
Secret Handshakes or Privacy-Preserving Interactive Authentication

Gene Tsudik, University of California, Irvine. Joint work with: Claude Castelluccia, Stanisław Jarecki, Shouhuai Xu, Samad Nasserian.


Presentation Transcript


  1. Secret Handshakes or Privacy-Preserving Interactive Authentication
     Gene Tsudik, University of California, Irvine
     Joint work with: Claude Castelluccia, Stanisław Jarecki, Shouhuai Xu, Samad Nasserian

  2. Motivation
     • Privacy is being gradually eroded
       - Cameras everywhere
       - Search engines keep data
       - Stores keep track of habits via affinity cards
       - Libraries keep records of books checked out
     • Need privacy-preserving services
       - E-cash
       - Anonymous email
       - Anonymous signatures (e.g., group signatures)
       - Information delivery
       - Trust negotiation
       - Authentication
     • Our focus:
       - Private (unobservable) authentication

  3. Example setting
     • Alice and Bob meet in a crowded network
     • All communication is observable
     • Man-in-the-middle attacks possible
     • Alice is an FBI agent
     • Bob is an FBI agent
     • They cannot authenticate publicly…
     • Alice will only “speak” with other FBI agents
     • Bob will only “speak” with other FBI agents
     • How can they authenticate in private?

  4. Example setting
     • How can they authenticate in private?
       - Cannot just exchange signatures
       - Cannot simply share a common key
       - Cannot even exchange group signatures

  5. Encryption: The General Idea
     • Parties: Bob, Alice, Adversary
     • Message m, ciphertext c
     • Alice decrypts m from c
     • Adversary cannot get m from c!!!

  6. Public Key Encryption
     • Parties: Bob, Alice, Adversary
     • Key generation procedure:
       - Alice’s public encryption key KA
       - Alice’s secret decryption key KS
     • Bob: message m, c = Enc(KA, m)
     • Alice: m = Dec(KS, c)
     • Adversary:
       - computing m from KA and c is infeasible
       - computing even one bit of m is infeasible
       - deciding if m = m’ from (KA, c) is infeasible
       [list of useful security needs still growing…]
     • Problem: How does Bob know that KA is Alice’s public key?

  7. Public Key Infrastructure [PKI]: Certification Authority generates keys
     • Certification Authority (CA):
       - Alice’s public key Ka
       - Alice’s secret key Ks
       - certA = SIG_CA{Ka, Alice}
     • Bob (knows CA’s public key):
       - Bob verifies CA’s signature certA on Ka
       - message m, c = Enc(Ka, m)
     • Alice: m = Dec(Ks, c)

  8. [PKI]: Users Generate Keys Independently
     • Alice generates her secret-public key pair (Ks, Ka) on her own
     • Alice → Certification Authority (CA): Ka + “physical authentication”
     • CA → Alice: certA = SIG_CA{A, Alice}
     • Alice → Bob: (Alice, Ka, certA)
     • Bob (knows CA):
       - Bob verifies CA’s signature certA on {Ka, Alice}
       - message m, c = Enc(Ka, m)
     • Alice: m = Dec(Ks, c)

  9. Authentication: Bob is sure that he is talking to Alice
     Using a PKI:
     • Alice generates secret-public key pair (Ks, Ka) on her own
     • Alice → Certification Authority (CA): Ka + “physical authentication”
     • CA → Alice: certA = SIG_CA{Ka, Alice}
     • Alice → Bob: (Ka, certA), then proof of knowledge of Ks corresponding to Ka
     • Bob (knows CA): Bob verifies CA’s signature certA on Ka

  10. [PKI]: Authentication Reveals Alice’s Affiliation
      • Alice’s CA: UCI (public key UCI)
      • Alice generates secret-public key pair (Ks, Ka) on her own
      • Alice → UCI: Ka + “physical authentication”
      • UCI → Alice: certA = SIG_UCI{Ka, Alice}
      • Alice → Bob: (Ka, certA), then proof of knowledge of Ks corresponding to Ka
      • Bob (knows UCI): Bob verifies UCI’s signature certA on Ka and learns that Alice is at UCI

  11. Traditional Public Key Authentication offers: No Affiliation Privacy
      • Parties: Alice, UCI student; Bob, FBI agent
      • certA = SIG_UCI{Alice’s public key Ka}
      • Proof of knowledge of Ks corresponding to Ka
      • Alice’s affiliation is publicly revealed by her certificate
      • Can Alice reveal her affiliation only to FBI members?
      • Can Bob keep his affiliation private too?

  12. Public Key Authentication (changing the terms)
      • Parties: Alice, UCI student; Bob, FBI agent
      • certA = SIG_UCI{Ka}
      • Alice’s PKInfo: Ka and affiliation UCI
      • Proof of knowledge of UCI’s cert on Ka
      • On input UCI and Ka, Bob verifies the proof
      • Can Alice reveal her affiliation only to FBI members?

  13. Public Key Authentication: The Problem of Affiliation Privacy
      • Parties: Alice, UCI student; Bob, FBI agent
      • certA = SIG_UCI{Ka}, PolicyA = {FBI}
      • Alice’s PKInfo: Ka and affiliation UCI ?
      • Proof of knowledge of UCI’s cert on Ka
      • On input UCI and Ka, Bob verifies the proof
      • Can Alice reveal her affiliation only to FBI members?
      • Can she hide this policy from other parties?
      • (and vice versa for Bob?)

  14. Public Key Authentication: The Problem of Affiliation Privacy
      • Alice: certA = SIG_UCI{Ka}, PolicyA = {FBI}
      • Bob: certB = SIG_FBI{Kb}, PolicyB = {UCI}
      • Alice’s PKInfo: Ka
      • Bob’s PKInfo: Kb
      • Proof of knowledge of UCI’s cert on Ka
      • Proof of knowledge of FBI’s cert on Kb
      • Can Alice reveal her affiliation only to FBI members?
      • Can she hide this policy from other counterparties?
      • (and vice versa for Bob?)

  15. Secret Handshakes via “Encrypted Authentication”
      • Alice: certA = SIG_UCI{Ka}, PolicyA = {FBI}
      • Bob: certB = SIG_FBI{Kb}, PolicyB = {UCI}
      • Messages shown in the diagram:
        - Alice’s PKInfo Ka
        - Bob’s PKInfo Kb
        - Enc_PK(FBI,Kb){proof of knowledge of SIG_UCI{Ka}, nA}
        - nA
      • Encryption key derived for (FBI, Kb); signature = decryption key
      • Requirements (labels 1, 2, 3 in the diagram):
        1: signatures must work as decryption keys
        2: ciphertexts must hide Cert. Signer assumed in encryption
        3: public key info must hide Cert. Signer too
      • Can Alice reveal her affiliation only to FBI members?
      • Can she hide this policy from other counterparties?
      • (and vice versa for Bob?)

  16. Secret Handshakes with “CA-oblivious” or “Signature-Based” Encryption
      • Alice: certA = SIG_UCI{Ka}, PolicyA = {FBI}
      • Bob: certB = SIG_FBI{Kb}, PolicyB = {UCI}
      • Messages shown in the diagram:
        - Alice’s PKInfo Ka
        - Bob’s PKInfo Kb
        - Enc_PK(FBI,Kb){proof of knowledge of SIG_UCI{Ka}, cA, nA}
        - Enc_PK(UCI,Ka){proof of knowledge of SIG_FBI{Kb}, cB, nB}, cA
        - cB
      • In addition, can derive a shared key K = f(nA, nB)
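
One way to meet the three requirements of slide 15 and derive the shared key of slide 16, using a Schnorr signature as the certificate (the building block slide 18 lists for Castelluccia et al.). This is an added sketch, not code from the presentation or its authors: the toy modulus and generator (not a secure group), the function names and the dictionary layout are assumptions, and the proof-of-knowledge and cA/cB confirmation values are left out.

```python
import hashlib, secrets

# Toy parameters (assumed for this sketch; NOT a secure group).
P = 2**127 - 1        # prime modulus
N = P - 1             # exponents are reduced mod the order of Z_P^*
G = 3

def H(*parts):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def ca_keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)                      # (CA secret key, CA public key)

def issue_cert(ca_sk, pseudonym, policy_pk):
    """Schnorr signature (w, t) on the pseudonym. The member publishes
    (pseudonym, w) and keeps t; policy_pk is the CA it demands of peers."""
    k = secrets.randbelow(N - 1) + 1
    w = pow(G, k, P)                            # random-looking: names no CA
    t = (k + ca_sk * H(w, pseudonym)) % N
    return {"id": pseudonym, "w": w, "t": t, "policy": policy_pk}

def derive_pk(ca_pk, pseudonym, w):
    """Encryption key for (CA, pseudonym): equals G^t only if that CA signed."""
    return (w * pow(ca_pk, H(w, pseudonym), P)) % P

def _pad(shared, n):
    return hashlib.shake_256(str(shared).encode()).digest(n)

def encrypt(ca_pk, pseudonym, w, msg):
    """Hashed ElGamal under the derived key; (c1, c2) names no CA."""
    r = secrets.randbelow(N - 1) + 1
    pad = _pad(pow(derive_pk(ca_pk, pseudonym, w), r, P), len(msg))
    return pow(G, r, P), bytes(a ^ b for a, b in zip(msg, pad))

def decrypt(t, ct):
    """The signature component t is the decryption key."""
    c1, c2 = ct
    pad = _pad(pow(c1, t, P), len(c2))
    return bytes(a ^ b for a, b in zip(c2, pad))

def handshake(a, b):
    """Each side encrypts a nonce for the CA its policy names, then derives
    K = f(nA, nB). The two keys match only if both certificates fit."""
    n_a, n_b = secrets.token_bytes(16), secrets.token_bytes(16)
    to_b = encrypt(a["policy"], b["id"], b["w"], n_a)
    to_a = encrypt(b["policy"], a["id"], a["w"], n_b)
    k_a = hashlib.sha256(n_a + decrypt(a["t"], to_a)).digest()
    k_b = hashlib.sha256(decrypt(b["t"], to_b) + n_b).digest()
    return k_a, k_b
```

A peer holding a certificate from the wrong CA decrypts to garbage and ends up with a different key, so a failed handshake tells neither an observer nor the peer which CA was expected.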

  17. Outstanding Issues
      • Pseudonym re-use → linkability
        (constant # of pseudonyms; must be replenished periodically)
      • Size of revocation information
        (#pseudonyms * #revoked)
      • O(n^2) for n certificates and n policies
      • How to do group handshakes?

  18. Recent Results
      • Balfanz, et al. (S&P 2003)
        - BGDH assumption (bilinear maps)
      • Castelluccia, et al. (Asiacrypt 2004)
        - discrete log assumption (Schnorr signatures)
      • Holt, Seamons (ACM CCS 2004)
        - Hidden credentials
      • Xu and Yung (CCS 2004)
        - k-anonymity [XY’04]
      • Xu and Tsudik (in submission)
        - framework supporting reusable credentials, group handshakes
        - (1) Group Signatures + (2) Group Key Agreement + (3) Centralized Group Key Distribution

  19. Questions?
