Author(s): Bruce Schneier

ISBN: 0471128457

Publication Date: 01/01/96

Previous | Table of Contents | Next |

Another method is suggested in [352]. First, each listener shares a secret key with Alice, one that is larger than any possible encrypted message. All of those keys should be pairwise prime. She encrypts the message in a random key, *K.* Then, she computes a single integer, *R,* such that *R* modulo a secret key is congruent to *K* when that secret key is supposed to decrypt the message, and *R* modulo a secret key is otherwise congruent to zero.

For example, if Alice wants the secret to be received by Bob, Carol, and Ellen, but not by Dave and Frank, she encrypts the message with *K* and then computes *R* such that

*R*≡*K*(mod*K*_{B})*R*≡*K*(mod*K*_{C})*R*≡ 0 (mod*K*_{D})*R*≡*K*(mod*K*_{E})*R*≡ 0 (mod*K*_{F})

This is a straightforward algebra problem, one that Alice can solve easily. When listeners receive the broadcast, they compute the received key modulo their secret key. If they were intended to receive the message, they recover the key. Otherwise, they recover nothing.

Yet a third way, using a threshold scheme (see Section 3.7), is suggested in [141]. Like the others, every potential receiver gets a secret key. This key is a shadow in a yet-uncreated threshold scheme. Alice saves some secret keys for herself, adding some randomness to the system. Let’s say there are *k* people out there.

Then, to broadcast *M,* Alice encrypts *M* with key *K* and does the following.

**(1)**Alice chooses a random number,*j.*This number serves to hide the number of recipients of the message. It doesn’t have to be very large; it can be as small as 0.**(2)**Alice creates a (*k*+*j*+ 1, 2*k*+*j*+ 1) threshold scheme, with:*K*as the secret.- The secret keys of the intended recipients as shadows.
- The secret keys of nonrecipients not as shadows.
*j*randomly chosen shadows, not the same as any of the secret keys.

**(3)**Alice broadcasts*k*+*j*randomly chosen shadows, none of which is any of the shadows listed in step (2).**(4)**All listeners who receive the broadcast add their shadow to the*k*+*j*shadows they received. If adding their shadow allows them to calculate the secret, then they have recovered the key. If it does not, then they haven’t.

Another approach can be found in [885,886,1194]. For yet another approach, see [1000].

*Conference Key Distribution*

This protocol allows a group of *n* users to agree on a secret key using only insecure channels. The group shares two large primes, *p* and *q,* and a generator *g* the same size as *q.*

**(1)**User*i,*where i goes from 1 to*n,*chooses a random*r*_{i}less than*q,*and broadcasts*z*_{i}=*g*^{ri}mod*p*

**(2)**Every user verifies that*z*_{j}^{q}≡ 1 (mod*p*), for all*i*from 1 to*n.***(3)**User*i*broadcasts*x*_{i}= (*z*_{i+1}/*z*_{i-1})^{ri}mod*p*

**(4)**User*i*computes*K*= (*z*_{i-1})^{nri}**x*_{i}^{n-1}**x*_{i}+1^{n-2}*...**x*_{i-2}mod*p*

All index computations in the above protocol—*i* - 1, *i* - 2, and *i* + 1—should be computed mod *n.* At the end of the protocol, all honest users have the same *K.* No one else gets anything. However, this protocol falls to a man-in-the-middle attack. Another protocol, not quite as pretty, is in [757].

*Tatebayashi-Matsuzaki-Newman*

This key distribution protocol is suitable for networks [1521]. Alice wants to generate a session key with Bob using Trent, the KDC. All parties know Trent’s public key, *n.* Trent knows the two large primes that *n* factors to, and hence can easily take cube roots modulo *n.* A lot of the details are left out of the following protocol, but you get the idea.

**(1)**Alice chooses a random number,*r*_{A}, and sends Trent*r*_{A}^{3}mod*n*

**(2)**Trent tells Bob that someone wants to exchange a key with him.**(3)**Bob chooses a random number,*r*_{B}, and sends Trent*r*_{B}^{3}mod*n*

**(4)**Trent uses his private key to recover*r*_{A}and*r*_{B}. He sends Alice*r*_{A}⊕*r*_{B}

**(5)**Alice calculates- (
*r*_{A}⊕*r*_{B}) ⊕*r*_{A}=*r*_{B}

She uses this*r*_{B}to communicate securely with Bob.- (

This protocol looks good, but it has a horrible flaw. Carol can listen in on step (3) and use that information, with the help of an unsuspecting Trent and another malicious user (Dave), to recover *r*_{B} [1472].

**(1)**Carol chooses a random number,*r*_{C}, and sends Trent*r*_{B}^{3}*r*_{C}^{3}mod*n*

**(2)**Trent tells Dave that someone wants to exchange a key with him.**(3)**Dave chooses a random number,*r*_{D}, and sends Trent*r*_{D}^{3}mod*n*

**(4)**Trent uses his private key to recover*r*_{C}and*r*_{D}. He sends Carol- (
*r*_{B}*r*_{C}) mod^{n}⊕*r*_{D}

- (
**(5)**Dave sends*r*_{D}to Carol.**(6)**Carol uses*r*_{C}and*r*_{D}to recover*r*_{B}. She uses*r*_{B}to eavesdrop on Alice and Bob.

This is not good.

Previous | Table of Contents | Next |