Seminar in Foundations of Privacy

Message Authentication in the Manual Channel Model

Gil Segev

Pairing of Wireless Devices

Scenario:

• Buy a new wireless camera
• Want to establish a secure channel for the first time
• Diffie-Hellman key agreement protocol
Diffie-Hellman Key Agreement
• Alice and Bob wish to agree on a secret key
• Public parameters:
  • Group $G$
  • Generator $g \in G$
• Alice chooses $x$ at random, Bob chooses $y$ at random

  Alice → Bob: $g^x$
  Bob → Alice: $g^y$

Both parties compute $K_{A,B} = g^{xy}$

• Security: Even when given $(G, g, g^x, g^y)$ it is still hard to compute $g^{xy}$
Diffie-Hellman Key Agreement
• Computational Diffie-Hellman assumption (CDH): For every probabilistic polynomial-time algorithm $A$, every polynomial $p(n)$ and all sufficiently large $n$,

  $\Pr[A(G_n, g_n, g_n^x, g_n^y) = g_n^{xy}] < 1/p(n)$

  The probability is taken over $A$'s internal coin tosses and over the random choice of $(x, y)$.

• Decisional Diffie-Hellman assumption (DDH):

  $\{(g, g^x, g^y, g^{xy})\} \approx_c \{(g, g^x, g^y, g^c)\}$

  for random $x$, $y$ and $c$, where $\approx_c$ denotes computational indistinguishability.

Diffie-Hellman Key Agreement
• Same exchange as above: Alice sends $g^x$, Bob sends $g^y$, both compute $K_{A,B} = g^{xy}$
• CDH assumption: $K_{A,B}$ is hard to guess
• DDH assumption: $K_{A,B}$ is as good as a random secret
• Secure against passive adversaries
  • Eve is only allowed to read the sent messages
Pairing of Wireless Devices

Scenario (continued): the camera and the laptop run Diffie-Hellman over the air, exchanging $g^x$ and $g^y$

Cable pairing
• Simple
• Cheap
• Authenticated channel

"I thought this is a wireless camera..."
Pairing of Wireless Devices

Wireless pairing

Problem: Active adversaries ("man-in-the-middle")

  Alice → Eve: $g^x$                Eve → Bob: $g^b$
  Bob → Eve: $g^y$                  Eve → Alice: $g^a$
  Alice → Eve: $ENC(K_{A,E}, m)$    Eve → Bob: $ENC(K_{E,B}, m)$

Diffie-Hellman Key Agreement
• Suppose now that Eve is an active adversary
  • "man-in-the-middle" attacker

  Alice → Eve: $g^x$          Eve → Bob: $g^b$
  Bob → Eve: $g^y$            Eve → Alice: $g^a$

  $K_{A,E} = g^{xa}$ (shared by Alice and Eve)
  $K_{E,B} = g^{by}$ (shared by Eve and Bob)

• Completely insecure:
  • Eve can decrypt $m$, and then re-encrypt it
• Solution - Message authentication:
  • Alice and Bob authenticate $g^x$ and $g^y$
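The man-in-the-middle run above, as an added example that is not part of the original slides. It uses a toy group ($p = 1019 = 2 \cdot 509 + 1$, generator $g = 4$ of the order-509 subgroup) and a toy XOR "encryption"; both are assumptions made here so the arithmetic is visible, and neither is secure. The functions return the keys each party ends up with, so the point of the slide (Alice's and Bob's keys differ, and Eve holds both) can be checked rather than read.

```python
import hashlib
import secrets

# Toy group, an assumption of this example (not from the slides): p = 2q + 1
# with q = 509 prime, and g = 4 generates the subgroup of prime order q.
# It is far too small to be secure; it only makes the arithmetic visible.
P = 1019
Q = 509
G = 4


def keygen(priv=None):
    """Return (x, g^x mod p); x is uniform in [1, q-1] unless supplied."""
    x = secrets.randbelow(Q - 1) + 1 if priv is None else priv
    return x, pow(G, x, P)


def shared_key(their_pub, my_priv):
    """K = (g^y)^x = g^{xy} mod p."""
    return pow(their_pub, my_priv, P)


def enc(key, data):
    """Toy ENC(K, m): XOR with a SHA-256-derived keystream (assumption; a
    real channel would use an AEAD).  Symmetric, so the same call decrypts."""
    ks = hashlib.sha256(key.to_bytes(4, "big")).digest()
    return bytes(d ^ ks[i % len(ks)] for i, d in enumerate(data))


def honest_run(x, y):
    """Passive Eve only reads g^x and g^y; Alice and Bob both derive g^{xy}."""
    _, alice_pub = keygen(x)   # Alice -> Bob: g^x
    _, bob_pub = keygen(y)     # Bob -> Alice: g^y
    return shared_key(bob_pub, x), shared_key(alice_pub, y)


def mitm_run(x, y, a, b, message):
    """Active Eve replaces g^x by g^b towards Bob and g^y by g^a towards
    Alice.  She ends up with K_{A,E} = g^{xa} (shared with Alice) and
    K_{E,B} = g^{by} (shared with Bob), decrypts ENC(K_{A,E}, m) and
    re-encrypts m under K_{E,B}; neither honest party notices."""
    _, alice_pub = keygen(x)         # Alice -> (intercepted by Eve): g^x
    _, bob_pub = keygen(y)           # Bob   -> (intercepted by Eve): g^y
    _, eve_to_alice = keygen(a)      # Eve -> Alice: g^a
    _, eve_to_bob = keygen(b)        # Eve -> Bob:   g^b
    k_alice = shared_key(eve_to_alice, x)   # Alice's "K_{A,B}" is really g^{xa}
    k_bob = shared_key(eve_to_bob, y)       # Bob's "K_{A,B}" is really g^{by}
    k_ae = shared_key(alice_pub, a)         # Eve recomputes g^{xa}
    k_eb = shared_key(bob_pub, b)           # Eve recomputes g^{by}
    ct_from_alice = enc(k_alice, message)   # Alice -> Eve: ENC(K_{A,E}, m)
    eve_read = enc(k_ae, ct_from_alice)     # Eve decrypts
    ct_to_bob = enc(k_eb, eve_read)         # Eve -> Bob: ENC(K_{E,B}, m)
    return {
        "alice_key": k_alice,
        "bob_key": k_bob,
        "eve_key_with_alice": k_ae,
        "eve_key_with_bob": k_eb,
        "eve_read": eve_read,
        "bob_read": enc(k_bob, ct_to_bob),
    }


if __name__ == "__main__":
    print("honest keys:", honest_run(6, 15))
    print("man in the middle:", mitm_run(6, 15, 7, 11, b"camera pairing"))
```

Nothing in the exchange lets Alice or Bob detect the substitution: every value they see is a well-formed group element, which is exactly why the rest of the talk is about authenticating $g^x$ and $g^y$ rather than about the key derivation.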

Message Authentication
• Assure the receiver of a message that it has not been changed by an active adversary

  Alice → Eve: $m$      Eve → Bob: $\hat{m}$

Problem specification:

Completeness: No interference $\Rightarrow$ Bob accepts $m$ (with high probability)

Soundness: For every $m$, $\Pr[\text{Bob accepts } \hat{m} \neq m] \le \epsilon$
One-Time Authentication
• The secret key enables a single authentication of a message $m \in \{0,1\}^n$
• $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^k\}$ is a family of hash functions
• Alice and Bob share a random function $h \in H$
  • $h$ is not known to Eve
• To authenticate $m \in \{0,1\}^n$ Alice sends $(m, h(m))$
• Upon receiving $(\hat{m}, z)$:
  • If $z = h(\hat{m})$, then Bob outputs $\hat{m}$ and halts
  • Otherwise, Bob outputs $\bot$ and halts

One-Time Authentication
• What properties do we require from $H$?
• Hard to guess $h(\hat{m})$, even given $h(m)$ for one $m \neq \hat{m}$
  • Success probability at most $\epsilon$
  • Should hold for any $m$ and $\hat{m}$
• Short representation for $h$ - must have small $\log|H|$
• Easy to compute $h(m)$ given $h$ and $m$
Universal Hash Functions
• Given $h: \{0,1\}^n \to \{0,1\}^k$ we can always guess a correct output with probability at least $2^{-k}$
• A family where this is tight is called universal$_2$

Definition: a family $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^k\}$ is called Strongly Universal$_2$ or pair-wise independent if:

• for all $m_1 \neq m_2 \in \{0,1\}^n$ and $y_1, y_2 \in \{0,1\}^k$ we have

  $\Pr[h(m_1) = y_1 \text{ and } h(m_2) = y_2] = 2^{-2k}$

  where the probability is over a randomly chosen $h \in H$

In particular $\Pr[h(m_2) = y_2 \mid h(m_1) = y_1] = 2^{-k}$

Theorem: when a strongly universal$_2$ family is used in the protocol, Eve's probability of cheating is at most $2^{-k}$

Constructing Universal Hash Functions

The linear polynomial construction:

• Fix a finite field $F$ of size at least the message space $2^n$
  • Could be either $GF[2^n]$ or $GF[P]$ for some prime $P \ge 2^n$
• The family $H$ of functions $h: F \to F$ is defined as

  $H = \{h_{a,b}(m) = a \cdot m + b \mid a, b \in F\}$

Claim: the family above is strongly universal$_2$

Proof: for every $m_1 \neq m_2$, $y_1, y_2 \in F$ there are unique $a, b \in F$ such that

  $a \cdot m_1 + b = y_1$
  $a \cdot m_2 + b = y_2$

(subtracting gives $a = (y_1 - y_2) / (m_1 - m_2)$, well defined since $m_1 \neq m_2$, and then $b = y_1 - a \cdot m_1$; so exactly one of the $|F|^2$ keys fits, i.e. probability $1/|F|^2$)

Size: each $h \in H$ is represented by $2n$ bits (the pair $(a, b)$)
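An added example (not code from the slides) of the linear-polynomial one-time authentication over a toy field $GF[101]$; the field size is an assumption made here so that the exhaustive checks finish instantly. Besides the authenticate/verify pair it counts, over all keys, how many keys are consistent with what Eve saw, which makes the $2^{-2k}$ and $2^{-k}$ claims above concrete; `recover_key` solves the same two linear equations as the proof, which is also why the key must be used once.

```python
import secrets

# Toy field GF[P]; the slides take P >= 2^n so that a message fits in one
# field element.  P = 101 is an assumption of this example, chosen so that the
# exhaustive checks below run instantly.
P = 101


def keygen():
    """Shared one-time key (a, b), uniform over GF[P]^2 (2 log P bits)."""
    return secrets.randbelow(P), secrets.randbelow(P)


def h(key, m):
    """h_{a,b}(m) = a*m + b in GF[P]."""
    a, b = key
    return (a * m + b) % P


def authenticate(key, m):
    """Alice sends (m, h(m))."""
    return m, h(key, m)


def verify(key, m_hat, z):
    """Bob outputs m_hat if z = h(m_hat), otherwise None (the slides' ⊥)."""
    return m_hat if h(key, m_hat) == z else None


def pairwise_count(m1, m2, y1, y2):
    """Number of (a, b) with h(m1) = y1 and h(m2) = y2.  Strong universality
    says exactly one of the P^2 keys when m1 != m2 (probability 1/P^2)."""
    return sum(1 for a in range(P) for b in range(P)
               if (a * m1 + b) % P == y1 and (a * m2 + b) % P == y2)


def best_forgery(m, z, m_hat):
    """Eve saw (m, z) and wants a tag for m_hat.  Enumerate the keys consistent
    with (m, z) and return (keys behind her most likely tag, consistent keys);
    the ratio is her success probability, 1/P whenever m_hat != m."""
    consistent = [(a, b) for a in range(P) for b in range(P) if (a * m + b) % P == z]
    by_tag = {}
    for key in consistent:
        y = h(key, m_hat)
        by_tag[y] = by_tag.get(y, 0) + 1
    return max(by_tag.values()), len(consistent)


def recover_key(m1, z1, m2, z2):
    """Why the key is one-time: two authenticated messages m1 != m2 pin down
    (a, b) exactly, by the same linear system used in the proof."""
    inv = pow((m1 - m2) % P, P - 2, P)        # Fermat inverse, P prime
    a = (z1 - z2) * inv % P
    b = (z1 - a * m1) % P
    return a, b


if __name__ == "__main__":
    key = keygen()
    m, z = authenticate(key, 42)
    print(verify(key, m, z), verify(key, 43, z))
    print(best_forgery(m, z, 43))            # (1, 101): success probability 1/101
    print(recover_key(m, z, 43, h(key, 43)) == key)
```

`best_forgery` is the statement of the theorem turned into a count: of the $P$ keys consistent with $(m, z)$, each possible tag for $\hat{m}$ is produced by exactly one, so Eve's best guess succeeds with probability $1/P$; for $\hat{m} = m$ every consistent key gives the same tag, which is the replay the one-time restriction rules out.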

Lower Bound

Theorem: Let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}\}$ be a family of pair-wise independent functions. Then $|H|$ is $\Omega(2^n)$.

More precisely, to obtain a $d$-wise independent family $|H|$ should be $\Omega(2^{n \lfloor d/2 \rfloor})$

• N. Alon and J. Spencer, The Probabilistic Method, Chapter 15 (derandomization), Proposition 2.3
More on Authentication
• Reducing the length of the secret key
• Almost-pair-wise independent hash functions
• Interaction
• Using the same secret key to authenticate any polynomial number of messages
• Requires computational assumptions
• Pseudorandom functions
• Authentication in the public-key world
• Much more to discuss…

Pairing of Wireless Devices

  Wireless pairing with a man-in-the-middle: Alice sends $g^x$ and receives $g^a$; Bob receives $g^b$ and sends $g^y$

  Alice's transcript is $m = g^x \| g^a$, Bob's transcript is $\hat{m} = g^b \| g^y$, and the parties need to detect that $m \neq \hat{m}$

• Impossible without additional setup: over the fully controlled channel alone, Bob cannot tell $m$ from $\hat{m}$

Pairing of Wireless Devices

Solution: Manual Channel
The Manual Channel

  Wireless pairing: Alice sends $g^x$, Bob sends $g^y$ over the air; Eve may substitute $g^a$, $g^b$

  Each device displays a short string (in the figure both show "141")

User can compare two short strings

Manual Channel Model

  Alice → Bob (insecure channel): messages about the input $m$, possibly over several rounds ( . . . )
  Alice ⇒ Bob (manual channel): $s$

• Insecure communication channel
• Low-bandwidth auxiliary channel:
  • Enables Alice to "manually" authenticate one short string $s$
• The protocol may be interactive (several rounds over the insecure channel before $s$ is sent) or non-interactive (a single message from Alice followed by $s$)
• The adversary:
  • Chooses the input message $m$
  • Insecure channel: full control
  • Manual channel: read, delay
    • Delivery timing is under Eve's control; the content of $s$ is not

Goal: Minimize the length of the manually authenticated string

Manual Channel Model
• No trusted infrastructure, such as:
  • Public key infrastructure
  • Shared secret key
  • Common reference string
  • ...

Suitable for ad hoc networks:
• Pairing of wireless devices
  • Wireless USB, Bluetooth
• Secure phones
  • AT&T, PGP, Zfone
• Many more...
Why Is This Model Reasonable?
• Implementing the manual channel:
  • Compare two strings displayed by the devices (both show "141" in the figure)
  • Type a string, displayed by one device, into the other device
  • Visual hashing
  • Voice channel

The Naive Solution

  Alice → Eve: $m$      Eve → Bob: $\hat{m}$
  Alice ⇒ Bob (manual channel): $H(m)$

• $H$ - collision resistant hash function (e.g., SHA-256)
  • No efficient algorithm can find $m \neq \hat{m}$ s.t. $H(m) = H(\hat{m})$ with noticeable probability
• Bob accepts $\hat{m}$ iff $H(\hat{m})$ equals the manually authenticated $H(m)$
• Any adversary that forges a message can be used to find a collision for $H$

Are we done?

• No. The output length of SHA-256 is too long (256 bits; even SHA-1's 160 bits would be)
  • Cannot be easily compared or typed by humans
  • Truncating $H(m)$ to $\ell$ bits does not help: Eve sees $m$ before choosing $\hat{m}$, so she finds an $\hat{m}$ with the same truncated value after about $2^\ell$ hash evaluations, which is trivial for any $\ell$ a human could compare
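An added example (not from the slides) of the naive solution with Python's `hashlib`, together with the check a practitioner would run before trying to shorten $H(m)$: `forge` searches for an $\hat{m} \neq m$ whose truncated hash matches, which succeeds after about $2^\ell$ trials. The message bytes and the 16-bit truncation are constructed for this example; the protocols that follow reach short strings by a different route, not by truncating a hash.

```python
import hashlib
import itertools


def manual_string(m, bits=256):
    """The string Alice authenticates by hand: SHA-256(m), keeping the top
    `bits` bits (bits = 256 is the naive solution; smaller values are the
    shortcut tested below, an assumption of this example)."""
    digest = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return digest >> (256 - bits)


def bob_accepts(m_hat, s, bits=256):
    """Bob got m_hat over the insecure channel and s over the manual channel."""
    return manual_string(m_hat, bits) == s


def forge(m, bits, prefix=b"attacker message "):
    """Eve sees m before choosing m_hat, so with an l-bit manual string she
    needs only about 2^l hash evaluations to hit the same truncated value
    (a second-preimage search on the truncation, not a collision search).
    Returns (m_hat, number of candidates tried)."""
    target = manual_string(m, bits)
    for i in itertools.count(1):
        m_hat = prefix + i.to_bytes(8, "big")
        if m_hat != m and manual_string(m_hat, bits) == target:
            return m_hat, i


if __name__ == "__main__":
    m = b"g^x || g^y from the pairing run"   # constructed sample input
    s = manual_string(m)                      # 256 bits: secure but unusable by hand
    print(bob_accepts(m, s), bob_accepts(m + b"!", s))
    m_hat, tries = forge(m, 16)               # 16-bit string: forged in ~2^16 tries
    print(tries, bob_accepts(m_hat, manual_string(m, 16), 16))
```

With the full 256-bit string the forgery loop never terminates in practice, which is the collision-resistance argument on the slide; with 16 bits it terminates in a fraction of a second, which is why the string length, not the hash, is the problem.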
Tight Bounds

  Setting: $n$-bit input message $m$, some number of rounds over the insecure channel ( . . . ), an $\ell$-bit manually authenticated string $s$, forgery probability $\epsilon$

No setup or computational assumptions

• Upper bound: $\log^* n$-round protocol in which $\ell = 2\log(1/\epsilon) + O(1)$
• Matching lower bound: $n \ge 2\log(1/\epsilon) \Rightarrow \ell \ge 2\log(1/\epsilon) - 2$
• One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting

Our Results - Tight Bounds

  Unconditional security: $\ell = 2\log(1/\epsilon)$
  Computational security (one-way functions): $\ell = \log(1/\epsilon)$
  $\ell < \log(1/\epsilon)$: impossible (Eve can always guess an $\ell$-bit string with probability $2^{-\ell}$)

Outline
• Security definition
• Tight bounds
• The protocol
• Lower bound
Security Definition

  $n$-bit input message $m$, $k$ rounds over the insecure channel ( . . . ), $\ell$-bit manually authenticated string $s$

Unconditionally secure $(n, \ell, k, \epsilon)$-authentication protocol:

• $n$-bit input message
• $\ell$ manually authenticated bits
• $k$ rounds

Completeness: No interference $\Rightarrow$ Bob accepts $m$ (with high probability)

Unforgeability: For every $m$, $\Pr[\text{Bob accepts } \hat{m} \neq m] \le \epsilon$


Preliminaries:

For $m = m_1 \ldots m_k \in GF[Q]^k$ and $x \in GF[Q]$, let $m(x) = \sum_{i=1}^{k} m_i x^i$

Then, for any $m \neq \hat{m}$ and for any $c, \hat{c} \in GF[Q]$,

  $\Pr_{x \leftarrow_R GF[Q]}[m(x) + c = \hat{m}(x) + \hat{c}] \le k/Q$

(the difference $m(x) - \hat{m}(x) + c - \hat{c}$ is a nonzero polynomial of degree at most $k$, so it has at most $k$ roots in $GF[Q]$)

The Protocol (simplified)
• Based on the [GN93] hashing technique
• In each round, the parties:
  • Cooperatively choose a hash function
  • Reduce to authenticating a shorter message
    • We hash $m$ to $x \| m(x) + c$: one party chooses $x$, the other party chooses $c$
• A short message is manually authenticated
The Protocol (simplified)

Both parties set $m_0 = m$ and $Q_1 \approx n/\epsilon$, $Q_2 \approx \log(n)/\epsilon$

  Alice → Bob: $m, a_1$            where $a_1 \leftarrow_R GF[Q_1]$
  Bob → Alice: $b_1, b_2$          where $b_1 \leftarrow_R GF[Q_1]$, $b_2 \leftarrow_R GF[Q_2]$
  Both compute $m_1 = b_1 \| m_0(b_1) + a_1$
  Alice chooses $a_2 \leftarrow_R GF[Q_2]$ and computes $m_2 = a_2 \| m_1(a_2) + b_2$
  Alice ⇒ Bob (manual channel): $m_2$
  Bob accepts iff $m_2$ is consistent with his own $m_1$, $b_2$ and the $a_2$ it carries

• $m_2$ is two $GF[Q_2]$ elements: $2\log(1/\epsilon) + 2\log\log(n) + O(1)$ manually authenticated bits
• With $k$ rounds, the $2\log\log(n)$ term is reduced to $2\log^{(k-1)}(n)$
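The two-round protocol above and the polynomial lemma before it, as an added example that is not code from the paper or the slides. The field sizes ($Q_1 = 101$, $Q_2 = 1009$), the packing of $m_1$ into base-$Q_2$ digits and the `attack1_success_probability` routine are assumptions of this example; the last one enumerates Bob's $b_1$ and Alice's $a_2$ exhaustively for one fixed Attack #1 substitution, so the forgery probability it returns is exact and can be compared with the $k_1/Q_1 + k_2/Q_2$ bound the analysis gives.

```python
import math
import secrets


def poly_eval(coeffs, x, q):
    """m(x) = sum_{i=1}^{k} m_i x^i in GF[q], Horner form.  No constant
    term, so m(0) = 0 for every m."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc + c) * x % q
    return acc


def collision_probability(m, m_hat, c, c_hat, q):
    """Exact Pr_x[m(x) + c = m_hat(x) + c_hat] over uniform x in GF[q]; the
    slides bound it by k/q (a nonzero degree-k polynomial has <= k roots)."""
    hits = sum(1 for x in range(q)
               if (poly_eval(m, x, q) + c) % q == (poly_eval(m_hat, x, q) + c_hat) % q)
    return hits / q


def digits_needed(q1, q2):
    """Smallest d with q2^d >= q1^2, so that m1 (two GF[q1] elements) fits in d
    GF[q2] digits; integer arithmetic avoids float rounding at the boundary."""
    d = 1
    while q2 ** d < q1 * q1:
        d += 1
    return d


def round1(m0, b1, a1, q1):
    """m1 = b1 || m0(b1) + a1, packed as the integer b1*q1 + (m0(b1) + a1)."""
    return b1 * q1 + (poly_eval(m0, b1, q1) + a1) % q1


def to_vector(m1_int, q1, q2):
    """Reinterpret the packed m1 as a vector over GF[q2] (this packing is an
    assumption of the example; any injective encoding works)."""
    vec = []
    for _ in range(digits_needed(q1, q2)):
        vec.append(m1_int % q2)
        m1_int //= q2
    return vec


def round2(m1_vec, a2, b2, q2):
    """m2 = a2 || m1(a2) + b2: the two GF[q2] elements Alice authenticates."""
    return (a2, (poly_eval(m1_vec, a2, q2) + b2) % q2)


def manual_bits(q2):
    """|m2| = 2 log2(q2) bits, i.e. 2log(1/eps) + 2loglog(n) + O(1)."""
    return 2 * math.ceil(math.log2(q2))


def alice_m2(m, a1, a2, b1_recv, b2_recv, q1, q2):
    """Alice's view: her own m, a1, a2 and whatever (b1, b2) Eve delivered."""
    return round2(to_vector(round1(m, b1_recv, a1, q1), q1, q2), a2, b2_recv, q2)


def bob_accepts(m_recv, a1_recv, b1, b2, m2_manual, q1, q2):
    """Bob recomputes m2 from his view (m_hat, a1_hat, his own b1, b2) and the
    a2 carried inside the manually authenticated m2; accepts iff it matches."""
    a2 = m2_manual[0]
    return round2(to_vector(round1(m_recv, b1, a1_recv, q1), q1, q2), a2, b2, q2) == m2_manual


def attack1_success_probability(m, m_hat, a1, a1_hat, b2, b2_hat, q1, q2):
    """Attack #1 with Eve forwarding b1 unchanged (b1_hat = b1) and fixed
    substitutions for m, a1, b2: exact probability, over Bob's uniform b1 and
    Alice's uniform a2, that Bob accepts m_hat.  Must stay <= k1/q1 + k2/q2."""
    hits = 0
    for b1 in range(q1):
        va = to_vector(round1(m, b1, a1, q1), q1, q2)
        vb = to_vector(round1(m_hat, b1, a1_hat, q1), q1, q2)
        for a2 in range(q2):
            if (poly_eval(va, a2, q2) + b2_hat) % q2 == (poly_eval(vb, a2, q2) + b2) % q2:
                hits += 1
    return hits / (q1 * q2)


if __name__ == "__main__":
    Q1, Q2 = 101, 1009                     # toy sizes (slides: Q1 ~ n/eps, Q2 ~ log(n)/eps)
    m = [1, 2, 3, 4]                       # constructed message: 4 GF[Q1] elements
    a1, a2 = secrets.randbelow(Q1), secrets.randbelow(Q2)
    b1, b2 = secrets.randbelow(Q1), secrets.randbelow(Q2)
    m2 = alice_m2(m, a1, a2, b1, b2, Q1, Q2)
    print(manual_bits(Q2), "manual bits; honest run accepted:",
          bob_accepts(m, a1, b1, b2, m2, Q1, Q2))
    print("Attack #1 success:", attack1_success_probability(m, [1, 2, 3, 5], 10, 10, 7, 7, Q1, Q2),
          "<= bound", 4 / Q1 + 2 / Q2)
```

Two details are worth noticing when reading the numbers. Since $m(x)$ has no constant term, $x = 0$ is always a root of $m(x) - \hat{m}(x)$, so every round loses one value of $Q$ to that trivial collision; and the manually authenticated string here is 20 bits for a 4-element message, which is the $2\log Q_2$ the slide states, independent of $n$ except through $\log\log n$.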
Security Analysis
• Must consider all generic man-in-the-middle attacks.
• Three attacks in our case, distinguished by the order in which Eve runs her session with Alice and her session with Bob (she chooses the input $m$, delivers $\hat{m}, \hat{a}_1$ to Bob and $\hat{b}_1, \hat{b}_2$ to Alice, and may delay the manually authenticated $m_2$):

Attack #1 (interleaved): Alice sends $m, a_1$; Eve delivers $\hat{m}, \hat{a}_1$ to Bob; Bob sends $b_1, b_2$; Eve delivers $\hat{b}_1, \hat{b}_2$ to Alice; Alice manually authenticates $m_2$

Attack #2 (Bob's session first): Eve sends $\hat{m}, \hat{a}_1$ to Bob and receives $b_1, b_2$; only then Alice sends $m, a_1$ and Eve delivers $\hat{b}_1, \hat{b}_2$ to her; Alice manually authenticates $m_2$

Attack #3 (Alice's session first): Alice sends $m, a_1$, Eve delivers $\hat{b}_1, \hat{b}_2$, and Alice manually authenticates $m_2$ (which Eve may delay); Eve then sends $\hat{m}, \hat{a}_1$ to Bob, receives $b_1, b_2$, and lets $m_2$ reach Bob
Security Analysis – Attack #1

Alice's view (she received $\hat{b}_1, \hat{b}_2$ from Eve):
  $m_{0,A} = m$
  $m_{1,A} = \hat{b}_1 \| m_{0,A}(\hat{b}_1) + a_1$
  $m_{2,A} = a_2 \| m_{1,A}(a_2) + \hat{b}_2$

Bob's view (he received $\hat{m}, \hat{a}_1$ from Eve):
  $m_{0,B} = \hat{m}$
  $m_{1,B} = b_1 \| m_{0,B}(b_1) + \hat{a}_1$
  $m_{2,B} = a_2 \| m_{1,B}(a_2) + b_2$

Bob accepts a forgery iff $m_{0,A} \neq m_{0,B}$ and $m_{2,A} = m_{2,B}$:

  $\Pr[m_{0,A} \neq m_{0,B} \text{ and } m_{2,A} = m_{2,B}]$
  $\le \Pr[m_{1,A} = m_{1,B}] + \Pr[m_{1,A} \neq m_{1,B} \text{ and } m_{2,A} = m_{2,B}]$
  $\le \epsilon/2 + \epsilon/2$

Claim: $\Pr[m_{1,A} = m_{1,B}] \le \epsilon/2$
• Eve chooses $\hat{b}_1 \neq b_1$ $\Rightarrow$ $m_{1,A} \neq m_{1,B}$ (the first components differ)
• Eve chooses $\hat{b}_1 = b_1$ $\Rightarrow$ $\Pr[m_{0,A}(b_1) + a_1 = m_{0,B}(b_1) + \hat{a}_1] \le \epsilon/2$, because $b_1$ is chosen uniformly by Bob after $m, a_1, \hat{m}, \hat{a}_1$ have been fixed and $m_{0,A} \neq m_{0,B}$; this is the polynomial bound with $k/Q_1 \le \epsilon/2$

The second term is bounded the same way: once $m_{1,A} \neq m_{1,B}$ and $\hat{b}_2, b_2$ are fixed, $a_2$ is chosen uniformly by Alice, so $\Pr[m_{1,A}(a_2) + \hat{b}_2 = m_{1,B}(a_2) + b_2] \le k/Q_2 \le \epsilon/2$

Lower Bound

  Alice → Bob: $m, x_1$
  Bob → Alice: $x_2$
  Alice ⇒ Bob (manual channel): $s$

• $m \leftarrow_R \{0,1\}^n$ $\Rightarrow$ $M, X_1, X_2, S$ are well defined random variables
• Goal: $H(S) \ge 2\log(1/\epsilon)$
Shannon Entropy
• Let $X$ be a random variable over domain $\mathcal{X}$ with probability distribution $P_X$
• The Shannon entropy of $X$ is

  $H(X) = -\sum_{x \in \mathcal{X}} P_X(x) \log P_X(x)$   (where $0 \log 0 = 0$)

• Measures the amount of randomness in $X$ on average
• Measures how much we can compress $X$ on average

  $0 \le H(X) \le \log|\mathcal{X}|$

  Equality on the left $\Leftrightarrow$ $X$ is constant; equality on the right $\Leftrightarrow$ $X$ is uniform

A Related Notion: Min-Entropy
• Let $X$ be a random variable over domain $\mathcal{X}$ with probability distribution $P_X$
• The min-entropy of $X$ is

  $H_\infty(X) = -\log \max_{x \in \mathcal{X}} P_X(x)$

• Measures the amount of randomness in $X$ in the worst case
• Determined by the most likely value(s) of $X$

  $0 \le H_\infty(X) \le H(X) \le \log|\mathcal{X}|$

  Equality on the left $\Leftrightarrow$ $X$ is constant; $H_\infty(X) = H(X)$ $\Leftrightarrow$ $X$ is uniform; equality on the right $\Leftrightarrow$ $X$ is uniform

Conditional Shannon Entropy
• Let $X$ and $Y$ be two random variables over domains $\mathcal{X}$ and $\mathcal{Y}$ with probability distributions $P_X$ and $P_Y$
• The conditional Shannon entropy of $X$ given $Y$ is

  $H(X \mid Y) = \sum_{y \in \mathcal{Y}} P_Y(y) H(X \mid Y = y)$

• Observation (chain rule):

  $H(X, Y) = H(X) + H(Y \mid X)$
  $H(X, Y) = H(Y) + H(X \mid Y)$

Shannon Mutual Information
• The mutual information between $X$ and $Y$ is

  $I(X ; Y) = H(X) - H(X \mid Y)$

• Observation: $I(X ; Y) = I(Y ; X)$
• Conditional mutual information:

  $I(X ; Y \mid Z) = H(X \mid Z) - H(X \mid Y, Z)$

Lower Bound
• Goal: $H(S) \ge 2\log(1/\epsilon)$

Evolving intuition:
• The parties must use at least $\log(1/\epsilon)$ random bits
• Each party must use at least $\log(1/\epsilon)$ random bits
• Each party must independently reduce $H(S)$ by $\log(1/\epsilon)$ bits

Decomposing $H(S)$ with the chain rule:

  $H(S) = [H(S) - H(S \mid M, X_1)] + [H(S \mid M, X_1) - H(S \mid M, X_1, X_2)] + H(S \mid M, X_1, X_2)$

  $\phantom{H(S)} = I(S ; M, X_1) + I(S ; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$

The terms $I(S ; M, X_1)$ and $H(S \mid M, X_1, X_2)$ are due to Alice's randomness (Lemma 1 below bounds their sum); the term $I(S ; X_2 \mid M, X_1)$ is due to Bob's randomness (Lemma 2)
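The entropy definitions and the chain-rule decomposition above, carried out numerically as an added example (not code from the slides). The joint distribution comes from a toy "protocol" that is an assumption made here only to have concrete numbers: $M$ uniform in $\{1,2,3,4\}$, Alice's $X_1$ uniform in $GF[5]$, Bob's $X_2$ a single uniform bit, and $S = M X_1 + X_2 \bmod 5$. `decomposition` returns $H(S)$ and the three terms, so the identity $H(S) = I(S;M,X_1) + I(S;X_2 \mid M,X_1) + H(S \mid M,X_1,X_2)$ can be checked, and it shows which party's randomness each term measures.

```python
import math
from collections import defaultdict
from fractions import Fraction
from itertools import product


def entropy(dist):
    """Shannon entropy H(X) = -sum p log2 p, with 0 log 0 = 0.  dist maps
    outcomes to probabilities."""
    return -sum(float(p) * math.log2(float(p)) for p in dist.values() if p > 0)


def min_entropy(dist):
    """H_inf(X) = -log2 max_x P_X(x)."""
    return -math.log2(float(max(dist.values())))


def marginal(joint, idx):
    """Marginal of a joint distribution (tuple outcome -> prob) onto the
    coordinates in idx; idx = () gives the trivial distribution {(): 1}."""
    out = defaultdict(Fraction)
    for outcome, p in joint.items():
        out[tuple(outcome[i] for i in idx)] += p
    return dict(out)


def conditional_entropy(joint, x_idx, y_idx):
    """H(X|Y) = H(X,Y) - H(Y)  (the chain rule from the slides)."""
    return entropy(marginal(joint, x_idx + y_idx)) - entropy(marginal(joint, y_idx))


def mutual_information(joint, x_idx, y_idx, z_idx=()):
    """I(X;Y|Z) = H(X|Z) - H(X|Y,Z); unconditional when z_idx is empty."""
    return (conditional_entropy(joint, x_idx, z_idx)
            - conditional_entropy(joint, x_idx, y_idx + z_idx))


# Coordinate order inside each outcome tuple.
M, X1, X2, S = 0, 1, 2, 3


def toy_joint():
    """Joint distribution of (M, X1, X2, S) for a toy 'protocol' that is an
    assumption of this example: M uniform in {1,2,3,4}, Alice's X1 uniform in
    GF[5], Bob's X2 uniform in {0,1}, manual string S = M*X1 + X2 mod 5."""
    joint = {}
    for m, x1, x2 in product(range(1, 5), range(5), range(2)):
        joint[(m, x1, x2, (m * x1 + x2) % 5)] = Fraction(1, 40)
    return joint


def decomposition(joint):
    """Return (H(S), I(S;M,X1), I(S;X2|M,X1), H(S|M,X1,X2)); the slides show
    that the first equals the sum of the other three."""
    return (
        entropy(marginal(joint, (S,))),
        mutual_information(joint, (S,), (M, X1)),          # Alice's randomness
        mutual_information(joint, (S,), (X2,), (M, X1)),   # Bob's randomness
        conditional_entropy(joint, (S,), (M, X1, X2)),
    )


if __name__ == "__main__":
    j = toy_joint()
    hs, alice, bob, rest = decomposition(j)
    print(f"H(S)={hs:.4f}  I(S;M,X1)={alice:.4f}  I(S;X2|M,X1)={bob:.4f}  "
          f"H(S|M,X1,X2)={rest:.4f}  sum={alice + bob + rest:.4f}")
    print("min-entropy of S:", min_entropy(marginal(j, (S,))))
```

In this toy distribution $S$ is uniform over $GF[5]$, so $H(S) = \log_2 5$; Bob's single random bit accounts for exactly one bit of it, $I(S ; X_2 \mid M, X_1) = 1$, and $S$ is determined once all of $M, X_1, X_2$ are known, so the last term is 0. The lemmas that follow say that any protocol with forgery probability $\epsilon$ must make both the Alice terms and the Bob term at least about $\log(1/\epsilon)$.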

Lower Bound
• Goal: $H(S) \ge 2\log(1/\epsilon)$

Lemma 1: $I(S ; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\epsilon)$   (Alice's randomness)

Lemma 2: $I(S ; X_2 \mid M, X_1) \ge \log(1/\epsilon)$   (Bob's randomness)

(The precise statements below lose an additive 1 in each lemma.)

Proof of Lemma 1

Consider the following attack. Eve wants Alice to manually authenticate a string $\hat{s}$ that Bob will accept together with a different message $\hat{m}$:

  Alice → Eve: $m, x_1$          Eve → Bob: $\hat{m}, \hat{x}_1$
  Eve → Alice: $\hat{x}_2$        Bob → Eve: $x_2$
  Alice ⇒ Bob (manual channel): $s$

Eve acts as follows:

• Chooses $m \leftarrow_R \{0,1\}^n$ (Alice's input)
• Chooses $\hat{m} \leftarrow_R \{0,1\}^n$
• Runs Alice's side of the protocol with Bob on input $\hat{m}$ (sends $\hat{m}, \hat{x}_1$, receives Bob's $x_2$), and lets $\hat{s}$ be the string Bob expects over the manual channel in that run
• Receives $m, x_1$ from Alice. If $\Pr[\hat{s} \mid m, x_1] = 0$, Eve quits; otherwise she samples $\hat{x}_2$ from the distribution of $X_2$ given $m$, $x_1$ and $S = \hat{s}$, and sends it to Alice
• Forwards $s$ and hopes that $s = \hat{s}$

Claim: $\Pr[s = \hat{s}] \ge 2^{-\{I(S ; M, X_1) + H(S \mid M, X_1, X_2)\}}$

By the protocol requirements:

  $\epsilon \ge \Pr[s = \hat{s} \text{ and } m \neq \hat{m}] \ge \Pr[s = \hat{s}] - 2^{-n}$

Since $n \ge \log(1/\epsilon)$, we get

  $2\epsilon \ge \Pr[s = \hat{s}]$

which implies

  $I(S ; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\epsilon) - 1$

Lower Bound
• Goal: $H(S) \ge 2\log(1/\epsilon) - 2$

Lemma 1: $I(S ; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\epsilon) - 1$   (Alice's randomness)

Lemma 2: $I(S ; X_2 \mid M, X_1) \ge \log(1/\epsilon) - 1$   (Bob's randomness)

Adding the two lemmas to $H(S) = I(S ; M, X_1) + I(S ; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$ gives $H(S) \ge 2\log(1/\epsilon) - 2$, and $\ell \ge H(S)$ because $S$ takes at most $2^\ell$ values

References
• Whitfield Diffie and Martin E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, 1976
• Peter Gemmell and Moni Naor, Codes for Interactive Authentication, CRYPTO 1993
• Moni Naor, Gil Segev and Adam Smith, Tight Bounds for Unconditionally Secure Authentication Protocols in the Manual Channel and Shared Key Models, CRYPTO 2006
• T. Cover and J. A. Thomas, Elements of Information Theory