Lecture 10: Key Distribution for Symmetric Key Lecture ...

1 Lecture 10: Key Distribution for Symmetric KeyCryptography and Generating Random NumbersLecture Notes on Computer and Network Security by Avi Kak 13, 20206:22amc 2020 Avinash Kak, Purdue UniversityGoals: Why might we needkey Distribution centers? Master key TheNeedham-SchroederandKerberosProtocols Generatingpseudorandomnumbers Generatingcryptograhically secure pseudorandomnumbers Hardware and software entropy sources fortruly randomnum-bers A word of caution regarding software entropy sourcesCONTENTSS ection Need for Key Distribution Needham-Schroeder Key Variations on the KDC Approach to Number are Random Numbers Truly Random?

2 Number Generators (PRNG):28 Linear Congruential Secure PRNGs: The Secure PRNGs: The Blum38 Blum Shub Generator (BBS) Sources for Generating True Entropy Sources of50 Random Entropy Gathering (Pseudo Random Number Generator Daemon) Word of Caution Regarding Software Sources of Problems642 Computer and Network Security by Avi KakLecture 10 Back to THE NEED FOR KEYDISTRIBUTION CENTERS Let s say we have a large number of people, processes, or systemsthat want to communicate with one another in a secure s further add that this group of people/processes/systems isnot static, meaning that the individual entities may join orleavethe group at any time.

3 A simple-minded solution to this problem would consist of eachparty physically exchanging an encryption key with every one ofthe other parties. Subsequently, any two parties would be ableto establish a secure communication link using the encryptionkey they possess for each approach is obviously notfeasible for large groups of people/processes/systems, especiallywhen group membership is ever changing. A more efficient alternative consists of providing every groupmember with a single key for securely communicate with akeydistribution center (KDC). This key would be called amasterkey. When A wants to establish a secure communication linkwith B, A requests asession keyfrom KDC for communicatingwith and Network Security by Avi KakLecture 10 In implementation, this approach must address the following is-sues: Assuming thatAis the initiator of a session-key request to KDC,whenAreceives a response from KDC, how canAbe sure that thesending party for the response is indeed the KDC?

4 Assuming thatAis the initiator of a communication link withB, howdoesBknow that some other party is not masquerading asA? How doesAknow that the response received fromBis indeed fromBand not from someone else masquerading asB? What should be the lifetime of the session key acquired byAforcommunicating withB? The next section presents how the Needham-Schroeder protocoladdresses the issues listed above. A more elaborate versionofthis protocol, known as the Kerberos protocol, will be presentedin Section and Network Security by Avi KakLecture 10 Back to THE NEEDHAM-SCHROEDER KEYDISTRIBUTION PROTOCOLA party namedAwants to establish a secure communication linkwith another partyB.

5 Both the partiesAandBpossessmasterkeysKAandKB, respectively, for communicating privately with akey Distribution center (KDC). [In a university setting, there is almost never a need foruser-to-user secure communication links. So for folks likeus in a university, all we need is a password to log into thecomputers. However, consider an organization like the U. Department where people working in embassies abroad may have a need for user-to-user secure communication links. Now, in addition to the masterkey, a user namedAmay request a session key for establishing a direct communication link with another usernamedB.]

6 This session key, specific to one particular communicationlink, would be valid only for a limited timeduration. This is where Needham-Schroeder protocol can be useful.] NowAengages in thefollowing protocol (Figure 1): Using the keyKAfor encryption, userAsends a request toKDC for asession keyintended specifically forcommunicating with userB. The message sent byAto KDC includesA s network address(IDA),B s network address (IDB), anda unique sessionidentifier. The session identifier is anonce short for a number used once and we will denoted itN1. The primaryrequirement on a nonce a random number is that it be5 Computer and Network Security by Avi KakLecture 10 KDCP artyBAE( K , [ ID , ID , N1 ] )BAPartyAE( K , [K , ID ] )BSAE( K , N2 )SE( K , N2 + 1 )S1E( K , [ K , ID , ID , N1, E( K , [ K , ID ] ) ] )ASBBAS A23 As encrypted by KDC for delivery to B45 Figure 1:A pictorial depiction of the Needham-Schroderprotocol.

7 (This figure is from Lecture 10 of Computer and Network Security by Avi Kak)6 Computer and Network Security by Avi KakLecture 10unique to each request sent byAto KDC. The message sent byAto KDC can be expressed in shorthand byE(KA,[IDA, IDB, N1])whereE(., .) stands for encryption of the second-argument datablock with a key that is in the first argument. KDC responds toAwith a message encrypted using the keyKA. The various components of this message are The session-keyKSthat A can use for communicating with B. The original message received fromA, including the nonce used byA. This is to allowAto match the response received from KDCwith the request sent.

8 Note thatAmay be trying to establishmultiple simultaneous sessions withB. A packet of information meant forAto be sent toB. This packetof information, encrypted usingB s master keyKBincludes, again,the session keyKS, andA s identifierIDA. (Note thatAcannotlook inside this packet becauseAdoesnothave access toB smaster will sometimes refer to this packet ofinformation as aticketthatAreceives for sending toB. The message that KDC sends back toAcan be expressed asE(KA,[KS, IDA, IDB, N1, E(KB,[KS, IDA]) ])7 Computer and Network Security by Avi KakLecture 10 Using the master keyKA, A decrypts the message received fromKDC.)

9 Because onlyAand KDC have access to the master keyKA,Ais certain that the message received is indeed from KDC. Akeeps the session keyKSand sends the packet intended forBtoB. This message is sent toBunencrypted byA. But notethat it was previously encrypted by KDC usingB s master , this first contact fromAtoBis protectedfrom eavesdropping. Bdecrypts the message received fromAusing the master theIDAin the decrypted message with thesender identifier associated with the message received matching the two,Bmakes certain that no one ismasquerading asA. Bnow has the session key for communicating securely withA.

10 Using the session keyKS,Bsends back toAa back withN2 + 1, using, of course, the same sessionkeyKS. This serves as a confirmation that the session keyKSworks for the ongoing session this requires that whatAencrypts withKSbe different from whatBencrypted part of the handshake also ensures thatBknowsthat it did not receive a first contact fromAthatAis no longerinterested in. An additional benefit of this step is that it8 Computer and Network Security by Avi KakLecture 10provides some protection against a replay attack. [A replay attacktakes different forms in different contexts. For example, in the situation here, ifAwasallowed to send back toBthe same nonce that it received from the latter, thenBcould suspect that some other partyCposing asAwas merely replaying backB smessage that it had obtained by, say, eavesdropping.]