Systems Architecture Anonymous Key Agreement Dominik Oepen 11.06.2008.


1 Systems Architecture http://sar.informatik.hu-berlin.de Anonymous Key Agreement Dominik Oepen 11.06.2008

2 2 May 2006 - 2 Systems Architecture http://sar.informatik.hu-berlin.de Table of contents
• Introduction
• Key exchange in the original OR protocol
• Telescoping
• Bilinear pairings
• Boneh-Franklin setup
• Single pass protocol
• Lambda pass protocol
• Lessons learned

3 Introduction
• Communication over the Internet is generally non-anonymous
• Techniques like SSL/TLS or SSH only protect the content of a message
• Who is talking to whom can easily be deduced from the source and target IP addresses
• Onion routing networks aim at protecting the user's privacy by allowing him to communicate without revealing his identity

4 Onion routing networks
• Onion routing networks protect their users' identity by relaying traffic over various proxies, called onion routers (ORs)
• The route of ORs is called a circuit
Source: http://www.torproject.org/overview.html.en

5 Message encryption
• The user shares a symmetric key with each OR
• Each message is wrapped in one layer of encryption per OR (hence the name onion routing)
• Every OR removes one layer of encryption
• The last OR (called the exit node) forwards the message to its destination
Source: http://sarwiki.informatik.hu-berlin.de/The_Second-Generation_Onion_Router

6 Onion Routing Networks
• The ORs only know their predecessor and successor
• Therefore the path of a packet cannot be reconstructed
• The user remains anonymous
• Other mechanisms need to be used to protect the message on its way from the exit node to the target (or from malicious exit nodes)

7 TOR
• TOR = The Onion Router
• Probably the most widespread implementation of onion routing
• Work on onion routing networks has been done since 1995
• Work was funded by DARPA, among others
• In 2003 “TOR: The second generation onion router” went online
• Mastermind: Roger Dingledine

8 The TOR threat model
• TOR does not protect against an adversary who controls the entire network
• TOR aims at frustrating an adversary who has control over a fraction of the network
• Timing attacks might still be possible
• TOR offers anonymity only at layer 3 (network layer)
• Users need to take care of cookies, JavaScript, HTTP Referer headers, etc.

9 Problems
• How is the circuit constructed?
• How are the keys exchanged between Alice and the ORs?
• She has to exchange a key with each OR, but they must not learn her identity

10 The original onion routing approach

11 The original onion routing approach
• Each OR has a private and a public key
• Public keys and a list of available onion routers are distributed via a directory server
• The user obtains a signed list of ORs and corresponding public keys from a directory server
• Then he randomly chooses nodes (normally three) for constructing a circuit

12 The original onion routing approach
• He constructs a packet (called an onion) containing:
  - A symmetric key for each OR
  - The destination of the next node
• Each layer of the onion is encrypted with the public key of the corresponding OR
• Complexity: Encryptions

13 The original onion routing approach
• Problem:
  - An attacker can record the encrypted traffic
  - He can then infiltrate the ORs of the circuit one by one, learning their private keys
  - In the end he knows the route (and possibly the content of the messages)
• We're looking for a protocol that provides forward secrecy
  - That means an attacker cannot learn the route of a packet by infiltrating the nodes at some later point in time

14 The original onion routing approach
• The original onion routing protocol can easily be changed to provide forward secrecy
• Nodes regularly have to generate new public/private keys and safely discard the old ones
• This means that the nodes and the users frequently have to contact the directory servers
• This leads to high overhead and is therefore inefficient

15 Telescoping

16 The TOR approach
• The (2nd generation) TOR protocol tries to solve some issues of the original onion routing protocol
• Lowers the load of the directory servers
• Provides forward secrecy
• The TOR circuit construction algorithm is called Telescoping
• Uses the Diffie-Hellman key exchange

17 Diffie-Hellman
• Establishing a shared secret between two parties, without sending it over the wire
• Both parties contribute to the established key
• An attacker cannot derive the key by eavesdropping on the communication
• Based on the discrete logarithm problem

18 Diffie-Hellman – The math
Source: http://de.wikipedia.org/wiki/Diffie-Hellman-Schl%C3%BCsselaustausch

19 Telescoping
• The user performs a Diffie-Hellman key exchange with the first node, establishing a symmetric key
• Using this key and relaying traffic over the first node, he performs a DH key exchange with the second node
• He continues until the circuit is constructed

20 Telescoping
• Merits:
  - Directory servers are only needed so users can learn the addresses of the nodes => low load
  - If the nodes drop the established keys when the communication is finished, the route cannot be reconstructed => forward secrecy
  - Telescoping can handle nodes that are not accepting connections
• Flaws:
  - High latency for circuit construction ( Encryptions)
  - A new circuit is constructed every time the user contacts another host
  - => Circuit construction latency is crucial for the performance of TOR
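
Telescoping as described on the two slides above, sketched as an added Python example (not code from the presentation or from TOR). The toy DH group, the SHA-256 keystream standing in for the layer cipher, and all class and function names are assumptions; authentication of the ORs is left out.

```python
import hashlib
import secrets

P, G = 2**127 - 1, 3   # toy DH group (assumption): prime, but far too small for real use

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def kdf(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def layer(key, data):
    # Toy stream cipher (SHA-256 in counter mode); applying it twice removes it.
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class OnionRouter:
    def __init__(self):
        self.key = None
    def handshake(self, client_pub):
        y, pub = dh_keypair()                # fresh, per-circuit DH secret
        self.key = kdf(pow(client_pub, y, P))
        return pub
    def peel(self, cell):
        return layer(self.key, cell)
    def close_circuit(self):
        self.key = None                      # dropped key => forward secrecy

def wrap(keys, cell):
    for k in reversed(keys):                 # innermost layer belongs to the last hop
        cell = layer(k, cell)
    return cell

def relay(routers, cell):
    for r in routers:                        # each hop removes exactly one layer
        cell = r.peel(cell)
    return cell

def build_circuit(routers):
    """Extend hop by hop; the DH value for hop i travels through hops 0..i-1."""
    keys = []
    for i, router in enumerate(routers):
        x, pub = dh_keypair()
        cell = relay(routers[:i], wrap(keys, pub.to_bytes(16, "big")))
        reply = router.handshake(int.from_bytes(cell, "big"))
        keys.append(kdf(pow(reply, x, P)))   # layering of the reply path omitted
    return keys
```

The circuit needs one DH round trip per hop, each routed through all earlier hops, which is the construction latency listed under the flaws.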

21 Bilinear Pairings

22 Bilinear Pairings
• Consider two additive cyclic groups G and Ġ and a multiplicative cyclic group GT, all of the same prime order n.
• A bilinear map e is a map e: G × Ġ → GT with the following properties:
  1. Bilinearity:
  2. Non-degeneracy: The map does not send all pairs in G × Ġ to unity in GT
  3. Computability: There is an efficient algorithm to compute e(P, Q) for any P ∈ G and Q ∈ Ġ.
• Symmetric bilinear pairing: G = Ġ
• Example: The modified Weil pairing over elliptic curve groups

23 The bilinear Diffie-Hellman assumption
• Given such a pairing, the bilinear Diffie-Hellman (BDH) problem is to compute ∈ GT given a generator P of G and elements
• An equivalent formulation of the problem, due to the bilinearity of the map, is to compute given a generator P of G, and elements A, B and cP in G.
• If there is no efficient algorithm to solve the BDH problem for G, GT, e, they are said to satisfy the BDH assumption.

24 Boneh-Franklin setup
• Private key generator (PKG) issues private keys to the nodes, where s is a master secret, and H: {0,1}* → G*
• Two nodes can compute a shared key: with
• Only the two nodes and the PKG know this key

25 Boneh-Franklin setup
• By replacing the IDs used in the Boneh-Franklin setup with pseudonyms we can achieve anonymity
• Pseudonym: , where is a random number out of
• New corresponding private key:
• Key exchange:
• Compatible with non-anonymous participants:
• Implicit key authentication: Only the owners of and can compute the keys

26 Pairing based key agreement
Single pass pairing based circuit construction

27 Pairing based onion routing
Forward secrecy in a pairing based onion routing network:
• Two crucial time-scale parameters:
  - Master key validity period (MKVP): Exposure time of the master secret s
  - Private key validity period (PKVP): Exposure time of a circuit against compromise of the ORs
• After each PKVP ORs drop their private keys, after each MKVP the master secret (and therefore all private keys) is discarded
• PKVP approximately on the order of hours, MKVP on the order of days

28 Pairing based onion routing
A pairing based onion routing protocol:
• PKG setup:
  - Private/public keys for signatures
  - Bilinear pairing: Prime number n, groups G, Ġ and GT, map e and hash function H
  - For every MKVP the PKG generates a random master secret s, a random U ∈ G (shared value for all users of the system) and computes sU
  - It publishes the signed tuple

29 Pairing based onion routing
• User setup:
  - The user obtains from an OR or a website, where v_m is a timestamp
  - Every PKVP v, the user computes: for each OR, with Q_vi = H(v | OR_i)

30 Pairing based onion routing
• Circuit construction:
  - For each OR the user generates a random number, generates a pseudonym and derives a forward key
  - He constructs the following onion to construct the circuit:
  - Any OR that receives the onion calculates: and derives the keys
  - The rest of the protocol works just like the TOR protocol

31 Pairing based onion routing
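
A toy run of the single pass key agreement from the preceding slides, added here as an illustration and not taken from the presentation. The formulas on the slides did not survive, so the key computations e(sU, Q)^r on the user side and e(rU, sQ) on the OR side are assumed from the standard pairing based construction; the pairing is an insecure scalar model with constructed parameters, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy symmetric pairing (INSECURE, illustration only): an element aP of G is
# represented by the scalar a mod N, so discrete logs in G are trivial.
P_MOD = 2879   # safe prime, P_MOD = 2*N + 1 (constructed parameters)
N = 1439       # prime order n of G and GT
G_T = 4        # generator of the order-N subgroup of Z_p*, playing the role of GT

def pairing(a, b):
    """e(aP, bP) = g^(ab): bilinear and non-degenerate."""
    return pow(G_T, a * b % N, P_MOD)

def hash_to_group(label):
    """H: {0,1}* -> G*, here a non-zero scalar mod N."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % (N - 1) + 1

def kdf(gt_elem):
    return hashlib.sha256(str(gt_elem).encode()).hexdigest()

class PKG:
    def __init__(self):
        self.s = secrets.randbelow(N - 1) + 1   # master secret for this MKVP
        self.U = secrets.randbelow(N - 1) + 1   # shared public value U
        self.sU = self.s * self.U % N           # published together with U
    def extract(self, period, or_name):
        # Private key of an OR for validity period v: d = s * H(v | OR)
        return self.s * hash_to_group(f"{period}|{or_name}") % N

def user_key(U, sU, period, or_name):
    """User side: random r, pseudonym rU, session key from e(sU, Q)^r."""
    r = secrets.randbelow(N - 1) + 1
    q = hash_to_group(f"{period}|{or_name}")
    return r * U % N, kdf(pow(pairing(sU, q), r, P_MOD))

def or_key(pseudonym, d):
    """OR side: session key from e(rU, d), using only the pseudonym and d."""
    return kdf(pairing(pseudonym, d))
```

The OR sees only the pseudonym rU, never an identity of the user, and once it drops d at the end of the PKVP it can no longer recompute the key.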

32 Single pass pairing based protocol
• Merits:
  - Each user only needs to obtain one single authenticated value on his own => low load on service provider
  - Lower overhead than telescoping
  - Circuits can be changed on the fly
• Flaws:
  - The PKG needs to be more trusted than TOR's directory servers
  - Only eventual forward secrecy, not immediate

33 Distributed PKG
• The PKG knows the master secret s and therefore can decrypt all messages in the system
• Thus the PKG is a single point of failure
• To mitigate this risk one can use a distributed PKG
• Two possible solutions:
  - t out of m Shamir secret sharing: the master secret is distributed among m PKGs, any t+1 can compute it or generate a client's private key
  - Completely distributed PKG: each of m PKGs provides a random share for the master secret, but at any given time only t+1 PKGs need to be online to retrieve a client's private key
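
The first option, sketched as an added Python example that is not part of the original slides: the master secret is shared with a degree-t polynomial, and t+1 PKGs can either recover it or jointly issue a private key without any of them reconstructing s. The modulus, the function names and the scalar stand-in for the group element Q_ID are assumptions.

```python
import secrets

Q = 2**127 - 1   # prime modulus standing in for the group order n (toy size)

def split(secret, t, m):
    """Share `secret` among m PKGs with a random degree-t polynomial f, f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):           # Horner evaluation mod Q
            acc = (acc * x + c) % Q
        return acc
    return [(i, f(i)) for i in range(1, m + 1)]

def combine(points):
    """Lagrange interpolation at x = 0 over the points (x_i, y_i)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * -xj % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def partial_key(share, q_id):
    """One PKG's contribution s_i * Q_ID; Q_ID is a scalar in this toy group,
    a curve point multiplied by s_i in a real pairing group."""
    x, s_i = share
    return x, s_i * q_id % Q
```

Because interpolation is linear, `combine` applied to t+1 partial keys yields s * Q_ID directly, so the client receives its private key while s itself is never assembled in one place.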

34 Lambda pass circuit construction

35 Lambda pass circuit construction
• Immediate forward secrecy:
  - Compromise of an OR's private key must not allow any information about the circuit path to be recovered
  - After the circuit is destroyed and the keys are dropped it should not be possible to reconstruct the key
  - Both parties should contribute randomness to the shared key
• This is not possible in a single pass protocol
• Therefore the single pass circuit scheme only provides eventual forward secrecy (forward secrecy is achieved after each PKVP)

36 Lambda pass circuit construction
• To achieve immediate forward secrecy, we extend our single pass protocol to a lambda pass protocol
• At the beginning of the circuit construction the user chooses λ ORs (with λ < l)
• The user forms a TLS connection with
• The user forms an onion according to the single pass protocol with OR_λ2 as the exit node

37 Lambda pass circuit construction
• OR_λ2 generates:
• OR_λ2 sends a confirmation message along with his new pseudonym to the user and forgets
• The user continues until he has established keys with all nodes

38 Lambda pass circuit construction

39 Lambda pass circuit construction
• The reward:
  - Even if an attacker manages to corrupt some of the ORs' private keys, he cannot link the λ parts of the circuits together
  - We achieve immediate forward secrecy at λ nodes

40 Performance considerations

41 Conclusions
• The main drawback of today's onion routing techniques is performance
• There are several methods for anonymous key agreement, which differ in performance, overhead and provided security
• Bilinear pairings seem to offer a method for achieving good performance while keeping overhead low
• Using a distributed PKG and a λ-pass circuit construction we can meet high security standards at a good performance level

