Key-agreement protocol
Encyclopedia
In cryptography
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...

, a key-agreement protocol is a protocol whereby two or more parties can agree on a key in such a way that both influence the outcome. If properly done, this precludes undesired third-parties from forcing a key choice on the agreeing parties. Protocols that are useful in practice also do not reveal to any eavesdropping party what key has been agreed upon.

Exponential key exchange

The first publicly known public-key agreement protocol that meets the above criteria was the Diffie-Hellman exponential key exchange, in which two parties jointly exponentiate
Exponentiation
Exponentiation is a mathematical operation, written as an, involving two numbers, the base a and the exponent n...

 a generator with random numbers, in such a way that an eavesdropper has no way of guessing what the key is.

However, exponential key exchange in and of itself does not specify any prior agreement or subsequent authentication between the participants. It has thus been described as an anonymous key agreement protocol.

Authentication

Anonymous key exchange, like Diffie-Hellman, does not provide authentication of the parties, and is thus vulnerable to Man-in-the-middle attack
Man-in-the-middle attack
In cryptography, the man-in-the-middle attack , bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other...

s.

A wide variety of cryptographic authentication schemes and protocols have been developed to provide authenticated key agreement to prevent man-in-the-middle and related attacks. These methods generally mathematically bind the agreed key to other agreed-upon data, such as the following:
  • Public/private key pairs
  • Shared secret keys
  • Passwords

Public keys

A widely used mechanism for defeating such attacks is the use of digitally signed
Digital signature
A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit...

 keys that must be integrity-assured: if Bob's key is signed by a trusted third party
Trusted third party
In cryptography, a trusted third party is an entity which facilitates interactions between two parties who both trust the third party; The Third Party reviews all critical transaction communications between the parties, based on the ease of creating fraudulent digital content. In TTP models, the...

 vouching for his identity, Alice can have considerable confidence that a signed key she receives is not an attempt to intercept by Eve. When Alice and Bob have a public-key infrastructure, they may digitally sign an agreed Diffie-Hellman agreed key, or exchanged Diffie-Hellman public keys. Such signed keys, sometimes signed by a certificate authority
Certificate authority
In cryptography, a certificate authority, or certification authority, is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate...

, are one of the primary mechanisms used for secure web traffic
Web traffic
Web traffic is the amount of data sent and received by visitors to a web site. It is a large portion of Internet traffic. This is determined by the number of visitors and the number of pages they visit...

 (including HTTPS
Https
Hypertext Transfer Protocol Secure is a combination of the Hypertext Transfer Protocol with SSL/TLS protocol to provide encrypted communication and secure identification of a network web server...

, SSL or Transport Layer Security
Transport Layer Security
Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...

 protocols). Other specific examples are MQV
MQV
MQV is an authenticated protocol for key agreement based on the Diffie–Hellman scheme. Like other authenticated Diffie-Hellman schemes, MQV provides protection against an active attacker...

, YAK
YAK (cryptography)
The YAK is a public-key authenticated key agreement protocol. It is considered the simplest among the related protocols, including MQV, HMQV, Station-to-Station protocol, SSL/ TLS etc. The authentication is based on public key pairs. As with other protocols, YAK normally requires a Public Key...

 and the ISAKMP
Internet Security Association and Key Management Protocol
ISAKMP is a protocol defined by RFC 2408 for establishing Security Associations and cryptographic keys in an Internet environment...

 component of the IPsec protocol suite for securing Internet Protocol communications. However, these systems require care in endorsing the match between identity information and public keys by certificate authorities in order to work properly.

Hybrid systems

Hybrid systems use public-key cryptography to exchange secret keys, which are then used in a symmetric-key cryptography systems. Most practical applications of cryptography use a combination of cryptographic functions to implement an overall system that provides all of the four desirable features of secure communications (Confidentiality, Integrity, Authentication, and Non-repudiation).

Passwords

Password-authenticated key agreement
Password-authenticated key agreement
In cryptography, a password-authenticated key agreement method is an interactive method for two or more parties to establish cryptographic keys based on one or more party's knowledge of a password.-Types:...

 protocols require the separate establishment of a password (which may be smaller than a key) in a manner that is both private and integrity-assured. These are designed to resist MITM and other active attacks on the password and the established keys. For example, DH-EKE
Encrypted key exchange
Encrypted Key Exchange is a family of password-authenticated key agreement methods described by Steven M. Bellovin and Michael Merritt...

, SPEKE
SPEKE (cryptography)
SPEKE is a cryptographic method for password-authenticated key agreement.-Description:The protocol consists of little more than a Diffie-Hellman key exchange where the Diffie-Hellman generator g is created from a hash of the password.Here is one simple form of SPEKE:# Alice and Bob agree to use an...

, and SRP
Secure remote password protocol
The Secure Remote Password protocol is a password-authenticated key agreement protocol.- Overview :The SRP protocol has a number of desirable properties: it allows a user to authenticate themselves to a server, it is resistant to dictionary attacks mounted by an eavesdropper, and it does not...

 are password-authenticated variations of Diffie-Hellman.

Other tricks

If one has an integrity-assured way to verify a shared key over a public channel, one may engage in a Diffie-Hellman key exchange
Diffie-Hellman key exchange
Diffie–Hellman key exchange Synonyms of Diffie–Hellman key exchange include:*Diffie–Hellman key agreement*Diffie–Hellman key establishment*Diffie–Hellman key negotiation...

 to derive a one-time shared key, and then subsequently authenticate that the keys match. One way is to use a voice-authenticated read-out of the key, as in PGPfone
PGPfone
PGPfone was a secure voice telephony system developed by Philip Zimmermann in 1995. The PGPfone protocol had little in common with Zimmermann's popular PGP email encryption package, except for the use of the name. It used ephemeral Diffie-Hellman protocol to establish a session key, which was...

. Voice authentication, however, presumes that it is infeasible for a MITM to spoof one participant's voice to the other in real-time, which may be an undesirable assumption. Such protocols may be designed to work with even a small public value, such as a password. Variations on this theme have been proposed for Bluetooth
Bluetooth
Bluetooth is a proprietary open wireless technology standard for exchanging data over short distances from fixed and mobile devices, creating personal area networks with high levels of security...

 pairing protocols.

In an attempt to avoid using any additional out-of-band authentication factors, Davies and Price proposed the use of the Interlock Protocol
Interlock Protocol
The interlock protocol, as described by Ron Rivest and Adi Shamir, was designed to frustrate eavesdropper attack against two parties that use an anonymous key exchange protocol to secure their conversation...

 of Ron Rivest
Ron Rivest
Ronald Linn Rivest is a cryptographer. He is the Andrew and Erna Viterbi Professor of Computer Science at MIT's Department of Electrical Engineering and Computer Science and a member of MIT's Computer Science and Artificial Intelligence Laboratory...

 and Adi Shamir
Adi Shamir
Adi Shamir is an Israeli cryptographer. He is a co-inventor of the RSA algorithm , a co-inventor of the Feige–Fiat–Shamir identification scheme , one of the inventors of differential cryptanalysis and has made numerous contributions to the fields of cryptography and computer...

, which has been subject to both attack and subsequent refinement.

Shared secret keys

Secret-key (symmetric) cryptography requires the initial exchange of a shared key in a manner that is private and integrity-assured. When done right, MITM attack is prevented. However, without the use of public-key cryptography, one may be left with undesirable key-management problems.

See also

  • Key (cryptography)
    Key (cryptography)
    In cryptography, a key is a piece of information that determines the functional output of a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa...

  • Computer security
    Computer security
    Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...

  • Cryptanalysis
    Cryptanalysis
    Cryptanalysis is the study of methods for obtaining the meaning of encrypted information, without access to the secret information that is normally required to do so. Typically, this involves knowing how the system works and finding a secret key...

  • Secure channel
    Secure channel
    In cryptography, a secure channel is a way of transferring data that is resistant to interception and tampering.A confidential channel is a way of transferring data that is resistant to interception, but not necessarily resistant to tampering....

  • Digital signature
    Digital signature
    A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit...

  • Key encapsulation
    Key encapsulation
    Key encapsulation mechanisms are a class of encryption techniques designed to secure symmetric cryptographic key material for transmission using asymmetric algorithms. In practice, public key systems are clumsy to use in transmitting long messages. Instead they are often used to exchange...

  • Key management
    Key management
    Key management is the provisions made in a cryptography system design that are related to generation, exchange, storage, safeguarding, use, vetting, and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.Key management concerns...

  • Password-authenticated key agreement
    Password-authenticated key agreement
    In cryptography, a password-authenticated key agreement method is an interactive method for two or more parties to establish cryptographic keys based on one or more party's knowledge of a password.-Types:...

  • Interlock Protocol
    Interlock Protocol
    The interlock protocol, as described by Ron Rivest and Adi Shamir, was designed to frustrate eavesdropper attack against two parties that use an anonymous key exchange protocol to secure their conversation...

  • zero-knowledge password proof
    Zero-knowledge password proof
    In cryptography, a zero-knowledge password proof is an interactive method for one party to prove to another party that it knows a value of a password, without revealing anything other than the fact that it knows that password to the verifier...

  • neural cryptography#Neural key exchange protocol
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK