*r2…rm))^(r2^-1), …, (g^(r1*r2…rm))^(rm^-1)
K = ((g^(r1*r2…rm))^(r1^-1))^r1 mod p = … = g^(r1*r2…rm) mod p
m+1 rounds, 2m-3 messages, 2 broadcasts, 4m exponentiations

Octopus protocol

A – B : g^ab mod p    (AB: 1 round, 2 messages, 2 exponentiations)
C – D : g^cd mod p

Octopus protocol

A – B : g^ab mod p
C – D : g^cd mod p
K = g^(g^ab * g^cd) mod p

m = 2^n ; log m rounds, m*(log m) messages, m*(log m) exponentiations

Authenticated GDH protocols

Identity based conference key protocols

Key transfer using quantum cryptography

• transfer of a secret over a quantum channel – security follows from the impossibility of eavesdropping without disturbing the data flow

Alice – quantum channel – Bob

Key transfer using quantum cryptography

• transmission of photons – polarised waves – a photon either passes through a polarising filter whole or does not pass at all
• through the horizontal-vertical basis H pass photons with polarisation ↑ or ⟶ – the others only with probability 1/2
• through the diagonal basis D pass photons with polarisation ↗ or ↘
• we encode ↑ or ↗ as 0 and the photons polarised ↘ and → as 1
• Alice chooses a random sequence of bits and a random sequence of bases

Alice's random bit       0 1 1 0 1 0 0 1
Alice's random basis     + + × + × × × +
Photon polarisation      ↑ ⟶ ↘ ↑ ↘ ↗ ↗ ⟶

QKD (Bennett-Brassard 1984)

• Bob can capture only those photons that pass through his filters; he does not know the arrangement of Alice's filters, so he chooses a random sequence of bases

Alice's random bit               0 1 1 0 1 0 0 1
Alice's random basis             + + × + × × × +
Photon polarisation              ↑ ⟶ ↘ ↑ ↘ ↗ ↗ ⟶
Bob's random measurement basis   + × × × + × + +
Photons measured by Bob          ↑ ↗ ↘ ↗ ⟶ ↗ ⟶ ⟶
Shared key                       0   1     0   1
• some of Bob's bases do not match Alice's – the result there is random; Bob therefore sends Alice the settings of his bases
• Alice can now determine which bases were correct and sends the list to Bob

QKD (Bennett-Brassard 1984)

• any interference with the system reduces the probability of a successful transmission and can be evaluated as an attack (if I want to eavesdrop on a photon, I must also measure it on a filter – which changes its polarisation with probability 1/2)
• some part of the transmitted bits (half) can be used for authentication
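BB84 sifting as an added Python example (not the lecture's code), with the eight-photon table of the slides as its worked case and the error-rate check that turns the disturbance described above into something Alice and Bob can measure on a sacrificed sample of the sifted key. Bases are written "+" and "x", the photon symbols are the slides' own, and all random choices come from a seeded generator so the run is reproducible; it is a constructed classical simulation of the protocol logic, not a QKD implementation.

```python
"""BB84 sifting as on the slides, with the slide's own eight-photon table as
the worked example, plus the error-rate check that makes an interception
visible.  Bases are '+' (rectilinear) and 'x' (diagonal); random choices
come from a seeded generator so runs are reproducible."""
import random

# polarisation symbols used on the slides: (basis, bit) -> photon
ENCODE = {("+", 0): "↑", ("+", 1): "→", ("x", 0): "↗", ("x", 1): "↘"}
DECODE = {photon: (basis, bit) for (basis, bit), photon in ENCODE.items()}


def prepare(bits, bases):
    """Alice: one polarised photon per (bit, basis) pair."""
    return "".join(ENCODE[(basis, bit)] for bit, basis in zip(bits, bases))


def measure(photon, basis, rng):
    """Bob: a matching basis returns the encoded bit; a mismatched basis
    passes the photon with probability 1/2, i.e. yields a random bit."""
    sent_basis, bit = DECODE[photon]
    if basis == sent_basis:
        return bit
    return rng.randrange(2)


def sift(alice_bits, alice_bases, bob_bases, bob_bits):
    """Keep the positions whose bases agree (bases are compared over the
    classical channel; the bits themselves are never announced)."""
    keep = [i for i, (a, b) in enumerate(zip(alice_bases, bob_bases)) if a == b]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def bb84(alice_bits, alice_bases, bob_bases, rng, intercepted=False):
    """One round; returns (photons, bob_bits, alice_key, bob_key)."""
    photons = prepare(alice_bits, alice_bases)
    if intercepted:
        # a third party measures every photon in a random basis and re-sends
        # what it saw: half the time the basis is wrong and the re-sent photon
        # no longer carries Alice's polarisation, which is the disturbance
        # the slide describes
        inter_bases = [rng.choice("+x") for _ in photons]
        seen = [measure(ph, b, rng) for ph, b in zip(photons, inter_bases)]
        photons = prepare(seen, inter_bases)
    bob_bits = [measure(ph, b, rng) for ph, b in zip(photons, bob_bases)]
    alice_key, bob_key = sift(alice_bits, alice_bases, bob_bases, bob_bits)
    return photons, bob_bits, alice_key, bob_key


def error_rate(alice_key, bob_key):
    """Fraction of sifted bits that disagree; Alice and Bob sacrifice a sample
    of the sifted key to estimate it and abort when it is too high."""
    if not alice_key:
        return 0.0
    return sum(a != b for a, b in zip(alice_key, bob_key)) / len(alice_key)


def slide_example(seed=1):
    """The eight-photon table of the slide."""
    bits = [0, 1, 1, 0, 1, 0, 0, 1]
    return bb84(bits, list("++x+xxx+"), list("+xxx+x++"), random.Random(seed))


def random_round(n, seed, intercepted=False):
    """n photons with random bits and bases; returns the sifted error rate."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice("+x") for _ in range(n)]
    bob_bases = [rng.choice("+x") for _ in range(n)]
    _, _, a_key, b_key = bb84(bits, alice_bases, bob_bases, rng, intercepted)
    return error_rate(a_key, b_key)
```

Without interference the sifted keys agree exactly; with an intercept-and-resend in the middle, about a quarter of the sifted bits disagree (wrong intermediate basis with probability 1/2, then a random result for Bob with probability 1/2), which is the statistic Alice and Bob compare before trusting the key.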

Thank you for your attention. [email protected]