10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 1/22 An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol.

Presentation transcript:

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 1/22 An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol Stanislaw Jarecki, Nitesh Saxena, Jeong Hyun Yi School of Information and Computer Science University of California, Irvine

2/22 Outline
- Introduction: access control in ad hoc groups; threshold cryptography; proactive signatures
- URSA proactive RSA scheme
- Our attack: efficient key recovery
- Discussion: insecurity of URSA
- Open issues

3/22 Access Control in Ad Hoc Groups
Access control is required to
- prevent unauthorized entities from joining the group
- bootstrap other security services, e.g., secure routing
- remove misbehaving members
- in general, make group decisions
However, an ad hoc group has
- no infrastructure
- no trusted group authority
- dynamic membership
Challenge: how to provide secure access control in such a decentralized and dynamic environment?

4/22 Distribution of Trust using Threshold Cryptography
Zhou and Haas [IEEE Comm. Mag'99]: (t+1, n) secret sharing of the group secret; Shamir [ACM COMM.'79]
Threshold signatures
- any set of t+1 members can sign messages on behalf of the group
- tolerate up to t corruptions in the lifetime of the system
Proactive signatures
- threshold signatures with increased resilience
- lifetime is divided into intervals
- secret shares are updated
- tolerate up to t corruptions in every interval

5/22 Access Control using Proactive Signatures
A new member (M_new) wants to join the group.
- Step 1: Certification request
- Step 2: Join commit (signed vote)
- Step 3: Certificate acquisition
If a quorum of t+1 current members approve, M_new is issued a signed certificate via the proactive signing protocol. If no quorum is found, membership is denied.
[Figure: M_new requesting admission; current members return Vote 1, Vote 2, ...]

6/22 Provably Secure Proactive Signatures
- RSA based: Frankel, et al. [FOCS'97] [Crypto'97], Rabin [Crypto'98]
- DSA based: Gennaro, et al. [EC'96] [IANDC'01]
- Schnorr based: Gennaro, et al. [RSA Security'03]
- BLS based: Boldyreva [PKC'03]
None applicable for access control in ad hoc groups.

7/22 Recent Access Control Schemes
URSA: Ubiquitous and Robust Access Control (under scrutiny in this work)
- Luo, et al. [ICNP'01, ISCC'02, WCMC'02, ToN'04]
- Proposes a new proactive RSA scheme
Others
- Based on proactive DSA: Narasimha, et al. [ICNP'03], Saxena, et al. [SASN'03]
- Based on proactive BLS: Saxena, et al. [ICISC'04]

8/22 URSA Proactive RSA Scheme (1/3)
Setup
- Dealer generates RSA private key d and public key (e, N)
- Randomly picks a polynomial f(x) of degree t: f(x) = d + a_1 x + a_2 x^2 + ... + a_t x^t (mod N)
- Member M_j is issued a secret share ss_j = f(j) (mod N)
Signature generation (signing group G, |G| = t+1)
- Polynomial interpolation: each M_j in G computes its partial key d_j = ss_j l_j (mod N), where l_j is the Lagrange coefficient for G; the partial keys sum to d modulo N
- M_j outputs a partial signature computed from d_j
Recall: RSA signature s = m^d (mod N)

9/22 URSA Proactive RSA Scheme (2/3)
Signature reconstruction: since the partial keys are reduced mod N individually, their integer sum equals d + αN for some α in [0, t] (the interpolation formula itself is not preserved in the transcript).
- Try all (t+1) values of α, s.t. s^e = m (mod N)
Note: α is revealed.

10/22 Problems with URSA Proactive RSA
Robustness; Narasimha, et al. [ICNP'03]
- Shares are computed mod N
- Regular verifiability mechanisms fail
- No verifiability, hence no robustness
Fix
- Share the secret d modulo a large prime q
- Use special-purpose zero-knowledge proofs; Boudot [EC'00] & Camenisch and Michels [Crypto'99]

11/22 Problems with URSA Proactive RSA
Is this scheme (modified with the robustness fix) secure in the presence of a coalition of t corrupt members?
The answer is: negative.

12/22 Our Attack (example): Binary Search
t = 1, n = 2. Players M_1, M_2; signing group G = {1, 2}. Adversary A corrupts M_1.
Recall: d = d_1 + d_2 - αN, where d_1 = ss_1 l_1 (mod N).
The signing protocol reveals α:
- If α = 0, then d = d_1 + d_2, so d ≥ d_1
- Otherwise, if α = 1, then d = d_1 + (d_2 - N), so d < d_1
During proactive updates, A can choose ss_1 s.t. [condition not preserved in the transcript]. With every update round, the search interval is halved. Binary search recovers d in log_2(N) rounds.
[Figure: number line 0 ... d_1 ... N]
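The signing flow of slides 8 and 9 and the one-bit leak of slide 12, as an added illustration (not code from the paper or from URSA): a toy RSA key (constructed), sharing of d over Z_N, Lagrange interpolation to partial keys d_j = ss_j l_j (mod N), and the combiner's search over α. For t = 1 the demo reports that the public α equals 1 exactly when d < d_1, which is the comparison the attack relies on.

```python
import random

# Toy RSA key, constructed for illustration (URSA would use a 1024-bit N).
P, Q = 61, 53
N = P * Q          # 3233
E = 17
D = 2753           # E * D = 1 (mod lcm(P-1, Q-1))

def share_secret(d, t, n, mod, rng):
    """URSA setup: shares ss_j = f(j) of a random degree-t polynomial f over Z_mod with f(0) = d."""
    coeffs = [d] + [rng.randrange(mod) for _ in range(t)]
    return {j: sum(c * pow(j, i, mod) for i, c in enumerate(coeffs)) % mod
            for j in range(1, n + 1)}

def lagrange_at_zero(j, group, mod):
    """l_j = prod_{k != j} (0 - k) / (j - k) mod N; needs gcd(j - k, N) = 1 (true for small indices)."""
    num, den = 1, 1
    for k in group:
        if k != j:
            num, den = num * (-k) % mod, den * (j - k) % mod
    return num * pow(den, -1, mod) % mod

def partial_keys(shares, group, mod):
    """d_j = ss_j * l_j mod N. As integers, sum(d_j) = d + alpha * N for some alpha in [0, t]."""
    return {j: shares[j] * lagrange_at_zero(j, group, mod) % mod for j in group}

def reconstruct(m, shares, group, e, mod):
    """Slide 9: multiply the partial signatures m^{d_j}, then try alpha = 0..t until s^e = m."""
    pk = partial_keys(shares, group, mod)
    prod = 1
    for j in group:
        prod = prod * pow(m, pk[j], mod) % mod     # M_j's partial signature
    undo_n = pow(pow(m, mod, mod), -1, mod)        # m^{-N}: cancels one surplus N in the exponent
    for alpha in range(len(group)):                # len(group) = t + 1 candidates
        s = prod * pow(undo_n, alpha, mod) % mod
        if pow(s, e, mod) == m % mod:
            return s, alpha                        # alpha is visible to whoever combines
    raise ValueError("no alpha in [0, t] gives a valid signature")

def demo(t, n, seed, m=2):
    """Share D among n members, sign m with group {1, ..., t+1}, report what alpha reveals."""
    shares = share_secret(D, t, n, N, random.Random(seed))
    group = list(range(1, t + 2))
    s, alpha = reconstruct(m, shares, group, E, N)
    d1 = partial_keys(shares, group, N)[1]
    return {"valid": pow(s, E, N) == m, "matches_rsa": s == pow(m, D, N),
            "alpha": alpha, "d1": d1,
            # slide 12, t = 1: alpha = 1 means d = d_1 + d_2 - N, hence d < d_1
            "leaks_d_below_d1": alpha == 1}
```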

13/22 Our Attack: (t+1)-ary Search
Adversary A corrupts M_1, M_2, ..., M_t (w.l.o.g.). Signing group G_p = {1, 2, ..., t, p}, where p > t.
- A learns whether d ≥ D_p or d < D_p, where D_p is [definition not preserved in the transcript]
- During proactive updates, A can choose ss_1, ss_2, ..., ss_t s.t. [condition not preserved in the transcript]
- Every round reveals log_2(t+1) MSBs of d
- (t+1)-ary search recovers d in [number of] rounds
[Figure: number line 0 ... D_p1 ... D_p2 ... D_pt ... N]

14/22 Optimal Choice of New Shares
Solve the following set of deterministic equations for ss_1, ss_2, ..., ss_t: [equations not preserved in the transcript]

15/22 URSA Proactive Update Simplified
Classic protocol; Herzberg et al. [Crypto'95]
- Update the shares but keep the same group secret d
- A set of at least t+1 members update the polynomials
- Each M_i chooses a random polynomial δ_i(z) of degree t s.t. δ_i(0) = 0
- M_j gives δ_j(i) to M_i
- M_i's new share becomes ss_i (old share was ss_i')
- ss_i' is deleted

16/22 Adversarial Behavior in Share Update
- B: the t members corrupted by A
- M_b ∈ B: the member who "speaks last"
- Update polynomial and new shares are computed as [formulas not preserved in the transcript]
- M_b waits until it receives all other shares and chooses its polynomial δ_b(z) s.t. [condition not preserved in the transcript]
- This sets A's shares to be ss_1, ss_2, ..., ss_t

17/22 Speeding-up the Attack
- Attack requires r = [value not preserved] rounds
- Recover the last 40 bits of d by brute force given the RSA public key (e, N): r = [value not preserved]
- Apply known results on RSA partial key exposure; Boneh, et al. [AC'01], Blomer-May [Crypto'03]. Thm1: log_2(e) MSBs of d determine the 512 MSBs: r = [value not preserved]
- e.g., for t = 7, |N| = 1024: e = 65537 gives r = 163; e = 3 gives r = 158

18/22 Speeding-up the Attack
[Chart: number of proactive update rounds required for a given log_N(e) value, for t = 7 and |N| = 1024]

19/22 Attack Assumptions
1. The adversary corrupts t members of the update group Ω, one of whom "speaks last".
2. In every round, t runs of the signing protocol are executed, the signing groups consisting of all bad players and one (distinct) good player.

20/22 Insecurity of URSA
- For a modest threshold t = 7, |N| = 1024 and e = 65537, the attack requires 163 proactive update rounds and a total of 1148 runs of the signing protocol
- The leakage is very fast: e.g., in just 34 rounds, 600 MSBs of d are revealed
- Other, faster attacks are possible with signing groups consisting of fewer than t bad players

21/22 Positive Result in a Related Work
Jarecki and Saxena [in submission]
- The URSA proactive RSA scheme (plus robustness fix) with additive secret sharing is provably secure
- 2-4 times faster than the state-of-the-art Rabin's proactive RSA [Crypto'98]
- However, not applicable for access control in ad hoc groups
Open problem: to design a provably secure proactive RSA scheme that yields an efficient access control mechanism for ad hoc groups!!

22/22 Thank You!

25/22 Speeding-up the Attack
- Thm2: For prime e ∈ [2^m, 2^(m+1)], with m ∈ [|N|/4, |N|/2], m MSBs of d determine d
- Thm3: For e ∈ [2^m, 2^(m+1)] and a product of at most r primes, with m ∈ [|N|/4, |N|/2], m MSBs determine d given the factorization of e
- Thm4: For e ∈ [N^0.5, N^0.25], [number of] MSBs of d determine d, where α = log_N(e)

26/22 Our Attack: (t+1)-ary search
Adversary A corrupts M_1, M_2, ..., M_t (w.l.o.g.). Signing group G_p = {1, 2, ..., t, p}, where p ∈ [t+1, 2t].
Recall: the signing protocol reveals α(G_p).
- Compute S_p [definition not preserved in the transcript]
- If S_p ≥ α(G_p) N, A learns d ≥ D_p
- Otherwise, if S_p < α(G_p) N, A learns d < D_p
During proactive updates, A chooses ss_1, ss_2, ..., ss_t such that [condition not preserved in the transcript].
- Every round reveals log_2(t+1) MSBs of d
- (t+1)-ary search recovers d in [number of] rounds
[Figure: number line 0 ... D_(t+1) ... D_(t+2) ... D_2t ... N-1]