Cryptography Reference
In-Depth Information
key is exposed. Also, an attacker has less ciphertext available that was generated un-
der one key, which can make cryptographic attacks much more difficult. Moreover,
an attacker is forced to recover several keys if he is interested in decrypting larger
parts of plaintext. Real-world examples where session keys are frequently gener-
ated include voice encryption in GSM cell phones and video encryption in pay-TV
satellite systems; in both cases new keys are generated within a matter of minutes
or sometimes even seconds.
The security advantages of
key freshness
are fairly obvious. However, the ques-
tion now is, how can key updates be realized? The first approach is to simply execute
the key establishment protocols shown in this chapter over and over again. However,
as we see later, there are always certain costs associated with key establishment, typ-
ically with respect to additional communication connections and computations. The
latter holds especially in the case of public-key algorithms which are very compu-
tationally intensive.
The second approach to key update uses an already established joint secret key
to
derive
fresh session keys. The principal idea is to use a key derivation function
(KDF) as shown in Fig. 13.2. Typically, a non-secret parameter
r
is processed to-
gether with the joint secret
k
AB
between the users Alice and Bob.
Fig. 13.2
Principle of key derivation
An important characteristic of the key derivation function is that it should be a
one-way function. The one-way property prevents an attacker from deducing
k
AB
should any of the session keys become compromised, which in turn would allow the
attacker to compute all other session keys.
One possible way of realizing the key derivation function is that one party sends
a nonce, i.e., a numerical value that is used only once, to the other party. Both users
encrypt the nonce using the shared secret key
k
AB
by means of a symmetric cipher
such as AES. The corresponding protocol is shown below.
