Non-Interactive Computation of Pairwise Keys in ... - Semantic Scholar

3 downloads 3068 Views 366KB Size Report
2University of California, Irvine, USA. Affiliation-Hiding Key Exchange ..... Let Σ KGen, Sign, Verify be a EUF‐CMA secure digital signature scheme. Main Idea.
Affiliation‐Hiding Key Exchange with Untrusted Group Authorities

Mark Manulis1, Bertram Poettering1, Gene Tsudik2 1Cryptographic Protocols

Group, TU Darmstadt & CASED, Germany  2University of California, Irvine, USA

Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

PKI‐based Authentication and Key Exchange Certification Authorities mainly responsible for Registration register users, issue certificates on user ids/keys Revocation revoke user certificates, manage CRLs CRL

id1, cert1

CA

id2, cert2

par CRL

id4, cert4

id3, cert3

par

CA

id5, cert5

id6, cert6

Authenticated Key Exchange succeeds if users prove possession of valid certificates. successful/unsuccessful executions reveal corresponding CAs

id1, cert1 K

id6, cert6

K

to communication partners and outsiders

Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

2

Affiliation‐Hiding Authenticated Key Exchange Group Authorities mainly responsible for Registration admit members, issue pseudonyms and credentials Revocation revoke credentials via pseudonym revocation lists  PRLs Admission of Members PRL

GA

id1, cred1

Affiliation‐Hiding Authenticated Key Exchange

par

id1, cred1 id1

id2, cred2 K

U1

id2, cred2

U2

each user Ui obtains pseudonym idi and credential credi Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

id2

K

succeeds if valid cred1 and cred2 have been issued by the same  GA if unsuccessful then GA is not revealed

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

3

(Linkable) AH‐AKE Syntax CreateGroup 1κ

Algorithm executed by the GA to create a group G.  Outputs  G.sk, G.pk  and G.PRL.

AddUser U, GA

Protocol between GA and a new user U. U obtains pseudonym id and credential cred. Each U can be a member of multiple groups.

Handshake idi , idj

Protocol between users with idi and idj. Each user uses own cred for some group G. If both users use credentials for the same group G  then they compute a shared key K.

Revoke G.sk, G.PRL, id

Algorithm executed by the GA of G. Adds pseudonym id to G.PRL. G.PRL is distributed in an authentic way.

Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

4

(Linkable) Affiliation‐Hiding Property Affiliation‐Hiding is the distinguished privacy property of AH‐AKE protocols. Let U be a member of some group G       

U holds id, cred  for G. adversary 

U id

id, cred K If

does not have valid credential for G then no information about G should leak to

.

affiliation‐hiding is a privacy goal shared by all members of the group

Remark We consider linkable protocols where users participate via pseudonyms. Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

5

Authenticated Key Exchange Security Authenticated Key Exchange  AKE  Security  Essentially the same goal as in the classical authenticated key exchange protocols.

id1, cred1

id2, cred2 id1

issued by G1 K

id2

issued by G2 K

If G1  G2 then U1 and U2 compute a secure session key k. ƒ

Requires key secrecy modeled as indistinguishability of K from a random key.

ƒ

Requires forward secrecy, i.e. key secrecy in case U1 and U2 become corrupted.

Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

6

Malicious Group Authorities Current AH‐AKE protocols, e.g.  BDS 03,CJT04,XY04,TX06, AKB07,JKT08 , assume that GAs are fully trusted Our goal is to reduce this trust by considering malicious behaviour of the GAs. Case 1: adversary controls GAs from the beginning ƒ may generate public group parameters in some rogue way.  ƒ may admit honest users to its groups and misbehave upon their admission. ƒ may bias handshake executions amongst honest members of its group. ƒ may trace real identity U of a user from later handshake sessions. Case 2: adversary corrupts GAs at a later stage ƒ may mount attacks as in Case 1 except for the rogue generation of parameters. What is the impact of malicious GAs on the security and privacy in AH‐AKE protocols?

Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

7

Malicious GAs against Affiliation‐Hiding in AddUser Protocol U

GA

PRL In existing schemes

id, cred

par

learns id and even cred  of U.

in Handshake Protocol U

U‘

id, cred K Even if

id id’

id’, cred’ K

does not introduce phantom group members it can immediately tell the affiliation of U upon seeing the pseudonym id.

Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

8

Malicious GAs against AKE‐Security in AddUser Protocol U

GA

PRL In existing schemes

id, cred

par

learns id and even cred  of U.

in Handshake Protocol U

U‘

id, cred K Even if

id id’

id’, cred’ K

does not introduce phantom group members it can usually distinguish key K from random by impersonating id‘.

Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

9

New Requirement: Untraceability in AddUser Protocol U PRL

GA

id, cred

par

id, cred

can store id, U  and possibly cred for the later use. in Handshake Protocol U id

id, cred K

K

can easily trace real identity U in its handshake sessions from pseudonym id. untraceability is an individual privacy goal of each user Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

10

State‐of‐the‐Art Linkable AH‐AKE Jarecki‐Kim‐Tsudik, CT‐RSA 2008 RSA modulus n   pq where p   2p‘   1, q   2q‘   1 are safe primes. RSA exponents e, d  where e   d–1 mod φ n . Generator g s.t. ord q    2p‘q‘  and  –1 ∉ g        n*    –1  × g . Hash functions Hn:  0,1 *    n* and H :  0,1 *    0,1 κ . Group Parameters 

G.sk    p, q, d , public: G.pk    n, g, e , G.PRL,  H, Hn

AddUser Protocol 

GA issues cred as an FDH‐RSA signature on some id

σ   Hn id

Remark

d

mod n with id   0,1

κ

U

id, σ

PRL

GA

n, g, e, H, Hn p, q, d

From AddUser protocol GA learns U, id, σ .  All previously discussed attacks of a malicious GA apply.

Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

11

State‐of‐the‐Art Linkable AH‐AKE (II) Handshake Protocol     UA is in GA, UB is in GB

nA* 

  –1  × gA , 

UA idA, σA nA, gA, eA, GA.PRL random bit

θA

  –1

bA·σ

exponent A·gA

xA

uniform in

UB

HnB idB

padding (hides nA)

mod nA  kA·nA nA*

if idB ∉ GA.PRL: KA  H rA, sidA , CA  H rA, sidA, 0 s.t. rA   θBeA·HnA idB –1 2xA mod nA else:   KA, CA R 0,1 κ

idA, θA idB, θB

CA CB

check CB, accept KA  random if check fails

Remark

nB* 

θB

  –1

dB

bB·σ

  –1  × gB

idB, σB nB, gB, eB, GB.PRL

mod nB

xB B·gB mod

nB  kB·nB

if idA ∉ GB.PRL: KB  H rB, sidB , CA  H rB, sidB, 1 s.t. rB   θAeB·HnB idA –1 2xB mod nB else:   KB, CB R 0,1 κ check CA, accept KB

if GA  GB then rA  rB  g2exAxB Diffie‐Hellman value in  g  

Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

12

Avoiding Rogue Group Parameters How to enforce honest generation of parameters? Applies only if GA is malicious from the beginning. In general GA must prove that parameters have been generated in a correct way. This can be done by using appropriate  non‐interactive  zero‐knowledge proofs. In JKT08 protocol GA must provide a ZKPoK Πn,g for the following statement where  n, g, κ  are public: n   pq

p   2p’ 1 q 2q’ 1   |p’| κ

|q’| κ  p’, q’   PRIMES  ord g    2p’q’   –1 ∉ g

Camenisch‐Michels,  Eurocrypt 1999 show how to prove part of this, namely n   pq

p   2p’ 1 q 2q’ 1   |p’| κ

|q’| κ  p’, q’   PRIMES

We extend their proof towards the missing part            ord g    2p’q’   –1 ∉ g   We use the sufficient condition that gp’q’  ± ω mod n for some ω   n* , ω  1. Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

13

First Step Towards Untraceability We need to break the link between real identity U and pseudonym id in AddUser. In JKT08 protocol Instead of GA issuing  id, σ  we use blind FDH‐RSA signature  Chaum,  Crypto 1982 . We assume that U checks ZKPoK Πn,g beforehand. U PRL pick id 0,1 r  R n m1

GA

n, g, e, H, Hn, Πn,g p, q, d

κ

Hn id re mod n

m1 m2

m2

 m1d mod n

σ  m2·r–1 mod n if σe  Hn id  mod n  store id, σ

Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

14

Preventing Impersonation of Honest Users The use of a blind signature on id alone is not sufficient! We should also care about impersonation attacks on honest users. UA

m1

m2 store idA, σ

m1

UA

Hn idA re mod n GA

PRL

UA registers to the group

1

2

observes handshakes of UA

obtains σ on idA

3

4

impersonates UA

Hn idA re mod n m2

par

idA, … idB, …

PRL

GA

par

idA, … idB, …

UB

UB

store idA, σ

We must ensure that each user can claim possession of the pseudonym! Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

15

Our AH‐AKE with Untrusted GAs: AddUser Let Σ

  KGen, Sign, Verify  be a EUF‐CMA secure digital signature scheme.

Main Idea

Bind pseudonyms to signature keys. U PRL

skU, pkU   id   pkU r  R n m1

R

GA

n, g, e, H, Hn, Πn,g p, q, d

Σ.KGen 1κ

Hn id re mod n

m1 m2

m2

 m1d mod n

σ  m2·r–1 mod n if σe  Hn id  mod n  store id, σ

The proof of possession of skU is postponed to the handshake protocol. Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

16

Our AH‐AKE with Untrusted GAs: Handshake UA skA, idA, σA nA, gA, eA, GA.PRL random bit

θA

  –1

bA·σ

exponent A·gA

xA

uniform in

UB

HnB idB

padding (hides nA)

mod nA  kA·nA nA*

if idB ∉ GA.PRL: KA  H rA, sidA , CA  H rA, sidA, 0 s.t. rA   θBeA·HnA idB –1 2xA mod nA else:   KA, CA R 0,1 κ sA   Σ.Sign skA,  CA, sidA

idA, θA idB, θB

sA sB

check sB, accept KA  random if check fails

θB

  –1

dB

bB·σ

skB, idB, σB nB, gB, eB, GB.PRL

mod nB

xB B·gB mod

nB  kB·nB

if idA ∉ GB.PRL: KB  H rB, sidB , CA  H rB, sidB, 1 s.t. rB   θAeB·HnB idA –1 2xB mod nB else:   KB, CB R 0,1 κ sB   Σ.Sign skB,  CB, sidB check sA, accept KB

signatures sA and sB prevent impersonation attacks and provide key confirmation Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

17

Security of Our (Linkable) AH‐AKE Scheme Original JKT08 Protocol

secure in a model with trusted GAs

Affiliation‐Hiding

RSA assumption with Safe RSA Moduli given n, e, g find z such that ze g mod n

AKE‐Security

same assumptions as for affiliation‐hiding

Our AH‐AKE Protocol

secure in a model with untrusted GAs

Affiliation‐Hiding

‐ RSA assumption with Safe RSA Moduli ‐ CDH assumption in g 2p‘q‘ n* , ord g given g, ga, gb find gab ‐ soundness zero‐knowledge of Πn,g ‐ EUF‐CMA security of Σ

AKE‐Security

same assumptions as for affiliation‐hiding

Untraceability

soundness of Πn,g

Remark

ROM

ROM

In practice we may not need Πn,g e.g. if G.par are validated by TTP . In this case untraceability becomes unconditional.

Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

18

Summary of Contributions and Conclusion Untrusted GA Model for Linkable  AH‐AKE Protocols ƒ stronger model for security and privacy of AH‐AKE protocols than JKT08 ƒ distinction between initially malicious and later corruptable GAs ƒ definition of untraceability as an additional  individual  privacy goal of users

Linkable  AH‐AKE Protocol Resistant against Malicious GAs ƒ extended Camenisch‐Michels ZK proof towards  ord g    2p’q’   –1 ∉ g   ƒ blind registration with cryptographically protected pseudonyms in AddUser ƒ moving to signature‐based confirmation in JKT08 handshake ƒ similar efficiency as in the original JKT08 protocol if we omit Πn,g in practice Thank you! Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010  | Mark Manulis | www.manulis.eu

CRYPÞ CRYPTOGRAPHIC PROTOCOLS

19