Basic Key Establishment Using a Key Distribution Center
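$$
\begin{array}{lclcl}
\textbf{Alice} & & \textbf{KDC} & & \textbf{Bob} \\
\text{KEK: } k_A & & \text{KEK: } k_A,\ k_B & & \text{KEK: } k_B \\
 & \xrightarrow{\ \mathrm{RQST}(ID_A,\ ID_B)\ } & & & \\
 & & \text{generate random } k_{ses} & & \\
 & & y_A = e_{k_A}(k_{ses}) & & \\
 & & y_B = e_{k_B}(k_{ses}) & & \\
 & \xleftarrow{\quad y_A \quad} & & \xrightarrow{\quad y_B \quad} & \\
k_{ses} = e^{-1}_{k_A}(y_A) & & & & k_{ses} = e^{-1}_{k_B}(y_B) \\
\hline
y = e_{k_{ses}}(x) & \multicolumn{3}{c}{\xrightarrow{\quad y \quad}} & x = e^{-1}_{k_{ses}}(y)
\end{array}
$$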
The protocol begins with a request message RQST($ID_A$, $ID_B$), where $ID_A$ and
$ID_B$ simply indicate the users involved in the session. The actual key establishment
protocol is executed subsequently in the upper part of the drawing. The part below the
solid line shows, as an example, how Alice and Bob can now communicate with each
other securely using the session key.
It is important to note that two types of keys are involved in the protocol. The
KEKs $k_A$ and $k_B$ are long-term keys that do not change. The session key $k_{ses}$ is an
ephemeral key that changes frequently, ideally for every communication session.
In order to understand this protocol more intuitively, one can view the
predistributed KEKs as forming a secret channel between the KDC and each user.
With this interpretation, the protocol is straightforward: The KDC simply sends a
session key to Alice and Bob via the two respective secret channels.
Since the KEKs are long-term keys, whereas the session keys typically have a
much shorter lifetime, in practice different encryption algorithms are sometimes
used for the two. Let's consider the following example. In a pay-TV system AES
might be used with the long-term KEKs $k_U$ for distributing session keys $k_{ses}$. The
session keys might only have a lifetime of, say, one minute. The session keys are
used to encrypt the actual plaintext (the digital TV signal in this example) with a fast
stream cipher. A stream cipher might be required to assure real-time decryption. The
advantage of this arrangement is that even if a session key becomes compromised,
only one minute's worth of multimedia data can be decrypted by an adversary. Thus,
the cipher that is used with the session key does not necessarily need to have the
same cryptographic strength as the algorithm which is used for distributing the
session keys. On the other hand, if one of the KEKs becomes compromised, all prior
and future traffic can be decrypted by an eavesdropper.
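The following added example (not code from the original text) runs the protocol above for several sessions and measures how much recorded traffic a leaked session key exposes compared with a leaked KEK. Assumptions: `e` and `e_inv` are a standard-library stand-in (SHAKE-256 keystream plus HMAC-SHA256 tag) for the cipher $e()$, not the AES or stream cipher the text mentions, and the names `KDC`, `enroll`, `rqst`, `record_sessions` and `exposed` are hypothetical.

```python
import hashlib, hmac, secrets

def e(k: bytes, x: bytes) -> bytes:
    """Stand-in for e_k(x): SHAKE-256 keystream XOR plus an HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ks = hashlib.shake_256(k + nonce).digest(len(x))
    ct = bytes(a ^ b for a, b in zip(x, ks))
    return nonce + ct + hmac.new(k, nonce + ct, hashlib.sha256).digest()

def e_inv(k: bytes, y: bytes) -> bytes:
    """Stand-in for e_k^{-1}(y); raises ValueError under the wrong key."""
    nonce, ct, tag = y[:16], y[16:-32], y[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ciphertext")
    ks = hashlib.shake_256(k + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class KDC:
    def __init__(self):
        self.kek = {}                                # ID -> long-term KEK
    def enroll(self, user_id: str) -> bytes:
        # KEK is predistributed to the user over a secure channel
        return self.kek.setdefault(user_id, secrets.token_bytes(32))
    def rqst(self, id_a: str, id_b: str):
        k_ses = secrets.token_bytes(32)              # fresh session key per request
        return e(self.kek[id_a], k_ses), e(self.kek[id_b], k_ses)

def record_sessions(n: int):
    """Run n sessions; return Alice's KEK, session keys, wire log, Bob's plaintexts."""
    kdc = KDC()
    k_a, k_b = kdc.enroll("alice"), kdc.enroll("bob")
    keys, wire, bob = [], [], []
    for i in range(n):
        y_a, y_b = kdc.rqst("alice", "bob")          # RQST(ID_A, ID_B)
        k_ses = e_inv(k_a, y_a)                      # Alice recovers k_ses
        y = e(k_ses, f"frame {i}".encode())          # constructed plaintext x
        bob.append(e_inv(e_inv(k_b, y_b), y))        # Bob recovers k_ses, then x
        keys.append(k_ses)
        wire.append((y_a, y_b, y))                   # all an eavesdropper sees
    return k_a, keys, wire, bob

def exposed(wire, k_ses=None, kek=None) -> int:
    """Recorded sessions readable with a leaked session key or a leaked KEK."""
    def readable(y_a, y):
        try:
            e_inv(e_inv(kek, y_a) if kek else k_ses, y)
            return True
        except ValueError:
            return False
    return sum(readable(y_a, y) for y_a, _, y in wire)
```

With three recorded sessions, `exposed(wire, k_ses=keys[1])` counts one readable session while `exposed(wire, kek=k_a)` counts all three, which is why the KEK warrants the stronger algorithm and the stricter storage.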
It is easy to modify the above protocol such that we save one communication
session. This is shown in the following: