1. Outline 1. Background 1. Attacks on distance-bounding 2. Symmetric vs asymmetric protocol 3. Motivation: DBPK-Log 2. VSSDB 1. Building blocks 2. Protocol.

Presentation transcript:


Outline
1. Background
   1. Attacks on distance-bounding
   2. Symmetric vs asymmetric protocol
   3. Motivation: DBPK-Log
2. VSSDB
   1. Building blocks
   2. Protocol
3. Conclusion

Objective of distance-bounding: authentication protocol + proximity testing. Verifier is trusted, prover is untrusted. [Figure labels: Range, Legitimate prover, Verifier]

Possible applications: wireless payment, access control.

Distance fraud: a malicious prover wants to cheat on the distance computed by the verifier. [Figure labels: Range, R-A]

Mafia fraud: an attacker relays the communication through a proxy close to a legitimate prover. The prover is unaware that an attack is taking place. [Figure labels: Range, R-A, Relay-Attack, Proxy, Attacker]

Terrorist fraud: a far away legitimate prover colludes with an adversary located close to the verifier to enable him to authenticate only once. [Figure labels: Range, R-A, Relay-Attack, Collusion of users]

Generic format of a DB protocol: 1. Initialization phase (1st lazy phase), 2. Interactive phase (heart of the protocol), 3. Verification phase (2nd lazy phase). [Figure labels: Prover, Verifier, $c$, $R = F(c)$, $T_s$, $T_p$, $T_r$, Distance = ]

Symmetric versus asymmetric protocols.
Symmetric response function: a secret is shared between the prover and the verifier, $R = f_S(c)$. Examples of symmetric protocols: Swiss Knife [Kim et al., ICSC 2008], SKI [Boureanu et al, ISC'13], [Gambs et al, AsiaCCS'13], …
Asymmetric response function: the verifier has no access to the prover's secret. Verification of the challenges uses the homomorphic property of bit commitment. Only one protocol in the literature: [Bussard and Bagga, SEC 2005].

Bussard and Bagga protocol (B&B), between Prover and Verifier:
1. Initialization phase. Prover: selects k at random, computes e = x k, computes commitments $a_i = \mathrm{commit}(k_i, u_i)$ and $b_i = \mathrm{commit}(e_i, v_i)$, and sends $a_i, b_i$.
2. Fast bit exchange phase (m rounds). Verifier: sends a bit challenge in {0,1}. Prover replies with $k_i$ if 0 or $e_i$ if 1.
3. Final verification phase: ZKProof(x)[Z ⋀ Y], with Y = F(x). Deduce Z = commit(x, v).

Contributions: B&B-like distance bounding with better resistance to terrorist attack; introduction of mode during the fast phase; security bounds formally proved.

VSSDB

Ingredients:
(3,3) secret sharing scheme: the secret is encrypted using two strings k, l into e; each bit of the secret is shared in three parts.
Verifiable secret sharing: each bit of the secret is verified separately.
Homomorphic bit commitment [Brassard et al, 1988]: P, Q primes; $N = P \times Q$ and Jacobi(−1/N) = +1; $S = -1 \bmod N$; $\mathrm{Commit}(b, rand) = S^{b} \times rand^{2} \bmod N$; $\mathrm{Commit}(b, rand_1) \times \mathrm{Commit}(a, rand_2) = \mathrm{Commit}(b \oplus a, rand_3)$.
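The homomorphic bit commitment listed above, as an added Python example that is not from the slides. The toy primes are constructed and far too small for real use, the function names are illustrative, and the (3,3) sharing is assumed to be a bitwise XOR of three shares.

```python
import math
import secrets

# Constructed toy parameters. P ≡ Q ≡ 3 (mod 4) gives Jacobi(-1/N) = +1
# while -1 is not a square mod N.
P, Q = 1019, 1031
N = P * Q
S = N - 1                      # S = -1 mod N

def rand_unit():
    """Random element of Z_N^* used to blind a commitment."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r

def commit(b, r):
    """Commit(b, rand) = S^b * rand^2 mod N, for a bit b."""
    if b not in (0, 1):
        raise ValueError("b must be a bit")
    return pow(S, b, N) * pow(r, 2, N) % N

def open_ok(c, b, r):
    """Verifier-side check that (b, r) opens commitment c."""
    return b in (0, 1) and math.gcd(r, N) == 1 and c == commit(b, r)

def combine(*commitments):
    """Multiply commitments: the product commits to the XOR of the bits."""
    out = 1
    for c in commitments:
        out = out * c % N
    return out

def share_bit(x):
    """(3,3) sharing of one secret bit (assumption: x = k ^ l ^ e)."""
    k, l = secrets.randbelow(2), secrets.randbelow(2)
    return k, l, x ^ k ^ l

def bit_from_factors(c):
    """Knowing P and Q: squares commit to 0, non-squares to 1 (binding)."""
    is_square = pow(c, (P - 1) // 2, P) == 1 and pow(c, (Q - 1) // 2, Q) == 1
    return 0 if is_square else 1

def demo(x):
    """Commit to three shares of x; return (shares, randomness, commitments)."""
    shares = share_bit(x)
    rands = [rand_unit() for _ in shares]
    coms = [commit(b, r) for b, r in zip(shares, rands)]
    return shares, rands, coms
```

Opening a single share reveals nothing about the secret bit, while the product of the three commitments opens to that bit under the product of the three random values.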

Registration phase. Prover and Certification Authority (CA): private key = $\{Sk_{sign}, x\}$, kept secret. Public key = $\{Com_i\}$, $PK_{Sign}$, sent to the verifier. $Com_i = \mathrm{Commit}(x_i, v_i)$, $v_i = H_i(x)$.

Initialization phase: Prover computes session specific information. 1. Verifier replies with a nonce. 3. Prover computes fresh proof. 4. Verifier checks for the freshness of the proof.

Fast bit exchange: Verifier starts the clock. 5. Verifier stops the clock. 5. Prover replies as soon as possible.

Verification phase: 1. Validity of the signature of the transcript, 2. Responses correspond to the commits, 3. Commitments correspond to the secret key.

Security analysis. Distance fraud: binding of HBCommit, the mode is chosen by the verifier. Mafia fraud: hiding of HBCommit. Terrorist fraud: ? GameTF [Fischlin et al., ACNS 2013].

GameTF security. Definition: if an attacker succeeds in a terrorist fraud, then he can launch a better mafia fraud attack. Trapdoor in the prover:

Terrorist VSSDB

Security bounds

Conclusion and future work. We designed an asymmetric distance-bounding protocol provably secure against distance, mafia and terrorist frauds. Additional contribution: introduction of mode in the response function to avoid responses of more than one bit. Future work: privacy-preservation, other secret sharing schemes.


Attack of Bay and co-authors, between Prover, Attacker and Verifier:
Initialization phase. Attacker: receives Z from the malicious prover; selects k and e at random; computes commitments (for the m−1 last rounds) $a'_i = \mathrm{commit}(k_i)$, $b'_i = \mathrm{commit}(e_i)$; computes $a'_0$ for $k_0$ at random; $b'_0 = a'_0 \times \prod (a'_i \times b'_i)^{2^{i-1}} \times Z^{-1} \bmod N$. 1. The attacker sends $a'_i, b'_i$ to the verifier.
Challenge-response phase (2. fast bit exchange phase): the attacker wins if first challenge = 0.
Final verification phase (3. ZKProof): the verification phase is relayed to the prover. Y = F(S). Deduce Z = F(S).

Opening function

Attacks on distance bounding: distance fraud. [Figure labels: Range, R-A, T-A, Legitimate prover]