On the risks of ibe
Download
1 / 16

On the Risks of IBE - PowerPoint PPT Presentation


  • 104 Views
  • Uploaded on

On the Risks of IBE. Himanshu Khurana and Jim Basney NCSA, University of Illinois International Workshop on Applied PKC (IWAP), Dalian, China, Nov 2006. Introduction. Identity based cryptography flourishing Initial work by Cocks, Boneh and Franklin

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'On the Risks of IBE' - stacy


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
On the risks of ibe l.jpg

On the Risks of IBE

Himanshu Khurana and Jim Basney

NCSA, University of Illinois

International Workshop on Applied PKC (IWAP), Dalian, China, Nov 2006


Introduction l.jpg
Introduction

  • Identity based cryptography flourishing

    • Initial work by Cocks, Boneh and Franklin

  • Encrypted email is a killer app for IBE(Identity Based Encryption)

    • Primary benefit: eliminate key distribution

  • We analyze IBE for Email and argue that:

    • IBE brings significant risks to email security

      • Stronger trust assumptions

      • Unnecessarily complex cryptosystem

        • Can easily be replaced by other cryptosystems; e.g., RSA


Secure email with rsa smime l.jpg

Domain A

Domain B

CAA

(SKA, PKA)

CAB

(SKB, PKB)

PKR

{PKR}SKB

SMIME: {m}PKR

Sender

(IDS)

Receiver

(IDR)

Secure Email with RSA (SMIME)


Secure email with ibe l.jpg

Domain A

Domain B

PKGA

(SKA, PKA)

PKGB

(SKB, PKB)

PKPKGB

SKR

IBE: {m}PKR

Sender

(IDS)

Receiver

(IDR)

PKR =

f(PKPKGB, IDR, policy)

Secure Email with IBE


Benefits of ibe l.jpg
Benefits of IBE

  • Eliminate User Key Distribution

    • One key fetch per domain (PKG)

    • Sender generates public keys of domain users

  • Policy-based encryption

    • E.g., “open after Monday”

  • Implicit user mobility

    • Recipient can get private key from any location onto any device


Trust assumptions ibe vs rsa l.jpg

Fully trusted PKG

Generates private keys

Online PKG

Revocation via short-lived keys

Weaker end-to-end encryption

PKG can decrypt messages

Partially trusted CA

Users generate keys

Offline CA

Revocation via CRLs, OCSP

Strong end-to-end encryption

Only recipient can decrypt messages

Trust AssumptionsIBE vs. RSA


Ibe revocation l.jpg
IBE Revocation

  • Goal: Minimize extent of compromise

  • IBE time-based sender policy [Boneh03]

    • How does sender determine appropriate policy?

    • Requires policy standardization

  • Update domain parameters [Smetters03]

  • Revoke the identity?


Rsa based ibe l.jpg
RSA-based IBE

  • Can we implement IBE for email using RSA?

  • Prior work:

    • J. Callas. Identity-Based Encryption with Conventional Public-Key Infrastructure. In 4th Annual PKI R&D Workshop, number 7224 in Interagency Reports, pages 102–115. NIST, 2005.

    • X. Ding and G. Tsudik. Simple Identity-Based Cryptography with Mediated RSA. In CT-RSA, Lecture Notes in Computer Science 2612, Springer, pages 193–210, 2003.


Ibe with conventional pki callas 2005 l.jpg

IDR

PKR

SKR

{m}PKR

IBE with Conventional PKI(Callas, 2005)

Recipient Domain

(PKR,SKR) = f(SKPKG,IDR)

PKG

(SKPKG)

Sender

(IDS)

Receiver

(IDR)


Ib mrsa ding and tsudik 2003 l.jpg

SKR,SEM

{m}PKR

CertOrg

SKR,U

-1

SKR,SEM

{{m}PKR }

{m}PKR

PKR = f(CertOrg,IDR)

IB-mRSA(Ding and Tsudik, 2003)

Recipient Domain

CA

SEM

Sender

(IDS)

Receiver

(IDR)


Secure email with ib mkd identity based message key distribution l.jpg

Recipient Domain

KDC

(SK, PK)

PKKDC

{k||IDR||policy}PKKDC

k

Sender

(IDS)

E(m)

Receiver

(IDR)

E(m) = {{m}k,{k||IDR||policy}PKKDC}

Secure Email with IB-MKD(Identity Based - Message Key Distribution)


Object based key distribution ford and wiener 1994 l.jpg
Object-Based Key Distribution(Ford and Wiener, 1994)

Recipient Domain

Key Release Agent

(SK, PK)

PKKRA

{k||policy}PKKRA

k

Sender

(IDS)

E(m)

Receiver

(IDR)

E(m) = {{m}k,{k||policy}PKKRA}


Analysis l.jpg
Analysis

  • IB-MKD achieves IBE benefits, same trust assumptions

    • Using widely-accepted RSA cryptosystem

    • Previous RSA-based IBE work fails to do so

  • Protocol differences in IB-MKD

    • User encrypts with domain public key

      • Highlights weaker notion of end-to-end encryption

      • Does not change security properties

    • Policy itself is encrypted

      • Additional feature not provided in IBE

    • Recipient must contact KDC for every message

      • More overhead than IBE but comparable to POP over SSL

      • Provides timely policy evaluation and immediate revocation



Online versus offline l.jpg
Online versus Offline

  • RSA-based IBE approaches assume online operation

    • Contact SEM/KDC for every message

    • Contact PKG for every recipient [Callas05]

  • IBE’s strength may be offline environments

    • Pre-distribute PKG parameters and secret keys

    • If timely revocation is not a strong requirement

  • Can RSA simulate offline IBE?


Conclusions l.jpg
Conclusions

  • Secure Email with IBE has strong trust assumptions

    • Need to be evaluated carefully before deployment

  • IBE’s complex cryptography may be unnecessary

    • IB-MKD achieves goals with RSA

  • Questions?


ad