Seminar in Foundations of Privacy

Message Authentication in the Manual Channel Model

Gil Segev


Pairing of Wireless Devices

Scenario:

  • Buy a new wireless camera

  • Want to establish a secure channel for the first time

    • Diffie-Hellman key agreement protocol


Diffie-Hellman Key Agreement

  • Alice and Bob wish to agree on a secret key

  • Public parameters:

    • Group $G$

    • Generator $g \in G$

[Diagram: Alice sends $g^x$ to Bob; Bob sends $g^y$ to Alice]

Both parties compute $K_{A,B} = g^{xy}$

  • Security: Even when given $(G, g, g^x, g^y)$ it is still hard to compute $g^{xy}$


Diffie-Hellman Key Agreement

  • Computational Diffie-Hellman assumption (CDH): For every probabilistic polynomial-time algorithm $A$, every polynomial $p(n)$ and all sufficiently large $n$,

    $\Pr[A(G_n, g_n, g_n^x, g_n^y) = g_n^{xy}] < 1/p(n)$

    The probability is taken over $A$'s internal coin tosses and over the random choice of $(x, y)$

  • Decisional Diffie-Hellman assumption (DDH):

    $\{(g, g^x, g^y, g^{xy})\} \approx_c \{(g, g^x, g^y, g^c)\}$

    for random $x$, $y$ and $c$, where $\approx_c$ denotes computational indistinguishability


Diffie-Hellman Key Agreement

  • Alice and Bob wish to agree on a secret key

  • Public parameters:

    • Group $G$

    • Generator $g \in G$

[Diagram: Alice sends $g^x$ to Bob; Bob sends $g^y$ to Alice]

Both parties compute $K_{A,B} = g^{xy}$

  • CDH assumption: $K_{A,B}$ is hard to guess

  • DDH assumption: $K_{A,B}$ is as good as a random secret

  • Secure against passive adversaries

    • Eve is only allowed to read the sent messages


Pairing of Wireless Devices

Scenario:

  • Buy a new wireless camera

  • Want to establish a secure channel for the first time

    • Diffie-Hellman key agreement protocol

[Diagram: the two devices exchange $g^x$ and $g^y$]

Cable pairing

  • Simple

  • Cheap

  • Authenticated channel

“I thought this is a wireless camera…”


Pairing of Wireless Devices

Wireless pairing

Problem: Active adversaries (“man-in-the-middle”)


Pairing of Wireless Devices

Wireless pairing

[Diagram: Alice sends $g^x$ and Bob sends $g^y$; Eve intercepts both and delivers $g^a$ to Alice and $g^b$ to Bob]

Problem: Active adversaries (“man-in-the-middle”)


Diffie-Hellman Key Agreement

  • Suppose now that Eve is an active adversary

    • “man-in-the-middle” attacker

[Diagram: Alice sends $g^x$ and Bob sends $g^y$; Eve intercepts both and delivers $g^a$ to Alice and $g^b$ to Bob. Alice then sends $\mathrm{ENC}(K_{A,E}, m)$, and Eve passes $\mathrm{ENC}(K_{E,B}, m)$ on to Bob]

$K_{A,E} = g^{xa}$

$K_{E,B} = g^{by}$

  • Completely insecure:

    • Eve can decrypt $m$, and then re-encrypt it


Diffie-Hellman Key Agreement

  • Suppose now that Eve is an active adversary

    • “man-in-the-middle” attacker

[Diagram: Alice sends $g^x$ and Bob sends $g^y$; Eve intercepts both and delivers $g^a$ to Alice and $g^b$ to Bob]

$K_{A,E} = g^{xa}$

$K_{E,B} = g^{by}$

  • Solution - Message authentication:

    • Alice and Bob authenticate $g^x$ and $g^y$


Message Authentication

  • Assure the receiver of a message that it has not been changed by an active adversary

[Diagram: Alice sends $m$; Eve may tamper with it; Bob receives $\hat{m}$]

Problem specification:

Completeness: No interference $\Rightarrow$ $\forall m$ Bob accepts $m$ (with high probability)

Soundness: $\forall m$: $\Pr[\text{Bob accepts } \hat{m} \neq m] \le \epsilon$


One-Time Authentication

  • The secret key enables a single authentication of a message $m \in \{0,1\}^n$

  • $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^k\}$ is a family of hash functions

  • Alice and Bob share a random function $h \in H$

    • $h$ is not known to Eve

  • To authenticate $m \in \{0,1\}^n$ Alice sends $(m, h(m))$

  • Upon receiving $(\hat{m}, \hat{z})$:

    • If $\hat{z} = h(\hat{m})$, then Bob outputs $\hat{m}$ and halts

    • Otherwise, Bob outputs $\bot$ and halts


One-Time Authentication

  • What properties do we require from $H$?

  • Hard to guess $h(\hat{m})$

    • Success probability at most $\epsilon$

    • Should hold for any $\hat{m}$


One-Time Authentication

  • What properties do we require from $H$?

  • Hard to guess $h(\hat{m})$ even given $h(m)$

    • Success probability at most $\epsilon$

    • Should hold for any $m$ and $\hat{m}$

  • Short representation for $h$: must have small $\log|H|$

  • Easy to compute $h(m)$ given $h$ and $m$


Universal Hash Functions

  • Given $h: \{0,1\}^n \to \{0,1\}^k$ we can always guess a correct output with probability at least $2^{-k}$

  • A family where this is tight is called universal$_2$

    Definition: a family $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^k\}$ is called strongly universal$_2$ or pair-wise independent if:

    • for all $m_1 \neq m_2 \in \{0,1\}^n$ and $y_1, y_2 \in \{0,1\}^k$ we have

      $\Pr[h(m_1) = y_1 \text{ and } h(m_2) = y_2] = 2^{-2k}$

      where the probability is over a randomly chosen $h \in H$

    In particular $\Pr[h(m_2) = y_2 \mid h(m_1) = y_1] = 2^{-k}$

    Theorem: when a strongly universal$_2$ family is used in the protocol, Eve's probability of cheating is at most $2^{-k}$


Constructing Universal Hash Functions

The linear polynomial construction:

  • Fix a finite field $F$ of size at least the message space $2^n$

    • Could be either $GF[2^n]$ or $GF[P]$ for some prime $P \ge 2^n$

  • The family $H$ of functions $h: F \to F$ is defined as

    $H = \{h_{a,b}(m) = a \cdot m + b \mid a, b \in F\}$

    Claim: the family above is strongly universal$_2$

    Proof: for every $m_1 \neq m_2$ and $y_1, y_2 \in F$ there are unique $a, b \in F$ such that

    $a \cdot m_1 + b = y_1$

    $a \cdot m_2 + b = y_2$

    Size: each $h \in H$ is represented by $2n$ bits
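The linear construction plugged into the one-time authentication protocol of the preceding slides, as an added Python example (not code from the slides): `tag` and `verify` are Alice's and Bob's steps over a large prime field, `is_strongly_universal` checks the claim by exhaustion on a toy field, and `best_forgery_probability` shows that Eve's best guess after seeing one $(m, h(m))$ pair succeeds with probability exactly $1/p$. The prime `P` and all sample messages are constructed for illustration.

```python
# Added example, not code from the slides: a one-time MAC built from the
# linear family h_{a,b}(m) = a*m + b over GF[P] (P prime), plus an exhaustive
# check of the strong-universality claim on a toy field. P and the message
# values below are constructed for illustration.
import secrets
from itertools import product

P = 2**61 - 1  # a Mersenne prime; messages are field elements in [0, P)

def keygen(p=P):
    """Alice and Bob share a random h in H, i.e. a uniformly random pair (a, b)."""
    return secrets.randbelow(p), secrets.randbelow(p)

def tag(key, m, p=P):
    """h_{a,b}(m) = a*m + b in GF[p]; Alice sends (m, tag(key, m))."""
    a, b = key
    return (a * m + b) % p

def verify(key, m_hat, z_hat, p=P):
    """Bob outputs m_hat if z_hat = h(m_hat), otherwise None (the slides' bottom symbol)."""
    return m_hat if tag(key, m_hat, p) == z_hat else None

def best_forgery_probability(m, z, m_hat, p):
    """Eve saw (m, z) and wants some (m_hat, z_hat) with m_hat != m accepted.
    Over the keys consistent with her view, the most popular value of h(m_hat)
    is her best bet; for this family every value is equally likely, so 1/p."""
    consistent = [(a, b) for a, b in product(range(p), repeat=2)
                  if (a * m + b) % p == z]
    counts = {}
    for a, b in consistent:
        z_hat = (a * m_hat + b) % p
        counts[z_hat] = counts.get(z_hat, 0) + 1
    return max(counts.values()) / len(consistent)

def is_strongly_universal(p):
    """Pr_h[h(m1)=y1 and h(m2)=y2] = 1/p^2 for all m1 != m2 and all y1, y2,
    i.e. exactly one of the p^2 keys fits each such quadruple."""
    keys = list(product(range(p), repeat=2))
    for m1, m2, y1, y2 in product(range(p), repeat=4):
        if m1 == m2:
            continue
        fits = sum(1 for a, b in keys
                   if (a * m1 + b) % p == y1 and (a * m2 + b) % p == y2)
        if fits != 1:
            return False
    return True
```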


Lower Bound

Theorem: Let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}\}$ be a family of pair-wise independent functions. Then

$|H|$ is $\Omega(2^n)$

More precisely, to obtain a $d$-wise independent family, $|H|$ should be $\Omega(2^{n \lfloor d/2 \rfloor})$

  • N. Alon and J. Spencer, The Probabilistic Method, Chapter 15 (derandomization), Proposition 2.3


More on Authentication

  • Reducing the length of the secret key

    • Almost-pair-wise independent hash functions

    • Interaction

  • Using the same secret key to authenticate any polynomial number of messages

    • Requires computational assumptions

    • Pseudorandom functions

  • Authentication in the public-key world

  • Much more to discuss…


Pairing of Wireless Devices

Wireless pairing

[Diagram: Eve replaces $g^x$ and $g^y$ with $g^a$ and $g^b$; the values to be authenticated are $m = g^x \| g^a$ on one side and $\hat{m} = g^b \| g^y$ on the other]

  • Impossible without additional setup


Pairing of Wireless Devices

Wireless pairing

[Diagram: Alice and Bob exchange $g^x$ and $g^y$, with Eve's $g^a$ and $g^b$ in between]

Solution:

Manual Channel


The Manual Channel

Wireless pairing

[Diagram: Alice and Bob exchange $g^x$ and $g^y$, with Eve's $g^a$ and $g^b$ in between; each device displays the short string 141]

User can compare two short strings


Manual Channel Model

[Diagram: Alice and Bob exchange $m$ and further messages over the insecure channel; the short string $s$ is sent over the manual channel, shown in an interactive and a non-interactive variant]

  • Insecure communication channel

  • Low-bandwidth auxiliary channel:

    • Enables Alice to “manually” authenticate one short string $s$

  • Adversarial power:

    • Choose the input message $m$

    • Insecure channel: Full control

    • Manual channel: Read, delay

    • Delivery timing


Manual Channel Model

[Diagram: Alice and Bob exchange $m$ and further messages over the insecure channel; the short string $s$ is sent over the manual channel, shown in an interactive and a non-interactive variant]

  • Insecure communication channel

  • Low-bandwidth auxiliary channel:

    • Enables Alice to “manually” authenticate one short string $s$

Goal: Minimize the length of the manually authenticated string


Manual Channel Model

[Diagram: Alice and Bob exchange $m$ and further messages over the insecure channel; the short string $s$ is sent over the manual channel]

  • No trusted infrastructure, such as:

    • Public key infrastructure

    • Shared secret key

    • Common reference string

    • .......

Suitable for ad hoc networks:

  • Pairing of wireless devices

    • Wireless USB, Bluetooth

  • Secure phones

    • AT&T, PGP, Zfone

  • Many more...


Why Is This Model Reasonable?

  • Implementing the manual channel:

    • Compare two strings displayed by the devices

    • Type a string, displayed by one device, into the other device

    • Visual hashing

    • Voice channel

[Figure: two devices, each displaying the short string 141]


The Naive Solution

[Diagram: Alice sends $m$ over the insecure channel, where Eve may replace it with $\hat{m}$; Alice sends $H(m)$ over the manual channel]

  • $H$ - collision resistant hash function (e.g., SHA-256)

    • No efficient algorithm can find $m \neq \hat{m}$ s.t. $H(m) = H(\hat{m})$ with noticeable probability

  • Any adversary that forges a message can be used to find a collision for $H$

Are we done?

  • No. The output length of SHA-256 is too long (160 bits)

    • Cannot be easily compared or typed by humans


Tight Bounds

[Diagram: an $n$-bit message $m$ and further messages over the insecure channel; an $\ell$-bit string $s$ over the manual channel; $\epsilon$ forgery probability]

No setup or computational assumptions

  • Upper bound: $\log^* n$-round protocol in which $\ell = 2\log(1/\epsilon) + O(1)$

  • Matching lower bound: $n \ge 2\log(1/\epsilon)$ $\Rightarrow$ $\ell \ge 2\log(1/\epsilon) - 2$

  • One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting


Our Results - Tight Bounds

[Figure: $\ell$ plotted against $\log(1/\epsilon)$, with the regions labelled $\ell = 2\log(1/\epsilon)$ (unconditional security), $\ell = \log(1/\epsilon)$ (computational security, one-way functions) and impossible]


Outline

  • Security definition

  • Tight bounds

    • The protocol

    • Lower bound


Security Definition

[Diagram: an $n$-bit message $m$ and further messages over the insecure channel; an $\ell$-bit string $s$ over the manual channel]

Unconditionally secure $(n, \ell, k, \epsilon)$-authentication protocol:

  • $n$-bit input message

  • $\ell$ manually authenticated bits

  • $k$ rounds

Completeness: No interference $\Rightarrow$ $\forall m$ Bob accepts $m$ (with high probability)

Unforgeability: $\forall m$: $\Pr[\text{Bob accepts } \hat{m} \neq m] \le \epsilon$




The Protocol (simplified)

  • Based on the [GN93] hashing technique

  • In each round, the parties:

    • Cooperatively choose a hash function

    • Reduce to authenticating a shorter message

  • A short message is manually authenticated

Preliminaries:

For $m = m_1 \ldots m_k \in GF[Q]^k$ and $x \in GF[Q]$, let $m(x) = \sum_{i=1}^{k} m_i x^i$

Then, for any $m \neq \hat{m}$ and for any $c, \hat{c} \in GF[Q]$,

$\Pr_{x \in_R GF[Q]}[\, m(x) + c = \hat{m}(x) + \hat{c} \,] \le k/Q$

We hash $m$ to $x \| m(x) + c$: one party chooses $x$, the other party chooses $c$


The Protocol (simplified)

[Diagram: Alice holds $m$ and sends $(m, a_1)$ to Bob with $a_1 \in_R GF[Q_1]$; Bob replies with $b_1 \in_R GF[Q_1]$ and $b_2 \in_R GF[Q_2]$; Alice picks $a_2 \in_R GF[Q_2]$ and sends $m_2$ over the manual channel; Bob accepts iff $m_2$ is consistent]

Both parties set:

$m_0 = m$

$Q_1 \approx n/\epsilon$, $Q_2 \approx \log(n)/\epsilon$

$m_1 = b_1 \| m_0(b_1) + a_1$

$m_2 = a_2 \| m_1(a_2) + b_2$

Two $GF[Q_2]$ elements $\Rightarrow$ $2\log(1/\epsilon) + 2\log\log(n) + O(1)$ manually authenticated bits

  • $k$ rounds $\Rightarrow$ $2\log\log(n)$ is reduced to $2\log^{(k-1)}(n)$
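The polynomial hash and the two reduction steps above, as an added Python example (not the authors' code): `collision_count` checks the $k/Q$ bound by exhaustion on a toy field, and `run_protocol` runs an honest execution in which Bob recomputes $m_2$ from his own view. The field sizes `q1`, `q2` and the block count `k1` are constructed toy parameters, and $a_2$ is assumed to reach Bob inside the manually authenticated $m_2$.

```python
# Added example, not the authors' code: the [GN93]-style polynomial hash
# m(x) = sum_{i=1}^{k} m_i x^i over GF[Q] and the slides' two hashing steps
# m1 = b1 || m0(b1) + a1 and m2 = a2 || m1(a2) + b2. The field sizes and block
# counts used here are small constructed values, not n/eps and log(n)/eps.
import secrets

def poly_hash(blocks, x, q):
    """m(x) = sum_{i=1}^{k} m_i x^i in GF[q] (q prime); blocks = (m_1, ..., m_k)."""
    acc, x_pow = 0, 1
    for m_i in blocks:
        x_pow = (x_pow * x) % q
        acc = (acc + m_i * x_pow) % q
    return acc

def to_blocks(value, q, k):
    """Encode an integer message as k base-q digits, an element of GF[q]^k."""
    return [(value // q**i) % q for i in range(k)]

def blocks_needed(bound, q):
    """Smallest k with q^k >= bound, so every value below bound fits in GF[q]^k."""
    k = 1
    while q**k < bound:
        k += 1
    return k

def hash_step(blocks, x, c, q):
    """Reduce the message to the shorter message x || m(x) + c (two GF[q] elements)."""
    return [x, (poly_hash(blocks, x, q) + c) % q]

def collision_count(m, m_hat, c, c_hat, q):
    """Number of x in GF[q] with m(x) + c = m_hat(x) + c_hat. For m != m_hat the
    difference is a nonzero polynomial of degree <= k, so the count is at most k:
    this is the slides' Pr_x[m(x) + c = m_hat(x) + c_hat] <= k/Q."""
    return sum(1 for x in range(q)
               if (poly_hash(m, x, q) + c) % q == (poly_hash(m_hat, x, q) + c_hat) % q)

def m2_from_view(m, a1, b1, b2, a2, q1, q2, k1):
    """The manually authenticated string m2 computed from one party's view."""
    m1 = hash_step(to_blocks(m, q1, k1), b1, a1, q1)        # m1 = b1 || m0(b1) + a1
    m1_int = m1[0] + m1[1] * q1                              # re-encode m1 over GF[q2]
    k2 = blocks_needed(q1 * q1, q2)
    return hash_step(to_blocks(m1_int, q2, k2), a2, b2, q2)  # m2 = a2 || m1(a2) + b2

def run_protocol(m, q1, q2, k1, m_hat=None):
    """Alice's input is m; Bob's view of the first message is m_hat (m when nobody
    tampers). Bob accepts iff his recomputed m2 equals the m2 Alice authenticates."""
    m_hat = m if m_hat is None else m_hat
    a1 = secrets.randbelow(q1)   # Alice -> Bob over the insecure channel
    b1 = secrets.randbelow(q1)   # Bob -> Alice over the insecure channel
    b2 = secrets.randbelow(q2)
    a2 = secrets.randbelow(q2)   # travels inside m2 over the manual channel
    m2_alice = m2_from_view(m, a1, b1, b2, a2, q1, q2, k1)
    m2_bob = m2_from_view(m_hat, a1, b1, b2, a2, q1, q2, k1)
    return m2_alice == m2_bob
```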


Security Analysis

  • Must consider all generic man-in-the-middle attacks.

  • Three attacks in our case:

Attack #1

[Diagram: Eve receives $(m, a_1)$ from Alice and sends $(\hat{m}, \hat{a}_1)$ to Bob; Bob replies $(b_1, b_2)$ and Eve sends $(\hat{b}_1, \hat{b}_2)$ to Alice; $m_2$ is sent over the manual channel]

Security Analysis

  • Must consider all generic man-in-the-middle attacks.

  • Three attacks in our case:

Attack #2

[Diagram: Eve first sends $(\hat{m}, \hat{a}_1)$ to Bob and receives $(b_1, b_2)$; only then does she receive $(m, a_1)$ from Alice and answer with $(\hat{b}_1, \hat{b}_2)$; $m_2$ is sent over the manual channel]


Security Analysis

  • Must consider all generic man-in-the-middle attacks.

  • Three attacks in our case:

Attack #3

[Diagram: Eve receives $(m, a_1)$ from Alice, answers with $(\hat{b}_1, \hat{b}_2)$, and Alice sends $m_2$ over the manual channel; only then does Eve send $(\hat{m}, \hat{a}_1)$ to Bob, receive $(b_1, b_2)$, and let $m_2$ reach Bob]


Security Analysis – Attack #1

[Diagram: Eve receives $(m, a_1)$ from Alice and sends $(\hat{m}, \hat{a}_1)$ to Bob; Bob replies $(b_1, b_2)$ and Eve sends $(\hat{b}_1, \hat{b}_2)$ to Alice; $m_2$ is sent over the manual channel]

$m_{0,A} = m$

$m_{0,B} = \hat{m}$

$m_{1,A} = \hat{b}_1 \| m_{0,A}(\hat{b}_1) + a_1$

$m_{1,B} = b_1 \| m_{0,B}(b_1) + \hat{a}_1$

$m_{2,A} = a_2 \| m_{1,A}(a_2) + \hat{b}_2$

$m_{2,B} = a_2 \| m_{1,B}(a_2) + b_2$

$\Pr[m_{0,A} \neq m_{0,B} \text{ and } m_{2,A} = m_{2,B}] \le \Pr[m_{1,A} = m_{1,B}] + \Pr[m_{1,A} \neq m_{1,B} \text{ and } m_{2,A} = m_{2,B}] \le \epsilon/2 + \epsilon/2$


Security Analysis – Attack #1

[Diagram, first round only: Alice sends $(m, a_1)$, Eve sends $(\hat{m}, \hat{a}_1)$ to Bob; Bob sends $b_1$, Eve sends $\hat{b}_1$ to Alice]

$m_{0,A} = m$

$m_{0,B} = \hat{m}$

$m_{1,A} = \hat{b}_1 \| m_{0,A}(\hat{b}_1) + a_1$

$m_{1,B} = b_1 \| m_{0,B}(b_1) + \hat{a}_1$

Claim: $\Pr[m_{1,A} = m_{1,B}] \le \epsilon/2$

  • Eve chooses $\hat{b}_1 \neq b_1$ $\Rightarrow$ $m_{1,A} \neq m_{1,B}$

  • Eve chooses $\hat{b}_1 = b_1$ $\Rightarrow$ $\Pr[m_{0,A}(b_1) + a_1 = m_{0,B}(b_1) + \hat{a}_1] \le \epsilon/2$




Lower Bound

[Diagram: Alice sends $m, x_1$ to Bob; Bob sends $x_2$ to Alice; Alice manually authenticates $s$]

  • $m \in_R \{0,1\}^n$ $\Rightarrow$ $M, X_1, X_2, S$ are well-defined random variables


Lower Bound

[Diagram: Alice sends $M, X_1$ to Bob; Bob sends $X_2$ to Alice; Alice manually authenticates $S$]

  • Goal: $H(S) \ge 2\log(1/\epsilon)$


Shannon Entropy

  • Let $X$ be a random variable over domain $\mathcal{X}$ with probability distribution $P_X$

  • The Shannon entropy of $X$ is

    $H(X) = -\sum_{x \in \mathcal{X}} P_X(x) \log P_X(x)$

    (where $0 \log 0 = 0$)

  • Measures the amount of randomness in $X$ on average

  • Measures how much we can compress $X$ on average

    $0 \le H(X) \le \log|\mathcal{X}|$

    Equality on the left $\Leftrightarrow$ $X$ is constant; equality on the right $\Leftrightarrow$ $X$ is uniform


A Related Notion: Min-Entropy

  • Let $X$ be a random variable over domain $\mathcal{X}$ with probability distribution $P_X$

  • The min-entropy of $X$ is

    $H_\infty(X) = -\log \max_{x \in \mathcal{X}} P_X(x)$

  • Measures the amount of randomness in $X$ in the worst case

  • Represents the most likely value(s)

    $0 \le H_\infty(X) \le H(X) \le \log|\mathcal{X}|$

    Equality in the first inequality $\Leftrightarrow$ $X$ is constant; in the second and third $\Leftrightarrow$ $X$ is uniform


Conditional Shannon Entropy

  • Let $X$ and $Y$ be two random variables over domains $\mathcal{X}$ and $\mathcal{Y}$ with probability distributions $P_X$ and $P_Y$

  • The conditional Shannon entropy of $X$ given $Y$ is

    $H(X \mid Y) = \sum_{y \in \mathcal{Y}} P_Y(y)\, H(X \mid Y = y)$

  • Observation:

    $H(X, Y) = H(X) + H(Y \mid X)$

    $H(X, Y) = H(Y) + H(X \mid Y)$


Shannon Mutual Information

  • The mutual information between $X$ and $Y$ is

    $I(X; Y) = H(X) - H(X \mid Y)$

  • Observation: $I(X; Y) = I(Y; X)$

  • Conditional mutual information:

    $I(X; Y \mid Z) = H(X \mid Z) - H(X \mid Y, Z)$


Lower Bound

[Diagram: Alice sends $M, X_1$ to Bob; Bob sends $X_2$ to Alice; Alice manually authenticates $S$]

  • Goal: $H(S) \ge 2\log(1/\epsilon)$

Evolving intuition:

  • The parties must use at least $\log(1/\epsilon)$ random bits

  • Each party must use at least $\log(1/\epsilon)$ random bits

  • Each party must independently reduce $H(S)$ by $\log(1/\epsilon)$ bits

$H(S) = [H(S) - H(S \mid M, X_1)] + [H(S \mid M, X_1) - H(S \mid M, X_1, X_2)] + H(S \mid M, X_1, X_2)$

$\phantom{H(S)} = I(S ; M, X_1) + I(S ; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$
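The decomposition above checked numerically, as an added Python example (not from the slides): the entropy, conditional entropy and mutual information definitions of the preceding slides are implemented over a constructed joint distribution of $(M, X_1, X_2, S)$, using a toy rule for $S$ that stands in for no real protocol, and the three terms are shown to sum to $H(S)$.

```python
# Added example, not from the slides: the chain-rule decomposition
# H(S) = I(S;M,X1) + I(S;X2|M,X1) + H(S|M,X1,X2) evaluated on a constructed
# joint distribution of (M, X1, X2, S). The rule S = (M + X1 + X2) mod 3 is a
# toy stand-in for "Alice's manually authenticated string", not a real protocol.
from collections import defaultdict
from itertools import product
from math import log2

M, X1, X2, S = 0, 1, 2, 3   # positions of the variables inside an outcome tuple

def joint_distribution():
    """P(m, x1, x2, s) with M in {0,1}, X1 in {0,1,2}, X2 in {0,1} uniform and
    independent, and S = (M + X1 + X2) mod 3 a deterministic function of them."""
    outcomes = list(product(range(2), range(3), range(2)))
    return {(m, x1, x2, (m + x1 + x2) % 3): 1 / len(outcomes) for m, x1, x2 in outcomes}

def marginal(dist, idx):
    """Marginal distribution of the coordinates listed in idx."""
    out = defaultdict(float)
    for outcome, p in dist.items():
        out[tuple(outcome[i] for i in idx)] += p
    return out

def H(dist, idx):
    """Shannon entropy H(X) = -sum P(x) log P(x), with 0 log 0 = 0."""
    return -sum(p * log2(p) for p in marginal(dist, idx).values() if p > 0)

def H_cond(dist, idx, given):
    """H(X|Y) = H(X,Y) - H(Y), the slides' observation rearranged."""
    return H(dist, idx + given) - H(dist, given)

def I_cond(dist, idx, other, given=()):
    """I(X;Y|Z) = H(X|Z) - H(X|Y,Z); with given=() this is plain I(X;Y)."""
    return H_cond(dist, idx, given) - H_cond(dist, idx, other + given)

def min_entropy(dist, idx):
    """H_inf(X) = -log max_x P(x); never exceeds H(X)."""
    return -log2(max(marginal(dist, idx).values()))

def decomposition(dist):
    """(H(S), I(S;M,X1), I(S;X2|M,X1), H(S|M,X1,X2)); the last three sum to the first."""
    return (H(dist, (S,)),
            I_cond(dist, (S,), (M, X1)),
            I_cond(dist, (S,), (X2,), (M, X1)),
            H_cond(dist, (S,), (M, X1, X2)))
```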




Lower Bound

[Diagram: Alice sends $M, X_1$ to Bob; Bob sends $X_2$ to Alice; Alice manually authenticates $S$]

  • Goal: $H(S) \ge 2\log(1/\epsilon)$

$H(S) = I(S ; M, X_1) + I(S ; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$

(the figure labels the first and third terms as Alice's randomness and the second as Bob's randomness)

Lemma 1: $I(S ; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\epsilon)$

Lemma 2: $I(S ; X_2 \mid M, X_1) \ge \log(1/\epsilon)$


Proof of Lemma 1

Consider the following attack:

[Diagram: Alice sends $(m, x_1)$, which Eve receives; Eve sends $(\hat{m}, \hat{x}_1)$ to Bob and receives $x_2$; Eve sends $\hat{x}_2$ to Alice; Alice manually authenticates $s$]

Eve wants Alice to manually authenticate $\hat{s}$

Eve acts as follows:

  • Chooses $m \in_R \{0,1\}^n$

  • Chooses $\hat{m} \in_R \{0,1\}^n$

  • Samples $\hat{x}_2$ from the distribution of $X_2$ given $m$, $x_1$ and $\hat{s}$, and hopes that $s = \hat{s}$

    If $\Pr[\hat{s} \mid m, x_1] = 0$ Eve quits

  • Forwards $s$


Proof of Lemma 1

Claim: $\Pr[s = \hat{s}] \ge 2^{-\{I(S ; M, X_1) + H(S \mid M, X_1, X_2)\}}$

By the protocol requirements:

$\epsilon \ge \Pr[s = \hat{s} \text{ and } m \neq \hat{m}] \ge \Pr[s = \hat{s}] - 2^{-n}$

Since $n \ge \log(1/\epsilon)$, we get

$2\epsilon \ge \Pr[s = \hat{s}]$

which implies

$I(S ; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\epsilon) - 1$


Lower Bound

[Diagram: Alice sends $M, X_1$ to Bob; Bob sends $X_2$ to Alice; Alice manually authenticates $S$]

  • Goal: $H(S) \ge 2\log(1/\epsilon) - 2$

$H(S) = I(S ; M, X_1) + I(S ; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$

Lemma 1 (Alice's randomness): $I(S ; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\epsilon) - 1$

Lemma 2 (Bob's randomness): $I(S ; X_2 \mid M, X_1) \ge \log(1/\epsilon) - 1$


References

  • Whitfield Diffie and Martin E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, 1976.

  • Peter Gemmell and Moni Naor. Codes for Interactive Authentication. CRYPTO 1993.

  • Moni Naor, Gil Segev and Adam Smith. Tight Bounds for Unconditionally Secure Authentication Protocols in the Manual Channel and Shared Key Models. CRYPTO 2006.

  • T. Cover and J. A. Thomas. Elements of Information Theory.