Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth Dan Boneh Brent Waters.

Published byAshley Conley Modified over 9 years ago

Similar presentations

Presentation on theme: "Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth Dan Boneh Brent Waters."— Presentation transcript:

1 Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth Dan Boneh Brent Waters

2 Private Broadcast Encryption Make data available to select principals –Encrypt the data to those principals Often important to hide the set of principals –BCC recipients in encrypted email –Customer list (hide from competitors) –Promotion committee can read evaluations Private broadcast encryption –Recipient privacy against active attackers

3 Related Work Key privacy in public-key setting [BBDP01] –IK-CCA: Ciphertext does not leak public key Attacker viewing ciphertext encrypted under one of two public keys cannot guess which key was used –Cramer-Shoup is IK-CCA (with common prime) –Important building block for recipient privacy Previous broadcast encryption systems –Increasing collusion resistance –Reducing ciphertext overhead –We focus on hiding recipient set

4 Our Results Generic construction (standard model) –Achieves CCA recipient privacy –Uses generic IK-CCA public-key system –Decryption time is linear in number of recipients Efficient construction (random oracle) –Achieves CCA recipient privacy –Assumes CDH is hard –Decryption in O(1) cryptographic operations

5 Broadcast Systems in Practice Microsoft Outlook –Encrypted email as a broadcast system –Outlook completely reveals BCC recipients issuerAndSerialNumber –BCC recipients’ names can appear in the clear –Could send separate message for email Windows Encrypted File System Pretty Good Privacy (PGP) –GnuPG as an example implementation

6 Pretty Good Privacy? Message encrypted with symmetric key, K K encrypted for each recipient To speed decryption, components labeled with KeyIDs –Hash of public key User identities completely revealed { } K A: B: C: {K} pk(A) {K} pk(B) {K} pk(C)

7 Recipient Privacy in PGP PGP labels encryptions using a KeyID C:\gpg>gpg --verbose -d message.txt gpg: armor header: Version: GnuPG v1.2.2 (MingW32) gpg: public key is 3CF61C7B gpg: public key is 028EAE1C KeyIDs easily translated into names and email addresses using a public key server GPG includes option to withhold KeyIDs –Vulnerable to passive recipient privacy attack

8 Security Model

9 Private Broadcast Encryption I  Setup( ) –Generates global parameters I (pk, sk)  Keygen(I) –Generates public-private key pairs C  Encrypt(S, M) –Encrypts plaintext M for recipient set S M  Decrypt(sk, C) –Decrypts ciphertext C with private key sk

10 CPA Recipient Privacy Defined Global Parameter S 0 and S 1 S 0 and S 1 subsets of {1, …, n} such that |S 0 | = |S 1 | AdversaryChallenger All public keys Secret keys for S 0  S 1 b  R {0,1} M encrypted for S b as C* Guess b’ Adversary wins if b’ = b Some schemes vulnerable with large overlap, whereas others are vulnerable with small overlap

11 Simple CPA Recipient Privacy Remove labels Use key-private scheme Reorder components O(n) decrypt time CPA recipient privacy But, active attack… –Even with IK-CCA A: B: C: {K} pk(A) {K} pk(B) {K} pk(C) B: A: C: X X X { } K {K} pk(B) {K} pk(A) {K} pk(C)

12 { } K Active Attack on Simple Scheme Attacker a recipient –Learns K Replaces message with something alluring Forwards malicious message to Alice Waits for response Receives response only if Alice was a recipient {K} pk(B) {K} pk(A) {K} pk(C)

13 CCA Recipient Privacy Defined Global Parameter S 0 and S 1 S 0 and S 1 subsets of {1, …, n} such that |S 0 | = |S 1 | AdversaryChallenger All public keys Secret keys for S 0  S 1 b  R {0,1} M encrypted for S b as C* Guess b’ Adversary wins if b’ = b Decrypt query on (u, C) (C  C*)

14 Constructions

15 Primitives Used in Constructions Strong correctness –Decrypting with wrong key results in  Strong signatures –Attacker cannot create a new signature –Even on a previously signed message –Example: RSA full-domain hash CCA key private (IK-CCA) cryptosystem –Ciphertext does not leak public key

16 Generic CCA Construction Start with CPA scheme Generate a fresh signing key pair (vk, sk) Include verification key, vk, in each component Sign the ciphertext Thm: CCA recipient private O(n) decryption time {, K} pk(B) {, K} pk(A) {, K} pk(C) { } K  vk

17 Added Primitives for Efficiency A group G where CDH is hard –Extend public keys with g a, private keys with a Model hash function as a random oracle –Use extraction property to break CDH –Use DH self-corrector [Shoup97]

18 Ciphertext Component Labels Speed decryption with private labels To make labels for every component: –Pick a single fresh exponent r –Include g r in the ciphertext –Label component for (pk, g a ) with H(g ar ) Each recipient computes own label with g r and a –Attacker can not associate H(g ar ) with g a Still need to tie labels to verification key… –Include g ar in ciphertext components

19 Efficient CCA Construction Thm: CCA recipient private (in RO model) O(1) cryptographic operations for decryption {vk,, K} pk(B) {vk,, K} pk(A) {vk,, K} pk(C)  {M}K{M}K H(g br ): H(g ar ): H(g cr ): g br g ar g cr, g r

20 Conclusions Many widely-deployed content distribution systems lack recipient privacy –Email and encrypted file systems Introduced private broadcast encryption –Recipient privacy against an active attacker –Performance similar to non-private schemes Open problem: private broadcast encryption with shorter ciphertext

21 Questions?

22 Broadcast Semantics of Email Mail User Agent (MUA) Mail Transfer Agent (MTA) Recipient MTA Recipient

23 BCC privacy in S/MIME S/MIME label is the RecipientInfo field. Label consists of the issuer and serial number of the recipient’s certificate Self-signed certificate: –Full name and email address in the clear 444:d=9 hl=2 l= 3 prim: OBJECT :commonName 449:d=9 hl=2 l= 11 prim: PRINTABLESTRING :Henry Kyser 462:d=7 hl=2 l= 32 cons: SET 464:d=8 hl=2 l= 30 cons: SEQUENCE 466:d=9 hl=2 l= 9 prim: OBJECT :emailAddress 477:d=9 hl=2 l= 17 prim: IA5STRING :h9565@hotmail.com VeriSign certificate: identity at verisign.com

24 BCC Privacy by User Agent Completely ExposesPartially RevealsProtects Identity Apple Mail.app 2.622 Outlook 2003 Outlook Express 6 Thunderbird 1.02 Outlook Web Access EudoraGPG 2.0 GPGshell 3.42 HushmailKMail 1.8 PGP Desktop 9.0 Turnpike 6.04 S/MIME-based PGP-based

25 Sending Separate Encryptions Sending separate encryptions provides BCC privacy Advantages of separate encryptions –Can be deployed immediately and unilaterally –Conceals the number (and existence of) BCC recipients Disadvantages of separate encryptions –Difficult to implement for MUA plug-ins such as EudoraGPG –Increases MTA workload and network traffic

Download ppt "Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth Dan Boneh Brent Waters."

Similar presentations

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.
Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.
Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.
Identity Based Encryption

Identity Based Encryption
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Security Chapter 9 9.1 The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.

Security Chapter The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.
CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.

CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.
Cryptographic Technologies

Cryptographic Technologies
Introduction to Signcryption November 22, 2004. 22/11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.

Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.
Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group
Lecture 12 e-mail Security. Summary  PEM  secure email  PGP  S/MIME.

Lecture 12 Security. Summary  PEM  secure  PGP  S/MIME.
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.

Similar presentations

Ads by Google