👩🏾‍🤝‍👨🏼 🎢 👩🏽‍⚖️ Key distribution schemes with a trusted center: Giro and Bloma schemes 🔔 ♂️ 😛

Foreword

This text will be one of the rewritten chapters for the training manual on information protection of the Department of Radio Engineering and Control Systems, as well as, from this training code, the Department of Information Protection of the MIPT (GU). The full tutorial is available on github (see also draft releases ). On Habrir I plan to upload new "big" pieces, firstly, to collect useful comments and observations, and secondly, to give the community more overview material on useful and interesting topics. Previous sections of the Cryptographic Protocols chapter: 1 , 2 , 3 , 4

Key distribution schemes with a trusted center consist of three steps.

At the first stage, the trusted center creates a secret known only to him. This may be some secret matrix with special properties, as in the Blom scheme, or a pair of private and public keys, as in the Giraud scheme.
For each new legal member of the network, the trusted center, using its secret information, produces a fingerprint or certificate that allows the new member to generate session keys with other legal participants.
Finally, at the third stage, when the protocol of communication between the two legal participants begins, they present identifiers and / or additional information from the trusted center to each other. Using it, without additional access to the center, they can generate a secret session key for communication with each other.

Giro scheme

In the Giraud scheme ( French: Marc Girault ), reliability is built on the strength of the RSA cryptosystem (the difficulty of factorizing large numbers and computing a discrete root).

Preliminary:

Trust Center (Trent, ):
- selects a common module $n = p \ times q$ where $p$ and $q$ - large prime numbers;
- selects a pair of private and public keys $K_ {T, \ text {public}}: (e, n)$ and $K_ {T, \ text {private}}: (d, n)$ ;
- selects an item $g$ fields $\ mathbb {Z} _n ^ {\ times}$ maximum order;
- publishes schema parameters in a public place $n$ , $e$ and $g$ .
Each of the legal participants:
- chooses a private key $s_i$ and id $I_i$ ;
- computes and sends to a trusted center $v_i = g ^ {- s_i} \ bmod n$ ;
- Using the parties authentication protocol (see below), the legal participant proves to the trusted center that he owns the private key without disclosing its meaning;
- receives its public key from the trusted center:

As a result, for each participant, for example, Alice, who owns

P_{A}, I_{A}, s_{a}

$P_A, I_A, s_a$ The statement will be executed:

P_{A}^{e} + I_{A} = g^{- s_{A}} m o d n .

$P_A ^ e + I_A = g ^ {- s_A} \ mod n.$

The authentication protocol of the parties in the general case is as follows.

Interactions of participants in the Giro Identification Protocol

Alice picks a random $R_A$ .

$Alice \ to \ left \ {I_A, P_A, t = g ^ {R_A} \ right \} \ to Bob$
Bob picks random $R_B$ .

$Bob \ to \ left \ {R_B \ right \} \ to Alice$
$Alice \ to \ left \ {y = R_A + s_A \ times R_B \ right \} \ to Bob$
Bob is calculating $v_A = P_A ^ e + I_A$ ;

Bob checks that $g ^ y v_A ^ {R_B} = t$ .

The protocol for generating a session key, or just a Giraud scheme , like other schemes, consists of passes for exchanging open information and calculating a key.

The interaction of participants in the Giraud scheme

$Alice \ to \ left \ {P_A, I_A \ right \} \ to Bob$
Bob is calculating $K_ {BA} = (P_A ^ e + I_A) ^ {s_B} \ bmod n$ .

$Bob \ to \ left \ {P_B, I_B \ right \} \ to Alice$
Alice calculates $K_ {AB} = (P_B ^ e + I_B) ^ {s_A} \ bmod n$ .

As a result of the operation of the circuit, the parties generated the same common session key.

K_{A B} = (P_{A}^{e} + I_{A})^{s_{B}} = (g^{- s_{A}})^{s_{B}} = g^{- s_{A} s_{B}} m o d n;

$K_ {AB} = (P_A ^ e + I_A) ^ {s_B} = (g ^ {- s_A}) ^ {s_B} = g ^ {- s_As_B} \ mod n;$

K_{B A} = (P_{B}^{e} + I_{B})^{s_{A}} = (g^{- s_{B}})^{s_{A}} = g^{- s_{A} s_{B}} m o d n;

$K_ {BA} = (P_B ^ e + I_B) ^ {s_A} = (g ^ {- s_B}) ^ {s_A} = g ^ {- s_As_B} \ mod n;$

K = K_{A B} = K_{B A} = g^{- s_{A} s_{B}} m o d n .

$K = K_ {AB} = K_ {BA} = g ^ {- s_As_B} \ mod n.$

The scheme provides key authentication (target G7), since only legitimate users can calculate the correct value for the shared session key.

Blom's scheme

The Rolf Blom scheme is used in the HDCP protocol ( English High-bandwidth Digital Content Protection ) to prevent copying of high-quality video signal. It is assumed that some trusted center will distribute the keys in such a way that legal manufacturers of video cards, high-resolution monitors and other components will transmit video content through a secure channel, and pirated devices will not be able to intercept this data, and, for example, write to another medium.

At the initialization stage, the trusted center selects a symmetric matrix

D_{m, m}

$D_ {m, m}$ over the final field

m a t h b b G F p

$\ mathbb {GF} p$ . To join the key distribution network, a new participant either independently or through a trusted center selects a new public key (identifier)

I_{i}

$I_i$ representing a length vector

m

$m$ above

m a t h b b G F p

$\ mathbb {GF} p$ . The trusted center calculates the private key for the new member

K_{i}

$K_i$ :

K_{i} = D_{m, m} I_{i} .

$K_i = D_ {m, m} I_i.$

The symmetry of the matrix

D_{m, m}

$D_ {m, m}$ Trusted Center allows any two network participants to create a shared session key. Let Alice and Bob be legal network users, that is, they have public keys

I_{a}

$I_a$ and

I_{b}

$I_b$ respectively, and their private keys

K_{A}

$K_A$ and

K_{B}

$K_B$ were calculated by the same trusted center using the formula above. Then the protocol for generating a shared secret key is as follows.

Interaction of participants in the Blom scheme

$Alice \ to \ left \ {I_A \ right \} \ to Bob$
Bob is calculating $K_ {BA} = K ^ T_B I_A = I ^ T_B D_ {m, m} I_A$ .

$Bob \ to \ left \ {I_B \ right \} \ to Alice$
Alice calculates $K_ {AB} = K ^ T_A I_B = I ^ T_A D_ {m, m} I_B$ .

From the symmetry of the matrix

D_{m, m}

$D_ {m, m}$ it follows that the values

K_{A B}

$K_ {AB}$ and

K_{B A}

$K_ {BA}$ coincide, they will be the common secret key for Alice and Bob. This secret key will be unique for each pair of legal network users.

The accession of new participants to the scheme is strictly controlled by a trusted center, which allows you to protect the network from illegal users. The reliability of this scheme is based on the inability to restore the original matrix. However, to restore the matrix of the trusted center of size

m t i m e s m

$m \ times m$ necessary and enough

m

$m$ pairs of linearly independent public and private keys. In 2010, Intel, which is the “trusted center” for users of the HDCP security system, confirmed that cryptanalysts managed to find a secret matrix (more precisely, similar to it) used to generate keys in the mentioned system to prevent copying of high-quality video signal.

Afterword

The author will be grateful for factual and other comments on the text.

Key distribution schemes with a trusted center: Giro and Bloma schemes

Giro scheme

Blom's scheme

More articles: