Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth Dan Boneh Brent Waters.

Presentation transcript:

Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth Dan Boneh Brent Waters

Private Broadcast Encryption
Make data available to select principals
 – Encrypt the data to those principals
Often important to hide the set of principals
 – BCC recipients in encrypted e-mail
 – Customer list (hide from competitors)
 – Promotion committee can read evaluations
Private broadcast encryption
 – Recipient privacy against active attackers

Related Work
Key privacy in public-key setting [BBDP01]
 – IK-CCA: Ciphertext does not leak public key
   Attacker viewing ciphertext encrypted under one of two public keys cannot guess which key was used
 – Cramer-Shoup is IK-CCA (with common prime)
 – Important building block for recipient privacy
Previous broadcast encryption systems
 – Increasing collusion resistance
 – Reducing ciphertext overhead
 – We focus on hiding recipient set

Our Results
Generic construction (standard model)
 – Achieves CCA recipient privacy
 – Uses generic IK-CCA public-key system
 – Decryption time is linear in number of recipients
Efficient construction (random oracle)
 – Achieves CCA recipient privacy
 – Assumes CDH is hard
 – Decryption in O(1) cryptographic operations

Broadcast Systems in Practice
Microsoft Outlook
 – Encrypted as a broadcast system
 – Outlook completely reveals BCC recipients issuerAndSerialNumber
 – BCC recipients’ names can appear in the clear
 – Could send separate message for
Windows Encrypted File System
Pretty Good Privacy (PGP)
 – GnuPG as an example implementation

Pretty Good Privacy?
Message encrypted with symmetric key, K
K encrypted for each recipient
To speed decryption, components labeled with KeyIDs
 – Hash of public key
User identities completely revealed
[Diagram: components labeled A:, B:, C: holding {K}_pk(A), {K}_pk(B), {K}_pk(C), followed by the message encrypted under K]

Recipient Privacy in PGP
PGP labels encryptions using a KeyID

    C:\gpg>gpg --verbose -d message.txt
    gpg: armor header: Version: GnuPG v1.2.2 (MingW32)
    gpg: public key is 3CF61C7B
    gpg: public key is 028EAE1C

KeyIDs easily translated into names and addresses using a public key server
GPG includes option to withhold KeyIDs
 – Vulnerable to passive recipient privacy attack

Security Model

Private Broadcast Encryption
I  Setup( )
 – Generates global parameters I
(pk, sk)  Keygen(I)
 – Generates public-private key pairs
C  Encrypt(S, M)
 – Encrypts plaintext M for recipient set S
M  Decrypt(sk, C)
 – Decrypts ciphertext C with private key sk

CPA Recipient Privacy Defined
Adversary / Challenger
Global Parameter
S_0 and S_1
 – S_0 and S_1 subsets of {1, …, n} such that |S_0| = |S_1|
All public keys
Secret keys for S_0  S_1
b  R {0,1}
M encrypted for S_b as C*
Guess b’
Adversary wins if b’ = b
Some schemes vulnerable with large overlap, whereas others are vulnerable with small overlap

Simple CPA Recipient Privacy
Remove labels
Use key-private scheme
Reorder components
O(n) decrypt time
CPA recipient privacy
But, active attack…
 – Even with IK-CCA
[Diagram: labeled components A: {K}_pk(A), B: {K}_pk(B), C: {K}_pk(C); then the labels crossed out and the components reordered as {K}_pk(B), {K}_pk(A), {K}_pk(C), followed by the message encrypted under K]

Active Attack on Simple Scheme
Attacker a recipient
 – Learns K
Replaces message with something alluring
Forwards malicious message to Alice
Waits for response
Receives response only if Alice was a recipient
[Diagram: {K}_pk(B), {K}_pk(A), {K}_pk(C), followed by the message encrypted under K]

CCA Recipient Privacy Defined
Adversary / Challenger
Global Parameter
S_0 and S_1
 – S_0 and S_1 subsets of {1, …, n} such that |S_0| = |S_1|
All public keys
Secret keys for S_0  S_1
b  R {0,1}
M encrypted for S_b as C*
Guess b’
Adversary wins if b’ = b
Decrypt query on (u, C) (C  C*)

Constructions

Primitives Used in Constructions
Strong correctness
 – Decrypting with wrong key results in
Strong signatures
 – Attacker cannot create a new signature
 – Even on a previously signed message
 – Example: RSA full-domain hash
CCA key private (IK-CCA) cryptosystem
 – Ciphertext does not leak public key

Generic CCA Construction
Start with CPA scheme
Generate a fresh signing key pair (vk, sk)
Include verification key, vk, in each component
Sign the ciphertext
Thm: CCA recipient private
O(n) decryption time
[Diagram: {, K}_pk(B), {, K}_pk(A), {, K}_pk(C), { }_K, vk]

Added Primitives for Efficiency
A group G where CDH is hard
 – Extend public keys with g^a, private keys with a
Model hash function as a random oracle
 – Use extraction property to break CDH
 – Use DH self-corrector [Shoup97]

Ciphertext Component Labels
Speed decryption with private labels
To make labels for every component:
 – Pick a single fresh exponent r
 – Include g^r in the ciphertext
 – Label component for (pk, g^a) with H(g^{ar})
Each recipient computes own label with g^r and a
 – Attacker cannot associate H(g^{ar}) with g^a
Still need to tie labels to verification key…
 – Include g^{ar} in ciphertext components
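An added Python example, not code from the slides or the authors, of the label mechanism on this slide: the sender derives per-ciphertext labels H(g^{ar}) from one fresh r, and each recipient finds its own component with one exponentiation and one hash. The toy group (P, G), SHA-256 standing in for H, and the opaque component bytes are assumptions.

```python
import hashlib
import secrets

# Toy group, an assumption for illustration only: the 127-bit Mersenne prime
# is far too small for real use, where a group with hard CDH is required.
P = 2**127 - 1
G = 3


def keygen():
    """Return (a, g^a): the private exponent and the public-key extension."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)


def H(element):
    """Hash a group element to a label (SHA-256 stands in for the random oracle)."""
    return hashlib.sha256(element.to_bytes(16, "big")).digest()


def label_components(recipients):
    """Sender side. recipients: list of (g^a, opaque component bytes).

    Picks one fresh r, returns g^r and the components keyed by H(g^{ar}),
    sorted by label so the order carries no information about the recipients.
    """
    r = secrets.randbelow(P - 2) + 1
    labelled = [(H(pow(g_a, r, P)), comp) for g_a, comp in recipients]
    return pow(G, r, P), sorted(labelled)


def find_component(a, g_r, labelled):
    """Recipient side: one exponentiation and one hash, then a table lookup."""
    return dict(labelled).get(H(pow(g_r, a, P)))


def demo():
    (a, g_a), (b, g_b), (c, _g_c) = keygen(), keygen(), keygen()
    recipients = [(g_a, b"component-for-A"), (g_b, b"component-for-B")]
    g_r1, ct1 = label_components(recipients)
    g_r2, ct2 = label_components(recipients)   # same recipients, fresh r
    return {
        "alice": find_component(a, g_r1, ct1),
        "bob": find_component(b, g_r1, ct1),
        "carol": find_component(c, g_r1, ct1),  # not a recipient
        "labels_reused": bool({l for l, _ in ct1} & {l for l, _ in ct2}),
    }
```

Unlike a static KeyID, the labels change with every ciphertext because r is fresh, so two messages to the same recipients share no label.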

Efficient CCA Construction
Thm: CCA recipient private (in RO model)
O(1) cryptographic operations for decryption
[Diagram: ciphertext containing g^r; labeled components H(g^{br}): {vk, g^{br}, K}_pk(B), H(g^{ar}): {vk, g^{ar}, K}_pk(A), H(g^{cr}): {vk, g^{cr}, K}_pk(C); and {M}_K]

Conclusions
Many widely-deployed content distribution systems lack recipient privacy
 – E-mail and encrypted file systems
Introduced private broadcast encryption
 – Recipient privacy against an active attacker
 – Performance similar to non-private schemes
Open problem: private broadcast encryption with shorter ciphertext

Questions?

Broadcast Semantics of E-mail
[Diagram: Mail User Agent (MUA), Mail Transfer Agent (MTA), Recipient MTA, Recipient]

BCC privacy in S/MIME
S/MIME label is the RecipientInfo field.
Label consists of the issuer and serial number of the recipient’s certificate
Self-signed certificate:
 – Full name and e-mail address in the clear

    444:d=9 hl=2 l= 3 prim: OBJECT :commonName
    449:d=9 hl=2 l= 11 prim: PRINTABLESTRING :Henry Kyser
    462:d=7 hl=2 l= 32 cons: SET
    464:d=8 hl=2 l= 30 cons: SEQUENCE
    466:d=9 hl=2 l= 9 prim: OBJECT : Address
    477:d=9 hl=2 l= 17 prim: IA5STRING

VeriSign certificate: identity at verisign.com

BCC Privacy by User Agent
[Table: columns Completely Exposes, Partially Reveals, Protects Identity; row groups S/MIME-based and PGP-based; user agents listed: Apple Mail.app, Outlook 2003, Outlook Express 6, Thunderbird 1.02, Outlook Web Access, EudoraGPG 2.0, GPGshell 3.42, Hushmail, KMail 1.8, PGP Desktop 9.0, Turnpike 6.04]

Sending Separate Encryptions
Sending separate encryptions provides BCC privacy
Advantages of separate encryptions
 – Can be deployed immediately and unilaterally
 – Conceals the number (and existence of) BCC recipients
Disadvantages of separate encryptions
 – Difficult to implement for MUA plug-ins such as EudoraGPG
 – Increases MTA workload and network traffic