Seminar in Foundations of Privacy

Presentation Transcript

Pairing of Wireless Devices

Scenario:

- Buy a new wireless camera
- Want to establish a secure channel for the first time
- Diffie-Hellman key agreement protocol

Diffie-Hellman Key Agreement

- Alice and Bob wish to agree on a secret key
- Public parameters:
  - Group G
  - Generator g ∈ G

[Figure: Alice sends g^x to Bob; Bob sends g^y to Alice]

Both parties compute K_{A,B} = g^{xy}

- Security: even when given (G, g, g^x, g^y) it is still hard to compute g^{xy}

Diffie-Hellman Key Agreement

- Computational Diffie-Hellman assumption (CDH): for every probabilistic polynomial-time algorithm A, every polynomial p(n) and all sufficiently large n,

  $$\Pr[A(G_n, g_n, g_n^{x}, g_n^{y}) = g_n^{xy}] < 1/p(n)$$

  The probability is taken over A's internal coin tosses and over the random choice of (x, y).

- Decisional Diffie-Hellman assumption (DDH):

  $$\{(g, g^x, g^y, g^{xy})\} \approx_c \{(g, g^x, g^y, g^c)\}$$

  for random x, y and c, where ≈_c denotes computational indistinguishability.

- CDH assumption: K_{A,B} is hard to guess
- DDH assumption: K_{A,B} is as good as a random secret
- Secure against passive adversaries
  - Eve is only allowed to read the sent messages
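The passive and the active case side by side, as an added example that is not part of the original slides. The prime modulus, the generator and the XOR stream cipher standing in for ENC(K, m) are assumptions chosen for illustration only; they are not a standardised group or a real cipher mode. The MITM run also returns what each party would have to authenticate (g^x || g^a on Alice's side, g^b || g^y on Bob's) to expose the substitution:

```python
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus (assumption for illustration, not a standardised group)
G = 3            # public generator (assumption, as above)

def share(secret):
    """Public share g^secret mod P."""
    return pow(G, secret, P)

def key(their_share, my_secret):
    """Agreed key (g^their)^mine = g^{their*mine} mod P."""
    return pow(their_share, my_secret, P)

def toy_encrypt(k, msg):
    """Stand-in for ENC(K, m): XOR with a SHA-256-derived keystream.
    Demo only (assumption), not a real cipher mode; applying it twice decrypts."""
    stream, ctr = b"", 0
    while len(stream) < len(msg):
        stream += hashlib.sha256(k.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(msg, stream))

def passive_run(rnd=secrets.randbelow):
    """Eve only reads g^x and g^y. Returns True iff Alice and Bob agree on K_{A,B}."""
    x, y = rnd(P - 2) + 1, rnd(P - 2) + 1
    gx, gy = share(x), share(y)          # the only values Eve sees on the wire
    return key(gy, x) == key(gx, y)      # both sides hold g^{xy}

def mitm_run(plaintext, rnd=secrets.randbelow):
    """Active Eve: delivers g^a to Alice instead of g^y and g^b to Bob instead of
    g^x, then decrypts and re-encrypts Alice's message. Returns keys and views."""
    x, y, a, b = (rnd(P - 2) + 1 for _ in range(4))
    gx, gy, ga, gb = share(x), share(y), share(a), share(b)
    k_alice = key(ga, x)                 # K_{A,E} = g^{xa}; Alice believes Bob shares it
    k_bob = key(gb, y)                   # K_{E,B} = g^{by}; Bob believes Alice shares it
    k_eve_alice, k_eve_bob = key(gx, a), key(gy, b)
    ct_from_alice = toy_encrypt(k_alice, plaintext)
    m_read_by_eve = toy_encrypt(k_eve_alice, ct_from_alice)   # Eve decrypts m ...
    ct_to_bob = toy_encrypt(k_eve_bob, m_read_by_eve)         # ... and re-encrypts it
    return {
        "alice_key": k_alice, "bob_key": k_bob,
        "eve_key_alice": k_eve_alice, "eve_key_bob": k_eve_bob,
        "eve_read": m_read_by_eve,
        "bob_read": toy_encrypt(k_bob, ct_to_bob),
        "alice_view": (gx, ga),      # g^x || g^a: what Alice would authenticate
        "bob_view": (gb, gy),        # g^b || g^y: what Bob would authenticate
    }
```

Neither party notices anything: Bob decrypts exactly the plaintext Alice sent, while Eve holds both session keys. The two views differ in both components, which is what authenticating g^x and g^y (the "solution" on the following slides) detects.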

Pairing of Wireless Devices

[Figure: the two devices exchange g^x and g^y over the wireless link]

Cable pairing

- Simple
- Cheap
- Authenticated channel

"I thought this is a wireless camera..."

Pairing of Wireless Devices

Wireless pairing

Problem: active adversaries ("man-in-the-middle")

[Figure: Alice sends g^x, but Bob receives g^b from Eve; Bob sends g^y, but Alice receives g^a from Eve; Alice's encrypted message reaches Bob only as ENC(K_{E,B}, m), re-encrypted by Eve]

Diffie-Hellman Key Agreement

- Suppose now that Eve is an active adversary
  - "man-in-the-middle" attacker

[Figure: Alice → Eve: g^x; Eve → Bob: g^b; Bob → Eve: g^y; Eve → Alice: g^a]

K_{A,E} = g^{xa}

K_{E,B} = g^{by}

- Completely insecure:
  - Eve can decrypt m, and then re-encrypt it

- Solution - message authentication:
  - Alice and Bob authenticate g^x and g^y

Message Authentication

- Assure the receiver of a message that it has not been changed by an active adversary

[Figure: Alice sends m; Eve may deliver a different m̂ to Bob]

Problem specification:

Completeness: no interference ⇒ Bob accepts m (with high probability)

Soundness: for every m̂ ≠ m, Pr[Bob accepts m̂] ≤ ε

One-Time Authentication

- The secret key enables a single authentication of a message m ∈ {0,1}^n
- H = {h | h: {0,1}^n → {0,1}^k} is a family of hash functions
- Alice and Bob share a random function h ∈ H
  - h is not known to Eve
- To authenticate m ∈ {0,1}^n Alice sends (m, h(m))
- Upon receiving (m̂, ẑ):
  - If ẑ = h(m̂), then Bob outputs m̂ and halts
  - Otherwise, Bob outputs ⊥ and halts

What properties do we require from H?

- Hard to guess h(m̂), even given h(m)
  - Success probability at most ε
  - Should hold for any m and m̂ ≠ m
- Short representation for h - must have small log|H|
- Easy to compute h(m) given h and m

Universal Hash Functions

- Given h: {0,1}^n → {0,1}^k we can always guess a correct output with probability at least 2^{-k}
- A family where this is tight is called universal_2

Definition: a family H = {h | h: {0,1}^n → {0,1}^k} is called strongly universal_2 or pair-wise independent if for all m1 ≠ m2 ∈ {0,1}^n and y1, y2 ∈ {0,1}^k we have

$$\Pr[h(m_1) = y_1 \text{ and } h(m_2) = y_2] = 2^{-2k}$$

where the probability is over a randomly chosen h ∈ H.

In particular Pr[h(m2) = y2 | h(m1) = y1] = 2^{-k}.

Theorem: when a strongly universal_2 family is used in the protocol, Eve's probability of cheating is at most 2^{-k}.

Constructing Universal Hash Functions

The linear polynomial construction:

- Fix a finite field F of size at least the message space 2^n
  - Could be either GF[2^n] or GF[P] for some prime P ≥ 2^n
- The family H of functions h: F → F is defined as

  H = {h_{a,b}(m) = a·m + b | a, b ∈ F}

Claim: the family above is strongly universal_2

Proof: for every m1 ≠ m2 and y1, y2 ∈ F there are unique a, b ∈ F such that

  a·m1 + b = y1
  a·m2 + b = y2

(subtracting the two equations gives a = (y1 − y2)/(m1 − m2), which is well defined because m1 ≠ m2, and then b = y1 − a·m1; so exactly one of the |F|^2 keys fits, i.e. probability |F|^{-2})

Size: each h ∈ H is represented by 2n bits
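The one-time scheme with the linear family h_{a,b}(m) = a·m + b over GF[P], as an added example that is not part of the original slides. It checks the strong-universality definition exhaustively on a small prime field, computes Eve's best forgery probability after seeing one tag, and shows why the key is one-time: two tags on distinct messages recover (a, b) by solving the two linear equations from the proof. The choice P = 2^127 − 1 (a prime, so GF[P] covers 127-bit messages) and the sample messages are assumptions made here:

```python
from fractions import Fraction
from itertools import product

def tag(m, a, b, p):
    """h_{a,b}(m) = a*m + b over GF(p); (a, b) is the one-time shared key."""
    return (a * m + b) % p

def verify(m_hat, z_hat, a, b, p):
    """Bob's check: output m_hat if the tag matches, otherwise ⊥ (None)."""
    return m_hat if z_hat == tag(m_hat, a, b, p) else None

def is_strongly_universal(p):
    """Exhaustive check of the definition on a small field: for every m1 != m2 and
    every y1, y2 exactly one of the p^2 keys maps m1 -> y1 and m2 -> y2."""
    for m1, m2, y1, y2 in product(range(p), repeat=4):
        if m1 == m2:
            continue
        keys = [(a, b) for a, b in product(range(p), repeat=2)
                if tag(m1, a, b, p) == y1 and tag(m2, a, b, p) == y2]
        if len(keys) != 1:
            return False
    return True

def best_forgery_probability(p, m, z, m_hat):
    """Eve saw (m, z = h(m)) and must guess h(m_hat) for m_hat != m. Among the keys
    still consistent with her view, the most common value of h(m_hat) is her best bet."""
    consistent = [(a, b) for a, b in product(range(p), repeat=2) if tag(m, a, b, p) == z]
    counts = {}
    for a, b in consistent:
        v = tag(m_hat, a, b, p)
        counts[v] = counts.get(v, 0) + 1
    return Fraction(max(counts.values()), len(consistent))

def recover_key(m1, z1, m2, z2, p):
    """Why the key is one-time: tags on two distinct messages determine (a, b)
    by solving a*m1 + b = z1 and a*m2 + b = z2 over GF(p)."""
    a = (z1 - z2) * pow((m1 - m2) % p, -1, p) % p
    b = (z1 - a * m1) % p
    return a, b

# Realistic field (assumption: 2^127 - 1 is prime, so messages up to 127 bits fit)
P127 = 2**127 - 1
```

On GF[7] every (m1, m2, y1, y2) with m1 ≠ m2 has exactly one key, and Eve's best guess for a second tag succeeds with probability exactly 1/7 = 2^{-k} for k = log 7, matching the theorem. With the 127-bit field the same guess succeeds with probability 2^{-127}, but a single reuse of (a, b) hands the key to anyone who sees two tagged messages.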

Lower Bound

Theorem: let H = {h | h: {0,1}^n → {0,1}} be a family of pair-wise independent functions. Then |H| is Ω(2^n).

More precisely, to obtain a d-wise independent family, |H| should be Ω(2^{n⌊d/2⌋}).

- N. Alon and J. Spencer, The Probabilistic Method, Chapter 15 (derandomization), Proposition 2.3

More on Authentication

- Reducing the length of the secret key
- Almost-pair-wise independent hash functions
- Interaction

- Using the same secret key to authenticate any polynomial number of messages
- Requires computational assumptions
- Pseudorandom functions

- Authentication in the public-key world

- Much more to discuss…

Pairing of Wireless Devices - Wireless pairing

[Figure: Alice → Eve: g^x, Eve → Bob: g^b; Bob → Eve: g^y, Eve → Alice: g^a. Alice would have to authenticate m = g^x || g^a (what she sent and what she received); Bob would have to authenticate m = g^b || g^y]

- Impossible without additional setup

Manual Channel Model

[Figure: Alice and Bob exchange m and further messages over the insecure channel; Alice additionally sends a short string s over the manual channel]

- Insecure communication channel
- Low-bandwidth auxiliary channel:
  - Enables Alice to "manually" authenticate one short string s
  - Interactive or non-interactive
- Adversarial power:
  - Choose the input message m
  - Insecure channel: full control
  - Manual channel: read, delay
  - Delivery timing

Goal: minimize the length of the manually authenticated string

- No trusted infrastructure, such as:
  - Public key infrastructure
  - Shared secret key
  - Common reference string
  - ...

Suitable for ad hoc networks:

- Pairing of wireless devices
  - Wireless USB, Bluetooth
- Secure phones
  - AT&T, PGP, Zfone
- Many more...

Why Is This Model Reasonable?

- Implementing the manual channel:
  - Compare two strings displayed by the devices
  - Type a string, displayed by one device, into the other device
  - Visual hashing
  - Voice channel

[Figure: two devices each displaying the string 141, for the user to compare]

The Naive Solution

[Figure: Alice sends m over the insecure channel, where Eve may deliver m̂ instead; Alice sends H(m) over the manual channel]

- H - collision resistant hash function (e.g., SHA-256)
  - No efficient algorithm can find m ≠ m̂ s.t. H(m) = H(m̂) with noticeable probability
- Any adversary that forges a message can be used to find a collision for H (Bob accepts m̂ ≠ m only if H(m̂) = H(m))

Are we done?

- No. The output of SHA-256 is 256 bits, which is too long
  - Cannot be easily compared or typed by humans

Tight Bounds

[Figure: an n-bit message m and further messages over the insecure channel; an ℓ-bit string s over the manual channel; ε denotes the forgery probability]

No setup or computational assumptions

- Upper bound: a log* n-round protocol in which ℓ = 2log(1/ε) + O(1)
- Matching lower bound: n ≥ 2log(1/ε) ⇒ ℓ ≥ 2log(1/ε) − 2
- One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting

Our Results - Tight Bounds

[Figure: ℓ plotted against log(1/ε). ℓ = 2log(1/ε): unconditional security. ℓ = log(1/ε): computational security, assuming one-way functions. Below that: impossible]

Outline

- Security definition
- Tight bounds
- The protocol
- Lower bound

Security Definition

[Figure: an n-bit message m and further messages over the insecure channel; an ℓ-bit string s over the manual channel]

Unconditionally secure (n, ℓ, k, ε)-authentication protocol:

- n-bit input message
- ℓ manually authenticated bits
- k rounds
- ε forgery probability

Completeness: no interference ⇒ Bob accepts m (with high probability)

Unforgeability: for every m, Pr[Bob accepts m̂ ≠ m] ≤ ε


The Protocol (simplified)

- Based on the [GN93] hashing technique
- In each round, the parties:
  - Cooperatively choose a hash function
  - Reduce to authenticating a shorter message
- A short message is manually authenticated

For m = m1 ... mk ∈ GF[Q]^k and x ∈ GF[Q], let

$$m(x) = \sum_{i=1}^{k} m_i x^i$$

Then, for any m ≠ m̂ and for any c, ĉ ∈ GF[Q],

$$\Pr_{x \in_R GF[Q]}\big[\, m(x) + c = \hat{m}(x) + \hat{c} \,\big] \le k/Q$$

(m(x) − m̂(x) + c − ĉ is a nonzero polynomial of degree at most k, since some coefficient m_i − m̂_i is nonzero, so it has at most k roots in GF[Q])

We hash m to x || m(x) + c, where one party chooses x and the other party chooses c.

The Protocol (simplified)

Both parties set: m0 = m, Q1 ≈ n/ε, Q2 ≈ log(n)/ε

- Alice chooses a1 ∈_R GF[Q1] and sends (m, a1) to Bob
- Bob chooses b1 ∈_R GF[Q1] and b2 ∈_R GF[Q2] and sends (b1, b2) to Alice
- Both compute m1 = b1 || m0(b1) + a1
- Alice chooses a2 ∈_R GF[Q2] and sends it to Bob
- Both compute m2 = a2 || m1(a2) + b2
- Alice manually authenticates m2 (two GF[Q2] elements); Bob accepts iff his m2 is consistent

2log(1/ε) + 2loglog(n) + O(1) manually authenticated bits

- k rounds: 2loglog(n) is reduced to 2log^{(k-1)}(n)
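The two-round protocol above as an added example, not code from the original slides or the paper. Messages are byte strings of a fixed length (the model's n-bit input); the field sizes Q1, Q2, the bit-chunking encoding of messages into GF[Q] elements and the attack simulated are choices made here. Besides running the protocol, it computes the exact success probability of the attack in which Eve substitutes Alice's (m, a1) and forwards every other message unchanged, by enumerating Bob's b1 and Alice's a2, and compares it with the k/Q bound applied to both rounds:

```python
import secrets

def poly_eval(coeffs, x, q):
    """m(x) = m_1 x + m_2 x^2 + ... + m_k x^k in GF(q); note m(0) = 0 for every m."""
    acc = 0
    for c in reversed(coeffs):           # Horner from m_k down to m_1
        acc = (acc * x + c) % q
    return (acc * x) % q                 # the sum starts at i = 1

def to_elements(data, q):
    """Split a byte string into GF(q) elements of floor(log2 q) bits each.
    Injective among strings of equal length (the model's fixed n-bit message)."""
    t = q.bit_length() - 1
    bits = bin(int.from_bytes(data, "big"))[2:].zfill(8 * len(data))
    return [int(bits[i:i + t], 2) for i in range(0, len(bits), t)]

def gn93_hash(coeffs, x, c, q):
    """x || m(x) + c: one party picked x at random, the other picked c."""
    return (x, (poly_eval(coeffs, x, q) + c) % q)

def pair_bytes(pair, q):
    """Fixed-width encoding of two GF(q) elements so they can be hashed again."""
    w = (q.bit_length() + 7) // 8
    return pair[0].to_bytes(w, "big") + pair[1].to_bytes(w, "big")

def run(m, q1, q2, eve=None, rnd=secrets.randbelow):
    """One execution. `eve` maps a message name to the value the other party
    receives instead (None = honest run). Returns (bob_accepts, bob_output)."""
    eve = eve or {}
    a1 = rnd(q1)                                        # Alice -> Bob: (m, a1)
    m_hat, a1_hat = eve.get("m", m), eve.get("a1", a1)
    b1, b2 = rnd(q1), rnd(q2)                           # Bob -> Alice: (b1, b2)
    b1_hat, b2_hat = eve.get("b1", b1), eve.get("b2", b2)
    m1_alice = gn93_hash(to_elements(m, q1), b1_hat, a1, q1)
    a2 = rnd(q2)                                        # Alice -> Bob: a2
    a2_hat = eve.get("a2", a2)
    m1_bob = gn93_hash(to_elements(m_hat, q1), b1, a1_hat, q1)
    m2_alice = gn93_hash(to_elements(pair_bytes(m1_alice, q1), q2), a2, b2_hat, q2)
    m2_bob = gn93_hash(to_elements(pair_bytes(m1_bob, q1), q2), a2_hat, b2, q2)
    # m2_alice (two GF(q2) elements) goes over the manual channel; Bob accepts
    # iff his own m2 is consistent with it.
    return m2_alice == m2_bob, m_hat

def manual_bits(q2):
    """Length of the manually authenticated string: two GF(q2) elements."""
    return 2 * q2.bit_length()

def attack1_probability(m, m_hat, a1, a1_hat, q1, q2):
    """Exact forgery probability when Eve replaces Alice's (m, a1) by (m_hat, a1_hat)
    and forwards everything else unchanged: enumerate Bob's b1 and Alice's a2
    (b2 cancels because Eve forwards it). Small fields only."""
    ma, mb = to_elements(m, q1), to_elements(m_hat, q1)
    hits = 0
    for b1 in range(q1):
        m1_alice = gn93_hash(ma, b1, a1, q1)
        m1_bob = gn93_hash(mb, b1, a1_hat, q1)
        if m1_alice == m1_bob:           # round-1 collision: every a2 makes Bob accept
            hits += q2
            continue
        ca = to_elements(pair_bytes(m1_alice, q1), q2)
        cb = to_elements(pair_bytes(m1_bob, q1), q2)
        hits += sum(poly_eval(ca, a2, q2) == poly_eval(cb, a2, q2) for a2 in range(q2))
    return hits / (q1 * q2)

def forgery_bound(m, q1, q2):
    """The k/Q lemma applied to both rounds: k1/q1 + k2/q2."""
    k1 = len(to_elements(m, q1))
    k2 = len(to_elements(pair_bytes((0, 0), q1), q2))
    return k1 / q1 + k2 / q2
```

With Q1 = 257 and Q2 = 127 and a 14-byte message, k1 = 14 and k2 = 6, so the bound is 14/257 + 6/127 ≈ 0.10 while the manual string is 14 bits; the enumeration stays below that bound, and the attack always succeeds on the coins b1 = 0 with â1 = a1 because m(0) = 0 for every m, one of the k roots the lemma charges for. Shrinking ε means growing Q1 and Q2, which is where the 2log(1/ε) in the manual-string length comes from.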

Security Analysis

- Must consider all generic man-in-the-middle attacks.
- Three attacks in our case:

[Figures: Attacks #1, #2 and #3. In each, Alice sends (m, a1) and receives (b̂1, b̂2) from Eve; Bob receives (m̂, â1) from Eve and sends (b1, b2); m2 is manually authenticated. The message contents are the same in all three figures; they differ in the order in which Eve delivers and receives the messages on the two sides.]

Security Analysis – Attack #1

[Figure: Alice → Eve: (m, a1); Eve → Bob: (m̂, â1); Bob → Eve: (b1, b2); Eve → Alice: (b̂1, b̂2); Alice manually authenticates m2]

m0,A = m, m0,B = m̂

m1,A = b̂1 || m0,A(b̂1) + a1

m1,B = b1 || m0,B(b1) + â1

m2,A = a2 || m1,A(a2) + b̂2

m2,B = a2 || m1,B(a2) + b2

$$\Pr[m_{0,A} \ne m_{0,B} \text{ and } m_{2,A} = m_{2,B}] \le \Pr[m_{1,A} = m_{1,B}] + \Pr[m_{1,A} \ne m_{1,B} \text{ and } m_{2,A} = m_{2,B}] \le \varepsilon/2 + \varepsilon/2$$

Claim: Pr[m1,A = m1,B] ≤ ε/2

- Eve chooses b̂1 ≠ b1: then m1,A ≠ m1,B, since the first components differ
- Eve chooses b̂1 = b1: Pr[m0,A(b1) + a1 = m0,B(b1) + â1] ≤ ε/2, because b1 is chosen by Bob uniformly at random after m, a1, m̂, â1 are fixed, and the [GN93] bound k/Q1 is at most ε/2 for Q1 ≈ n/ε

Shannon Entropy

- Let X be a random variable over domain 𝒳 with probability distribution P_X
- The Shannon entropy of X is

  $$H(X) = -\sum_{x \in \mathcal{X}} P_X(x) \log P_X(x) \qquad (\text{where } 0 \log 0 = 0)$$

- Measures the amount of randomness in X on average
- Measures how much we can compress X on average

0 ≤ H(X) ≤ log|𝒳|, with equality on the left iff X is constant and equality on the right iff X is uniform

A Related Notion: Min-Entropy

- Let X be a random variable over domain 𝒳 with probability distribution P_X
- The min-entropy of X is

  $$H_\infty(X) = -\log \max_{x \in \mathcal{X}} P_X(x)$$

- Measures the amount of randomness in X in the worst case
- Determined by the most likely value(s)

0 ≤ H_∞(X) ≤ H(X) ≤ log|𝒳|, with equality on the left iff X is constant, and equality in each of the other two places iff X is uniform

Conditional Shannon Entropy

- Let X and Y be two random variables over domains 𝒳 and 𝒴 with probability distributions P_X and P_Y
- The conditional Shannon entropy of X given Y is

  $$H(X \mid Y) = \sum_{y \in \mathcal{Y}} P_Y(y)\, H(X \mid Y = y)$$

- Observation (chain rule):

  H(X,Y) = H(X) + H(Y|X) = H(Y) + H(X|Y)

Shannon Mutual Information

- The mutual information between X and Y is I(X;Y) = H(X) − H(X|Y)
- Observation: I(X;Y) = I(Y;X)
- Conditional mutual information: I(X;Y|Z) = H(X|Z) − H(X|Y,Z)

Lower Bound

[Figure: Alice → Bob: M, X1; Bob → Alice: X2; Alice manually authenticates S]

- Goal: H(S) ≥ 2log(1/ε)

Evolving intuition:

- The parties must use at least log(1/ε) random bits
- Each party must use at least log(1/ε) random bits
- Each party must independently reduce H(S) by log(1/ε) bits

$$
\begin{aligned}
H(S) &= \big[H(S) - H(S \mid M, X_1)\big] + \big[H(S \mid M, X_1) - H(S \mid M, X_1, X_2)\big] + H(S \mid M, X_1, X_2) \\
     &= I(S; M, X_1) + I(S; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)
\end{aligned}
$$

The terms I(S; M, X1) and H(S | M, X1, X2) are charged to Alice's randomness; the term I(S; X2 | M, X1) is charged to Bob's randomness.

Lemma 1: I(S; M, X1) + H(S | M, X1, X2) ≥ log(1/ε) − 1

Lemma 2: I(S; X2 | M, X1) ≥ log(1/ε) − 1

Proof of Lemma 1

Consider the following attack.

[Figure: Eve sits between Alice (who sends (m, x1) and later manually authenticates s) and Bob (who sends x2)]

Eve acts as follows:

- Chooses m ∈_R {0,1}^n (the input message Alice will authenticate) and m̂ ∈_R {0,1}^n
- Eve wants Alice to manually authenticate ŝ (the string under which Bob accepts m̂ in his conversation with Eve)
- Samples x̂2 from the distribution of X2 given m, x1 and ŝ, and sends it to Alice
  - If Pr[ŝ | m, x1] = 0, Eve quits
- Hopes that s = ŝ, and forwards s

Claim: Pr[s = ŝ] ≥ 2^{−(I(S; M, X1) + H(S | M, X1, X2))}

By the protocol requirements (Bob accepts m̂ ≠ m whenever s = ŝ and m ≠ m̂, and m = m̂ happens with probability 2^{−n}):

$$\varepsilon \;\ge\; \Pr[s = \hat{s} \text{ and } m \ne \hat{m}] \;\ge\; \Pr[s = \hat{s}] - 2^{-n}$$

Since n ≥ log(1/ε), we have 2^{−n} ≤ ε, and hence

$$2\varepsilon \;\ge\; \Pr[s = \hat{s}] \;\ge\; 2^{-\left(I(S; M, X_1) + H(S \mid M, X_1, X_2)\right)}$$

which implies

I(S; M, X1) + H(S | M, X1, X2) ≥ log(1/ε) − 1

Lower Bound

[Figure: Alice → Bob: M, X1; Bob → Alice: X2; Alice manually authenticates S]

- Goal: H(S) ≥ 2log(1/ε) − 2

Lemma 1 (Alice's randomness): I(S; M, X1) + H(S | M, X1, X2) ≥ log(1/ε) − 1

Lemma 2 (Bob's randomness): I(S; X2 | M, X1) ≥ log(1/ε) − 1

Adding the two lemmas to the decomposition H(S) = I(S; M, X1) + I(S; X2 | M, X1) + H(S | M, X1, X2) gives H(S) ≥ 2log(1/ε) − 2, and since S is an ℓ-bit string, ℓ ≥ H(S) ≥ 2log(1/ε) − 2

References

- Whitfield Diffie and Martin E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, 1976
- Peter Gemmell and Moni Naor, Codes for Interactive Authentication, CRYPTO 1993
- Moni Naor, Gil Segev and Adam Smith, Tight Bounds for Unconditionally Secure Authentication Protocols in the Manual Channel and Shared Key Models, CRYPTO 2006
- T. Cover and J. A. Thomas, Elements of Information Theory
