Draft:Symmetric key agreement

Symmetric Key Agreement


Introduction


Symmetric Key Agreement (SKA) is a method for securely agreeing a secret key between two or more parties, using solely symmetric cryptography and cryptographic hash functions as cryptographic primitives. Key agreement protocols are synonymous with key exchange protocols[1] and are related to Symmetric Authenticated Key Exchange[2]. At the end of the agreement, all parties share the same key. Secure agreement is defined relative to a security model, for example the Universal Model[1].

SKA may assume initial shared secrets[2], or a trusted third party with whom each of the agreeing parties shares a secret[3]. If no third party is present, achieving SKA can be trivial: two parties that already share an initial secret have tautologically achieved SKA.

SKA contrasts with key-agreement protocols that include techniques from asymmetric cryptography, for example key encapsulation mechanisms.

A secure key agreement can ensure confidentiality and data integrity[4] in communications systems, ranging from simple messaging applications to complex banking transactions. Symmetric-key protocols are needed in various low-resource applications, ranging from Wireless Sensor Networks (WSNs), Radio Frequency Identification (RFID) tags, smart cards, Controller Area Networks (CANs) for vehicular systems, smart home, up to industrial Internet of Things (IoT)[5].

The initial exchange of a shared key must be done in a manner that is private and integrity-assured. Historically, this was achieved by physical means, such as by using a trusted courier.

SKA with N parties


One way to agree keys among a group of N parties is for each pair of communicating parties to separately agree a symmetric key. However, this quickly becomes difficult to manage, as the number of keys required is N(N−1)/2. Moreover, there is also the problem of how each pair of parties agrees a symmetric key in the first place, sometimes referred to as the key distribution problem. SKA solves this by introducing a trusted third party which has a unique shared symmetric key with each party, agreed in advance. This reduces the number of pre-shared keys required to N.

Types of Secret Key Agreement


Boyd et al.[6] classify two-party key agreement protocols according to two criteria as follows:

  1. whether a pre-shared key already exists or not
  2. the method of generating the session key.

The pre-shared key may be shared between the two parties, or each party may share a key with a trusted third party. If there is no secure channel (as may be established via a pre-shared key), it is impossible to create an authenticated session key[7].

The session key may be generated via key transport, key agreement, or a hybrid of the two. If there is no trusted third party, then the cases of key transport and hybrid session key generation are indistinguishable. SKA is concerned with protocols in which the session key is established using only symmetric primitives.

When evaluating protocols, it is important to state security goals and the security model[8]. For example, it may be required for the session key to be authenticated. A protocol can be evaluated for success only in the context of its goals and attack model[9]. An example of an adversarial model is the Dolev-Yao model.

Let us consider a toy example of SKA: Suppose that Alice and Bob want to share a key using SKA and that they each already have a secure communication channel established with a trusted third party, Tom. Tom can generate a new key and, using the secure communication channels, deliver that key to both Alice and Bob.

This toy example of SKA is very simplistic: for instance, it does not protect against replay attacks. Moreover, Tom knows the secret key agreed between Alice and Bob, and so if Tom at a later date is deemed untrustworthy, Alice and Bob’s shared key is insecure.

SKA protocols


The Needham-Schroeder symmetric key protocol establishes a session key between two parties on the same network, using a server as a trusted third party. The original Needham-Schroeder protocol is vulnerable to a replay attack; timestamps and nonces were later included to fix this attack. It forms the basis for the Kerberos protocol.
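The following is an added example, not code from the original page: it implements the toy Alice/Bob/Tom exchange described above in the Needham-Schroeder style, using only symmetric primitives (an HMAC-SHA256 keystream with encrypt-then-MAC standing in for a real cipher), and shows the two freshness checks that close the replay weakness: a nonce binding Tom's reply to Alice's request, and a timestamp plus replay cache on the ticket Bob receives. Party names, the JSON message layout, the 60-second window and all keys are constructed for the example.

```python
import hashlib, hmac, json, os, struct, time

# Symmetric-only authenticated encryption: PRF keystream XOR plaintext, then encrypt-then-MAC.
def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    blocks = [_prf(key, b"enc" + nonce + struct.pack(">I", i)) for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _prf(key, b"mac" + nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac" + nonce + ct)):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class KeyServer:  # Tom: shares one long-term key with each party and mints session keys
    def __init__(self, keys):
        self.keys = keys
    def issue(self, a, b, nonce_a):
        kab, ts = os.urandom(32), int(time.time())
        ticket = seal(self.keys[b], json.dumps({"kab": kab.hex(), "from": a, "ts": ts}).encode())
        reply = {"na": nonce_a.hex(), "peer": b, "kab": kab.hex(), "ticket": ticket.hex()}
        return seal(self.keys[a], json.dumps(reply).encode())

class Party:
    def __init__(self, name, key_with_tom, window=60):
        self.name, self.lt_key, self.window = name, key_with_tom, window
        self.seen = set()  # tickets already accepted inside the window (replay cache)
    def request_key(self, server, peer):
        na = os.urandom(16)  # nonce binds Tom's reply to this particular request
        msg = json.loads(unseal(self.lt_key, server.issue(self.name, peer, na)))
        if msg["na"] != na.hex() or msg["peer"] != peer:
            raise ValueError("reply is not a fresh answer to our request")
        return bytes.fromhex(msg["kab"]), bytes.fromhex(msg["ticket"])
    def accept_ticket(self, ticket, now=None):
        now = time.time() if now is None else now
        t = json.loads(unseal(self.lt_key, ticket))
        if abs(now - t["ts"]) > self.window or ticket in self.seen:
            raise ValueError("stale or replayed ticket")  # an old session key is being replayed
        self.seen.add(ticket)
        return bytes.fromhex(t["kab"]), t["from"]

def run_demo():
    k_at, k_bt = os.urandom(32), os.urandom(32)  # constructed long-term keys shared with Tom
    tom = KeyServer({"alice": k_at, "bob": k_bt})
    alice, bob = Party("alice", k_at), Party("bob", k_bt)
    kab_a, ticket = alice.request_key(tom, "bob")
    kab_b, sender = bob.accept_ticket(ticket)
    return kab_a == kab_b and sender == "alice"
```

As in the toy example, Tom still learns every session key; the checks here only address freshness, not trust in the third party.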

Advantages and Disadvantages of SKA


Advantages

  • Efficiency and Speed: Symmetric key algorithms are typically faster and more efficient than their asymmetric counterparts. They require less computational power [10] and processing time[11].
  • Simplicity: The simplicity of symmetric key cryptography, with its straightforward encryption and decryption process using a single key, makes it easier to implement and manage, especially in systems with limited resources[12].
  • Widespread Use, Acceptance, and Standardization: Symmetric key algorithms such as AES are widely accepted[14] and used in numerous applications, from encrypting data on hard drives to securing online transactions, owing to their proven reliability and performance[15].

Disadvantages

  • Key Distribution Problem: Without the use of public-key cryptography, one may be left with undesirable key-management problems. Historically, the biggest challenge in symmetric cryptography is the secure distribution of the key. Both parties must have access to the secret key, and ensuring this without compromise over an insecure channel is a significant hurdle.[16]
  • Scalability Issues: In scenarios where multiple parties need to communicate securely, symmetric key cryptography becomes less practical. Each pair of users requires a unique key, leading to a combinatorial explosion of keys to manage as the number of users increases[17].
  • Lack of Non-Repudiation: Symmetric key cryptography inherently lacks non-repudiation, meaning it cannot provide proof of the origin of a message. This is because the same key is used for both encryption and decryption, making it impossible to verify the message's sender uniquely. Using a (usually online) Trusted Third Party, non-repudiation can be provided using symmetric keys [18].
  • Risk of Key Compromise: Like all security algorithms, symmetric cryptography hinges on the secrecy of the key. If the key is compromised, the security of all encrypted data is at risk. This necessitates rigorous key management and often frequent key changes, adding to the system's complexity[19].
  • Use of a Trusted Third Party: For scalable SKA, a trusted third party must be used[6].

Initial Key Distribution for Symmetric Key Agreement


This section details the initial exchange of a shared key necessary for SKA.

Manual Keying


Manual key agreement is a process where the shared secret key used for encryption and decryption is exchanged or agreed upon manually between the communicating parties. This method, while straightforward, is primarily used in situations where automatic or electronic key exchange is not feasible or deemed less secure. In a manual key agreement, the secret key is typically selected and exchanged through direct, secure, face-to-face communication or via a trusted courier. For instance, two individuals might meet in person to agree upon a secret key, or an organization might use secure physical mail to distribute keys to its branches. This key is then used to encrypt and decrypt messages or data shared between these parties. While manual key exchange can significantly reduce the risk of interception during the exchange process, it also comes with challenges like scalability, key distribution logistics, and the risk of compromise during physical transfer. Additionally, maintaining the confidentiality of the key over time requires strict operational security practices. Manual key agreement is often found in more constrained environments or scenarios where digital key exchange mechanisms are not trusted or practical, such as in certain military or diplomatic communications.

Asymmetric cryptography


Key agreement is often achieved through well-established public key protocols like the Diffie-Hellman key exchange. This allows two parties to generate a shared secret key over an unsecured communication channel. The key is then used to encrypt data on the sender's end and decrypt it on the receiver's end, ensuring that only the parties who possess the key can access the information.

Protocols and Standards that permit SKA

  • TLS-PSK (Transport Layer Security with Pre-Shared Keys): An extension of the TLS protocol, TLS-PSK allows the use of pre-shared keys to establish secure communications between client and server. Used in scenarios where certificate-based authentication is not feasible or desired.
  • IPsec with PSK: In IPsec (Internet Protocol Security), pre-shared keys can be used as an authentication method in the IKE (Internet Key Exchange) phase. Commonly used in VPN (Virtual Private Network) configurations for establishing secure tunnels.
  • SSH (Secure Shell) with PSK: SSH supports the use of symmetric key cryptography with pre-shared keys for establishing secure remote connections. PSKs can be used for both session establishment and data encryption.
  • WPA-PSK (Wi-Fi Protected Access Pre-Shared Key): WPA and WPA2 standards support PSK mode, known as WPA-Personal, for securing Wi-Fi networks. PSK mode is widely used in home and small office Wi-Fi networks, where each user enters a shared password to connect.
  • IKEv2 with PSK: IKEv2, the second version of the Internet Key Exchange protocol used in IPsec, supports PSKs for authentication. Preferred in certain VPN implementations for its simplicity and ease of setup compared to certificate-based authentication.
  • EAP-PSK (Extensible Authentication Protocol-Pre-Shared Key): EAP-PSK is an authentication protocol that uses a pre-shared key for authenticating clients in wireless and point-to-point connections. Designed to simplify the authentication process while maintaining security.
  • NIST SP 800-71[20]: Using symmetric key-wrapping schemes and replacing asymmetric digital signature schemes with symmetric-key message authentication schemes is one approach to replacing public key cryptographic key management in the relatively near term.
  • NSA CSfC Symmetric Key Management Requirements[21]: Symmetric Pre-Shared Keys (PSKs) may be used instead of X.509 authentication certificates to provide quantum resistant cryptographic protection of classified information for CSfC solutions.
  • RFC 8784[22] Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security
  • RFC 9206[23] Commercial National Security Algorithm (CNSA) Suite Cryptography for Internet Protocol Security (IPsec)
  • Juniper Networks[24]: SRX Series, supporting Post-quantum Preshared Keys as defined in RFC 8784
  • Cisco[25]: quantum-safe encryption using Postquantum Preshared Keys by implementing RFC 8784, applicable to all IKEv2 and IPsec VPNs
  • RFC 9258[27] Importing External Pre-Shared Keys (PSKs) for TLS 1.3
  • ISO/IEC 11770-2[28] IT Security techniques - Key management - Part 2: Mechanisms using symmetric techniques

Applications


Symmetric key agreement is widely used in various applications:

  • Secure Web Browsing: When you visit a website with HTTPS, symmetric cryptography is at work, protecting your data as it travels between your browser and the server.
  • Virtual Private Networks (VPNs): VPNs use symmetric encryption to secure data transmitted across unsecured networks, like public Wi-Fi.
  • Encrypted Messaging: Many messaging apps employ symmetric encryption to ensure that only the sender and receiver can read the messages.

Quantum Resistance


Quantum computing poses challenges to cryptography[29]. Symmetric key algorithms like AES256 are considered quantum-resistant due to their inherent structural properties that make them resistant to practical quantum computing attacks[30]. The most efficient known quantum attack against symmetric ciphers, Grover's algorithm, only provides a quadratic speedup. This means that an encryption method with a key of length n bits would, in a quantum scenario, have its effective security reduced to n/2 bits. Therefore, AES256, which has a 256-bit key, would still offer a substantial 128 bits of security in a post-quantum world, making it a robust choice against the foreseeable capabilities of quantum computing. This level of security is still considered practically unbreakable with current and near-future quantum technology, positioning AES256 and similar symmetric algorithms as strong contenders in the realm of post-quantum cryptography. SKA automatically inherits the quantum resistance of the underlying symmetric key algorithm.

References

  1. ^ a b Canetti, Ran; Krawczyk, Hugo (6 May 2001). "Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels". Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology. Springer-Verlag: 453–474. ISBN 978-3-540-42070-5.
  2. ^ a b Boyd, Colin; Davies, Gareth T.; de Kock, Bor; Gellert, Kai; Jager, Tibor; Millerjord, Lise (2021). "Symmetric Key Exchange with Full Forward Security and Robust Synchronization". Advances in Cryptology – ASIACRYPT 2021. Lecture Notes in Computer Science. Vol. 13093. Springer International Publishing. pp. 681–710. doi:10.1007/978-3-030-92068-5_23. hdl:11250/2989781. ISBN 978-3-030-92067-8.
  3. ^ Pagnia, Henning; Gaertner, Felix (1999). "On the impossibility of fair exchange without a trusted third party". Technical Report TUD-BS-1999-02: 1–15.
  4. ^ Bellare, Mihir; Canetti, Ran; Krawczyk, Hugo (23 May 1998). "A modular approach to the design and analysis of authentication and key exchange protocols (Extended abstract)". Proceedings of the thirtieth annual ACM symposium on Theory of computing - STOC '98. Association for Computing Machinery. pp. 419–428. doi:10.1145/276698.276854. ISBN 0-89791-962-9.
  5. ^ Avoine, Gildas; Canard, Sébastien; Ferreira, Loïc (2020). "Symmetric-Key Authenticated Key Exchange (SAKE) with Perfect Forward Secrecy". Topics in Cryptology – CT-RSA 2020. Lecture Notes in Computer Science. Vol. 12006. Springer International Publishing. pp. 199–224. doi:10.1007/978-3-030-40186-3_10. ISBN 978-3-030-40185-6.
  6. ^ a b Boyd, Colin; Mathuria, Anish; Stebila, Douglas (2020). Protocols for Authentication and Key Establishment. Information Security and Cryptography. doi:10.1007/978-3-662-58146-9. ISBN 978-3-662-58145-2.
  7. ^ Boyd, C. (June 1993). "Security architectures using formal methods" (PDF). IEEE Journal on Selected Areas in Communications. 11 (5): 694–701. doi:10.1109/49.223872.
  8. ^ Gollmann, D. (6 May 1996). "What do we mean by entity authentication?". Proceedings 1996 IEEE Symposium on Security and Privacy. IEEE Computer Society. pp. 46–54. doi:10.1109/SECPRI.1996.502668. ISBN 978-0-8186-7417-4.
  9. ^ Katz, Jonathan; Lindell, Yehuda (2021). Introduction to modern cryptography (Third ed.). Boca Raton London New York: CRC Press Taylor & Francis Group. p. 49. ISBN 978-0815354369.
  10. ^ Hirani, Sohail (2003). "Energy Consumption of Encryption Schemes in Wireless Devices" (PDF). Doctoral Dissertation, University of Pittsburgh.
  11. ^ Khoei, Tala Talaei; Ghribi, Elias; Ranganathan, Prakash; Kaabouch, Naima (2021). A Performance Comparison of Encryption/Decryption Algorithms for UAV Swarm Communications (Report). doi:10.13140/RG.2.2.17379.48160.
  12. ^ "Symmetric key cryptography | IBM Quantum Learning". learning.quantum.ibm.com.
  13. ^ Malviya, Ashwini Kumar; Tiwari, Namita; Chawla, Meenu (July 2022). "Quantum cryptanalytic attacks of symmetric ciphers: A review". Computers and Electrical Engineering. 101: 108122. doi:10.1016/j.compeleceng.2022.108122.
  14. ^ Smid, Miles E. (16 August 2021). "Development of the Advanced Encryption Standard" (PDF). Journal of Research of the National Institute of Standards and Technology. 126. doi:10.6028/jres.126.024. PMC 9682931. PMID 36475081.
  15. ^ Bedoui, Mouna; Mestiri, Hassen; Bouallegue, Belgacem; Hamdi, Belgacem; Machhout, Mohsen (November 2022). "An improvement of both security and reliability for AES implementations". Journal of King Saud University - Computer and Information Sciences. 34 (10): 9844–9851. doi:10.1016/j.jksuci.2021.12.012.
  16. ^ Piper, Frederick C.; Murphy, Sean (2002). Cryptography: a very short introduction. Oxford: Oxford University Press. ISBN 978-0192803153.
  17. ^ Witzke, E. L.; Pierson, L. G. (1 July 1994). "Key management for large scale end-to-end encryption". Sandia National Labs., Albuquerque, NM (United States).
  18. ^ "ISO/IEC 13888-2:2010". ISO.
  19. ^ Basin, David; Cremers, Cas; Horvat, Marko (July 2014). "Actor Key Compromise: Consequences and Countermeasures" (PDF). 2014 IEEE 27th Computer Security Foundations Symposium. pp. 244–258. doi:10.1109/CSF.2014.25. ISBN 978-1-4799-4290-9.
  20. ^ Barker, Elaine; Barker, William (2 July 2018). "Recommendation for Key Establishment using symmetric block ciphers".
  21. ^ "Commercial Solutions for Classified Symmetric Key Management Requirements Annex V2.1" (PDF).
  22. ^ "RFC 8784 Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security" (PDF).
  23. ^ "RFC 9206 Commercial National Security Algorithm (CNSA) Suite Cryptography for Internet Protocol Security (IPsec)" (PDF).
  24. ^ "Quantum Safe IPsec VPN".
  25. ^ "Configuring Quantum-Safe Encryption Using Postquantum Preshared Keys" (PDF).
  26. ^ "VIA 4.4.0 Release Notes".
  27. ^ "RFC 9258 Importing External Pre-shared Keys for TLS 1.3" (PDF).
  28. ^ "ISO/IEC 11770-2:2018 IT Security techniques - Key management - Part 2: Mechanisms using symmetric".
  29. ^ "Quantum Computing and Post-Quantum Cryptography" (PDF). National Security Agency. Retrieved 15 April 2024.
  30. ^ Grassl, Markus; Langenberg, Brandon; Roetteler, Martin; Steinwandt, Rainer (2016). "Applying Grover's Algorithm to AES: Quantum Resource Estimates". Post-Quantum Cryptography. Lecture Notes in Computer Science. Vol. 9606. pp. 29–43. arXiv:1512.04965. doi:10.1007/978-3-319-29360-8_3. ISBN 978-3-319-29359-2.