Classification and framework

General classification and fundamental concepts

  • 12.1 Definition A protocol is a multi-party algorithm, defined by a sequence of steps precisely specifying the actions required of two or more parties in order to achieve a specified objective.
  • 12.2 Definition Key establishment is a process or protocol whereby a shared secret becomes available to two or more parties, for subsequent cryptographic use.

Key establishment may be broadly subdivided into key transport and key agreement, as defined below and illustrated in Figure 12.1.

  • 12.3 Definition A key transport protocol or mechanism is a key establishment technique where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s).
  • 12.4 Definition A key agreement protocol or mechanism is a key establishment technique in which a shared secret is derived by two (or more) parties as a function of information contributed by, or associated with, each of these, (ideally) such that no party can predetermine the resulting value.

Additional variations beyond key transport and key agreement exist, including various forms of key update, such as key derivation in §12.3.1.

Key establishment protocols involving authentication typically require a set-up phase whereby authentic and possibly secret initial keying material is distributed. Most protocols have as an objective the creation of distinct keys on each protocol execution. In some cases, the initial keying material pre-defines a fixed key which will result every time the protocol is executed by a given pair or group of users. Systems involving such static keys are insecure under known-key attacks (Definition 12.17).

12.5 Definition Key pre-distribution schemes are key establishment protocols whereby the resulting established keys are completely determined a priori by initial keying material. In contrast, dynamic key establishment schemes are those whereby the key established by a fixed pair (or group) of users varies on subsequent executions.

Dynamic key establishment is also referred to as session key establishment. In this case the session keys are dynamic, and it is usually intended that the protocols are immune to known-key attacks.

Figure 12.1: Simplified classification of key establishment techniques.

Use of trusted servers

Many key establishment protocols involve a centralized or trusted party, for either or both initial system setup and on-line actions (i.e., involving real-time participation). This party is referred to by a variety of names depending on the role played, including: trusted third party, trusted server, authentication server, key distribution center (KDC), key translation center (KTC), and certification authority (CA). The various roles and functions of such trusted parties are discussed in greater detail in Chapter 13. In the present chapter, discussion is limited to the actions required of such parties in specific key establishment protocols.

Entity authentication, key authentication, and key confirmation

It is generally desired that each party in a key establishment protocol be able to determine the true identity of the other(s) which could possibly gain access to the resulting key, implying preclusion of any unauthorized additional parties from deducing the same key. In this case, the technique is said (informally) to provide secure key establishment. This requires both secrecy of the key, and identification of those parties with access to it. Furthermore, the identification requirement differs subtly, but in a very important manner, from that of entity authentication: here the requirement is knowledge of the identity of parties which may gain access to the key, rather than corroboration that actual communication has been established with such parties. Table 12.1 distinguishes various such related concepts, which are highlighted by the definitions which follow.

While authentication may be informally defined as the process of verifying that an identity is as claimed, there are many aspects to consider, including who, what, and when. Entity authentication is defined in Chapter 10 (Definition 10.1), which presents protocols providing entity authentication alone. Data origin authentication is defined in Chapter 9 (Definition 9.76), and is quite distinct.

Authentication term               Central focus
authentication                    depends on context of usage
entity authentication             identity of a party, and aliveness at a given instant
data origin authentication        identity of the source of data
(implicit) key authentication     identity of party which may possibly share a key
key confirmation                  evidence that a key is possessed by some party
explicit key authentication       evidence an identified party possesses a given key

Table 12.1: Authentication summary - various terms and related concepts.

12.6 Definition Key authentication is the property whereby one party is assured that no other party aside from a specifically identified second party (and possibly additional identified trusted parties) may gain access to a particular secret key.

Key authentication is independent of the actual possession of such key by the second party, or knowledge of such actual possession by the first party; in fact, it need not involve any action whatsoever by the second party. For this reason, it is sometimes referred to more precisely as (implicit) key authentication.

  • 12.7 Definition Key confirmation is the property whereby one party is assured that a second (possibly unidentified) party actually has possession of a particular secret key.
  • 12.8 Definition Explicit key authentication is the property obtained when both (implicit) key authentication and key confirmation hold.

In the case of explicit key authentication, an identified party is known to actually possess a specified key, a conclusion which cannot otherwise be drawn. Encryption applications utilizing key establishment protocols which offer only implicit key authentication often begin encryption with an initial known data unit serving as an integrity check-word, thus moving the burden of key confirmation from the establishment mechanism to the application.

The focus in key authentication is the identity of the second party rather than the value of the key, whereas in key confirmation the opposite is true. Key confirmation typically involves one party receiving a message from a second containing evidence demonstrating the latter’s possession of the key. In practice, possession of a key may be demonstrated by various means, including producing a one-way hash of the key itself, use of the key in a (keyed) hash function, and encryption of a known quantity using the key. These techniques may reveal some information (albeit possibly of no practical consequence) about the value of the key itself; in contrast, methods using zero-knowledge techniques (cf. §10.4.1) allow demonstration of possession of a key while providing no additional information (beyond that previously known) regarding its value.

Entity authentication is not a requirement in all protocols. Some key establishment protocols (such as unauthenticated Diffie-Hellman key agreement) provide none of entity authentication, key authentication, and key confirmation. Unilateral key confirmation may always be added, e.g., by including a one-way hash of the derived key in a final message.

12.9 Definition An authenticated key establishment protocol is a key establishment protocol (Definition 12.2) which provides key authentication (Definition 12.6).

12.10 Remark (combining entity authentication and key establishment) In a key establishment protocol which involves entity authentication, it is critical that the protocol be constructed to guarantee that the party whose identity is thereby corroborated is the same party with which the key is established. When this is not so, an adversary may enlist the aid of an unsuspecting authorized party to carry out the authentication aspect, and then impersonate that party in key establishment (and subsequent communications).
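The following is an added worked example, not taken from the Handbook: a two-pass unauthenticated Diffie-Hellman key agreement (Definition 12.4) followed by two key-confirmation messages (Definition 12.7), each a keyed hash of a known string under the derived key. The confirmation string names the sender and covers the run's transcript, so a confirmation cannot be reflected back to its author or carried into a different run, which is the binding between corroborated identity and established key that Remark 12.10 asks for. Because plain Diffie-Hellman provides no key authentication, what results is key confirmation, not explicit key authentication (Definition 12.8). The group is the 1024-bit MODP group of RFC 2409 (assumed to be transcribed correctly here, and in any case too small for production use); the identities `A`, `B`, the label `key-confirmation|`, and the function names are constructed for illustration and are not from the source.

```python
"""Added example (not from the Handbook of Applied Cryptography):
Diffie-Hellman key agreement with an appended key-confirmation exchange.

Key agreement (Def. 12.4): the session key depends on a fresh contribution
from each party, so neither can predetermine it and every run yields a new
key (dynamic key establishment, Def. 12.5).
Key confirmation (Def. 12.7): each party proves possession of the derived
key with a keyed hash (HMAC) over a known string that names the sender and
covers the transcript (cf. Remark 12.10).
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP group ("Second Oakley Group", RFC 2409 section 6.2), a safe prime.
# Assumed correct as transcribed; far too small for real use, chosen only so the
# example is self-contained without third-party libraries.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
Q = (P - 1) // 2      # order of the prime-order subgroup generated by G
G = 2
NBYTES = 128          # 1024 bits; every value below P fits in this width


def dh_keypair():
    """Fresh private exponent x in [1, q-1] and public value g^x mod p for one run."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def check_public_value(y):
    """Reject degenerate values and anything outside the order-q subgroup."""
    if not 1 < y < P - 1:
        raise ValueError("public value out of range")
    if pow(y, Q, P) != 1:
        raise ValueError("public value not in the order-q subgroup")


def derive_key(x, peer_pub, id_a, id_b, y_a, y_b):
    """Session key K = H(z || A || B || y_A || y_B), z the raw DH secret.

    Returns (K, transcript); the transcript is reused by the confirmation step.
    """
    check_public_value(peer_pub)
    z = pow(peer_pub, x, P)
    transcript = id_a + id_b + y_a.to_bytes(NBYTES, "big") + y_b.to_bytes(NBYTES, "big")
    key = hashlib.sha256(z.to_bytes(NBYTES, "big") + transcript).digest()
    return key, transcript


def confirmation(key, sender, transcript):
    """Evidence of possession of `key`: a keyed hash over a known, sender-labelled string."""
    msg = b"key-confirmation|" + sender + b"|" + transcript   # constructed label
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_confirmation(key, sender, transcript, tag):
    """True iff `tag` is the confirmation the party named `sender` should have produced."""
    return hmac.compare_digest(confirmation(key, sender, transcript), tag)


def run_protocol(id_a=b"A", id_b=b"B"):
    """Two agreement messages plus two confirmation messages; returns the verdicts."""
    x_a, y_a = dh_keypair()                       # message 1: A -> B : y_A
    x_b, y_b = dh_keypair()                       # message 2: B -> A : y_B
    k_a, t_a = derive_key(x_a, y_b, id_a, id_b, y_a, y_b)
    k_b, t_b = derive_key(x_b, y_a, id_a, id_b, y_a, y_b)
    tag_b = confirmation(k_b, id_b, t_b)          # message 3: B -> A : MAC_K("B", transcript)
    tag_a = confirmation(k_a, id_a, t_a)          # message 4: A -> B : MAC_K("A", transcript)
    a_ok = verify_confirmation(k_a, id_b, t_a, tag_b)
    b_ok = verify_confirmation(k_b, id_a, t_b, tag_a)
    # A's own tag reflected back to A must not pass as B's: the string is labelled "A".
    reflected = verify_confirmation(k_a, id_b, t_a, tag_a)
    return {
        "keys_match": k_a == k_b,
        "a_confirmed_b": a_ok,
        "b_confirmed_a": b_ok,
        "reflection_rejected": not reflected,
        "key": k_a,
    }


if __name__ == "__main__":
    result = run_protocol()
    print({k: v for k, v in result.items() if k != "key"})
```

Two details deserve attention. First, the MAC input contains the transcript, so the confirmation is tied to this run's public values; the one-way hash of the key alone mentioned above would confirm possession but would not, by itself, say which run or which party it concerns. Second, the range and subgroup checks on the received public value are the practitioner's guard against degenerate or small-subgroup inputs; they add nothing to key authentication (the peer is still unidentified), but they keep the derived key from being forced to a predictable value.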

Identity-based and non-interactive protocols

Motivation for identity-based systems is provided in §13.4.3.

12.11 Definition A key establishment protocol is said to be identity-based if identity information (e.g., name and address, or an identifying index) of the party involved is used as the party’s public key. A related idea (see §13.4.4) involves use of identity information as an input to the function which determines the established key.

Identity-based authentication protocols may be defined similarly.

12.12 Definition A two-party key establishment protocol is said to be message-independent if the messages sent by each party are independent of any per-session time-variant data (dynamic data) received from other parties.

Message-independent protocols which furthermore involve no dynamic data in the key computation are simply key pre-distribution schemes (Definition 12.5). In general, dynamic data (e.g., that received from another party) is involved in the key computation, even in message-independent protocols.

12.13 Remark (message-independent vs. non-interactive) Message-independent protocols include non-interactive protocols (zero-pass and one-pass protocols, i.e., those involving zero or one message but no reply), as well as some two-pass protocols. Regarding inter-party communications, some specification (explicit or otherwise) of the parties involved in key establishment is necessary even in zero-pass protocols. More subtly, in protocols involving t users identified by a vector (i_1, ..., i_t), the ordering of indices may determine distinct keys. In other protocols (e.g., basic Diffie-Hellman key agreement or Protocol 12.53), the cryptographic data in one party's message is independent of both dynamic data in other parties' messages and of all party-specific data including public keys and identity information.
