1 / 16

On the Risks of IBE

On the Risks of IBE. Himanshu Khurana and Jim Basney NCSA, University of Illinois International Workshop on Applied PKC (IWAP), Dalian, China, Nov 2006. Introduction. Identity based cryptography flourishing Initial work by Cocks, Boneh and Franklin

stacy
Download Presentation

On the Risks of IBE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. On the Risks of IBE Himanshu Khurana and Jim Basney NCSA, University of Illinois International Workshop on Applied PKC (IWAP), Dalian, China, Nov 2006

  2. Introduction • Identity based cryptography flourishing • Initial work by Cocks, Boneh and Franklin • Encrypted email is a killer app for IBE(Identity Based Encryption) • Primary benefit: eliminate key distribution • We analyze IBE for Email and argue that: • IBE brings significant risks to email security • Stronger trust assumptions • Unnecessarily complex cryptosystem • Can easily be replaced by other cryptosystems; e.g., RSA

  3. Domain A Domain B CAA (SKA, PKA) CAB (SKB, PKB) PKR {PKR}SKB SMIME: {m}PKR Sender (IDS) Receiver (IDR) Secure Email with RSA (SMIME)

  4. Domain A Domain B PKGA (SKA, PKA) PKGB (SKB, PKB) PKPKGB SKR IBE: {m}PKR Sender (IDS) Receiver (IDR) PKR = f(PKPKGB, IDR, policy) Secure Email with IBE

  5. Benefits of IBE • Eliminate User Key Distribution • One key fetch per domain (PKG) • Sender generates public keys of domain users • Policy-based encryption • E.g., “open after Monday” • Implicit user mobility • Recipient can get private key from any location onto any device

  6. Fully trusted PKG Generates private keys Online PKG Revocation via short-lived keys Weaker end-to-end encryption PKG can decrypt messages Partially trusted CA Users generate keys Offline CA Revocation via CRLs, OCSP Strong end-to-end encryption Only recipient can decrypt messages Trust AssumptionsIBE vs. RSA

  7. IBE Revocation • Goal: Minimize extent of compromise • IBE time-based sender policy [Boneh03] • How does sender determine appropriate policy? • Requires policy standardization • Update domain parameters [Smetters03] • Revoke the identity?

  8. RSA-based IBE • Can we implement IBE for email using RSA? • Prior work: • J. Callas. Identity-Based Encryption with Conventional Public-Key Infrastructure. In 4th Annual PKI R&D Workshop, number 7224 in Interagency Reports, pages 102–115. NIST, 2005. • X. Ding and G. Tsudik. Simple Identity-Based Cryptography with Mediated RSA. In CT-RSA, Lecture Notes in Computer Science 2612, Springer, pages 193–210, 2003.

  9. IDR PKR SKR {m}PKR IBE with Conventional PKI(Callas, 2005) Recipient Domain (PKR,SKR) = f(SKPKG,IDR) PKG (SKPKG) Sender (IDS) Receiver (IDR)

  10. SKR,SEM {m}PKR CertOrg SKR,U -1 SKR,SEM {{m}PKR } {m}PKR PKR = f(CertOrg,IDR) IB-mRSA(Ding and Tsudik, 2003) Recipient Domain CA SEM Sender (IDS) Receiver (IDR)

  11. KDC = Key Distribution Center • {m}k denotes symmetric encryption • {x}PK denotes asymmetric encryption Recipient Domain KDC (SK, PK) PKKDC {k||IDR||policy}PKKDC k Sender (IDS) E(m) Receiver (IDR) E(m) = {{m}k,{k||IDR||policy}PKKDC} Secure Email with IB-MKD(Identity Based - Message Key Distribution)

  12. Object-Based Key Distribution(Ford and Wiener, 1994) Recipient Domain Key Release Agent (SK, PK) PKKRA {k||policy}PKKRA k Sender (IDS) E(m) Receiver (IDR) E(m) = {{m}k,{k||policy}PKKRA}

  13. Analysis • IB-MKD achieves IBE benefits, same trust assumptions • Using widely-accepted RSA cryptosystem • Previous RSA-based IBE work fails to do so • Protocol differences in IB-MKD • User encrypts with domain public key • Highlights weaker notion of end-to-end encryption • Does not change security properties • Policy itself is encrypted • Additional feature not provided in IBE • Recipient must contact KDC for every message • More overhead than IBE but comparable to POP over SSL • Provides timely policy evaluation and immediate revocation

  14. System Comparison

  15. Online versus Offline • RSA-based IBE approaches assume online operation • Contact SEM/KDC for every message • Contact PKG for every recipient [Callas05] • IBE’s strength may be offline environments • Pre-distribute PKG parameters and secret keys • If timely revocation is not a strong requirement • Can RSA simulate offline IBE?

  16. Conclusions • Secure Email with IBE has strong trust assumptions • Need to be evaluated carefully before deployment • IBE’s complex cryptography may be unnecessary • IB-MKD achieves goals with RSA • Questions? • hkhurana@ncsa.uiuc.edu • jbasney@ncsa.uiuc.edu

More Related