Secret Handshakes from Pairing-Based Key Agreements

Dirk Balfanz, Glenn Durfee, Narrendar Shankar

Diana Smetters, Jessica Staddon, Hao-chi Wong

Presented by

Sen Xu, Feng Yue

A Scenario
  • Alice wants to authenticate herself to the server, but does not want to reveal her credential until the server is authenticated.
  • Similarly, the server does not want to authenticate itself until Alice is authenticated.
Solution? – Secret handshake!
  • Non-members cannot recognize or perform the handshake.
  • What happens after a handshake, with A ∈ G1 and B ∈ G2:
  • A and B learn nothing about the other party if G1 ≠ G2
  • A and B know they belong to the same organization if G1 = G2
  • They can choose to authenticate only to members holding certain roles
  • A third party learns nothing
Applications of Secret Handshake
  • Securely discover restricted services
  • Privacy preserving authentication
  • Identify roles in a certain group.
Group Background
  • Cyclic group: a group in which there is an x such that each element of the group may be written as x^k for some integer k.
  • x is called the generator of the cyclic group.
  • E.g. {2, 4, 8} with x = 2
Order of a Group, Order of an Element
  • The order of a group G is simply the number of elements in G. (Misleading?)
  • The order of an element g is the least positive integer k such that g^k is the identity element. In general, finding the order of an element of a group is at least as hard as factoring (Meijer 1996).
  • Every group of prime order is cyclic.
Identity Element
  • The identity element I (also denoted E, e) of a group or related mathematical structure S is the unique element such that I*a = a*I = a for every element a ∈ S. The symbol "E" derives from the German word for unity, "Einheit." An identity element is also called a unit element.
  • For multiplication, i = 1
  • For addition, i = 0
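As an added example that is not part of the slides, the following Python script makes the group concepts above concrete: it computes the order of elements of the multiplicative group Z_p^*, lists the generators of that cyclic group, enumerates the subgroup a given element generates, and checks the slide's claim that a group of prime order is cyclic (any non-identity element generates it). The moduli 7 and 2039 are constructed sample parameters, not values from the paper.

```python
from math import gcd

# Added example: cyclic groups, generators, element order and the identity,
# illustrated on Z_p^* = {1, ..., p-1} under multiplication mod p.


def element_order(g: int, p: int) -> int:
    """Least positive k with g^k = 1 (mod p), found by repeated multiplication.

    Brute force is fine for the small sample moduli used here; the slide's
    remark that finding orders is hard in general refers to large groups.
    """
    if gcd(g, p) != 1:
        raise ValueError(f"{g} is not an element of Z_{p}^*")
    k, x = 1, g % p
    while x != 1:          # 1 is the identity element for multiplication
        x = (x * g) % p
        k += 1
    return k


def generated_subgroup(g: int, p: int) -> list[int]:
    """<g> = {g^k mod p : k >= 0}, the cyclic subgroup generated by g."""
    elements, x = [], 1
    while x not in elements:
        elements.append(x)
        x = (x * g) % p
    return elements


def generators(p: int) -> list[int]:
    """Elements of order p-1 = |Z_p^*|, i.e. those generating the whole group (p prime)."""
    return [g for g in range(1, p) if element_order(g, p) == p - 1]


def prime_order_subgroup_is_cyclic(q: int, p: int, sample: int) -> bool:
    """Check on one element: in the order-q subgroup of Z_p^* (q prime, q | p-1),
    every element except 1 must itself have order q, so any of them generates it."""
    elements = generated_subgroup(sample, p)
    return len(elements) == q and all(element_order(x, p) == q for x in elements if x != 1)


if __name__ == "__main__":
    p = 7
    for g in range(1, p):
        print(f"order of {g} in Z_{p}^* is {element_order(g, p)}, <{g}> = {generated_subgroup(g, p)}")
    print("generators of Z_7^*:", generators(p))
    # 2039 = 2*1019 + 1 with 1019 prime; 4 lies in the subgroup of order 1019.
    print("order-1019 subgroup of Z_2039^* is cyclic:", prime_order_subgroup_is_cyclic(1019, 2039, 4))
```

In Z_7^* the elements 3 and 5 are generators, while 2 and 4 each generate only the order-3 subgroup {1, 2, 4}; since 3 is prime, that subgroup is cyclic and either non-identity element generates it, which is exactly the property the pairing-based construction relies on when it works in a subgroup of prime order q.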
Tate Pairing
  • Elliptic curves: a type of cubic curve whose solutions are confined to a region of space
  • Form: y^2 = x^3 + ax + b
Tate Pairing continued
  • Bilinearity is the most important property of the Tate pairing
  • e(aP, bQ) = e(P, Q)^(ab)
An example of secret handshake
  • Ministry of transportation: t (master secret)
  • Driver Alice: ("p65748392a", T_A)
  • T_A = t·H1("p65748392a-driver") = tP
  • Cop Bob: ("xy6542678d", T_B)
  • T_B = t·H1("xy6542678d-cop") = tQ
Procedure
  • Bob → Alice: "xy6542678d"
  • Alice → Bob: "p65748392a"
  • K_A = e(H1("xy6542678d-cop"), T_A) = e(Q, tP) = e(P, Q)^t
  • K_B = e(T_B, H1("p65748392a-driver")) = e(tQ, P) = e(P, Q)^t
  • K_A = K_B
Another Example
  • Pro-democracy movement: master secret m
  • Alice: ("y23987447y", M_A)
  • M_A = m·H1("y23987447y-member")
  • Claire: ("k61932843u", M_C)
  • M_C = m·H1("k61932843u-member")
  • The check procedure is the same
Impostor?
  • Dolores
  • Alice follows the procedure and generates a session key
  • Alice encrypts a number N with the session key and asks for N+1
  • The reply is not N+1
  • Dolores is not in the movement.
  • Dolores learns nothing about the movement.
Definitions of Secret-Handshake Scheme
  • A set U of possible users
  • A set G of groups
  • A set A of administrators (where do they come from?)
Secret-Handshake Scheme
  • CreateGroup: G → {0,1}* (group secret generated by the administrator)
  • AddUser: U × G × {0,1}* → {0,1}* (user secret given by the administrator)
  • Handshake(A, B)
  • TraceUser: {0,1}* → U
  • RemoveUser: {0,1}* × U → {0,1}* (insert u into the RevokedUserList)
Concrete Secret-Handshake Scheme
  • Computable, non-degenerate bilinear map e: G1 × G1 → G2
  • Example: modified Weil or Tate pairings on supersingular elliptic curves.
  • H1: {0,1}* → G1
  • H2: collision-resistant hash function
Concrete Secret-Handshake Scheme
  • CreateGroup: S_G ∈ Z_q
  • AddUser: a list of "pseudonyms" id_U1, …, id_Ut ∈ {0,1}* for U. The administrator calculates priv_Ui = S_G·H1(id_Ui)
  • UserSecret_{U,G} = the pairs (id_Ui, priv_Ui)
Concrete Handshake
  • A → B: id_A, n_A
  • B → A: id_B, n_B, V0
  • A → B: V1
  • V0 = H2(e(priv_A, H1(id_B)) || id_A || id_B || n_A || n_B || 0) (A)
       = H2(e(H1(id_A), priv_B) || id_A || id_B || n_A || n_B || 0) (B)
  • V1 = H2(e(priv_A, H1(id_B)) || id_A || id_B || n_A || n_B || 1) (A)
       = H2(e(priv_B, H1(id_A)) || id_A || id_B || n_A || n_B || 1) (B)
Concrete Handshake Continued
  • If both verifications succeed, then
  • S_A = H2(e(priv_A, H1(id_B)) || id_A || id_B || n_A || n_B || 2)
  • S_B = H2(e(H1(id_A), priv_B) || id_A || id_B || n_A || n_B || 2)
  • e(priv_A, H1(id_B)) = e(H1(id_A), priv_B) ⇒ S_A = S_B
  • TraceUser: given a transcript of a handshake between A and B, the administrator can recover the pseudonyms id_A and id_B and their users.
Concrete Secret-Handshake Scheme with Roles
  • CreateGroup
  • AddUser: a list of "pseudonyms" id_U1, …, id_Ut ∈ {0,1}* for U. The administrator calculates priv_Ui = S_G·H1(id_Ui || R)
Concrete Handshake with Roles
  • A → B: id_A, n_A
  • B → A: id_B, n_B, V0
  • A → B: V1
  • V0 = H2(e(H1(id_A || R'_A), priv_B) || id_A || id_B || n_A || n_B || 0) (B)
       = H2(e(priv_A, H1(id_B || R'_B)) || id_A || id_B || n_A || n_B || 0) (A)
  • V1 = H2(e(priv_A, H1(id_B || R'_B)) || id_A || id_B || n_A || n_B || 1) (A)
       = H2(e(H1(id_A || R'_A), priv_B) || id_A || id_B || n_A || n_B || 1) (B)
Concrete Handshake Continued
  • If both verifications succeed, then
  • S_A = H2(e(priv_A, H1(id_B || R'_B)) || id_A || id_B || n_A || n_B || 2)
  • S_B = H2(e(H1(id_A || R'_A), priv_B) || id_A || id_B || n_A || n_B || 2)
  • TraceUser and RemoveUser are identical to PBH.
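The driver/cop example and the concrete PBH handshake with roles from the preceding slides, as a runnable simulation. This is an added example, not code from the slides or from the Balfanz et al. paper. In place of the Tate pairing on a supersingular curve it uses a constructed toy bilinear map over small integers (G1 is the additive group Z_Q, G2 the order-Q subgroup of Z_P^*, and e(x, y) = G^(xy) mod P with P = 2039, Q = 1019, G = 4); that map is exactly bilinear, which is all the protocol logic needs, but discrete logs in this G1 are trivial, so it has none of the real scheme's security. The pseudonyms are the ones on the slides; the "-" separator between pseudonym and role, the nonce length and the decimal encoding of pairing values inside H2 are assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Toy bilinear map, constructed for this example (NOT the Tate pairing, NOT secure):
# G1 = (Z_Q, +) with generator 1, G2 = order-Q subgroup of Z_P^*, e(x, y) = G^(x*y mod Q) mod P.
# Bilinearity e(ax, by) = e(x, y)^(ab) holds exactly; secrecy of S_G does not.
P = 2039   # prime, P = 2*Q + 1
Q = 1019   # prime order of G1 and G2
G = 4      # element of order Q in Z_P^*


def pairing(x: int, y: int) -> int:
    """e: G1 x G1 -> G2 (toy version)."""
    return pow(G, (x * y) % Q, P)


def h1(data: str) -> int:
    """H1: {0,1}* -> G1, here a non-zero element of Z_Q derived from SHA-256."""
    digest = hashlib.sha256(data.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def h2(*fields: object) -> str:
    """H2: collision-resistant hash over the '||'-joined transcript fields."""
    return hashlib.sha256("||".join(str(f) for f in fields).encode()).hexdigest()


@dataclass
class UserSecret:
    pseudonym: str   # id_U, sent in the clear during the handshake
    role: str        # R, the role the administrator certified for this pseudonym
    priv: int        # priv_U = S_G * H1(id_U || R)


def create_group() -> int:
    """CreateGroup: the administrator draws the group secret S_G in Z_Q."""
    return secrets.randbelow(Q - 1) + 1


def add_user(group_secret: int, pseudonym: str, role: str) -> UserSecret:
    """AddUser with roles: priv = S_G * H1(id || R); (id, priv) is the user secret."""
    return UserSecret(pseudonym, role, (group_secret * h1(pseudonym + "-" + role)) % Q)


def handshake(a: UserSecret, b: UserSecret, role_a_wants: str, role_b_wants: str):
    """Three-message PBH handshake with roles.

    role_a_wants is R'_B, the role A requires of B; role_b_wants is R'_A.
    Returns (a_accepts, b_accepts, S_A, S_B); keys are None when a side rejects.
    """
    n_a = secrets.token_hex(8)                                       # 1. A -> B : id_A, n_A
    n_b = secrets.token_hex(8)
    k_b = pairing(h1(a.pseudonym + "-" + role_b_wants), b.priv)      # B: e(H1(id_A||R'_A), priv_B)
    v0 = h2(k_b, a.pseudonym, b.pseudonym, n_a, n_b, 0)              # 2. B -> A : id_B, n_B, V0
    k_a = pairing(a.priv, h1(b.pseudonym + "-" + role_a_wants))      # A: e(priv_A, H1(id_B||R'_B))
    if v0 != h2(k_a, a.pseudonym, b.pseudonym, n_a, n_b, 0):
        return False, False, None, None                              # A rejects; nothing more is sent
    v1 = h2(k_a, a.pseudonym, b.pseudonym, n_a, n_b, 1)              # 3. A -> B : V1
    if v1 != h2(k_b, a.pseudonym, b.pseudonym, n_a, n_b, 1):
        return True, False, None, None                               # B rejects
    s_a = h2(k_a, a.pseudonym, b.pseudonym, n_a, n_b, 2)             # session keys, equal because k_a == k_b
    s_b = h2(k_b, a.pseudonym, b.pseudonym, n_a, n_b, 2)
    return True, True, s_a, s_b


if __name__ == "__main__":
    ministry = create_group()
    alice = add_user(ministry, "p65748392a", "driver")
    bob = add_user(ministry, "xy6542678d", "cop")
    print("driver <-> cop, same ministry:", handshake(alice, bob, "cop", "driver")[:2])
    dolores = add_user(create_group(), "zz0000000z", "cop")  # constructed outsider under another S_G
    print("driver <-> outsider:", handshake(alice, dolores, "cop", "driver")[:2])
    print("driver <-> cop, Alice expects a driver:", handshake(alice, bob, "driver", "driver")[:2])
```

Running it shows the three outcomes the slides discuss: two members of the same group holding the roles each expects of the other derive equal session keys; an outsider whose secret was issued under a different S_G fails the V0 check, so the handshake aborts before either side has revealed anything beyond a pseudonym and a nonce; and a member of the right group but not the expected role fails in the same way, because the role is bound into priv through H1(id || R).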
Security for Secret-Handshake Schemes

Some definitions:

  • Security parameter:
    • Length of the prime modulus (q)
  • Negligible:
    • ε(t) is negligible if for all polynomials p(·), ε(t) < 1/p(t) for all sufficiently large t
  • Random simulation:
    • R replaces all outgoing messages with uniformly random bit strings of the same length.
Definitions
  • Interaction:
    • The adversary A runs a modified SHS.Handshake(A, B)
    • A interacts with B: A.Handshake(A, B)
    • A interacts with a random simulation: A.Handshake(A, R)
Group Member Impersonation
  • The adversary attempts to convince U* that A is a member of G*
    • If A did not obtain secrets from any U in G*, then it should remain unable to convince U* of its membership in G*.
    • Trace the user secrets a successful adversary might be using (from the transcript of A's interaction with U*).
Group Member Impersonation Game
  • Randomized, polynomial-time adversary A
  • 1. A interacts with Us and obtains secrets for some users U' in Us.
  • 2. A selects a target user U* in G*.
  • 3. A attempts to convince U* that A belongs to G*.
    • SHS.Handshake(A, U*).
Probability A Wins the Game
  • A wins if it engages correctly in SHS.Handshake(A, U*)
    • Adv^MIG_A := Pr[A wins the Member Impersonation Game].
    • Conditional advantage restricted to event E: Adv^MIG_A(E) := Pr[A wins the Member Impersonation Game | E].
Impersonation Resistance
  • Suppose A never corrupts a member of the target group G*. Then U' ∩ G* = ∅. The secret-handshake scheme SHS is said to ensure impersonation resistance if Adv^MIG_A(U' ∩ G* = ∅) is negligible for all A.
Impersonator Tracing
  • Let T be a transcript of the interaction of A and U*. The secret-handshake scheme SHS is said to permit impostor tracing when |Pr[SHS.TraceUser(T) ∈ U' ∩ G*] − Adv^MIG_A| is negligible for all A.
Group Member Detection
  • Adversary A has as its goal to learn how to identify members of a certain group G*
  • A interacts with players of the system, corrupts some users, picks a target user U*, and attempts to learn whether U* belongs to G*.
Group Member Detection

Required property:

  • If A does not obtain secrets for any other U in G*, then it should remain clueless when deciding whether U* is in G*. In other words, the final interaction with U* should yield no new information to the adversary unless it has already obtained secrets from another member of G*.
Member Detection Game
  • 1. A interacts with users of its choice, and obtains secrets for some users U' in U.
  • 2. A selects a target user U* not in U'.
  • 3. Flip a random bit b ← {0,1}.
  • 4. If b = 0, A interacts with U*; if b = 1, A interacts with R.
  • 5. A outputs a guess b* for b.
Probability A Wins the Game
  • If b* = b, A wins the game.
  • Adv^MDG_A := |Pr[A wins the Member Detection Game] − 1/2|.
  • Conditional advantage restricted to the occurrence of event E: Adv^MDG_A(E) := |Pr[A wins MDG | E] − 1/2|.
Detection Resistance
  • Let G_U* be the group to which U* belongs, and suppose A never corrupts a member of G_U*. Then U' ∩ G_U* = ∅.
  • The secret-handshake scheme SHS is said to ensure detection resistance if Adv^MDG_A(U' ∩ G_U* = ∅) is negligible for all A.
Detector Tracing
  • Let T be a transcript of the interaction of A and U*, and let G_U* be the group to which U* belongs.
  • The secret-handshake scheme SHS is said to permit detector tracing when |Pr[SHS.TraceUser(T) ∈ U' ∩ G_U*] − Adv^MDG_A| is negligible for all A.
Security of Pairing-Based Handshake

Hardness of the BDH problem:

  • We say that the Bilinear Diffie-Hellman Problem (BDH) is hard if, for all probabilistic polynomial-time algorithms B,
  • Adv^BDH_B := Pr[B(P, aP, bP, cP) = e(P, P)^(abc)] is negligible in the security parameter.
Security of Pairing-Based Handshake
  • Theorem 1. Suppose A is a probabilistic polynomial-time (PPT) adversary. There is a PPT algorithm B such that

Adv^MIG_A ≤ Pr[PBH.TraceUser(T) ∈ U' ∩ G*] + e·Q_H1·Q_H2·Adv^BDH_B + ω,

where ω is negligible in the security parameter.
Security of Pairing-Based Handshake
  • Corollary 2 (PBH Impersonator Tracing). Suppose A is a probabilistic polynomial-time adversary. If the BDH problem is hard, then

|Pr[PBH.TraceUser(T) ∈ U' ∩ G*] − Adv^MIG_A|

is negligible.
Security of Pairing-Based Handshake
  • Corollary 3 (PBH Impersonation Resistance). Suppose A is a probabilistic polynomial-time adversary. If the BDH problem is hard, then Adv^MIG_A(U' ∩ G* = ∅) is negligible.
Security of Pairing-Based Handshake
  • Theorem 4. Suppose A is a probabilistic polynomial-time (PPT) adversary. There is a PPT algorithm B such that

Adv^MDG_A ≤ Pr[PBH.TraceUser(T) ∈ U' ∩ G*] + e·Q_H1·Q_H2·Adv^BDH_B + ω,

where ω is negligible in the security parameter.
Security of Pairing-Based Handshake
  • Corollary 2 (PBH Detector Tracing). Suppose A is a probabilistic polynomial-time adversary. If the BDH problem is hard, then

|Pr[PBH.TraceUser(T) ∈ U' ∩ G*] − Adv^MDG_A|

is negligible.
Security of Pairing-Based Handshake
  • Corollary 3 (PBH Detector Resistance). Suppose A is a probabilistic polynomial-time adversary. If the BDH problem is hard, then Adv^MDG_A(U' ∩ G* = ∅) is negligible.
Additional Security Notions
  • Forward repudiability
    • Optional
    • Any evidence should not provide a non-repudiable proof that U1 is a member.
  • Indistinguishability to eavesdroppers
    • Adv^DST_A := |Pr[A(T_Real) = 1] − Pr[A(T_Rand) = 1]|.
Additional Security Notions
  • Collusion resistance and traitor tracing
    • Remain secure even if collections of users pool their secrets in an attempt to undermine the system.
    • If a coalition of users manages to detect or impersonate group members, detect at least one of them.
    • Traditional Diffie-Hellman-based key exchange protocols break down under such collusion.
Additional Security Notions
  • Unlinkability
    • If an eavesdropper sees two different handshakes performed by Alice, the contents of the handshakes alone are unlinkable.
    • A user obtains a list of pseudonyms
    • Reusing a single pseudonym would make the handshakes linkable
SSL Handshake Protocol
  • Allows server and client to
    • authenticate each other
    • negotiate encryption and MAC algorithms
    • negotiate the cryptographic keys to be used
  • Comprises a series of messages in phases
    • Establish security capabilities
    • Server authentication and key exchange
    • Client authentication and key exchange
    • Finish
Implementation
  • Small modification of two of the TLS handshake messages.
    • Server_Key_Exchange message
      • An indication that PBH is the algorithm
      • Server's identity id_B
    • Client_Key_Exchange message
      • An indication that the PBH scheme is used
      • Client's identity id_A
Implementation Choices
  • Secure transport layer protocol
  • Security parameters
    • p = 12qr − 1
    • p: 1024 bits, q: 160 bits
    • Curve E: y^2 = x^3 + 1.
    • Bilinear map: Tate pairing
Measurements
  • q          p          time       RSA
  • 120 bits   512 bits   0.8 sec    512 bits
  • 160 bits   1024 bits  2.2 sec    1024 bits
  • 200 bits   2048 bits  11.8 sec   2048 bits
User and Role Authorization
  • The new user may have to be authorized to assume the role, in which case the administrator has to perform user authorization.
Protocol Deployment
  • The two parties will exchange a cipher suite designator that clearly shows that they wish to engage in a secret handshake.
  • This can be mitigated by using some form of anonymous communication.
  • The scheme provides the best protection if the number of groups that are using it is large.
Conclusion
  • A secret-handshake mechanism is a mechanism that would allow members of a group to authenticate each other secretly.
  • Allowing members of a group to authenticate not only the fact that they belong to the same group, but also each other's roles, would be very desirable.