Broadcast Encryption with Multiple Trust Authorities Alexander W. Dent Information Security Group Royal Holloway, University of London.

Presentation transcript:

Broadcast Encryption with Multiple Trust Authorities Alexander W. Dent Information Security Group Royal Holloway, University of London

Table of Contents
- Broadcast encryption in multiple domains (Or what we tried to do...) [8 slides]
- Our scheme (Or how we achieved our aim...) [4 slides]

Broadcast Encryption with Multiple Trust Authorities
- Broadcast encryption in structured organisations
- Broadcast encryption in collaborations
- The simple solution?
- An example use scenario

Broadcast encryption
- Encrypt a message using a pattern $(ID_1, ID_2, *, ID_4)$.
- The key for any identity that matches the pattern can decrypt the ciphertext.
[Diagram: public parameters; hierarchy levels "Trust authority"; "Department 1", "Department 2"; "Project 1", "Project 2"; "User 1", "User 2"; labelled Setup algorithm, Key generation algorithm, Key derivation algorithm]

Broadcast encryption
- (TA, Dept, Project, User) targets a specific individual.
- (TA, Dept, *, *) targets all members of a specific department.
- (TA, *, Project, *) targets all users of a specific project.
- Etc.
[Diagram: public parameters; hierarchy levels "Trust authority", "Department", "Project", "User"]

Multiple trust authorities
- What if multiple institutions want to collaborate on a project?
- We would want:
  - Each trust authority retains control of its own trust domain and keys.
  - Trust domains can be set up independently of all other trust domains.
  - Trust authorities can easily form coalitions.
  - Membership of one coalition does not give that TA rights in any other coalition.

Multiple trust authorities
[Diagram: public parameters; two hierarchies, each with "Trust authority"; "Department 1", "Department 2"; "Project 1", "Project 2"; "User 1", "User 2"; labelled (Public) protocol and (Broadcast) key update message]

Multiple trust authorities
- To address the coalition, use the coalition master key (derived from the master keys of the coalition TAs).
- (TA, Dept, Proj, User) targets a single user.
- (TA, Dept, *, *) targets a department under one TA.
- (*, *, Proj, *) targets all users on a project regardless of their TA.
- Users decrypt with their coalition decryption keys.
[Diagram: public parameters; hierarchy levels "Trust authority", "Department", "Project", "User"]

Assumptions
- All TAs have to use the same scheme.
- All TAs have to use the same public parameters (and trust them).
  - Common problem with common solutions.
- All TAs have to use the same naming structure in their trust domains.
  - TA1 has (TA, Dept, Proj, User)
  - TA2 has (TA, Sector, Supervisor, Building, User)

Assumptions
- Why not use a single new WIBE scheme?
  - It cannot be set up in advance and every new coalition requires a new WIBE scheme.
  - It’s unclear who should hold the master private key for the coalition WIBE.
  - Every existing member of the trust authority would have to re-register and obtain a new key for the coalition.

Usage scenarios
- Use on joint projects is clear.
- Suppose a number of manufacturers are building general purpose sensors for use in multiple projects.
- (Man, Type, *, *) could be used for software updates.
- (*, Type, Proj, *) could be used to update mission parameters.
[Diagram: public parameters; labels "Sensor Type", "Project", "Sensor Identity", "Manufacturer"]

Boneh-Boyen MTA-WIBE
- The Boneh-Boyen HIBE/WIBE
- Ghost authorities

Our scheme
- Based on the Boneh-Boyen WIBE
  - Abdalla et al. (2006) and Boneh-Boyen (2004).
- Selective-identity IND-CPA secure in the standard model
  - Full CPA security achieved in ROM
  - Normal trick of hashing user identities
- Selective-identity IND-CCA secure in the standard model via novel Boneh-Katz transform (which applies to WIBEs too).

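Boneh-Boyen HIBE
- Public parameters: $(g_1, g_2, u_{1,0}, u_{1,1}, u_{2,0}, u_{2,1}, \ldots)$
- Master private key: $g_2^{\alpha}$
- Master public key: $g_1^{\alpha}$
- Level one key: $\left(g_2^{\alpha}\,(u_{1,0} \cdot u_{1,1}^{ID_1})^{r},\ g_1^{r}\right)$
- Level two key: $\left(g_2^{\alpha}\,(u_{1,0} \cdot u_{1,1}^{ID_1})^{r}\,(u_{2,0} \cdot u_{2,1}^{ID_2})^{s},\ g_1^{r},\ g_1^{s}\right)$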

Our scheme
- Our scheme shows that two TAs can cooperate to create a “ghost” super TA.
- Each TA can figure out their key in this new hierarchy, but not the super TA’s key or each other’s keys.
[Diagram: TA1 and TA2 beneath a ghost “super” TA]

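Our scheme
- Public parameters: $(g_1, g_2, u_{0,0}, u_{0,1}, u_{1,0}, u_{1,1}, u_{2,0}, u_{2,1}, \ldots)$
- TA1 master private key: $g_2^{\alpha}$; master public key: $g_1^{\alpha}$
- TA2 master private key: $g_2^{\beta}$; master public key: $g_1^{\beta}$
- GHOST master private key: $g_2^{\alpha+\beta}$; master public key: $g_1^{\alpha+\beta}$
- Level one key: $\left(g_2^{\alpha}\,(u_{0,0} \cdot u_{0,1}^{TA1})^{r}\,(u_{1,0} \cdot u_{1,1}^{ID_1})^{s},\ g_1^{r},\ g_1^{s}\right)$
- Key values shown for TA2:
  - $\left(g_2^{\alpha}\,(u_{1,0} \cdot u_{1,1}^{TA2})^{t},\ g_1^{t}\right)$
  - $\left(g_2^{\alpha+\beta}\,(u_{1,0} \cdot u_{1,1}^{TA2})^{t},\ g_1^{t}\right)$
- Key values shown for TA1:
  - $\left(g_2^{\beta}\,(u_{1,0} \cdot u_{1,1}^{TA1})^{x},\ g_1^{x}\right)$
  - $\left(g_2^{\alpha+\beta}\,(u_{1,0} \cdot u_{1,1}^{TA1})^{x},\ g_1^{x}\right)$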
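A toy check of the key algebra on the ghost-TA slides, added here and not taken from the presentation: group elements are stored as discrete logs modulo a prime, so the pairing becomes multiplication and the model has no security at all. It assumes TA1 builds the g_2^α tuple for TA2 and TA2 multiplies in its own g_2^β (and symmetrically for TA1); the function names, the modulus and the identities 101/202 are constructed, and the validity test is the standard Boneh-Boyen key-check equation rather than one shown on the slides.

```python
import secrets

# Toy model (no security): each group element is stored as its discrete log
# mod the prime Q, so multiplying elements is +, raising to k is *k, and the
# pairing e(g_1^a, g_2^b) = e(g_1, g_2)^(ab) becomes a*b mod Q.
Q = 2**127 - 1                      # constructed prime modulus
G1, G2 = 1, 1                       # logs of the generators g_1 and g_2

def rand():
    return secrets.randbelow(Q - 1) + 1          # nonzero exponent

def setup():
    return {"u10": rand(), "u11": rand()}        # shared u_{1,0}, u_{1,1}

def ta_keygen():
    a = rand()
    return a * G2 % Q, a * G1 % Q                # (g_2^a, g_1^a)

def id_hash(pp, ident):
    return (pp["u10"] + ident * pp["u11"]) % Q   # u_{1,0} * u_{1,1}^ident

def issue(pp, msk, ident):
    t = rand()                                   # (g_2^a * hash^t, g_1^t)
    return (msk + t * id_hash(pp, ident)) % Q, t * G1 % Q

def absorb(own_msk, received):
    # Assumed step: the receiving TA multiplies its own g_2^b into part 0.
    return (received[0] + own_msk) % Q, received[1]

def ghost_mpk(mpk_a, mpk_b):
    return (mpk_a + mpk_b) % Q                   # g_1^a * g_1^b, public only

def key_is_valid(pp, mpk, ident, key):
    # e(g_1, k0) == e(mpk, g_2) * e(k1, u_{1,0} * u_{1,1}^ident)
    k0, k1 = key
    return G1 * k0 % Q == (mpk * G2 + k1 * id_hash(pp, ident)) % Q

def coalition_demo(ta1=101, ta2=202):            # constructed TA identities
    pp = setup()
    (msk1, mpk1), (msk2, mpk2) = ta_keygen(), ta_keygen()
    to_ta2 = issue(pp, msk1, ta2)                # built by TA1 for TA2
    to_ta1 = issue(pp, msk2, ta1)                # built by TA2 for TA1
    ghost = ghost_mpk(mpk1, mpk2)
    return {
        "ta1_key_under_ghost": key_is_valid(pp, ghost, ta1, absorb(msk1, to_ta1)),
        "ta2_key_under_ghost": key_is_valid(pp, ghost, ta2, absorb(msk2, to_ta2)),
        "raw_message_under_ghost": key_is_valid(pp, ghost, ta2, to_ta2),
        "raw_message_under_ta1": key_is_valid(pp, mpk1, ta2, to_ta2),
    }
```

The exchanged tuple on its own is only a key in the sender's domain; it becomes a key under the ghost public key g_1^(α+β) once the receiver folds in its own master private key, and neither side ever handles g_2^(α+β) unblinded.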

Conclusion
- We proposed a new functionality for encryption between trust domains.
- Instantiated that scheme with a novel version of the BB-WIBE.
- Gave a new transform for creating CCA-secure WIBEs from CPA-secure WIBEs.
- Other functionalities?

Questions?