Authentication and Key

Establishment Protocols
LAKSHMY K.V
Amrita Vishwa Vidyapeetham
Roadmap
 Intorduction

 Background and Definitions

 Authentication
 Key Establishment

 Case Study: Attempt to design a secure key establishment

protocol
 Example protocols 1-5
 Security Assumptions
Why do we have Protocols for
Authentication and Key Establishment?

 Modern cryptography is based on keys

 Kerckhoffsprinciple:
 a cryptosystem should be secure even if everything about the system, except the
key, is public knowledge

 If the keys are not secure, the whole system is not secure, even if secure
crypto algorithms are used

 Cryptographic algorithms for encryption and integrity cannot

perform their function unless
 secure keys have been established, and
 the users know which party share these keys
Importance
 Authentication and key establishment are fundamental
building blocks for securing electronic communications
 The notions
 “Establishing a secure channel”, or
 “Starting up a secure session”

means that the keys have been established and the involved parties have been
authenticated

 So, protocols for authentication and key establishment are performed at

the beginning of the each session
Roadmap
 Intorduction
 Background and Definitions
 Authentication
 Key Establishment

 Case Study: Attempt to design a secure key establishment protocol

 Example protocols 1-5
 Security Assumptions

 Goals of Authentication and Key Establishment

 Basic Goals
 Enhanced Goals
Authentication
 The notion authentication depends on the context of usage
 It applies to both entities and information itself

 Entity authentication (EA)

 Process of verifying that an identity is as claimed

 Message authentication (MA)

 A message delivered over a channel should be authenticated as to origin (who sent the
data) and data content.
 Methods of providing message authentication
 Message Authentication Codes (MACs)
 Digital signatures

 In this course we focus on entity authentication!

Entity Authentication (EA)
 Definition: Entity authentication is the process whereby one party (verifier)
 is assured of the identity of the second party involved in the protocol through
acquisition of corroborative evidence (PROOF), and
 that the second party has actually participated in the protocol (FRESHNESS!)

 Difference “Identification” and “Authentication”

 Identification: Claimed or stated identity
 Example: Access to a computer system

Enter your user name; User = “Lakshmy” (stated identity)

 Authentication: Proved identity

 Example: Enter your password (prove that you are user “Lakshmy” ), or scan your
fingerprint
More Notions about Authentication
 Unilateral/mutual authentication
 Unilateral: One party proves its identity to the other
 Mutual: Both parties prove their identities to each other

 Authentication can be based on

 what you have (e.g., hardware token)
 what you are (biometrical data e.g., fingerprint, face, iris)
 what you know (e.g., password, key)

 Authentication can be realized with interactive challenge‐

response protocols
Key Establishment
 Definition
 Key establishment is a process or protocol whereby a shared
secret (key) becomes available to two or more parties, for
subsequent cryptographic use

 Basic idea of a key establishment protocol

Types of Key Establishment
 A key establishment protocol can be
 Key agreement
 A shared key is derived by two or more parties as a function of the contributions (inputs) of all parties
 No party can predetermine the resulting value

 Key transport
 One party creates or otherwise obtains the secret key, and securely transfers it to the other(s)
 The trust model is very important

 Hybrid key establishment

 Key agreement protocol for some parties
 Key transport protocol for the others

 All types of key establishment can be realized by both symmetric and asymmetric
cryptographic techniques
Types of Cryptographic Keys
 Long term keys (LTK)
 Key shared between the parties with validity of “long” time period (e.g., 1 month, 1 year)

 Typically used for authentication purposes

 Short term keys (STK, session keys)

 Session key is a short lived secret, i.e., its usage is restricted to a short time period (e.g., single

telecommunication session), after which all trace of it is eliminated

 Advantages of session keys

 Limiting available ciphertext for cryptanalysis

 Limiting exposure in the case of key compromise

 Avoiding long‐term storage of large number of distinct secret keys by creating keys only when they are actually

required

 Creating independence across communication sessions and applications

Key Management
 Key management is more general notion then a key
establishment
 Once keys have been established, they should be managed in order
to provide a secure communication

 Key management consists of establishment, update, storage,

backup, recovery, and revocation of cryptographic keys
 Although one of the most important aspects of any
cryptographic system, key management is most often
neglected
Authenticated Key Establishment
(AKE)
 What does “secure” key establishment mean?
 Each party in a KE protocol should be able
 to determine the true identity of the other(s) which could possibly gain access
to the resulting key,
 implying preclusion of any unauthorized additional parties from deducing the
same key

 Authenticated key establishment (AKE)

 Combines authentication and key establishment in one protocol
 After an AKE, each party is assured that no unauthorized party has
access to the established session key (key authentication)
General Principle
 Establishment of authenticated session keys is not possible
without the availability of secure channels!
Possibilities to establish a new session key:

1. All parties already share a cryptographic key

2. A trusted online server must be accessible

 Each party must share a key with the trusted online server
 To transfer information between the parties it might be necessary to pass it
through a chain of online servers

3. A trusted offline server must be available

 E.g., via certified public keys
Roadmap
 Intorduction
 Background and Definitions
 Authentication
 Key Establishment

 Case Study: Attempt to design a secure key establishment

protocol
 Example protocols 1-V
 Security Assumptions
Assumptions
 We assume that all cryptographic primitives used in the protocols are secure
 In the protocols we analyze, some of the best state ‐of ‐the art algorithms for
encryption, digital signatures, message authentication codes (MACs) or hash
functions

 We search the security problem in the protocol itself, not in the used
primitives
 We want to show that secure cryptographic primitives are not enough for secure
protocols
 Protocols fail often because their messages are not good composed
 We analyze the protocol messages and the operation done by each protocol party, as well as
the trust model
Non-maleable Encryption Schemes
 Requirements to the encryption scheme: We assume that it
should not be possible to specifically alter the content of
encrypted messages
 Feature: Non‐malleability of the underlying encryption scheme
 E. g., Adversary should not be able to change the encrypted
identifier in the message encK(KAB, IB )
Model and Main Requirements
 Model:
 Involved parties: A and B
 Goal: A and B want to obtain a new session key KAB
 A and B do not share a long term key

A trusted third party T must be involved

 T always acts as it is intended to
 Role of T here:

to generate the new key and to transport it to A and B

 Main goals / requirements

 MR1:KAB is only known to A and B and A (B)are assured that only the other party B (A)
knows the key (except T)
 MR2:A and B should be assured that the key KAB is newly generated
Protocol I
 IA is the identity of the party A
 IB is the identity of the party B
 Identity: e.g., network address
or name, certificate

 Alternative of Protocol I:
To disburden T, the key KAB may
be passed from A to B
(This spares one connection
between T and B)
Protocol I: Description
 Step 1:
 A starts the protocol by telling T the identifiers IA and IB of the
communicating parties
 T creates a session key KAB to be used for the secure communication
between A and B

 Step 2:
 T sends KAB to A as plaintext

 Step 3:
 T sends KAB to B as plaintext
Protocol I: Analysis
 Adversary Model
 The adversary is able to eavesdrop all messages on the communication
channel

 Problems/Attacks:
 Obviously anyone has access to the session key KAB

 Countermeasure:
 Establish a secure channel using the long ‐term secret keys
 KAT between A and T and,

 KBT between B and T

 Next attempt: Protocol II

Protocol II: Flow

 Fe

 Features
 Adversary should not be able learn K since we assume the underlying
AB
encryption scheme to be secure
 Adversary only sees encrypted messages and thus does not learn K
AB
Protocol II: Description
 Step 1:
 A starts by sending identifiers IA and IB of the communicating parties to T

 T then generates a session key KAB and encrypts it with KAT and KBT
respectively

 Step 2:
 T sends both ciphertexts to A

 Step 3:
 A forwards the ciphertext encrypted with KBT to B

 A adds its identifier IA to inform B about who else has the key
Protocol II: Analysis
 Adversary Model:
 In addition to eavesdropping, the adversary can control the
communication channel and thus is able to alter messages or
their destination

 Problems:
 All kinds of man‐in‐the‐middle‐attacks
 see next slides…
Protocol II: First Attack

 Adv masquerades as C to B
Protocol II: Analysis of the First Attack
 Attack (man‐in‐the‐middle)
 Adv intercepts message intended for B and replaces IA with IC
 Adv masquerades as C to B
 C might be an arbitrary identity chosen by the adversary

 B now believes it shares the key KAB with C

 in fact, B shares KAB with A!

 Violated requirements
 Depends on application
 B might give information to A which only should have been revealed to C

 Adv does not necessarily obtain the session key

 however, the requirement MR1 is not fulfilled since B does not know with whom it shares the session
key
Protocol II: Second Attack

 Adv interferes in the communication between A and T

Protocol II: Analysis of the Second
Attack
 This attack is successful when Adv is known to T
 Adv is an insider and known by T as C and thus shares KCT with T

 Adversary Model
 The adversary is allowed to be an insider or a collusion of an insider and an outsider

 Attack (man‐in‐the‐middle)
 Adv intercepts message 1 intended for T and replaces IB with IC
 Adv masquerades as C to T
 C might be an arbitrary identity chosen by the adversary

 Result: A now believes it shares the key KAC with B

 in fact, A shares KAC with C!

 MR1 is not fulfilled

Protocol II: Analysis of the Second
Attack (cntd.)
 Consequences
 At the end of the attack Adv masquerades as B to A
 A believes to share the session key with B but actually shares it with Adv
 KAC represents the session key accepted by A

 A cannot distinguish encrypted messages and thus does not notice the manipulation

 Adv knows the session key KAC

 Adv is able to capture all information intended for B

 Possible countermeasure
 Cryptographically bind IDs of the entities to the corresponding session key
 see example protocol III
Protocol III: Flow

Comparison with Protocol II: Here, the identities of the

participants are bound to the session key!
Protocol III: Description
 Step 1:
 A starts by sending identifiers IA and IB to T

 T then generates a session key KAB and encrypts KAB together with the identity of the peer party

 For A : encKAT(KAB, IB )

 For B : encKBT(KAB, IA )

 Step 2:
 T sends both ciphertexts to A

 A decrypts encKAT(KAB, IB ) and obtains the key KAB

 Step 3:
 A forwards the ciphertext encrypted with KBT to B

 B decrypts encKBT(KAB, IA ) and obtains the key KAB

Protocol III: Discussion
 Features
 IDs of the participants are cryptographically bound to the
session key

 Both previous attacks do not work anymore

 Because of the non‐malleability of the underlying encryption
scheme it is not possible to alter the content of encrypted
messages, i.e., the adversary is not able to change the encrypted
identifiers in message 2 and 3: encKAT(KAB, IB ), encKBT(KAB, IA )
Protocol III: Discussion (cntd.)
 Role of the encryption encKAT(KAB, IB ):The encryption scheme enc here should

achieve much more that confidentiality

 Confidentiality
 The encryption should hide the new session key KAB

 Authenticity:
 A can be sure that this message have been generated by T, since only T knows the key KAT and can

encrypt with it

 Cryptographically binding
 The encrypted message parts KAB and IB are bound to each other

 Integrity
 If the encryption scheme enc has the feature of non ‐malleability, it is not possible to manipulate the

ciphertextand change it in order to achieve some desired plaintext (e.g. to change IB in IC)
Protocol III: Problems
 Adversary Model
 The adversary is allowed
 to use messages recorded in any previous run of the protocol
 to obtain the session key of any previous run of the protocol
 Problems
 Reuse of old protocol messages or message fields from
pervious protocol runs (replay attack)
 Adversary might also be in possession of old session keys
 Old session keys are vulnerable to attacks because
 they may be used with a variety of regular data formats (might make
cryptanalysis easier)
 they may be stored at insecure locations (e.g., RAM) or discarded
carelessly after the session
Protocol III: Replay Attack

 The adversary Adv :

-intercepts the message 1 intended for T
-injects an old message 2 containing an old session key K’AB
Protocol III: Analysis of the Attack
 Consequence of the replay attack
 Adv makes A and B to use an old session key K’AB

 Adversary might know K’AB

 Then Adv is able to decrypt or alter all messages encrypted with K’AB

 Remarks
 The attack is successful even if K’AB is unknown to Adv since Adv forces A and B
to accept an old session key
 If the attack has been successful, the adversary might
 obtain more ciphertext created with K’AB for crypt‐analysis or even

 decrypt sessions protected by K’AB

Protocol III: Possible Countermeasures
against Replay Attacks
 There are several possible measures against replay attacks
(see the coming slides):
 each party has its fresh own input to the key generation
 nonces
 timestamps
 sequence numbers
 One possible solution: Use of nonces
 Nonce: A (random) value N which is generated by one party
and returned by the other party and which is cryptographically
bound (e.g., via encryption) to a message m
Basic Idea of Using Nonces
 Assumption: Only A and B share key
KAB
1. A randomly chooses nonce N and
sends it to B
2. B cryptographically binds it to its
message m, e.g., by encrypting it
with KAB
3. If message 2 contains N, A knows,
that B must have participated in the
current protocol run (since only B
knows KAB and thus only B was able
to include N into message 2)
Protocol IV (Needham‐Schroeder
Protocol): Flow
Neednam‐Schr. Protocol: Description
(1)
 Step 1:

 A starts the protocol by sending its own identifier IA and the identifier IB of its intended communication partner B to T

 T creates a session key KAB for the secure communication between A and B

 T first encrypts the session key KAB and IA with KBT

 then T encrypts KAB, NA, IB and the message encrypted with KBT with KAT

 Step 2:

 Upon receipt of message 2, A decrypts with KAT and obtains KAB

 T is trusted ⇒only T(and A) knows KAT required to create message 2

 Therefore, if message 2 contains

 Nonce NA, A can deduce that the message, and thus KAB must have been recently created by T(T is trusted ⇒KAB has been

newly created)

 Identifier IB, A can deduce that T has correctly received the identifier IB of A’s intended communication partner B ⇒ only

B(except A and T) will be able to get KAB(since T only encrypts KAB with KBT and KAT)
Neednam‐Schr. Protocol: Description
(2)
 Step 3:
 A forwards the message encrypted with KBT to B
 Upon receipt of message 3 party B
 knows that A must have known this message (since only A knows KAT to
decrypt message 2)
 knows that A must have obtained KAB(since message 2 also included KAB)
 decrypts it with KBT and obtains KAB
 If message 3 contains IA, B knows that KAB is to be shared with A
 T is trusted ⇒only T(and B) knows KBT required to include IA into message
3
 ⇒B knows, that only A can get KAB(since T only encrypts it with KAT and KBT)
Neednam‐Schr. Protocol: Description
(3)
 Step 4:
 B generates a nonce NB, encrypts it with KAB and sends the
corresponding ciphertext to A
 A decrypts NB using KAB, decrements it, re‐encrypts it with KAB
and sends the corresponding ciphertext to B
 Step 5:
 Upon receipt of message 5, B decrypts with KAB
 If message 5 contains NB‐1, then B can deduce that the current
communication partner must be in possession of KAB in order to
create this message
 Note that B has no assurance of the freshness of KAB(see next slides…)
NS Protocol: Problems
 Situation about key freshness:
 A is assured that KAB has been newly generated if message 2
contains its nonce NA
 What about B ?
 Question: How is B able to get confidence in key
freshness of KAB?
B does not directly communicate with T
 A should transfer this confidence in the challenge ‐and ‐response
part between A and B(messages 4 and 5)
 However, this assumes that only A is able to create message 5
 This assumption is not reasonable since an adversary might be
in possession of an old session key (replay attack)!
Denning‐Sacco Attack on NS‐Protocol

 Assumption: Adv knows an old session key K’AB between A and B

 Attack: Adv masquerades as A to B and makes B to accept an old session key
Avoiding the Attack on the NS‐
Protocol
 Countermeasure
 Both A and B send their nonces to T, so that the key generated
by T can be cryptographically bound also with B’s nonce
⇒Freshness assurance for B
 Protocol modification
 B sends nonce NB to A
 A adds its nonce NA and queries T
 Reply from T can be checked on key freshness by A and B
⇒Bauer‐Berson‐Feiertag(BBF) protocol
Protocol V: Bauer‐Berson‐Feiertag(BBF)
Protocol
BBF Protocol: Discussion
 The Denning‐Sacco Replay attack is not possible any
more
 ⇒Freshness assurance for B
 The BBF Protocol does not provide key-confirmation
 This means, that A and B cannot be sure whether the other party
has correctly received KAB after a successful protocol‐run
 Exercise
 Extend the BBF protocol such that A and B can be sure that the other
party has received KAB correctly!
 Other problems with the BBF Protocol?
Summary: Adversary Model
 Assumption 1: The adversary is able to eavesdrop all
messages on the communication channel
 Assumption 2:The adversary can control the
communication channel and thus is able to alter
messagesor their destination
 Assumption 3:The adversary is allowed to be an insider or
a collusion of an insider and an outsider
 Assumption 4:The adversary is allowed
 to use messages recorded in any previous run of the protocol
 to obtain the session key of any previous run of the protocol