Cryptography for Backup Navigation Dan Boneh Stanford University
Introduction Focus of this talk: Data integrity (not confidentiality) An overview of identity-based cryptography Applications to ADS-B and DME
Data integrity 1: MAC k k Verify tag: Generate tag: F(k, m) = `tag’ Message m tag Verify tag: F(k, m) = `tag’ ? Generate tag: tag F(k, m) Difficulty with MACs: key management both sides must have the same secret key
Example MAC: (E) CBC-MAC E(k,) E(k,) E(k,) E(k,) E(k1,) key := (k, k1) message := (m[0], …, m[L]) tag
Problem: broadcast Integrity k k Sta1 msg tag k Sta2 k Sta3 The problem: Sta3 can forge messages to all others (note: TESLA)
Data integrity 2: Dig. Signatures PK SK Bob1 msg sig PK Bob2 sig S( SK, m) SK: secret key PK: public key PK Bob3 Ensures broadcast integrity Difficulty: (1) message needs to include PK and certificate [ msg, sig, PK, cert ] (2) revocation V( PK, m, sig) = `yes’ ? (100s of bytes)
Modern Signatures [BLS’01] Pairings <X,Y>: ,: <X, Y> = <X, Y> Signatures: fix an element g Secret Key: Public Key: g Sign( SK, M): sig = H(M) (20 bytes) Verify( PK=g, M, sig=H(M) ): test if <g , sig> = <PK, H(M)> <g, H(M)> <g , H(M)>
Performance MACs: built from fast block ciphers Time for short messages (<1KB): 1s Length: 32 to 128 bits Signatures: built from algebraic functions sign/verify time for short messages: 10ms Length: 20 bytes [BLS’01]
identity-based crypto
Identity-based Crypto The basic idea [Shamir 1984] A cryptosystem where anything is a public key Examples: 24-bit plane ID , pilot name , current date Practical systems: [BF 2001, …] Based on new tools: pairings on elliptic curves Commercially deployed (e.g. Voltage Security) master-key my ID is “652A4B” here is your secret key: SK PKG
ex 1: identity-based key exchange my ID is ID1 SKID1 SKID2 my ID is ID2 shared key = F(ID2, SKID1) shared key = F(ID1, SKID2) SKID1 and SKID2 generated at manufacturing time Updated periodically during maintenance Automatic revocation: ID = (plane-ID , month, year)
Application to DME or ADS-B (MLAT) Ping-pong protocol K1 K2 K3 ID1, data, MAC ID2, data, MAC ID3, data, MAC ID1 SK1 ID ID2 SK2 ID SKID K1, K2, K3 verify MACs ID3 SK3 Symmetric MACs with minimal overhead
Repeated authentication Initial setup requires computing a MAC key time 20ms Subsequent messages can be authenticated using established key: 1s / msg
identity-based signatures: ADS-B [ID, data, sig] SKID ID master-key verify sig using ID no need for plane to transmit PK or certificate PKG
Performance ID-based crypto: built from pairings on elliptic curves Time: dominated by pairing computation software: 20ms (1GhZ x86) hardware: 90s (FPGA) ID-based signature length: 40 bytes open problem: 20-byte ID-based sigs
THE END