Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
16974 ch 15 key management
1. Key management
Key generation and key distribution
A user must share the key for secure
communication but if user want to
communicate to million of users then he has
to exchange the million keys
Another solution is KDC
Each person shares the secret key with KDC
3. • 1. A request to KDC for communication to B
• 2. KDC ask to B about the A request if he will
be agree then session key will be established.
•
• When the number of peoples increases then it
will be difficult for KDC to manage all peoples
4. Flat Multiple KDC
• Now multiple KDC will manage the people
• Whole world is divided into domains and each
domain contains the multiple KDC
9. Diffie-Hellman
• all users agree on global parameters:
– large prime integer or polynomial q
– a being a primitive root mod q
• each user (eg. A) generates their key
– chooses a secret key (number): xA < q
xA
– compute their public key: yA = a
mod q
• each user makes public that key yA
10. • shared session key for users A & B is KAB:
xA.xB
KAB = a
= y
xB
A
xA
B
mod q
mod q
(which B can compute)
= y mod q (which A can compute)
• KAB is used as session key in private-key encryption
scheme between Alice and Bob
• if Alice and Bob subsequently communicate, they will
have the same key as before, unless they choose
new public-keys
• attacker needs an x, must solve discrete log
11. Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime q=353 and a=3
• select random secret keys:
– A chooses xA=97, B chooses xB=233
• compute respective public keys:
97
– yA=3 mod 353 = 40 (Alice)
– yB=3
233
mod 353 = 248
(Bob)
• compute shared session key as:
x
97
– KAB= yB A mod 353 = 248 = 160 (Alice)
– KAB= y
xB
A
mod 353 = 40
233
= 160 (Bob)
12. • Key is formed by 3 parameters g,x,y (g is
public)
• Everyone knows one third of key
• Other 2 parts must be added by 2 user to form
key
13.
14. Man in middle attack or bucket
brigade
• Protocol has other weakness (no need to find
the secret of users x,y instead of that form 2
key with each user
15. Station to station key agreement
• It is a method based on DH
• It uses digital signature with public key
certificate to establish a session key
16. • 1. calculate r1 and send to other user
• 2. Calculate r2 and session key, concatenate
r1,r2 and id after that sign the result with
private key. Bob then send r2,sig,public key
• 3. after calculate the session key if sig is
verified now it will generate the sig by
concatenate r1,r2 and bob id (encrypted with
session key)
•
17.
18. Security of station to station key
agreement
• Attacker can not forge the signature of user or
forged signature can not be verified by public
key of user