
de35141948ff2d02470da7812a853e19.ppt
- Number of slides: 14
Secret Handshakes from CA-Oblivious Encryption
Asiacrypt 2004, Jeju-do, Korea
Claude Castelluccia, Stanisław Jarecki, Gene Tsudik (UC Irvine)
Public Key Authentication: No Affiliation Privacy
[Diagram: Alice, holding public key A certified by UCI, sends Bob cert_A = SIG_UCI{"Alice, etc.", A} together with a proof of possession of the secret key SK_A]
Alice's affiliation (UCI) is revealed by her certificate.
• Can Alice authenticate herself in a way that reveals her affiliation only if the verifier passes some criteria she sets?
• Seems like a chicken-and-egg problem: the party that authenticates itself first has to reveal its affiliation...
"Secret Handshake": Authentication with Secrecy Properties
[Diagram: Alice (certified by UCI, cert_A = SIG_UCI{A}, Policy_A = {IACR}) and Bob (certified by IACR, cert_B = SIG_IACR{B}, Policy_B = {UCI}) exchange pseudonyms A, B and then run the Secret Handshake Protocol]
A1: Only IACR members learn Alice's affiliation.
A2: Only IACR members learn that IACR is in Alice's policy.
B: (and vice versa for Bob)
Secret Handshake Authentication: Our Results
• Previous results:
  - Privacy for symmetric-key authentication [e.g. Abadi]
  - Secret Handshakes (for public-key authentication) introduced in [Balfanz et al. '03], solved under the "Bilinear Diffie-Hellman" assumption on elliptic curves with bilinear maps
• Our results:
  - Solution based on standard groups, assuming hardness of Computational Diffie-Hellman
  - Efficiency improvements
  - Blinded certificate issuance => less trust in the CA
  - Extension to general PKI where A and B have different CAs
  - Connection with "CA-oblivious" encryption
Standard Authentication using Public Key Infrastructure
[Diagram: Alice (certified by UCI, holding secret key SK_A and cert_A = SIG_UCI{A}) sends Bob her public key A, her CA (UCI), cert_A, and a proof of possession of the secret key SK_A]
On input UCI and A, Bob verifies the proof.
PKI-based Authentication (changing the terms)
[Diagram: Alice (certified by UCI, cert_A = SIG_UCI{A}) sends Bob her pseudonym A, her CA (UCI), cert_A, and a proof of possession of UCI's signature on A; "Alice's PK?" and SK_A are crossed out]
On input UCI and A, Bob verifies the proof.
The certificate cert_A, i.e. the CA's signature on Alice's public key A, can serve as the only authentication secret
=> no need for the secret key SK_A
=> no need for A to be a public key (any ID string will do)
Affiliation Privacy in Authentication: Problem for Both Parties
[Diagram: Alice (certified by UCI, pseudonym A, cert_A = SIG_UCI{A}, Policy_A = {IACR}) must prove possession of UCI's signature on A; Bob (certified by IACR, pseudonym B, cert_B = SIG_IACR{B}, Policy_B = {UCI}) must prove possession of IACR's signature on B]
Our Solution: Secret Handshakes from Signature-Based Encryption (pt. 1)
[Diagram: Bob (certified by IACR, cert_B = SIG_IACR{B}, Policy_B = {UCI}) sends his pseudonym B. Alice (certified by UCI, cert_A = SIG_UCI{A}, Policy_A = {IACR}) replies with Enc_PK(IACR, B){A, proof of possession of SIG_UCI{A}, n}, where the encryption key is derived for (IACR, B) and Bob's signature is the decryption key. Bob answers with n.]
Security of the authentication scheme:
• For Alice: semantic security of Enc => only Bob can return n
• For Bob: the proof of signature possession includes Bob's nonce
Our Solution: Secret Handshakes from Signature-Based Encryption (pt. 2)
[Diagram: the same exchange as in pt. 1: Bob sends pseudonym B; Alice replies with Enc_PK(IACR, B){A, proof of possession of SIG_UCI{A}, n}; Bob returns n]
What's needed for "Secret Handshake" secrecy:
1. CA-obliviousness: pseudonym B must hide Bob's CA; the ciphertext must hide the CA Alice used in encryption
2. Semantic security of the encryption under chosen-message attack
Chosen-Message Attack on a Signature Scheme
[Diagram: the adversary sends messages M_1, ..., M_n to the signer (PK) and receives Sig_PK(M_1), ..., Sig_PK(M_n); it must then output an unsigned message M* together with a forged signature on M*]
Chosen-Message Attack on Signature-Based Encryption
[Diagram: the adversary sends pseudonyms B_1, ..., B_n to the certification authority (PK = IACR) and receives Sig_PK(B_1), ..., Sig_PK(B_n); it then picks an unsigned pseudonym B* and two messages m_1, m_2, receives Enc_PK(IACR, B*){m_b}, and must output b]
Signature security: inability to output a signature on B*
Encryption security: inability to use B* to decrypt
Previous Results on Signature-Based Encryption
• Signature-Based Encryption of [Li, Du, Boneh, PODC '03]
  - RSA, factoring (Rabin signatures), or bilinear maps (BLS signatures)
  - No secrecy properties
• Here:
  - Computational Diffie-Hellman (Schnorr signatures)
  - Affiliation secrecy for both sender and receiver
Terminology caveat:
  - [LDB]'s "obliviousness": the sender doesn't know whether the receiver can decrypt
  - Our "CA-obliviousness": affiliation privacy for both parties
CA-oblivious Signature-Based Encryption secure under Computational Diffie-Hellman [CDH]
Schnorr signature (the CA is the signer):
  SK_CA: x, PK_CA: y = g^x mod p
  Sign("B") = (s, r) such that g^s = r * y^H(r, "B") mod p
Schnorr-based encryption (Bob is the decryptor):
  Pseudonym: (r, "B"), for a random string "B"
  Decryption key: SK_B = s
  Encryption key: PK_B = r * y^H(r, "B") [= g^s]
  ElGamal ciphertext: (c_1, c_2) = (g^k, H(PK_B^k) ⊕ M)
CA-obliviousness: r and c_1 are random values in Z_p*
Semantic security under CMA attack:
  Recall [PS '96]: Schnorr signature forger => x (DL attack)
  Ciphertext distinguisher => computing z^x on random z (CDH attack)
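The scheme on this slide, together with the encryption step of slides 8 and 9 and the "unsigned pseudonym" case of slide 11, as an added worked example. This is editor-written code, not the authors' implementation and not from the paper. Its assumptions: a toy 64-bit safe-prime group generated at start-up (a real deployment uses a standard group of at least 2048 bits), SHA-256 standing in for the hash H and for the pad H(PK_B^k) of the hashed-ElGamal ciphertext, and only Alice's encryption half of the handshake (Alice encrypts a nonce under the key she derives from (IACR, B), and Bob returns it); the symmetric step in Bob's direction and the proof-of-possession payload of slide 8 are left out. The names `CA`, `encryption_key`, `handshake_half` and `demo` are this example's own.

```python
import hashlib
import random
import secrets

# Toy group: a 64-bit safe prime p = 2q + 1 found at start-up with a seeded RNG
# (assumption of this example; a real deployment uses a standard >= 2048-bit group).
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n):
    """Miller-Rabin; these 12 bases are deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits=64, seed=2004):
    """Return (p, q, g) with p = 2q + 1 a safe prime and g of prime order q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q, pow(2, 2, p)  # a square has order q in a safe-prime group

def hash_to_int(mod, *parts):
    """The slide's H(r, "B"): SHA-256 over length-prefixed parts, reduced mod q."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % mod

class CA:
    """Certification authority = Schnorr signer with SK x and PK y = g^x mod p."""
    def __init__(self, grp, rng):
        self.p, self.q, self.g = grp
        self.x = rng.randrange(1, self.q)
        self.y = pow(self.g, self.x, self.p)

    def issue(self, pseudonym):
        """Schnorr signature (s, r) on the pseudonym: g^s = r * y^H(r, B) mod p."""
        k = secrets.randbelow(self.q - 1) + 1
        r = pow(self.g, k, self.p)
        return (k + self.x * hash_to_int(self.q, r, pseudonym)) % self.q, r

def encryption_key(grp, y_ca, r, pseudonym):
    """PK_B = r * y^H(r, B), derivable by anyone who guesses Bob's CA; equals g^s."""
    p, q, _ = grp
    return r * pow(y_ca, hash_to_int(q, r, pseudonym), p) % p

def kdf(elem, n):
    return hashlib.sha256(b"kdf" + elem.to_bytes(16, "big")).digest()[:n]

def encrypt(grp, pk, msg):
    """Hashed ElGamal: (c1, c2) = (g^k, H(PK_B^k) xor M); c1 is a random group element."""
    p, q, g = grp
    k = secrets.randbelow(q - 1) + 1
    c1 = pow(g, k, p)
    return c1, bytes(a ^ b for a, b in zip(msg, kdf(pow(pk, k, p), len(msg))))

def decrypt(grp, s, ct):
    """The signature s is the decryption key: c1^s = g^(ks) = PK_B^k."""
    p, _, _ = grp
    c1, c2 = ct
    return bytes(a ^ b for a, b in zip(c2, kdf(pow(c1, s, p), len(c2))))

def handshake_half(grp, y_policy_ca, pseudonym, r, s):
    """Alice's step from slide 8: encrypt a nonce under the key derived from
    (CA in her policy, Bob's pseudonym); Bob decrypts with his cert (r, s) and
    returns the result. True iff Bob's cert really comes from that CA."""
    nonce = secrets.token_bytes(16)
    ct = encrypt(grp, encryption_key(grp, y_policy_ca, r, pseudonym), nonce)
    return decrypt(grp, s, ct) == nonce

def demo():
    grp = gen_group()
    p, q, g = grp
    rng = random.Random(1)               # seeded CA keys so the run is reproducible
    iacr, uci = CA(grp, rng), CA(grp, rng)
    s_b, r_b = iacr.issue("B")           # Bob's real cert from IACR
    s_i, r_i = uci.issue("B")            # same pseudonym "B", but certified by UCI
    return (
        pow(g, s_b, p) == encryption_key(grp, iacr.y, r_b, "B"),     # g^s = r * y^H(r, B)
        handshake_half(grp, iacr.y, "B", r_b, s_b),                   # genuine IACR Bob
        handshake_half(grp, iacr.y, "B", r_i, s_i),                   # cert from the wrong CA
        handshake_half(grp, iacr.y, "B", r_b, secrets.randbelow(q)),  # knows (r, B) but not s
        pow(r_b, q, p) == 1 and pow(r_i, q, p) == 1,                  # both r lie in the same order-q subgroup: no trace of the CA
    )
```

`demo()` returns `(True, True, False, False, True)`: the certificate satisfies the slide's verification equation, the genuine IACR member recovers the nonce, a holder of a UCI certificate on the same pseudonym does not, and someone who knows Bob's public pseudonym (r, "B") but not the signature s (the slide-11 adversary's position for an unsigned B*) does not either. The last element is the CA-obliviousness sanity check: r from either CA is an element of the same order-q subgroup, so the pseudonym itself carries no hint of which CA issued it, and the same holds for c_1 = g^k in the ciphertext.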
Conclusions and Open Problems
Contributions:
• "Secret Handshake" authentication under Computational Diffie-Hellman (no bilinear maps)
• Efficiency improvements, reduced trust in the CA
Open problems:
• How to handle certificate chains?
• Linkability (our pseudonyms are constant and public)
• O(n^2) computation blow-up when Bob has n certificates and Alice has n CAs in her policy