Seminar in Foundations of Privacy

Message Authentication in the Manual Channel Model

Gil Segev

Pairing of Wireless Devices

Scenario:

• Buy a new wireless camera
• Want to establish a secure channel for the first time
• Use the Diffie-Hellman key agreement protocol

Diffie-Hellman Key Agreement

• Alice and Bob wish to agree on a secret key
• Public parameters: a group $G$ and a generator $g \in G$
• Alice chooses $x$ at random and sends $g^x$ to Bob; Bob chooses $y$ at random and sends $g^y$ to Alice
• Both parties compute $K_{A,B} = g^{xy}$
• Security: even when given $(G, g, g^x, g^y)$ it is still hard to compute $g^{xy}$
• Computational Diffie-Hellman assumption (CDH): for every probabilistic polynomial-time algorithm $A$, every polynomial $p(n)$ and all sufficiently large $n$,

$\Pr[A(G_n, g_n, g_n^x, g_n^y) = g_n^{xy}] < 1/p(n)$

where the probability is taken over $A$'s internal coin tosses and over the random choice of $(x, y)$
• Decisional Diffie-Hellman assumption (DDH):

$\{(g, g^x, g^y, g^{xy})\} \approx_c \{(g, g^x, g^y, g^c)\}$

for random $x$, $y$ and $c$, where $\approx_c$ denotes computational indistinguishability
• Under the CDH assumption $K_{A,B}$ is hard to guess; under the DDH assumption $K_{A,B}$ is as good as a random secret
• This holds only when Eve is passive, i.e. she is only allowed to read the sent messages


Pairing the Devices

Cable pairing: connect the two devices by a cable for the initial exchange of $g^x$ and $g^y$
• Simple
• Cheap
• Authenticated channel
• "I thought this is a wireless camera..."

Wireless pairing: the initial exchange itself goes over the air, where it can be intercepted

Diffie-Hellman Key Agreement: Man-in-the-Middle

• Suppose now that Eve is an active adversary, a "man-in-the-middle" attacker
• Alice sends $g^x$ and Bob sends $g^y$, but Eve intercepts both messages and instead delivers $g^a$ to Alice and $g^b$ to Bob, for $a, b$ of her choice
• Alice computes $K_{A,E} = g^{xa}$ and Bob computes $K_{E,B} = g^{by}$; Eve knows both keys
• Completely insecure: when Alice sends $\mathrm{ENC}(K_{A,E}, m)$, Eve can decrypt $m$ and then re-encrypt it as $\mathrm{ENC}(K_{E,B}, m)$ for Bob, and neither party notices
• Solution - message authentication: Alice and Bob authenticate $g^x$ and $g^y$

Message Authentication

• Assure the receiver of a message that it has not been changed by an active adversary
• Alice sends $m$; Eve may deliver some $\hat m$ instead; Bob either outputs a message or rejects

Problem specification:

Completeness: no interference $\Rightarrow$ Bob accepts $m$ (with high probability)

Soundness: for every $m$, $\Pr[\text{Bob accepts some } \hat m \neq m] \le \epsilon$

Message Authentication with a Shared Secret Key

• The secret key enables a single authentication of a message $m \in \{0,1\}^n$
• $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^k\}$ is a family of hash functions
• Alice and Bob share a random function $h \in H$; $h$ is not known to Eve
• To authenticate $m \in \{0,1\}^n$, Alice sends $(m, h(m))$
• Upon receiving $(\hat m, z)$:
• If $z = h(\hat m)$, then Bob outputs $\hat m$ and halts
• Otherwise, Bob outputs $\bot$ and halts

• What properties do we require from $H$?
• Hard to guess $h(\hat m)$, even given $h(m)$: Eve's success probability should be at most $\epsilon$, and this should hold for any $m \neq \hat m$
• Short representation for $h$: $\log|H|$ must be small
• Easy to compute $h(m)$ given $h$ and $m$
• Given $h: \{0,1\}^n \to \{0,1\}^k$ we can always guess a correct output with probability at least $2^{-k}$
• A family where this is tight is called universal$_2$

Definition: a family $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^k\}$ is called strongly universal$_2$ or pair-wise independent if for all $m_1 \neq m_2 \in \{0,1\}^n$ and $y_1, y_2 \in \{0,1\}^k$ we have

$\Pr[h(m_1) = y_1 \text{ and } h(m_2) = y_2] = 2^{-2k}$

where the probability is over a randomly chosen $h \in H$. In particular, $\Pr[h(m_2) = y_2 \mid h(m_1) = y_1] = 2^{-k}$.

Theorem: when a strongly universal$_2$ family is used in the protocol, Eve's probability of cheating is at most $2^{-k}$ (seeing $(m, h(m))$ leaves $h(\hat m)$ uniformly distributed for every $\hat m \neq m$, so Eve can do no better than guess)

The linear polynomial construction:

• Fix a finite field $F$ of size at least the message space $2^n$
• Could be either $GF[2^n]$ or $GF[P]$ for some prime $P \ge 2^n$
• The family $H$ of functions $h: F \to F$ is defined as

$H = \{h_{a,b}(m) = a \cdot m + b \mid a, b \in F\}$

Claim: the family above is strongly universal$_2$

Proof: for every $m_1 \neq m_2$ and $y_1, y_2 \in F$ there are unique $a, b \in F$ such that

$a \cdot m_1 + b = y_1$
$a \cdot m_2 + b = y_2$

(subtracting gives $a = (y_1 - y_2)/(m_1 - m_2)$, well defined since $m_1 \neq m_2$, and then $b = y_1 - a \cdot m_1$), so exactly one of the $|F|^2$ functions maps $(m_1, m_2)$ to $(y_1, y_2)$

Size: each $h \in H$ is represented by $2n$ bits

Theorem: let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}\}$ be a family of pair-wise independent functions. Then $|H|$ is $\Omega(2^n)$

More precisely, to obtain a $d$-wise independent family, $|H|$ should be $\Omega(2^{n \lfloor d/2 \rfloor})$

• N. Alon and J. Spencer, The Probabilistic Method, Chapter 15 (derandomization), Proposition 2.3
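The linear-polynomial family above, as an added example written for this page (it is not code from the talk). It works over $GF[P]$ for a prime $P$ and checks three things the slides state: that the family is strongly universal$_2$ (by enumerating all $P^2$ keys), that Eve's best forgery after seeing one tag succeeds with probability exactly $1/P$, and that the key is strictly one-time, since two tags on distinct messages solve the $2 \times 2$ system from the proof and reveal $(a, b)$. The prime and the small field sizes used for enumeration are my choices.

```python
"""One-time message authentication with h_{a,b}(m) = a*m + b over GF(p).
Added example, not code from the original slides.
Assumption: p is prime (the slides' GF[P] with P >= 2^n) and messages are
integers in [0, p)."""
import secrets
from collections import Counter


def keygen(p):
    """The shared secret: a uniformly random function h_{a,b} in H."""
    return secrets.randbelow(p), secrets.randbelow(p)


def tag(key, m, p):
    """h_{a,b}(m) = a*m + b in GF(p)."""
    a, b = key
    return (a * m + b) % p


def verify(key, m_hat, z, p):
    """Bob's rule: output m_hat if z = h(m_hat), otherwise None (the slides' bottom)."""
    return m_hat if tag(key, m_hat, p) == z else None


def is_strongly_universal(p, m1, m2):
    """Brute-force the definition: over all p^2 keys, every pair
    (h(m1), h(m2)) must occur exactly once, i.e. with probability p^-2."""
    counts = Counter(((a * m1 + b) % p, (a * m2 + b) % p)
                     for a in range(p) for b in range(p))
    return len(counts) == p * p and set(counts.values()) == {1}


def best_forgery_probability(p, m, z, m_hat):
    """Eve has seen (m, z) and wants Bob to accept m_hat != m.  Among the
    keys consistent with (m, z), the most popular value of h(m_hat) is her
    best guess; its share of the consistent keys is her success probability."""
    consistent = [(a, b) for a in range(p) for b in range(p) if (a * m + b) % p == z]
    guesses = Counter((a * m_hat + b) % p for a, b in consistent)
    return max(guesses.values()) / len(consistent)


def recover_key(p, m1, z1, m2, z2):
    """Why the key is one-time: two tags on distinct messages determine
    (a, b) uniquely via the linear system from the strongly-universal proof."""
    a = (z1 - z2) * pow(m1 - m2, -1, p) % p
    b = (z1 - a * m1) % p
    return a, b


if __name__ == "__main__":
    p = 1_000_003                      # prime, assumed; small for the demo
    key = keygen(p)
    m, z = 424242, None
    z = tag(key, m, p)
    print("Bob accepts the genuine message:", verify(key, m, z, p) == m)
    print("family is strongly universal_2 on GF(7):", is_strongly_universal(7, 2, 5))
    print("best forgery probability on GF(7):", best_forgery_probability(7, 2, 3, 5))
    print("key recovered from two tags:", recover_key(p, m, z, m + 1, tag(key, m + 1, p)) == key)
```

`best_forgery_probability` enumerates every consistent key, so keep `p` small when calling it; the $1/p$ it reports is exactly the $2^{-k}$ bound of the theorem, and `recover_key` is the reason the slides insist on a single authentication per key.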

Further directions:

• Reducing the length of the secret key: almost-pair-wise independent hash functions, interaction
• Using the same secret key to authenticate any polynomial number of messages requires computational assumptions (pseudorandom functions)
• Authentication in the public-key world
• Much more to discuss...

Pairing of Wireless Devices

Wireless pairing with a manual channel:

• Over the wireless channel Alice sends $g^x$ and receives $g^a$, while Bob sends $g^y$ and receives $g^b$; under the man-in-the-middle attack Alice's view is $m = g^x \,\|\, g^a$ and Bob's view is $m = g^b \,\|\, g^y$
• Solution: a manual channel. Each device displays a short string (e.g. 141), and the user can compare the two short strings
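The exchanges above, simulated end to end as an added example written for this page (not the talk's code): the honest Diffie-Hellman run, Eve's substitution of $g^a$ and $g^b$ with the decrypt-and-re-encrypt relay, and a naive "display string" built by truncating a hash of each device's view. The last function shows why a naive short string is not enough: once Eve holds $g^x$ and $g^y$ she can search for an $a$ that makes the two 3-digit displays agree in about a thousand trials. The group ($p = 2^{127}-1$, $g = 3$), the XOR keystream cipher and the 3-digit display are toy assumptions of mine, not parameters from the slides.

```python
"""Diffie-Hellman pairing, the man-in-the-middle attack, and a naive
truncated-hash comparison string.  Added example, not from the talk.
Assumptions: toy group p = 2^127 - 1, g = 3 (fast, NOT a secure choice);
ENC is a SHA-256 XOR keystream; the display string is 3 decimal digits."""
import hashlib

P = 2**127 - 1   # toy modulus (a Mersenne prime)
G = 3            # assumed public generator for the demo


def dh_public(exp):
    return pow(G, exp, P)


def dh_shared(peer_pub, exp):
    return pow(peer_pub, exp, P)


def honest_exchange(x, y):
    """Alice (x) and Bob (y) talk directly: both derive K_{A,B} = g^{xy}."""
    gx, gy = dh_public(x), dh_public(y)
    return dh_shared(gy, x), dh_shared(gx, y)


def mitm_exchange(x, y, a, b):
    """Eve intercepts g^x and g^y, delivers g^a to Alice and g^b to Bob.
    Views are (Alice's value, Bob's value) as each party sees them."""
    gx, gy, ga, gb = dh_public(x), dh_public(y), dh_public(a), dh_public(b)
    return {
        "alice": dh_shared(ga, x),          # K_{A,E} = g^{xa}
        "eve_with_alice": dh_shared(gx, a),
        "bob": dh_shared(gb, y),            # K_{E,B} = g^{by}
        "eve_with_bob": dh_shared(gy, b),
        "alice_view": (gx, ga),             # m = g^x || g^a
        "bob_view": (gb, gy),               # m = g^b || g^y
    }


def keystream_xor(key, data):
    """Toy ENC(K, m): XOR with a SHA-256 keystream derived from K."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key.to_bytes(16, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def relay_attack(x, y, a, b, message):
    """Eve decrypts Alice's ciphertext under K_{A,E} and re-encrypts under
    K_{E,B}.  Returns (what Eve read, what Bob decrypts)."""
    k = mitm_exchange(x, y, a, b)
    ct_from_alice = keystream_xor(k["alice"], message)
    seen_by_eve = keystream_xor(k["eve_with_alice"], ct_from_alice)
    ct_to_bob = keystream_xor(k["eve_with_bob"], seen_by_eve)
    return seen_by_eve, keystream_xor(k["bob"], ct_to_bob)


def display_string(view, digits=3):
    """Naive manual channel: the last `digits` decimal digits of
    SHA-256(view).  Honest parties hold the same view and see equal strings."""
    first, second = view
    h = hashlib.sha256(first.to_bytes(16, "big") + second.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % (10 ** digits)


def break_display_string(gx, gy, digits=3, b=2):
    """Eve, holding g^x and g^y, fixes b and searches a such that the two
    displays agree although the views differ: about 10^digits trials."""
    target = display_string((dh_public(b), gy), digits)
    a = 1
    while display_string((gx, dh_public(a)), digits) != target:
        a += 1
    return a, b


if __name__ == "__main__":
    x, y = 12345, 67890                     # the parties' secret exponents (demo values)
    print("honest keys agree:", honest_exchange(x, y)[0] == honest_exchange(x, y)[1])
    seen, got = relay_attack(x, y, 111, 222, b"hello camera")
    print("Eve read:", seen, "| Bob got:", got)
    a, b = break_display_string(dh_public(x), dh_public(y))
    print("Eve's a, b making the 3-digit displays match:", a, b)
```

A 3-digit display is what the user can compare, but against an adversary who picks her own $g^a$ it is only a $10^{3}$-trial obstacle; the rest of the talk is about getting a string of length close to $2\log(1/\epsilon)$ that actually resists such an attacker.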

The Manual Channel Model

• Alice has an input message $m$ that she wants Bob to receive authentically
• Insecure communication channel: interactive, any number of messages in both directions
• Low-bandwidth auxiliary channel: non-interactive, enables Alice to "manually" authenticate one short string $s$
• The adversary Eve may choose the input message $m$, has full control over the insecure channel, and also controls delivery timing
• Goal: minimize the length of the manually authenticated string $s$

• No trusted infrastructure, such as: public key infrastructure, shared secret key, common reference string, ...
• Applications: pairing of wireless devices (Wireless USB, Bluetooth), secure phones (AT&T, PGP, Zfone), many more...

• Implementing the manual channel:
• Compare two strings displayed by the devices (e.g. both show 141)
• Type a string, displayed by one device, into the other device
• Visual hashing
• Voice channel

The Naive Solution

• Alice sends $m$ over the insecure channel (Eve may deliver some $\hat m$ instead) and manually authenticates $H(m)$
• $H$ - collision resistant hash function (e.g., SHA-256)
• No efficient algorithm can find $m \neq \hat m$ s.t. $H(m) = H(\hat m)$ with noticeable probability
• Bob accepts $\hat m$ iff $H(\hat m)$ equals the manually authenticated value, so any adversary that forges a message can be used to find a collision for $H$

Are we done?

• No. The output of SHA-256 is 256 bits (even the 160 bits of SHA-1 would be far too long), so the manually authenticated string cannot be easily compared or typed by humans

Tight Bounds

• Setting: an $n$-bit message $m$, an interactive protocol over the insecure channel, an $\ell$-bit manually authenticated string $s$, and forgery probability $\epsilon$
• No setup or computational assumptions
• Upper bound: a $\log^* n$-round protocol in which $\ell = 2\log(1/\epsilon) + O(1)$
• Matching lower bound: $n \ge 2\log(1/\epsilon) \Rightarrow \ell \ge 2\log(1/\epsilon) - 2$
• One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting
• Summary: $\ell = 2\log(1/\epsilon)$ with unconditional security; $\ell = \log(1/\epsilon)$ with computational security, assuming one-way functions; below $\log(1/\epsilon)$ is impossible

Outline

• Security definition
• Tight bounds
• The protocol
• Lower bound

Security Definition

Unconditionally secure $(n, \ell, k, \epsilon)$-authentication protocol:

• $n$-bit input message $m$
• $\ell$ manually authenticated bits $s$
• $k$ rounds over the insecure channel

Completeness: no interference $\Rightarrow$ Bob accepts $m$ (with high probability)

Unforgeability: for every $m$, $\Pr[\text{Bob accepts some } \hat m \neq m] \le \epsilon$

The Protocol (simplified)

• Based on the [GN93] hashing technique
• In each round, the parties:
• Cooperatively choose a hash function
• Reduce to authenticating a shorter message
• Finally, a short message is manually authenticated

Notation: for $m = m_1 \ldots m_k \in GF[Q]^k$ and $x \in GF[Q]$, let $m(x) = \sum_{i=1}^{k} m_i x^i$

Then, for any $m \neq \hat m$ and for any $c, \hat c \in GF[Q]$,

$\Pr_{x \in_R GF[Q]}[\, m(x) + c = \hat m(x) + \hat c \,] \le k/Q$

(the difference $m(x) - \hat m(x) + c - \hat c$ is a nonzero polynomial of degree at most $k$, so it has at most $k$ roots in $GF[Q]$)

Hashing step: we hash $m$ to $x \,\|\, m(x) + c$, where one party chooses $x$ and the other party chooses $c$

Two-round instance:

• Alice: input $m$, chooses $a_1 \in_R GF[Q_1]$ and $a_2 \in_R GF[Q_2]$
• Bob: chooses $b_1 \in_R GF[Q_1]$ and $b_2 \in_R GF[Q_2]$
• Alice $\to$ Bob (insecure channel): $m, a_1$
• Bob $\to$ Alice (insecure channel): $b_1, b_2$
• Alice $\to$ Bob (manual channel): $m_2$
• Both parties set $Q_1 \approx n/\epsilon$, $Q_2 \approx \log(n)/\epsilon$ and

$m_0 = m$
$m_1 = b_1 \,\|\, m_0(b_1) + a_1$
$m_2 = a_2 \,\|\, m_1(a_2) + b_2$

• Bob accepts iff $m_2$ is consistent with the values he holds
• Manually authenticated bits: two $GF[Q_2]$ elements, i.e. $2\log Q_2 = 2\log(1/\epsilon) + 2\log\log(n) + O(1)$ bits
• With $k$ rounds, the $2\log\log(n)$ term is reduced to $2\log^{(k-1)}(n)$

Security Analysis

• Must consider all generic man-in-the-middle attacks
• Three attacks in our case, differing in how Eve interleaves her conversations with Alice and with Bob (hatted values are the ones Eve delivers):
• Attack #1: Eve receives $(m, a_1)$ from Alice, sends $(\hat m, \hat a_1)$ to Bob, receives $(b_1, b_2)$ from Bob, and only then sends $(\hat b_1, \hat b_2)$ to Alice; finally Alice manually authenticates $m_2$
• Attack #2: Eve receives $(m, a_1)$ from Alice and answers her with $(\hat b_1, \hat b_2)$ before sending $(\hat m, \hat a_1)$ to Bob and receiving $(b_1, b_2)$
• Attack #3: Eve completes the whole exchange with Alice before starting the exchange with Bob

Views of the two parties (Alice's on the left, Bob's on the right):

$m_{0,A} = m$, $\quad m_{0,B} = \hat m$
$m_{1,A} = \hat b_1 \,\|\, m_{0,A}(\hat b_1) + a_1$, $\quad m_{1,B} = b_1 \,\|\, m_{0,B}(b_1) + \hat a_1$
$m_{2,A} = a_2 \,\|\, m_{1,A}(a_2) + \hat b_2$, $\quad m_{2,B} = a_2 \,\|\, m_{1,B}(a_2) + b_2$

Eve succeeds iff $m_{0,A} \neq m_{0,B}$ and $m_{2,A} = m_{2,B}$, and

$\Pr[m_{0,A} \neq m_{0,B} \text{ and } m_{2,A} = m_{2,B}] \le \Pr[m_{1,A} = m_{1,B}] + \Pr[m_{1,A} \neq m_{1,B} \text{ and } m_{2,A} = m_{2,B}] \le \epsilon/2 + \epsilon/2$

Security Analysis - Attack #1

Claim: $\Pr[m_{1,A} = m_{1,B}] \le \epsilon/2$

• If Eve chooses $\hat b_1 \neq b_1$, then $m_{1,A} \neq m_{1,B}$ (the first components differ)
• If Eve chooses $\hat b_1 = b_1$, then $b_1$ was chosen by Bob uniformly at random after $m, \hat m, a_1, \hat a_1$ were already fixed, so by the polynomial bound $\Pr[m_{0,A}(b_1) + a_1 = m_{0,B}(b_1) + \hat a_1] \le \epsilon/2$
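The simplified two-round protocol and the Attack #1 ordering analysed above, as an added example written for this page (not the talk's code). Both parties' computations are given separately so that Bob really recomputes $m_{2,B}$ from his own view, the polynomial collision bound $k/Q$ is checked exactly on a small field, and a substitution attack in which Eve forwards $a_1, b_1, b_2$ unchanged but replaces $m$ is run many times to estimate its success rate. The field sizes $Q_1 = 1000003$ and $Q_2 = 1009$ and the base-$Q$ encoding of messages are my assumptions; the slides only fix $Q_1 \approx n/\epsilon$ and $Q_2 \approx \log(n)/\epsilon$.

```python
"""Simplified two-round manual-channel authentication (the [GN93]-style
hashing from the slides) with a man-in-the-middle simulation.
Added example, not the talk's own code.
Assumptions: Q1 and Q2 are primes chosen for the demo; a message is a
byte string encoded as base-Q digits m_1..m_k (a vector in GF[Q]^k)."""
import random

Q1 = 1_000_003   # prime (assumed); field of the first hashing round
Q2 = 1_009       # prime (assumed); field of the manually authenticated round


def to_field_vector(value, q):
    """Write an integer as digits m_1..m_k in base q, i.e. a vector in GF[q]^k."""
    digits = []
    while value:
        value, d = divmod(value, q)
        digits.append(d)
    return digits or [0]


def poly_eval(coeffs, x, q):
    """m(x) = sum_{i=1..k} m_i x^i in GF[q], evaluated in Horner form."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc + c) * x % q
    return acc


def hash_round(vec, x, c, q):
    """One round: reduce vec to the short pair (x, m(x) + c)."""
    return x, (poly_eval(vec, x, q) + c) % q


def collision_probability(m_vec, mhat_vec, c, chat, q):
    """Exact Pr_x[m(x)+c = mhat(x)+chat] by enumerating x; at most k/q."""
    hits = sum((poly_eval(m_vec, x, q) + c) % q == (poly_eval(mhat_vec, x, q) + chat) % q
               for x in range(q))
    return hits / q


def _m1_vector(m_bytes, b1, a1):
    """m1 = b1 || m0(b1) + a1, then re-encoded as a vector over GF[Q2]."""
    m0 = to_field_vector(int.from_bytes(m_bytes, "big"), Q1)
    m1 = hash_round(m0, b1, a1, Q1)
    return to_field_vector(m1[0] * Q1 + m1[1], Q2)


def alice_manual_string(m, a1, a2, b1_recv, b2_recv):
    """Alice's side: m_{2,A} = a2 || m_{1,A}(a2) + b2_recv from her own view."""
    return hash_round(_m1_vector(m, b1_recv, a1), a2, b2_recv, Q2)


def bob_accepts(m_recv, a1_recv, b1, b2, manual):
    """Bob recomputes m_{2,B} from his own view and accepts iff it equals
    the manually authenticated (a2, t)."""
    a2, t = manual
    return hash_round(_m1_vector(m_recv, b1, a1_recv), a2, b2, Q2)[1] == t


def run(m, mhat=None, rng=None):
    """Honest run if mhat is None.  Otherwise Eve, in the Attack #1 order,
    sees (m, a1), sends (mhat, a1) to Bob, sees (b1, b2) and forwards them
    to Alice unchanged (any b1_hat != b1 makes m_{1,A} != m_{1,B} outright).
    Returns Bob's decision."""
    rng = rng or random.SystemRandom()
    a1, a2 = rng.randrange(Q1), rng.randrange(Q2)    # Alice's coins
    b1, b2 = rng.randrange(Q1), rng.randrange(Q2)    # Bob's coins, chosen after (mhat, a1) are fixed
    m_to_bob = m if mhat is None else mhat
    manual = alice_manual_string(m, a1, a2, b1, b2)
    return bob_accepts(m_to_bob, a1, b1, b2, manual)


def forgery_rate(m, mhat, trials, seed=0):
    """Empirical success of the substitution attack over `trials` runs
    (seeded for reproducibility; real parties would use SystemRandom)."""
    rng = random.Random(seed)
    return sum(run(m, mhat, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    m, mhat = b"wireless camera pairing message", b"wireless camera pairing messagX"
    print("honest run accepted:", run(m))
    print("substitution attack success rate:", forgery_rate(m, mhat, 500))
    print("Pr_x[m(x) = mhat(x)] on GF[101], k = 3:", collision_probability([3, 1, 4], [3, 1, 5], 0, 0, 101))
```

The observed forgery rate is dominated by the second round, roughly $k_2/Q_2$ for the $k_2$ digits of $m_1$ over $GF[Q_2]$, which is exactly the term the $Q_2 \approx \log(n)/\epsilon$ choice keeps below $\epsilon/2$; the first round contributes only about $k_1/Q_1$ with $Q_1 \approx n/\epsilon$.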

Lower Bound

• Consider a protocol in which Alice sends $(m, x_1)$ over the insecure channel, Bob replies with $x_2$, and Alice then manually authenticates $s$
• For $m \in_R \{0,1\}^n$, $M, X_1, X_2, S$ are well-defined random variables
• Goal: $H(S) \ge 2\log(1/\epsilon)$

Entropy Background

• Let $X$ be a random variable over domain $\mathcal{X}$ with probability distribution $P_X$
• The Shannon entropy of $X$ is

$H(X) = -\sum_{x \in \mathcal{X}} P_X(x) \log P_X(x)$

(where $0 \log 0 = 0$)
• Measures the amount of randomness in $X$ on average
• Measures how much we can compress $X$ on average
• $0 \le H(X) \le \log|\mathcal{X}|$, with equality on the left iff $X$ is constant and on the right iff $X$ is uniform
• The min-entropy of $X$ is

$H_\infty(X) = -\log \max_{x \in \mathcal{X}} P_X(x)$

• Measures the amount of randomness in $X$ in the worst case; it is determined by the most likely value(s)
• $0 \le H_\infty(X) \le H(X) \le \log|\mathcal{X}|$: the first inequality is an equality iff $X$ is constant, the second and third iff $X$ is uniform
• Let $X$ and $Y$ be two random variables over domains $\mathcal{X}$ and $\mathcal{Y}$ with probability distributions $P_X$ and $P_Y$
• The conditional Shannon entropy of $X$ given $Y$ is

$H(X \mid Y) = \sum_{y \in \mathcal{Y}} P_Y(y)\, H(X \mid Y = y)$

• Observation (chain rule): $H(X, Y) = H(X) + H(Y \mid X) = H(Y) + H(X \mid Y)$
• The mutual information between $X$ and $Y$ is $I(X; Y) = H(X) - H(X \mid Y)$
• Observation: $I(X; Y) = I(Y; X)$
• Conditional mutual information: $I(X; Y \mid Z) = H(X \mid Z) - H(X \mid Y, Z)$

Lower Bound: Decomposing $H(S)$

• Setting: Alice sends $(M, X_1)$, Bob replies with $X_2$, Alice manually authenticates $S$
• Goal: $H(S) \ge 2\log(1/\epsilon)$

Evolving intuition:

• The parties must use at least $\log(1/\epsilon)$ random bits
• Each party must use at least $\log(1/\epsilon)$ random bits
• Each party must independently reduce $H(S)$ by $\log(1/\epsilon)$ bits

$H(S) = [H(S) - H(S \mid M, X_1)] + [H(S \mid M, X_1) - H(S \mid M, X_1, X_2)] + H(S \mid M, X_1, X_2)$
$\phantom{H(S)} = I(S; M, X_1) + I(S; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$

The terms $I(S; M, X_1) + H(S \mid M, X_1, X_2)$ are attributed to Alice's randomness, and $I(S; X_2 \mid M, X_1)$ to Bob's randomness

Lemma 1 (informal): $I(S; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\epsilon)$
Lemma 2 (informal): $I(S; X_2 \mid M, X_1) \ge \log(1/\epsilon)$

Proof of Lemma 1

Consider the following attack, in which Eve wants Alice to manually authenticate a string $\hat s$ of Eve's choice. Eve acts as follows:

• Alice's input is $m \in_R \{0,1\}^n$, and Alice sends $(m, x_1)$, which Eve intercepts
• Eve chooses $\hat m \in_R \{0,1\}^n$ and sends $(\hat m, \hat x_1)$ to Bob, playing Alice's role on input $\hat m$; Bob replies with $x_2$
• From Bob's view $(\hat m, \hat x_1, x_2)$ Eve determines the string $\hat s$ that would make Bob accept $\hat m$
• Eve samples $\hat x_2$ from the distribution of $X_2$ given $m$, $x_1$ and $\hat s$, and sends $\hat x_2$ to Alice; if $\Pr[\hat s \mid m, x_1] = 0$, Eve quits
• Alice manually authenticates $s$; Eve hopes that $s = \hat s$

Claim: $\Pr[s = \hat s] \ge 2^{-\{I(S; M, X_1) + H(S \mid M, X_1, X_2)\}}$

By the protocol requirements:

$\epsilon \ge \Pr[s = \hat s \text{ and } m \neq \hat m] \ge \Pr[s = \hat s] - 2^{-n}$

Since $n \ge \log(1/\epsilon)$, we get $2\epsilon \ge \Pr[s = \hat s]$, which together with the claim implies

$I(S; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\epsilon) - 1$

Lower Bound: Putting It Together

• $H(S) = I(S; M, X_1) + I(S; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$
• Lemma 1: $I(S; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\epsilon) - 1$ (Alice's randomness)
• Lemma 2: $I(S; X_2 \mid M, X_1) \ge \log(1/\epsilon) - 1$ (Bob's randomness)
• Hence $H(S) \ge 2\log(1/\epsilon) - 2$, and since $S$ is an $\ell$-bit string, $\ell \ge H(S) \ge 2\log(1/\epsilon) - 2$

References

• Whitfield Diffie and Martin E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, 1976
• Peter Gemmell and Moni Naor, Codes for Interactive Authentication, CRYPTO 1993
• Moni Naor, Gil Segev and Adam Smith, Tight Bounds for Unconditionally Secure Authentication Protocols in the Manual Channel and Shared Key Models, CRYPTO 2006
• T. Cover and J. A. Thomas, Elements of Information Theory