fbpx
Wikipedia

Key exchange

December 18, 2023

For the film, see Key Exchange.
"Kex" redirects here. For other uses, see KEX (disambiguation) and KEXS (disambiguation).

Key exchange (also key establishment) is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm.

In the Diffie–Hellman key exchange scheme, each party generates a public/private key pair and distributes the public key. After obtaining an authentic copy of each other's public keys, Alice and Bob can compute a shared secret offline. The shared secret can be used, for instance, as the key for a symmetric cipher.

If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received. The nature of the equipping they require depends on the encryption technique they might use. If they use a code, both will require a copy of the same codebook. If they use a cipher, they will need appropriate keys. If the cipher is a symmetric key cipher, both will need a copy of the same key. If it is an asymmetric key cipher with the public/private key property, both will need the other's public key.

Channel of exchange edit

Key exchange is done either in-band or out-of-band.[1]

The key exchange problem edit

The key exchange problem describes ways to exchange whatever keys or other information are needed for establishing a secure communication channel so that no one else can obtain a copy. Historically, before the invention of public-key cryptography (asymmetrical cryptography), symmetric-key cryptography utilized a single key to encrypt and decrypt messages. For two parties to communicate confidentially, they must first exchange the secret key so that each party is able to encrypt messages before sending, and decrypt received ones. This process is known as the key exchange.

The overarching problem with symmetrical cryptography, or single-key cryptography, is that it requires a secret key to be communicated through trusted couriers, diplomatic bags, or any other secure communication channel. If two parties cannot establish a secure initial key exchange, they won't be able to communicate securely without the risk of messages being intercepted and decrypted by a third party who acquired the key during the initial key exchange.

Public-key cryptography uses a two-key system, consisting of the public and the private keys, where messages are encrypted with one key and decrypted with another. It depends on the selected cryptographic algorithm which key—public or private—is used for encrypting messages, and which for decrypting. For example, in RSA, the private key is used for decrypting messages, while in the Digital Signature Algorithm (DSA), the private key is used for authenticating them. The public key can be sent over non-secure channels or shared in public; the private key is only available to its owner.

Known as the Diffie-Hellman key exchange, the encryption key can be openly communicated as it poses no risk to the confidentiality of encrypted messages. One party exchanges the keys to another party where they can then encrypt messages using the key and send back the cipher text. Only the decryption key—in this case, it's the private key—can decrypt that message. At no time during the Diffie-Hellman key exchange is any sensitive information at risk of compromise, as opposed to symmetrical key exchange.

Identification edit

In principle, the only remaining problem was to be sure (or at least confident) that a public key actually belonged to its supposed owner. Because it is possible to 'spoof' another's identity in any of several ways, this is not a trivial or easily solved problem, particularly when the two users involved have never met and know nothing about each other.

Diffie–Hellman key exchange edit

In 1976, Whitfield Diffie and Martin Hellman published a cryptographic protocol called the Diffie–Hellman key exchange (D–H) based on concepts developed by Hellman's PhD student Ralph Merkle. The protocol enables users to securely exchange secret keys even if an opponent is monitoring that communication channel. The D–H key exchange protocol, however, does not by itself address authentication (i.e. the problem of being sure of the actual identity of the person or 'entity' at the other end of the communication channel). Authentication is crucial when an opponent can both monitor and alter messages within the communication channel (AKA man-in-the-middle or MITM attacks) and was addressed in the fourth section of the paper.[2]

Public key infrastructure edit

Public key infrastructures (PKIs) have been proposed as a workaround for the problem of identity authentication. In their most usual implementation, each user applies to a “certificate authority” (CA), trusted by all parties, for a digital certificate which serves for other users as a non-tamperable authentication of identity. The infrastructure is safe, unless the CA itself is compromised. In case it is, though, many PKIs provide a way to revoke certificates so other users will not trust them. Revoked certificates are usually put in certificate revocation lists which any certificate can be matched against.

Several countries and other jurisdictions have passed legislation or issued regulations encouraging PKIs by giving (more or less) legal effect to these digital certificates (see digital signature). Many commercial firms, as well as a few government departments, have established such certificate authorities.

This does nothing to solve the problem though, as the trustworthiness of the CA itself is still not guaranteed for any particular individual. It is a form of argument from authority fallacy. For actual trustworthiness, personal verification that the certificate belongs to the CA and establishment of trust in the CA are required. This is usually not possible.

There are known cases where authoritarian governments proposed establishing so-called “national CAs” whose certificates would be mandatory to install on citizens’ devices and, once installed and trusted, could be used for monitoring, intercepting, modifying, or blocking the encrypted internet traffic.[3][4][5]

For those new to such things, these arrangements are best thought of as electronic notary endorsements that “this public key belongs to this user”. As with notary endorsements, there can be mistakes or misunderstandings in such vouchings. Additionally, the notary itself can be untrusted. There have been several high-profile public failures by assorted certificate authorities. [6] [7]

Web of trust edit

At the other end of the conceptual range is the web of trust system, which avoids central Certificate Authorities entirely. Each user is responsible for getting a certificate from another user before using that certificate to communicate with the user. PGP and GPG (an implementation of the OpenPGP Internet Standard) employ just such a web of trust mechanism.

Password-authenticated key agreement edit

Password-authenticated key agreement algorithms can perform a cryptographic key exchange utilizing knowledge of a user's password.

Quantum key exchange edit

Main article: quantum key distribution

Quantum key distribution exploits certain properties of quantum physics to ensure its security. It relies on the fact that observations (or measurements) of a quantum state introduces perturbations in that state. Over many systems, these perturbations are detectable as noise by the receiver, making it possible to detect man-in-the-middle attacks. Beside the correctness and completeness of quantum mechanics, the protocol assumes the availability of an authenticated channel between Alice and Bob.

See also edit

References edit

  1. ^ Emmett Dulaney, Chuck Easttom (October 5, 2017). CompTIA Security+ Study Guide: Exam SY0-501. John Wiley & Sons. ISBN 9781119416906.
  2. ^ Diffie, Whitfield; Hellman, Martin E. (November 1976). "New Directions in Cryptography" (PDF). IEEE Transactions on Information Theory. IT-22 (6): 644–654. doi:10.1109/TIT.1976.1055638.
  3. ^ Wolff, Josephine (2015-12-14). "Kazakhstan's Unsettling New Cybersecurity Plan". Slate. Retrieved 2019-01-09.
  4. ^ Shapovalova, Natalia (2016-01-05). "Security Certificate Of The Republic Of Kazakhstan: The State Will Be Able To Control The Encrypted Internet Traffic Of Users". Mondaq. Retrieved 2019-01-09.
  5. ^ "The Kremlin reportedly wants to create a state-operated center for issuing SSL certificates". Meduza. 2016-02-15. Retrieved 2019-01-09.
  6. ^ CA/Symantec Issues
  7. ^ Symantec caught once again improperly issuing illegitimate HTTPS certificates

December 18, 2023
exchange, film, exchange, redirects, here, other, uses, disambiguation, kexs, disambiguation, this, article, needs, additional, citations, verification, please, help, improve, this, article, adding, citations, reliable, sources, unsourced, material, challenged. For the film see Key Exchange Kex redirects here For other uses see KEX disambiguation and KEXS disambiguation This article needs additional citations for verification Please help improve this article by adding citations to reliable sources Unsourced material may be challenged and removed Find sources Key exchange news newspapers books scholar JSTOR November 2014 Learn how and when to remove this template message Key exchange also key establishment is a method in cryptography by which cryptographic keys are exchanged between two parties allowing use of a cryptographic algorithm In the Diffie Hellman key exchange scheme each party generates a public private key pair and distributes the public key After obtaining an authentic copy of each other s public keys Alice and Bob can compute a shared secret offline The shared secret can be used for instance as the key for a symmetric cipher If the sender and receiver wish to exchange encrypted messages each must be equipped to encrypt messages to be sent and decrypt messages received The nature of the equipping they require depends on the encryption technique they might use If they use a code both will require a copy of the same codebook If they use a cipher they will need appropriate keys If the cipher is a symmetric key cipher both will need a copy of the same key If it is an asymmetric key cipher with the public private key property both will need the other s public key Contents 1 Channel of exchange 2 The key exchange problem 2 1 Identification 2 2 Diffie Hellman key exchange 2 3 Public key infrastructure 2 4 Web of trust 2 5 Password authenticated key agreement 2 6 Quantum key exchange 3 See also 4 ReferencesChannel of exchange editKey exchange is done either in band or out of band 1 The key exchange problem editThe key exchange problem describes ways to exchange whatever keys or other information are needed for establishing a secure communication channel so that no one else can obtain a copy Historically before the invention of public key cryptography asymmetrical cryptography symmetric key cryptography utilized a single key to encrypt and decrypt messages For two parties to communicate confidentially they must first exchange the secret key so that each party is able to encrypt messages before sending and decrypt received ones This process is known as the key exchange The overarching problem with symmetrical cryptography or single key cryptography is that it requires a secret key to be communicated through trusted couriers diplomatic bags or any other secure communication channel If two parties cannot establish a secure initial key exchange they won t be able to communicate securely without the risk of messages being intercepted and decrypted by a third party who acquired the key during the initial key exchange Public key cryptography uses a two key system consisting of the public and the private keys where messages are encrypted with one key and decrypted with another It depends on the selected cryptographic algorithm which key public or private is used for encrypting messages and which for decrypting For example in RSA the private key is used for decrypting messages while in the Digital Signature Algorithm DSA the private key is used for authenticating them The public key can be sent over non secure channels or shared in public the private key is only available to its owner Known as the Diffie Hellman key exchange the encryption key can be openly communicated as it poses no risk to the confidentiality of encrypted messages One party exchanges the keys to another party where they can then encrypt messages using the key and send back the cipher text Only the decryption key in this case it s the private key can decrypt that message At no time during the Diffie Hellman key exchange is any sensitive information at risk of compromise as opposed to symmetrical key exchange Identification edit In principle the only remaining problem was to be sure or at least confident that a public key actually belonged to its supposed owner Because it is possible to spoof another s identity in any of several ways this is not a trivial or easily solved problem particularly when the two users involved have never met and know nothing about each other Diffie Hellman key exchange edit In 1976 Whitfield Diffie and Martin Hellman published a cryptographic protocol called the Diffie Hellman key exchange D H based on concepts developed by Hellman s PhD student Ralph Merkle The protocol enables users to securely exchange secret keys even if an opponent is monitoring that communication channel The D H key exchange protocol however does not by itself address authentication i e the problem of being sure of the actual identity of the person or entity at the other end of the communication channel Authentication is crucial when an opponent can both monitor and alter messages within the communication channel AKA man in the middle or MITM attacks and was addressed in the fourth section of the paper 2 Public key infrastructure edit Public key infrastructures PKIs have been proposed as a workaround for the problem of identity authentication In their most usual implementation each user applies to a certificate authority CA trusted by all parties for a digital certificate which serves for other users as a non tamperable authentication of identity The infrastructure is safe unless the CA itself is compromised In case it is though many PKIs provide a way to revoke certificates so other users will not trust them Revoked certificates are usually put in certificate revocation lists which any certificate can be matched against Several countries and other jurisdictions have passed legislation or issued regulations encouraging PKIs by giving more or less legal effect to these digital certificates see digital signature Many commercial firms as well as a few government departments have established such certificate authorities This does nothing to solve the problem though as the trustworthiness of the CA itself is still not guaranteed for any particular individual It is a form of argument from authority fallacy For actual trustworthiness personal verification that the certificate belongs to the CA and establishment of trust in the CA are required This is usually not possible There are known cases where authoritarian governments proposed establishing so called national CAs whose certificates would be mandatory to install on citizens devices and once installed and trusted could be used for monitoring intercepting modifying or blocking the encrypted internet traffic 3 4 5 For those new to such things these arrangements are best thought of as electronic notary endorsements that this public key belongs to this user As with notary endorsements there can be mistakes or misunderstandings in such vouchings Additionally the notary itself can be untrusted There have been several high profile public failures by assorted certificate authorities 6 7 Web of trust edit At the other end of the conceptual range is the web of trust system which avoids central Certificate Authorities entirely Each user is responsible for getting a certificate from another user before using that certificate to communicate with the user PGP and GPG an implementation of the OpenPGP Internet Standard employ just such a web of trust mechanism Password authenticated key agreement edit Password authenticated key agreement algorithms can perform a cryptographic key exchange utilizing knowledge of a user s password Quantum key exchange edit Main article quantum key distribution Quantum key distribution exploits certain properties of quantum physics to ensure its security It relies on the fact that observations or measurements of a quantum state introduces perturbations in that state Over many systems these perturbations are detectable as noise by the receiver making it possible to detect man in the middle attacks Beside the correctness and completeness of quantum mechanics the protocol assumes the availability of an authenticated channel between Alice and Bob See also editKey cryptography Key management Diffie Hellman key exchange Elliptic curve Diffie Hellman Forward secrecyReferences edit Emmett Dulaney Chuck Easttom October 5 2017 CompTIA Security Study Guide Exam SY0 501 John Wiley amp Sons ISBN 9781119416906 Diffie Whitfield Hellman Martin E November 1976 New Directions in Cryptography PDF IEEE Transactions on Information Theory IT 22 6 644 654 doi 10 1109 TIT 1976 1055638 Wolff Josephine 2015 12 14 Kazakhstan s Unsettling New Cybersecurity Plan Slate Retrieved 2019 01 09 Shapovalova Natalia 2016 01 05 Security Certificate Of The Republic Of Kazakhstan The State Will Be Able To Control The Encrypted Internet Traffic Of Users Mondaq Retrieved 2019 01 09 The Kremlin reportedly wants to create a state operated center for issuing SSL certificates Meduza 2016 02 15 Retrieved 2019 01 09 CA Symantec Issues Symantec caught once again improperly issuing illegitimate HTTPS certificates The possibility of Non Secret digital encryption J H Ellis January 1970 Non Secret Encryption Using a Finite Field MJ Williamson January 21 1974 Thoughts on Cheaper Non Secret Encryption MJ Williamson August 10 1976 New Directions in Cryptography W Diffie and M E Hellman IEEE Transactions on Information Theory vol IT 22 Nov 1976 pp 644 654 Cryptographic apparatus and method Martin E Hellman Bailey W Diffie and Ralph C Merkle U S Patent 4 200 770 29 April 1980 The First Ten Years of Public Key Cryptography Whitfield Diffie Proceedings of the IEEE vol 76 no 5 May 1988 pp 560 577 1 9MB PDF file Menezes Alfred van Oorschot Paul Vanstone Scott 1997 Handbook of Applied Cryptography Boca Raton Florida CRC Press ISBN 0 8493 8523 7 Available online Singh Simon 1999 The Code Book the evolution of secrecy from Mary Queen of Scots to quantum cryptography New York Doubleday ISBN 0 385 49531 5Cambodia Retrieved from https en wikipedia org w index php title Key exchange amp oldid 1183637442, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.