11 Identification & ZKIP
Introduction Passwords Challenge-Response ZKIP 22
Bank machine withdrawals : 4 ~ 6 digit PIN(Personal Identification Number) at ATM(Automatic Teller Machine) In store credit card purchases Prepaid calling card : Asking a service by telephone card or membership cards Remote login: Remote access to host under Client /Server environment Access to restricted areas, etc. 33
MethodExamplesReliabilitySecurityCost What you Remember (know) Password Telephone # Reg. # M/L M(theft) L(imperso- nation) Cheap What you have Registered Seal Magnetic Card IC Card ML(theft) M(imperso- nation) Reason- Able What you Are Bio-metric( Fingerprint, Eye, DNA, face, Voice, etc.) HH(theft) H(imperso- nation) Reasonable Expensive 44
55 Extracted from A. Jail’s presentation in SCIS2006, Japan
Password-based scheme (weak authentication) ◦ crypt passwd under UNIX ◦ one-time password Challenge-Response scheme (strong authentication) ◦ Symmetric cryptosystem ◦ MAC(keyed-hash) function ◦ Asymmetric cryptosystem Cryptographic Protocols ◦ Fiat-Shamir identification protocol ◦ Schnorr identification protocol, etc 66
77 passwd,A passwd table A h(passwd) ProverVerifier passwd h = A y accept n reject
Replay fixed pwds ◦ Observe pwd as it is typed in ◦ Eavesdrop the data in cleartext ◦ Not suitable over open communication networks Exhaustive pwd search ◦ Let E(c) be the entropy of 8-char pwds from choices ◦ E(26)=37.6, E(36)=41.4, E(62)=47.6, E(95)=52.6 Pwd guessing and dictionary attacks ◦ A large dictionary contains 250,000 words ◦ Dictionary attack: order lists and compared to entries in the encrypted dictionary ◦ Combine numerical and alphabetical characters. 88
99 truncate to 8 ASCII chars; 0-pad if necessary user passwd DES* Repack 76 bits into 11 7-bit characters encrypted passwd /etc/passwd user salt I 1 = 0…0 next input I i 2 i 25 output, O i O salt : 12-bit random from system clock when select passwd. DES* : DES with expansion E modified by 12-bit salt, 2 12 =4056 DES variations,
Assumption ◦ Secret Key : known to only P and V ◦ Random Challenge : P and V have perfect random number generator as their challenges. Very small probability that same challenges occur by chance in 2 different sessions ◦ MAC security : MAC is secure which no (ε, Q)- forger exist. Probability that Attack can correctly compute MAC is at most ε, given Q other MACs. (e.g. Q=10,000 or 100,000) 10
Using Symmetric Cryptosystem 11 P V random challenge,x x y=e K (x) y y’=e K (x) y=y’ ? K Vulnerable to parallel session attack (man-in-the-middle). Need to change x to be ID(V)||r
Using Asymmetric Cryptosystem P can prove to have secret information in either way : (1) P decrypts a challenge encrypted under P’s public key. (2) P digitally signs a challenge. 12 P V random challenge,x x y=e[s K,x] y y’= d[p k,x] y = y’ ? P K
GMR (Goldwasser, Micali, Rackoff) 1.“The knowledge complexity of interactive-proof systems”, Proc. of 17 th ACM Sym. on Theory of Computation, pp , “The knowledge complexity of interactive-proof systems”, Siam J. on Computation, Vol. 18, pp , 1989 (revised version) ZKIP (Zero Knowledge Interactive Proof) : between P and V ◦ Completeness : Only true P can prove V. ◦ Soundness : False P’ can’t prove V. ◦ 0-Knowledge : No knowledge transfer to V. 13
14
15
16 1P/1V Interactive Non-interactive ZK GMR Model * P:infinite, V: poly BCC Model Model 1 (P:poly V: infinite) (minimum disclosure) Model 2 (P:poly, V: poly) 0-K Minimum Know. Oracle ZKIP WH Perfect Computational Statistical Membership Knowledge Computational power Property Object Model MP MV *AM-game : GMR model and V has random coin.
(Preparation) (TA) Unlike in RSA, a trusted center can generate a universal n, used by everyone as long as none knows the factorization. (P) (i) private key: choose random value S, s.t. gcd(S,n)=1. (1 < S < n) (ii) public key : P computes I=S 2 mod n, and publishes (I,n) as public Goal P has to convince V that he knows his private key S and its corresponding public key (I,n) (i.e., to prove that he knows a modular square root of I mod n), without revealing S. 17
1. P chooses random value r (1<r<n) and computes x=r 2 mod n. then sends x to V. 2. V requests from P one of the following request at random (a) r or (b) rS mod n 3. P sends the requested information to V. 4. V verifies that he received the right answer by checking whether (a) r 2 = x mod n or (b) (rS) 2 = xI mod n 5. If verification fails, V concludes that P does not know S, and thus he is not the claimed party. 6. This protocol is repeated t (usually 20 or 30) times, and if in all of them the verification succeeds, V concludes that P is the claimed party. 18
19 V P public : I,n n=pq, I=S 2 mod n 2.e i ={0,1} x eiei Repeat t-times 3. If e i =0, send y=r If e i =1, send y=rS y 4.If e i =0, check y 2 =x mod n? If e i =1, check y 2 =xI mod n? * commitment-witness-challenge-response-verification and repeat
Assuming that computing S is difficult, the breaking is equivalent to that of factoring n. Since P doesn’t know (when he chooses r or rS mod n) which question V will ask, he can’t choose the required answer in advance. P can succeed in guessing V’s question with prob. 1/2 for each question. If the protocol is repeated t times, the prob. that V fails to catch P in all the times is only 2 -t, which is exponentially reducing with t. (t=20 or 30) 20
Schnorr Identification Scheme Okamoto Identification scheme Guillou-Quisquarter Identification scheme Others 21