Secret Handshakes from Pairing-Based Key Agreements

Dirk Balfanz, Glenn Durfee, Narrendar Shankar

Diana Smetters, Jessica Staddon, Hao-chi Wong

Presented by

Sen Xu, Feng Yue


A Scenario

  • Alice wants to authenticate herself to the server, but does not want to reveal her credential until the server has authenticated itself.

  • Similarly, the server does not want to authenticate itself until Alice has authenticated.


Solution? – Secret handshake!

  • Non-members cannot recognize or perform the handshake.

  • What happens after a handshake, with A ∈ G1 and B ∈ G2:

  • If G1 ≠ G2, A and B learn nothing about each other's group membership.

  • If G1 = G2, A and B learn that they belong to the same organization.

  • Members can choose to authenticate only to members holding certain roles.

  • A third party (eavesdropper) learns nothing.


Applications of Secret Handshake

  • Securely discover restricted services

  • Privacy preserving authentication

  • Identify roles in a certain group.


Group Background

  • Cyclic group: a group containing an element x such that every element of the group can be written as x^k for some integer k.

  • x is called a generator of the cyclic group.

  • E.g. {2, 4, 8} = {2^1, 2^2, 2^3} is generated by x = 2 (it is a group under multiplication modulo 14, with identity element 8).


Order of a Group, Order of an Element

  • Order of a group G: the number of elements in G. (The word "order" is overloaded; see the next bullet.)

  • Order of an element g: the least positive integer k such that g^k is the identity element. In general, finding the order of an element of a group is at least as hard as factoring (Meijer 1996).

  • Every group of prime order is cyclic.


Identity Element

  • The identity element I (also written E or e) of a group or related mathematical structure S is the unique element such that I·a = a·I = a for every element a ∈ S. The symbol "E" derives from the German word for unity, "Einheit". An identity element is also called a unit element.

  • For multiplication, I = 1.

  • For addition, I = 0.


Tate Pairing

  • Elliptic curves: non-singular cubic curves; their points, together with a point at infinity, form an abelian group under the chord-and-tangent law. Over a finite field this group is what the pairing is defined on.

  • Weierstrass form: y^2 = x^3 + ax + b


[Figure: plots of the real curves y^2 = x^3 − x + 1 and y^2 = x^3 − x]


Tate Pairing continued

  • Bilinearity, the most important property of the Tate pairing:

  • e(aP, bQ) = e(P, Q)^(ab)


An Example of Secret Handshake

  • Ministry of transportation: master secret t

  • Driver Alice: (“p65748392a”, T_A)

  • T_A = t · H1(“p65748392a-driver”) = tP

  • Cop Bob: (“xy6542678d”, T_B)

  • T_B = t · H1(“xy6542678d-cop”) = tQ


Procedure

  • Bob → Alice: “xy6542678d”

  • Alice → Bob: “p65748392a”

  • Alice computes K_A = e(H1(“xy6542678d-cop”), T_A) = e(Q, tP) = e(P, Q)^t

  • Bob computes K_B = e(T_B, H1(“p65748392a-driver”)) = e(tQ, P) = e(P, Q)^t

  • K_A = K_B. The two values agree only because both T_A and T_B were issued with the same master secret t (the modified pairing on supersingular curves is symmetric, so the argument order does not matter). Neither side has revealed its own credential, and the exchanged pseudonyms alone do not reveal group membership.


Another Example

  • Pro-democracy movement: master secret m

  • Alice: (“y23987447y”, M_A)

  • M_A = m · H1(“y23987447y-member”)

  • Claire: (“k61932843u”, M_C)

  • M_C = m · H1(“k61932843u-member”)

  • The check procedure is the same.


Impostor?

  • Dolores claims to be a member but holds no credential from the movement.

  • Alice follows the procedure and generates a session key.

  • Alice encrypts a number N with the session key and asks for N + 1.

  • The reply does not decrypt to N + 1.

  • Dolores is not in the movement.

  • Dolores learns nothing about the movement (not even that Alice is a member).
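The driver/cop key agreement and the impostor check from the preceding slides, as an added example; this is not code from the slides or from Balfanz et al. The Tate pairing is replaced by a multiplication-modulo-q stand-in, which is bilinear and non-degenerate but has no security whatsoever (recovering t from a credential is a modular inversion here, an elliptic-curve discrete log in the real scheme), so the block shows the data flow and the bilinearity the scheme relies on, nothing more. The pseudonyms are the slides'; the master secret, the challenge/response encoding and Dolores's guessed secret are constructed for the demo.

```python
"""Toy version of the driver / cop key agreement (added example, not the paper's code).

The pairing is replaced by multiplication modulo a prime q with G1 = G2 = Z_q.
That map is bilinear and non-degenerate but offers no security: it exists only
to show why both sides land on the same key and why an outsider does not.
"""
import hashlib

Q = 2**127 - 1                       # prime; toy G1 = G2 = Z_Q (constructed parameter)


def h1(label: str) -> int:
    """H1: {0,1}* -> G1, mapping a string to a non-identity group element."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % Q or 1


def e(a: int, b: int) -> int:
    """Toy pairing.  Bilinearity, written additively: e(x*a, y*b) = x*y*e(a, b)."""
    return (a * b) % Q


def is_bilinear(x: int, y: int, a: int, b: int) -> bool:
    """Check e(xA, yB) = xy * e(A, B) for the toy map."""
    return e(x * a % Q, y * b % Q) == x * y * e(a, b) % Q


def issue(master_secret: int, pseudonym: str, role: str) -> int:
    """Ministry: T_U = t * H1("pseudonym-role"); only the holder of t can do this."""
    return master_secret * h1(f"{pseudonym}-{role}") % Q


def agree(own_credential: int, peer_pseudonym: str, peer_role: str) -> int:
    """K = e(H1("peer-role"), T_own).  Both sides get t * e(P, Q) when both T's are genuine."""
    return e(h1(f"{peer_pseudonym}-{peer_role}"), own_credential)


def _pad(key: int, domain: bytes) -> bytes:
    # Separate keystreams for challenge and reply, so a wrong key cannot pass by
    # XOR malleability (with one shared pad, flipping bits would survive the +1).
    return hashlib.sha256(domain + key.to_bytes(16, "big")).digest()[:8]


def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))


def challenge(key: int, n: int) -> bytes:
    """Alice: encrypt N under the agreed key."""
    return _xor(n.to_bytes(8, "big"), _pad(key, b"chal"))


def respond(key: int, ct: bytes) -> bytes:
    """Peer: decrypt, add one, encrypt the answer under its own view of the key."""
    n = int.from_bytes(_xor(ct, _pad(key, b"chal")), "big")
    return _xor(((n + 1) % 2**64).to_bytes(8, "big"), _pad(key, b"resp"))


def verify(key: int, n: int, reply: bytes) -> bool:
    """Alice: the reply must decrypt to N + 1 under her key."""
    return int.from_bytes(_xor(reply, _pad(key, b"resp")), "big") == (n + 1) % 2**64


def run(t: int = 0x2A, n: int = 123456) -> dict:
    """Alice (driver) challenges a genuine cop, then an impostor; t is the ministry's secret."""
    t_a = issue(t, "p65748392a", "driver")
    t_b = issue(t, "xy6542678d", "cop")
    k_a = agree(t_a, "xy6542678d", "cop")           # e(Q, tP)
    k_b = agree(t_b, "p65748392a", "driver")        # e(tQ, P)
    # Dolores never got a credential from the ministry; she guesses some t' != t.
    t_d = issue((t + 1) % Q, "dolores-fake-id", "cop")
    k_a_vs_d = agree(t_a, "dolores-fake-id", "cop")
    k_d = agree(t_d, "p65748392a", "driver")
    return {
        "keys_match": k_a == k_b,
        "cop_passes": verify(k_a, n, respond(k_b, challenge(k_a, n))),
        "impostor_passes": verify(k_a_vs_d, n, respond(k_d, challenge(k_a_vs_d, n))),
    }


if __name__ == "__main__":
    print(run())
```

The outsider fails deterministically here because her key differs from Alice's by a factor of H1(·)·H1(·) modulo the prime q, which cannot be zero; in the real scheme the same argument holds inside the order-q pairing group, and the hardness of recovering t is what stops Dolores from computing a matching credential.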


Definitions of Secret-Handshake Scheme

  • A set U of possible users

  • A set G of groups

  • A set A of administrators (one per group: the administrator creates the group and issues the user secrets)


Secret-Handshake Scheme

  • CreateGroup: G → {0,1}* (the administrator generates the group secret)

  • AddUser: U × G × {0,1}* → {0,1}* (the administrator gives the user its user secret)

  • Handshake(A, B): the protocol run between users A and B

  • TraceUser: {0,1}* → U (maps a handshake transcript to a user)

  • RemoveUser: {0,1}* × U → {0,1}* (inserts u into the revoked-user list)


Concrete Secret-Handshake Scheme

  • Computable, non-degenerate bilinear map e: G1 × G1 → G2

  • Example: modified Weil or Tate pairings on supersingular elliptic curves.

  • H1: {0,1}* → G1 (hash onto the group)

  • H2: a collision-resistant hash function


Concrete Secret-Handshake Scheme

  • CreateGroup: S_G ∈ Z_q (q is the prime order of G1)

  • AddUser: a list of “pseudonyms” id_U1, …, id_Ut ∈ {0,1}* for U.

    The administrator calculates priv_Ui = S_G · H1(id_Ui)

  • UserSecret_{U,G} = the list of pairs (id_Ui, priv_Ui)


Concrete Handshake

  • A → B: id_A, n_A

  • B → A: id_B, n_B, V0

  • A → B: V1

  • V0 = H2(e(H1(id_A), priv_B) || id_A || id_B || n_A || n_B || 0), computed by B;
    A checks it against H2(e(priv_A, H1(id_B)) || id_A || id_B || n_A || n_B || 0)

  • V1 = H2(e(priv_A, H1(id_B)) || id_A || id_B || n_A || n_B || 1), computed by A;
    B checks it against H2(e(H1(id_A), priv_B) || id_A || id_B || n_A || n_B || 1)


Concrete Handshake Continued

  • If both verifications succeed, then

  • S_A = H2(e(priv_A, H1(id_B)) || id_A || id_B || n_A || n_B || 2)

  • S_B = H2(e(H1(id_A), priv_B) || id_A || id_B || n_A || n_B || 2)

  • e(priv_A, H1(id_B)) = e(S_G·H1(id_A), H1(id_B)) = e(H1(id_A), H1(id_B))^(S_G) = e(H1(id_A), S_G·H1(id_B)) = e(H1(id_A), priv_B), so S_A = S_B. The fresh nonces n_A, n_B bind V0, V1 and the session key to this run, so an eavesdropper cannot replay them.

  • TraceUser: given a transcript of a handshake between A and B, the administrator recovers the pseudonyms id_A and id_B (they are sent in the clear) and looks up the users they were issued to.


Concrete Secret-Handshake Scheme with Roles

  • CreateGroup: as before, S_G ∈ Z_q

  • AddUser: a list of “pseudonyms” id_U1, …, id_Ut ∈ {0,1}* for U, each tied to U's role R.

    The administrator calculates priv_Ui = S_G · H1(id_Ui || R)


Concrete Handshake with Roles

  • A → B: id_A, n_A

  • B → A: id_B, n_B, V0

  • A → B: V1

  • R'_B is the role A requires of B, and R'_A the role B requires of A.

  • V0 = H2(e(H1(id_A || R'_A), priv_B) || id_A || id_B || n_A || n_B || 0), computed by B;
    A checks it against H2(e(priv_A, H1(id_B || R'_B)) || id_A || id_B || n_A || n_B || 0)

  • V1 = H2(e(priv_A, H1(id_B || R'_B)) || id_A || id_B || n_A || n_B || 1), computed by A;
    B checks it against H2(e(H1(id_A || R'_A), priv_B) || id_A || id_B || n_A || n_B || 1)

  • The values agree only if B's credential was issued for role R'_B and A's for role R'_A.


Concrete Handshake with Roles Continued

  • If both verifications succeed, then

  • S_A = H2(e(priv_A, H1(id_B || R'_B)) || id_A || id_B || n_A || n_B || 2)

  • S_B = H2(e(H1(id_A || R'_A), priv_B) || id_A || id_B || n_A || n_B || 2)

  • TraceUser and RemoveUser are identical to PBH (the pairing-based handshake without roles).
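The full three-message PBH handshake with roles, together with CreateGroup, AddUser, TraceUser and RemoveUser, as one added example (not the authors' code). As in the driver/cop toy, the pairing is replaced by multiplication modulo a prime q, so the block demonstrates the protocol logic (nonce binding, the V0/V1 checks, role binding, tracing from the cleartext pseudonyms, revocation, and fresh pseudonyms per run) but provides no cryptographic security. The H2 input encoding, 16-byte nonces, 10-hex-character pseudonyms and the "|" separator standing in for || are assumptions made for the demo.

```python
"""Toy PBH secret handshake with roles (added example, not the paper's code).

G1 = G2 = Z_Q and e(a, b) = a*b mod Q: bilinear and non-degenerate, but S_G is
recoverable from any credential by a modular inversion, whereas the real scheme
rests on the elliptic-curve discrete log.  Only the protocol flow is faithful.
"""
import hashlib
import secrets

Q = 2**127 - 1                                  # prime; constructed toy parameter


def h1(label: str) -> int:
    """H1: {0,1}* -> G1 (never returns the identity 0)."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % Q or 1


def e(a: int, b: int) -> int:
    """Toy symmetric bilinear map: e(x*a, y*b) = x*y*e(a, b), written additively."""
    return (a * b) % Q


def h2(*parts) -> bytes:
    """H2: collision-resistant hash over a length-prefixed encoding of its inputs."""
    enc = [x if isinstance(x, bytes) else str(x).encode() for x in parts]
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in enc)).digest()


class Administrator:
    """CreateGroup / AddUser / TraceUser / RemoveUser for one group."""

    def __init__(self):
        self.s_g = secrets.randbelow(Q - 1) + 1     # CreateGroup: S_G in Z_Q
        self.owner = {}                             # pseudonym -> user, for TraceUser
        self.revoked = set()                        # RevokedUserList (pseudonyms)

    def add_user(self, user: str, role: str, count: int = 3) -> list:
        """Issue (id_Ui, priv_Ui) pairs with priv_Ui = S_G * H1(id_Ui || R)."""
        creds = []
        for _ in range(count):
            pid = secrets.token_hex(5)
            self.owner[pid] = user
            creds.append((pid, self.s_g * h1(pid + "|" + role) % Q))
        return creds

    def trace_user(self, transcript: dict) -> tuple:
        """Pseudonyms travel in the clear, so the admin maps them back to users."""
        return self.owner.get(transcript["idA"]), self.owner.get(transcript["idB"])

    def remove_user(self, user: str) -> None:
        self.revoked |= {pid for pid, u in self.owner.items() if u == user}


class Party:
    def __init__(self, pid: str, priv: int, expected_peer_role: str):
        self.pid, self.priv, self.peer_role = pid, priv, expected_peer_role

    def shared(self, peer_id: str) -> int:
        """A: e(priv_A, H1(id_B || R'_B)); B: e(H1(id_A || R'_A), priv_B)."""
        return e(self.priv, h1(peer_id + "|" + self.peer_role))


def handshake(a: Party, b: Party, revoked=frozenset()) -> dict:
    """Run the three messages; each side checks the other's tag before proceeding."""
    n_a, n_b = secrets.token_bytes(16), secrets.token_bytes(16)
    tr = {"idA": a.pid, "nA": n_a, "idB": b.pid, "nB": n_b}      # msg 1 and msg 2 fields
    ctx = (a.pid, b.pid, n_a, n_b)
    k_b = b.shared(a.pid)
    tr["V0"] = h2(k_b, *ctx, 0)                                    # B -> A: id_B, n_B, V0
    k_a = a.shared(b.pid)
    if b.pid in revoked or tr["V0"] != h2(k_a, *ctx, 0):           # A verifies V0
        return {"transcript": tr, "A_accepts": False, "B_accepts": False}
    tr["V1"] = h2(k_a, *ctx, 1)                                    # A -> B: V1
    if a.pid in revoked or tr["V1"] != h2(k_b, *ctx, 1):           # B verifies V1
        return {"transcript": tr, "A_accepts": True, "B_accepts": False}
    return {"transcript": tr, "A_accepts": True, "B_accepts": True,
            "S_A": h2(k_a, *ctx, 2), "S_B": h2(k_b, *ctx, 2)}


def demo() -> dict:
    admin = Administrator()
    alice, claire = admin.add_user("Alice", "member"), admin.add_user("Claire", "member")
    ok = handshake(Party(*alice[0], "member"), Party(*claire[0], "member"), admin.revoked)
    # A fresh pseudonym per run: nothing identifying repeats between Alice's handshakes.
    again = handshake(Party(*alice[1], "member"), Party(*claire[1], "member"), admin.revoked)
    # Alice insists the peer hold the "cop" role; Claire's credential is for "member".
    role = handshake(Party(*alice[2], "cop"), Party(*claire[2], "member"), admin.revoked)
    # Dolores holds a credential from a different group, i.e. a different S_G.
    dolores = Administrator().add_user("Dolores", "member")
    outsider = handshake(Party(*alice[0], "member"), Party(*dolores[0], "member"), admin.revoked)
    admin.remove_user("Claire")
    gone = handshake(Party(*alice[0], "member"), Party(*claire[0], "member"), admin.revoked)
    return {"both_accept": ok["A_accepts"] and ok["B_accepts"],
            "keys_match": ok["S_A"] == ok["S_B"],
            "traced": admin.trace_user(ok["transcript"]),
            "unlinkable": ok["transcript"]["idA"] != again["transcript"]["idA"],
            "role_mismatch_rejected": not role["A_accepts"],
            "outsider_rejected": not outsider["A_accepts"],
            "revoked_rejected": not gone["A_accepts"]}
```

Two practitioner points the run makes visible: A never sends V1 unless V0 verified, so a non-member who opens a handshake learns only that it failed, and the tracing works precisely because the pseudonyms are cleartext, which is why a user must spend a fresh pseudonym on every run to stay unlinkable.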


Security for Secret-Handshake Schemes

Some definitions:

  • Security parameter:

    • Length of the prime modulus (q)

  • Negligible:

    • ε(t) is negligible if for every polynomial p(·), ε(t) < 1/p(t) for all sufficiently large t

  • Random simulation:

    • R replaces all outgoing messages with uniformly random bit strings of the same length.


Definitions

  • Interaction:

    • The adversary A runs a possibly modified version of SHS.Handshake(A, B)

    • A interacts with B: A.Handshake(A, B)

    • A interacts with a random simulation: A.Handshake(A, R)


Group Member Impersonation

  • The adversary A attempts to convince U* that A is a member of G*

    • If A has not obtained secrets from any U in G*, it should remain unable to convince U* of its membership in G*.

    • Otherwise, the user secrets a successful adversary is using should be traceable from the transcript of A's interaction with U*.


Group Member Impersonation Game

  • Randomized, polynomial-time adversary A

  • 1. A interacts with the users and obtains secrets for some subset U' of them.

  • 2. A selects a target user U* in G*.

  • 3. A attempts to convince U* that A belongs to G*:

    • SHS.Handshake(A, U*).


Probability A Wins the Game

  • A wins if it engages correctly in SHS.Handshake(A, U*), i.e. U* accepts

    • Adv^MIG_A := Pr[A wins the Member Impersonation Game].

    • Conditional advantage restricted to an event E:

      Adv^MIG_A(E) := Pr[A wins the Member Impersonation Game | E].


Impersonation Resistance

  • Suppose A never corrupts a member of the target group G*. Then U' ∩ G* = ∅. The secret-handshake scheme SHS is said to ensure impersonation resistance if Adv^MIG_A(U' ∩ G* = ∅) is negligible for all A.


Impostor Tracing

  • Let T be the transcript of the interaction of A and U*. The secret-handshake scheme SHS is said to permit impostor tracing when |Pr[SHS.TraceUser(T) ∈ U' ∩ G*] − Adv^MIG_A| is negligible for all A.


Group Member Detection

  • Adversary A has as its goal to learn how to identify members of a certain group G*

  • A interacts with players of the system, corrupts some users, picks a target user U*, and attempts to learn whether U* belongs to G*.


Group Member Detection

Required property:

  • If A does not obtain secrets for any other U in G*, it should remain clueless about whether U* is in G*.

    In other words, the final interaction with U* should yield no new information to the adversary unless it has already obtained secrets from another member of G*.


Member Detection Game

  • 1. A interacts with users of its choice and obtains secrets for some users U' ⊆ U.

  • 2. A selects a target user U* not in U'.

  • 3. Flip a random bit, b ← {0, 1}.

  • 4. If b = 0, A interacts with U*; if b = 1, A interacts with R.

  • 5. A outputs a guess b* for b.


Probability A Wins the Game

  • If b* = b, A wins the game.

  • Adv^MDG_A := |Pr[A wins the Member Detection Game] − 1/2|.

  • Conditional advantage restricted to the occurrence of an event E:

    Adv^MDG_A(E) := |Pr[A wins MDG | E] − 1/2|.


Detection Resistance

  • Let G_U* be the group to which U* belongs, and suppose A never corrupts a member of G_U*. Then U' ∩ G_U* = ∅.

  • The secret-handshake scheme SHS is said to ensure detection resistance if Adv^MDG_A(U' ∩ G_U* = ∅) is negligible for all A.


Detector Tracing

  • Let T be the transcript of the interaction of A and U*, and let G_U* be the group to which U* belongs.

  • The secret-handshake scheme SHS is said to permit detector tracing when |Pr[SHS.TraceUser(T) ∈ U' ∩ G_U*] − Adv^MDG_A| is negligible for all A.


Security of Pairing-Based Handshake

Hardness of the BDH problem:

  • The Bilinear Diffie-Hellman problem (BDH) is hard if, for all probabilistic polynomial-time algorithms B,

  • Adv^BDH_B := Pr[B(P, aP, bP, cP) = e(P, P)^(abc)]

    is negligible in the security parameter (a, b, c chosen uniformly from Z_q).


Security of Pairing-Based Handshake

  • Theorem 1. Suppose A is a probabilistic polynomial-time (PPT) adversary. There is a PPT algorithm B such that

    Adv^MIG_A ≤ Pr[PBH.TraceUser(T) ∈ U' ∩ G*] + e · Q_H1 · Q_H2 · Adv^BDH_B + ω,

    where ω is negligible in the security parameter (Q_H1 and Q_H2 bound the number of queries A makes to the hash oracles H1 and H2).


Security of Pairing-Based Handshake

  • Corollary 2 (PBH Impostor Tracing)

  • Suppose A is a probabilistic polynomial-time adversary. If the BDH problem is hard, then

    |Pr[PBH.TraceUser(T) ∈ U' ∩ G*] − Adv^MIG_A|

    is negligible.


Security of Pairing-Based Handshake

  • Corollary 3 (PBH Impersonation Resistance)

  • Suppose A is a probabilistic polynomial-time adversary. If the BDH problem is hard, then Adv^MIG_A(U' ∩ G* = ∅)

    is negligible.


Security of Pairing-Based Handshake

  • Theorem 4. Suppose A is a probabilistic polynomial-time (PPT) adversary. There is a PPT algorithm B such that

    Adv^MDG_A ≤ Pr[PBH.TraceUser(T) ∈ U' ∩ G*] + e · Q_H1 · Q_H2 · Adv^BDH_B + ω,

    where ω is negligible in the security parameter.


Security of Pairing-Based Handshake

  • Corollary 5 (PBH Detector Tracing)

  • Suppose A is a probabilistic polynomial-time adversary. If the BDH problem is hard, then

    |Pr[PBH.TraceUser(T) ∈ U' ∩ G*] − Adv^MDG_A|

    is negligible.


Security of Pairing-Based Handshake

  • Corollary 6 (PBH Detection Resistance)

  • Suppose A is a probabilistic polynomial-time adversary. If the BDH problem is hard, then Adv^MDG_A(U' ∩ G* = ∅)

    is negligible.


Additional Security Notions

  • Forward repudiability

    • Optional

    • No evidence from a handshake should provide a non-repudiable proof that U1 is a member (the peer cannot later prove U1's membership to a third party).

  • Indistinguishability to eavesdroppers

    • Adv^DST_A := |Pr[A(T_Real) = 1] − Pr[A(T_Rand) = 1]|, where T_Real is a real transcript and T_Rand a transcript produced by the random simulation R.


Additional Security Notions

  • Collusion resistance and traitor tracing

    • Remain secure even if collections of users pool their secrets in an attempt to undermine the system.

    • If a coalition of users manages to detect or impersonate group members, at least one of them can be traced.

    • A traditional Diffie-Hellman-based key exchange in which every member shares one group secret breaks down here: a leaked secret is the same for everyone and cannot be traced to anyone.


Additional Security Notions

  • Unlinkability

    • If an eavesdropper sees two different handshakes performed by Alice, the contents of the handshakes alone should not let it link them.

    • Each user obtains a list of pseudonyms and uses a fresh one per handshake.

    • Reusing a single pseudonym makes Alice's handshakes linkable.


SSL Handshake Protocol

  • Allows server and client to

    • authenticate each other

    • negotiate encryption and MAC algorithms

    • negotiate the cryptographic keys to be used

  • Comprises a series of messages in phases

    • Establish security capabilities

    • Server authentication and key exchange

    • Client authentication and key exchange

    • Finish



Implementation

  • Small modification of two of the TLS handshake messages.

    • Server_Key_Exchange message

    • An indication that PBH is the algorithm

    • The server's pseudonym id_B

    • Client_Key_Exchange message

    • An indication that PBH is the scheme

    • The client's pseudonym id_A


Implementation Choices

  • Secure transport-layer protocol (TLS)

  • Security parameters

    • p = 12qr − 1 (so p ≡ 2 mod 3 and q divides p + 1)

    • p 1024 bits, q 160 bits

    • Curve E: y^2 = x^3 + 1 (supersingular over F_p when p ≡ 2 mod 3)

    • Bilinear map: Tate pairing
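Why the parameter shape p = 12qr − 1 with E: y^2 = x^3 + 1 gives the scheme its prime-order group G1, as an added example (not from the paper). At the slide's sizes (q 160 bits, p 1024 bits) you would use an ECC library; the bit sizes here are assumptions chosen small enough that the curve order can be brute-forced, which lets the block confirm the two facts the choice relies on: p ≡ 2 (mod 3) makes the curve supersingular with #E(F_p) = p + 1, and p + 1 = 12qr means multiplying any point by the cofactor 12r lands in a subgroup of prime order q. The hash-to-curve in the block (increment x until x^3 + 1 is a square, take a root, multiply by the cofactor) is one standard way to realise H1 and is an assumption, not the paper's exact H1.

```python
"""Checking PBH parameters p = 12qr - 1, E: y^2 = x^3 + 1 at toy sizes (added example)."""
import hashlib


def is_prime(n: int) -> bool:
    """Trial division: adequate for the demo sizes only, not for 1024-bit p."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def find_params(q_bits: int, p_bits: int) -> tuple:
    """Smallest q_bits-bit prime q and r such that p = 12qr - 1 is a p_bits-bit prime."""
    for q in range(1 << (q_bits - 1), 1 << q_bits):
        if not is_prime(q):
            continue
        r_lo = -(-((1 << (p_bits - 1)) + 1) // (12 * q))      # ceil, so p >= 2^(p_bits-1)
        r_hi = (1 << p_bits) // (12 * q)                       # so p < 2^p_bits
        for r in range(r_lo, r_hi + 1):
            p = 12 * q * r - 1
            if is_prime(p):
                return q, r, p
    raise ValueError("no parameters at these sizes")


def count_points(p: int) -> int:
    """#E(F_p) for y^2 = x^3 + 1 by brute force: Euler's criterion per x, plus infinity."""
    total = 1
    for x in range(p):
        rhs = (x * x * x + 1) % p
        if rhs == 0:
            total += 1
        elif pow(rhs, (p - 1) // 2, p) == 1:
            total += 2
    return total


def ec_add(P, R, p):
    """Affine addition on y^2 = x^3 + 1 (Weierstrass a = 0); None is the point at infinity."""
    if P is None:
        return R
    if R is None:
        return P
    (x1, y1), (x2, y2) = P, R
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == R:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def ec_mul(k: int, P, p):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, P, p)
        P = ec_add(P, P, p)
        k >>= 1
    return acc


def hash_to_g1(label: str, p: int, q: int):
    """H1: {0,1}* -> G1: first curve point at or after H(label), times the cofactor (p+1)/q."""
    cofactor = (p + 1) // q
    x = int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % p
    while True:
        rhs = (x * x * x + 1) % p
        if rhs and pow(rhs, (p - 1) // 2, p) == 1:
            y = pow(rhs, (p + 1) // 4, p)             # p = 3 (mod 4), so this is a square root
            point = ec_mul(cofactor, (x, y), p)
            if point is not None:                     # skip the rare landing on the identity
                return point
        x = (x + 1) % p


def check_params(q_bits: int = 8, p_bits: int = 16) -> dict:
    """Generate toy parameters and verify the structural facts the scheme relies on."""
    q, r, p = find_params(q_bits, p_bits)
    P = hash_to_g1("p65748392a-driver", p, q)
    return {"q": q, "r": r, "p": p,
            "p_mod_3_is_2": p % 3 == 2,
            "order_is_p_plus_1": count_points(p) == p + 1,
            "P_has_order_q": ec_mul(q, P, p) is None}


if __name__ == "__main__":
    print(check_params())
```

The structural checks pass by construction (p + 1 = 12qr and the x ↦ x^3 bijection on F_p for p ≡ 2 mod 3); what a deployment must additionally verify is that q really is prime and that p is large enough that the discrete log in the order-q subgroup of F_p^{2*} (where the Tate pairing lands) is infeasible, which is why the slide pairs a 160-bit q with a 1024-bit p.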


Measurements

    q          p           handshake time   RSA modulus of comparable size
    120 bits   512 bits    0.8 sec          512 bits
    160 bits   1024 bits   2.2 sec          1024 bits
    200 bits   2048 bits   11.8 sec         2048 bits


User and Role Authorization

  • The new user may have to be authorized to assume the role, in which case the administrator has to perform user authorization.



Protocol Deployment

  • The two parties exchange a cipher-suite designator that clearly shows that they wish to engage in a secret handshake, so an observer learns that a secret handshake is taking place (though not for which group).

  • This can be mitigated by using some form of anonymous communication.

  • The scheme provides the best protection if the number of groups that are using it is large.


Conclusion

  • A secret-handshake mechanism allows members of a group to authenticate each other secretly.

  • Allowing members of a group to authenticate not only the fact that they belong to the same group but also each other's roles is very desirable, and the pairing-based scheme supports it.

