Re: [Cfrg] question on secure key distribution
David McGrew <mcgrew@cisco.com> Tue, 17 October 2006 16:31 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GZrqH-0001OF-I9; Tue, 17 Oct 2006 12:31:01 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GZrqG-0001N2-PG for cfrg@ietf.org; Tue, 17 Oct 2006 12:31:00 -0400
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GZrqD-0003ym-H3 for cfrg@ietf.org; Tue, 17 Oct 2006 12:31:00 -0400
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-6.cisco.com with ESMTP; 17 Oct 2006 09:30:57 -0700
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-1.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id k9HGUuf1008859; Tue, 17 Oct 2006 09:30:56 -0700
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id k9HGUuAq023920; Tue, 17 Oct 2006 09:30:56 -0700 (PDT)
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 17 Oct 2006 09:30:34 -0700
Received: from [192.168.1.100] ([10.32.254.210]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 17 Oct 2006 09:30:33 -0700
In-Reply-To: <39855.69.12.173.8.1160629744.squirrel@www.trepanning.net>
References: <39855.69.12.173.8.1160629744.squirrel@www.trepanning.net>
Mime-Version: 1.0 (Apple Message framework v752.2)
X-Priority: 3 (Normal)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <D0A85177-1FAD-4024-9285-AFB232E67DE7@cisco.com>
Content-Transfer-Encoding: 7bit
From: David McGrew <mcgrew@cisco.com>
Subject: Re: [Cfrg] question on secure key distribution
Date: Tue, 17 Oct 2006 09:30:32 -0700
To: Dan Harkins <dharkins@lounge.org>
X-Mailer: Apple Mail (2.752.2)
X-OriginalArrivalTime: 17 Oct 2006 16:30:34.0042 (UTC) FILETIME=[91BE19A0:01C6F209]
DKIM-Signature: a=rsa-sha1; q=dns; l=3727; t=1161102656; x=1161966656; c=relaxed/simple; s=sjdkim1002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew@cisco.com; z=From:David=20McGrew=20<mcgrew@cisco.com> |Subject:Re=3A=20[Cfrg]=20question=20on=20secure=20key=20distribution; X=v=3Dcisco.com=3B=20h=3DRtV4rC/Ufmy62MPchx5Wbt7R1hk=3D; b=S1yU8h4H+H75khjZ04LGEugGzcgtNMP90DRA1bxv7HEdTr9PQV0eedQzeeQlK9jhJijarvB2 YRE22QD8QjmFG8xzcGSXXzdcqTlJrDlWVGkexFzuESdsyE5cNo14nT7p;
Authentication-Results: sj-dkim-1.cisco.com; header.From=mcgrew@cisco.com; dkim=pass ( sig from cisco.com verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 14582b0692e7f70ce7111d04db3781c8
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
Hi Dan,
this is a complex question! I have a few comments anyway, which I
hope can be useful.
On Oct 11, 2006, at 10:09 PM, Dan Harkins wrote:
>
> Hi,
>
> I have a question on a technique to distrubute a secret key. This
> technique is being proposed in an 802.11 task group (task group r)
> to have a centralized key holder distribute keys to wireless access
> points.
>
> Assuming Alice, and a set of {Bob, Bill, Brian}, and Trent.
> Alice shares some secret with Trent, Kat, and wants Trent to
> distribute
> keys to Bob, Bill, and Brian. Further, Trent has a "secure session"
> with each of {Bob, Bill, and Brian}-- the B's-- such that their
> identities
> have been authenticated and communication between Trent and each of
> the B's have the properties of confidentiality, data integrity
> protection, and data source authentication. Also there is a key
> confirmation handshake HS(Alice, B) that will indicate whether Alice
> and B (one of the B's) share a key.
>
> Is it adequate for Trent to use Kat as a master key to derive
> specific keys to each of {Bob, Bill, Brian} using some pseudo-random
> function that takes a key, k, and a message, m-- prf(k, m)-- namely,
>
> key for Bob: Kbob = prf(Kat, "Bob"...)
> key for Bill: Kbill = prf(Kat, "Bill"...)
> key for Brian: Kbrian = prf(Kat, "Brian"...)
>
> and have each of those delivered over the "secure session" by Trent
> to the appropriate recipient? Alice derives the keys herself and then
> uses HS(Alice, B) to confirm that B has the right key.
I expect that, if the key distribution method met some security goals
as long as the derived keys { Kbob, Kbill, Kbrian, ... } were random,
plus the function prf() was indistinguishable from random to entities
not knowing the key Kat, then the key distribution method would still
meet those same goals, with respect to adversaries that don't know
the key Kat. (That's pretty vague, but it's not clear to me what
all of the goals are, and there are lots of different goals, like
those outlined in http://citeseer.ist.psu.edu/boyd97towards.html)
>
> The idea being promoted is that Trent is giving a key that is based
> on a particular identity to an entity that has proven it is that
> identity.
An obvious comment: the management of the identities needs to be
under the control of Trent. Otherwise, we could put together attacks
that would work by having Bob's identity get revoked, then get re-
assigned to another user. If the key Kat didn't change, then Bob
could masquerade as the new user, and the new user could potentially
disrupt Bob's sessions (or subvert confidentiality that used Kbob).
> Furthermore, Trent would not give Bill's key to Bob or Brian.
> If Alice is able to successfully perform HS(Alice, B) with one of the
> B's then she can assume that B is a trusted and authorized entity
> since
> it got the correct key from Trent (whom she trusts). Is this adequate?
> Is there a flaw here anywhere?
You mentioned that Alice derives the keys { Kbob, Kbill,
Kbrian, ... } herself - does this mean that she knows Kat? In that
case, she could impersonate Bob or one of the other entities.
Beyond these observations, I don't see any potential flaws, in the
sense that it seems possible to build a secure system along the lines
you describe. But of course the system deserves a security analysis
far better than what I've given here! :-)
Best regards,
David
>
> thanks,
>
> Dan.
>
>
>
>
>
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] question on secure key distribution Dan Harkins
- Re: [Cfrg] question on secure key distribution David McGrew