Loading in 2 Seconds...

Secret Handshakes from Pairing-Based Key Agreements Dirk Balfanz, Glenn Durfee, Narrendar Shankar

Loading in 2 Seconds...

- 95 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about 'Secret Handshakes from Pairing-Based Key Agreements Dirk Balfanz, Glenn Durfee, Narrendar Shankar' - felice

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Secret Handshakes from Pairing-Based Key Agreements

Dirk Balfanz, Glenn Durfee, Narrendar Shankar

Diana Smetters, Jessica Staddon, Hao-chi Wong

Presented by

Sen Xu, Feng Yue

A Scenario

- Alice want to authenticate herself to the server, but don’t want to reveal her credential until the server is authenticated.
- Similarly, the server don’t want to authenticate itself until Alice is authenticated.

Solution ? – Secret handshake!

- non-members cannot recognize or perform the handshake.
- What happen after a handshake:
- A € G1, B € G2
- A, B don’t know anything about the other party if G1 != G2
- A, B know they belong to the same organization if G1 = G2
- They can choose only authenticate to members with certain roles
- A third party won’t learn anything

Applications of Secret Handshake

- Securely discover restricted services
- Privacy preserving authentication
- Identify roles in a certain group.

Group Background

- Cyclic group: in a group, there is an x such that each element of the group may be written as xk for some integer k.
- x is called the generator of the cyclic group.
- Eg. {2, 4, 8} x = 2

Order of a group, element

- Order of a group G is simply the number of elements in G. misleading?
- Order of an element g: least positive integer k such that gk is the identity element. In general, finding the order of the element of a group is at least as hard as factoring (Meijer 1996).
- every group of prime order is cyclic.

Identity Element

- The identity element I (also denoted E, e) of a group or related mathematical structure S is the unique element such that I*a=a*I=a for every element a €S . The symbol "E" derives from the German word for unity, "Einheit." An identity element is also called a unit element.
- For multiplication i = 1
- For addition i = 0

Tate Pairing

- Elliptic curves: a type of cubic curve whose solutions are confined to a region of space
- Form: y2 = x3 + ax + b

Tate Pairing continued

- Bilinearity the most important property of Tate Pairing
- e(aP, bQ) = e(P, Q)ab

An example of secret handshake

- Ministry of transportation: t (Master secrete)
- Driver Alice: (“p65748392a”, TA)
- TA = tH1(“p65748392a-driver”)

= tP

- Cop Bob: (“xy6542678d”, TB)
- TB = tH1(“xy6542678d-cop”)

= tQ

Procedure

“xy6542678d”

- Bob Alice
- Alice Bob
- KA = e(H1(“xy6542678d-cop”), TA)

= e(Q, tP) = e(P, Q)t

- KB = e(H1(TB, “xy6542678d-driver”)

= e(tQ, P) = e(P, Q)t

- KA = KB

“p65748392a”

Another Example

- Pro-democrocy movement master secret m
- Alice: (“y23987447y”, MA)
- MA = mH1(“y23987447y-member”)
- Claire: (“k61932843u”, MC)
- MC = mH1(“y23987447y-member”)
- Check procedure is the same

Imposter?

- Dolores
- Alice follows the procedure and generate a session key
- Alice encrypt a number N with the session key, ask for N+1
- Reply is not N+1
- Dolores is not in the movement.
- Dolores don’t know anything about the movement.

Definitions of Secret-Handshake Scheme

- A set U of possible users
- A set G of groups
- A set A of administrators (where do they come from?)

Secret-handshake scheme

- CreateGroup G {0,1}* (group secret generated by administrator)
- AddUser: U x G x {0, 1}* {0,1}*

(user secret given by administrator)

- Handshake (A, B)
- TraceUser: {0,1}* U
- RemoveUser: {0, 1}* x U {0, 1}* (insert u into RevokedUserlist)

Concrete Secret-Handshake Scheme

- Computable, non-degenerate bilinear map e: G1 x G1 G2
- Example: Modified Weil or Tate pairings on supersingular elliptic curves.
- H1: {0, 1}* G1
- H2 collision-resistant hash function

Concrete Secret-Handshake Scheme

- CreateGroup: SG € Zq
- AddUser: “pseudonyms” list

idU1, …, idUt € {0, 1}* for U.

The administrator calculate:

privUi = SGH1(idUi)

- UserSecretU,G = id + priv

Concrete Handshake

idA, nA

- A B
- A B
- A B
- V0 = H2(e(privA, H1(idB)) ||idA||idB||nA||nB||0) (A)

= H2(e(H1(idA), privB) ||idA||idB||nA||nB||0) (B)

- V1 = H2(e(privA, H1(idB)) ||idA||idB||nA||nB||1) (A)

= H2(e(privB, H1(idA)) ||idA||idB||nA||nB||1) (B)

idB, nB, V0

V1

Concrete Handshake Continued

- If both verification succeed, then
- SA = H2(e(privA, H1(idB)) ||idA||idB||nA||nB||2)
- SB = H2(e(H1(idA), privB) ||idA||idB||nA||nB||2)
- e(privA, H1(idB)) = e(H1(idA), privB) SA = SB
- TraceUser: given a transcript of a handshake between A and B, the administrator can recover the pseudonyms idA and idB and their users.

Concrete Secrete-Handshake scheme with Roles

- CreateGroup
- AddUser: “pseudonyms” list

idU1, …, idUt € {0, 1}* for U.

The administrator calculate:

privUi = SGH1(idUi||R)

Concrete Handshake with roles

idA, nA

- A B
- A B
- A B
- V0 = H2(e(H1(idA||R’A), privB) ||idA||idB||nA||nB||0) (B)

= H2(e(privA, H1(idB||R’B)) ||idA||idB||nA||nB||0) (A)

- V1 = H2(e(privA, H1(idB||R’B)) ||idA||idB||nA||nB||1) (A)

= H2(e(H1(idA||R’A), privB) ||idA||idB||nA||nB||1)(B)

idB, nB, V0

V1

Concrete Handshake Continued

- If both verification succeed, then
- SA = H2(e(privA, H1(idB||R’B)) ||idA||idB||nA||nB||2)
- SB = H2(e(H1(idA||R’A), privB) ||idA||idB||nA||nB||2)
- TraceUser and RemoveUser are identical to PBH.

Security for Secret-Handshake Schema

Some definitions:

- Security Parameter:
- Length of prime modulus (q)
- Negligible:
- for all polynomials p(·), e(t)<1/p(t)
- Random Simulation:
- R replaces all outgoing messages with uniformly-random bit strings of the same length.

Definitions

- Interaction:
- Adversary modified SHS.Handshake(A,B)
- A interacts with B:

A.Handshake (A, B)

- A interacts with a random simulation: A.Handshake (A, R)

Group Member Impersonation

- Adversary attempts to convince U* that A is a member of G*
- If A not obtain secrets fro any U in G*, then it should remain unable to convince U* of its membership in G*.
- Trace the user secrets a successful adversary might be using. ( by transcript of A’s interaction with U*)

Group Member Impersonation Game

- Randomized, polynomial-time adversary A
- 1. A interacts with Us and obtains secrets for some users U’ in Us.
- 2. A select a target user U* in G*.
- 3. A attempts to convince U* that A belongs to G*.
- SHS.Handshake (A, U*).

Probability A Wins the Game

- A wins if it engages correctly in SHS.Handshake (A, U*)
- AdvMIGA:= Pr[ A wins Member Impersonation Game ].
- Conditional advantage restricted to E:

AdvMIGEA:=Pr[ A wins Member Impersonation Game | E ].

Impersonation Resistance

- Impersonation Resistance
- Suppose A never corrupts a member of the target group G*. Then U’ ^ G* = 0. The secret-handshake scheme SHS is said to ensure impersonation resistance if AdvMIGA (U0 ^ G* = 0) is negligible for all A.

Impersonator Tracing

- Let T be a transcript of the interaction of A and U. The secret-handshake scheme SHS is said to permit impostor tracing when |Pr[SHS.TraceUser(T) in U0 ^ G*]-AdvMIGA| is negligible for all A.

Group Member Detection

- Adversary A has as its goal to learn how to identify members of a certain group G*
- A interacts with players of the system, corrupts some users, picks a target user U*, and attempts to

learn if U* belongs to G.

Group Member Detection

Required property:

- if A does not obtain secrets for any other

U inG*, then it should remain clueless when detecting whether U* in G.

In other words, the final interaction with

U should yield no new information to the adversary unless it has already obtained secrets from another member of G.

Member Detection Game

- 1. A interacts with users of its choice, and obtains secrets for some users U’ in U.
- 2. A selects a target user U* besides U.
- 3. Flip a random bit, b <- {0.1}.
- 4. b=0, A interacts with U;

b=1, A interacts with R.

- 5. A outputs a guess b* for b.

Probability A Wins the Game

- If b*=b, A wins the game.
- AdvMDGA:=|Pr[A wins Member Detection Game]-1/2|.
- Conditional Advantage restricted to occurrence of event E:

AdvMDGEA:=

|Pr[ A wins MDG|E ]-1/2| .

Detection Resistance

- Let GU* be the group to which U* belongs, and suppose A never corrupts a member in GU*,

Then U0 ^ GU* = 0.

- The secret-handshake scheme SHS is said to ensure detection resistance if AdvMDGa(U0 ^ GU*= 0) is negligible for all A.

Detector Tracing

- Let T be a transcript of the interaction of A and U*, and let GU* be the group to which U* belongs.
- The secret handshake scheme SHS is said to permit detector tracing when |Pr[SHS.TraceUser(T) belongs to U’ ^ GU*]-AdvMDGA|
- is negligible for all A.

Security of Pairing-Based Handshake

Hardness of BDH Problem:

- We say that the Bilinear Diffie-Hellman Problem (BDH) is hard if, for all probabilistic, polynomial-time algorithms B,
- AdvBDHB:= Pr[e(P,aP,bP,cP) = e(P, P)abc]

is negligible in the security parameters.

Security of Pairing-Based Handshake

- Theorem 1 Suppose A is a probabilistic, polynomial time

(PPT) adversary. There is an PPT algorithm B such that

AdvMIGA <= Pr[ PBH.TraceUser(T) belongs to U’ ^ G* ] + e QH1QH2 ·AdvBDHB+ w,

where wis negligible in the security parameter.

Security of Pairing-Based Handshake

- Corollary 2 (PBH Impersonator Tracing)
- Suppose A is a probabilistic, polynomial time adversary

If the BDH problem is hard, then

|Pr[PBH.TraceUser(T) belongs to U’ ^ G*]-AdvMIGA|

is negligible.

Security of Pairing-Based Handshake

- Corollary 3 (PBH Impersonation Resistance)
- Suppose A is a probabilistic, polynomial time adversary.

If the BDH problem is hard, then AdvMIGA (U’ ^ G* = 0)

is negligible.

Security of Pairing-Based Handshake

- Theorem 4 Suppose A is a probabilistic, polynomial time

(PPT) adversary. There is an PPT algorithm B such that

AdvMDGA<= Pr[ PBH.TraceUser(T) belongs to U’ ^ G* ] + e QH1QH2 ·AdvBDHB+ w,

where wis negligible in the security parameter.

Security of Pairing-Based Handshake

- Corollary 2 (PBH Detector Tracing)
- Suppose A is a probabilistic, polynomial time adversary

If the BDH problem is hard, then

|Pr[PBH.TraceUser(T) belongs to U’ ^ G*]-AdvMDGA|

is negligible.

Security of Pairing-Based Handshake

- Corollary 3 (PBH Detector Resistance)
- Suppose A is a probabilistic, polynomial time adversary.

If the BDH problem is hard, then AdvMDGA (U’ ^ G* = 0)

is negligible.

Additional Security Notions

- Forward Repudiability
- Optional
- Any evidence shold not provide a noon-repudiable proof that U1 is a member.
- Indistinguishability to Eavesdroppers.
- AdvDSTA:= |Pr[A(TReal) = 1]-Pr[A(TRand) = 1]|.

Additional Security Notions

- Collusion Resistance and Traitor Tracing
- Remain secure even if collections of users pool their secrets in an attempt to undermine the system.
- If a coalition of users manages to detect or impersonate group members, detect at least one of them.
- Traditional Diffie-Hellman based key exchange protocol broken down

Additional Security Notions

- Unlinkability
- If an eavesdropper sees two different handshakes performed by Alice, the content of the handshakes alone are unlinkable.
- A user obtains a list of pseudonyms
- Reuse a single pseudonym

SSL Handshake Protocol

- Allow server and client to
- authenticate each other
- negotiate encryption and MAC algorithms
- negotiate cryptographic keys to be used
- Comprise a series of messages in phases
- Establish Security Capabilities
- Server Authentication and Key Exchange
- Client Authentication and Key Exchange
- Finish

Implementation

- Small modification of two of the TLS handshake messages.
- Server_Key_Exchange message
- An indication that PHB is the algorithm
- Server’s identity idB
- Client_Key_Exchange message
- Indication: PHB scheme
- Client’s identity idA

Implementation Choices

- Secure transport layer protocol
- Security paramters
- P = 12qr – 1
- P 1024bits, q 160bits
- Curve E : y2 = x3 + 1.
- Bilinear map: Tate Paring

Measurements

- q p time RSA
- 120 bits 512 bits 0.8sec 512 bits
- 160 bits 1024 bits 2.2sec 1024 bits
- 200 bits 2048 bits 11.8sec 2048bits

User and Role Authorization

- The new user may have to be authorized to assume the role, in which case the administrator has to perform user authorization.

Protocol Deployment

- The two parties will exchange a cipher suite designator that clearly shows that they wish to engage in a secret handshake.
- be mitigated by using some form of anonymous communication.
- provide the best protection if the number of groups that are using it is large.

Conclusion

- A secret-handshake mechanism is a mechanism that would allow members of a group to authenticate each other secretly.
- Allows members of a group to authenticate not only the fact that they belong to the same group, but also each other’s roles would be very desirable.

Download Presentation

Connecting to Server..