NCC 2009, January 16-18, IIT Guwahati


Hash Algorithm Based A New Secret Key Agreement Algorithm

Shivakrishna K. and S.S.Pathak
[email protected] [email protected]
Department of Electronics and Electrical Communication Engineering, Indian Institute of Technology Kharagpur, Kharagpur 721302.

ABSTRACT

In cryptography a critical type of attack known as the sampling attack, whereby an outsider Eve obtains more sequences than the genuine users Alice and Bob, is quite serious. Because the channel is specified as public in the definition of the sampling attack, Eve has the same full access to the channel as Alice and Bob. The channel cannot be made private as such. A set of rules exists in the literature to prevent the sampling attack. This paper presents those rules and, following them, develops a suitable new protocol for protection against such an attack. One way of designing the new protocol is that only some of the messages or parameters used in calculating the key are sent over the channel, since Eve, having full access to the channel, can tap all the messages of the Alice-Bob pair. The basic algorithm for finding a session key using the exponentiation property is the Diffie-Hellman key exchange protocol, but it suffers from the Man-In-Middle attack. In the new algorithm only some part of the messages or parameters used in calculating the key need be sent over the channel. Security analysis of the new algorithm serves as a proof of its correctness.

INTRODUCTION

Public-key cryptography, also known as asymmetric cryptography, is a form of cryptography in which a user has a pair of cryptographic keys: a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key [1]. A message encrypted with the public key can be decrypted only with the corresponding private key. Mathematically, these statements can be summarised as follows: D(E(P)) = P; it is exceedingly difficult to deduce D from E; and E cannot be broken (derived) by a chosen-plaintext attack. Here 'E' is the encryption key and 'D' is the decryption key. In general, the encryption key E and the encryption algorithm are publicly known; the decryption algorithm is also public, but the decryption key D is not. Conversely, secret-key cryptography, also known as symmetric cryptography, uses a single secret key for both encryption and decryption [2]. The two well-known techniques of public key cryptography are public key encryption and digital signatures. In the first case, a message encrypted with a recipient's public key cannot be decrypted by anyone except the recipient possessing the corresponding private key. This is used to ensure confidentiality and authenticity. In the second case, a message signed with a sender's private key can be verified by anyone who has access to the sender's public key, thereby proving that the sender signed it and that the message has not been tampered with. This is used to ensure authenticity. Public key techniques are more computationally intensive than purely symmetric algorithms; judicious use of these techniques enables a wide variety of applications. In practice, public key cryptography is used in combination with secret-key methods for efficiency. For encryption, the sender encrypts the message with a secret-key algorithm using a randomly generated key, and that random key is then encrypted with the recipient's public key. For digital signatures, the sender hashes the message (using a cryptographic hash function) and then signs the resulting "hash value". Before verifying the signature, the recipient also computes the hash of the message and compares this hash value with the signed hash value to check that the message has not been tampered with. The rules indicated for the parameters used in the RSA algorithm [3] have some limitations. Choosing large values for the encryption key e, the decryption key d, and a suitable modulus N (the product of two prime numbers) involves significant computation time. However, once the required parameters have been obtained, the security is assured. For small values of these parameters Eve can derive the key with less effort. A digital signature scheme typically consists of three algorithms [3]: a key generation algorithm G, a signing algorithm S, and a signature verifying algorithm V. The key generation algorithm G randomly produces a "key pair" (PK, SK) for the signer; PK is the verifying key, which is made public, and SK is the signing key, which is kept private. The signing algorithm S produces a signature σ on input of a message M and a signing key SK. The signature verifying algorithm V, on input of a message M, a verifying key PK and a signature σ, either accepts or rejects the message. Two main properties are required of signatures. First, signatures computed honestly should always verify: V should accept (M, PK, S(M, SK)), where SK is the secret key related to PK, for any message M. Second, it should be hard for any adversary, knowing only PK, to create valid signatures. Hash algorithms [3] also work in the same fashion. The input message is taken in chunks of a fixed number of bits and fed to the hash algorithm. The generated hash is sent along with the original message. At the receiving end the other party takes the received message, calculates its hash and compares it with the received hash value. If both hashes match, the received message is valid; otherwise it is not.
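The three algorithms (G, S, V) and the relation D(E(P)) = P described above, worked through in code. This is an added example, not code from the paper: it is textbook RSA with SHA-256 as the hash, using two Mersenne primes (2^61 - 1 and 2^89 - 1) as fixed demo-only factors and no signature padding, so it illustrates the hash-then-sign flow but is not a parameter choice to deploy.

```python
import hashlib

# Demo-only primes, constructed for illustration. Real key generation draws
# random primes of 1024 bits or more; these are just known primes small enough
# to keep the example fast and readable.
P = 2**61 - 1
Q = 2**89 - 1


def keygen(p=P, q=Q, e=65537):
    """G: produce the key pair. PK = (N, e) is published, SK = (N, d) stays private."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse; needs gcd(e, phi) == 1 (true here)
    return (n, e), (n, d)


def digest(message: bytes, n: int) -> int:
    """Hash the message and map the digest into Z_N (toy: no padding scheme)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, sk) -> int:
    """S: sigma = Hash(M)^d mod N, computed with the private key."""
    n, d = sk
    return pow(digest(message, n), d, n)


def verify(message: bytes, sigma: int, pk) -> bool:
    """V: recompute Hash(M) and accept iff sigma^e mod N equals it."""
    n, e = pk
    return pow(sigma, e, n) == digest(message, n)


def encrypt(plaintext: int, pk) -> int:
    """E(P) = P^e mod N, using only the public key."""
    n, e = pk
    return pow(plaintext, e, n)


def decrypt(ciphertext: int, sk) -> int:
    """D(C) = C^d mod N, so that D(E(P)) = P for 0 <= P < N."""
    n, d = sk
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    pk, sk = keygen()
    msg = b"transfer 100 units"          # constructed sample message
    sigma = sign(msg, sk)
    print("honest signature verifies:", verify(msg, sigma, pk))
    print("tampered message verifies:", verify(b"transfer 900 units", sigma, pk))
    print("D(E(P)) == P:", decrypt(encrypt(42, pk), sk) == 42)
```

The verifier never sees the private exponent d; it only needs (N, e) and the message, which is why an attacker who knows PK alone cannot forge sigma for a new message, and why any tampering changes the digest and makes V reject.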
There are several reasons to sign such a hash or message digest instead of signing the whole document. Symmetric-key algorithms, or shared secret key algorithms, are a class of cryptographic algorithms that use trivially related, often identical, keys for both encryption and decryption. The encryption key is trivially related to the decryption key, in that they may be identical or there is a simple transform to go between the two keys [4,5]. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. Normally the shared secret keys are long enough for protection against sampling attacks. Therefore, it is difficult to manage the secure transaction and/or generation of keys at both the sender and recipient sites. In this paper a new algorithm for shared key generation is proposed which can be communicated with less complexity but high security, and is resistant to sampling attacks.

PROBLEM FORMULATION

Let X, Y, Z be three stationary memoryless sources available to Alice, Bob and Eve, respectively. Each of these random variables has alphabet size n, i.e. X = {X1, X2, …, Xn}, Y = {Y1, Y2, …, Yn} and Z = {Z1, Z2, …, Zn}. Alice and Bob use a protocol in which at each step Alice sends a message to Bob depending on X and all messages previously received from Bob, or vice versa (with X replaced by Y). Without loss of generality, we can consider a protocol in which Alice sends messages at odd steps (C1, C3, …) and Bob sends messages at even steps (C2, C4, …) [5]. At the end of a t-step protocol Alice computes a key S as a function of X and C^t while Bob computes a key S' as a function of Y and C^t. Their goal is to maximize the entropy H(S) under the condition that S and S' agree with very high probability and that Eve has very little information about either S or S'. Formally, a protocol (C, S, S') for (X, Y, Z) with t steps is composed of a sequence of random variables C^t = (C1, C2, …, Ct), which represent authenticated communication between Alice and Bob, and random variables (S, S'), which are generated by the computations of Alice and Bob, respectively [4]. Alice sends messages at odd steps and Bob at even steps, each using all the previous messages in C^t. These equations therefore dictate that Alice and Bob exchange messages one by one in alternating fashion. After exchanging t such messages, Alice and Bob calculate the keys S and S' individually with their own formulae. Here 't' indicates the depth of secrecy: for worse channels more messages can be exchanged and more complicated transformations used. This requires more computation and makes it take much longer for Eve to guess the key. The session keys derived should match even though the two parties' formulae differ. The channel being public, Eve is fully allowed to tap it, so she obtains the complete set C^t. The formulae should be such that even in this extreme case guessing the key is intractable. In this paper, an algorithm to increase the size of the key set is worked out, which in turn renders a very low probability of finding a sampling algorithm for deriving the key. A large shared key is assumed to ensure the authenticity and data integrity of communication over the insecure public channel. So, the purpose of the protocol is to stretch a secret key rather than to generate an unconditionally secure one. As Eve gets more information, an alternative method for Alice and Bob to acquire the random variables X and Y is to receive the signal of a satellite broadcasting random bits at very low signal power, so that even if Eve uses a much better receiving antenna she cannot avoid at least a small bit error probability.

THE PROPOSED ALGORITHM

Alice and Bob are considered as a client-server pair. First, Alice enters a password. Then a verifier 'v' is computed from the password and a random password salt 's' generated by Bob, the server. Next, the user name, salt and verifier are stored in the database on the server Bob. This happens every time Alice changes her password. Now Alice is ready to authenticate to Bob. In cryptography, a salt consists of random bits used as one of the inputs to a key derivation function. In some applications the initialization vector is used as a salt. A randomly selected salt combined with the chosen password gives more security than using the password alone. Here, instead of sending a password on the insecure public channel, a verifier is used, which is generated by hashing the password and salt. So, even if Eve taps the salt bits she cannot get the verifier other than by guessing the password. In this algorithm both parties must exchange the password on the private channel before the secret key request from Alice arrives. When the password has been shared on the private channel, Bob chooses a salt 's', calculates 'x' and the verifier 'v' from the following formulae,

x = Hash(s, p),  v = g^x mod N,

and stores the salt and password in his database along with Alice's username. Whenever Alice sends her username to Bob, Bob looks it up in his table of verifiers and sends the corresponding salt 's' along with the arithmetic modulus 'N' needed for further message exchanges. Alice also calculates x = Hash(s, p) and the verifier v = g^x mod N. Subsequently the verifier 'v' is returned to the server as proof of authentication. Now let us consider the shared key generation problem. Alice selects a random number 'm' and calculates A = g^m mod N. Bob receives 'A' from Alice, selects a random number 'n', calculates the public key B = (v + g^n) mod N and then sends 'B' to Alice. Now both parties calculate a common c = Hash(A, B). This 'c' is used in calculating the session key. Alice calculates her session key as S1 = (B - g^x)^(m + c·x) mod N and the hash of S1 as K1 = Hash(S1). Similarly, Bob calculates his session key as S2 = (A · v^c)^n mod N and the hash of S2 as K2 = Hash(S2). By now the challenges have been sent to each other but verification remains. Alice sends her verification first and Bob responds later. Instead of sending the session keys (S1, S2) directly, the hashes of (S1, S2) are exchanged to ensure security. This step is needed because hashes of the keys give uncorrelated results to Eve. If the hashes match, Alice and Bob take S1 = S2 = S as their session key for actual data transfer; otherwise Bob stops communicating with the client, taking her to be Eve. Hashing can be done using any of the algorithms available in the literature like SHA and/or MD5. MD5 has a 128-bit digest whereas SHA results in a 160-bit hash, which are long enough to ensure security.

EXAMPLES OF ATTACKS AND SECURITY ANALYSIS
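Before the individual attack cases, the exchange described in the previous section run end to end, as an added example (not the paper's code): both sides compute their key from their own formula, only the key hashes cross the channel, and Bob's mismatch check (K1 ≠ K2, so he refuses the client) is exercised with a wrong password. Assumptions not in the paper: SHA-256 over a separator-joined encoding of the inputs plays the role of Hash, and N = 2^127 - 1 with g = 3 is a toy group chosen only so the arithmetic is visible; a real deployment would use a large safe prime.

```python
import hashlib
import secrets

# Toy group parameters, constructed for illustration only. N = 2^127 - 1 is
# prime but far too small for real use.
N = 2**127 - 1
g = 3


def H(*parts) -> int:
    """Hash(...) of the paper: SHA-256 over the decimal/text encodings, as an int.
    The separator keeps Hash(a, bc) and Hash(ab, c) distinct."""
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big")


def enrol(password: str, salt=None) -> dict:
    """Bob's registration step: x = Hash(s, p), v = g^x mod N, kept with the salt."""
    if salt is None:
        salt = secrets.token_hex(16)
    x = H(salt, password)
    return {"salt": salt, "v": pow(g, x, N)}


def alice_challenge(password: str, salt: str, m=None) -> dict:
    """Alice: recompute x from the salt Bob returned, pick m, send A = g^m mod N."""
    if m is None:
        m = secrets.randbelow(N - 2) + 2
    x = H(salt, password)
    return {"x": x, "m": m, "A": pow(g, m, N)}


def bob_response(record: dict, A: int, n=None) -> dict:
    """Bob: pick n, send B = (v + g^n) mod N, then c = Hash(A, B),
    S2 = (A * v^c)^n mod N and K2 = Hash(S2). S2 itself is never sent."""
    if n is None:
        n = secrets.randbelow(N - 2) + 2
    v = record["v"]
    B = (v + pow(g, n, N)) % N
    c = H(A, B)
    S2 = pow((A * pow(v, c, N)) % N, n, N)
    return {"B": B, "K2": H(S2)}


def alice_key_hash(state: dict, B: int) -> int:
    """Alice: c = Hash(A, B), S1 = (B - g^x)^(m + c*x) mod N, K1 = Hash(S1)."""
    c = H(state["A"], B)
    base = (B - pow(g, state["x"], N)) % N      # equals g^n mod N when x is right
    S1 = pow(base, state["m"] + c * state["x"], N)
    return H(S1)


def run_exchange(record: dict, password: str) -> bool:
    """One session. Values that cross the public channel: salt, A, B, K1.
    Returns True when Bob accepts (K1 == K2), False when he refuses the client."""
    a = alice_challenge(password, record["salt"])
    b = bob_response(record, a["A"])
    K1 = alice_key_hash(a, b["B"])
    return K1 == b["K2"]


if __name__ == "__main__":
    record = enrol("correct horse battery", salt="0123456789abcdef")   # constructed
    print("genuine Alice accepted:", run_exchange(record, "correct horse battery"))
    print("wrong password accepted:", run_exchange(record, "wrong guess"))
```

Because B - g^x = g^n mod N, Alice's exponentiation yields g^(n(m + cx)) and Bob's yields (g^m · g^(xc))^n, the same value, so K1 = K2 for the right password; with the wrong password the subtraction does not strip g^n and the two hashes disagree, which is the condition under which the paper has Bob stop communicating.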

Eve intercepts (g, N) from Bob: she cannot find 'v' because the password is not known.

Eve intercepts and interrupts (v, A) from Alice: she cannot find S1 or S2 because (m, n) are not available to her.

Eve injects (v, g^K) into the channel to Bob, pretending to be Alice: S1 does not match S2, because (x, m, n) are not available on the channel for her to intercept.

Authentic verification of the session key: Hash_value_Alice depends upon (v, m, B) while Hash_value_Bob depends upon (v, n, A). Also, it is assumed that 'm' and 'n' are never directly available on the channel, while 'v' is sent through a secure private channel, as is done for the exchange of the password 'p'.

CONCLUSIONS

The proposed algorithm is not only robust against the Man-In-Middle attack but is also robust to other shared secret key attacks like the Reflection Attack and the Replay Attack. Much care has been taken in developing the algorithm to ensure that Eve cannot break it.

[Figure: The Message Exchange]

[Figure: The Mathematical Verification]

REFERENCES

[1] Whitfield Diffie and Martin E. Hellman, “New Directions in Cryptography”, IEEE Transactions on Information Theory, vol. 22, pp. 644-654, Nov 1976.
[2] U. M. Maurer, “Secret key agreement by public discussion from common information”, IEEE Transactions on Information Theory, vol. 39, pp. 733-742, May 1993.
[3] H. Delfs and H. Knebl, Introduction to Cryptography, Springer-Verlag, New York, 2002.
[4] Jun Muramatsu, Kazuyuki Yoshimura, Ken’ichi Arai and Peter Davis, “Secret Key Agreement under Sampling Attack”, Proceedings of the International Symposium on Information Theory (ISIT 2005), pp. 2147-2151, 4-9 Sept. 2005.
[5] Jun Muramatsu, Kazuyuki Yoshimura, Ken’ichi Arai and Peter Davis, “Secret Key Capacity for Optimally Correlated Sources Under Sampling Attack”, IEEE Transactions on Information Theory, vol. 52, no. 11, pp. 5140-5151, Nov 2006.
