2University of California, Irvine, USA. Affiliation-Hiding Key Exchange ..... Let Σ KGen, Sign, Verify be a EUFâCMA secure digital signature scheme. Main Idea.
Affiliation‐Hiding Key Exchange with Untrusted Group Authorities
Mark Manulis1, Bertram Poettering1, Gene Tsudik2 1Cryptographic Protocols
Group, TU Darmstadt & CASED, Germany 2University of California, Irvine, USA
Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
PKI‐based Authentication and Key Exchange Certification Authorities mainly responsible for Registration register users, issue certificates on user ids/keys Revocation revoke user certificates, manage CRLs CRL
id1, cert1
CA
id2, cert2
par CRL
id4, cert4
id3, cert3
par
CA
id5, cert5
id6, cert6
Authenticated Key Exchange succeeds if users prove possession of valid certificates. successful/unsuccessful executions reveal corresponding CAs
id1, cert1 K
id6, cert6
K
to communication partners and outsiders
Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
2
Affiliation‐Hiding Authenticated Key Exchange Group Authorities mainly responsible for Registration admit members, issue pseudonyms and credentials Revocation revoke credentials via pseudonym revocation lists PRLs Admission of Members PRL
GA
id1, cred1
Affiliation‐Hiding Authenticated Key Exchange
par
id1, cred1 id1
id2, cred2 K
U1
id2, cred2
U2
each user Ui obtains pseudonym idi and credential credi Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
id2
K
succeeds if valid cred1 and cred2 have been issued by the same GA if unsuccessful then GA is not revealed
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
3
(Linkable) AH‐AKE Syntax CreateGroup 1κ
Algorithm executed by the GA to create a group G. Outputs G.sk, G.pk and G.PRL.
AddUser U, GA
Protocol between GA and a new user U. U obtains pseudonym id and credential cred. Each U can be a member of multiple groups.
Handshake idi , idj
Protocol between users with idi and idj. Each user uses own cred for some group G. If both users use credentials for the same group G then they compute a shared key K.
Revoke G.sk, G.PRL, id
Algorithm executed by the GA of G. Adds pseudonym id to G.PRL. G.PRL is distributed in an authentic way.
Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
4
(Linkable) Affiliation‐Hiding Property Affiliation‐Hiding is the distinguished privacy property of AH‐AKE protocols. Let U be a member of some group G
U holds id, cred for G. adversary
U id
id, cred K If
does not have valid credential for G then no information about G should leak to
.
affiliation‐hiding is a privacy goal shared by all members of the group
Remark We consider linkable protocols where users participate via pseudonyms. Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
5
Authenticated Key Exchange Security Authenticated Key Exchange AKE Security Essentially the same goal as in the classical authenticated key exchange protocols.
id1, cred1
id2, cred2 id1
issued by G1 K
id2
issued by G2 K
If G1 G2 then U1 and U2 compute a secure session key k.
Requires key secrecy modeled as indistinguishability of K from a random key.
Requires forward secrecy, i.e. key secrecy in case U1 and U2 become corrupted.
Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
6
Malicious Group Authorities Current AH‐AKE protocols, e.g. BDS 03,CJT04,XY04,TX06, AKB07,JKT08 , assume that GAs are fully trusted Our goal is to reduce this trust by considering malicious behaviour of the GAs. Case 1: adversary controls GAs from the beginning may generate public group parameters in some rogue way. may admit honest users to its groups and misbehave upon their admission. may bias handshake executions amongst honest members of its group. may trace real identity U of a user from later handshake sessions. Case 2: adversary corrupts GAs at a later stage may mount attacks as in Case 1 except for the rogue generation of parameters. What is the impact of malicious GAs on the security and privacy in AH‐AKE protocols?
Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
7
Malicious GAs against Affiliation‐Hiding in AddUser Protocol U
GA
PRL In existing schemes
id, cred
par
learns id and even cred of U.
in Handshake Protocol U
U‘
id, cred K Even if
id id’
id’, cred’ K
does not introduce phantom group members it can immediately tell the affiliation of U upon seeing the pseudonym id.
Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
8
Malicious GAs against AKE‐Security in AddUser Protocol U
GA
PRL In existing schemes
id, cred
par
learns id and even cred of U.
in Handshake Protocol U
U‘
id, cred K Even if
id id’
id’, cred’ K
does not introduce phantom group members it can usually distinguish key K from random by impersonating id‘.
Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
9
New Requirement: Untraceability in AddUser Protocol U PRL
GA
id, cred
par
id, cred
can store id, U and possibly cred for the later use. in Handshake Protocol U id
id, cred K
K
can easily trace real identity U in its handshake sessions from pseudonym id. untraceability is an individual privacy goal of each user Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
10
State‐of‐the‐Art Linkable AH‐AKE Jarecki‐Kim‐Tsudik, CT‐RSA 2008 RSA modulus n pq where p 2p‘ 1, q 2q‘ 1 are safe primes. RSA exponents e, d where e d–1 mod φ n . Generator g s.t. ord q 2p‘q‘ and –1 ∉ g n* –1 × g . Hash functions Hn: 0,1 * n* and H : 0,1 * 0,1 κ . Group Parameters
G.sk p, q, d , public: G.pk n, g, e , G.PRL, H, Hn
AddUser Protocol
GA issues cred as an FDH‐RSA signature on some id
σ Hn id
Remark
d
mod n with id 0,1
κ
U
id, σ
PRL
GA
n, g, e, H, Hn p, q, d
From AddUser protocol GA learns U, id, σ . All previously discussed attacks of a malicious GA apply.
Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
11
State‐of‐the‐Art Linkable AH‐AKE (II) Handshake Protocol UA is in GA, UB is in GB
nA*
–1 × gA ,
UA idA, σA nA, gA, eA, GA.PRL random bit
θA
–1
bA·σ
exponent A·gA
xA
uniform in
UB
HnB idB
padding (hides nA)
mod nA kA·nA nA*
if idB ∉ GA.PRL: KA H rA, sidA , CA H rA, sidA, 0 s.t. rA θBeA·HnA idB –1 2xA mod nA else: KA, CA R 0,1 κ
idA, θA idB, θB
CA CB
check CB, accept KA random if check fails
Remark
nB*
θB
–1
dB
bB·σ
–1 × gB
idB, σB nB, gB, eB, GB.PRL
mod nB
xB B·gB mod
nB kB·nB
if idA ∉ GB.PRL: KB H rB, sidB , CA H rB, sidB, 1 s.t. rB θAeB·HnB idA –1 2xB mod nB else: KB, CB R 0,1 κ check CA, accept KB
if GA GB then rA rB g2exAxB Diffie‐Hellman value in g
Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
12
Avoiding Rogue Group Parameters How to enforce honest generation of parameters? Applies only if GA is malicious from the beginning. In general GA must prove that parameters have been generated in a correct way. This can be done by using appropriate non‐interactive zero‐knowledge proofs. In JKT08 protocol GA must provide a ZKPoK Πn,g for the following statement where n, g, κ are public: n pq
p 2p’ 1 q 2q’ 1 |p’| κ
|q’| κ p’, q’ PRIMES ord g 2p’q’ –1 ∉ g
Camenisch‐Michels, Eurocrypt 1999 show how to prove part of this, namely n pq
p 2p’ 1 q 2q’ 1 |p’| κ
|q’| κ p’, q’ PRIMES
We extend their proof towards the missing part ord g 2p’q’ –1 ∉ g We use the sufficient condition that gp’q’ ± ω mod n for some ω n* , ω 1. Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
13
First Step Towards Untraceability We need to break the link between real identity U and pseudonym id in AddUser. In JKT08 protocol Instead of GA issuing id, σ we use blind FDH‐RSA signature Chaum, Crypto 1982 . We assume that U checks ZKPoK Πn,g beforehand. U PRL pick id 0,1 r R n m1
GA
n, g, e, H, Hn, Πn,g p, q, d
κ
Hn id re mod n
m1 m2
m2
m1d mod n
σ m2·r–1 mod n if σe Hn id mod n store id, σ
Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
14
Preventing Impersonation of Honest Users The use of a blind signature on id alone is not sufficient! We should also care about impersonation attacks on honest users. UA
m1
m2 store idA, σ
m1
UA
Hn idA re mod n GA
PRL
UA registers to the group
1
2
observes handshakes of UA
obtains σ on idA
3
4
impersonates UA
Hn idA re mod n m2
par
idA, … idB, …
PRL
GA
par
idA, … idB, …
UB
UB
store idA, σ
We must ensure that each user can claim possession of the pseudonym! Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
15
Our AH‐AKE with Untrusted GAs: AddUser Let Σ
KGen, Sign, Verify be a EUF‐CMA secure digital signature scheme.
Main Idea
Bind pseudonyms to signature keys. U PRL
skU, pkU id pkU r R n m1
R
GA
n, g, e, H, Hn, Πn,g p, q, d
Σ.KGen 1κ
Hn id re mod n
m1 m2
m2
m1d mod n
σ m2·r–1 mod n if σe Hn id mod n store id, σ
The proof of possession of skU is postponed to the handshake protocol. Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
16
Our AH‐AKE with Untrusted GAs: Handshake UA skA, idA, σA nA, gA, eA, GA.PRL random bit
θA
–1
bA·σ
exponent A·gA
xA
uniform in
UB
HnB idB
padding (hides nA)
mod nA kA·nA nA*
if idB ∉ GA.PRL: KA H rA, sidA , CA H rA, sidA, 0 s.t. rA θBeA·HnA idB –1 2xA mod nA else: KA, CA R 0,1 κ sA Σ.Sign skA, CA, sidA
idA, θA idB, θB
sA sB
check sB, accept KA random if check fails
θB
–1
dB
bB·σ
skB, idB, σB nB, gB, eB, GB.PRL
mod nB
xB B·gB mod
nB kB·nB
if idA ∉ GB.PRL: KB H rB, sidB , CA H rB, sidB, 1 s.t. rB θAeB·HnB idA –1 2xB mod nB else: KB, CB R 0,1 κ sB Σ.Sign skB, CB, sidB check sA, accept KB
signatures sA and sB prevent impersonation attacks and provide key confirmation Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
17
Security of Our (Linkable) AH‐AKE Scheme Original JKT08 Protocol
secure in a model with trusted GAs
Affiliation‐Hiding
RSA assumption with Safe RSA Moduli given n, e, g find z such that ze g mod n
AKE‐Security
same assumptions as for affiliation‐hiding
Our AH‐AKE Protocol
secure in a model with untrusted GAs
Affiliation‐Hiding
‐ RSA assumption with Safe RSA Moduli ‐ CDH assumption in g 2p‘q‘ n* , ord g given g, ga, gb find gab ‐ soundness zero‐knowledge of Πn,g ‐ EUF‐CMA security of Σ
AKE‐Security
same assumptions as for affiliation‐hiding
Untraceability
soundness of Πn,g
Remark
ROM
ROM
In practice we may not need Πn,g e.g. if G.par are validated by TTP . In this case untraceability becomes unconditional.
Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
18
Summary of Contributions and Conclusion Untrusted GA Model for Linkable AH‐AKE Protocols stronger model for security and privacy of AH‐AKE protocols than JKT08 distinction between initially malicious and later corruptable GAs definition of untraceability as an additional individual privacy goal of users
Linkable AH‐AKE Protocol Resistant against Malicious GAs extended Camenisch‐Michels ZK proof towards ord g 2p’q’ –1 ∉ g blind registration with cryptographically protected pseudonyms in AddUser moving to signature‐based confirmation in JKT08 handshake similar efficiency as in the original JKT08 protocol if we omit Πn,g in practice Thank you! Affiliation‐Hiding Key Exchange with Untrusted Group Authorities ACNS 2010, Beijing, China, 23.06.2010 | Mark Manulis | www.manulis.eu
CRYPÞ CRYPTOGRAPHIC PROTOCOLS
19