Advanced Security Constructions and Key Management Class 16.

Outline
- One-Time Signatures
  - Lamport's signature
  - Improved signature constructions
  - Merkle-Winternitz signature
- Efficient Authenticators (amortize signature)
  - One-way chains (self-authenticating values)
  - Chained hashes
  - Merkle hash trees
- Applications
  - Efficient short-lived certificates, S/Key
  - Untrusted external storage
  - Stream signatures (Gennaro, Rohatgi)
- Zhou & Haas's key distribution

One-Time Signatures
- Challenge: digital signatures are expensive to generate and to verify
- Goal: amortize the cost of a digital signature

One-Time Signatures
- Use one-way functions without a trapdoor
- Efficient for signature generation and verification
- Caveat: each key can only be used one time
- Example: 1-bit one-time signature
  - P0, P1 are public values (public key)
  - S0, S1 are private values (private key)
  - [Figure: the one-way function maps S0 to P0 and S1 to P1]

Lamport's One-Time Signature
- Uses the 1-bit signature construction to sign multiple bits
- [Figure: for each message bit (Bit 0, Bit 1, Bit 2, ..., Bit n) a pair of private values (S0, S1) and the corresponding public values (P0, P1); "Sign 0" reveals S0, "Sign 1" reveals S1]

Improved Construction I
- Uses the 1-bit signature construction to sign multiple bits, but with a single private value S0 and public value P0 per message bit (Bit 0, Bit 1, Bit 2, ..., Bit n)
- Sign the message bits, then sign checksum bits (Bit 0, Bit 1, ..., Bit log(n)); the checksum encodes the number of signature bits equal to 0
- [Figure: one chain S0 -> P0 per message bit and one chain c0 -> p0 per checksum bit]

Improved Construction II
- Lamport signature has high overhead
- Goal: reduce the size of the public and private key
- Approach: use one-way hash chains
  - S1 = F(S0)
  - P = F(S3 || C0)
- [Figure: signature chain S0, S1, S2, S3 (labelled Sig(0), Sig(1), Sig(2), Sig(3)) and checksum chain C3, C2, C1, C0, both ending in the public value P]

Merkle-Winternitz Construction
- Intuition: encode the sum of the checksum chain
- [Figure: three signature chains (S0..S3, S0'..S3', S0''..S3'') for signature bits 0,1; 2,3; 4,5 and two checksum chains (C0..C3, C0'..C3') for checksum bits 0,1 and 2,3, all combined into the public value P]
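The two slides above describe the construction only in pictures. The following is an added example, not code from the slides: a Winternitz-style one-time signature in which every private value starts a short one-way chain and checksum chains stop a forger from advancing a message chunk along its chain. The concrete parameters (W = 4, so two message bits per chain; SHA-256 as F; signing the 256-bit SHA-256 digest of the message) are assumptions made for this example, since the slides fix no values.

```python
import hashlib
import math
import os

# Added example (not from the slides): Winternitz one-time signature with
# checksum chains. W, CHUNK_BITS and the use of SHA-256 are assumptions.

W = 4                                   # chain length: each chunk is a value 0 .. W-1
CHUNK_BITS = 2                          # log2(W) message bits per chain
MSG_CHUNKS = 256 // CHUNK_BITS          # the SHA-256 digest of the message is signed
# The checksum sum(W-1 - m_i) must fit into CHK_CHUNKS base-W digits.
CHK_CHUNKS = math.ceil(math.log2(MSG_CHUNKS * (W - 1) + 1) / CHUNK_BITS)


def F(x: bytes) -> bytes:
    """The public one-way function that drives every chain."""
    return hashlib.sha256(x).digest()


def iterate(x: bytes, n: int) -> bytes:
    """F^n(x); n = 0 returns x itself."""
    for _ in range(n):
        x = F(x)
    return x


def int_to_chunks(value: int, count: int) -> list:
    """Big-endian base-W digits of value, exactly count of them."""
    return [(value >> (CHUNK_BITS * (count - 1 - i))) & (W - 1) for i in range(count)]


def message_chunks(message: bytes) -> list:
    """Message chunks followed by checksum chunks: the values actually signed."""
    digest = hashlib.sha256(message).digest()
    msg = int_to_chunks(int.from_bytes(digest, "big"), MSG_CHUNKS)
    # Raising any m_i lowers the checksum, so a forger would have to walk a
    # checksum chain backwards, which the one-way property rules out.
    checksum = sum(W - 1 - m for m in msg)
    return msg + int_to_chunks(checksum, CHK_CHUNKS)


def keygen(rand=os.urandom):
    """Private key: one random chain start per chunk. Public key: hash of all chain ends."""
    sk = [rand(32) for _ in range(MSG_CHUNKS + CHK_CHUNKS)]
    ends = [iterate(s, W - 1) for s in sk]         # the S3 / C0 values of the slide
    pk = hashlib.sha256(b"".join(ends)).digest()   # analogue of P = F(S3 || C0)
    return pk, sk


def sign(sk: list, message: bytes) -> list:
    """Reveal F^{m_i}(s_i) for every chunk value m_i. Never reuse sk."""
    return [iterate(s, m) for s, m in zip(sk, message_chunks(message))]


def verify(pk: bytes, message: bytes, signature: list) -> bool:
    """Walk each revealed value the remaining W-1-m_i steps and compare with pk."""
    if len(signature) != MSG_CHUNKS + CHK_CHUNKS:
        return False
    ends = [iterate(sig, W - 1 - m) for sig, m in zip(signature, message_chunks(message))]
    return hashlib.sha256(b"".join(ends)).digest() == pk


if __name__ == "__main__":
    pk, sk = keygen()
    sig = sign(sk, b"constructed sample message")
    print("valid:", verify(pk, b"constructed sample message", sig))
    print("tampered:", verify(pk, b"constructed sample message!", sig))
```

With these parameters the signature is 128 + 5 values instead of the 256 values of Lamport's scheme, and the public key is a single hash, which is the size reduction the "Improved Construction II" slide is after; the price is up to W-1 hash evaluations per chain at signing and verification time.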

Efficient Authenticators
- One-way chains
- Chained hashes
- Merkle hash trees

Recall One-Way Hash Chains?
- Versatile cryptographic primitive
- Construction
  - Pick a random r_N and a public one-way function F
  - r_i = F(r_{i+1})
  - Secret value: r_N; public value: r_0
- Properties
  - Use in reverse order of construction: r_1, r_2, ..., r_N
  - Infeasible to derive r_i from r_j (j < i)
  - Efficiently authenticate r_i knowing r_j (j < i): verify r_j = F^(i-j)(r_i)
  - Robust to missing values
- [Figure: r_7 -F-> r_6 -F-> r_5 -F-> r_4 -F-> r_3]

One-Way Chain Application
- S/Key one-time password system
- Goal
  - Use a different password at every login
  - Server cannot derive the password for the next login
- Solution: one-way chain
  - Pick a random password P_L
  - Prepare the sequence of passwords P_i = F(P_{i+1})
  - Use passwords P_0, P_1, ..., P_{L-1}, P_L
  - Server can easily authenticate the user
- [Figure: p_7 -F-> p_6 -F-> p_5 -F-> p_4 -F-> p_3]
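As an added example covering the two slides above (not code from the slides or from any S/Key implementation), the chain construction r_i = F(r_{i+1}) and a server that authenticates successive chain values, including the "robust to missing values" property. SHA-256 as F, a chain of length 10, the client sending its index alongside the value, and a cap on how many missed values the server will skip are all assumptions of this example.

```python
import hashlib

# Added example (not from the slides): one-way hash chain used as S/Key-style
# one-time passwords. F = SHA-256 and the max_skip policy are assumptions.


def F(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def build_chain(seed: bytes, length: int) -> list:
    """Return [r_0, r_1, ..., r_L] with r_L = seed and r_i = F(r_{i+1})."""
    chain = [seed]
    for _ in range(length):
        chain.append(F(chain[-1]))
    chain.reverse()                     # chain[0] is the public anchor r_0
    return chain


class SKeyServer:
    """Stores only the most recently accepted value r_j and its index j."""

    def __init__(self, anchor: bytes, index: int = 0):
        self.value = anchor             # r_0, learned once at enrollment
        self.index = index

    def login(self, candidate: bytes, claimed_index: int, max_skip: int = 5) -> bool:
        """Accept r_i (i > j) iff F^(i-j)(r_i) == stored r_j, then remember r_i."""
        steps = claimed_index - self.index
        if steps <= 0 or steps > max_skip:   # replay/backwards, or too far ahead
            return False
        x = candidate
        for _ in range(steps):
            x = F(x)
        if x != self.value:
            return False
        self.value, self.index = candidate, claimed_index
        return True


def demo() -> list:
    """Constructed login sequence; returns the accept/reject decisions in order."""
    chain = build_chain(b"constructed secret seed", 10)   # r_0 .. r_10
    server = SKeyServer(chain[0])
    return [
        server.login(chain[1], 1),   # first password: accepted
        server.login(chain[1], 1),   # replay of the same value: rejected
        server.login(chain[4], 4),   # r_2, r_3 never arrived: still accepted
        server.login(chain[3], 3),   # older value after r_4 was used: rejected
    ]


if __name__ == "__main__":
    print(demo())
```

The server never holds anything an eavesdropper could turn into the next password: knowing r_j only lets one compute values further down the chain (r_{j-1}, ...), which the server will not accept again.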

Chained Hashes
- More general construction than one-way hash chains
- Useful for authenticating a sequence of data values D_0, D_1, ..., D_N
- H* authenticates the entire chain
- [Figure: H_{N-1} = H(D_N), H_{N-2} = H(D_{N-1} || H_{N-1}), ..., H_0 stored next to D_0, with H* at the head of the chain]

Merkle Hash Trees
- Authenticate a sequence of data values D_0, D_1, ..., D_N
- Construct a binary tree over the data values
- [Figure: leaves D_0 ... D_7, internal nodes T_1 ... T_6, root T_0]

Merkle Hash Trees II
- Verifier knows T_0
- How can the verifier authenticate leaf D_i?
- Solution: recompute T_0 using D_i
- Example: to authenticate D_2, send D_3, T_3, T_2
- Verify T_0 = H( H( T_3 || H( D_2 || D_3 ) ) || T_2 )
- [Figure: leaves D_0 ... D_7, internal nodes T_1 ... T_6, root T_0]
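An added example for the two Merkle tree slides (not code from the slides): building the tree over eight values, producing the authentication path the slide names for D_2 (D_3, T_3, T_2), and recomputing T_0 from it. It also serves the "Untrusted External Storage" application that follows, where only T_0 has to live in trusted storage and every page read is checked against it. SHA-256 as H and hashing the raw data values directly (as in the slide's H(D_2 || D_3)) are assumptions of this example.

```python
import hashlib

# Added example (not from the slides): Merkle hash tree with authentication
# paths. H = SHA-256 and the power-of-two leaf count are assumptions.


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def build_tree(leaves: list) -> list:
    """levels[0] = leaves, levels[1] = hashes of adjacent pairs, ..., levels[-1] = [root]."""
    if not leaves or len(leaves) & (len(leaves) - 1):
        raise ValueError("number of leaves must be a power of two")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def root(levels: list) -> bytes:
    return levels[-1][0]


def auth_path(levels: list, index: int) -> list:
    """Sibling values from the leaf level upward, each tagged with its side ('L' or 'R')."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return path


def verify_leaf(root_value: bytes, leaf: bytes, path: list) -> bool:
    """Recompute T_0 from D_i and its path; True iff it equals the trusted root."""
    acc = leaf
    for side, sibling in path:
        acc = H(sibling + acc) if side == "L" else H(acc + sibling)
    return acc == root_value


def slide_example() -> tuple:
    """The slide's case: authenticate D_2 with D_3, T_3, T_2 against a known T_0."""
    data = [b"memory page %d" % i for i in range(8)]   # constructed D_0 .. D_7
    levels = build_tree(data)
    T0 = root(levels)                 # the only value the verifier (or coprocessor) keeps
    path = auth_path(levels, 2)       # [("R", D_3), ("L", T_3), ("R", T_2)]
    # The slide's formula written out by hand, to show the path reproduces it.
    T3 = H(data[0] + data[1])
    T2 = levels[2][1]
    by_formula = H(H(T3 + H(data[2] + data[3])) + T2)
    return (
        verify_leaf(T0, data[2], path),          # genuine D_2: accepted
        by_formula == T0,                        # formula and path agree
        verify_leaf(T0, b"tampered page", path), # modified page: rejected
    )


if __name__ == "__main__":
    print(slide_example())
```

A path has log2(N) siblings, so a verifier holding only T_0 checks any one of N pages with log2(N) hash evaluations; that is why the coprocessor in the next slide needs only a small persistent store.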

Untrusted External Storage
- Problem: how can we store the memory of a secure coprocessor in untrusted storage?
- Solution: construct a Merkle hash tree over all memory pages
- [Figure: secure coprocessor with small persistent storage; the memory pages live in Mallory's storage]

Stream Signatures
- Gennaro & Rohatgi, Crypto '97
- Problem
  - Sender sends a sequence of packets to a receiver
  - Receiver wants to immediately authenticate each packet
  - Efficient authentication of packets
  - On-line case (real-time data), off-line case (stored data)

Off-line Case
- Sender knows the entire stream before sending
- Use chained hashes, precompute H_i
- Digitally sign the first packet: Sig(H*)
- Each packet authenticates the next packet
- [Figure: P_N; P_{N-1} with H_{N-1}; P_{N-2} with H_{N-2}; ...; P_0 with H_0; and H* at the head]
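An added example for the "Chained Hashes" and "Off-line Case" slides (not code from the slides or from the Gennaro-Rohatgi paper): the sender precomputes H_{N-1} = H(P_N) and H_i = H(P_{i+1} || H_{i+1}), attaches H_i to packet P_i, and the receiver checks each arriving packet against the tag carried by its predecessor. The receiver is simply handed H* and treats it as authenticated; the ordinary signature over H* is assumed and not shown. SHA-256 as H is also an assumption.

```python
import hashlib

# Added example (not from the slides): off-line stream signature on chained
# hashes. H = SHA-256; the signature that delivers H* is assumed.


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def prepare_stream(packets: list) -> tuple:
    """Return (H*, [(P_0, H_0), ..., (P_{N-1}, H_{N-1}), (P_N, b'')]).

    The last packet carries an empty tag, so the uniform rule
    H_i = H(P_{i+1} || H_{i+1}) yields H_{N-1} = H(P_N) as on the slide.
    """
    N = len(packets) - 1
    tags = [b""] * (N + 1)
    for i in range(N - 1, -1, -1):
        tags[i] = H(packets[i + 1] + tags[i + 1])
    h_star = H(packets[0] + tags[0])          # the value the sender signs
    return h_star, list(zip(packets, tags))


class Receiver:
    """Authenticates every packet immediately, using only H* and the previous packet."""

    def __init__(self, h_star: bytes):
        self.expected = h_star        # what H(next packet || its tag) must equal
        self.accepted = []

    def receive(self, packet: bytes, tag: bytes) -> bool:
        if H(packet + tag) != self.expected:
            return False              # forged, corrupted, or out of sequence
        self.expected = tag           # this packet vouches for the next one
        self.accepted.append(packet)
        return True


def demo() -> tuple:
    packets = [b"frame %d of constructed stream" % i for i in range(5)]
    h_star, stream = prepare_stream(packets)

    rx = Receiver(h_star)
    all_ok = all(rx.receive(p, t) for p, t in stream)

    # Loss: P_2 never arrives, so P_3 cannot be authenticated any more
    # (the weakness raised on the "Stream Signature Discussion" slide).
    rx_loss = Receiver(h_star)
    rx_loss.receive(*stream[0])
    rx_loss.receive(*stream[1])
    after_loss = rx_loss.receive(*stream[3])

    # Modification: payload of P_1 altered in transit
    rx_mod = Receiver(h_star)
    rx_mod.receive(*stream[0])
    tampered = rx_mod.receive(b"modified frame", stream[1][1])

    return all_ok, after_loss, tampered


if __name__ == "__main__":
    print(demo())
```

Only one public-key signature is needed for the whole stream; every later packet costs one hash. The cost is that the sender must know P_{i+1} before it can emit P_i, which is why this is the off-line case.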

On-line Case
- Use a one-time signature to authenticate packets
  - Sender has a regular signature key pair (SK, PK)
  - Sender signs the public key of the first one-time signature: Sig_SK(pk_0)
  - Sign packet P_i together with the next one-time public key pk_{i+1} using sk_i
- [Figure: P_0, pk_1, Sig_sk0(P_0 || pk_1); P_1, pk_2, Sig_sk1(P_1 || pk_2)]
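An added example serving both the "Lamport's One-Time Signature" slide and the on-line case above (not code from the slides): Lamport's scheme over the 256-bit hash of a message, and the sender/receiver pair that signs each packet P_i together with the next one-time public key pk_{i+1} under sk_i. Assumptions: SHA-256 as the one-way function, and that the receiver obtains pk_0 authentically (on the slide this is Sig_SK(pk_0) under the sender's regular key, which is not shown here).

```python
import hashlib
import os

# Added example (not from the slides): Lamport one-time signatures chained
# into an on-line stream signature. SHA-256 and authentic delivery of pk_0
# are assumptions of this example.

BITS = 256


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def lamport_keygen(rand=os.urandom) -> tuple:
    """sk: per bit a pair (S0, S1) of random values; pk: per bit (P0, P1) = (H(S0), H(S1))."""
    sk = [(rand(32), rand(32)) for _ in range(BITS)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return pk, sk


def message_bits(message: bytes) -> list:
    d = int.from_bytes(H(message), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def lamport_sign(sk: list, message: bytes) -> list:
    """Reveal S_b for every message bit b. A key pair must sign only once."""
    return [sk[i][b] for i, b in enumerate(message_bits(message))]


def lamport_verify(pk: list, message: bytes, signature: list) -> bool:
    if len(signature) != BITS:
        return False
    return all(H(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(signature, message_bits(message))))


def pk_bytes(pk: list) -> bytes:
    """Serialize a one-time public key so it can be signed inside a packet."""
    return b"".join(p0 + p1 for p0, p1 in pk)


def pk_from_bytes(raw: bytes) -> list:
    return [(raw[64 * i:64 * i + 32], raw[64 * i + 32:64 * i + 64]) for i in range(BITS)]


class StreamSender:
    def __init__(self):
        self.pk, self.sk = lamport_keygen()       # (pk_0, sk_0)

    def next_packet(self, payload: bytes) -> tuple:
        """Emit (P_i, pk_{i+1}, Sig_sk_i(P_i || pk_{i+1})) and roll the key forward."""
        next_pk, next_sk = lamport_keygen()
        raw = pk_bytes(next_pk)
        sig = lamport_sign(self.sk, payload + raw)
        self.pk, self.sk = next_pk, next_sk       # sk_i is never used again
        return payload, raw, sig


class StreamReceiver:
    def __init__(self, trusted_pk0: list):
        self.pk = trusted_pk0                     # pk_0, assumed delivered under Sig_SK

    def receive(self, payload: bytes, next_pk_raw: bytes, sig: list) -> bool:
        if not lamport_verify(self.pk, payload + next_pk_raw, sig):
            return False
        self.pk = pk_from_bytes(next_pk_raw)      # pk_{i+1} is now trusted
        return True


def demo() -> tuple:
    tx = StreamSender()
    rx = StreamReceiver(tx.pk)
    packets = [tx.next_packet(b"constructed packet %d" % i) for i in range(3)]
    in_order = [rx.receive(*p) for p in packets]
    replay = rx.receive(*packets[0])              # stale key: rejected
    payload, raw, sig = tx.next_packet(b"constructed packet 3")
    tampered = rx.receive(b"constructed packet X", raw, sig)   # altered payload: rejected
    return in_order, replay, tampered


if __name__ == "__main__":
    print(demo())
```

Each packet carries a 16 KB one-time public key plus an 8 KB signature with these parameters, which is the communication cost the next slide asks about; the sender, however, needs nothing but hashing per packet and never has to see P_{i+1} before sending P_i.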

Stream Signature Discussion
- Computation and communication cost
- Robustness to DoS attack (packet injection)
- Robustness to packet loss
  - Loss of a single packet prevents authentication of all subsequent packets
  - How could we improve the loss robustness?

Alternative Stream Signature
- Add hashes to later packets
- Periodically send a signature packet
- [Figure: Packet 1; Packet 2 carries Hash(P1); Packet 3 carries Hash(P2); the signature packet carries Hash(P3) and a signature]

Improving Robustness
- [Figure: the same chain with a second hash link per packet: Packet 3 also carries Hash(P1), and the signature packet also carries Hash(P2)]
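An added example for the two slides above (not code from the slides): the "hashes in later packets" scheme with the number of hash links per packet as a parameter, run once with one link and once with two, so the loss robustness difference is visible. The signature packet is treated as authenticated (its signature under the sender's key is assumed and not shown); SHA-256 as the hash is also an assumption. In this variant a packet can only be authenticated once the signature packet that closes its group has arrived, which is the trade-off against the immediate authentication of the earlier schemes.

```python
import hashlib

# Added example (not from the slides): stream authentication with hashes of
# earlier packets carried in later ones. The signature packet is assumed
# authentic; H = SHA-256 is an assumption.


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def serialize(packet: tuple) -> bytes:
    payload, hashes = packet
    return payload + b"".join(hashes)


def make_stream(payloads: list, links: int) -> tuple:
    """Packet j carries [H(packet j-1), ..., H(packet j-links)]; the signature
    packet carries the hashes of the last `links` packets."""
    packets = []
    for payload in payloads:
        prev = [H(serialize(p)) for p in packets[-links:]][::-1]
        packets.append((payload, prev))
    sig_packet = [H(serialize(p)) for p in packets[-links:]][::-1]
    return packets, sig_packet


def authenticate(received: list, sig_packet: list) -> list:
    """Payloads reachable from the signature packet through unbroken hash links."""
    trusted = set(sig_packet)
    ok = []
    for packet in reversed(received):        # later packets vouch for earlier ones
        if H(serialize(packet)) in trusted:
            ok.append(packet[0])
            trusted.update(packet[1])        # its links become trusted too
    return ok[::-1]


def demo() -> dict:
    """For 1 and 2 links: (packets authenticated with no loss, with packet 3 lost)."""
    payloads = [b"constructed packet %d" % i for i in range(1, 7)]
    outcome = {}
    for links in (1, 2):
        packets, sig_packet = make_stream(payloads, links)
        complete = len(authenticate(packets, sig_packet))
        without_p3 = [p for p in packets if p[0] != b"constructed packet 3"]
        after_loss = len(authenticate(without_p3, sig_packet))
        outcome[links] = (complete, after_loss)
    return outcome


if __name__ == "__main__":
    print(demo())   # one link loses packets 1-2 with packet 3; two links keep them
```

With one link, losing packet 3 strands packets 1 and 2: nothing trusted names them. With two links, packet 4 still carries Hash(P2), so the walk continues past the gap; in general k links tolerate k-1 consecutive losses between signature packets.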

Securing Ad Hoc Networks
- Zhou & Haas, IEEE Network Magazine '99
- Security goals
  - Availability
  - Confidentiality
  - Integrity
  - Authentication
- Secure routing
- Key management

Attacker Assumptions
- Attacker can physically compromise nodes
- "Mobile adversary"
  - Adversary can compromise any node
  - Temporarily compromises a node, then moves on to the next node
  - Every node may be compromised at one time
- Attacker compromises at most t nodes at any one moment

Secure Routing
- Authenticate all routing messages to prevent external attackers
- Proposes to use multiple paths to tolerate internal attackers
  - Drawback: internal attackers could easily fake multiple paths

Key Management Service
- Consider a public-key infrastructure (PKI)
  - Everybody trusts the certification authority (CA)
  - CA authenticates and signs the public keys of other nodes
- PKI drawbacks
  - Revocation requires an on-line PKI
  - Single point of failure; replicating the CA increases vulnerability to node compromise
- Solution: distributed CA

Distributed CA Model
- Private CA key is shared among a set of nodes
  - Signing needs a coalition of t+1 correct nodes
  - Secret sharing prevents t malicious nodes from reconstructing the CA private key
- Requirements for the key management service
  - Robustness: service is available to answer requests correctly
  - Confidentiality: adversary never learns the CA private key

Threshold Cryptography
- Share secret S among n nodes, require t+1 nodes for reconstruction: (n, t+1) secret sharing scheme
- Share private key K among n nodes, require t+1 nodes for signing: (n, t+1) threshold signature scheme
  - Node i gets share k_i
  - For signing, nodes send a partial signature to a combiner
  - Combiner collects 2t+1 partial signatures

Proactive Security
- Use share refreshing against mobile adversaries
- If (s_1, s_2, ..., s_n) is a sharing of k, and (s'_1, s'_2, ..., s'_n) is a sharing of k', then (s_1 + s'_1, s_2 + s'_2, ..., s_n + s'_n) is a correct sharing of k + k'
- Trick: set k' = 0, so the new sharing also represents k

Share Refreshing
- [Figure: each node i holds s_i and distributes a sharing (s_{i,1}, s_{i,2}, ..., s_{i,n}) of 0; node j's refreshed share is s'_j = s_j + s_{1,j} + s_{2,j} + ... + s_{n,j}]
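An added example for the "Threshold Cryptography", "Proactive Security" and "Share Refreshing" slides (not code from the slides or from the Zhou & Haas paper): an (n, t+1) Shamir sharing over a prime field, reconstruction from any t+1 shares, and share refreshing by having every node distribute a sharing of 0 and every node add up what it receives. Using Shamir's polynomial scheme and the specific prime are assumptions; the slides only state the additive property of sharings. The check at the end is the point of proactive security: old-epoch and new-epoch shares do not combine, so a mobile adversary that collects t shares per epoch learns nothing.

```python
import secrets

# Added example (not from the slides): Shamir (n, t+1) sharing with proactive
# share refreshing. PRIME and the polynomial scheme are assumptions.

PRIME = 2**127 - 1          # all shares and secrets live in GF(PRIME)


def share(secret: int, n: int, t: int, rand=secrets.randbelow) -> list:
    """Return [(i, s_i)] for i = 1..n; any t+1 shares reconstruct secret."""
    coeffs = [secret % PRIME] + [rand(PRIME) for _ in range(t)]   # degree-t polynomial

    def f(x: int) -> int:
        return sum(c * pow(x, k, PRIME) for k, c in enumerate(coeffs)) % PRIME

    return [(i, f(i)) for i in range(1, n + 1)]


def reconstruct(shares: list) -> int:
    """Lagrange interpolation at x = 0 over the given shares (distinct x values)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def refresh(shares: list, t: int) -> list:
    """Node i distributes a sharing (s_{i,1}, ..., s_{i,n}) of 0; node j sets
    s'_j = s_j + s_{1,j} + ... + s_{n,j}. The sum of sharings of k and of 0 is a
    sharing of k, so the secret is unchanged while every share is new."""
    n = len(shares)
    zero_sharings = [share(0, n, t) for _ in range(n)]
    refreshed = []
    for j, (xj, sj) in enumerate(shares):
        delta = sum(zs[j][1] for zs in zero_sharings) % PRIME
        refreshed.append((xj, (sj + delta) % PRIME))
    return refreshed


def demo() -> tuple:
    n, t = 5, 2
    k = 0x5EC12E7                          # constructed stand-in for the CA private key
    old = share(k, n, t)
    new = refresh(old, t)
    return (
        reconstruct(old[:t + 1]) == k,     # any t+1 old shares give k
        reconstruct(new[2:]) == k,         # any t+1 new shares give k
        reconstruct(old[:2] + new[2:3]) == k,   # mixing epochs does not (False)
        [y for _, y in old] == [y for _, y in new],   # shares really changed (False)
    )


if __name__ == "__main__":
    print(demo())
```

Refreshing needs every node to send n-1 field elements and the nodes never reconstruct k itself; t shares from one epoch reveal nothing about k, and after a refresh the shares an adversary already holds no longer match the ones it has yet to steal.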

Discussion
- How can share refreshing tolerate faulty nodes?
- How can we tolerate a compromised combiner? Who decides to be a combiner?
- How can we bootstrap this system? How can we introduce a new node?
- Why should a node sign a message? How does a node authenticate a message?
- Is signature combination expensive if we have t faulty nodes?