13.3 Key Establishment Using Asymmetric Techniques
Public-key algorithms are especially suited for key establishment protocols since
they don't share most of the drawbacks that symmetric key approaches have. In fact,
next to digital signatures, key establishment is the other major application domain
of public-key schemes. They can be used for both key transport and key agreement.
For key agreement, Diffie-Hellman key exchange, elliptic curve Diffie-Hellman or
related protocols are often used. For key transport, any of the public-key encryption
schemes, e.g., RSA or Elgamal, is often used. We recall at this point that public-key
primitives are quite slow, and that for this reason actual data encryption is usually
done with symmetric primitives like AES or 3DES, after a key has been established
using asymmetric techniques.
At this moment it looks as though public-key schemes solve all key establishment
problems. It turns out, however, that they all require what is termed an authenticated
channel to distribute the public keys. The remainder of this chapter is chiefly devoted
to solving the problem of authenticated public key distribution.
13.3.1 Man-in-the-Middle Attack
The man-in-the-middle attack¹ is a serious attack against public-key algorithms.
The basic idea of the attack is that the adversary, Oscar, replaces the public keys
sent out by the participants with his own keys. This is possible whenever public
keys are not authenticated. The man-in-the-middle (MIM) attack has far-reaching
consequences for asymmetric cryptography. For didactic reasons we will study
the MIM attack against the Diffie-Hellman key exchange (DHKE). However, it is
extremely important to bear in mind that the attack is applicable against any
asymmetric scheme unless the public keys are protected, e.g., through certificates, a topic
that is discussed in Sect. 13.3.2.
We recall that the DHKE allows two parties who never met before to agree on a
shared secret by exchanging messages over an insecure channel. For convenience,
we restate the DHKE protocol here:
¹ The “man-in-the-middle attack” should not be confused with the similar-sounding but in
fact entirely different “meet-in-the-middle attack” against block ciphers which was introduced in
Sect. 5.3.1.
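The following toy simulation is an added example, not taken from the book. It runs the DHKE once over an honest channel and once over a channel on which Oscar replaces each public key with his own, and shows that comparing key fingerprints over an authenticated channel exposes the substitution. The parameters P and G, all function names and the fingerprint comparison (a stand-in for the certificates of Sect. 13.3.2) are assumptions of this example.

```python
import hashlib
import secrets

# Toy domain parameters, constructed for illustration; far too weak for real use.
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair(priv=None):
    """Return (private, public) with public = G^private mod P."""
    if priv is None:
        priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared(priv, peer_pub):
    """Session key as computed by one party: peer_pub^priv mod P."""
    return pow(peer_pub, priv, P)

def fingerprint(pub):
    """Short digest of a public key, for comparison over an authenticated channel."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def honest_channel(pub):
    return pub

def substituting_channel(o_priv=None):
    """Oscar as described in the text: every public key in transit is replaced by his own."""
    o, O = keypair(o_priv)
    def channel(pub):
        channel.oscar_keys.append(shared(o, pub))  # key Oscar shares with the sender
        return O
    channel.oscar_keys = []
    return channel

def run_exchange(channel, a_priv=None, b_priv=None):
    """One DHKE between Alice and Bob; `channel` models the insecure network."""
    a, A = keypair(a_priv)
    b, B = keypair(b_priv)
    A_at_bob, B_at_alice = channel(A), channel(B)
    return {
        "k_alice": shared(a, B_at_alice),
        "k_bob": shared(b, A_at_bob),
        # The check unauthenticated DHKE lacks: is the received key the peer's real one?
        "alice_accepts": fingerprint(B_at_alice) == fingerprint(B),
        "bob_accepts": fingerprint(A_at_bob) == fingerprint(A),
    }

if __name__ == "__main__":
    print(run_exchange(honest_channel))
    print(run_exchange(substituting_channel()))
```

Over the substituting channel Alice and Bob end up with different keys, each shared with Oscar rather than with each other, and neither side notices unless the received public key is checked against an authenticated value.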