Creation: November 18 2017

Modified: November 26 2019

Conventions

- E(K,M): encrypt M using the key K.
- D(K,C): decrypt D using the key K.

- Alice: protocol first partecipant.
- Bob: protocol second partecipant.
- Eve: eavesdropper.
- Mallory: malicious active attacker.
- Trent: trusted arbitrator.

In the described attacks it is assumend that Mallory is an active attacker, that is an entity that is able to intercept, remove or modify the messages from the communication channel (e.g. Ethernet).

In a broadcast channel such as a radio network it is almost impossible to replace one message with another.

A Key Distribution Center (KDC), usually impersonated by Trent, is the actor in charge to hold and distribute, on demand, the keys (both public and session).

Alice and Bob both share a secret key with Trent, KA and KB respectively.

- Alice calls Trent and requests a session key to communicate with Bob.
- Trent generates a random key K. Trent sends to Alice: E(KA,K) and E(KB,K).
- Alice decrypts her copy of the session key.
- Alice sends to Bob E(KB,K).
- Bob decrypts his copy of the session key.
- Both Alice and Bob use K to communicate securely.

Public key cryptography can be used to encrypt the whole communication traffic: Alice encrypts using Bob's public key and Bob encrypts using Alice's public key. However, encrypt traffic using PKC (public key crypto) is computationally expensive, thus an hybrid scheme is often adopted.

Public key cryptography is used to exchange a session key that will be used by a symmetric cipher to encrypt the session traffic.

- Alice gets Bob's public key Bpub from the KDC.
- Alice generates a random session key K and sends to Bob E(Bpub, K).
- Bob decrypts E(Bpub, K) using his private key Kpvt.
- Both Alice and Bob use K to communicate securely.

The public key exchange protocol can be implemented without Trent's support. In this case Alice asks directly to Bob for his public key.

The protocol is passive to the Man in the Middle attack.

- In the step '1' Mallory intercepts the KDC reply and substitutes his public key in place of B's one.
- Mallory intercepts message 2. Decrypts it and gets K.
- Mallory encrypts the same message using the Bob's public key and sends it to Bob.
- Both Alice and Bob use K to communicate, but Mallory knows K.

The protocol allows Alice and Bot to jointly establish a shared secret key over an insecure channel. The peculiarity of the protocol is that the two parties could have no prior knowledge of each other.

- A public parameter G is shared between the parties.
- Alice computes
`X = f(G,Asec)`

, where Asec is secret, and sends it to Bob. - Bob computes
`Y = f(G,Bsec)`

, where Bsec is secret, and sends it to Alice. - Alice computes
`Z = f(Y,Asec)`

. - Bob computes
`Z = f(Y,Bsec)`

.

The protocol requirements are that:

- there is a function
`f`

such that`f(f(G,Asec),Bsec) = f(f(G,Bsec),Asec)`

. - it should be computationally infeasible to derive 'sec' from
`f(G,sec)`

.

The simplest, and original, implementation of the protocol uses the multiplicative group of integers modulo p, where p is prime and g is a primitive root modulo p. These two values are chosen in this way to ensure that the resulting shared secret can take on any value from 1 to p-1.

- Alice and Bob agree to use a certain modulus p and base g.
- Alice chooses a secret integer 'a', then sends
`X = g^a mod p`

to Bob. - Bob chooses a secret integer 'b', then sends
`Y = g^b mod p`

to Alice. - Alice computes
`Z = Y^a mod p`

. - Bob computes
`Z = X^b mod p`

. - K is derived from Z. Both Alice and Bob use K to communicate securely.

Unfortunately, "as-is", the protocol is vulnerable to MitM attack.

Trent sign both Alice's and Bob's public keys. When Alice and Bob receive the keys, they each verify Trent's signature. Now they know that the key belongs to the other person. Obviously, both parties must have received via a secure channel the Trent's public key to verify it's signature.

The only vulnerability in this architecture is constituted by Trent's private key. If is compromised then Mallory can sign it's own key as a key that belongs to another party, e.g. Alice.