This research explores the vulnerabilities in two proxy signcryption schemes, specifically addressing the Proxy Credential Forgery Attack. It delves into the mechanisms of the LWXY and EA schemes and proposes modifications to strengthen their resilience against unauthorized credential generation. By analyzing the roles of the original signer (OS), proxy signer (PS), and signature verifier (SV), the paper outlines threats to non-repudiation and suggests preventive measures to ensure the integrity and confidentiality of signed messages in proxy-based systems.
Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes
By Jyh-haw Yeh
Computer Science Dept., Boise State University
Proxy Signcryption
• Signcryption: combining two words – Signature and Encryption.
• Proxy Signcryption: a proxy signs and encrypts a message in one scheme.
• Protects the confidentiality of the signed messages from eavesdroppers.
• Applications: online proxy auction or online contract signing by an authorized proxy.

Proxy Signcryption
• Three entities involved: original signer (OS), proxy signer (PS) and signature verifier (SV).
• Scenario:
  • OS delegates his signing right to PS
  • PS, on behalf of OS, signs and encrypts a message to SV
  • SV recovers and verifies the message

Proxy Signcryption
• One cryptosystem with five phases:
  • Cryptosystem setup (by Key Generation Center)
  • Proxy credential generation (by OS)
  • Proxy credential verification (by PS)
  • Signcrypted message generation (by PS)
  • Signature recovery and verification (by SV)

Proxy Signcryption
• Security requirement:
  • Proxy credential non-repudiation: OS cannot later deny a proxy credential issued by him/her.
  • Requires proxy credential unforgeability
  • Requires correct proxy credential generation/verification algorithms
  • If OS denies a proxy credential, a trusted third party should resolve the conflict

Proxy Signcryption
• Security requirement:
  • Signcrypted message non-repudiation: PS cannot later deny a signcrypted message from him/her.
  • Requires signcrypted message unforgeability
  • Requires correct signcrypted message generation/verification algorithms
  • If OS/PS later denies a signcrypted message, a trusted third party should resolve the conflict.

Proxy Credential Forgery Attack
The attack cryptanalyzes the proxy credential to find a way to generate a fake credential that can pass the verification process. If a proxy credential can be forged, then the scheme does not have the non-repudiation property.

Math Background
• Many proxy signcryption schemes were designed based on “bilinear pairings”
• Two cyclic groups (G1, +) and (G2, ×); B is a generator of G1
• A bilinear map e: G1 × G1 → G2
• For X, Y, Z in G1:
  e(X,Y) = e(Y,X)
  e(aX, bY) = e(X,Y)^{ab}
  e(X,Y+Z) = e(X,Y)e(X,Z)

Math Background
• Given X and Y, e(X,Y) can be computed in poly-time
• Given B, aB and bB, it’s hard to compute abB
• Given B, aB, bB, cB, it’s hard to identify an element h in G2 such that h = e(B,B)^{abc}

LWXY Scheme
• Setup: KGC chooses system parameters (G1, G2, q, B, e, h1, h2, h3), where
  • q is the order of G1 and G2
  • h1: {0,1}^k × G1 → Z_q
  • h2: G1 → G1
  • h3: G2 × G1 → {0,1}^k
• Each user i chooses a private key x_i in Z_q and a public key Y_i = x_iB

LWXY Scheme
• Proxy credential (σ, N, w) generation:
  • w: proxy warrant, specifies the delegated rights
  • N = dB, where d is a random number
  • σ = (x_o + dw) mod q
• Proxy credential verification:
  • σB ?= Y_o + wN. Why? Since σB = (x_o + dw)B = x_oB + dBw = Y_o + wN
• Signcrypted message generation: ignored
• Signature recovery and verification: ignored

Proxy Credential Forgery Attack to LWXY
• PS can create a fake proxy credential (σ’, N’, w’) from his original one to increase his signing power
• Generate w’ to increase his delegation time and/or add designated signature verifiers.
• σ’ = (w’/w)σ = (w’/w)x_o + dw’ mod q
• N’ = ((w’/w)Y_o + w’N – Y_o)/w’

Proxy Credential Forgery Attack to LWXY
The fake credential can pass the verification, since
σ’B = ((w’/w)x_o + dw’)B
    = (w’/w)Y_o + w’N
    = Y_o + (w’/w)Y_o + w’N – Y_o
    = Y_o + w’(((w’/w)Y_o + w’N – Y_o)/w’)
    = Y_o + w’N’

Modify LWHY to Prevent The Attack
• Change the way to create proxy credentials
  • N = dB
  • σ = (x-coordinate of N)x_o + dw mod q
• Change the proxy credential verification to
  • σB ?= (x-coordinate of N)Y_o + wN
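
Added example, not from the slides: the credential equations, the forgery and the modified check above, run on a toy elliptic curve so that "x-coordinate of N" is literal. The curve, the sample scalars, the function names and the x(N) = 0 rejection are assumptions made for illustration; warrants are modelled as integers mod q.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17; B = (5, 1) has prime order q = 19.
# Constructed parameters for illustration, far too small for real use.
P, A, Q, B, O = 17, 2, 19, (5, 1), None   # O is the point at infinity

def add(S, T):
    if S is O: return T
    if T is O: return S
    (x1, y1), (x2, y2) = S, T
    if x1 == x2 and (y1 + y2) % P == 0:
        return O
    if S == T:
        m = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, S):                       # double-and-add, scalar taken mod q
    R = O
    for bit in bin(k % Q)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, S)
    return R

def issue(x_o, d, w):                # slide scheme: sigma = x_o + d*w mod q
    return (x_o + d * w) % Q, mul(d, B), w

def verify(Y_o, sigma, N, w):        # sigma*B ?= Y_o + w*N
    return mul(sigma, B) == add(Y_o, mul(w, N))

def forge(Y_o, sigma, N, w, w2):     # slide forgery; no private key is used
    t = w2 * pow(w, -1, Q) % Q       # w'/w mod q
    num = add(add(mul(t, Y_o), mul(w2, N)), mul(Q - 1, Y_o))
    return t * sigma % Q, mul(pow(w2, -1, Q), num), w2

def issue_fixed(x_o, d, w):          # modified: sigma = x(N)*x_o + d*w mod q
    N = mul(d, B)
    return (N[0] * x_o + d * w) % Q, N, w

def verify_fixed(Y_o, sigma, N, w):  # sigma*B ?= x(N)*Y_o + w*N
    if N is O or N[0] % Q == 0:      # added check (not on the slides): x(N) = 0
        return False                 # would drop Y_o from the equation
    return mul(sigma, B) == add(mul(N[0], Y_o), mul(w, N))

def demo(x_o=5, d=3, w=4, w2=6):     # constructed sample values
    Y_o = mul(x_o, B)
    fake = forge(Y_o, *issue(x_o, d, w), w2)
    fake_fixed = forge(Y_o, *issue_fixed(x_o, d, w), w2)
    return verify(Y_o, *fake), verify_fixed(Y_o, *fake_fixed)
```

`demo()` returns whether the forged credential passes the original check and whether the same transformation passes the modified check.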

EA Scheme
• Setup: KGC chooses system parameters (G1, G2, q, B, Y_pub, e, h1, h2, h3), where
  • Y_pub = sB is a system public key and s is a system master key.
  • h1: {0,1}^* → G1
  • h2: G2 → {0,1}^n
  • h3: {0,1}^* × G2 → Z_q
• Each user i has a public-private key pair Y_i = h1(ID_i) and X_i = sY_i

EA Scheme
• Proxy credential (σ, N) generation:
  • σ = X_o + dY_pub, where d is a random number
  • N = dB
• Proxy credential verification:
  • e(B, σ) ?= e(Y_pub, Y_o + N). Why? Since e(B, σ) = e(B, X_o + dY_pub) = e(B, sY_o + dsB) = e(sB, Y_o + dB) = e(Y_pub, Y_o + N)
• Signcrypted message generation: ignored
• Signature recovery and verification: ignored

Proxy Credential Forgery Attack to EA
• PS can create a fake proxy credential (σ’, N’) from his original one and give it to another person without the permission of OS
• σ’ = σ + d’Y_pub = X_o + (d+d’)Y_pub = X_o + d”Y_pub
• N’ = N + d’B = dB + d’B = (d+d’)B = d”B

Proxy Credential Forgery Attack to EA
The fake credential (σ’, N’) can pass the verification, since
e(B, σ’) = e(B, X_o + d”Y_pub)
         = e(B, sY_o + d”sB)
         = e(sB, Y_o + d”B)
         = e(Y_pub, Y_o + N’)

Modify EA to Prevent Attack
• Change the way to create proxy credentials
  • N = dB
  • σ = (x-coordinate of N)X_o + dY_pub mod q
• Change the proxy credential verification to
  • e(B, σ) ?= e(Y_pub, (x-coordinate of N)Y_o + N)
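
Added example, not from the slides: the EA verification equation, the credential re-randomization and the modified check above, evaluated in a toy symmetric pairing. The pairing model, the parameters, the function names and `coord` (an assumed stand-in for "x-coordinate of N", since this model has no curve points) are assumptions; the model checks the algebra only and has no security.

```python
# Toy symmetric pairing for checking the equations only: G1 = (Z_q, +) with
# B = 1, G2 = the order-q subgroup of Z_p^*, e(X, Y) = g^(X*Y) mod p.
# Discrete logs in this G1 are trivial, so the model has no security.
q, p, g, B = 1019, 2039, 4, 1            # constructed: p = 2q + 1, g of order q

def e(X, Y):
    return pow(g, (X * Y) % q, p)

def coord(N):                            # assumed stand-in for "x-coordinate of N"
    return N % q

def issue(X_o, Y_pub, d):                # slide scheme: sigma = X_o + d*Y_pub
    return (X_o + d * Y_pub) % q, d * B % q

def verify(Y_pub, Y_o, sigma, N):        # e(B, sigma) ?= e(Y_pub, Y_o + N)
    return e(B, sigma) == e(Y_pub, (Y_o + N) % q)

def rerandomize(Y_pub, sigma, N, d2):    # slide forgery: public values only
    return (sigma + d2 * Y_pub) % q, (N + d2 * B) % q

def issue_fixed(X_o, Y_pub, d):          # sigma = x(N)*X_o + d*Y_pub
    N = d * B % q
    return (coord(N) * X_o + d * Y_pub) % q, N

def verify_fixed(Y_pub, Y_o, sigma, N):  # e(B, sigma) ?= e(Y_pub, x(N)*Y_o + N)
    return e(B, sigma) == e(Y_pub, (coord(N) * Y_o + N) % q)

def demo(s=123, Y_o=77, d=10, d2=5):     # constructed values; Y_o stands for h1(ID_o)
    Y_pub, X_o = s * B % q, s * Y_o % q
    cred, cred_fixed = issue(X_o, Y_pub, d), issue_fixed(X_o, Y_pub, d)
    fake = rerandomize(Y_pub, *cred, d2)
    fake_fixed = rerandomize(Y_pub, *cred_fixed, d2)
    return (verify(Y_pub, Y_o, *cred), verify(Y_pub, Y_o, *fake), fake != cred,
            verify_fixed(Y_pub, Y_o, *cred_fixed),
            verify_fixed(Y_pub, Y_o, *fake_fixed))
```

The re-randomized pair differs from the issued one yet satisfies the original equation; under the modified equation the changed N no longer matches the coefficient bound into σ.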

Efficiency
• Compared to LWHY, the modified LWHY adds 1 modular multiplication (MM) and 1 point multiplication (PM) in G1
• Both LWHY and modified LWHY require 4 bilinear pairing (BP) operations
  • 1 BP is about 11,110 MM
  • 1 PM is about a few hundred MM
• Compared to EA, the modified EA adds 3 PM
• Both EA and modified EA require 8 BP