1 Private Resource Pairing Joseph Calandrino Department of Computer Science University of Virginia August 10, 2005.

Presentation transcript:

1 Private Resource Pairing Joseph Calandrino Department of Computer Science University of Virginia August 10, 2005

2 Motivating Scenario Emergency Room –Incapacitated unidentified tourist arrives at ER –Perfect biometric exists –Treatment is history-dependent

3 Private Resource Pairing Resource Possession – Confidential Resource Requests – Confidential Third Parties – Undesirable Can We Overcome This?

4 Related Work Private Matching
– Alice and Bob possess separate databases
– Alice wishes to determine intersection
– Neither wishes to reveal non-matches
Alice: Red, Orange, Yellow, Green, Blue
Bob: Purple, Blue, White, Yellow

5 Related Work Private Matching (AgES Protocol – Simplified)
– Alice and Bob agree on commutative encryption (E_A(E_B(X)) = E_B(E_A(X))) and hash functions
– Generate secret encryption keys, A and B*
– Generate hashes; encrypt hashes
Alice (item, hash, encrypted hash):
R, h(‘R’), E_A(h(‘R’))
O, h(‘O’), E_A(h(‘O’))
Y, h(‘Y’), E_A(h(‘Y’))
G, h(‘G’), E_A(h(‘G’))
B, h(‘B’), E_A(h(‘B’))
Bob (item, hash, encrypted hash):
P, h(‘P’), E_B(h(‘P’))
B, h(‘B’), E_B(h(‘B’))
W, h(‘W’), E_B(h(‘W’))
Y, h(‘Y’), E_B(h(‘Y’))
*Alice and Bob must generate new encryption keys each time they enter the private matching protocol

6 Related Work Private Matching (AgES Protocol – Simplified)
– Reorder encryptions lexicographically and exchange encryptions (Alice also saves hers)
Alice: (R, E_A(h(‘R’))), (O, E_A(h(‘O’))), (Y, E_A(h(‘Y’))), (G, E_A(h(‘G’))), (B, E_A(h(‘B’)))
Bob: P, B, W, Y
Bob’s encryptions: E_B(h(‘P’)), E_B(h(‘B’)), E_B(h(‘W’)), E_B(h(‘Y’))
Alice’s encryptions: E_A(h(‘R’)), E_A(h(‘O’)), E_A(h(‘Y’)), E_A(h(‘G’)), E_A(h(‘B’))

7 Related Work Private Matching (AgES Protocol – Simplified)
– Reorder encryptions lexicographically and exchange encryptions (Alice also saves hers)
– Re-encrypt encryptions (Bob saves originals)
Alice: (R, E_A(h(‘R’))), (O, E_A(h(‘O’))), (Y, E_A(h(‘Y’))), (G, E_A(h(‘G’))), (B, E_A(h(‘B’)))
Bob: P, B, W, Y
Bob’s encryptions, re-encrypted: E_A(E_B(h(‘P’))), E_A(E_B(h(‘B’))), E_A(E_B(h(‘W’))), E_A(E_B(h(‘Y’)))
Alice’s encryptions, original and re-encrypted: (E_A(h(‘R’)), E_B(E_A(h(‘R’)))), (E_A(h(‘O’)), E_B(E_A(h(‘O’)))), (E_A(h(‘Y’)), E_B(E_A(h(‘Y’)))), (E_A(h(‘G’)), E_B(E_A(h(‘G’)))), (E_A(h(‘B’)), E_B(E_A(h(‘B’))))

8 Related Work Private Matching (AgES Protocol – Simplified)
– Bob returns the pairs; Alice matches on E_A(h(X)) to get (X, E_B(E_A(h(X)))) = (X, E_A(E_B(h(X))))
– Alice finds matches for B and Y, the intersection
Alice: (R, E_A(E_B(h(‘R’)))), (O, E_A(E_B(h(‘O’)))), (Y, E_A(E_B(h(‘Y’)))), (G, E_A(E_B(h(‘G’)))), (B, E_A(E_B(h(‘B’))))
Bob: P, B, W, Y
Bob’s encryptions, re-encrypted: E_A(E_B(h(‘P’))), E_A(E_B(h(‘B’))), E_A(E_B(h(‘W’))), E_A(E_B(h(‘Y’)))

9 Related Work Private Matching –Limited data ownership and need to know technique –More efficient/robust private pairing solution possible Private Information Retrieval Audit Logs Searching on Encrypted Data – Requestors reveal searches to provider

10 Behavioral Models Semi-Honest (Honest But Curious) Behavior –Parties do not lie –Parties do attempt to derive additional information if possible –Costs of lying may outweigh benefits Malicious Behavior –Potentially dishonest parties –More realistic

11 Private Resource Pairing… Basic Idea: Setup:
1. Participants agree on a commutative encryption scheme and a hash function
2. Providers generate random encryption keys
3. Providers publish lexicographically-reordered encrypted hashes of their resource metadata to potential requestors or host servers
– Providers publish signatures for servers
…under a Semi-Honest Behavior Model

12 Private Resource Pairing… Basic Idea: Search and Acquisition:
1. Requestor generates new encryption/decryption key pair*
2. Requestor gives encrypted hash of desired metadata to provider
3. Provider re-encrypts using its key and returns
4. Requestor decrypts re-encryption
5. Requestor matches result against published values
– For host servers, requestors acquire values and verify signatures
6. If match found, requestor asks provider for resources related to metadata
…under a Semi-Honest Behavior Model
*Requestors must generate new keys for each search
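
The setup and search steps of slides 11 and 12, as an added Python example (not code from the presentation or its Java implementation). SHA-1 and Pohlig-Hellman exponentiation over a common modulus follow slide 28; the modulus `P` and the names `Provider`, `keygen`, `enc` and `search` are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Constructed demo modulus (the Mersenne prime 2^521 - 1) shared by all parties.
# Assumption for illustration; a real deployment needs a vetted safe-prime group.
P = 2**521 - 1

def h(metadata: str) -> int:
    """SHA-1 of the metadata, mapped into [1, P-1]."""
    digest = hashlib.sha1(metadata.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (P - 1)

def keygen():
    """Pohlig-Hellman pair: exponent e coprime to P-1 and its inverse d."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def enc(key: int, x: int) -> int:
    """x^key mod P; commutative, so enc(a, enc(b, x)) == enc(b, enc(a, x))."""
    return pow(x, key, P)

class Provider:
    def __init__(self, metadata):
        self._key, _ = keygen()                 # setup step 2: random secret key
        # Setup step 3: publish E_P(h(m)), sorted so original order is hidden.
        self.published = sorted(enc(self._key, h(m)) for m in metadata)
        self.seen = []                          # everything requestors sent us

    def reencrypt(self, blinded: int) -> int:   # search step 3
        self.seen.append(blinded)
        return enc(self._key, blinded)

def search(provider: Provider, wanted: str) -> bool:
    # Step 1: fresh key pair per search; with a reused key the same metadata
    # would always produce the same blinded value, letting the provider link searches.
    e, d = keygen()
    blinded = enc(e, h(wanted))                 # step 2: E_R(h(x))
    double = provider.reencrypt(blinded)        # step 3: E_P(E_R(h(x)))
    unblinded = enc(d, double)                  # step 4: strips E_R, leaves E_P(h(x))
    return unblinded in provider.published      # step 5: match published values

if __name__ == "__main__":
    p = Provider(["red", "orange", "yellow", "green", "blue"])  # constructed metadata
    print(search(p, "blue"), search(p, "white"))
```

The provider only ever receives the blinded value, and the requestor learns only whether its single term appears in the published list; step 6 (asking for the resource) happens after a match.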

13 Private Resource Pairing… Assumptions: Requestor identity alone yields no private data Providers publish data all at once, or publication order is irrelevant In the case of host servers: –Requestors download all or no data from a server –Servers are unable to collude Metadata is not fuzzy …under a Semi-Honest Behavior Model

14 Private Resource Pairing… Shortcomings of Semi-Honest Solution: –No enforcement of requestor need to know –No proof providers hold resources tied to published metadata Malicious Model Must Address These Issues …under a Semi-Honest Behavior Model

15 Private Resource Pairing… Proving Requestor Need to Know: Requestor Uses Two Tickets –First: To receive re-encryption Contains only encrypted metadata –Second: To access metadata-related resources Contains plaintext metadata …under a Malicious Behavior Model

16 Private Resource Pairing… Proving Requestor Need to Know: Tickets Supplier Must Distribute Tickets –Requestor must trust supplier with search metadata –Supplier can issue scope-limited tickets –Providers must be able to verify supplier trustworthiness –Suppliers should be unable to initiate searches –Assume suppliers and requestors cannot collude …under a Malicious Behavior Model

17 Private Resource Pairing… Proving Resource Possession:
Identity-Based Signatures
–Verification key is identity
–Master secret required to generate signing keys
Key Privacy in Public Key Cryptosystems
–An adversary possessing a piece of ciphertext can gain no more than a negligible advantage in determining which public key out of a given set produced the ciphertext
–RSA lacks this: C = M^e mod n. If n_Alice = 6, n_Bob = 10, C = 7, an adversary knows that Bob’s public key encrypted C
…under a Malicious Behavior Model

18 Private Resource Pairing… Proving Resource Possession: Two Cases: –Metadata Implies an Owner Everyone knows the “owner” of resources related to every piece of metadata Example: Biometrics –Metadata Implies No Clear Owner Metadata can imply many owners, or others are unable to accurately guess owners from metadata Example: Keywords …under a Malicious Behavior Model

19 Private Resource Pairing… Proving Resource Possession: Metadata Implies an Owner –System Privacy A set of instantiations of an identity-based signature scheme exist with different master secrets Adversary chooses an identity Random instantiation produces the identity’s signature of a nonce (unknown to adversary) The adversary receives the signature System privacy exists if the adversary can gain no more than a negligible advantage in determining signing instantiation given some parameters …under a Malicious Behavior Model

20 Private Resource Pairing… Proving Resource Possession: Metadata Implies an Owner –Owner (or Delegated Owner) Setup: Owners agree on signature scheme –Identity-based scheme –System privacy Owners independently generate master secrets Owners publish verification parameters …under a Malicious Behavior Model

21 Private Resource Pairing… Proving Resource Possession: Metadata Implies an Owner
–Providers Acquire Proof:
1. Provider offers metadata, encrypted and unencrypted, to owner
2. Owner checks that encryption represents metadata
–Private matching
3. Owner signs encryption using private key associated with the provider’s ID and returns result
4. Provider checks signature
5. Provider publishes data
…under a Malicious Behavior Model

22 Private Resource Pairing… Proving Resource Possession: Metadata Implies an Owner
–Requestor Verifies Proof:
1. Requestor downloads owner parameters
2. Requestor checks signatures (using provider ID as key) for a signature of the encrypted hash of desired metadata
…under a Malicious Behavior Model

23 Private Resource Pairing… Proving Resource Possession: Metadata Implies an Owner –If Owner Master Secret Compromised: Owner needs new master secret Only affects owner’s resources How do we update signatures? …under a Malicious Behavior Model

24 Private Resource Pairing… Proving Resource Possession: Metadata Does Not Imply an Owner –Use Universal Resource Owner Can be centralized or distributed Providers must trust owner Requestors need not reveal anything to universal owner Problems exist: key revocation, master secret compromise …under a Malicious Behavior Model

25 Evaluation Private Resource Pairing vs. Private Matching Private Resource Pairing: Semi-Honest Model –No known comparable protocol for malicious pairing protocol Private Matching: AgES –Requestor served as querying party with a single-entry DB –Additional step for requestor to ask for resources Ignored: –Server signature verification (implementation dependent) –Time to agree on hash/encryption function (same for both)

26 Theoretical Evaluation Computational Cost (in Units of Cost)

27 Theoretical Evaluation Communication Cost (in Units of Cost)

28 Performance Evaluation Implementation
–Java-Based Implementation
–Hash Function: SHA-1
–Commutative Encryption Function: Pohlig-Hellman with Common Modulus
–Sort: Modified MergeSort (n log n performance)
–Number of Provider Metadata Items: 20

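29 Performance Evaluation Performance Comparison (AgES vs. Private Resource Pairing)
Setup
– Provider: AgES 0 ms; Private Resource Pairing 1177 ms
– Requestor: 0 ms
– Total: AgES 0 ms; Private Resource Pairing 1177 ms
Search and Acquisition
– Provider: AgES 1194 ms; Private Resource Pairing 17 ms
– Requestor: AgES 1218 ms; Private Resource Pairing 867 ms
– Total: AgES 2412 ms; Private Resource Pairing 884 ms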

30 Evaluation Private Resource Pairing vs. Private Matching –Decrease in requestor computation time: 28.8% –Decrease in provider computation time: 98.6% –Pairing scales better than AgES –Potential AgES improvements: Avoid changing keys Avoid re-encryption

31 Conclusion Summary Future Work –Time-Scoped Searching –System Privacy –Classification Levels –Untrusted Servers –Fuzzy Metadata –Many more…

32 Thank You In Particular: Alfred Weaver David Evans Brent Waters

33 Questions?