Security protocols
0 likes325 views
The document summarizes four cryptographic protocols: 1. Needham-Schroeder protocol authenticates users (A and B) to each other over a network with the help of a trusted authority (Trent). 2. Kerberos protocol allows a client (A) to authenticate to a server (S) in two steps by first authenticating to the Kerberos server and then to the ticket granting service (TGS) of the target server. 3. Secret sharing protocol partitions a secret key (K) into shares and distributes them among trustees, requiring a minimum number of shares to reconstruct the key and preventing any single trustee from accessing the secret. 4. Zero knowledge proofs allow a
Security protocols
- 1. Security Protocols and Applications of Cryptography By: Abhijit Mondal Needham-Schroeder Protocol : Suppose A wants to talk with B over the network. How will B know that he is really talking to A. This protocol authenticates A to B at the same time allowing them to exchange session keys over the network. 1. A sends a message to Trent( a trusted individual or a computer program over the network) consisting of his name a, B's name b and a random number rA 2. Trent generates a random session key k . Trent then computes c2 = (beA , keA , rA eA , keAeB , aeAeB , teAeB ) mod p , where eA and eB are the secret keys that Trent shares with A and B respectively, and t is the current system time. Trent sends c2 to A. The time t is sent to prevent replay attacks, i.e. an adversary pretending to be A may sent an old message to Bob. 3. A decrypts the message with eA and extracts the session key k and confirms that rA is the same value that he sent to Trent. Then A sends to B, c3 = ( keB , aeB , teB ) mod p. 4. B decrypts the message with eB and extracts the session key k, generates a random value rB , and sends to A the message c4 = rBk mod p. 5. A decrypts the message with k and computes rB -1 and send to B the message c5 = (rB -1)k mod p. 6. B decrypts the message with k and verifies that it is rB -1 so A must have the same session key and he is the real person. Kerberos Protocol : Suppose A wants some service from a server S. Then A must authenicate himself to the server before using it's services. In this symmetric key cryptographic protocol (using DES as encryption algorithm) , there are 2 doors that needs to be opened before getting access to the server. The first door is guarded by Kerberos and the second is the Ticket Granting Service(TGS) of the server. 1. A sends a message to the Kerberos server with his identity/password 'a' and the identity of the Ticket Granting Service(TGS) of the server 'tgs'. 2. The Kerberos server generates a timestamp t, a lifetime for the timestamp l, a random session key Ka,tgs . It then computes Ta,tgs = {tgs, DES(a, N, l, Ka,tgs ) (etgs) } , where N is the network address of A, and etgs is the secret key of the TGS shared with Kerberos. The Kerberos then encrypts the following with A's secret key eA , c1 = DES(Ka,tgs)(eA) and the following with the TGS's secret key etgs : c2 = DES(Ta,tgs)(etgs). It then sends c1 and c2 to A. 3. A decrypts c1 and extracts Ka,tgs and computes the following Aa,tgs = {DES(a, t, key) (Ka,tgs) }, where key is an additional session key . Then A computes c3 = DES(Aa,tgs)(Ka,tgs ) and sends c2 and c3 to the TGS of the server. 4. The TGS then decrypts c2 using etgs and extracts Ta,tgs . Then uses Ta,tgs to extract Ka,tgs . The TGS then decrypt c3 using Ka,tgs and extracts Aa,tgs . The TGS then decrypts Aa,tgs and compares the information in Aa,tgs with the information in Ta,tgs . If they match then the TGS sends the following to the client A: c4 = {DES( Ka,s) (Ka,tgs )} and c5 = {DES(Ta,s) ( es )}, where Ta,s = {s, DES(a, N, l, Ka,s ) (es) }, Ka,s is the secret session key for A and the server and es is the secret key the TGS shares with the server. 5. A then decrypts c4 with Ka,tgs and computes the following Aa,s = {DES(a, t, key) (Ka,s) }and then c6 = {DES(Aa,s ) (Ka,s )}. A then sends c5 and c6 to the server for communication. Secret Sharing Protocol : Handing over the control of a missile to one military general or handing over the key of the locker
- 2. at the Swiss bank to any one individual would be a risky issue since he may turn out to be crooked. So to minimise risk of a missile disaster or a bankruptcy is to partition the single key into n parts and give each part to a trusted individual responsible for the control of the missile or the locker at Swiss Bank, such that no less than m individuals can recover the orginal key from their share of the keys. e.g. If the key is K and n = 3, and m =3 then choose k1 and k2 and compute K⊕k1⊕k2 = k3 . Then distribute k1 , k2 and k3 to three trusted individuals. To construct the original key K , they need all three keys such that k1⊕k1⊕k3 = K. Algorithm : 1. Construct a (m-1) degree polynomial f(x) = am-1xm-1 + am-2xm-2 +.....+ a1x + K, where K is the original secret key and ai ∈Zp for prime p, ai 's are the secrets that must be destroyed. 2. Evaluate f(1), f(2),....., f(n) (mod p) and distribute these values to the n trusted officials assigned for the execution of the task. 3. To find K atleast m officials must come together and disclose their values, then perform Gaussian elimination to solve the linear system of equations for ai 's and K. Less than m individual cannot find K without a brute force search over Zp . Zero Knowledge Proofs : How to prove someone your identity without revealing information about you? How do you prove someone that you know the proof of a problem without showing him/her the actual proof ? This is called Zero Knowledge Proofs since you are not revealing information about your secret to the verifier at the same time convincing him/her that you are the authentic person. The verifier may be a spy who is looking to know your secret and pass on that secret to his nation. e.g. Proving Graph Isomorphism to a verifier V. Problem : P wants to prove to V the isomorphism between graphs G1 and G2 . 1. P generates a random permutation H of G1 such that H is isomorphic to G1 . P knows the isomorphism between H and G2 . Finding the isomorphism between G1 and H or G2 and H is as hard as finding the isomorphism between G1 and G2 , hence nobody knows the relations between them. 2. P sends H to V. 3. V flips a coin and if its a head then V asks P to prove that H and G1 are isomorphic, else if its a tail then V asks P to prove that H and G2 are isomorphic. 4. P then complies and proves to V either H and G1 are isomorphic or H and G2 are isomorphic. 5. P then again generates a random permutation graph H' isomorphic to either G1 or G2 and both of them then follows the steps through 1 to 4. They do these n times until V is convinced that P knows the isomorphism between G1 and G2 . Here is how it works: If P knows the isomorphism between G1 and G2 : Then whether V asks P to prove H and G1 are isomorphic or H and G2 are isomorphic, P will be able to prove V everytime until V is convinced of P's identity. If P does not know the isomorphism between G1 and G2 : Then if V asks P to prove H and , the graph from which P generated H, are isomorphic then P will be able to fool V else P will be caught as some false guy. The probability that P will be able to fool V after n round is 1 in 2n because in one round P fools V with a chance of ½. For n large, the chances of a false P passing the test is very small. Here is another variant of Zero Knowledge Proof : Suppose P wants to prove to V that he knows the solution to the DLP : my = x (mod p) without telling V what is the value of y. 1. P sends to V the values m, x and p. 2. V generates a random number a and computes the four combinations{am, a-1m-1, a-1m, am-1}
- 3. (mod p) in any random order and sends the quadruple to P, but does not reveal to P what is the ordering of the values. V only sends {u,v,w,z} ∈ {am, a-1m-1, a-1m, am-1} (mod p) and asks P to compute {uy, vy, wy, zy} (mod p). 3. P computes {uy, vy, wy, zy} (mod p) and sends them to V. 4. V then sends a (mod p) to P and asks him to find ay (mod p). 5. P computes ay (mod p) and sends to V. 6. Now V checks : {uy, vy, wy, zy} (mod p) ∈{ayx, a-yx-1, a-yx, ayx-1} (mod p) expects to be in the correct order as he sent it before. 7. If all of the above relations hold and are in the correct order then V starts another round of computation from step 2 and continues until V is convinced that P truly knows the value of y. If any of the above results does not match then P is an impostor. If P knows the ordering of {am, a-1m-1, a-1m, am-1} (mod p), then P can compute a and P can construct values such that they give the same relations as when V computes them, thus V has no chance of knowing whether P really did the computation V desired or P just constructed values to fool him. Thus an impostor P has a chance of 1 in 24 of correctly guessing the exact permutation and thus fooling V. In n rounds the chances that an impostor P successfully passes the test is 1/(24)n, which is extremely small for large n. For n=10, chances that P fools V is of the order of 10-14. V can still decrease this probability by choosing s random numbers and sending a permutation of 2s+1 elements modulo p. In that case chances of P fooling V in n rounds is 1/(2s+1 !)n . But for large s the computation performed on the part of V increases exponentially, so s = 2 and n = 10 will be a good enough choice to catch even the most notorious masterminds.