Security Issues in Optical Networks - People.vcu.edu

Network and Communications
Network Security
Department of Computer Science
Virginia Commonwealth University
Key Distribution
How to deliver a key to two parties A and B wishing to exchange data:
• Key selected by A, physically delivered to B
• Key selected by third party C, physically delivered to A and B
• Key encrypted by either A or B using an existing secret key and sent to the other
• Key delivered by third party C on encrypted links to A and B
How many keys are necessary?
• A given host needs to exchange messages with many other hosts
• A key is needed for each pair of hosts
• Many keys need to be supplied dynamically
• Number of required keys depends on the level of the network where encryption is done:
– Node-level encryption for 1000 nodes: half a million keys
– Application-level encryption (for 1000 nodes, 10000 applications): 50 million keys
(A key for every pair of users or processes)
Center approach?
• Responsible for distributing keys to pairs of users:
– Hosts, processes, applications
• Each user shares a unique key with the center
• Based on a hierarchy of keys:
– Session key (temporary key) used to encrypt end-system communication
– Master key (shared by KDC and end user) used to encrypt session keys (a unique master key for each end user)
• Question: How many master keys are required for N users?
• Question: How to distribute master keys?
In Symmetric Cryptography
This protocol assumes that Alice and Bob, users on a network, each share a secret key with the Key Distribution Center, which is Trent.
• Alice asks Trent for a session key to communicate with Bob.
• Trent generates a random session key. He encrypts two copies of it: one in Alice’s key and the other in Bob’s key. Trent sends both copies to Alice.
• Alice decrypts her copy of the session key.
• Alice sends Bob his copy of the session key.
• Bob decrypts his copy of the session key.
• Both Alice and Bob use this session key to communicate securely.
S/KEY
• Relies on a one-way function for its security.
• Alice enters a random number, R. The computer computes f(R), f(f(R)), f(f(f(R))), and so on, about a hundred times. Call these numbers x1, x2, …, x100. The computer gives these to Alice for safekeeping.
• When Alice wants to log in, she types her name and x100. The computer calculates f(x100) and compares it with x101; if they match, Alice is authenticated. Then the computer replaces x101 with x100 in the database. Alice crosses x100 off her list.
• Every time Alice logs in, she enters the last uncrossed number on her list: xi. The computer calculates f(xi) and compares it with xi+1 stored in its database. Eve can’t get useful information because each number is only used once, and the function is one-way. Similarly, the database is not useful to an attacker. Of course, when Alice runs out of numbers on her list, she has to reinitialize the system.
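The login check described above, as an added example that is not part of the original slides. It assumes SHA-256 for the one-way function f (the slide only names f); `make_chain`, `Server` and `demo` are hypothetical names and R is a constructed sample value.

```python
import hashlib
import hmac

def f(x: bytes) -> bytes:
    """One-way function f. SHA-256 is an assumption; the slide only names f."""
    return hashlib.sha256(x).digest()

def make_chain(r: bytes, n: int = 100):
    """Return ([x1, ..., xn], x_{n+1}): Alice's list and the server's stored value."""
    xs, x = [], r
    for _ in range(n):
        x = f(x)
        xs.append(x)
    return xs, f(x)

class Server:
    """Hypothetical login database entry for one user."""
    def __init__(self, stored: bytes):
        self.stored = stored                  # x_{i+1}, kept in the clear

    def login(self, candidate: bytes) -> bool:
        # Accept x_i only if f(x_i) equals the stored x_{i+1}.
        if not hmac.compare_digest(f(candidate), self.stored):
            return False
        self.stored = candidate               # replace x_{i+1} with x_i
        return True

def demo():
    xs, x101 = make_chain(b"constructed random R", 100)   # constructed sample input
    server = Server(x101)
    return [
        server.login(xs[99]),   # x100: accepted
        server.login(xs[99]),   # x100 replayed by an eavesdropper: rejected
        server.login(xs[98]),   # x99: accepted
        server.login(xs[0]),    # x1 used out of order: rejected
    ]
```

The stored value only ever lets the server verify the next password; computing x99 from a captured x100 would require inverting f.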
A Key Distribution Scenario
• Connection between users A and B is required
• Session key needs to be generated and transmitted to A and B
• Ka (Kb): Secret key of A (B), known only to A (B) and KDC
• IDA (IDB): Identity of A (B)
• N1, N2: Nonce
Steps in Previous Key Distribution
1. A requests KDC for a session key for a logical connection to B:
– A sends IDA, IDB, N1 to KDC
(N1: timestamp, counter, or random number, that is different each time)
2. KDC responds with a message consisting of two parts:
   1. Session key KS and original request of A
   2. KS and IDA encrypted using Kb
   Both of the above are encrypted using Ka
3. A stores KS and sends EKb[KS || IDA] to B
4. B receives message from A and sends N2 encrypted using KS to A
5. A responds by sending f(N2) encrypted using KS to B
(After step 3, KS has been securely delivered to A and B)
Steps 1-3: Key Distribution; Steps 3-5: Authentication
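The five steps above traced in code, as an added example that is not part of the original slides. Assumptions: `E`/`D` are a toy authenticated cipher built from SHA-256 and HMAC, standing in for whatever symmetric cipher is deployed; f(N) = N + 1; all function names are hypothetical.

```python
import hashlib, hmac, json, secrets

def _stream(key, iv, n):
    """SHA-256 in counter mode as a keystream (toy construction)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def E(key, obj):
    """E_K[...]: toy authenticated encryption standing in for a real cipher."""
    pt, iv = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, "sha256").digest()

def D(key, blob):
    """D_K[...]: rejects anything not produced under the same key."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, "sha256").digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct)))))

def f(n):
    """Nonce transform agreed by A and B; n + 1 is an assumption."""
    return n + 1

def run_exchange():
    Ka, Kb = secrets.token_bytes(32), secrets.token_bytes(32)  # master keys, also held by KDC
    # Step 1, A -> KDC: IDA, IDB, N1
    req = {"IDA": "A", "IDB": "B", "N1": secrets.randbits(64)}
    # Step 2, KDC -> A: E_Ka[KS || request || E_Kb[KS || IDA]]
    Ks = secrets.token_hex(32)
    for_b = E(Kb, {"Ks": Ks, "IDA": req["IDA"]})
    reply = D(Ka, E(Ka, {"Ks": Ks, "req": req, "for_b": for_b.hex()}))
    if reply["req"] != req:        # A: reply must echo this request and its N1
        raise ValueError("stale or mismatched KDC reply")
    ks_a = bytes.fromhex(reply["Ks"])
    # Step 3, A -> B: E_Kb[KS || IDA]; A cannot read or alter this part
    at_b = D(Kb, bytes.fromhex(reply["for_b"]))
    ks_b = bytes.fromhex(at_b["Ks"])
    # Step 4, B -> A: E_KS[N2]
    N2 = secrets.randbits(64)
    challenge = E(ks_b, {"N2": N2})
    # Step 5, A -> B: E_KS[f(N2)]; B checks the transformed nonce
    response = E(ks_a, {"fN2": f(D(ks_a, challenge)["N2"])})
    return D(ks_b, response)["fN2"] == f(N2), at_b["IDA"], ks_a == ks_b
```

`run_exchange()` returns whether B's check in step 5 passed, the identity B learned from the KDC-sealed part, and whether both sides hold the same KS.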
Hierarchical key control
• For large networks, a single KDC is impractical; a hierarchy of KDCs is better suited
• Local KDCs for each of the domains
• Global KDC facilitates key transfers across domains
• Minimizes effort in distributing master keys
Lifetime of Session key
• For connection-oriented protocols:
– Same session key is used for the duration the connection is open (session)
– For long-duration logical connections, session key is changed periodically
• For connectionless protocols (no explicit connection initiation/termination):
– New session key for each exchange (more overhead)
– Use session key for a fixed period or for a certain number of transactions
Decentralized Key Control
• KDC: bottleneck and target of attacks
• One solution: Decentralization
– requires that each end system be able to exchange a session key securely with any other end system
Steps:
1. A sends request R to B for session key (by including N1)
2. B generates KS; sends KS, R, IDB, f(N1), N2 to A, encrypted using shared master key
3. A returns f(N2) to B, encrypted using KS
Controlling Key Usage
• Impose controls on ways keys are used
• Separation of master keys from session keys
• Define different types of session keys:
– Data encrypting key (for general communication)
– PIN encrypting key (for EFT, POS applications)
– File encrypting key (for files in publicly accessible locations)
Limiting Ways of Usage of Keys
• Based on key characteristics
• Associate ‘tag’ with each key
• In DES, 8 nonkey bits reserved for parity can be used as tag
– One bit: Indicates master key or session key
– One bit: Indicates use in encryption
– One bit: Indicates use in decryption
– Remaining bits: for future use
• Tag is embedded in the key
Key Management Using Public-key Encryption
Key Management
Two distinct issues:
• Distribution of Public Keys
• Distribution of Secret Keys (of Conventional Encryption) using Public-key Encryption
Distribution of Public Keys
Broad Schemes:
• Public Announcement
– Each participant broadcasts the public key
• Publicly Available Directory
• Public-key Authority
• Public-key Certificate
Publicly Available Directory
• A central authority maintains directory
– One entry for each participant: {name, public key}
• Each participant registers the public key
– Secure, authenticated communication needed
• Participant may replace existing key
• Secrecy of authority’s private key is critical
Public Key Distribution Using Public Key Authority
Distribution of public keys from the directory to users A and B
IDA (IDB): Id of A (B); KUa (KUb): Public key of A (B);
KRauth: Private key of authority; N1, N2: nonce
1. A sends time-stamped request for KUb
2. Authority sends KUb together with the time-stamped request, encrypted using KRauth, to A
2b. A decrypts using KUauth and stores KUb
3. A sends IDA and N1 encrypted using KUb to B
4, 5. B requests and receives KUa from the authority (similar to 1, 2, 2b)
6. B sends N1||N2 encrypted using KUa to A
7. A returns N2 encrypted using KUb to B
After steps 1-5: Keys have been delivered
Public Key Distribution using Key
Authority
Public Keys Certificates
• Overcomes bottleneck in Public Key Authority
– Each user requesting authority for the public key of every other user
• Certificates facilitate exchange of keys without contacting key authority
• Certificate created by certificate authority
• Certificate contains public key plus some other information
• Certificate given to user with matching private key
• Certificate: Timestamp, ID, Public Key encrypted using certificate authority’s private key
Exchange of Public Key Certificates
• Certificate: CA=EKRauth[T, IDA, KUa]
• Verification: DKUauth[CA]=DKUauth[CA=EKRauth[T, IDA, KUa]]=(T, IDA, KUa)
• Decryption of certificate using public key of authority provides authentication
Public Key Infrastructure (PKI)
• For commercial applications, there is need for infrastructure to keep track of public keys.
• PKI is a framework consisting of policies:
– Define rules of operation of cryptographic systems
– Define procedures for generating and publishing keys and certificates
• PKI consists of certification and validation operations
– Certification binds public key to an entity
– Validation guarantees that certificates are valid
Public Key Certificate
• Certificate: information that has been validated (signed) by a certification authority (CA)
• Two popular types: Identity Certificates and Credential Certificates
• Identity Certificates: contain ID (ex. email address) and a list of public keys for the entity
• Credential Certificates: contain information about access rights
• Data in certificates (usually) encrypted using CA’s private key
X.509 PKI
• International Standard (ISO and ITU)
• Provides authentication for directory services on large computer networks
• Used in Visa and Mastercard’s SET (Secure Electronic Transaction) Standard
• Allows inclusion of trust policies within certificates.
Secret Key Distribution Using Public-key Systems
Distribution of Secret keys using Public-key Systems
• Diffie – Hellman Key Exchange
• Merkle’s Simple Scheme
• Key Distribution with Confidentiality and Authentication (Needham and Schroeder)
• Hybrid Scheme (A. Le, et al.)
The last three of the above schemes assume that the public keys have already been exchanged

Diffie - Hellman Key Exchange Scheme
• First published public-key algorithm (1976)
• Based on difficulty of computing discrete logarithms
• Enables two users to exchange a key securely to be used for subsequent message encryption
• Several commercial products based on this technique
Diffie - Hellman Key Exchange Algorithm
Diffie – Hellman Key Exchange Operation
• q, α are required to be known ahead of time (or A could pick q and α and include them in the first message)
Merkle’s Secret Key Distribution Scheme
1. A generates a public/private key pair [KUa, KRa] and transmits a message to B consisting of KUa and an identifier of A, IDA
2. B generates a secret key, KS, and transmits it to A, encrypted with A’s public key.
3. A computes DKRa[EKUa[KS]] to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of KS.
4. A discards KUa and KRa and B discards KUa
Key Exchange with Public-Key Cryptography
1. Alice gets Bob’s public key from the KDC.
2. Alice generates a random session key, encrypts it using Bob’s public key, and sends it to Bob.
3. Bob then decrypts Alice’s message using his private key.
4. Both of them encrypt their communications using the same session key.
Man-in-the-middle Attack
1. Alice sends Bob her public key. Mallory intercepts this key and sends Bob his own public key.
2. Bob sends Alice his public key. Mallory intercepts this key and sends Alice his own public key.
3. When Alice sends a message to Bob, encrypted in “Bob’s” public key, Mallory intercepts it. Since the message is really encrypted with his own public key, he decrypts it with his private key, re-encrypts it with Bob’s public key and sends it on to Bob.
4. When Bob sends a message to Alice, encrypted in “Alice’s” public key, Mallory intercepts it. Since the message is really encrypted with his own public key, he decrypts it with his private key, re-encrypts it with Alice’s public key and sends it on to Alice.
Interlock Protocol
(Foils Man-in-the-middle attack)
• Alice sends Bob her public key.
• Bob sends Alice his public key.
• Alice encrypts her message using Bob’s public key. She sends half of the encrypted message to Bob.
• Bob encrypts his message using Alice’s public key. He sends half of the encrypted message to Alice.
• Alice sends the other half of her encrypted message to Bob.
• Bob puts the two halves of Alice’s message together and decrypts with his private key. Bob sends the other half of his encrypted message to Alice.
• Alice puts the two halves of Bob’s message together and encrypts it with her private key.
Key and Message Transmission
Alice and Bob need not complete the key-exchange protocol before exchanging messages. In this protocol, Alice sends Bob the message, M, without any previous key exchange protocol:
1. Alice generates a random session key, K, and encrypts M using K. EK(M)
2. Alice gets Bob’s public key from the database.
3. Alice encrypts K with Bob’s public key. EB(K)
4. Alice sends both the encrypted message and encrypted session key to Bob. EK(M), EB(K)
5. Bob decrypts Alice’s session key, K, using his private key.
6. Bob decrypts Alice’s message using the session key.
Key and Message Broadcast
Alice sending an encrypted message to several people (ex. to Bob, Carol, and Dave)
1. Alice generates a random session key, K, and encrypts M using K. EK(M)
2. Alice gets Bob’s, Carol’s, and Dave’s public keys from the database.
3. Alice encrypts K with Bob’s public key, encrypts K with Carol’s public key, and then encrypts K with Dave’s public key. EB(K), EC(K), ED(K)
4. Alice broadcasts the encrypted message and all the encrypted keys to anybody who cares to receive it. EB(K), EC(K), ED(K), EK(M)
5. Only Bob, Carol, and Dave can decrypt the key, K, using his or her private key.
6. Only Bob, Carol, and Dave can decrypt Alice’s message using K.
Needham & Schroeder Scheme with Confidentiality and Authentication
1. A uses B’s public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1) which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with KUa and containing A’s nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is A.
3. A selects a secret key KS and sends M=EKUb[EKRa[KS]] to B. Encryption of this message with B’s public key ensures that only B can read it; encryption with A’s private key ensures that only A could have sent it.
4. B computes DKUa[DKRb[M]] to recover the secret key.
Hybrid Scheme (for Secret Key Distribution)
[Figure: KDC and users]
• KDC shares a secret master key with each user
• Secret session keys encrypted using master key
• Public-key scheme used to distribute master keys
End of semester
Thank you!
Chapter 5 & 6
Chapter 8 (7,8,11,14,15,17,18,24,31)