Design and Security Analysis of Marked Blind Signature

Presentation transcript:

Design and Security Analysis of Marked Blind Signature
Training activity
Student: Claudia Snels
Professor: Giuseppe Bianchi

Presentation outline
- Introduction: Blind signatures; New Marked Blind Signature (MBS)
- Security analysis: General methods; Security analysis of MBS
- Ongoing work on MBS
- Applications
- Conclusions

Chaum's Blind RSA Signature (Introduction: Blind signatures)
- Client sends B^e P mod n to Server.
- Server returns (B^e P)^d = B P^d mod n.
- B: blinding term; P: message to be signed; (d,n): Server's private key; (e,n): Server's public key.
- User unblinds the received message and obtains a valid signature for P.
- Server doesn't know what he has signed: BLIND SIGNATURE.

Marked Blind Signature (Introduction: New Marked Blind Signatures)
- Goal: add a random "mark" R inside the signature; R unknown/unforgeable by both server and client.
- Application: "stamp" the act of signing.
- Anticipated certificate verification: wrap proof of possession of a certificate private key inside the signature!
- SPARTA pseudonym/authorization approach from Netlab (more later).

Marked Blind Signature: simpler (but flawed) version, easier to understand
- R=XY inserted by client (full-domain hashed with P); blinding with the same factor B.
- Approach: use the homomorphic property of RSA encryption. X = client random; B = blinding factor.
- Homomorphic computation of R=XY (blindly).
- Signed credential: server-side blind insertion of R=XY.
- Additive insertion to avoid forgery and easy attacks.
- Flaw: traceability! Server associates to the real user the following value

Marked Blind Signature: actual (correct) version (Introduction: New Marked Blind Signatures)
- Discrete logarithm modulus n (server RSA); DL-strong base g.
- (Double) homomorphic computation of R=XY+Z: X,Z client random; Y server random; under the condition XY+Z<n.
- Elimination of B now harmless.

Signature verification (Introduction: New Marked Blind Signatures)
- Authorization credential: signed pseudonym.
- After server signature, client computes R as
- Verification: client verifies certificate P (usual challenge handshake); client presents P, R, cred; Server checks:

How to develop a security analysis: security protocol (Security analysis: General methods)
- Message exchange: logic correctness; explicitness of information exchanged; automatic theorem provers (Isabelle); semantic analysis.
- Cryptographic primitives: black box, cryptography is supposed to work well.

How to develop a security analysis: cryptographic primitives (Security analysis: General methods)
- Simple signature schemes like RSA, Diffie-Hellman.
- More complicated schemes like Chaum's Blind Signature, elliptic curve signatures.
- Massive usage of basic number theory theorems.
- A jungle of papers about zero-knowledge proofs, Random Oracles. WHY?

Security analysis: our choice (Security analysis: General methods)
- Problem: simple ideas with "uncommon" requirements (e.g. untraceability) are VERY difficult to prove.
- Two strategies:
  1) Design a very complicated protocol which can satisfy a large number of hypotheses. Under such strict hypotheses a rigorous mathematical proof is possible. Problem: inapplicability of such protocols in software tools.
  2) Maintain a simple idea! Try an attack-based security analysis, and build a rigorous proof when possible. OUR CHOICE.

Main features of a blind signature scheme (Security analysis of mbs)
- Unforgeability of R: R should be a random value created by both peers but not forgeable, in order to prevent traceability or reuse of the same marker.
- Unforgeability of mbs: the client should not be able to generate (forge) a valid signature.
- Untraceability: the Server should not be able to trace the Client.

Security analysis of mbs: unforgeability of R
We recall that the strategy of the attack is to choose a suitable x (for Client) or y (for Server) such that mod n or mod n. In the first case we have R=s, so its value is decided by Client. Values having this property are the Euler totient function and the Carmichael function, but these values are known only to Bob, who possesses the factorization of n=pq. So we can conclude:
- Server can choose a suitable y, but this is not an advantage for him.
- Client can't choose a suitable x; in other words, this is as difficult as factoring the RSA modulus n.
- R is UNFORGEABLE.

Security analysis of mbs: unforgeability of mbs
- How can Alice try to forge mbs? We refer to one-more forgery, in the sense that if Client owns a signing oracle she can't obtain one more mbs than the number of queries she makes to the oracle.
- HOMOMORPHIC PROPERTY OF RSA
- With Marked Blind Signature, is this possible?

Security analysis of mbs: unforgeability of mbs
- Try to find an R and a message m such that
- Hard computation due to multiple hash terms: presence of R inside and outside the hash.
- Under the Random Oracle hypothesis, our signature is as unforgeable as Chaum's blind signature.

Security analysis of mbs: untraceability
- We focus on the possibility for the server to build a marker univocally linkable to one client (remember the flaw of the first scheme presented).
- In our case we can eliminate the blinding term B and produce the following ratios
- While good candidates for markers are
- Always blinded; not directly obtainable by Server.

Security analysis of mbs: untraceability
- In order to obtain we must have
- We have demonstrated that is not obtainable as long as Server doesn't know B.
- So the next question is: how to obtain B? During the handshake.
- Blindness during handshake: 2 equations, 3 variables.

Formal proof of validity and blindness (Security analysis of mbs)
- Definition. A signature scheme is called blind if Server's view V and the triple (mbs,R,m) are statistically independent, that is, during the verification phase Server cannot recognise Client.
- Theorem. The triple (mbs,R,m) is a valid signature for message m and the mbs protocol is a blind scheme.
- Proof. Validity: if the hash is collision free

Formal proof of validity and blindness (Security analysis of mbs)
- Blindness. We show that given any view V and any valid triple (mbs,R,m) there exists a unique pair of blinding factors B and R. Because Client chooses both blinding terms at random (in fact we have previously underlined the unforgeability of R), the blindness of the signature scheme follows.
- If the signature (mbs,R) has been generated during an execution of the protocol with view V consisting of y, x1, x2, (x1y + x2), then the following equations must hold
- One-parameter solution; x,s random; R unforgeable; unique solution.

Security analysis of mbs: Harn's attack
- Harn's attack is a Server attack based on: blind signature; collection of signatures and handshake terms.
- Let m be a generic message to be blindly signed; the attack is developed in two steps:
  1) Server collects for each client the received term B^e m and the returned term B m^d.
  2) When Server receives the signature m^d, he divides every B m^d term by it and tests whether the B obtained gives a correct match for B^e m. With a positive match he can trace the user.

Resistance of mbs against Harn's attack (Security analysis of mbs)
- Let and be the signature received by Server during verification, and suppose that we have two registered users.
- 1) If Server operates the strategy previously described and succeeds in identifying Client 1:
- 2) If Server operates the strategy previously described but first tries to identify Client 2 as Client 1:
- We write: Server incorrectly identifies Client 2 as Client 1.
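The blind RSA exchange from the Chaum slide and the linking test from the Harn's attack slide, carried out together as an added Python example (not the thesis' own code): the server stores (B^e m, B m^d) per client and later tries to recover B from a presented (m, m^d). The function names and the tiny primes are constructed for illustration only.

```python
import secrets
from math import gcd


def rsa_keygen(p, q, e):
    """Toy RSA key from two small primes (constructed, not secure); returns (n, e, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)


def blind(message, n, e, blinding=None):
    """Client: pick a blinding term B coprime to n and send B^e * P mod n."""
    while blinding is None or gcd(blinding, n) != 1:
        blinding = secrets.randbelow(n - 2) + 2
    return blinding, (pow(blinding, e, n) * message) % n


def sign(blinded, n, d):
    """Server: (B^e P)^d = B * P^d mod n; the server never learns P."""
    return pow(blinded, d, n)


def unblind(blind_sig, blinding, n):
    """Client: divide out B and obtain P^d mod n, an ordinary RSA signature on P."""
    return (blind_sig * pow(blinding, -1, n)) % n


def verify(message, sig, n, e):
    return pow(sig, e, n) == message


def harn_match(view, message, sig, n, e):
    """Server-side linking test from the slides: from a stored view (B^e m, B m^d)
    recover B' = (B m^d) / m^d and check whether B'^e * m equals the stored term.
    Assumes m (hence m^d) is invertible mod n, which holds for all but negligibly few m."""
    blinded_msg, blinded_sig = view
    b_guess = (blinded_sig * pow(sig, -1, n)) % n
    return (pow(b_guess, e, n) * message) % n == blinded_msg


def matching_views(views, message, sig, n, e):
    """Number of stored views that pass the test for one presented (m, m^d) pair."""
    return sum(harn_match(v, message, sig, n, e) for v in views)
```

For a foreign view the recovered B' = B2 m2^d / m^d still satisfies B'^e m = B2^e m2, so every stored view passes and the test carries no linking information, which is the outcome the slide reports for MBS (Client 2 wrongly identified as Client 1).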

Open problems: distribution of R (Ongoing work on mbs)
- If we want the signature to be valid we must have R<n, but x, y and s are random.
- It is necessary to choose suitable distributions and ranges such that R looks like a uniformly distributed random variable.
- Problem: BAD distribution.
- Naive approach: try x and y uniform in, s uniform in

Attack on distribution of R (Ongoing work on MBS)
- The distribution of R has a very different concentration for high or low values of y. So if Server gives a Client a low y, he knows that with very high probability R will assume a certain range of values, and vice versa.
- Server can classify and consequently trace classes of users.
- (plot: y=1)

Guidelines for distribution choices (Ongoing work on MBS)
- Y protects the server from the client's attack on R, so its distribution range should not be small.
- The client is already protected by s, so x can be small.
- S can smooth the distribution of R (convolution), so it should have a large range.

Some insights about distributions (Ongoing work on MBS)
- If x and y are uniform in the same range: logarithm-like distribution.
- If x and y are uniform in and s is uniform in: almost uniform.
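Added example (not from the thesis) that enumerates the exact distribution of the marker R = xy + s over small constructed ranges, so the two effects described above become measurable: the logarithm-like pile-up of xy at low values, and how sharply a server-chosen low y versus high y separates two clients before and after s smooths R by convolution. The ranges and function names are assumptions, not the thesis' parameters.

```python
from collections import Counter
from fractions import Fraction


def marker_distribution(y_values, x_range, s_range):
    """Exact distribution of R = x*y + s by enumeration, with x, s independent and uniform
    on inclusive integer ranges and y uniform on y_values (constructed toy ranges)."""
    counts = Counter()
    for y in y_values:
        for x in range(x_range[0], x_range[1] + 1):
            for s in range(s_range[0], s_range[1] + 1):
                counts[x * y + s] += 1
    total = sum(counts.values())
    return {r: Fraction(c, total) for r, c in counts.items()}


def mass_below(dist, bound):
    """Probability that the marker R is at most `bound` (uniform R would give bound/max)."""
    return sum(p for r, p in dist.items() if r <= bound)


def total_variation(dist_a, dist_b):
    """Statistical distance between two R distributions: 1 means a server seeing only R
    can always tell the two classes apart, 0 means R reveals nothing about the class."""
    keys = set(dist_a) | set(dist_b)
    return sum(abs(dist_a.get(r, 0) - dist_b.get(r, 0)) for r in keys) / 2


def class_distinguishability(y_low, y_high, x_range, s_range):
    """Server hands one client y_low and another y_high: how separable are their markers?"""
    low = marker_distribution([y_low], x_range, s_range)
    high = marker_distribution([y_high], x_range, s_range)
    return total_variation(low, high)
```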

Sample MBS application: pseudonym's blind authorization (Applications)
- Diagram elements: PKI-like pseudonym assignment infrastructure, blind signature, P, Alice, Server, auth.

Pseudonym hijacking (Applications)
- Diagram elements: pseudonym assignment infrastructure, Evil, Server, P, auth, Alice.
- Evil is authorised as Alice, because he has stolen her pseudonym.
- MBS as a tool to show possession of the pseudonym private key.

MBS for pseudonym authorization (Applications)
- Inclusion of the pseudonym private key to permit verification at registration time.

Conclusions
- Proven security of Marked Blind Signature.
- Design of a simple scheme that can be easily integrated in an AAA with pseudonyms.
- New insights about distributions of random numbers introduced in signatures and related server attacks.