SYMMETRIC KEY DISTRIBUTION USING
ASYMMETRIC ENCRYPTION
Because of the inefficiency of public key
cryptosystems, they are almost never used for the direct encryption of sizable
block of data, but are limited to relatively small blocks. One of the most
important uses of a public-key cryptosystem is to encrypt secret keys for
distribution. We see many specific
examples of this in Part Five. Here,
we discuss general principles and typical
approaches.
Simple Secret Key
Distribution
An extremely simple scheme was put forward
by Merkle [MERK79],
as illustrated in Figure 14.7.
If A wishes to communicate with B, the following procedure is employed:
1.
A generates a public/private key
pair {PUa, PRa} and transmits a message to B
consisting of PUa and an identifier of A, IDA.
2.
B generates a secret key, Ks, and transmits
it to A, which is encrypted with A’s public
key.
3.
A computes D(PRa, E(PUa, Ks)) to recover
the secret key. Because
only A can decrypt the message,
only A and B will know the identity of Ks.
4.
A discards PUa and
PRa and
B discards PUa.
A and B can now securely communicate using
conventional encryption and the session key Ks. At the completion of the
exchange, both A and B discard Ks.
Despite its simplicity, this is an attractive protocol.
No keys exist before the start of the
communication and none exist after
the completion of communication. Thus, the risk of compromise of the keys is minimal.
At the same time, the communication is secure
from eavesdropping.
The protocol depicted
in Figure 14.7 is insecure
against an adversary
who can intercept messages and then either relay the intercepted
message or substitute another message
(see Figure 1.3c).
Such an attack
is known as a man-in-the-middle attack [RIVE84]. In this case,
if an adversary, E, has control of the intervening com- munication channel, then E can compromise the
communication in the following fashion without being detected.
1.
A generates a public/private key pair {PUa,
PRa}
and transmits a message intended for B consisting of PUa and an identifier of A, IDA.
2.
E intercepts
the message, creates its own public/private key pair {PUe, PRe} and transmits PUe
|| IDA to B.
3.
B generates a secret
key, Ks, and transmits E(PUe, Ks) .
4.
E intercepts the message
and learns Ks by computing
D(PRe, E(PUe, Ks)).
5.
E transmits E(PUa,
Ks)
to A.
The result is that both A and B know Ks and are unaware that Ks has also been revealed to
E. A and B can now exchange messages using Ks. E no longer actively
interferes with the communications channel but simply
eavesdrops. Knowing Ks, E can decrypt all messages, and both A and B are unaware of the problem. Thus, this
simple protocol is only useful
in an environment where the only
threat is eavesdropping.
Secret Key Distribution with Confidentiality and
Authentication
Figure 14.8,
based on an approach suggested in
[NEED78], provides protection against both active and passive attacks.
We begin at a point when it is assumed
that A and B have exchanged
public keys by one of the schemes
described subsequently in this chapter. Then the following
steps occur.
1. A uses B’s public key to encrypt a message to B containing an identifier of A(IDA) and a nonce (N1), which is used to identify this transaction uniquely.
B sends a message to A encrypted with PUa and containing A’s nonce
(N1) as ell
as a
new nonce generated by B (N2). Because
only B could have (N2). Because
only B could have decrypted message (1), the
presence of N1 in message (2) assures A that the correspondent is B.
2.
A returns
N2, encrypted using
B’s public key, to assure B that its correspondent
is A.
A selects
a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B’s public key ensures that only B can read it; encryption
with A’s private key ensures that only A
could have sent it.
3.
B computes
D(PUa, D(PRb, M)) to recover the secret key.
4.
The result is that this scheme
ensures both confidentiality and authentication in the exchange of a secret key.
A Hybrid Scheme
Yet another way to use public-key encryption to distribute
secret keys is a hybrid approach in use on IBM mainframes [LE93]. This scheme
retains the use of a key distribution center
(KDC) that shares a secret master key with
each user and distributes secret
session keys encrypted with the master
key. A public key
scheme is used to distribute the master keys. The following rationale is provided
for using this three-level approach:
•
Performance: There are many applications, especially transaction-oriented
applications, in which the session
keys change frequently. Distribution of ses- sion
keys by public-key encryption could degrade overall
system performance because of
the relatively high computational load of public-key encryption and decryption.
With a three-level hierarchy, public-key encryption is used only occasionally to update the master key between a user and the KDC.
•
Backward compatibility: The hybrid scheme is
easily overlaid on an existing KDC scheme with minimal disruption or software changes.
The addition of a public-key layer provides a secure, efficient means of distrib- uting master keys. This is an
advantage in a configuration in which a single KDC serves a widely distributed set of users.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.