Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

Slides:

Advertisements

Similar presentations

Securing Critical Unattended Systems with Identity Based Cryptography A Case Study Johannes Blömer, Peter Günther University of Paderborn Volker Krummel.

Advertisements

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Hybrid Signcryption with Insider Security Alexander W. Dent.

Encryption Public-Key, Identity-Based, Attribute-Based.

Digital Signatures and Hash Functions. Digital Signatures.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Interoperation Between a Conventional PKI and an ID-Based Infrastructure Geraint Price Royal Holloway University of London joint work with Chris Mitchell.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

Cryptographic Technologies

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Information Security of Embedded Systems : Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T IKE Tutorial.

Hybrid Signcryption with Outsider Security

Key Distribution CS 470 Introduction to Applied Cryptography

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Building Better Signcryption Schemes with Tag-KEMs Tor E. Bjørstad and Alexander W. Dent University of Bergen, Norway Royal Holloway, University of London,

Security Management.

Sorting Out Digital Certificates Bill blog.codingoutloud.com ··· Boston Azure ··· 13·Dec·2012 ···

Cryptology Digital Signatures and Digital Certificates Prof. David Singer Dept. of Mathematics Case Western Reserve University.

1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.

AQA Computing A2 © Nelson Thornes 2009 Section Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.

Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.

Security Keys, Signatures, Encryption. Slides by Jyrki Nummenmaa ‘

10/1/2015 9:38:06 AM1AIIS. OUTLINE Introduction Goals In Cryptography Secrete Key Cryptography Public Key Cryptograpgy Digital Signatures 2 10/1/2015.

02/22/2005 Joint Seminer Satoshi Koga Information Technology & Security Lab. Kyushu Univ. A Distributed Online Certificate Status Protocol with Low Communication.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Cryptography Encryption/Decryption Franci Tajnik CISA Franci Tajnik.

©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.

James Higdon, Sameer Sherwani

Digital Signatures A Brief Overview by Tim Sigmon April, 2001.

IS511 Introduction to Information Security Lecture 4 Cryptography 2

1 Cryptography NOTES. 2 Secret Key Cryptography Single key used to encrypt and decrypt. Key must be known by both parties. Assuming we live in a hostile.

Encryption / Security Victor Norman IS333 / CS332 Spring 2014.

Review of Certificateless Cryptography Yu-Chi Chen.

1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.

ASYNCHRONOUS LARGE-SCALE CERTIFICATION BASED ON CERTIFICATE VERIFICATION TREES Josep Domingo-Ferrer, Marc Alba and Francesc Sebé Dept. of Computer Engineering.

Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.

Csci5233 computer security & integrity 1 Cryptography: an overview.

Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.

Digital Signatures, Message Digest and Authentication Week-9.

Copyright 1999 S.D. Personick. All Rights Reserved. Telecommunications Networking II Lecture 41b Cryptography and Its Applications.

WISTP’08 ©LAM /05/2008 A Self-Certified and Sybil-Free Framework for Secure Digital Identity Domain Buildup Christer Andersson Markulf Kohlweiss.

Cryptanalysis of Some Proxy Signature Schemes without Certificates Wun-She Yap, Swee-Huay Heng Bok-Min Goi Multimedia University.

A new provably secure certificateless short signature scheme Authors: K.Y. Choi, J.H. Park, D.H. Lee Source: Comput. Math. Appl. (IF:1.472) Vol. 61, 2011,

Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.

ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering.

INCS 741: Cryptography Overview and Basic Concepts.

 Attacks and threats  Security challenge & Solution  Communication Infrastructure  The CA hierarchy  Vehicular Public Key  Certificates.

Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.

Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.

Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.

TAG Presentation 18th May 2004 Paul Butler

Key management issues in PGP

TAG Presentation 18th May 2004 Paul Butler

The Secure Sockets Layer (SSL) Protocol

Presentation transcript:

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London

Overview PKE and IBE by infrastructure Certificateless encryption Certificate-chain certificateless encryption Security notions Applications

PKE and IBE by infrastructure

Basic premise A sender wishes to transmit a message confidentially to a receiver. No prior shared symmetric keys. ReceiverSender

PKI-based PKE A traditional PKE system requires a public- key infrastructure to support public keys. A certificate assures the link between digital identity and a public key. ReceiverSender CA ciphertext registration certificate

PKI-based PKE Certificates place an added computational burden on the sender. CAs provide other services too. ReceiverSender CA ciphertext registration certificate

IBE In IBE the digital identity is the public key. The corresponding private key is provided by a key generation centre. ReceiverSender KGC ciphertext private key

IBE Removes the (initial) need for certificates. The KGC has the ability to decrypt messages for the receiver. ReceiverSender KGC ciphertext private key

Certificateless encryption

Certificateless encryption was introduced by Al-Riyami and Paterson in The idea is to remove the disadvantages of IBE and PKI-based PKE: –The sender should not have to communicate with a TTP (no certificates). –Only the receiver should be able to decrypt messages (TTP security).

Certificateless encryption Basic idea is to have two pairs of keys: –A PKE key pair created by the sender and the public key is widely distributed. –An IBE key pair (identity/private key) created by the KGC. Both the identity and the public key are used to encrypt messages. Both the PKE “secret value” and the IBE “partial private key” are used to decrypt.

Certificateless encryption Basic idea is to have two pairs of keys. An outside attacker cannot decrypt ciphertexts as they will not have the partial private key for the identity. The KGC cannot decrypt ciphertexts as they will not have the secret value for the PKE key pair. Trivial attack by the KGC.

AP formulation The receiver produces a PKE pair then obtains the partial private key. ReceiverSender KGC ciphertext (2) partial private key (1) public key

AP formulation Implies the existence of secure IBE. All known examples use pairings. ReceiverSender KGC ciphertext (2) partial private key (1) public key

BSS formulation The receiver obtains the partial private key... then produces the PKE key pair. ReceiverSender KGC ciphertext (1) partial private key (2) public key

BSS formulation This does not imply the existence of IBE. Introduced to avoid the need for pairings. ReceiverSender KGC ciphertext (1) partial private key (2) public key

AP vs BSS formulation AP is a hopeful version of CLE: –Receiver can produce a public key in the hope that they will obtain the PPK. BSS is a pre-authorised version of CLE: –Receiver has to be authorised (through PPK) before producing private key. AP formulation is hard to construct. BSS formulation poofs are hard to read!

LK formulation The receiver can only produce key pair after undertaking a protocol with the KGC. ReceiverSender KGC ciphertext (1) key gen protocol (2) public key

LK formulation The receiver generates a traditional PKE key pair and sends pk to KGC. The KGC produces a certificate and sends it back to the receiver. The receiver publishes the certificate as the complete public key. Receiver KGC (1) protocol

BSS vs LK formulation LK formulation can be implemented using traditional PKI-based PKE via certificate forwarding. Potential for more efficient schemes using implicit certificates. BSS formulation does not require IBE but has no simple implementations. Can we implement BSS using PKE?

Certificate-chain certificateless encryption

Certificate-chain CLE We show that BSS formulation CLE can be implemented using PKI-based PKE. Recall that BSS formulation has that the public key can only be produced after the partial private key is received from KGC. The construction is based on the idea of a certificate chain. Each entity acts as a sub-CA which can only issue certificates for its own identity.

Certificate-chain CLE The KGC generates a signature key pair. The verification key mpk is published. The signing key msk is kept secret in order to produce partial private keys. Receiver KGC (1) partial private key

Certificate-chain CLE The KGC generates a new signing key pair (pk S,sk S ). The KGC generates a certificate cert 1 by signing (ID,pk S ) with msk. The PPK consists of (pk S,sk S,cert 1 ). Receiver KGC (1) partial private key mpk

Certificate-chain CLE The receiver generates an encryption key pair (pk E,sk E ). The receiver generates a certificate cert 2 by signing pk E using sk S. The public key is (pk S,cert 1,pk E,cert 2 ). Receiver KGC (1) partial private key mpk (pk S,sk S,cert 1 )

Certificate-chain CLE Before sending a message, the sender checks the encryption key pk E is well-formed. I.e. checks that pk S is a verification key for ID and so that pk E is an encryption key for ID. Receiver KGC (1) partial private key mpk (pk S,sk S,cert 1 ) (2) public key (pk S,cert 1,pk E,cert 2 )

Certificate-chain CLE In order to break the system an attacker must either: –Replace the public encryption key of the receiver (fake certificate) –Decrypt a message without knowing the decryption key Receiver KGC (1) partial private key mpk (pk S,sk S,cert 1 ) (2) public key (pk S,cert 1,pk E,cert 2 )

Certificate-chain CLE Simple construction with simple proofs. It can be implemented without pairings. In fact, for reasonable choices of signature scheme and encryption scheme, it is more efficient than any scheme with pairing.

Security notions

Security notions have to protect against attacks made by an outside attacker and by the key generation centre. No certificates so the attacker can convince the sender that any public key belongs to the receiver. ReceiverSender ciphertext sender’s list of public keys receiver’s list of key pairs

Security notions Trivial attack by the KGC: –Replace public key for attacker with one that has been generated by the KGC. –The KGC will then know the secret value for the PKE key pair and the partial private key value for the KGC key pair. ReceiverSender ciphertext sender’s list of public keys receiver’s list of key pairs

Security notions Two security notions: –Security against an outside attacker. The attacker can replace keys in the sender’s list of public keys. –Security against the KGC. The attacker cannot replace public keys but can generate KGC responses maliciously. ReceiverSender ciphertext sender’s list of public keys receiver’s list of key pairs

Security notions There are approximately twenty proposals for security models for CLE confidentiality. [Dent, 2008] provides an overview of all the proposals and recommends the “correct” ones for the AP and BSS formulation of certificateless encryption. Surprisingly, the models are not the same for the AP and BSS formulation.

Denial of decryption Liu, Au and Susilo noted that CLE allows for denial of service attacks. An attacker can widely distribute a “wrong” public key for an identity. No guarantee that the sender will recognise that the public key is incorrect. However, it denies the receiver the opportunity to decrypt the message.

Denial of decryption AP formulation CLE can never resist denial of decryption attacks. –Public key is produced before the partial private key is received, so no “authorisation”. BSS and LK formulation CLE may resist denial of decryption attacks. –It is impossible for the attacker to produce a public key which is regarded as “correct” without knowing the partial private key.

Denial of decryption The certificate-chain CLE has –security against outsider attacks –security against KGC attacks –security against DoD attacks Also, true for the simple PKI-based LK formulation CLE and other (specific) schemes.

Applications

Consider two distinct cases: –AP formulation –BSS and LK formulation AP formulation has significantly different functionality as the production of the public key is independent of production of the partial private key.

BSS and LK formulation Can be implemented with PKI techniques. Hard to think of a usage scenario in which PKI-based PKE is not also valid. May provide more efficient solution than using PKI-based techniques. See Boldyreva et al. (PKC 2007). Problems with practical use: revocation, policy, etc.?

AP formulation May be used as a communication system Unlikely to be more efficient than PKI- based techniques Therefore, only useful in situations in which it is important that the public key can be published before the PPK received. Denial of decryption problems? Cryptographic workflow systems?

AP formulation Very few realistic applications. Is there sufficient interest in privacy to warrant implementing CLE? Interesting applications to revocation? Techniques have been used in more viable technologies (such as attribute- based encryption).

Questions?