CT-RSA'03, slide 1: Two Efficient and Provably Secure Schemes for Server-Assisted Threshold Signatures. Ravi Sandhu, joint work with Shouhuai Xu.

Slide 2: Roadmap
- Motivation
- Cryptographic preliminaries
- First scheme: TPAKE-HTSig
- Second scheme: LW-TSig
- Related work

Slide 3: Motivation
- Modern cryptography is key-centric
- RSA: Rivest, Shamir and Adleman themselves have no shortcut for breaking RSA, but you can generate Rivest's digital signatures once you have compromised his private key
- This has no counterpart in handwritten signatures
- Since compromise will inevitably happen, one can only expect the second-best outcome: minimize the damage

Slide 4: Motivation
- So how do we protect the private signing keys (or functions)
  - conveniently
  - cheaply
  - efficiently

Slide 5: Our Approach
- Assume a set of (>2) servers provide a service (e.g., for economic incentives) like threshold signing
- This differs from standard threshold signing:
  - only a user can invoke her signing function
  - compromise of a user's machine does not necessarily mean her signing function is compromised (i.e., the adversary may still be unable to invoke the servers)
  - compromise of a threshold number of servers does not necessarily mean her signing function is compromised

Slide 6: Our Approach
- The core of our approach is a set of convenient, cheap, efficient mechanisms whereby the servers collaboratively authenticate a user:
  - threshold password-authenticated key exchange (e.g., [MacKenzie et al. Crypto02])
  - symmetric key-based authentication (e.g., MAC)
- Don't confuse server-aided signatures (motivated by better efficiency) with our server-assisted signatures (motivated by better security), though they do overlap sometimes

Slide 7: Roadmap (agenda repeated; next section: Cryptographic preliminaries)

Slide 8: Cryptographic Preliminaries
- Message authentication code (MAC), secure against adaptive chosen message attack
- Signature scheme (Sig.Init, Sig.Sig, Sig.Ver), secure against adaptive chosen message attack
  - we are interested in the class of signature schemes that have efficient distributed versions

Slide 9: Cryptographic Preliminaries
- Threshold signature scheme (TSig.Init, TSig.Sig, TSig.Ver), secure against adaptive chosen message attack
- 2-party signature scheme (2Sig.Init, 2Sig.Sig, 2Sig.Ver), secure against adaptive chosen message attack
- Hybrid-threshold signature scheme, a composition of TSig and 2Sig, consists of (HTSig.Init, HTSig.Sig, HTSig.Ver):
  - a user splits her private key X into two shares X1, X2
  - the user holds X1 as in 2Sig
  - the user shares X2 among the servers as in TSig

Slide 10: Cryptographic Preliminaries
- Threshold password-authenticated key exchange scheme (TPAKE.Init, TPAKE.Login)
  - a user shares her password among the servers via TPAKE.Init
  - a user authenticates herself to the servers via TPAKE.Login, which may also output a fresh session key with each server
  - TPAKE.Login is secure against off-line dictionary attack: compromise of no more than a threshold number of servers does not make the password subject to off-line dictionary attack
  - the first TPAKE is due to [MacKenzie et al. Crypto02]

Slide 11: Roadmap (agenda repeated; next section: First scheme: TPAKE-HTSig)

Slide 12: First Scheme: TPAKE-HTSig
- TPAKE-HTSig is a composition of TPAKE and HTSig
- The idea is simple:
  - run a TPAKE to authenticate a user and generate a fresh session key that is common to the user and each individual server
  - the servers authenticate signing requests using the session keys; the signing operation is similar to TSig.Sig
  - the user obtains a signature as in 2Sig.Sig

Slide 13: TPAKE-HTSig (protocol diagram)
- For each server i = 1, ..., n: TPAKE.Login outputs key_i, shared between the user and server i
- The user sends MAC_key_i(m) to server i
- Server i returns partial signature i

Slide 14: TPAKE-HTSig: another look (layered view)
- TPAKE
- glue: session-key based authentication
- HTSig

Slide 15: TPAKE-HTSig: some comments
- We give a specification of TPAKE, so any scheme satisfying it (e.g., one more efficient than [MSJ02]) can be plugged in
- A DLOG-based HTSig can be plugged into TPAKE-HTSig directly
- An RSA-based HTSig is more subtle:
  - the [Shoup Eurocrypt00] scheme cannot be used unless one assumes that no threshold number of servers is compromised
  - the [Rabin Crypto98] scheme can be used, but needs additional care

Slide 16: Roadmap (agenda repeated; next section: Second scheme: LW-TSig)

Slide 17: Second Scheme: LW-TSig
- LW-TSig stands for Light-Weight server-assisted Threshold Signatures
- The idea is simple:
  - a user holds (say) a smartcard
  - she shares her private key among the servers, as in TSig
  - she shares a symmetric key with each server
  - invocation of the signing function is based on MACs

Slide 18: LW-TSig (protocol diagram)
- The user sends MAC_key_i(m) to each server i = 1, ..., n, where key_i is the symmetric key shared with that server
- Server i returns partial signature i

Slide 19: LW-TSig: some comments
- a smartcard does not need a cryptographic co-processor
- communication between a smartcard and the servers can be done via a signature receiver
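The pieces described on slides 9, 12 and 17 (X split into X1 held by the user and X2 shared among the servers; servers that only produce a partial signature after checking MAC_key_i(m)), as an added toy example that is not code from the paper or its authors. It uses a DLOG-based (Schnorr-style) hybrid threshold signature over a tiny group and a static per-server MAC key as in LW-TSig; the group parameters, the Server class and all function names are assumptions for illustration.

```python
# Added toy example, not the paper's construction: DLOG-based (Schnorr) hybrid threshold
# signing over a tiny group, each server gated by MAC_key_i(m) with a static per-server key
# as in LW-TSig (TPAKE-HTSig would derive key_i via TPAKE.Login). No robustness handling.
import hashlib, hmac, secrets

P, Q, G = 2039, 1019, 4  # toy safe prime P = 2Q + 1; G generates the order-Q subgroup

def H(*parts):  # hash to Z_Q, used as the Schnorr challenge
    return int.from_bytes(hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest(), "big") % Q

def shamir_share(secret, n, t):  # f(0) = secret, degree t-1 over Z_Q, shares at x = 1..n
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}

def lagrange0(ids, i):  # weight so that sum(lagrange0(ids, i) * f(i) for i in ids) == f(0)
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * (-j) % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

class Server:  # holds one Shamir share of X2 and the symmetric key shared with the user
    def __init__(self, sid, share, mac_key):
        self.sid, self.share, self.mac_key, self.r = sid, share, mac_key, None
    def commit(self, m, tag):  # round 1: refuse the request unless MAC_key_i(m) verifies
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, m, "sha256").digest()):
            raise PermissionError("signing request not authenticated")
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)
    def respond(self, R, m, ids):  # round 2: Lagrange-weighted partial signature (R is public)
        return (self.r + H(R, m) * lagrange0(ids, self.sid) * self.share) % Q

def keygen(n, t):  # HTSig.Init: X = X1 + X2; the user keeps X1, X2 is t-of-n shared among servers
    x, x1 = secrets.randbelow(Q), secrets.randbelow(Q)
    shares = shamir_share((x - x1) % Q, n, t)
    mac_keys = {i: secrets.token_bytes(16) for i in range(1, n + 1)}
    servers = [Server(i, shares[i], mac_keys[i]) for i in range(1, n + 1)]
    return pow(G, x, P), x1, mac_keys, servers

def sign(m, x1, mac_keys, servers, ids):  # user side: 2Sig part with X1 plus combined TSig partials
    active = [s for s in servers if s.sid in ids]
    r_u = secrets.randbelow(Q)
    R = pow(G, r_u, P)
    for s in active:  # every request to server i carries MAC_key_i(m)
        R = R * s.commit(m, hmac.new(mac_keys[s.sid], m, "sha256").digest()) % P
    s_total = (r_u + H(R, m) * x1 + sum(s.respond(R, m, ids) for s in active)) % Q
    return R, s_total

def verify(y, m, sig):  # ordinary Schnorr verification: g^s == R * y^c
    return pow(G, sig[1], P) == sig[0] * pow(y, H(sig[0], m), P) % P
```

Any t of the n servers suffice, and a request without a valid MAC is refused before any share is used, which is the property the slides rely on.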

Slide 20: Roadmap (agenda repeated; next section: Related work)

Slide 21: Related Work: a taxonomy of systems protecting private signing functions
- Instead of comparing our work with the related works one by one, we present a taxonomy of systems protecting private signing functions
- The taxonomy is based on
  - user storage media: human memory (for a password), soft-token, hard-token, soft- & hard-token
  - number of runtime key-shares: 1, 2, >2

Slides 22-28: Taxonomy (one table, built up over seven slides)
- Rows (user storage media): human memory, soft-token, hard-token, soft- & hard-token
- Columns (number of runtime key-shares): 1, 2, >2
- Entries, in the order they are added:
  - downloading: a user downloads (say, to a public computer) her private key stored at some remote server(s); password-based authenticated key exchange (for the session key)
  - downsized special case of TPAKE-HTSig, cell (password, >2): a user utilizes a password to activate multiple remote servers to generate a threshold signature
  - cell (soft-token, 1), two types of systems: password-protected private key (a variant can block off-line dictionary attack if public keys are kept secret); forward-security: compromising today's private key does not mean compromising yesterday's private key
  - TPAKE-HTSig and downsized TPAKE-HTSig: password-based authentication; composition of two-party and threshold signatures
  - traditional (hard-token), LW-TSig and downsized LW-TSig: a user invokes a set of remote servers via symmetric authentication
  - key-insulation / intrusion-resilience: compromise of today's private key does not mean compromise of yesterday's or tomorrow's private key; even if soft-token and hard-token are compromised simultaneously, forward-security is still ensured
  - extension to TPAKE-HTSig and LW-TSig; two-party signatures

Slide 29: Questions?

Slide 30: Q & A
- Our constructions are obtained via modular composition, but our security analysis method is more specific; Canetti's is more general
- Why can [Shoup Eurocrypt00] not be used? An adversary compromising a threshold number of servers can obtain X2. Since [S00] requires that the public exponent corresponding to X2 be public, the adversary can factor the user's RSA modulus.

Slide 31: Q & A
- What care do we need for [Rabin Crypto98]? If the [MSJ02] TPAKE is used, we need another layer of invocation so that a threshold number of servers activates all the servers. This is specific to [MSJ02], though.
- Denial-of-service attacks must be appropriately dealt with; otherwise, the secret share of a server under denial-of-service attack is interpolated and could make the threshold protection meaningless.