Key Establishment Schemes

With the primitives and computations selected, key establishment can begin once the system parameters are generated and the public-keys distributed throughout the system.

Key establishment is the process by which two (or more) entities establish a shared secret key. Essentially, two methods are used to establish cryptographic keying material between parties: key agreement and key transport.

With a key agreement scheme, all parties contribute to the derived keying material with information that allows each party to derive the shared keying material. In a key transport scheme, one party determines the keying material that is wrapped (i.e. encrypted) and transported to the intended receivers.
With key transport schemes, the sender determines the key to be transported, wraps (i.e. encrypts) the key and sends the wrapped key to the receiver, who then unwraps (i.e., decrypts) the key. If the scheme is a symmetric key only system, the sender and receiver have manually established a symmetric key to be used as the key-wrapping key between the two parties. The keying material is wrapped using a NIST-approved key-wrapping algorithm (such as the AES key wrap algorithm).

Public-key based key agreement schemes can be transformed into a key transport scheme using an approved key-wrapping scheme, as recommended in NIST SP 800-56. An example is S/MIME, where key agreement is combined with key wrapping to achieve the effect of key transport. This is useful because it allows the efficient encryption of large emails to multiple recipients. The efficiency is that the email content is encrypted just once, with the content encryption key encrypted (wrapped) multiple times, once for each recipient.

There are three major categories of key agreement schemes defined in the standards with two of these categories having multiple cases:

Two-Party Participation: an interactive, two-way method where each party generates an ephemeral key pair. This method is used in the most widely deployed security protocols (for example IPSec).
One-Party Participation: a store-and-forward, one-way method where only the initiator generates an ephemeral key pair. This method is ideally suited to email and is used in the S/MIME protocol. It can also be used in SSL if the server has a static DH public-key.
Static Keys Only: a static (passive) method where each party has only a static key pair, no ephemeral keys are used. This method can be used in S/MIME and SSL but the absence of ephemeral keys diminishes its security. In this method, the shared symmetric keys are only assured to be distinct from previous by adding unencrypted (public) nonces to the derivation of the shared keys.

With all these options available for key establishment, the question becomes which scheme to use and when? In general, you need to determine which attributes are important for the level of security.

Continues in part 3

This Issue

Key Establishment Schemes - Part 1

Key Establishment Schemes - Part 2

Key Establishment Schemes - Part 3

MQV: Efficient and Authenticated Key Agreement

Scott Vanstone on Key Establishment and ECMQV

Crypto News

Issue Archive

Download PDF

Contact Us

This issue of Code and Cipher focusses on the subject of key establishment in current security standards and highlights the importance of this often overlooked but central area of concern.

Key Establishment Schemes - Part 2