J. Kohl and C. Neuman. The Kerberos network authentication service (V5). Internet RFC 1510, September 1993.
Primary purpose: Mutual authentication of two parties
Secondary purpose: Session key establishment between two parties
Uses only symmetric key cryptography (no public key cryptography)
Relies on timestamps
Therefore, requires participants to have synchronized clocks
Three participants
Alice, typically a user
Bob, typically a network service like a network file system
Kirby, the Kerberos KDC
Preparation
Alice and Kirby share a secret key, KAK
Bob and Kirby share a secret key, KBK
Authentication and key establishment protocol: Four steps
Step 1
Alice generates a random nonce, NA
Alice sends a message to Kirby with:
Her own identity, Alice (A)
Identity of the party she wants to talk to, Bob (B)
Her nonce, NA
Step 2
Kirby generates a random Alice-Bob authentication key, KAB
Kirby specifies a lifetime for the authentication key, L
L = time at which the authentication key will expire
Typically, L = now + 5 minutes
Kirby generates a ticket for Bob by encrypting the following with KBK:
Authentication key, KAB
Alice's identity, A
Lifetime, L
Kirby generates a response for Alice by encrypting the following with KAK:
Authentication key, KAB
Nonce, NA
Lifetime, L
Bob's identity, B
Kirby sends the encrypted ticket and the encrypted response to Alice
Alice decrypts the response and verifies that:
The nonce is correct
Bob's identity is correct
Step 3
Alice generates an authenticator for Bob by encrypting the following with KAB:
Alice's identity, A
Alice's timestamp (current system time), TA
Randomly-chosen subkey, RA
Alice sends the ticket and the authenticator to Bob
Bob decrypts the ticket using KBK
Bob decrypts the authenticator using KAB from the ticket
Bob verifies that:
Alice's identity in the ticket = Alice's identity in the authenticator
The difference between Bob's current system time and Alice's timestamp in the authenticator is less than a maximum threshold
To account for network latency, clock skew, etc.
The ticket has not expired (Bob's current system time < L)
At this point, Alice has authenticated herself to Bob, but not Bob to Alice
Step 4
Bob generates a message for Alice by encrypting the following with KAB:
Alice's timestamp, TA
Randomly-chosen subkey, RB
Bob sends the message to Alice
Alice decrypts the message using KAB
Alice verifies that:
TA in Bob's message is correct
At this point, Bob has authenticated himself to Alice
Alice and Bob both compute a shared secret session key as f (RA,RB)
Alice and Bob use shared secret session key for further secure communication
Variation:
Omit subkeys RA and RB
Alice and Bob use KAB as the session key for further secure communication
However, Kirby also knows KAB, so Eve might be able to learn the session key by attacking Kirby
Variation:
Omit Step 4 and omit subkey RA in Step 3
Alice and Bob use KAB as the session key for further secure communication
Bob has not authenticated to Alice as part of the key establishment protocol
Subsequent secure messages between Alice and Bob must include authentication
Eve cannot masquerade as Bob because Eve cannot decrypt the ticket to obtain KAB
Again, Kirby also knows KAB, so Eve might be able to learn the session key by attacking Kirby
Variation:
Alice can re-authenticate herself to Bob within the lifetime of the ticket by repeating just Step 3 (and maybe Step 4)
Public Key Infrastructure (PKI)
Certificate Authority (CA)
Trusted by everyone
Everyone knows the CA's public digital signature verification key without having to look it up
Alice's certificate
Alice travels physically to the CA's office and proves her identity
The CA puts together a certificate containing Alice's public information
Alice's identity
Validity dates for the certificate
Alice's public digital signature verification key
Alice's public encryption key
The CA digitally signs Alice's certificate
Alice can now publish her CA-signed certificate
Alice sends a signed message to Bob
E.g., one of the Diffie-Hellman key exchange messages
Bob gets Alice's certificate, by looking it up, or by Alice including it in the message
Bob verifies the CA's signature on Alice's certificate; now Bob knows Alice's certificate is genuine
Bob uses Alice's digital signature verification key from Alice's certificate to verify Alice's signature on the message; now Bob knows the message really came from Alice
Certificate revocation
Certificate revocation list (CRL)
Fast revocation
Authorization with certificates
Authentication: Who are you?
Authorization: Are you allowed to do that?
Indirect authorization: Use certificates to authenticate identity, use something else (e.g. access control list (ACL)) to authorize actions for that identity
Direct authorization: Use certificates to authorize actions directly
Transport Layer Security (TLS)
Transport Layer Security (TLS) key establishment (many details omitted)
TLS is the Internet standard version of Netscape's proprietary Secure Socket Layer (SSL)
T. Dierks and C. Allen. The TLS Protocol Version 1.0. Internet RFC 2246, January 1999.
Used for secure web browsing with the HTTPS protocol
Client and server first negotiate which algorithms they will use for public key encryption, digital signatures, and block cipher encryption
Client sends (unencrypted) a 32-byte number R1 to server
4-byte timestamp (seconds since midnight 01-Jan-1970), to detect replays
28-byte random number
Server sends (unencrypted) a 32-byte number R2 to client
4-byte timestamp (seconds since midnight 01-Jan-1970), to detect replays
28-byte random number
Server sends its certificate to client; client verifies certificate
To authenticate the server to the client
(Optional) Client sends its certificate to server; server verifies certificate
For HTTPS, the client almost never has a certificate
The client authenticates to the server outside of TLS, e.g. by logging into their account on the web site
Client generates a 48-byte random pre-master secret PMS
Client encrypts PMS using server's public encryption key and sends the ciphertext to server
Server decrypts PMS using server's private decryption key
Both client and server compute 48-byte master secret MS
MS = PRF (PMS, "master secret", R1 | R2)
PRF is a pseudorandom function that uses hash functions to mix its arguments and generate a sequence of random bytes
Client computes 12-byte value = PRF (MS, "client finished", hash(all previous messages)) and sends that to server; server checks whether it is correct
To detect intruders and replays
This proves to the server that the thing on the other end:
Knows the master secret,
Sent R1, and
Received the server's R2
Server computes 12-byte value = PRF (MS, "server finished", hash(all previous messages)) and sends that to client; client checks whether it is correct
To detect intruders and replays
This proves to the client that the thing on the other end:
Knows the master secret,
Sent R2, and
Received the client's R1
Both client and server use the PRF to compute authentication keys, encryption keys, and keystream generator initialization vectors in both directions from the master secret
Thereafter, each message is authenticated using HMAC and encrypted using a keystream generated from a block cipher
PGP Web of Trust
There is no centralized CA; users sign certificates for each other
Alice meets Bob in a dark alley, each signs the other's certificate:
"Alice's public verifying key is K1; signed by Bob"
"Bob's public verifying key is K2; signed by Alice"
Alice adds Bob's certificate to her key ring
Alice receives a message signed by Carol, who she doesn't know
Carol includes her certificate with the message:
"Carol's public verifying key is K3; signed by Bob"
If Alice trusts Bob only to sign certificates for good people:
Alice uses K2 to verify Bob's signature on Carol's certificate
Alice uses K3 to verify Carol's signature on the message
Alice adds Carol's certificate to her key ring
Certificate chains of any length are possible:
Alice receives a message signed by Ted
"Ted's public verifying key is K4; signed by Carol"
"Carol's public verifying key is K3; signed by Bob"
"Bob's public verifying key is K2; signed by Alice"
PGP only verifies certificate chains; the users have to decide for themselves whether to trust each link in the chain
M. Steiner, G. Tsudik, and M. Waidner.
Diffie-Hellman key distribution extended to group communication.
In Proceedings of the Third ACM Conference on Computer and Communications Security,
pages 31-37, 1996.
Same as Diffie-Hellman, with more than two parties
Publicly known parameters
p, the modulus, a large prime (2048 bits or more)
q, a 256-bit prime
g, a generator for an order-q subgroup of Zp*
Goal: Generate a secret value shared by all parties, e.g. Bob and Carol and Ted and Alice
The secret value is K = gbcta (mod p)
b is a secret random number in the range 1 .. q−1 known only to Bob
c is a secret random number in the range 1 .. q−1 known only to Carol
t is a secret random number in the range 1 .. q−1 known only to Ted
a is a secret random number in the range 1 .. q−1 known only to Alice
Technique
Each party receives g to the power (everyone else's secret random numbers) (mod p)
Bob receives gcta (mod p)
Carol receives gbta (mod p)
Ted receives gbca (mod p)
Alice receives gbct (mod p)
Each party computes K = (what they received) to the power (their own secret random number) (mod p)
Bob computes K = (gcta)b (mod p)
Carol computes K = (gbta)c (mod p)
Ted computes K = (gbca)t (mod p)
Alice computes K = (gbct)a (mod p)
Steiner et al.'s GDH.1 protocol
(All powers of g are calculated (mod p))
Bob sends {gb} to Carol
Carol sends {gb, gbc} to Ted
Ted sends {gb, gbc, gbct} to Alice
Alice computes K = gbcta
Alice sends {ga, gba, gbca} to Ted
Ted computes K = gbcat
Ted sends {gat, gbat} to Carol
Carol computes K = gbatc
Carol sends {gatc} to Bob
Bob computes K = gatcb
Drawbacks of GDH.1: large number of messages, large total message size
But it only requires point-to-point messages
Steiner et al.'s GDH.2 protocol
(All powers of g are calculated (mod p))
Bob sends {gb} to Carol
Carol sends {gb, gc, gbc} to Ted
Ted sends {gbc, gbt, gct, gbct} to Alice
Alice computes K = gbcta
Alice broadcasts {gbca, gbta, gcta} to everyone
Bob computes K = gctab
Carol computes K = gbtac
Ted computes K = gbcat
Advantages of GDH.2 over GDH.1: smaller number of messages, smaller total message size
But it does require a broadcast
Drawback of GDH.1 and GDH.2: large number of modular exponentiations per participant
Steiner et al.'s GDH.3 protocol
(All powers of g are calculated (mod p))
Bob sends {gb} to Carol
Carol sends {gbc} to Ted
Ted sends {gbct} to Alice
Alice computes K = gbcta
Alice broadcasts {gbct} to everyone
Bob computes 1/b = b−1 (mod q), computes (gbct)1/b = gct, sends {gct} to Alice
Carol computes 1/c = c−1 (mod q), computes (gbct)1/c = gbt, sends {gbt} to Alice
Ted computes 1/t = t−1 (mod q), computes (gbct)1/t = gbc, sends {gbc} to Alice
Alice broadcasts {gcta, gbta, gbca} to everyone
Bob computes K = gctab
Carol computes K = gbtac
Ted computes K = gbcat
As with two-party Diffie-Hellman, all messages must be authenticated, otherwise group Diffie-Hellman falls to a man-in-the-middle attack
Must re-run the group key exchange protocol to generate a new session key whenever the group membership changes
Backward secrecy -- New group members cannot decrypt messages previously sent in the old group
Forward secrecy -- Former group members cannot decrypt new messages sent in the new group
Literature
There are lots of variations of the above schemes in the literature
Many papers do not address the authentication issue
Jisoo Kim's project showed that group key exchange protocols are unusable in practice -- they take too long
The need for authentication creates a chicken-and-egg problem -- where do the authentication keys come from?
What I would do
Forget group key exchange protocols
Use a public key cipher to encrypt session keys
Use digital signatures for authentication
Use a PKI to authenticate each party's public keys
The first party to arrive, Alice, generates a random session key
When Bob arrives, he sends a request for the session key, including a nonce, along with his certificate, and signs the message (the nonce is to prevent replay attacks)
Alice verifies Bob's certificate, verifies Bob's signature on the message, sets up a message containing (session key, Bob's nonce), signs the message, encrypts the signed message with Bob's public encryption key, and sends the result to Bob, along with her certificate
Bob decrypts the message, verifies Alice's certificate, verifies Alice's signature on the message, verifies the nonce, and retrieves the session key
To hinder eavesdroppers, every so often one of the parties generates and disseminates a new random session key
When the group membership changes, everyone in the new group must get a new certificate with new public keys, and the session key must be changed (backward and forward secrecy)
Other authors would object that this scheme does not let each party "contribute" to the shared value, as group Diffie-Hellman does
I would reply that if you trust the PKI, you can just use the session key generated by any authentic group member without needing to "contribute" your own piece
This scheme only addresses group session key management, it does not address the actual secure group communication
Secure Group Communication
This is an unsolved and relatively unexplored problem
Secure point-to-point communication: easy
The TCP connection model -- set up security when you set up the connection
Two-party session key establishment
Confidentiality via encryption
Authentication and integrity via MAC or digital signature
Replay defense via nonces -- message sequence numbers
Secure one-to-many communication: not too bad
One sender, many receivers
Just set up a separate secure point-to-point channel from sender to each receiver
N participants, O(N) secure channels
Secure group (many-to-many) communication: hard
Everyone sends every message to everyone
Using secure point-to-point channels doesn't scale
N participants, O(N2) secure channels
Secure ad hoc group (many-to-many) communication: harder
Everyone sends every message to everyone, and participants come and go all the time
Now the key management also doesn't scale -- you'd be spending all your time establishing session keys
Parameters of a solution
Broadcast messages, not point-to-point connections
Lightweight group key establishment
Replay detection without needing to keep a history of messages for each participant