1 Secret Handshakes or Privacy-Preserving Interactive Authentication Gene Tsudik University of California, Irvine joint work with: Claude Castelluccia, Stanisław Jarecki, Shouhuai Xu, Samad Nasserian

2 Motivation u Privacy is being gradually eroded Cameras everywhere Search engines keep data Stores keep track of habits via affinity cards Libraries keep records of book checked out u Need privacy-preserving services E-cash Anonymous Anonymous signatures (e.g., group signatures) Information Delivery Trust negotiation Authentication u Our focus: Private (unobservable) authenticaiton

3 Example setting u Alice and Bob meet in a crowded network u All communication is observable u Man-in-the-middle attacks possible u Alice is an FBI agent u Bob is an FBI agent u They cannot authenticate publicly… u Alice will only “speak” with other FBI agents u Bob will only “speak” with other FBI agents u How can they authenticate in private?

4 Example setting u How can they authenticate in private? u Cannot just exchange signatures u Cannot simply share a common key u Cannot even exchange group signatures

5 Encryption: The General Idea Alice Bob message m Alice decrypts m from c Ciphertext c c Adversary Adversary cannot get m from c !!!

6 Public Key Encryption Alice Bob message m m = Dec( K S, c) c = Enc( K A, m ) c Key generation procedure Alice’s secret decryption Key K S Alice’s public encryption Key K A KAKA - computing m from K A and c is infeasible - computing even one bit of m is infeasible - deciding if m=m’ from (K A,c) is infeasible [list of useful security needs still growing…]Adversary Problem: How does Bob know that K A is Alice’s public key? KSKS

7 Public Key Infrastructure [PKI]: Certification Authority generates keys Alice Bob (knows CA’s public key) Alice’s secret key K s Certification Authority (CA) Alice’s public key K a : cert A = SIG CA {K a, Alice } Bob verifies CA’s signature cert A on K a c = Enc( K a, m ) m m = Dec(K s, c )

8 [PKI]: Users Generate Keys Independently Bob (knows CA) Alice generates her secret-public key pair (K s,K a ) on her own Certification Authority (CA) cert A = SIG CA { A,Alice} Bob verifies CA’s signature cert A on {K a, Alice} c = Enc( K a, m ) K a + “physical authentication” ( Alice, K a, cert A ) m Alice m = Dec(K s,c)

9 proof of knowledge of K s corresponding to K a Using a PKI: Bob (knows CA) Alice generates secret- public key pair (K s,K a ) on her own Certification Authority (CA) Bob verifies CA’s signature cert A on K a K a + “physical authentication” Alice ( K a, cert A ) Authentication: Bob is sure that he is talking to Alice cert A = SIG CA {Ka,Alice}

10 [PKI]: Authentication Reveals Alice’s Affiliation Bob (knows UCI) Alice’s CA: UCI (Public Key UCI) Bob verifies UCI’s sig. cert A on K a and learns that Alice is at UCI proof of knowledge of K s corresponding to K a Alice generates secret- public key pair (K s,K a ) on her own K a + “physical authentication” ( K a, cert A ) cert A = SIG uci {Ka,Alice}

11 Traditional Public Key Authentication offers: No Affiliation Privacy cert A = SIG UCI {Alice’s Pub.Key K a } Alice, UCI student Bob Alice’s affiliation is publicly revealed by her certificate - Can Alice reveal her affiliation only to FBI members? - Can Bob keep his affliation private too?, FBI agent proof of knowledge of K s corresponding to K a

12 Alice’s PKInfo K a and affiliation UCI - Can Alice reveal her affiliation only to FBI members? Alice, UCI student Public Key Authentication (changing the terms ) Bob, FBI agent proof of knowledge of UCI’s cert on K a On input UCI and K a, Bob verifies the proof cert A = SIG UCI {K a }

13 - Can Alice reveal her affiliation only to FBI members? On input UCI and K a, Bob verifies the proof Alice, UCI student Public Key Authentication: The Problem of Affiliation Privacy Bob, FBI agent Alice’s PKInfo K a and affiliation UCI cert A = SIG UCI {K a } proof of knowledge of UCI’s cert on K a Policy A = {FBI} - Can she hide this policy from other parties? - (and vice versa for Bob?) ?

14 - Can Alice reveal her affiliation only to FBI members? proof of knowledge of FBI’s cert on Kb Public Key Authentication: The Problem of Affiliation Privacy Alice’s PKInfo Ka proof of knowledge of UCI’s cert on Ka Bob’s PKInfo Kb - (and vice versa for Bob?) - Can she hide this policy from other counterparties? cert A = SIG UCI {Ka} Policy A = {FBI} cert B = SIG FBI {Kb} Policy B = {UCI}

15 - Can she hide this policy from other counterparties? - Can Alice reveal her affiliation only to FBI members? Secret Handshakes via “Encrypted Authentication” 1 1: signatures must work as decryption keys 2 2: ciphertexts must hide Cert. Signer assumed in encryption Enc PK(FBI,Kb) {proof of knowledge of SIG UCI {Ka}, n A } nAnA Alice’s PKInfo Ka Bob’s PKInfo Kb encryption key derived for (FBI,Kb) signature = decryption key cert A = SIG UCI {Ka} Policy A = {FBI} cert B = SIG FBI {Kb} Policy B = {UCI} - (and vice versa for Bob?) 3 3: public key info must hide Cert. Signer too

16 Secret Handshakes with “CA-oblivious” or “Signature-Based” Encryption Enc PK(FBI,Kb) {proof of knowledge of SIG UCI {Ka}, c A, n A } Alice’s PKInfo Ka Bob’s PKInfo Kb cert A = SIG UCI {Ka} Policy A = {FBI} cert B = SIG FBI {Kb} Policy B = {UCI} Enc PK(UCI,Ka) {proof of knowledge of SIG FBI {Kb}, c B, n B }, c A c B In addition, can derive a shared key K=f(n A,n B )

17 - Pseudonym re-use  linkability (constant # of pseudonyms; must be replenished periodically) - Size of revocation information (#pseudonyms * #revoked) - O(n 2 ) for n certificates and n policies - How to do group handshakes? Outstanding Issues

18 - Balfanz, et al. (S&P 2003) - BGDH assumption (bilinear maps) - Castelluccia, et al. (Asiacrypt 2004) - discrete log assumption (Schnorr signatures) - Holt, Seamons (ACM CCS 2004) - Hidden credentials - Xu and Yung (CCS 2004) - k-anonymity [XY’04] - Xu and Tsudik (in submission) - framework supporting reusable credentials, group handshakes - (1) Group Signatures + (2) Group Key Agreement + (3) Centralized Group Key Distribution Recent Results

19 Questions?