Key Establishment Using a Key Distribution Center
Alice (KEK: $k_A$)    KDC (KEK: $k_A$, $k_B$)    Bob (KEK: $k_B$)

Alice → KDC:  RQST($ID_A$, $ID_B$)
KDC:          generate random $k_{ses}$
KDC:          $y_A = e_{k_A}(k_{ses})$
KDC:          $y_B = e_{k_B}(k_{ses})$
KDC → Alice:  $y_A$, $y_B$
Alice:        $k_{ses} = e^{-1}_{k_A}(y_A)$
Alice:        $y = e_{k_{ses}}(x)$
Alice → Bob:  $y$, $y_B$
Bob:          $k_{ses} = e^{-1}_{k_B}(y_B)$
Bob:          $x = e^{-1}_{k_{ses}}(y)$

Alice receives the session key encrypted with both KEKs, $k_A$ and $k_B$. She is able to compute the session key $k_{ses}$ from $y_A$ and can use it subsequently to encrypt the actual message she wants to send to Bob. The interesting part of the protocol is that Bob receives both the encrypted message $y$ as well as $y_B$. He needs to decrypt the latter one in order to recover the session key which is needed for computing $x$.
Both of the KDC-based protocols have the advantage that there are only $n$ long-term symmetric key pairs in the system, unlike the first naive scheme that we encountered, where about $n^2/2$ key pairs were required. The $n$ long-term KEKs only need to be stored by the KDC, while each user only stores his or her own KEK. Most importantly, if a new user Noah joins the network, a secure channel only needs to be established once between the KDC and Noah to distribute the KEK $k_N$.
Security
Even though the two protocols protect against a passive attacker, i.e., an adversary that can only eavesdrop, there are attacks if an adversary can actively manipulate messages and create faked ones.
Replay Attack
One weakness is that a replay attack is possible. This attack makes use of the fact that neither Alice nor Bob knows whether the encrypted session key they receive is actually a new one. If an old one is reused, key freshness is violated. This can be a particularly serious issue if an old session key has become compromised. This could happen if an old key is leaked, e.g., through a hacker, or if the encryption algorithm used with an old key has become insecure due to cryptanalytical advances.
If Oscar gets hold of a previous session key, he can impersonate the KDC and resend old messages $y_A$ and $y_B$ to Alice and Bob. Since Oscar knows the session key, he can decipher the plaintext that will be encrypted by Alice or Bob.
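
The following added example (not code from the original text) runs the message flow above and shows why the missing freshness check matters: Bob's processing of a replayed $y_B$ is identical to his processing of a fresh one. Assumptions: e() and e_inv() are a toy HMAC-SHA256 stream construction standing in for the page's $e()$, not a vetted cipher, and the names KDC, enroll, rqst, alice_send, bob_receive and run_demo are hypothetical.

```python
import hashlib, hmac, secrets

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Keystream from HMAC-SHA256 in counter mode (toy stand-in, assumption of this example).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def e(key: bytes, x: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(x, _stream(key, nonce, len(x))))

def e_inv(key: bytes, y: bytes) -> bytes:
    nonce, body = y[:16], y[16:]
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

class KDC:
    def __init__(self):
        self.keks = {}                       # ID -> long-term KEK: n entries for n users

    def enroll(self, user_id: str) -> bytes:
        self.keks[user_id] = secrets.token_bytes(32)
        return self.keks[user_id]            # distributed once over a secure channel

    def rqst(self, id_a: str, id_b: str):
        k_ses = secrets.token_bytes(32)      # generate random k_ses
        return e(self.keks[id_a], k_ses), e(self.keks[id_b], k_ses)   # (y_A, y_B)

def alice_send(k_a: bytes, y_a: bytes, y_b: bytes, x: bytes):
    k_ses = e_inv(k_a, y_a)                  # k_ses = e^-1_kA(y_A)
    return e(k_ses, x), y_b                  # (y, y_B) forwarded to Bob

def bob_receive(k_b: bytes, y: bytes, y_b: bytes) -> bytes:
    k_ses = e_inv(k_b, y_b)                  # k_ses = e^-1_kB(y_B)
    return e_inv(k_ses, y)                   # x = e^-1_kses(y)

def run_demo():
    kdc = KDC()
    k_a, k_b = kdc.enroll("alice"), kdc.enroll("bob")
    old_y_a, old_y_b = kdc.rqst("alice", "bob")   # earlier session (constructed sample)
    old_k_ses = e_inv(k_a, old_y_a)               # assume this old session key later leaks
    # Later session: the old pair arrives again instead of a fresh KDC response.
    y, y_b = alice_send(k_a, old_y_a, old_y_b, b"new message")
    delivered = bob_receive(k_b, y, y_b)          # accepted: nothing marks y_B as stale
    exposed = e_inv(old_k_ses, y)                 # the leaked old key opens the new traffic
    return delivered, exposed

if __name__ == "__main__":
    print(run_demo())
```

Neither `alice_send` nor `bob_receive` has any input that would let it tell the replayed pair from a fresh one, which is the key freshness violation described above.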