Question
This question is from Understanding Cryptography (Applied cryptography)
In this exercise, we want to analyze some variants of key derivation. In practice, one masterkey $k_{MK}$ is exchanged in a secure way (e.g. certificate-based DHKE) between the involved parties. Afterwards, the session keys are regularly updated by use of key derivation. For this purpose, three different methods are at our disposal:
(1) $k_0 = k_{MK}$; $k_{i+1} = k_i + 1$
(2) $k_0 = h(k_{MK})$; $k_{i+1} = h(k_i)$
(3) $k_0 = h(k_{MK})$; $k_{i+1} = h(k_{MK} \| i \| k_i)$
where $h()$ marks a (secure) hash function, and $k_i$ is the $i$th session key.
1. What are the main differences between these three methods?
2. Which method provides Perfect Forward Secrecy?
3. Assume Oscar obtains the $n$th session key (e.g., via brute-force). Which sessions can he now decrypt (depending on the chosen method)?
4. Which method remains secure if the masterkey $k_{MK}$ is compromised? Give a rationale.
Explanation / Answer
Perfect Forward Secrecy (PFS) is basically designed to prevent a compromised master key from affecting the confidentiality of past communication. However, PFS cannot protect against a successful cryptanalysis of the ciphers being used: cryptanalysis basically involves finding a way to decrypt an encrypted message without the key, and PFS only protects keys, not the ciphers themselves.
(1). The main differences between these three methods are:
In method (1), the next session key is generated directly from the previous session key by simple addition of the constant 1, which is easy to break. Also, if at any stage Oscar obtains the session key, he can decrypt all past keys and hence messages as well.
Methods (2) and (3) are more secure than method (1), as they use a secure hash function to generate the next session key.
The main difference between the three is the way the next session key is generated.
(2). Method (3) provides Perfect Forward Secrecy (PFS). If the hash function is secure, then method (2) can also provide PFS, but this depends upon the hash function.
(3). If Oscar obtains the $n$th session key (e.g., via brute-force), then for method (1) he can decrypt all past and future conversations, as the key generation mechanism is a simple linear function.
For method (2) and method (3) he cannot decrypt the past conversation, and this also depends upon the hash function. If he knows the hash function, then he can decrypt future conversation in both methods (2) and (3).
(4). As the hash function used is secure, it will not be possible to recreate the input data from its hash value alone. In method (2), $k_0$ is generated directly by applying $h(k_{MK})$, so if $k_{MK}$ is compromised, Oscar can generate all session keys using the master key, and method (1) is very easy for him.
In method (3), Oscar can obtain $k_0 = h(k_{MK})$, but further keys cannot be obtained, as $k_{i+1} = h(k_{MK} \| i \| k_i)$, where it is not sure what is applied inside the hash function. So this is not deterministic in nature.
And so method (3) will remain more secure than the others even if the master key is compromised.
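The three derivation rules from the question, run side by side as an added example that is not part of the original question or answer. It assumes SHA-256 for $h$, 256-bit keys, a 4-byte big-endian encoding of $i$ and a constructed master key; the hypothetical helper `recoverable` lists which session-key indices a holder of $k_n$ (and optionally $k_{MK}$) can recompute from the published rules alone.

```python
import hashlib

MOD = 2 ** 256                       # assumed key size: 256 bits
K_MK = bytes(range(32))              # constructed master key, sample only

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # assumed choice for h()

def add(k: bytes, d: int) -> bytes:
    return ((int.from_bytes(k, "big") + d) % MOD).to_bytes(32, "big")

def next_key(method: int, k_i: bytes, i: int, k_mk: bytes = b"") -> bytes:
    """k_{i+1} under method (1), (2) or (3) of the question."""
    if method == 1:
        return add(k_i, 1)
    if method == 2:
        return h(k_i)
    # method (3); the 4-byte encoding of i is an assumption
    return h(k_mk + i.to_bytes(4, "big") + k_i)

def chain(method: int, k_mk: bytes, n: int) -> list:
    """k_0 .. k_n as the two honest parties derive them."""
    keys = [k_mk if method == 1 else h(k_mk)]
    for i in range(n):
        keys.append(next_key(method, keys[i], i, k_mk))
    return keys

def recoverable(method: int, keys: list, n: int, k_mk: bytes = None) -> list:
    """Indices recomputable from k_n (plus k_MK if given) using only the rules."""
    found = {n: keys[n]}
    if k_mk is not None:             # master key known: rebuild from k_0
        found.update(enumerate(chain(method, k_mk, len(keys) - 1)))
    if method in (1, 2):             # forward step uses no secret input
        for i in range(n, len(keys) - 1):
            found[i + 1] = next_key(method, found[i], i)
    if method == 1:                  # backward step: k_{i-1} = k_i - 1
        for i in range(n, 0, -1):
            found[i - 1] = add(found[i], -1)
    # every recomputed key must equal the one the honest parties derived
    assert all(keys[i] == k for i, k in found.items())
    return sorted(found)

if __name__ == "__main__":
    for m in (1, 2, 3):
        ks = chain(m, K_MK, 5)
        print(m, recoverable(m, ks, 3), recoverable(m, ks, 3, K_MK))
```
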