From: Cryptographers' Track of the RSA Conference 2008 (CT-RSA 2008). Date: 2011-11-29. Reporter: Yi-Chun Shih
Outline
- Introduction
- Contribution
- Perfect Forward Secrecy & Linkable Affiliation-Hiding
- AH-AKE
- Conclusion

- Affiliation-Hiding Authentication protocols, also called Secret Handshakes (SH), allow two members of the same group to authenticate each other while hiding their affiliation from anyone who is not a member (the classic example is an FBI agent who wants to recognise another agent without revealing to a non-agent that he is one).

- Affiliation-Hiding Authenticated Key Exchange (AH-AKE) strengthens the entity-authentication schemes (the SH schemes of [BDS+03] and [CJT04]) in two ways:
  - the protocol outputs an authenticated session key, not just an accept/reject decision;
  - it satisfies the standard security requirements of an AKE protocol. Earlier AH-AKE schemes, however, did not provide Perfect Forward Secrecy.

Contribution

1. Strengthens the security of AH-AKE by adding Perfect Forward Secrecy (PFS).

2. Formalizes the exact level of privacy that the scheme protects, called Linkable Affiliation-Hiding (LAH); this privacy guarantee does not include unlinkability.
- Linkability: in the ideal process, whenever a player runs an AH-AKE session with the same certificate, the same alias is revealed every time, so the adversary can link the two instances to each other. The player's affiliation, however, is not disclosed unless the player is corrupted or the session is compromised.

3. Under PFS and LAH, gives an AH-AKE protocol whose complexity is ideal (no cost beyond the underlying key exchange), with security proven in the Random Oracle Model (ROM).
- ROM: the hash function is modeled as a perfect (truly random) function.

Perfect Forward Secrecy & Linkable Affiliation-Hiding

- PFS: every session key stays secure even if a participant is later corrupted and hands its long-term secret to the adversary.
- LAH: an AH-AKE scheme must withstand both player corruption and session-key reveals.
- Hence LAH implies PFS.

- LAH compares the adversary's view of a real execution with a view in which everything is fully random.
- PFS compares the adversary's view of a real execution with a partially random view (only the key of the tested session is replaced by a random value).
- Lemma: if an AH-AKE scheme is Linkable Affiliation-Hiding, then it is secure with Perfect Forward Secrecy.

AH-AKE

- AH-AKE is built on standard (non-affiliation-hiding) AKE. The difference is that in AH-AKE the certificate is private, so certificate hierarchies and certificate chains are not allowed: a chain would expose the issuing CAs and therefore the affiliation.

- An AH-AKE scheme operates over a set of users U and a set of groups G; a user U ∈ U that is a member of group G ∈ G is written U_G.

- Purpose: allow a pair of players to establish a common authenticated secret key, provided that (1) both run the protocol on the public key of the same group and (2) U_i ∈ G and U_j ∈ G.
- If a user is a member of many groups, this affects the execution efficiency of the AH-AKE scheme (the protocol is run once per candidate group), but not its security or affiliation-hiding.

- All group public keys, CA public keys and certificate revocation lists (CRLs) are public information.
- Communication between users and CAs takes place over an anonymous, authenticated channel.
- The AH-AKE protocol itself runs over an unauthenticated channel.
- The adversary has full control over the network.

Algorithms (input -> output / outcome):
- Setup: input security parameter k; output public parameters (params).
- KGen: input params; output group public key PK, secret key SK and CRL.
- Add: input SK and a user U ∈ U; generates a certificate cert for U and adds U to G. A cert issued under PK is written cert ∈ Certs(PK).
- Revoke: input a user U ∈ U; places U's cert on the CRL, written cert ∈ RevokedCerts(CRL).
* KGen, Add and Revoke are executed by the CA of group G.

- π_U^s: protocol session or player instance, the s-th instance of player U executing the protocol.
- sid_i^s: session id, the state variable that π_i^s uses to bind the public input and the exchanged messages together.

- π_i^s and π_j^t are matching if PK_i^s = PK_j^t, cert_i^s ∈ Certs(PK_i^s), cert_j^t ∈ Certs(PK_j^t), cert_i^s ∉ RevokedCerts(CRL_j^t), cert_j^t ∉ RevokedCerts(CRL_i^s), and role_i^s ≠ role_j^t.
- π_i^s and π_j^t are partnered if sid_i^s = sid_j^t.
- If π_i^s and π_j^t are matching and partnered, they output the same key, K_i^s = K_j^t.

- Setup: given the security parameter k, define the smallest integer k' (determined by k) and a hash function H_1: {0,1}* -> {0,1}^k.
- KGen:
  - generate a 2k'-bit safe RSA modulus n = pq (p = 2p'+1, q = 2q'+1 with p', q' prime);
  - choose a random g that generates the largest cyclic subgroup of Z_n*;
  - secret key: (p, q, d); public key: (n, g, e), with ed ≡ 1 (mod φ(n));
  - fix a hash function H_n: {0,1}* -> Z_n.
- Add: the manager chooses a random string id and computes σ = H_n(id)^d (mod n); the certificate of U is cert = (id, σ), i.e. an RSA signature on the hashed id.
- Revoke: the manager adds id to the group CRL.

Step 1 (initiator A; the responder B acts symmetrically): A randomly chooses b_A and x_A and sends id_A together with a value θ_A that hides σ_A. Because the same id_A is sent in every session run with this certificate, two such sessions can be linked (this is exactly the leakage LAH allows), but σ_A and therefore the affiliation stay hidden.

Step 2: each side uses the values received from the other side to compute its authenticator v (v_A on A's side), which serves the authentication purpose. The protocol must also cover the case where id_B is on the CRL, i.e. id_B has been revoked.

Step 3: authentication succeeds iff the two authenticators agree, i.e. H_1(r_A, sid_A, init) = H_1(r_B, sid_B, init). If U_A and U_B belong to different groups, the r values do not match and authentication fails.

- Correctness: if A and B belong to the same group, then PK_A = PK_B = (n, g, e), h_A = H_n(id_A), h_B = H_n(id_B), and
  Z_A = (θ_A^e · h_A^{-1})^2 = g^{2e·x_A},
  Z_B = (θ_B^e · h_B^{-1})^2 = g^{2e·x_B},
  so r_A = (Z_B)^{x_A} = (g^{2e·x_B})^{x_A} = (g^{2e·x_A})^{x_B} = (Z_A)^{x_B} = r_B.
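The whole scheme (Setup/KGen/Add/Revoke and the three protocol steps) worked through in code, as an added example; this is not code from the paper or from the slides. A toy GroupCA issues certs (id, σ = H_n(id)^d mod n); a Player hides σ_A as θ_A = σ_A·g^{x_A} mod n, recomputes Z_B = (θ_B^e·h_B^{-1})^2 from the peer's message, derives r = Z_B^{x_A} and sends v = H_1(r, sid, role). Assumptions not on the slides: tiny safe primes (a real deployment needs about 1024-bit ones), SHA-256 standing in for H_1 and H_n (with H_n restricted to units of Z_n so that h^{-1} mod n exists), sid taken as the pair of exchanged θ values, the key derived as H_1(r, sid, "key"), a party that sees a revoked id_B continuing with a random r rather than aborting, and the omission of the random bit b_A. The cross-group and revocation runs at the bottom show both players ending with no key.

```python
import hashlib, hmac, secrets
from math import gcd

# Toy safe primes p = 2p'+1, constructed for this example only (assumption).
G1_PRIMES = (1019, 1187)   # p' = 509,  q' = 593
G2_PRIMES = (1187, 2027)   # p' = 593,  q' = 1013

def is_prime(m):
    return m >= 2 and all(m % f for f in range(2, int(m ** 0.5) + 1))

def H1(*parts):
    """H_1: {0,1}* -> {0,1}^k, modeled by SHA-256 over length-prefixed inputs."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def Hn(id_, n):
    """H_n: {0,1}* -> Z_n, restricted to units so that h^{-1} mod n exists (assumption)."""
    ctr = 0
    while True:
        h = int.from_bytes(H1("Hn", id_, ctr), "big") % n
        if gcd(h, n) == 1:
            return h
        ctr += 1

class GroupCA:
    """KGen / Add / Revoke, run by the CA of one group."""
    def __init__(self, primes, e=65537):
        p, q = primes
        assert all(is_prime(r) and is_prime((r - 1) // 2) for r in (p, q)), "need safe primes"
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))      # secret key (p, q, d)
        self.g = self._generator(p, q)              # public key (n, g, e)
        self.crl = set()

    @staticmethod
    def _generator(p, q):
        pp, qq = (p - 1) // 2, (q - 1) // 2
        n, order = p * q, 2 * pp * qq               # order of the largest cyclic subgroup of Z_n*
        for g in range(2, n):                       # g has exact order 2p'q' iff no proper divisor kills it
            if gcd(g, n) == 1 and all(pow(g, order // l, n) != 1 for l in (2, pp, qq)):
                return g

    def public_key(self):
        return (self.n, self.g, self.e)

    def add(self, id_):
        """cert = (id, sigma) with sigma = H_n(id)^d mod n, an RSA signature on the hashed id."""
        return (id_, pow(Hn(id_, self.n), self.d, self.n))

    def revoke(self, id_):
        self.crl.add(id_)

class Player:
    def __init__(self, pk, cert, crl, role):
        self.pk, self.crl, self.role = pk, crl, role   # role is "init" or "resp"
        self.id, self.sigma = cert

    def step1(self):
        n, g, _ = self.pk
        self.x = secrets.randbelow(n - 1) + 1
        self.theta = self.sigma * pow(g, self.x, n) % n   # theta hides sigma under g^x
        return (self.id, self.theta)                      # id is sent in the clear: linkable

    def step2(self, peer_msg):
        n, _, e = self.pk
        peer_id, theta_peer = peer_msg
        self.sid = (self.theta, theta_peer) if self.role == "init" else (theta_peer, self.theta)
        if peer_id in self.crl:
            self.r = secrets.randbelow(n)   # assumption: revoked peer -> random r, no early abort
        else:
            # Z = (theta_peer^e * h_peer^{-1})^2 = g^{2 e x_peer} when both use the same (n, g, e)
            Z = pow(pow(theta_peer, e, n) * pow(Hn(peer_id, n), -1, n), 2, n)
            self.r = pow(Z, self.x, n)
        return H1(self.r, *self.sid, self.role)            # authenticator v, tagged with own role

    def step3(self, peer_v):
        other = "resp" if self.role == "init" else "init"
        if not hmac.compare_digest(peer_v, H1(self.r, *self.sid, other)):
            return None                                    # other group, bad cert or revoked peer
        return H1(self.r, *self.sid, "key")                # assumption: session key label

def run_handshake(A, B):
    """Runs the three steps between initiator A and responder B; returns (K_A, K_B)."""
    mA, mB = A.step1(), B.step1()
    vA, vB = A.step2(mB), B.step2(mA)
    return A.step3(vB), B.step3(vA)

if __name__ == "__main__":
    ca = GroupCA(G1_PRIMES)
    alice = Player(ca.public_key(), ca.add("alice"), ca.crl, "init")
    bob = Player(ca.public_key(), ca.add("bob"), ca.crl, "resp")
    kA, kB = run_handshake(alice, bob)
    print("same group, keys agree:", kA is not None and kA == kB)
```

Note that a player from another group cannot tell whether it was rejected because of a wrong group, a bad certificate or revocation: in every case it simply ends without a key, which is what keeps the affiliation hidden.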

Commitment as a locked box: the sender (Alice) puts message M into a box, locks it and hands the box to the receiver (Bob).

- Commitment phase, secrecy (hiding) property: the receiver cannot open the box, so he learns nothing about M.
- Unambiguity (binding) property: once the box is handed over, the sender cannot modify M.
- Decommitment phase: the sender gives the receiver the key, so the receiver can open the box and learn M, and can check that it matches the commitment.

- A trapdoor lets whoever holds it overcome the binding property: a committed box can later be opened to a different message.
- Sealed-bid auctions are the usual example: a participant who knows the trapdoor could change his bid after the other bids have been revealed.
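To make the trapdoor point concrete, here is an added example (not from the slides or the paper) of a Pedersen commitment C = g^m · h^r mod p, which is the standard trapdoor commitment: hiding because r is random, binding for anyone who does not know α = log_g h, and equivocable for the holder of the trapdoor α, who can reopen C to any m'. The group (p = 1019, q = 509, g = 4) and the bid values are toy parameters chosen for this example.

```python
import secrets

# Toy group of prime order q inside Z_p^*, p = 2q+1 (constructed parameters; real use needs ~2048-bit p).
P, Q = 1019, 509
G = 4                      # 4 = 2^2 is a quadratic residue mod p, hence of order q

def setup():
    """Trusted setup: publish h = g^alpha; alpha = log_g h is the trapdoor (assumption: kept by the auctioneer)."""
    alpha = secrets.randbelow(Q - 1) + 1
    return pow(G, alpha, P), alpha

def commit(m, r, h):
    """Commitment phase: C = g^m * h^r mod p. r random in Z_q makes C hide m."""
    return pow(G, m % Q, P) * pow(h, r % Q, P) % P

def open_check(C, m, r, h):
    """Decommitment phase: the receiver recomputes the box from the revealed (m, r)."""
    return commit(m, r, h) == C

def equivocate(m, r, m_new, alpha):
    """With the trapdoor, find r' such that g^m h^r = g^m' h^r'  (binding is broken).
    Exponents satisfy m + alpha*r = m_new + alpha*r' (mod q), so r' = r + (m - m_new)/alpha."""
    return (r + (m - m_new) * pow(alpha, -1, Q)) % Q

def sealed_bid_demo():
    """A bidder commits to 7, then (holding the trapdoor) reopens the same box as a bid of 9."""
    h, alpha = setup()
    r = secrets.randbelow(Q)
    C = commit(7, r, h)
    honest_open = open_check(C, 7, r, h)           # True: the genuine opening verifies
    cheat_without_trapdoor = open_check(C, 9, r, h) # False: cannot just claim another bid
    r_new = equivocate(7, r, 9, alpha)
    cheat_with_trapdoor = open_check(C, 9, r_new, h) # True: trapdoor holder changes the bid
    return honest_open, cheat_without_trapdoor, cheat_with_trapdoor

if __name__ == "__main__":
    print(sealed_bid_demo())
```

The binding property therefore rests on the trapdoor staying secret: whoever ran the setup and knows α can reopen any commitment, so in an auction the setup must not be done by a bidder.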

Conclusion

- The AH-AKE scheme achieves both PFS and LAH.
- The trapdoor-commitment technique is what hides σ_A (it is committed to under g^{x_A}) while still letting the peer verify it.