Seminar in Foundations of Privacy - PowerPoint PPT Presentation
Presentation Transcript
Seminar in Foundations of Privacy

Message Authentication in the Manual Channel Model

Gil Segev

Pairing of Wireless Devices

Scenario:

  • Buy a new wireless camera
  • Want to establish a secure channel for the first time
    • Diffie-Hellman key agreement protocol
Diffie-Hellman Key Agreement
  • Alice and Bob wish to agree on a secret key
  • Public parameters:
    • Group G
    • Generator g ∈ G

Alice → Bob: g^x
Bob → Alice: g^y

Both parties compute K_{A,B} = g^{xy}

  • Security: Even when given (G, g, g^x, g^y) it is still hard to compute g^{xy}
Diffie-Hellman Key Agreement
  • Computational Diffie-Hellman assumption (CDH): For every probabilistic polynomial-time algorithm A, every polynomial p(n) and for all sufficiently large n,

Pr[A(G_n, g_n, g_n^x, g_n^y) = g_n^{xy}] < 1/p(n)

The probability is taken over A’s internal coin tosses and over the random choice of (x, y)

  • Decisional Diffie-Hellman assumption (DDH):

{(g, g^x, g^y, g^{xy})} ≈_c {(g, g^x, g^y, g^c)}

for random x, y and c, where ≈_c denotes computational indistinguishability
Diffie-Hellman Key Agreement
  • Alice and Bob wish to agree on a secret key
  • Public parameters:
    • Group G
    • Generator g ∈ G

Alice → Bob: g^x
Bob → Alice: g^y

Both parties compute K_{A,B} = g^{xy}

  • CDH assumption: K_{A,B} is hard to guess
  • DDH assumption: K_{A,B} is as good as a random secret
  • Secure against passive adversaries
    • Eve is only allowed to read the sent messages
Pairing of Wireless Devices

Scenario:

  • Buy a new wireless camera
  • Want to establish a secure channel for the first time
    • Diffie-Hellman key agreement protocol (the two devices exchange g^x and g^y)

Pairing of Wireless Devices

Cable pairing

  • Simple
  • Cheap
  • Authenticated channel

“I thought this is a wireless camera…”
Pairing of Wireless Devices

Wireless pairing (the devices exchange g^x and g^y over the air; an adversary in between can substitute its own g^a and g^b)

Problem: Active adversaries (“man-in-the-middle”)
Diffie-Hellman Key Agreement
  • Suppose now that Eve is an active adversary
    • “man-in-the-middle” attacker

Alice → Eve: g^x      Eve → Alice: g^a
Eve → Bob: g^b        Bob → Eve: g^y

K_{A,E} = g^{xa}
K_{E,B} = g^{by}

  • Completely insecure:
    • Eve can decrypt ENC(K_{A,E}, m), and then re-encrypt it as ENC(K_{E,B}, m)

Diffie-Hellman Key Agreement
  • Suppose now that Eve is an active adversary
    • “man-in-the-middle” attacker
  • Solution - Message authentication:
    • Alice and Bob authenticate g^x and g^y
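The following is an added example, not code from the slides: a toy Diffie-Hellman exchange in Python, together with the check that the slide's solution calls for. Each party authenticates the value it sent, so the other party can compare it with the value it actually received; a substituted g^a or g^b then shows up as a transcript mismatch instead of silently yielding two different keys. The group parameters (P = 1019, G = 4), the exponents, and the function names `keygen`, `shared_key`, `dh_session` and `transcripts_match` are constructed for illustration only.

```python
import secrets

# Constructed toy parameters (illustration only, far too small for real use):
# P is a safe prime, P = 2*Q + 1 with Q prime, and G = 4 = 2^2 is a quadratic
# residue, so G generates the subgroup of prime order Q.
P = 1019
Q = (P - 1) // 2   # 509, prime
G = 4

def keygen(rng=secrets.randbelow):
    """Pick a secret exponent x in [1, Q-1] and return (x, g^x mod p)."""
    x = 1 + rng(Q - 1)
    return x, pow(G, x, P)

def shared_key(secret, peer_public):
    """K = (peer value)^secret mod p.  Values outside the prime-order subgroup
    (0, 1, p-1, ...) are rejected so a peer cannot force a low-entropy key."""
    if not (1 < peer_public < P) or pow(peer_public, Q, P) != 1:
        raise ValueError("peer value is not in the prime-order subgroup")
    return pow(peer_public, secret, P)

def dh_session(x, y, to_bob=None, to_alice=None):
    """One exchange between Alice (exponent x) and Bob (exponent y).

    to_bob / to_alice are the group elements each party actually receives; by
    default these are the honest g^x and g^y, but a substituted value (the g^a
    and g^b of the slides) can be supplied to model an active adversary.
    Returns (K_Alice, K_Bob, Alice's transcript, Bob's transcript), where a
    transcript is the pair (value attributed to Alice, value attributed to Bob)
    as that party saw it.
    """
    gx, gy = pow(G, x, P), pow(G, y, P)
    recv_bob = gx if to_bob is None else to_bob
    recv_alice = gy if to_alice is None else to_alice
    k_alice = shared_key(x, recv_alice)
    k_bob = shared_key(y, recv_bob)
    return k_alice, k_bob, (gx, recv_alice), (recv_bob, gy)

def transcripts_match(transcript_alice, transcript_bob):
    """The slide's remedy: Alice authenticates g^x and Bob authenticates g^y.
    Once each party learns what the other really sent, a substituted value
    shows up as a mismatch between the two transcripts."""
    return transcript_alice == transcript_bob

def demo():
    """Honest run versus a run with substituted values; returns both verdicts."""
    ka, kb, ta, tb = dh_session(7, 11)
    honest = ka == kb and transcripts_match(ta, tb)
    # Constructed adversary exponents a = 5, b = 9: Alice receives g^a, Bob receives g^b
    ka, kb, ta, tb = dh_session(7, 11, to_bob=pow(G, 9, P), to_alice=pow(G, 5, P))
    tampered = ka == kb or transcripts_match(ta, tb)
    return honest, tampered   # (True, False)

if __name__ == "__main__":
    print(demo())
```

The subgroup check in `shared_key` is the standard defensive step for prime-order groups; it is independent of the authentication problem the slides address, which is why the transcript comparison is kept as a separate function.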
Message Authentication
  • Assure the receiver of a message that it has not been changed by an active adversary

Alice sends m; Eve may deliver a different message m̂ to Bob

Problem specification:

Completeness: ∀m, no interference ⇒ Bob accepts m (with high probability)

Soundness: ∀m, Pr[Bob accepts m̂ ≠ m] ≤ ε
One-Time Authentication
  • The secret key enables a single authentication of a message m ∈ {0,1}^n
  • H = {h | h: {0,1}^n → {0,1}^k} is a family of hash functions
  • Alice and Bob share a random function h ∈ H
    • h is not known to Eve
  • To authenticate m ∈ {0,1}^n Alice sends (m, h(m))
  • Upon receiving (m̂, ẑ):
    • If ẑ = h(m̂), then Bob outputs m̂ and halts
    • Otherwise, Bob outputs ⊥ and halts
One-Time Authentication
  • What properties do we require from H?
  • Hard to guess h(m̂)
    • Success probability at most ε
    • Should hold for any m̂

One-Time Authentication
  • What properties do we require from H?
  • Hard to guess h(m̂) even given h(m)
    • Success probability at most ε
    • Should hold for any m and m̂
  • Short representation for h - must have small log|H|
  • Easy to compute h(m) given h and m
Universal Hash Functions
  • Given h: {0,1}^n → {0,1}^k we can always guess a correct output with probability at least 2^-k
  • A family where this is tight is called universal_2

Definition: a family H = {h | h: {0,1}^n → {0,1}^k} is called strongly universal_2 or pair-wise independent if:

    • for all m1 ≠ m2 ∈ {0,1}^n and y1, y2 ∈ {0,1}^k we have

Pr[h(m1) = y1 and h(m2) = y2] = 2^-2k

where the probability is over a randomly chosen h ∈ H

In particular Pr[h(m2) = y2 | h(m1) = y1] = 2^-k

Theorem: when a strongly universal_2 family is used in the protocol, Eve’s probability of cheating is at most 2^-k
Constructing Universal Hash Functions

The linear polynomial construction:

  • Fix a finite field F of size at least the message space 2^n
    • Could be either GF[2^n] or GF[P] for some prime P ≥ 2^n
  • The family H of functions h: F → F is defined as

H = {h_{a,b}(m) = a·m + b | a, b ∈ F}

Claim: the family above is strongly universal_2

Proof: for every m1 ≠ m2, y1, y2 ∈ F there are unique a, b ∈ F such that

a·m1 + b = y1
a·m2 + b = y2

Size: each h ∈ H is represented by 2n bits
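An added example in Python, not from the slides, of the linear-polynomial family over GF[P] for a prime P (the second option on the slide) used as the one-time authenticator of the previous slides. Besides tagging and verifying, it checks the strongly universal_2 definition exhaustively on a toy field and counts, for an adversary who has seen one valid (m, h(m)), how often the best guess for a substituted message's tag succeeds. The function names and the toy field sizes are constructed for this illustration.

```python
import secrets
from itertools import product

def hash_ab(a, b, m, p):
    """h_{a,b}(m) = a*m + b in GF[p], for a prime p and a message m already reduced mod p."""
    return (a * m + b) % p

def keygen(p, rng=secrets.randbelow):
    """The shared one-time key is a uniform (a, b) in GF[p]^2: 2*log2(p) bits, as on the slide."""
    return rng(p), rng(p)

def tag(key, m, p):
    """Alice sends (m, h(m))."""
    a, b = key
    return hash_ab(a, b, m, p)

def verify(key, m_hat, z_hat, p):
    """Bob outputs m_hat if z_hat = h(m_hat), otherwise bottom (here: None)."""
    a, b = key
    return m_hat if hash_ab(a, b, m_hat, p) == z_hat else None

def is_strongly_universal(p):
    """Exhaustive check of the definition on GF[p]: for every m1 != m2 and every
    (y1, y2), exactly one of the p^2 keys maps m1 -> y1 and m2 -> y2, so the
    probability over a random key is p^-2 (the 2^-2k of the slide)."""
    keys = list(product(range(p), repeat=2))
    for m1, m2 in product(range(p), repeat=2):
        if m1 == m2:
            continue
        for y1, y2 in product(range(p), repeat=2):
            hits = sum(1 for a, b in keys
                       if hash_ab(a, b, m1, p) == y1 and hash_ab(a, b, m2, p) == y2)
            if hits != 1:
                return False
    return True

def best_forgery_probability(p, m, z):
    """Eve has seen (m, z = h(m)) and wants to substitute some m_hat != m.
    The keys consistent with (m, z) are {(a, z - a*m)}; for each m_hat the tag
    they assign is a*(m_hat - m) + z, a different value for each a, so Eve's
    best guess is right with probability exactly 1/p.  Computed by counting."""
    consistent = [(a, b) for a, b in product(range(p), repeat=2)
                  if hash_ab(a, b, m, p) == z]
    worst = 0.0
    for m_hat in range(p):
        if m_hat == m:
            continue
        counts = {}
        for a, b in consistent:
            t = hash_ab(a, b, m_hat, p)
            counts[t] = counts.get(t, 0) + 1
        worst = max(worst, max(counts.values()) / len(consistent))
    return worst

if __name__ == "__main__":
    P = 2**61 - 1                      # a Mersenne prime; messages up to 61 bits
    key = keygen(P)
    msg = 0x1234567890ABCDEF % P
    print(verify(key, msg, tag(key, msg, P), P) == msg)                   # True
    print(is_strongly_universal(7), best_forgery_probability(7, 3, 5))    # True 0.14285714285714285
```

The exhaustive checks are only feasible for tiny p; for the real field size the same properties follow from the uniqueness argument in the proof above, since two linear equations in (a, b) with m1 ≠ m2 have exactly one solution.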

Lower Bound

Theorem: Let H = {h | h: {0,1}^n → {0,1}} be a family of pair-wise independent functions. Then

|H| is Ω(2^n)

More precisely, to obtain a d-wise independent family |H| should be Ω(2^{n⌊d/2⌋})

  • N. Alon and J. Spencer, The Probabilistic Method, Chapter 15 (derandomization), Proposition 2.3
More on Authentication
  • Reducing the length of the secret key
    • Almost-pair-wise independent hash functions
    • Interaction
  • Using the same secret key to authenticate any polynomial number of messages
    • Requires computational assumptions
    • Pseudorandom functions
  • Authentication in the public-key world
  • Much more to discuss…
Pairing of Wireless Devices

Wireless pairing: Alice sends g^x and receives g^a, so her view of the exchange is m = g^x || g^a; Bob receives g^b and sends g^y, so his view is m̂ = g^b || g^y

  • Impossible without additional setup

Pairing of Wireless Devices

Wireless pairing

Solution:

Manual Channel

The Manual Channel

Wireless pairing: after the exchange of g^x, g^y (and the adversary’s g^a, g^b) each device displays a short string, e.g. “141”

User can compare two short strings
Manual Channel Model

Alice, on input m, exchanges messages with Bob over the insecure channel (interactive) or sends a single message (non-interactive), and sends the short string s over the manual channel

  • Insecure communication channel
  • Low-bandwidth auxiliary channel:
    • Enables Alice to “manually” authenticate one short string s
    • Interactive or non-interactive
  • Adversarial power:
    • Choose the input message m
    • Insecure channel: Full control
    • Manual channel: Read, delay
    • Delivery timing

Goal: Minimize the length of the manually authenticated string

  • No trusted infrastructure, such as:
    • Public key infrastructure
    • Shared secret key
    • Common reference string
    • .......

Suitable for ad hoc networks:

  • Pairing of wireless devices
    • Wireless USB, Bluetooth
  • Secure phones
    • AT&T, PGP, Zfone
  • Many more...
Why Is This Model Reasonable?
  • Implementing the manual channel:
    • Compare two strings displayed by the devices (e.g. both show “141”)
    • Type a string, displayed by one device, into the other device
    • Visual hashing
    • Voice channel
The Naive Solution

Alice sends m over the insecure channel (Eve may deliver m̂ to Bob) and H(m) over the manual channel

  • H - collision resistant hash function (e.g., SHA-256)
    • No efficient algorithm can find m ≠ m̂ s.t. H(m) = H(m̂) with noticeable probability
  • Any adversary that forges a message can be used to find a collision for H

Are we done?

  • No. The output length of SHA-256 is too long (160 bits)
    • Cannot be easily compared or typed by humans
Tight Bounds

Setting: an n-bit message m, some number of rounds over the insecure channel, an ℓ-bit manually authenticated string s, and forgery probability ε

No setup or computational assumptions

  • Upper bound: log*n-round protocol in which ℓ = 2log(1/ε) + O(1)
  • Matching lower bound: n ≥ 2log(1/ε) ⇒ ℓ ≥ 2log(1/ε) - 2
  • One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting

Our Results - Tight Bounds

The manually authenticated length ℓ:

  • ℓ = 2log(1/ε): unconditional security
  • ℓ = log(1/ε): computational security, assuming one-way functions
  • ℓ < log(1/ε): impossible
Outline
  • Security definition
  • Tight bounds
    • The protocol
    • Lower bound
Security Definition

Setting: an n-bit message m, k rounds over the insecure channel, an ℓ-bit manually authenticated string s

Unconditionally secure (n, ℓ, k, ε)-authentication protocol:

  • n-bit input message
  • ℓ manually authenticated bits
  • k rounds
  • forgery probability ε

Completeness: ∀m, no interference ⇒ Bob accepts m (with high probability)

Unforgeability: ∀m, Pr[Bob accepts m̂ ≠ m] ≤ ε
Outline
  • Security definition
  • Tight bounds
    • The protocol
    • Lower bound
The Protocol (simplified)
  • Based on the [GN93] hashing technique
  • In each round, the parties:
    • Cooperatively choose a hash function
    • Reduce to authenticating a shorter message
  • A short message is manually authenticated

Preliminaries:

For m = m1 ... mk ∈ GF[Q]^k and x ∈ GF[Q], let m(x) = Σ_{i=1}^{k} m_i x^i

Then, for any m ≠ m̂ and for any c, ĉ ∈ GF[Q],

Pr_{x ←R GF[Q]} [ m(x) + c = m̂(x) + ĉ ] ≤ k/Q

The Protocol (simplified)

We hash m to x || m(x) + c, where one party chooses x and the other party chooses c
The Protocol (simplified)

Both parties set: m0 = m, Q1 ≈ n/ε, Q2 ≈ log(n)/ε

Alice → Bob: m, a1          (a1 ←R GF[Q1])
Bob → Alice: b1, b2         (b1 ←R GF[Q1], b2 ←R GF[Q2])
Both parties set: m1 = b1 || m0(b1) + a1
Alice: a2 ←R GF[Q2]
Alice → Bob (manual channel): m2 = a2 || m1(a2) + b2
Bob: Accept iff m2 is consistent

Two GF[Q2] elements: 2log(1/ε) + 2loglog(n) + O(1) manually authenticated bits

  • k rounds: 2loglog(n) is reduced to 2log^(k-1)(n) (the (k-1)-times iterated logarithm)
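An added Python example, not the authors' code, that implements the [GN93] polynomial hash m(x) = Σ m_i x^i over a prime field and the simplified two-round protocol built from it. It checks the k/Q collision bound exhaustively, runs the protocol without interference, and measures, over all honest choices of b1 and a2, how often Bob accepts a substituted message. The field sizes (Q1 = 101, Q2 = 13), the bit-string-to-field encoding, and the function names are constructed for the illustration; the slides only fix Q1 ≈ n/ε and Q2 ≈ log(n)/ε.

```python
import secrets
from itertools import product

def poly_eval(coeffs, x, q):
    """m(x) = m_1*x + m_2*x^2 + ... + m_k*x^k in GF[q] (q prime), coeffs = [m_1, ..., m_k]."""
    acc, power = 0, 1
    for c in coeffs:
        power = power * x % q
        acc = (acc + c * power) % q
    return acc

def to_field_elements(bits, q):
    """Read a bit string as a vector over GF[q]: chunks of floor(log2 q) bits, so each
    chunk is < q.  The last chunk is zero-padded on the right (constructed encoding)."""
    w = q.bit_length() - 1
    return [int(bits[i:i + w].ljust(w, "0"), 2) for i in range(0, len(bits), w)]

def hash_round(m, x, c, q):
    """One [GN93] step: m (a vector over GF[q]) is reduced to the pair x || m(x) + c."""
    return (x, (poly_eval(m, x, q) + c) % q)

def collision_probability(m, m_hat, c, c_hat, q):
    """Exhaustive Pr over x in GF[q] of m(x) + c = m_hat(x) + c_hat; the slide bounds it by k/q."""
    hits = sum(1 for x in range(q)
               if (poly_eval(m, x, q) + c) % q == (poly_eval(m_hat, x, q) + c_hat) % q)
    return hits / q

def run_protocol(m_bits, q1, q2, coins, m_hat_bits=None):
    """Simplified two-round protocol.  coins = (a1, b1, b2, a2): Alice draws a1 in GF[q1]
    and a2 in GF[q2], Bob draws b1 in GF[q1] and b2 in GF[q2].  Bob's copy of the message
    is m_hat_bits (default: m_bits, i.e. no interference); a1, b1, b2 are assumed to
    reach the other side unchanged.  Returns (Bob accepts, m2 as Alice authenticates it,
    m2 as Bob recomputes it)."""
    a1, b1, b2, a2 = coins
    m0_a = to_field_elements(m_bits, q1)
    m0_b = to_field_elements(m_bits if m_hat_bits is None else m_hat_bits, q1)
    # Round 1: Alice -> Bob (m, a1); Bob -> Alice (b1, b2).  Both set m1 = b1 || m0(b1) + a1.
    m1_a = hash_round(m0_a, b1, a1, q1)
    m1_b = hash_round(m0_b, b1, a1, q1)
    # m1 is a pair of GF[q1] elements; re-encode it as a (shorter) vector over GF[q2].
    width = q1.bit_length()
    encode = lambda pair: to_field_elements(
        format(pair[0], f"0{width}b") + format(pair[1], f"0{width}b"), q2)
    # Alice manually authenticates m2 = a2 || m1(a2) + b2: two GF[q2] elements.
    m2_a = hash_round(encode(m1_a), a2, b2, q2)
    # Bob reads a2 from the manual string and checks that m2 is consistent with his view.
    m2_b = hash_round(encode(m1_b), m2_a[0], b2, q2)
    return m2_a == m2_b, m2_a, m2_b

def forgery_probability(m_bits, m_hat_bits, q1, q2, a1=0, b2=0):
    """Fraction of honest coin choices (b1, a2) for which Bob accepts m_hat != m after
    Eve substitutes the message in round 1.  The slide bounds the two ways this can
    happen by k1/q1 (m1 collides) plus k2/q2 (m1 differs but m2 collides)."""
    accepted = sum(run_protocol(m_bits, q1, q2, (a1, b1, b2, a2), m_hat_bits)[0]
                   for b1, a2 in product(range(q1), range(q2)))
    return accepted / (q1 * q2)

if __name__ == "__main__":
    M = "101100111000110101001011"      # constructed 24-bit message
    M_HAT = "101100111000110101001010"  # differs in the last bit
    coins = (secrets.randbelow(101), secrets.randbelow(101),
             secrets.randbelow(13), secrets.randbelow(13))
    print(run_protocol(M, 101, 13, coins)[0])      # True: no interference
    print(forgery_probability(M, M_HAT, 101, 13))  # at most 4/101 + 5/13
```

With these toy sizes the 24-bit message becomes k1 = 4 elements of GF[101] and the 14-bit m1 becomes k2 = 5 elements of GF[13], so the manual string is two GF[13] elements, about 2·log2(13) ≈ 7.4 bits, exactly the "two GF[Q2] elements" of the slide.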
Security Analysis
  • Must consider all generic man-in-the-middle attacks.
  • Three attacks in our case (Attack #1, Attack #2, Attack #3), differing in the order in which Eve interacts with Alice and with Bob. In each of them Eve may replace Alice’s (m, a1) by (m̂, â1) and Bob’s (b1, b2) by (b̂1, b̂2); m2 is sent over the manual channel and can only be read or delayed.

Security Analysis – Attack #1

Alice’s view: m0,A = m, m1,A = b̂1 || m0,A(b̂1) + a1, m2,A = a2 || m1,A(a2) + b̂2
Bob’s view:   m0,B = m̂, m1,B = b1 || m0,B(b1) + â1, m2,B = a2 || m1,B(a2) + b2

Pr[m0,A ≠ m0,B and m2,A = m2,B]
  ≤ Pr[m1,A = m1,B] + Pr[m1,A ≠ m1,B and m2,A = m2,B]
  ≤ ε/2 + ε/2

Security Analysis – Attack #1

Claim: Pr[m1,A = m1,B] ≤ ε/2

  • Eve chooses b̂1 ≠ b1: then m1,A ≠ m1,B
  • Eve chooses b̂1 = b1: then Pr[m0,A(b1) + a1 = m0,B(b1) + â1] ≤ ε/2
Outline
  • Security definition
  • Tight bounds
    • The protocol
    • Lower bound
Lower Bound

Alice → Bob: m, x1
Bob → Alice: x2
Alice → Bob (manual channel): s

  • m ←R {0,1}^n ⇒ M, X1, X2, S are well defined random variables
  • Goal: H(S) ≥ 2log(1/ε)
Shannon Entropy
  • Let X be a random variable over domain 𝒳 with probability distribution P_X
  • The Shannon entropy of X is

H(X) = - ∑_{x ∈ 𝒳} P_X(x) log P_X(x)

(where 0 log 0 = 0)

  • Measures the amount of randomness in X on average
  • Measures how much we can compress X on average

0 ≤ H(X) ≤ log|𝒳|

Equality on the left ⇔ X is constant; equality on the right ⇔ X is uniform

A Related Notion: Min-Entropy
  • Let X be a random variable over domain 𝒳 with probability distribution P_X
  • The min-entropy of X is

H_∞(X) = - log max_{x ∈ 𝒳} P_X(x)

  • Measures the amount of randomness in X in the worst case
  • Represents the most likely value(s)

0 ≤ H_∞(X) ≤ H(X) ≤ log|𝒳|

Equality on the left ⇔ X is constant; equality in the middle ⇔ X is uniform; equality on the right ⇔ X is uniform

Conditional Shannon Entropy
  • Let X and Y be two random variables over domains 𝒳 and 𝒴 with probability distributions P_X and P_Y
  • The conditional Shannon entropy of X given Y is

H(X|Y) = ∑_{y ∈ 𝒴} P_Y(y) H(X|Y=y)

  • Observation:

H(X,Y) = H(X) + H(Y|X)

H(X,Y) = H(Y) + H(X|Y)

Shannon Mutual Information
  • The mutual information between X and Y is

I(X;Y) = H(X) – H(X|Y)

  • Observation:

I(X;Y) = I(Y;X)

  • Conditional mutual information:

I(X;Y|Z) = H(X|Z) – H(X|Y,Z)
Lower Bound

Alice → Bob: M, X1
Bob → Alice: X2
Alice → Bob (manual channel): S

  • Goal: H(S) ≥ 2log(1/ε)

Evolving intuition:

  • The parties must use at least log(1/ε) random bits
  • Each party must use at least log(1/ε) random bits
  • Each party must independently reduce H(S) by log(1/ε) bits

H(S) = H(S) - H(S | M, X1)                 = I(S ; M, X1)          (Alice’s randomness)
     + H(S | M, X1) - H(S | M, X1, X2)     = I(S ; X2 | M, X1)     (Bob’s randomness)
     + H(S | M, X1, X2)                                             (Alice’s randomness)

Lemma 1: I(S ; M, X1) + H(S | M, X1, X2) ≥ log(1/ε)

Lemma 2: I(S ; X2 | M, X1) ≥ log(1/ε)
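An added Python example, not from the slides, that serves both the entropy slides above (Shannon entropy, min-entropy, conditional entropy defined as Σ_y P_Y(y) H(X|Y=y), and mutual information) and the decomposition of H(S) on this slide. It evaluates every quantity from a joint distribution over (M, X1, X2, S) and checks the chain rule and H(S) = I(S;M,X1) + I(S;X2|M,X1) + H(S|M,X1,X2) numerically. The joint distribution is a constructed toy (S = 2·(M xor X1) + X2 with uniform bits), not a real protocol, and the function names are this example's own.

```python
from collections import defaultdict
from math import log2

def marginal(joint, keep):
    """Marginalise a joint distribution {outcome tuple: probability} onto the coordinates in keep."""
    out = defaultdict(float)
    for outcome, p in joint.items():
        out[tuple(outcome[i] for i in keep)] += p
    return dict(out)

def entropy(dist):
    """H(X) = -sum_x P_X(x) log2 P_X(x), with 0 log 0 = 0."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)

def min_entropy(dist):
    """H_inf(X) = -log2 max_x P_X(x)."""
    return -log2(max(dist.values()))

def conditional_entropy(joint, x_idx, y_idx):
    """H(X|Y) = sum_y P_Y(y) H(X | Y = y), exactly as defined on the slide
    (not via the chain rule, so the chain rule can be checked independently)."""
    total = 0.0
    for y, p_y in marginal(joint, y_idx).items():
        cond = defaultdict(float)
        for outcome, p in joint.items():
            if tuple(outcome[i] for i in y_idx) == y:
                cond[tuple(outcome[i] for i in x_idx)] += p / p_y
        total += p_y * entropy(cond)
    return total

def mutual_information(joint, x_idx, y_idx, z_idx=()):
    """I(X;Y|Z) = H(X|Z) - H(X|Y,Z); with Z empty this is I(X;Y)."""
    return conditional_entropy(joint, x_idx, z_idx) - conditional_entropy(joint, x_idx, y_idx + z_idx)

def chain_rule_gap(joint, x_idx, y_idx):
    """H(X,Y) - (H(X) + H(Y|X)); should be 0 up to rounding."""
    return (entropy(marginal(joint, x_idx + y_idx))
            - entropy(marginal(joint, x_idx))
            - conditional_entropy(joint, y_idx, x_idx))

# Constructed toy distribution over (M, X1, X2, S), coordinates 0..3: M and Alice's
# coin X1 are uniform bits, Bob's coin X2 is a uniform bit, and the manually
# authenticated string is S = 2*(M xor X1) + X2.  Not a real protocol, just a
# joint distribution on which the lower-bound decomposition can be evaluated.
M, X1, X2, S = 0, 1, 2, 3

def toy_joint():
    joint = {}
    for m in (0, 1):
        for x1 in (0, 1):
            for x2 in (0, 1):
                joint[(m, x1, x2, 2 * (m ^ x1) + x2)] = 1 / 8
    return joint

def decomposition(joint):
    """Returns H(S) and the three terms I(S;M,X1), I(S;X2|M,X1), H(S|M,X1,X2)."""
    h_s = entropy(marginal(joint, (S,)))
    alice = mutual_information(joint, (S,), (M, X1))
    bob = mutual_information(joint, (S,), (X2,), (M, X1))
    rest = conditional_entropy(joint, (S,), (M, X1, X2))
    return h_s, alice, bob, rest

if __name__ == "__main__":
    j = toy_joint()
    print(decomposition(j))                                                  # (2.0, 1.0, 1.0, 0.0)
    print(min_entropy(marginal(j, (S,))), chain_rule_gap(j, (M, X1), (X2, S)))  # 2.0 0.0
```

In the toy distribution one bit of S is fixed by Alice's (M, X1) and the other by Bob's X2, so each party contributes exactly one bit to H(S) = 2, which is the shape of the two-lemma argument on the slide.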

Proof of Lemma 1

Consider the following attack:

Alice → Eve: m, x1
Eve → Bob: m̂, x̂1
Bob → Eve: x2
Eve → Alice: x̂2
Alice → Bob (manual channel): s

Eve wants Alice to manually authenticate ŝ. Eve acts as follows:

  • Chooses m ←R {0,1}^n
  • Chooses m̂ ←R {0,1}^n
  • Samples x̂2 from the distribution of X2 given m, x1 and ŝ
    • If Pr[ŝ | m, x1] = 0, Eve quits
  • Forwards s and hopes that s = ŝ

Proof of Lemma 1

Claim: Pr[s = ŝ] ≥ 2^{-(I(S ; M, X1) + H(S | M, X1, X2))}

By the protocol requirements:

ε ≥ Pr[s = ŝ and m ≠ m̂] ≥ Pr[s = ŝ] - 2^{-n}

Since n ≥ log(1/ε), we get

2ε ≥ Pr[s = ŝ]

which implies

I(S ; M, X1) + H(S | M, X1, X2) ≥ log(1/ε) - 1
Lower Bound

Alice → Bob: M, X1
Bob → Alice: X2
Alice → Bob (manual channel): S

  • Goal: H(S) ≥ 2log(1/ε) - 2

H(S) = I(S ; M, X1) + I(S ; X2 | M, X1) + H(S | M, X1, X2)

Lemma 1: I(S ; M, X1) + H(S | M, X1, X2) ≥ log(1/ε) - 1   (Alice’s randomness)

Lemma 2: I(S ; X2 | M, X1) ≥ log(1/ε) - 1   (Bob’s randomness)

References
  • Whitfield Diffie and Martin E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, 1976
  • Peter Gemmell and Moni Naor, Codes for Interactive Authentication, CRYPTO 1993
  • Moni Naor, Gil Segev and Adam Smith, Tight Bounds for Unconditionally Secure Authentication Protocols in the Manual Channel and Shared Key Models, CRYPTO 2006
  • T. Cover and J. A. Thomas, Elements of Information Theory