Key-agreement protocol, revision history: revision as of 02:47, 6 August 2022 by DavidCary (edit summary: "link to yet another algorithm where both parties influence the process of creating a shared secret key"); latest revision as of 17:20, 14 January 2025 by Quondum (edit summary: "→Types of key agreement: rm redundant 'secret'").
Key-agreement protocol: protocol for agreeing on a cryptographic key
In cryptography, a key-agreement protocol is a protocol whereby two (or more) parties generate a cryptographic key as a function of information provided by each honest party so that no party can predetermine the resulting value. In particular, all honest participants influence the outcome. A key-agreement protocol is a specialisation of a key-exchange protocol.
At the completion of the protocol, all parties share the same key. A key-agreement protocol precludes undesired third parties from forcing a key choice on the agreeing parties. A secure key agreement can ensure confidentiality and data integrity in communications systems, ranging from simple messaging applications to complex banking transactions.
Secure agreement is defined relative to a security model, for example the Canetti–Krawczyk model. More generally, when evaluating protocols, it is important to state the security goals and the security model. For example, it may be required that the session key be authenticated. A protocol can be judged successful only in the context of its goals and attack model. An example of an adversarial model is the Dolev–Yao model.
In many key-exchange systems, one party generates the key and sends it to the other party, who has no influence on the key; this is key transport rather than key agreement.
Exponential key exchange
The first publicly known public-key agreement protocol that meets the above criteria was the Diffie–Hellman key exchange, in which each party raises a public generator to its own secret random exponent and sends the result to the other; both can then compute the same shared value, while an eavesdropper who sees only the two exchanged values cannot feasibly determine the resultant shared key.
Exponential key agreement in and of itself does not specify any prior agreement or subsequent authentication between the participants. It has thus been described as an anonymous key agreement protocol.
Symmetric key agreement
Symmetric key agreement (SKA) is a method of key agreement that uses solely symmetric cryptography and cryptographic hash functions as cryptographic primitives. It is related to symmetric authenticated key exchange.
SKA may assume initial shared secrets between the parties, or a trusted third party with whom each of the agreeing parties shares a secret. If no third party is present, achieving SKA can be trivial: two parties that already share an initial secret have, tautologically, already achieved key agreement.
SKA contrasts with key-agreement protocols that include techniques from asymmetric cryptography, such as key encapsulation mechanisms.
The initial exchange of a shared key must be done in a manner that is private and integrity-assured. Historically, this was achieved by physical means, such as by using a trusted courier.
An example of an SKA protocol is the Needham–Schroeder protocol. It establishes a session key between two parties on the same network, using a server as a trusted third party. The original Needham–Schroeder symmetric-key protocol is vulnerable to a replay attack: an attacker who has obtained an old session key can replay the ticket that carries it to the responder, who has no way to tell that the key is stale, because the responder's nonce is only exchanged after the ticket has been accepted. Adding timestamps to the messages fixes this. The protocol forms the basis for the Kerberos protocol.
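As an added example (not part of the article, and not the protocol's published message formats), the following Python runs the five messages of the Needham–Schroeder symmetric-key protocol with a trusted server S, then replays the captured ticket an hour later using a compromised old session key, once against the original protocol and once against a variant whose tickets carry a timestamp the responder checks. The encrypt-then-MAC `seal`/`open_` pair built from HMAC-SHA256 is an assumed stand-in for a real authenticated cipher such as AES-GCM; JSON is an arbitrary message encoding; the clock, long-term keys and the `max_age` parameter are constructions of the example.

```python
import hashlib
import hmac
import json
import secrets


def _subkeys(key):
    """Separate encryption and MAC keys derived from one symmetric key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(ek, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(ek, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON message: nonce || ciphertext || tag."""
    ek, mk = _subkeys(key)
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ek, nonce, len(pt))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()


def open_(key, blob):
    """Verify the tag, then decrypt; raises ValueError on any tampering."""
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct)))))


class Server:
    """Trusted third party S; holds a long-term key with every principal."""
    def __init__(self, long_term_keys, clock):
        self.keys, self.clock = long_term_keys, clock

    def issue(self, a, b, na):
        # Message 2: {N_a, B, K_ab, {K_ab, A, T}_K_bs}_K_as  (T is the timestamp fix)
        kab = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[b], {"k": kab, "peer": a, "t": self.clock()})
        return seal(self.keys[a], {"na": na, "peer": b, "k": kab, "ticket": ticket.hex()})


class Principal:
    """A or B.  max_age=None reproduces the original protocol (no freshness check
    on the ticket); a number of seconds enables the timestamp check."""
    def __init__(self, name, key_with_s, clock, max_age=None):
        self.name, self.key, self.clock, self.max_age = name, key_with_s, clock, max_age
        self.session = None

    def initiate(self, server, peer):
        na = secrets.token_bytes(16).hex()                 # Message 1: A, B, N_a
        reply = open_(self.key, server.issue(self.name, peer, na))
        if reply["na"] != na or reply["peer"] != peer:
            raise ValueError("reply is not fresh or names the wrong peer")
        self.session = bytes.fromhex(reply["k"])
        return bytes.fromhex(reply["ticket"])              # Message 3: forwarded to B

    def accept(self, ticket):
        t = open_(self.key, ticket)
        if self.max_age is not None and self.clock() - t["t"] > self.max_age:
            raise ValueError("stale ticket")
        self.session = bytes.fromhex(t["k"])
        return t["peer"]

    def challenge(self):                                   # Message 4: {N_b}_K_ab
        self.nb = secrets.randbits(64)
        return seal(self.session, {"nb": self.nb})

    def respond(self, ch):                                 # Message 5: {N_b - 1}_K_ab
        return seal(self.session, {"nb": open_(self.session, ch)["nb"] - 1})

    def check(self, resp):
        return open_(self.session, resp)["nb"] == self.nb - 1


def run(max_age=None):
    """Honest run, then a replay an hour later by Mallory, who has meanwhile obtained
    the old K_ab.  Returns (honest_run_ok, replay_accepted_by_bob)."""
    now = [1_000_000]                      # constructed clock, in seconds

    def clock():
        return now[0]

    keys = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}
    s = Server(keys, clock)
    alice = Principal("A", keys["A"], clock)
    bob = Principal("B", keys["B"], clock, max_age)
    ticket = alice.initiate(s, "B")
    bob.accept(ticket)
    honest_ok = bob.check(alice.respond(bob.challenge())) and alice.session == bob.session
    old_kab = alice.session                # later compromised and known to Mallory
    now[0] += 3600                         # Mallory replays message 3 an hour later
    try:
        bob.accept(ticket)
    except ValueError:
        return honest_ok, False            # timestamp check rejected the old ticket
    ch = bob.challenge()                   # Mallory answers the challenge with old K_ab
    return honest_ok, bob.check(seal(old_kab, {"nb": open_(old_kab, ch)["nb"] - 1}))
```

`run()` returns `(True, True)`: the original protocol completes honestly, and Bob later accepts the replayed ticket and a challenge response computed with the old key, so Mallory impersonates Alice. `run(max_age=60)` returns `(True, False)`: the only change is that Bob compares the ticket's timestamp against his clock, which is the structure Kerberos inherits (ticket lifetimes plus a bounded clock skew).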
Types of key agreement
Boyd et al. classify two-party key agreement protocols according to two criteria as follows:
- whether a pre-shared key already exists or not
- the method of generating the session key.
The pre-shared key may be shared between the two parties, or each party may share a key with a trusted third party. Without some secure (authenticated) channel to begin with, which a pre-shared key can provide, it is impossible to create an authenticated session key.
The session key may be generated by key transport, by key agreement, or by a hybrid of the two. If there is no trusted third party, the key-transport and hybrid cases are indistinguishable. SKA is concerned with protocols in which the session key is established using only symmetric primitives.
Authentication
Main article: Authenticated key agreement
Anonymous key exchange, like Diffie–Hellman, does not provide authentication of the parties, and is thus vulnerable to man-in-the-middle attacks.
A wide variety of cryptographic authentication schemes and protocols have been developed to provide authenticated key agreement to prevent man-in-the-middle and related attacks. These methods generally mathematically bind the agreed key to other agreed-upon data, such as the following:
- public–private key pairs
- shared secret keys
- passwords
Public keys
A widely used mechanism for defeating such attacks is the use of digitally signed keys that must be integrity-assured: if Bob's key is signed by a trusted third party vouching for his identity, Alice can have considerable confidence that a signed key she receives is not an attempt to intercept by Eve. When Alice and Bob have a public-key infrastructure, they may digitally sign an agreed Diffie–Hellman key, or exchanged Diffie–Hellman public keys. Such signed keys, sometimes signed by a certificate authority, are one of the primary mechanisms used for secure web traffic (including HTTPS, SSL or TLS protocols). Other specific examples are MQV, YAK and the ISAKMP component of the IPsec protocol suite for securing Internet Protocol communications. However, these systems require care in endorsing the match between identity information and public keys by certificate authorities in order to work properly.
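The following Python is an added example, not code from the article or from any protocol it names. It shows Diffie–Hellman over the 1536-bit MODP group of RFC 3526 in the three forms discussed so far: the anonymous exchange of the "Exponential key exchange" section, the same exchange with Mallory substituting both public values (the man-in-the-middle attack named above), and the authenticated form of this section in which Bob signs the pair of exchanged public values with a long-term key. The Schnorr signature over the same group is an assumed stand-in for the certificate-backed RSA or ECDSA signatures a TLS server uses; SHA-256 as the key-derivation step and the keys generated at run time are likewise assumptions of the example. The group constants are the published RFC 3526 values and the block includes a primality test so they can be checked.

```python
import hashlib
import secrets

# RFC 3526 1536-bit MODP group (group 5): safe prime P; G = 2 has prime order Q.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2
NBYTES = (P.bit_length() + 7) // 8            # 192 bytes per group element

def is_probable_prime(n, rounds=16):
    """Miller-Rabin, so a reader can confirm that P and Q really are prime."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keypair():
    """Secret exponent x in [2, Q) and the public value G^x mod P."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)

def shared_key(x, peer_public):
    """Subgroup check on the peer's value, then SHA-256 of the DH secret as the KDF."""
    if not 1 < peer_public < P - 1 or pow(peer_public, Q, P) != 1:
        raise ValueError("peer public value is not in the prime-order subgroup")
    return hashlib.sha256(pow(peer_public, x, P).to_bytes(NBYTES, "big")).digest()

def anonymous_exchange():
    """Plain DH: both parties contribute randomness, and an eavesdropper who
    records (A, B) learns nothing about the key.  Returns Alice's and Bob's keys."""
    a, A = keypair()
    b, B = keypair()
    return shared_key(a, B), shared_key(b, A)

def mitm_exchange():
    """Plain DH with Mallory swapping both public values: she shares one key with
    Alice and another with Bob.  Returns (Alice's, Bob's, Mallory/Alice, Mallory/Bob)."""
    a, A = keypair()
    b, B = keypair()
    m1, M1 = keypair()                        # Mallory's exponent facing Alice
    m2, M2 = keypair()                        # Mallory's exponent facing Bob
    return (shared_key(a, M1), shared_key(b, M2),
            shared_key(m1, A), shared_key(m2, B))

# --- Authenticated variant: Bob signs the pair of exchanged public values -----
def _hash_to_scalar(*parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(part.to_bytes(NBYTES, "big") if isinstance(part, int) else part)
    return int.from_bytes(h.digest(), "big") % Q

def schnorr_sign(x, *msg):
    """Schnorr signature (e, s) over msg in the same group, s = k - x*e mod Q."""
    k, r = keypair()
    e = _hash_to_scalar(r, *msg)
    return e, (k - x * e) % Q

def schnorr_verify(y, sig, *msg):
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P       # equals G^k for a valid signature
    return _hash_to_scalar(r, *msg) == e

def authenticated_exchange(bob_sk, bob_pk, tamper=False):
    """Bob signs (A, B) with his long-term key, as a TLS server signs its key
    share.  Alice verifies over the values she actually received, so a value
    substituted by Mallory fails verification and Alice aborts (returns None)."""
    a, A = keypair()
    b, B = keypair()
    sig = schnorr_sign(bob_sk, A, B)
    if tamper:
        _, B = keypair()                      # Mallory swaps in her own value
    if not schnorr_verify(bob_pk, sig, A, B):
        return None
    return shared_key(a, B)
```

Two design points worth noting. The check in `shared_key` rejects public values outside the order-Q subgroup, which is what stops an active attacker from forcing the shared secret into a small subgroup. The signature covers both exchanged values rather than Bob's alone, so a genuine signed value of Bob's cannot be spliced into a different session; this is the binding of the agreed key to other agreed-upon data that the section describes. Only Bob is authenticated here, as in server-only TLS; mutual authentication would have Alice sign as well, and the identity behind `bob_pk` still has to come from a certificate or other out-of-band trust.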
Hybrid systems
Hybrid systems use public-key cryptography to exchange secret keys, which are then used in a symmetric-key cryptosystem. Most practical applications of cryptography use a combination of cryptographic functions to implement an overall system that provides all four desirable features of secure communications (confidentiality, integrity, authentication, and non-repudiation).
Passwords
Password-authenticated key agreement protocols require the separate establishment of a password (which may be much shorter than a key) in a manner that is both private and integrity-assured. These are designed to resist man-in-the-middle and other active attacks on the password and the established keys. For example, DH-EKE, SPEKE, and SRP are password-authenticated variations of Diffie–Hellman.
Other tricks
If one has an integrity-assured way to verify a shared key over a public channel, one may engage in a Diffie–Hellman key exchange to derive a short-term shared key, and then subsequently authenticate that the keys match. One way is to use a voice-authenticated read-out of the key, as in PGPfone. Voice authentication, however, presumes that it is infeasible for a man-in-the-middle to spoof one participant's voice to the other in real-time, which may be an undesirable assumption. Such protocols may be designed to work with even a small public value, such as a password. Variations on this theme have been proposed for Bluetooth pairing protocols.
In an attempt to avoid using any additional out-of-band authentication factors, Davies and Price proposed the use of the interlock protocol of Ron Rivest and Adi Shamir, which has been subject to both attack and subsequent refinement.
See also
- Key (cryptography)
- Computer security
- Cryptanalysis
- Secure channel
- Digital signature
- Key encapsulation mechanism
- Key management
- Password-authenticated key agreement
- Interlock protocol
- Zero-knowledge password proof
- Neural cryptography § Neural key exchange protocol
- Quantum key distribution
References
- Menezes, A.; Oorschot, P. van; Vanstone, S. (1997). Handbook of Applied Cryptography (5th ed.). CRC Press. ISBN 0-8493-8523-7.
- Canetti, Ran; Krawczyk, Hugo (6 May 2001). "Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels". Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology. Springer-Verlag. pp. 453–474. ISBN 978-3-540-42070-5.
- Bellare, Mihir; Canetti, Ran; Krawczyk, Hugo (23 May 1998). "A modular approach to the design and analysis of authentication and key exchange protocols (Extended abstract)". Proceedings of the thirtieth annual ACM symposium on Theory of computing - STOC '98. Association for Computing Machinery. pp. 419–428. doi:10.1145/276698.276854. ISBN 0-89791-962-9.
- Gollmann, D. (6 May 1996). "What do we mean by entity authentication?". Proceedings 1996 IEEE Symposium on Security and Privacy. IEEE Computer Society. pp. 46–54. doi:10.1109/SECPRI.1996.502668. ISBN 978-0-8186-7417-4.
- Katz, Jonathan; Lindell, Yehuda (2021). Introduction to modern cryptography (Third ed.). Boca Raton London New York: CRC Press Taylor & Francis Group. p. 49. ISBN 978-0815354369.
- See Diffie–Hellman key exchange for a more complete history of both the secret and public development of public-key cryptography.
- Boyd, Colin; Davies, Gareth T.; de Kock, Bor; Gellert, Kai; Jager, Tibor; Millerjord, Lise (2021). "Symmetric Key Exchange with Full Forward Security and Robust Synchronization". Advances in Cryptology – ASIACRYPT 2021. Lecture Notes in Computer Science. Vol. 13093. Springer International Publishing. pp. 681–710. doi:10.1007/978-3-030-92068-5_23. hdl:11250/2989781. ISBN 978-3-030-92067-8.
- Pagnia, Henning; Gaertner, Felix (1999). "On the impossibility of fair exchange without a trusted third party". Technical Report TUD-BS-1999-02. pp. 1–15.
- Boyd, Colin; Mathuria, Anish; Stebila, Douglas (2020). Protocols for Authentication and Key Establishment. Information Security and Cryptography. doi:10.1007/978-3-662-58146-9. ISBN 978-3-662-58145-2.
- Boyd, C. (June 1993). "Security architectures using formal methods" (PDF). IEEE Journal on Selected Areas in Communications. 11 (5): 694–701. doi:10.1109/49.223872.