Keys, organization of key storage, distribution of keys.

Administrator

Lecture 6: Cryptographic key management. Cryptographic protocols.

Questions:

1. Cryptographic protocols.

2. Distribution of secret keys.

3. Distribution of public keys.

4. Distribution of secret keys using a public key system.

1. Cryptographic protocols.

A cryptographic protocol is a set of formalized rules that describe the sequence of actions performed by two or more parties to solve an information-protection problem using cryptography. That is, a cryptographic protocol includes some cryptographic algorithm.

· In everyday life, informal protocols are used almost everywhere:

· when playing cards;

· when ordering goods by phone.

These protocols have been developed over a long period of time and work quite reliably.

Computer protocols are a completely different matter. To do what humans do without thinking, computers need formal protocols.

· To make it easier to demonstrate how protocols work, several standard participants are used:

· Alice is the first participant.

· Bob is the second participant.

· Carol is a participant in three-party protocols.

· Dave is a participant in four-party protocols.

· Eve is a passive eavesdropper who intercepts messages.

· Mallory is an active attacker.

· Trent is a trusted intermediary.

· Walter is a warden (guards Alice and Bob).

· Peggy is a prover (tries to prove something).

· Victor is a verifier (checks Peggy).

· There are:

· self-contained protocols;

· protocols with an intermediary;

· protocols with an arbitrator.

In self-contained protocols the honesty of the parties is guaranteed by the protocol itself. No third party is needed to carry out the protocol, and the absence of disputes is ensured by the design of the protocol. This is the best type of protocol, but unfortunately such protocols are not suitable for every situation.

Figure: Alice and Bob.

Protocols with an intermediary. An intermediary (mediator) is a disinterested third party that is entrusted with completing the execution of the protocol. "Disinterested" means that the intermediary is indifferent both to the outcome of the protocol and to any of its participants. All participants in the protocol accept the intermediary's words as truth, and all his actions are recognized as correct.


In everyday life, an intermediary can be a lawyer, agency, bank, etc. With computer networks the situation is more complicated.


Protocols with an arbitrator. An arbitrator is a special type of intermediary, also a third party. Unlike a mediator, he is not necessarily involved in the execution of every protocol, but only when disagreements arise between the parties.

An example would be judges.

Arbitrated computer protocols are known. These protocols rely on the assumption that the parties are honest. However, if someone suspects fraud, a trusted third party can expose the fraud based on the existing data. In addition, a good arbitrated protocol allows the arbitrator to determine the identity of the cheater. Thus, arbitrated protocols do not prevent fraud but detect it. In this case, the inevitability of detection acts as a preventive measure that discourages the attacker.

Organization of communication using symmetric cryptography.

Model of a symmetric cryptosystem:

1. Alice and Bob choose a cryptosystem.

2. Alice and Bob choose a key.

3. Alice encrypts the plaintext of the message using an encryption algorithm and a key.

4. Alice sends the ciphertext to Bob.

5. Bob decrypts the ciphertext using the key and obtains the plaintext.

Eve, sitting between Alice and Bob, can only overhear the transmission at step 4; she then has to subject the ciphertext to cryptanalysis. This is a passive, ciphertext-only attack.

Eve can also overhear steps 1 and 2, but in a good cryptosystem all of the security rests on the key. This is why key management is so important in cryptography.

The active attacker Mallory can go further. At step 4 he may disrupt the communication line, or intercept Alice's message and replace it with his own; Bob has no way of recognizing that the message was not sent by Alice.

Finally, Alice or Bob could simply hand a copy of the key to Eve, and so on.

To summarize, the disadvantages of symmetric cryptosystems are:

1. Keys are only as valuable as the messages they encrypt, and therefore a key distribution problem arises.

2. Anyone who obtains the key can create false messages.

3. If each pair of network users uses a separate key, the total number of keys grows rapidly with the number of users:

n users - n(n – 1)/2 keys,

10 users - 45 keys,

100 users - 4950 keys, etc.

Organization of communication using public key cryptography.

1. Alice and Bob agree to use a public key cryptosystem.

2. Bob sends Alice his public key.

3. Alice encrypts her message using Bob's public key and sends it to Bob.

4. Bob decrypts the message with his private key.

This eliminates the problem of key distribution, which is painful for symmetric cryptosystems.


2. Distribution of secret keys.

With traditional (symmetric) encryption, both parties must receive the same key. For security reasons, frequent key changes are required.

That is why the strength of any symmetric cryptosystem depends significantly on the key distribution system, i.e. the means of delivering keys to the two parties.

For two parties A and B, key distribution can be organized in various ways:

1. The key is selected by party A and physically delivered to B.

2. The key is selected by a third party and physically delivered to A and B.

3. One of the parties transmits the new key in encrypted form using the old key.

4. A third party C delivers the key to A and B via secure communication channels, i.e. a key distribution center (KDC) is used.

The key distribution scheme (protocol) can be centralized or decentralized (with an intermediary or self-contained, respectively).

Let us consider option 4.

The use of a KDC implies a hierarchy of keys (at least two levels). Communications between end users are encrypted with a temporary key called a session key. The session key is received from the KDC via the same communication channels that are used for data delivery. Session keys are transmitted in encrypted form; they are encrypted with a master key shared by the KDC and the given user.

N master keys are required (one per user). They are distributed in a non-cryptographic way (by physical delivery to the recipient).

Key distribution scenario (Centralized scheme).

Let's assume that user A intends to transfer information to user B and a one-time session key is required to protect the data.

In this case, user A has a secret key K a, known only to him and the KDC, and user B has K b (K a and K b are master keys, K s is a one-time session key).

Information exchange occurs as follows:

1. User A sends a request to the KDC to obtain a session key to protect communication with B.

The request must include:

- information that unambiguously identifies A and B (ID A, ID B);

- some identifier N 1, unique for each request and called a nonce. The nonce can be a timestamp, a counter or a random number.

2. The KDC responds to user A's request, encrypting the answer with the key K a (A's master key). The only user who can read the response is A (hence A is sure that the message came from the KDC).

The response message includes the following elements:

· Intended for A:

- One-time session key K s (for the connection between A and B).

- The nonce N 1 of the request, so that user A can match the response with the request.

In this way A can make sure that his request was not changed on the way to the KDC, and the nonce does not let him confuse the response to this request with a response to a previous request.

· Intended for B:

- One-time session key K s.

- User A's identifier ID A (for example, A's network address).

Both elements are encrypted with the key K b (the master key shared by the KDC and B). They are to be forwarded to B in order to establish the connection and identify A.

E Ka [ K s || Request || N 1 || E Kb [ K s || ID A ] ]

3. User A saves his session key and forwards to party B the part of the KDC's message intended for B.

User B receives K s and knows that the information came from the KDC (since it is encrypted with K b, which only B and the KDC know).

Thus, A and B have the session key. But before exchanging data, it is advisable to do the following:

4. Using the received session key K s, user B sends user A a new nonce N 2.

5. Using K s, user A responds with f(N 2). This convinces B that the message he received in step 3 was not replayed by an attacker.

Thus the protocol provides not only key transfer but also authentication (steps 4 and 5).


It is not necessary to assign the key distribution function to a single KDC; it is often better to use a hierarchy of KDCs. The more frequently session keys are changed, the more secure they are, but distributing session keys delays the start of a communication session and increases network load.

The use of a KDC implies that the KDC must be trusted and reliably protected from attacks. These requirements can be dropped if a decentralized (self-contained) key distribution scheme is used.

Decentralized key distribution scheme.

The session key can be established by the following sequence of actions:

1) A sends B a request for a session key K s together with a nonce N 1.

2) B responds with K s and a new nonce N 2, encrypting the answer with the master key MK m shared by A and B.

3) A returns f(N 2), encrypted with K s.

3. Distribution of public keys.

One of the main applications of public key encryption is the solution of the key distribution problem. There are two quite different uses of public key encryption in this area:

1. distribution of public keys;

2. using public key encryption to distribute secret keys.

Several methods have been proposed for public key distribution. They can be grouped into the following general classes:

1. public announcement;

2. publicly accessible directory;

3. public key certificates.

1) Public announcement of public keys (uncontrolled distribution).

Any party involved in the exchange of data can hand its public key to any other party or broadcast it to everyone; this is uncontrolled distribution of public keys.

This approach is convenient, but it has a serious drawback: such a public announcement can be made by anyone, including an attacker. Someone can pretend to be user A and send a public key to another user on the network, or offer such a public key for public use. Until user A discovers the forgery and warns the other users, the forger can read all encrypted messages that arrive for A during this time and can use the falsified keys for authentication.

2) Publicly accessible directory (centralized scheme).

A higher degree of security can be achieved by using a publicly available dynamic public key directory. The maintenance and distribution of the public directory must be the responsibility of some trusted center or organization. Such a scheme should include the following elements:

1. An authoritative object that maintains a directory with entries of the form (name, public key) for each of the participants.

2. Each participant registers their own public key. Such registration must occur either during the personal appearance of the participant or through secure communication channels.

3. Any participant can replace the existing key with a new one at any time using authentication tools. (Perhaps the private key has been compromised in some way, or a lot of information has already been transmitted using it.)

4. The entire catalog or updates to it are published periodically.

This scheme is more secure than individual public announcements, but it is also vulnerable. If an adversary manages to obtain the private key of the entity authorized to maintain the directory, he will be able to issue falsified public keys and therefore act on behalf of any participant in the communication and read messages intended for any participant. The adversary can achieve the same result by tampering with the entries stored in the directory.

Better protection of public key distribution can be achieved through stricter control over how public keys are handed out.

A typical scenario is described below. It assumes a public-key authority that maintains a dynamic directory of the public keys of all participants in the data exchange. In addition, each participant reliably knows the public key of the authority, but only the authority knows the corresponding private key. The following actions are performed:

(1) Initiator A sends a message with a date/time stamp (nonce N 1) to the public-key authority with a request for the current public key of participant B.

(2) The authority responds with a message encrypted with the authority's private key KR auth. Initiator A can decrypt this message with the authority's public key, so A can be confident that the message comes from the authority. This message includes:

· participant B's public key KU b;

· the original request, so that A can verify that the request was not modified on its way to the authority;

· the original date/time stamp (nonce N 1), so that A can verify that this is the response to this particular request.

(3) Initiator A stores B's public key and uses it to encrypt a message to recipient B containing A's identifier (ID A) and a nonce N 1.

(4), (5) Responder B obtains A's public key from the authority in exactly the same way that A obtained B's public key.

At this point the public keys have been delivered to both A and B, so they can begin secure communication. But before that it is advisable to perform the following two additional actions.

(6) Responder B sends initiator A a message encrypted with KU a and containing A's nonce N 1 as well as a new nonce N 2 generated by B. The presence of N 1 in message (6) convinces A that the sender of the message is B.

(7) Initiator A returns N 2 encrypted with B's public key, so that B can verify that its respondent is A.

So, a total of seven messages are required. However, the first four messages are rarely needed, since both parties can save each other's public keys for later use; this is usually called caching.

3) Public key certificates.

An alternative approach was proposed by Kohnfelder. It is based on certificates.

Each certificate contains a public key and other information; it is generated by an authoritative certificate source (certificate authority) and issued to the participant.

System requirements:

1. Any participant must be able to read the certificate to determine the name and public key of the certificate owner.

2. Any participant must be able to verify that the certificate comes from the authoritative certificate source and is not counterfeit.

3. Denning added the following requirement: any participant must be able to check the validity period of the certificate.

Figure: exchange of public key certificates.

Each participant contacts the certificate authority, providing its public key and requesting a certificate for it over a secure form of communication.

The certificate authority issues certificates C A and C B, containing 1) the validity period T of the certificate; 2) the owner's identifier; 3) the owner's public key. The certificates are encrypted (signed) with the private key of the authority.

The owner can then forward the certificate to any participant.

The recipient uses the authority's public key KU auth to read the certificate. This guarantees that the certificate came from the authority.

D KUauth [ C A ] = D KUauth [ E KRauth [ T , ID A , KU A ] ] = ( T , ID A , KU A )

4. Distribution of secret keys using a public key system.

Some users will choose to use public key encryption only in exceptional circumstances due to the relatively slow data transfer rate when encryption is used. Therefore, public key encryption must be viewed more as a means of distributing the secret keys used for traditional encryption.

1)Merkle scheme (self-sufficient protocol)

If initiator A intends to exchange data with user B, the following procedure is assumed:


1. Party A generates a public/private key pair (KU A, KR A) and sends party B a message containing KU A and A's identifier ID A.

2. Recipient B generates a secret key K S and sends it to initiator A encrypted with A's public key.

3. User A computes D KRa [ E KUa [ K S ] ] to recover the secret key. Since only A can decrypt this message, only the two participants A and B will know K S.

Now both parties, A and B, can communicate protected by traditional encryption with the session key K S. At the end of the data exchange both A and B discard K S. Despite its simplicity, this protocol is very attractive.

Advantage: no keys exist before the communication begins and no keys remain after it ends, so the risk of compromise is minimal. At the same time, the connection is protected from eavesdropping.

Disadvantage: this protocol is vulnerable to active attacks. If adversary E can insert himself into the communication channel, he can compromise the communication without being detected, as follows.

1. Participant A generates a public/private key pair (KU A, KR A) and sends B a message containing KU A and A's identifier ID A.

2. Adversary E intercepts the message, creates his own public/private key pair (KU E, KR E) and sends B a message containing KU E || ID A.

3. B generates a secret key K S and sends E KUe [ K S ].

4. Adversary E intercepts this message and learns K S by computing D KRe [ E KUe [ K S ] ].

5. Adversary E sends participant A the message E KUa [ K S ].

As a result, both A and B know K S but do not suspect that K S is also known to the adversary E. Thus this simple protocol is useful only when the only possible threat is passive interception of messages.

2) Distribution of secret keys ensuring confidentiality and authentication.

The scheme provides protection against both active and passive forms of attack. As a starting point, assume that A and B have already exchanged public keys using one of the schemes described above.


(1) Party A uses party B's public key to send B an encrypted message containing A's identifier (ID A) and a nonce (N 1) that identifies this particular transaction.

(2) User B decrypts (1) with KR B and sends user A a message encrypted with KU A containing the nonce received from A (N 1) and a new nonce (N 2). Since only B could decrypt message (1), the presence of N 1 in message (2) convinces A that the respondent is B.

(3) Party A returns N 2, encrypted with B's public key, to assure B that its respondent is A.

(4) Participant A chooses a secret key K S and sends participant B the message M = E KUb [ E KRa [ K S ] ]. Encrypting with B's public key ensures that only B can read it, and encrypting with A's private key ensures that only A could have sent it.

(5) Party B computes D KUa [ D KRb [ M ] ] to recover the secret key.

When exchanging secret keys, this scheme guarantees both confidentiality and authentication.
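The following example is added here and is not part of the lecture; it serves two passages at once: the certificate exchange of section 3 (C = E_KRauth[T, ID, KU], read with KU_auth, with Denning's validity-period check) and the five-message scheme just described (nonces N_1, N_2, then M = E_KUb[E_KRa[K_S]]). It assumes textbook RSA on fixed Mersenne primes as the public key system, SHA-256 as the hash that the authority signs, JSON as the certificate encoding, and 8-byte nonces and a 16-byte K_S; all of these are choices made for the example, not something the lecture specifies, and the moduli are far too small for real use.

```python
import hashlib
import json
import os

# Toy textbook RSA on fixed Mersenne primes (assumption: illustration only;
# unpadded RSA with moduli this small is not secure in practice).
def rsa_keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)            # (KU = public, KR = private)

def rsa_apply(key, m):
    """E_KU[m] and D_KR[m] are both modular exponentiation of an integer m < n."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, exp, n)

def b2i(b):
    return int.from_bytes(b, "big")

def i2b(i, length):
    return i.to_bytes(length, "big")

P31, P61, P89, P107, P127, P521 = (2 ** k - 1 for k in (31, 61, 89, 107, 127, 521))
KU_AUTH, KR_AUTH = rsa_keygen(P31, P521)         # certificate authority
KU_A, KR_A = rsa_keygen(P61, P89)                # n_A ~ 2^150 holds a 128-bit K_S
KU_B, KR_B = rsa_keygen(P107, P127)              # n_B > n_A, so E_KUb[E_KRa[K_S]] fits

# Certificate C = E_KRauth[T, ID, KU]: the authority signs the SHA-256 hash of the fields.
def issue_certificate(kr_auth, owner_id, ku_owner, valid_seconds, now):
    cert = {"T": now + valid_seconds, "ID": owner_id, "KU": list(ku_owner)}
    digest = hashlib.sha256(json.dumps(cert, sort_keys=True).encode()).digest()
    cert["sig"] = rsa_apply(kr_auth, b2i(digest))
    return cert

def verify_certificate(ku_auth, cert, now):
    """Returns (ID, KU) if the signature checks under KU_auth and T has not passed."""
    fields = {k: cert[k] for k in ("T", "ID", "KU")}
    digest = hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).digest()
    if rsa_apply(ku_auth, cert["sig"]) != b2i(digest):
        raise ValueError("not issued by the authority (or modified)")
    if now >= cert["T"]:
        raise ValueError("certificate validity period has expired")   # Denning's requirement
    return cert["ID"], tuple(cert["KU"])

def certificate_accepted(ku_auth, cert, now):
    try:
        verify_certificate(ku_auth, cert, now)
        return True
    except ValueError:
        return False

# Secret-key distribution with confidentiality and authentication, messages (1)-(5).
def authenticated_key_distribution(ku_a, kr_a, ku_b, kr_b):
    n1 = os.urandom(8)
    m1 = rsa_apply(ku_b, b2i(b"A" + n1))                      # (1) A->B: E_KUb[ID_A || N_1]
    p1 = i2b(rsa_apply(kr_b, m1), 9)                          # B decrypts with KR_B
    if p1[:1] != b"A":
        raise ValueError("unknown initiator")
    n2 = os.urandom(8)
    m2 = rsa_apply(ku_a, b2i(p1[1:] + n2))                    # (2) B->A: E_KUa[N_1 || N_2]
    p2 = i2b(rsa_apply(kr_a, m2), 16)                         # A decrypts with KR_A
    if p2[:8] != n1:
        raise ValueError("N_1 mismatch: respondent is not B")
    m3 = rsa_apply(ku_b, b2i(p2[8:]))                         # (3) A->B: E_KUb[N_2]
    if i2b(rsa_apply(kr_b, m3), 8) != n2:
        raise ValueError("N_2 mismatch: initiator is not A")
    ks = os.urandom(16)
    m4 = rsa_apply(ku_b, rsa_apply(kr_a, b2i(ks)))            # (4) M = E_KUb[E_KRa[K_S]]
    ks_at_b = i2b(rsa_apply(ku_a, rsa_apply(kr_b, m4)), 16)   # (5) D_KUa[D_KRb[M]]
    return ks == ks_at_b

def demo(now=1_000_000):
    """B's public key is taken from a certificate, then A and B run messages (1)-(5)."""
    cert_b = issue_certificate(KR_AUTH, "B", KU_B, 3600, now)
    owner, ku_b = verify_certificate(KU_AUTH, cert_b, now)
    return owner, ku_b == KU_B, authenticated_key_distribution(KU_A, KR_A, ku_b, KR_B)

if __name__ == "__main__":
    print(demo())
```

The certificate check fails closed on two separate conditions, a bad signature and an expired validity period, which is exactly the pair of requirements (2 and 3) listed for the certificate system; the key distribution function raises on a nonce mismatch rather than continuing, because a wrong N_1 or N_2 is the only evidence the parties have that the respondent is not who they expect.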

3) Hybrid scheme (three-level).

This is a hybrid approach used on IBM mainframes. It is a scheme with an intermediary: a key distribution center (KDC) with which each user shares a master secret key, and secret session keys are distributed encrypted under the master key. A public key scheme is used to distribute the master keys. This three-level approach is based on the following reasoning:

· Performance.

There are many applications where session keys must change very frequently. Distributing session keys with a public key scheme could degrade system performance because of the relatively high computational cost of public key encryption and decryption. In a three-level hierarchy, public key encryption is used only occasionally, to change a master key.

· Backward compatibility.

The hybrid scheme can easily be implemented as an extension of an existing KDC-based scheme, with minimal changes to the existing procedures and software.

Adding a public key encryption layer provides a secure and efficient means of distributing master keys. This is an advantage in a configuration where one KDC serves a large number of users located far apart.

5. Key exchange using the Diffie-Hellman scheme.

The first published public key algorithm appeared in the paper by Diffie and Hellman that defined the very concept of public key cryptography. This algorithm is usually called Diffie-Hellman key exchange. The technique is implemented in a number of commercial products.

Purpose of the scheme: to provide a secure way for two users to agree on a key that they can then use to encrypt subsequent messages.

The cryptographic strength of the Diffie-Hellman algorithm relies on the difficulty of computing discrete logarithms. Formally, the discrete logarithm is defined as follows. First, a primitive root of a prime number p is defined: a number a whose powers generate all integers from 1 to p-1. This means that if a is a primitive root of the prime p, then the numbers

a mod p, a^2 mod p, …, a^(p-1) mod p

are all distinct and represent all integers from 1 to p-1 in some permutation.

The Diffie-Hellman key exchange is illustrated in the figure. In this scheme there are two public numbers: a prime number q and an integer a that is a primitive root of q. Suppose users A and B intend to exchange keys.

User A chooses a random integer X A < q and computes Y A = a^XA mod q. Similarly, user B independently chooses a random integer X B < q and computes Y B = a^XB mod q. Each party keeps its value X secret and makes its value Y available to the other side. User A computes the key as K = (Y B)^XA mod q, and user B as K = (Y A)^XB mod q. These two formulas give the same result, since both equal a^(XA·XB) mod q.

So both parties have agreed on a secret key. Since X A and X B are private and kept secret, the adversary has only q, a, Y A and Y B to work with. To determine the key he has to compute a discrete logarithm: for example, he must recover X B from Y B = a^XB mod q.

He would then be able to calculate the key K in the same way as user B does.

The security of the Diffie-Hellman key exchange rests on the fact that, while powers modulo a prime are relatively easy to compute, discrete logarithms are very hard to compute. For large primes the latter is considered practically infeasible.


The enemy knows: q, a, Y A, Y B. To determine the key, you need to calculate the discrete logarithm.
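A worked run of the exchange in the lecture's notation, added here as an example and not part of the original text. The numbers q = 353, a = 3, X_A = 97, X_B = 233 are constructed sample values small enough to check by hand; the primitive-root test and the exhaustive discrete-logarithm search are written for such tiny q only and are there to show what the eavesdropper (who knows only q, a, Y_A, Y_B) would have to do.

```python
import secrets

def is_primitive_root(a, q):
    """a is a primitive root of the prime q if a^1, a^2, ..., a^(q-1) mod q are all distinct.
    This direct check suits the small textbook q used here; for large q one tests
    a^((q-1)/r) != 1 mod q for every prime factor r of q-1 instead."""
    return len({pow(a, k, q) for k in range(1, q)}) == q - 1

def dh_exchange(q, a, x_a, x_b):
    """One Diffie-Hellman run. Returns (Y_A, Y_B, key computed by A, key computed by B)."""
    if not is_primitive_root(a, q):
        raise ValueError("a must be a primitive root of q")
    y_a = pow(a, x_a, q)      # A publishes Y_A = a^X_A mod q
    y_b = pow(a, x_b, q)      # B publishes Y_B = a^X_B mod q
    k_a = pow(y_b, x_a, q)    # A: K = (Y_B)^X_A mod q
    k_b = pow(y_a, x_b, q)    # B: K = (Y_A)^X_B mod q
    return y_a, y_b, k_a, k_b

def discrete_log_by_search(a, y, q):
    """The problem the eavesdropper faces: find x with a^x mod q == y from the public
    values alone. Exhaustive search only works because q is tiny; for primes of
    real-world size this cost is what makes the exchange secure."""
    for x in range(1, q):
        if pow(a, x, q) == y:
            return x
    return None

def random_exchange(q=353, a=3):
    """Fresh private values X_A, X_B in [1, q-1] from a CSPRNG; True if both keys agree."""
    x_a, x_b = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    _, _, k_a, k_b = dh_exchange(q, a, x_a, x_b)
    return k_a == k_b

if __name__ == "__main__":
    # Constructed sample values: q = 353, a = 3, X_A = 97, X_B = 233.
    print(dh_exchange(353, 3, 97, 233))   # (40, 248, 160, 160)
```

With these values A publishes Y_A = 40 and B publishes Y_B = 248, and both sides arrive at K = 160; the search routine recovers X_B = 233 from Y_B in a few hundred modular exponentiations, which is the amount of work that grows out of reach as q grows.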

With traditional encryption, both parties involved in the data exchange must receive the same key, to which other users are denied access. This usually requires frequent changes of keys to reduce the amount of data lost in the event that one of the keys becomes known to the enemy.

Therefore, the reliability of any cryptographic system largely depends on the key distribution systems, which is a means of delivering keys to two parties planning to exchange data without allowing others to see those keys.

For two parties, A and B, key distribution can be organized in various ways, as listed below:

  1. The key can be selected by party A and physically delivered to party B.
  2. The key can be selected by a third party and physically delivered to participants A and B.
  3. If exchange participants A and B already use some shared key, one of the parties can transmit the new key to the other in encrypted form using the old key.
  4. If both parties A and B have cryptographically secure communication channels with a third party C, then C can deliver the key to A and B through these secure channels.

Options 1 and 2 involve handing the key over from hand to hand. With link encryption this requirement may be quite reasonable, since any link encryption device exchanges data only with the corresponding device at the other end of the link.

But in the case of end-to-end encryption, physical delivery of the key is practically unacceptable. In any distributed system, each host or terminal may communicate with many other hosts and terminals. Therefore each such device will require many keys, which will have to be supplied dynamically. The problem turns out to be very difficult to solve, especially in the case of large, globally distributed systems.

The scale of the problem depends on the number of communicating pairs that have to be serviced. If end-to-end encryption is implemented at the network or IP level, one key is required for each pair of hosts on the network that communicate. Therefore, if there are N hosts, the number of required keys will be N(N – 1)/2. If encryption is carried out at the application level, each pair of communicating users or processes needs its own key, and a network can have hundreds of hosts and thousands of users and processes. Fig. 6.2 shows, for the case of end-to-end encryption, how the complexity of the key distribution problem depends on the number of pairs participating in the data exchange. For example, on a network of 1,000 nodes where encryption is done at the node level, there would be about half a million keys to distribute. And if such a network supports about 10,000 applications, then application-level encryption may require the distribution of about 50 million keys.

Figure 6.2.

Returning to the list of key distribution methods, we note that method 3 is possible both for channel encryption and for end-to-end encryption, but if an adversary ever manages to gain access to one of the keys, then he will be able to obtain all subsequent ones. Additionally, the initial distribution of potentially millions of keys must still be completed.

For end-to-end encryption, a scheme that is some variation of method 4 is widely used. In this scheme, some key distribution center is responsible for delivering keys to pairs of users (master nodes, processes, applications). Each user must receive his own unique key, which he uses together with the key distribution center in order to organize the delivery of keys.

Figure 6.3.

Using a key distribution center involves organizing a certain hierarchy of keys. In a minimal configuration, such a hierarchy includes two levels (Fig. 6.3). Communication between end systems is encrypted using a temporary key, often called a session key. Typically, a session key is used only for a specific logical connection, such as a virtual circuit, or for data transport, after which the key is no longer used. The session key is obtained from the key distribution center using the same means of data delivery on the network that serve to organize communications between end users. Accordingly, session keys are transmitted in encrypted form, and the master key, common to the key distribution center and the given end system or specific user, is used for encryption.

A unique master key is created for each end system or end user and shared with the key distribution center. Of course, these master keys must also be distributed somehow, but this problem is much simpler. As mentioned, N entities communicating in pairs require N(N – 1)/2 session keys, but only N master keys, one for each entity. Therefore master keys may be distributed in some non-cryptographic manner, such as by physical delivery to the recipient.

Key distribution can be implemented in different ways. A typical scenario is shown in Fig. 6.4. This scenario assumes that each user has a unique master key shared with a key distribution center (KDC).

Let's assume that user A intends to create a logical connection with user B, and to protect the data that is supposed to be transferred during this connection, a one-time session key is required.

In this case, user A has a secret key K a, known only to him and the KDC, and likewise B uses the master key K b shared with the KDC.

The information exchange proceeds as follows:

  1. Initiator A sends a request to the KDC to obtain a session key to protect the logical connection with B. The message must include information that uniquely identifies A and B, as well as some identifier N1, unique for this request and usually called a nonce. Such an identifier could be the current time, a counter, or a random number; at a minimum it must be unique for each request. In addition, to prevent an adversary from falsifying the message, the identifier must be hard for the adversary to guess, so a random number is a good choice for a nonce.
  2. The KDC responds to the request with a message encrypted with the key Ka. The only user who can receive and read this message is A, so A can be sure that it came from the KDC. The message contains two elements intended for A:
    - the one-time session key Ks to be used in the communication session;
    - the original request message, including the nonce, so that user A can match the response with the corresponding request.
  In this way A can make sure that his original request was not changed on the way to the KDC, and the nonce will not let him confuse the answer to this request with the answer to any previous request.

Figure 6.4.

  In addition, the message includes two elements intended for B:
    - the one-time session key Ks to be used in the communication session;
    - the identifier ID A of user A (for example, his network address).
  Both elements are encrypted with the key K b (the master key shared by the KDC and B), and they are to be sent to B to establish the connection and identify A.
  3. Party A saves the session key for the upcoming session and forwards to B the information received from the KDC and intended for B (namely E Kb [ K s || ID A ]). Since this information is encrypted with K b, it is protected. Now recipient B knows the session key K s and knows that the received information came from the KDC (since it is encrypted with K b).

At this point the session key has been delivered to both A and B, so they can begin to exchange data securely. But before that, it is advisable to perform two more operations.

  4. Using the newly received session key K s for encryption, party B sends party A a new nonce N2.
  5. Using the same key K s, party A returns f(N2), where f is a function that performs some transformation of N2 (for example, adding one).

These actions are intended to convince B that the message he originally received (step 3) was not replayed.

Note that the key transfer itself is performed in steps 1-3, while steps 4 and 5, and partly step 3, provide the authentication function.
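The centralized KDC scenario (steps 1-5 as described in section 2 and again above) as a runnable simulation, added here as an example; it is not code from the lecture. It assumes a small authenticated encryption built from the standard library (a SHA-256 keystream plus an HMAC tag) standing in for E_K[·], JSON as the message encoding, 8-byte random nonces and f(N_2) = N_2 + 1; the master keys K_a and K_b are constructed at import time, as they would be distributed out of band.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption so the protocol runs stand-alone: SHA-256 keystream XORed
# with the data, then an HMAC tag over IV || ciphertext. Assumption: illustration only.
def _subkeys(key):
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())

def _keystream(ke, iv, length):
    blocks = (hashlib.sha256(ke + iv + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    ke, km = _subkeys(key)
    iv = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(ke, iv, len(plaintext))))
    return iv + ct + hmac.new(km, iv + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    ke, km = _subkeys(key)
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, iv + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: ciphertext was modified or the key is wrong")
    return bytes(c ^ s for c, s in zip(ct, _keystream(ke, iv, len(ct))))

class KDC:
    """Holds one master key per user (delivered out of band, not by the protocol)."""
    def __init__(self, master_keys):
        self.master = master_keys

    def session_key_response(self, id_a, id_b, n1):
        # Step 2: E_Ka[ K_s || request (ID_A, ID_B) || N_1 || E_Kb[ K_s || ID_A ] ]
        ks = os.urandom(16)
        ticket = encrypt(self.master[id_b], json.dumps({"ks": ks.hex(), "ida": id_a}).encode())
        body = {"ks": ks.hex(), "ida": id_a, "idb": id_b, "n1": n1, "ticket": ticket.hex()}
        return encrypt(self.master[id_a], json.dumps(body).encode())

def run_protocol(master_keys, id_a="A", id_b="B"):
    """Steps 1-5. Returns (A and B hold the same K_s, ID that B sees, B convinced of freshness)."""
    kdc = KDC(master_keys)
    n1 = os.urandom(8).hex()                                   # Step 1: A -> KDC: ID_A, ID_B, N_1
    reply = kdc.session_key_response(id_a, id_b, n1)
    body = json.loads(decrypt(master_keys[id_a], reply))       # A decrypts with K_a ...
    if body["n1"] != n1 or (body["ida"], body["idb"]) != (id_a, id_b):
        raise ValueError("reply does not match the request: possible replay or tampering")
    ks_a = bytes.fromhex(body["ks"])                           # ... and keeps K_s
    # Step 3: A -> B: E_Kb[ K_s || ID_A ]; only B (and the KDC) can open it
    ticket = json.loads(decrypt(master_keys[id_b], bytes.fromhex(body["ticket"])))
    ks_b, peer = bytes.fromhex(ticket["ks"]), ticket["ida"]
    # Step 4: B -> A: E_Ks[N_2]
    n2 = int.from_bytes(os.urandom(4), "big")
    challenge = encrypt(ks_b, str(n2).encode())
    # Step 5: A -> B: E_Ks[f(N_2)] with f(x) = x + 1; B checks it against its own N_2
    response = encrypt(ks_a, str(int(decrypt(ks_a, challenge)) + 1).encode())
    fresh = int(decrypt(ks_b, response)) == n2 + 1
    return ks_a == ks_b, peer, fresh

def tampering_is_detected(key=b"k" * 16):
    """A ciphertext with one flipped byte must fail the tag check instead of decrypting."""
    blob = bytearray(encrypt(key, b"session key material"))
    blob[20] ^= 0x01
    try:
        decrypt(key, bytes(blob))
    except ValueError:
        return True
    return False

MASTER_KEYS = {"A": os.urandom(16), "B": os.urandom(16)}   # constructed sample master keys

if __name__ == "__main__":
    print(run_protocol(MASTER_KEYS))   # (True, 'A', True)
```

Two details carry the security argument of the text: A refuses the KDC's reply unless it echoes A's own N_1 and the identities it asked for, which is what rules out a replayed response to an older request, and B only learns K_s from a ticket under K_b, so the ticket's origin is the KDC by construction; the challenge in steps 4 and 5 then shows B that the holder of K_s is live and not replaying step 3.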

Key distribution is the most critical process in key management. The following requirements apply to it:

  • efficiency and accuracy of distribution;
  • secrecy of distributed keys.

Distribution of keys between users of a computer network is implemented in two ways:

  1. Using one or more key distribution centers;
  2. Direct exchange of session keys between network users.

The disadvantage of the first approach is that the key distribution center knows which keys are issued to whom, which would allow it to read all messages transmitted over the network; the potential for such abuse significantly weakens protection. In the second approach, the challenge is to reliably authenticate the network entities. In both cases, the authenticity of the communication session must be ensured. This can be done using a request-response mechanism or a timestamp mechanism.

The request-response mechanism is as follows. User A includes an unpredictable element (for example, a random number) in the message (request) sent to user B. When responding, user B must perform some operation with this element (for example, add one), which cannot be done in advance, since it is not known what random number will come in the request. After receiving the result of User B's actions (response), User A can be confident that the session is genuine.

The timestamp mechanism involves recording the time of each message. This allows each network entity to determine how old an incoming message is and reject it if there is doubt about its authenticity. When using timestamps, an acceptable delay interval must be set. In both cases, encryption is used to protect the control element, ensuring that the response was not sent by an attacker and that the timestamp has not been tampered with.

The key distribution problem comes down to constructing a key distribution protocol that provides:

  • mutual confirmation of the authenticity of session participants;
  • confirmation of the validity of the session by a mechanism for requesting a response or timestamp;
  • using a minimum number of messages when exchanging keys;
  • the possibility of eliminating abuse on the part of the key distribution center (up to and including abandoning it).

It is advisable to base the solution to the problem of key distribution on the principle of separating the procedure for confirming the authenticity of partners from the procedure for distributing keys itself. The purpose of this approach is to create a method in which, after authentication, the participants themselves generate a session key without the participation of a key distribution center, so that the key distributor has no way of revealing the contents of messages.

Key distribution with the participation of the key distribution center. When distributing keys between participants in the upcoming information exchange, the authenticity of the communication session must be guaranteed. For mutual authentication of partners, the handshake model is acceptable. In this case, none of the participants will receive any sensitive information during the authentication procedure.

Mutual authentication ensures, with a high degree of confidence, that the connection has been established with the required recipient and that no spoofing attempts have been made. The actual procedure for setting up a connection between participants in an information exchange includes both the key distribution stage and the stage of confirming the authenticity of the partners.

When a key distribution center (KDC) is included in the key distribution process, it interacts with one or both session participants in order to distribute secret or public keys for use in subsequent communication sessions.

The next step, authenticating the participants, involves exchanging authentication messages to be able to detect any substitution or replay of one of the previous calls.

Key distribution protocol. A key distribution (key establishment) protocol is a cryptographic protocol in which a shared secret becomes available to two or more parties for subsequent cryptographic use.

Key distribution protocols are divided into two classes:

    Key transportation protocols;

    Key exchange protocols.

Key transport protocols (key transport) are key distribution protocols in which one participant creates or otherwise acquires a secret and transmits it securely to the other participants.

Key exchange protocols (key agreement, key exchange) are key distribution protocols in which a shared secret is derived by two or more participants as a function of information contributed by (or associated with) each of them, in such a way that (ideally) no other party can predetermine their shared secret.

There are two additional forms of key distribution protocols. A protocol is said to perform a key update if the protocol generates a completely new key that is independent of the keys generated in previous sessions of the protocol. The protocol generates derivative keys (key derivation) if a new key is “derived” from those already existing among participants in the cryptosystem.

The main properties of key distribution protocols include the properties of key authentication, key confirmation and explicit key authentication.

(Implicit) key authentication (implicit key authentication) is the property that one participant in a protocol is assured that no party other than a specifically identified second participant (and possibly a trusted authority) can gain access to the secret keys obtained in the protocol. There is no guarantee here that the second participant actually obtained the key, only that no one else could have. Implicit key authentication is independent of whether the other party actually holds the key and requires no action from that party.

Key confirmation (key confirmation) is the property that one participant in the protocol is assured that another participant (possibly unidentified) actually possesses the secret keys obtained in the protocol.

Explicit key authentication (explicit key authentication) is the property that holds when (implicit) key authentication and key confirmation hold simultaneously.

    1. Needham-Schroeder protocol on symmetric keys

This protocol underlies a large number of key distribution protocols that use trusted centers. There are two types of this protocol:

    Needham-Schroeder protocol on symmetric keys;

    Needham-Schroeder protocol on asymmetric keys.

The symmetric key protocol works as follows:

Preliminary stage:

No matter how complex and reliable the cryptosystem itself is, it relies on keys. While arranging a key exchange to secure communication between two users is trivial, in a system with tens or hundreds of users key management becomes a serious problem.

Key information is understood as the totality of all keys active in the system. If sufficiently reliable management of key information is not ensured, then, having taken possession of it, the attacker gains unlimited access to all information.

Key management is an information process that includes three elements:

    key generation;

    accumulation of keys;

    key distribution.

Key generation. In real systems, special hardware and software methods are used to generate random keys. As a rule, random number generators are used, and the degree of randomness of their output must be quite high. The ideal generators are devices based on “natural” random processes, for example generating keys from white radio noise. Another random mathematical object is the decimal digits of irrational numbers such as π or e, which are computed using standard mathematical methods.

In systems with average security requirements, software key generators that calculate random numbers as a complex function of the current time and (or) the number entered by the user are quite acceptable.

Accumulation of keys. The accumulation of keys refers to the organization of their storage, accounting and removal.

Since the key is the most attractive object for an attacker, opening the way to confidential information, special attention should be paid to the accumulation of keys.

Secret keys should never be written in the clear on a medium that can be read or copied.

In a fairly complex system, one user can work with a large amount of key information, and sometimes there is even a need to organize mini-databases of key information. Such databases are responsible for accepting, storing, recording and deleting used keys.

All information about the keys in use must be stored in encrypted form. The keys that encrypt key information are called master keys.

It is desirable that each user knows the master keys by heart and does not store them on any tangible media at all.

A very important condition for information security is the periodic updating of key information in the system. In this case, both regular keys and master keys must be reassigned. In critical systems, key information must be updated daily.

The issue of updating key information is also related to the third element of key management – key distribution.

Key distribution. Key distribution is the most critical process in key management. There are two requirements for it:

    efficiency and accuracy of distribution;

    secrecy of distributed keys.

Recently, there has been a noticeable shift towards the use of public key cryptosystems, in which the problem of key distribution is eliminated. However, the distribution of key information in the system requires new effective solutions.

Distribution of keys between users follows one of two approaches:

1 By creating one or more key distribution centers. The disadvantage of this approach is that the distribution center knows who is assigned which keys, which would allow it to read all messages circulating in the system; the potential for such abuse significantly weakens protection.

2 Direct exchange of keys between system users. In this case, the challenge is to reliably authenticate the subjects.

1 The request-response mechanism, which works as follows. If user A wants to be sure that the messages he receives from user B are not forged, he includes an unpredictable element (the request) in the message he sends to B. When responding, user B must perform some operation on this element (for example, add 1). This cannot be done in advance, since it is not known what random number will arrive in the request. After receiving a response with the result of this operation, user A can be sure that the session is genuine. The disadvantage of this method is that patterns, albeit complex ones, may be established between the request and the response.

2 Time stamp mechanism. It involves recording the time for each message. In this case, each user of the system can know how “old” the incoming message is.

In both cases, encryption should be used to ensure that the response was not sent by an attacker and that the timestamp has not been altered.

When using timestamps, the question arises of what delay is acceptable when verifying the authenticity of a session. After all, a time-stamped message cannot, in principle, be transmitted instantly. In addition, the clocks of the sender and the recipient cannot be perfectly synchronized.
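As an added example (not from the lecture), this Python receiver check implements the timestamp mechanism with an acceptance window covering both delay and clock skew; a keyed MAC is used here in place of encryption to stop the timestamp from being altered, and the window size and all names are assumptions.

```python
import hashlib, hmac, struct

WINDOW_SECONDS = 30.0  # assumed acceptable delay plus clock skew between the parties

def stamp(key: bytes, payload: bytes, now: float) -> bytes:
    """Sender: timestamp || payload, with an HMAC so neither can be altered in transit."""
    body = struct.pack(">d", now) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def accept(key: bytes, msg: bytes, now: float, seen: dict):
    """Receiver: returns (ok, reason, payload). `seen` maps tag -> timestamp of
    messages already accepted inside the window, so a second copy is rejected."""
    body, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return False, "bad tag", None  # altered, or not sent by a holder of the key
    ts = struct.unpack(">d", body[:8])[0]
    if ts - now > WINDOW_SECONDS:
        return False, "timestamp too far in the future", None  # skew limit exceeded
    if now - ts > WINDOW_SECONDS:
        return False, "message too old", None
    # Forget entries that have left the window; they would be rejected as old anyway.
    for old in [t for t, t_ts in seen.items() if now - t_ts > WINDOW_SECONDS]:
        del seen[old]
    if tag in seen:
        return False, "replay within the window", None
    seen[tag] = ts
    return True, "ok", body[8:]
```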

Public key cryptosystems, including RSA itself, can be used to exchange keys.

But the Diffie-Hellman algorithm has proved very effective: it allows two users to agree on a key without intermediaries, which can then be used for symmetric encryption.

Diffie-Hellman algorithm. Diffie and Hellman proposed a discrete exponentiation function for creating public-key cryptographic systems.

The irreversibility of the transformation is ensured by the fact that it is easy to compute the exponential function in a finite Galois field of p elements (p is either a prime or a power of a prime), whereas computing logarithms in such fields is a far more labor-intensive operation.

To exchange information, the first user selects a random number x1 uniformly from the integers 1 to p – 1. He keeps this number secret and sends the other user the number y1 = α^x1 mod p, where α is a fixed element of the Galois field GF(p) that, together with p, is distributed in advance among the users.

The second user does the same, generating x2 and calculating y2, and sends it to the first user. As a result, both of them can calculate the shared secret key k12 = y2^x1 mod p = y1^x2 mod p = α^(x1·x2) mod p.

To calculate k12, the first user raises y2 to the power x1 and takes the remainder modulo p. The second user does the same, using y1 and x2. Thus, both users have a common key k12, which can be used to encrypt information with conventional algorithms. Unlike the RSA algorithm, this algorithm does not itself encrypt the data.

Without knowing x1 and x2, an attacker can try to compute k12 knowing only the intercepted y1 and y2. Whether this problem is equivalent to computing a discrete logarithm is a major open question in public key systems; no simple solution has been found to date. For example, if the forward transformation with 1000-bit primes requires about 2000 operations, the inverse transformation (computing the logarithm in the Galois field) requires about 10^30 operations.
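The exchange above in Python, as an added example (not from the lecture): each user derives k12 with pow(), received y values are checked against the degenerate cases, and a brute-force logarithm shows for a toy p the asymmetry the text quantifies. The parameters, the hashing step and all names are constructed for illustration.

```python
import hashlib, secrets

def generate_private(p: int) -> int:
    # x is chosen uniformly from 1 .. p-1 and kept secret (as in the text)
    return secrets.randbelow(p - 1) + 1

def public_value(alpha: int, x: int, p: int) -> int:
    # y = alpha^x mod p; pow() uses square-and-multiply, about 2*log2(p) multiplications
    return pow(alpha, x, p)

def check_public_value(y: int, p: int) -> None:
    # A received y of 1 or p-1 would force k12 into {1, p-1}; reject such values
    if not 2 <= y <= p - 2:
        raise ValueError("degenerate public value received")

def shared_key(y_other: int, x_own: int, p: int) -> int:
    check_public_value(y_other, p)
    return pow(y_other, x_own, p)  # k12 = y2^x1 mod p on one side, y1^x2 mod p on the other

def derive_symmetric_key(k12: int, p: int) -> bytes:
    # Added step: hash k12 to a fixed-length key for a conventional cipher
    return hashlib.sha256(k12.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

def exchange(p: int, alpha: int):
    """Run the whole protocol for two users; return (k12 at user 1, k12 at user 2)."""
    x1, x2 = generate_private(p), generate_private(p)
    y1, y2 = public_value(alpha, x1, p), public_value(alpha, x2, p)  # sent in the clear
    return shared_key(y2, x1, p), shared_key(y1, x2, p)

def naive_discrete_log(alpha: int, y: int, p: int) -> int:
    # The eavesdropper's task: recover x from y = alpha^x mod p. Exhaustive search is
    # feasible only for tiny p, which is why p must be large in practice.
    for x in range(1, p):
        if pow(alpha, x, p) == y:
            return x
    raise ValueError("no logarithm found")

# Constructed toy parameters: p = 2^127 - 1 is prime, alpha = 3. Real deployments use
# standardized groups and a generator of a large prime-order subgroup.
TOY_P, TOY_ALPHA = 2**127 - 1, 3
```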

As you can see, despite the simplicity of the Diffie-Hellman algorithm, its disadvantage compared to the RSA system is the lack of a guaranteed lower bound for the complexity of key discovery.

In addition, although the described algorithm avoids the problem of secretly transferring a key, the need for authentication remains. Without additional means, neither user can be sure of having exchanged keys with exactly the intended user.