1 Secret Handshakes or Privacy-Preserving Interactive Authentication Gene Tsudik University of California, Irvine joint work with: Claude Castelluccia,


1 Secret Handshakes or Privacy-Preserving Interactive Authentication
Gene Tsudik, University of California, Irvine
Joint work with: Claude Castelluccia, Stanisław Jarecki, Shouhuai Xu, Samad Nasserian

2 Motivation
- Privacy is being gradually eroded
  - Cameras everywhere
  - Search engines keep data
  - Stores keep track of habits via affinity cards
  - Libraries keep records of books checked out
- Need privacy-preserving services
  - E-cash
  - Anonymous email
  - Anonymous signatures (e.g., group signatures)
  - Information delivery
  - Trust negotiation
  - Authentication
- Our focus: private (unobservable) authentication

3 Example setting
- Alice and Bob meet in a crowded network
- All communication is observable
- Man-in-the-middle attacks possible
- Alice is an FBI agent
- Bob is an FBI agent
- They cannot authenticate publicly…
- Alice will only “speak” with other FBI agents
- Bob will only “speak” with other FBI agents
- How can they authenticate in private?

4 Example setting
- How can they authenticate in private?
- Cannot just exchange signatures
- Cannot simply share a common key
- Cannot even exchange group signatures

5 Encryption: The General Idea
- Bob holds message m and sends ciphertext c to Alice
- Alice decrypts m from c
- The adversary observes c
- Adversary cannot get m from c!

6 Public Key Encryption
- Key generation procedure: Alice’s secret decryption key K_S, Alice’s public encryption key K_A
- Bob (holds message m and K_A): c = Enc(K_A, m)
- Alice: m = Dec(K_S, c)
- Adversary (sees K_A and c):
  - computing m from K_A and c is infeasible
  - computing even one bit of m is infeasible
  - deciding if m = m’ from (K_A, c) is infeasible
  - [list of useful security needs still growing…]
- Problem: How does Bob know that K_A is Alice’s public key?

7 Public Key Infrastructure [PKI]: Certification Authority generates keys
- Certification Authority (CA) generates Alice’s secret key K_s and Alice’s public key K_a: cert_A = SIG_CA{K_a, Alice}
- Bob (knows CA’s public key) verifies CA’s signature cert_A on K_a
- Bob: c = Enc(K_a, m)
- Alice: m = Dec(K_s, c)

8 [PKI]: Users Generate Keys Independently
- Alice generates her secret-public key pair (K_s, K_a) on her own
- Alice gives the Certification Authority (CA): K_a + “physical authentication”
- CA issues cert_A = SIG_CA{K_a, Alice}
- Alice gives Bob: (Alice, K_a, cert_A)
- Bob (knows CA) verifies CA’s signature cert_A on {K_a, Alice}
- Bob: c = Enc(K_a, m)
- Alice: m = Dec(K_s, c)

9 Using a PKI: Authentication
- Alice generates secret-public key pair (K_s, K_a) on her own
- Alice gives the Certification Authority (CA): K_a + “physical authentication”
- cert_A = SIG_CA{K_a, Alice}
- Alice gives Bob: (K_a, cert_A)
- Bob (knows CA) verifies CA’s signature cert_A on K_a
- Alice gives Bob a proof of knowledge of K_s corresponding to K_a
- Authentication: Bob is sure that he is talking to Alice

10 [PKI]: Authentication Reveals Alice’s Affiliation
- Alice’s CA: UCI (public key UCI)
- Alice generates secret-public key pair (K_s, K_a) on her own
- Alice gives UCI: K_a + “physical authentication”
- cert_A = SIG_UCI{K_a, Alice}
- Alice gives Bob: (K_a, cert_A) and a proof of knowledge of K_s corresponding to K_a
- Bob (knows UCI) verifies UCI’s signature cert_A on K_a and learns that Alice is at UCI

11 Traditional Public Key Authentication offers: No Affiliation Privacy
- Alice, UCI student: cert_A = SIG_UCI{Alice’s public key K_a}
- Bob, FBI agent
- Alice gives Bob a proof of knowledge of K_s corresponding to K_a
- Alice’s affiliation is publicly revealed by her certificate
- Can Alice reveal her affiliation only to FBI members?
- Can Bob keep his affiliation private too?

12 Public Key Authentication (changing the terms)
- Alice, UCI student: cert_A = SIG_UCI{K_a}
- Bob, FBI agent
- Alice’s PKInfo: K_a and affiliation UCI
- Alice gives Bob a proof of knowledge of UCI’s cert on K_a
- On input UCI and K_a, Bob verifies the proof
- Can Alice reveal her affiliation only to FBI members?

13 Public Key Authentication: The Problem of Affiliation Privacy
- Alice, UCI student: cert_A = SIG_UCI{K_a}, Policy_A = {FBI}
- Bob, FBI agent
- Alice’s PKInfo: K_a and affiliation UCI
- Alice gives Bob a proof of knowledge of UCI’s cert on K_a
- On input UCI and K_a, Bob verifies the proof
- Can Alice reveal her affiliation only to FBI members?
- Can she hide this policy from other parties?
- (and vice versa for Bob?)

14 Public Key Authentication: The Problem of Affiliation Privacy
- Alice: cert_A = SIG_UCI{K_a}, Policy_A = {FBI}
- Bob: cert_B = SIG_FBI{K_b}, Policy_B = {UCI}
- Alice’s PKInfo: K_a, with a proof of knowledge of UCI’s cert on K_a
- Bob’s PKInfo: K_b, with a proof of knowledge of FBI’s cert on K_b
- Can Alice reveal her affiliation only to FBI members?
- Can she hide this policy from other counterparties?
- (and vice versa for Bob?)

15 Secret Handshakes via “Encrypted Authentication”
- Alice: cert_A = SIG_UCI{K_a}, Policy_A = {FBI}
- Bob: cert_B = SIG_FBI{K_b}, Policy_B = {UCI}
- Alice’s PKInfo: K_a; Bob’s PKInfo: K_b
- Messages in the diagram:
  - Enc_PK(FBI,K_b){proof of knowledge of SIG_UCI{K_a}, n_A} (encryption key derived for (FBI, K_b); signature = decryption key)
  - n_A
- Requirements:
  - 1: signatures must work as decryption keys
  - 2: ciphertexts must hide Cert. Signer assumed in encryption
  - 3: public key info must hide Cert. Signer too
- Can Alice reveal her affiliation only to FBI members?
- Can she hide this policy from other counterparties?
- (and vice versa for Bob?)

16 Secret Handshakes with “CA-oblivious” or “Signature-Based” Encryption
- Alice: cert_A = SIG_UCI{K_a}, Policy_A = {FBI}
- Bob: cert_B = SIG_FBI{K_b}, Policy_B = {UCI}
- Alice’s PKInfo: K_a; Bob’s PKInfo: K_b
- Messages in the diagram:
  - Enc_PK(FBI,K_b){proof of knowledge of SIG_UCI{K_a}, c_A, n_A}
  - Enc_PK(UCI,K_a){proof of knowledge of SIG_FBI{K_b}, c_B, n_B}, c_A
  - c_B
- In addition, can derive a shared key K = f(n_A, n_B)
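
Added example (not from the slides or the cited papers): a minimal Python sketch of "signature = decryption key" in the discrete-log setting with Schnorr signatures that the Recent Results slide names. The toy group, the hashed-ElGamal encryption, and all function and pseudonym names are assumptions chosen for illustration; the proofs of knowledge and the challenges c_A, c_B are omitted, so it shows only key derivation and K = f(n_A, n_B).

```python
import hashlib, secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime), constructed for the demo: NOT secure
G, N = 3, P - 1  # base and exponent modulus (Fermat: G^(P-1) = 1 mod P)

def H(*parts):
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def ca_keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)                      # (secret, public)

def issue_cert(ca_sk, pseudonym):
    # Schnorr signature (w, t) on the pseudonym; w is shown to peers, t stays secret
    k = secrets.randbelow(N - 1) + 1
    w = pow(G, k, P)
    return {"id": pseudonym, "w": w, "t": (k + ca_sk * H(w, pseudonym)) % N}

def derive_pk(ca_pk, peer):
    # G^t computed from public data only; matches peer's t only if ca_pk signed peer
    return peer["w"] * pow(ca_pk, H(peer["w"], peer["id"]), P) % P

def pad(elem, n):
    return hashlib.sha256(str(elem).encode()).digest()[:n]

def enc(pk, msg):                               # hashed ElGamal under the derived key
    r = secrets.randbelow(N - 1) + 1
    return pow(G, r, P), bytes(a ^ b for a, b in zip(msg, pad(pow(pk, r, P), len(msg))))

def dec(t, ct):                                 # the signature value t is the decryption key
    c1, c2 = ct
    return bytes(a ^ b for a, b in zip(c2, pad(pow(c1, t, P), len(c2))))

def handshake(a, a_policy_ca, b, b_policy_ca):
    # each side encrypts a nonce to the key its own policy implies for the peer
    n_a, n_b = secrets.token_bytes(16), secrets.token_bytes(16)
    to_b = enc(derive_pk(a_policy_ca, b), n_a)
    to_a = enc(derive_pk(b_policy_ca, a), n_b)
    k_a = hashlib.sha256(n_a + dec(a["t"], to_a)).hexdigest()   # K = f(n_A, n_B)
    k_b = hashlib.sha256(dec(b["t"], to_b) + n_b).hexdigest()
    return k_a, k_b

def demo():
    (uci_sk, uci_pk), (fbi_sk, fbi_pk), (oth_sk, _) = ca_keygen(), ca_keygen(), ca_keygen()
    alice = issue_cert(uci_sk, "pseudonym-A")   # certified by UCI, policy {FBI}
    bob = issue_cert(fbi_sk, "pseudonym-B")     # certified by FBI, policy {UCI}
    eve = issue_cert(oth_sk, "pseudonym-E")     # certified by an unrelated CA
    ok = handshake(alice, fbi_pk, bob, uci_pk)
    bad = handshake(alice, fbi_pk, eve, uci_pk)
    return ok[0] == ok[1], bad[0] == bad[1]
```

Neither w nor the ciphertext names a CA: a peer whose certificate comes from a different signer simply decrypts to garbage and ends up with a different key.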

17 Outstanding Issues
- Pseudonym re-use → linkability (constant # of pseudonyms; must be replenished periodically)
- Size of revocation information (#pseudonyms * #revoked)
- O(n^2) for n certificates and n policies
- How to do group handshakes?

18 Recent Results
- Balfanz, et al. (S&P 2003)
  - BGDH assumption (bilinear maps)
- Castelluccia, et al. (Asiacrypt 2004)
  - discrete log assumption (Schnorr signatures)
- Holt, Seamons (ACM CCS 2004)
  - Hidden credentials
- Xu and Yung (CCS 2004)
  - k-anonymity [XY’04]
- Xu and Tsudik (in submission)
  - framework supporting reusable credentials, group handshakes
  - (1) Group Signatures + (2) Group Key Agreement + (3) Centralized Group Key Distribution

19 Questions?

