Key distribution schemes with a trusted center: Girault and Blom schemes

Foreword
This text will be one of the rewritten chapters for the training manual on information protection of the Department of Radio Engineering and Control Systems and, starting this academic year, of the Department of Information Protection of MIPT (GU). The full tutorial is available on github (see also draft releases). On Habr I plan to post new "big" pieces, first, to collect useful comments and observations, and second, to give the community more overview material on useful and interesting topics. Previous sections of the Cryptographic Protocols chapter: 1, 2, 3, 4


Key distribution schemes with a trusted center consist of three steps.



  1. At the first stage, the trusted center creates a secret known only to itself. This may be a secret matrix with special properties, as in the Blom scheme, or a pair of private and public keys, as in the Girault scheme.
  2. For each new legitimate member of the network, the trusted center uses its secret information to produce a fingerprint or certificate that allows the new member to generate session keys with other legitimate participants.
  3. Finally, at the third stage, when a communication protocol between two legitimate participants begins, they present to each other their identifiers and/or additional information from the trusted center. Using it, and without contacting the center again, they can generate a secret session key for communication with each other.


Girault scheme



In the Girault scheme (French: Marc Girault), security rests on the strength of the RSA cryptosystem (the difficulty of factoring large numbers and of computing a discrete root).



Preliminary:



As a result, for each participant, for example Alice, who holds $P_A, I_A, s_A$, the following statement holds:

$$P_A^e + I_A = g^{-s_A} \bmod n.$$







The authentication protocol of the parties in the general case is as follows.







  1. Alice picks a random $R_A$.

    $Alice \to \left\{ I_A, P_A, t = g^{R_A} \right\} \to Bob$
  2. Bob picks a random $R_B$.

    $Bob \to \left\{ R_B \right\} \to Alice$
  3. $Alice \to \left\{ y = R_A + s_A \times R_B \right\} \to Bob$
  4. Bob computes $v_A = P_A^e + I_A$;

    Bob checks that $g^y v_A^{R_B} = t$.


The protocol for generating a session key, or simply the Girault scheme, like other schemes, consists of passes that exchange public information and of a key computation.







  1. $Alice \to \left\{ P_A, I_A \right\} \to Bob$
  2. Bob computes $K_{BA} = (P_A^e + I_A)^{s_B} \bmod n$.

    $Bob \to \left\{ P_B, I_B \right\} \to Alice$
  3. Alice computes $K_{AB} = (P_B^e + I_B)^{s_A} \bmod n$.


As a result of running the scheme, the parties have generated the same shared session key.





$$K_{BA} = (P_A^e + I_A)^{s_B} = (g^{-s_A})^{s_B} = g^{-s_A s_B} \bmod n;$$

$$K_{AB} = (P_B^e + I_B)^{s_A} = (g^{-s_B})^{s_A} = g^{-s_A s_B} \bmod n;$$

$$K = K_{AB} = K_{BA} = g^{-s_A s_B} \bmod n.$$







The scheme provides key authentication (goal G7), since only legitimate users can compute the correct value of the shared session key.
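The two Girault exchanges above as a runnable toy, added here as an example and not taken from the tutorial. The setup step is not shown on this page, so the code assumes the center issues $P_A = (g^{-s_A} - I_A)^d \bmod n$, which is what makes the stated identity hold; the primes, the base `G = 2`, the identities, the secrets and all function names are constructed for illustration.

```python
import secrets

# Constructed toy parameters; a real modulus is an RSA-size product of secret primes.
P_, Q_ = 1019, 1187
N = P_ * Q_
E = 65537
D = pow(E, -1, (P_ - 1) * (Q_ - 1))   # trusted center's private exponent
G = 2                                  # public base (assumed for the example)

def center_issue(identity, v):
    """Assumed setup step: the center returns P = (v - I)^d mod n for v = g^(-s)."""
    return pow((v - identity) % N, D, N)

def make_user(identity, s):
    """The user keeps s secret; I and P are public."""
    return {"I": identity, "s": s, "P": center_issue(identity, pow(G, -s, N))}

def recover_v(pub, identity):
    """Anyone can compute v = P^e + I mod n; it equals g^(-s) for an issued P."""
    return (pow(pub, E, N) + identity) % N

def auth_commit(r_a):
    return pow(G, r_a, N)                      # t = g^R_A

def auth_respond(r_a, s, r_b):
    return r_a + s * r_b                       # y = R_A + s_A * R_B

def auth_verify(pub, identity, t, r_b, y):
    """Bob's check g^y * v_A^R_B == t, using only public data."""
    return pow(G, y, N) * pow(recover_v(pub, identity), r_b, N) % N == t

def session_key(own_s, peer_pub, peer_identity):
    """K = (P_peer^e + I_peer)^s_own mod n."""
    return pow(recover_v(peer_pub, peer_identity), own_s, N)

if __name__ == "__main__":
    alice, bob = make_user(1001, 123457), make_user(2002, 765433)
    r_a, r_b = secrets.randbelow(N), 1 + secrets.randbelow(N - 1)
    t = auth_commit(r_a)
    print("honest proof accepted:",
          auth_verify(alice["P"], alice["I"], t, r_b, auth_respond(r_a, alice["s"], r_b)))
    print("wrong secret accepted:",
          auth_verify(alice["P"], alice["I"], t, r_b, auth_respond(r_a, alice["s"] + 1, r_b)))
    print("keys match:", session_key(alice["s"], bob["P"], bob["I"])
          == session_key(bob["s"], alice["P"], alice["I"]))
```

Neither party contacts the center during the exchanges: Bob's check and both key computations use only the peer's public $P$ and $I$ plus the party's own secret.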



Blom's scheme



The Rolf Blom scheme is used in the HDCP protocol (High-bandwidth Digital Content Protection) to prevent copying of high-quality video signals. It is assumed that a trusted center distributes the keys in such a way that legitimate manufacturers of video cards, high-resolution monitors and other components can transmit video content over a secure channel, while pirate devices cannot intercept this data and, for example, write it to another medium.



At the initialization stage, the trusted center selects a symmetric matrix $D_{m,m}$ over the finite field $\mathbb{GF}_p$. To join the key distribution network, a new participant, either independently or through the trusted center, selects a new public key (identifier) $I_i$, which is a vector of length $m$ over $\mathbb{GF}_p$. The trusted center computes the private key $K_i$ for the new member:

$$K_i = D_{m,m} I_i.$$







The symmetry of the trusted center's matrix $D_{m,m}$ allows any two network participants to create a shared session key. Let Alice and Bob be legitimate network users, that is, they have public keys $I_A$ and $I_B$ respectively, and their private keys $K_A$ and $K_B$ were computed by the same trusted center using the formula above. Then the protocol for generating a shared secret key is as follows.







  1. $Alice \to \left\{ I_A \right\} \to Bob$
  2. Bob computes $K_{BA} = K_B^T I_A = I_B^T D_{m,m} I_A$.

    $Bob \to \left\{ I_B \right\} \to Alice$
  3. Alice computes $K_{AB} = K_A^T I_B = I_A^T D_{m,m} I_B$.


From the symmetry of the matrix $D_{m,m}$ it follows that the values $K_{AB}$ and $K_{BA}$ coincide; this value is the shared secret key for Alice and Bob. This secret key is unique for each pair of legitimate network users.



The admission of new participants to the scheme is strictly controlled by the trusted center, which protects the network from illegitimate users. The security of this scheme rests on the infeasibility of recovering the original matrix. However, to recover the trusted center's matrix of size $m \times m$, $m$ pairs of linearly independent public and private keys are necessary and sufficient. In 2010, Intel, which is the "trusted center" for users of the HDCP protection system, confirmed that cryptanalysts had managed to find the secret matrix (more precisely, one similar to it) used to generate keys in that system for preventing the copying of high-quality video signals.
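Blom's scheme with a toy matrix, added here as an example and not taken from the tutorial: it derives pairwise keys and checks the collusion threshold stated above, namely that $m$ independent key pairs determine $D_{m,m}$ while $m-1$ do not. The field size, `M = 4`, the identifiers of the form $(1, x, x^2, \dots)$ and all function names are assumptions of the example.

```python
import secrets

P = 2**31 - 1   # prime field modulus (constructed toy value)
M = 4           # matrix size m (constructed toy value)

def center_matrix(m=M, p=P):
    """Trusted center: random symmetric m x m matrix D over GF(p)."""
    d = [[0] * m for _ in range(m)]
    for i in range(m):
        for j in range(i, m):
            d[i][j] = d[j][i] = secrets.randbelow(p)
    return d

def identifier(x, m=M, p=P):
    """Constructed identifiers (1, x, x^2, ...): independent for distinct x."""
    return [pow(x, k, p) for k in range(m)]

def private_key(d, ident, p=P):
    """K_i = D * I_i, computed by the trusted center."""
    return [sum(a * b for a, b in zip(row, ident)) % p for row in d]

def session_key(own_private, peer_ident, p=P):
    """K = K_own^T * I_peer, computed locally by each participant."""
    return sum(a * b for a, b in zip(own_private, peer_ident)) % p

def recover_matrix(pairs, p=P):
    """Gauss-Jordan on rows [I_i | K_i], i.e. solve I_i^T D = K_i^T for D."""
    m = len(pairs[0][0])
    rows = [[x % p for x in list(i) + list(k)] for i, k in pairs]
    for col in range(m):
        piv = next((r for r in range(col, len(rows)) if rows[r][col]), None)
        if piv is None:
            return None   # identifiers do not span GF(p)^m: D is not determined
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, p)
        rows[col] = [x * inv % p for x in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % p for x, y in zip(rows[r], rows[col])]
    return [row[m:] for row in rows[:m]]

if __name__ == "__main__":
    d, ids = center_matrix(), [identifier(x) for x in (2, 3, 5, 7)]
    pairs = [(i, private_key(d, i)) for i in ids]
    print("pairwise keys agree:", session_key(pairs[0][1], ids[1]) == session_key(pairs[1][1], ids[0]))
    print("D recovered from m-1 pairs:", recover_matrix(pairs[:M - 1]) == d)
    print("D recovered from m pairs:", recover_matrix(pairs) == d)
```

For a designer the consequence is a sizing rule: $m$ has to exceed the number of device keys that could ever be pooled, because the exposure is a property of the linear construction and not of any single key.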

Afterword
The author will be grateful for factual and other comments on the text.


