Published by Rhoda Grant. Modified over 9 years ago.
1
Towards Mobile Cryptography
Authors: Tomas Sander, Christian F. Tschudin
Presented: Xiang Lin
2
Outline
Security problems of mobile agents
1. How can a mobile agent conceal a function it wants to have executed?
2. How can a mobile agent remotely sign a document without disclosing the user's private key?
Solution:
1. Non-interactive EEF
   1) EEF via Composition Techniques
   2) EEF via Homomorphic Function
2. Undetachable digital signature
Conclusion and Question
3
1. Security problems of MA
Mobile agent
Mobile agents are programs that, together with their data resources, can move in a computer network from host to host in order to carry out their task.
Alice's Home Platform: as a travel agent, she creates 3 agents for her:
1. Shopping agent
2. Jobseeker agent
3. Stock watch agent
But mobile agents haven't been widely used. Why? The security problem.
4
1. Security problems of MA (cont.)
Problem:
- Malicious agent attacks host
- Malicious agent attacks other agents it meets
- Malicious host attacks agent
Solution:
- Agent should have a signature
- Signature verified by host
- Techniques for protecting the execution environment against hostile mobile code
- A public interface for the agent
- Host enforces separation between agents
5
1. Security problems of MA (cont.)
Malicious host attacks agent
Example: Alice wants to fly from Auckland to San Francisco next Sunday. Alice sends out a shopping agent called Mobile Travel Agent to visit the relevant airline servers. The Mobile Agent negotiates, gets the best offers and then returns this information to Alice. Alice decides to buy a ticket. The Mobile Travel Agent digitally signs an order and pays for the best flight for Alice.
Main possible attacks (not all):
1. The agent could be brainwashed by a malicious host, so it forgets the best prices collected before.
2. A malicious host will spy on the user's private key when the agent digitally signs the order.
3. A malicious host will steal the agent's electronic money.
Main sub-problems (not all):
1. Can a mobile agent protect itself against tampering by a malicious host? (code and execution integrity)
2. Can a mobile agent remotely sign a document without disclosing the user's private key? (computing with secrets in public)
3. Can a mobile agent conceal the function it wants to have executed? (code privacy)
The problem is serious but essential.
6
Constraints for a solution to MA security
- Mobile agents should be allowed to execute on untrusted hosts but still have guarantees for their correct execution
- Mobile agents should not require interactive protocols with their originator
- Protection mechanisms should be provably secure
7
1. Security problems of MA (cont.)
Some people say: impossible
"It is impossible to prevent agent tampering unless trusted (and tamper-resistant) hardware... is available." D. Chess et al., IBM, 1995
"It is FUNDAMENTALLY impossible to secure a MA from a malicious host. Therefore don't bother trying!" (summarized by L. Hurst), Security Panel of Mobile Agents'97 Workshop
Based on assumptions:
- Agent carries cleartext data, which can be read and changed
- Agent carries cleartext functions, which can be manipulated
- Agent carries cleartext messages, which can be faked
Reason: The host has full access to the agent's code and data, because the agent code has to be executed by the hosting system.
8
Our Approach
1. Use encrypted data directly.*
2. Execute encrypted functions directly too.
3. Use the undetachable signature technique.
* A new method via EEF has been developed in the article
9
Problem 1: How can a mobile agent conceal the function "f" it wants to have executed?
Use non-interactive EEF (Evaluation of Encrypted Function)
10
Scenario
Alice (Alice's Home Platform): I have a function "f", i.e. evaluating the price of a ticket.
Bob (Bob's Platform): I have an input "x", i.e. the flight fare. I am willing to compute f(x) for Alice.
Alice: But I don't want Bob to learn anything about my "f".
Bob: That's fine. I don't want to know anything about "f". I just want to give you my "x". By the way, you don't need to contact your agent during the computation if you can.
11
How can we realize the EEF?
1. EEF via Composition Techniques
2. EEF via Homomorphic Function
12
1. EEF via Composition Techniques (Scheme)
Parties: Alice's Home Platform and Bob's Platform
(1) Alice randomly picks a rational function "s" and then combines the two functions: E(f) := s ∘ f. She writes a program P(E(f)) which implements E(f) on her home platform.
(2) Alice assigns an agent to carry P(E(f)).
(3) The agent visits Bob, bringing P(E(f)).
(4) Bob provides x, executes P(E(f)) at x and then stores the result P(E(f))(x) in the agent. Bob can actually see the cleartext of the program, but he cannot understand it.
(5) When the agent comes back with P(E(f))(x), Alice applies the inverse function $s^{-1}$: $s^{-1}(E(f)(x))$, and obtains f(x).
Bob provides x, Alice gets f(x): they interact only 2 times.
13
1. EEF via Composition Techniques (cont.)
Limitation:
1. Only proved for rational functions
2. Depends on the difficulty of decomposing E(f) into s and f: no polynomial time algorithm for decomposing multivariate rational functions has been proved.*
* See [18]
14
2. EEF via Homomorphic Function
Parties: Alice's Home Platform and Bob's Platform
(1) Alice encrypts the function "f" as E(f) by using a homomorphic function. She then writes a program P(E(f)) which implements E(f) on her home platform.
(2) Alice assigns an agent to carry P(E(f)).
(3) The agent visits Bob, bringing P(E(f)).
(4) Bob provides x, executes P(E(f)) at x and then stores the result P(E(f))(x) in the agent. Bob can actually see the cleartext of the program, but he cannot understand it.
(5) When the agent comes back, Alice decrypts P(E(f))(x) and obtains f(x).
Bob provides x, Alice gets f(x): they interact only 2 times.
15
Definition in Homomorphism
Homomorphic function: a function that meets the homomorphic property.
*Homomorphic property: f(E(m1;m2)) = g(E(m1;E(m2))); where f and g are functions depending on the cryptosystem used.
Important homomorphic properties on public-key systems:
- multiplicative property: compute E(x*y) from E(x) and E(y) without revealing x and y
- mixed multiplicative property: compute E(x*y) from E(x) and y without revealing x
- additive property: compute E(x+y) from E(x) and E(y) without revealing x and y
* is from James M. Adler, Wei Dai, Richard L. Green, C. Andrew Neff, "Computational Details of the VoteHere Homomorphic Election System"
16
2. EEF via Homomorphic Function (cont.)
PROPOSITION: Let $E: R \to S$ ($R$, $S$ rings) be an additively and mixed multiplicatively homomorphic encryption scheme. Then we can implement non-interactive EEF for polynomials $p \in R[X_1, \dots, X_s]$ with $E$.
Proof: Let $p$ be the polynomial $\sum a_{i_1 \dots i_s} X_1^{i_1} \cdots X_s^{i_s}$.
1. Replace each coefficient $a_{i_1 \dots i_s}$ of $p$ with $E(a_{i_1 \dots i_s})$.
2. Evaluate each monomial of $p$ on the input $x_1, \dots, x_s$; store the values in a list $L := [\dots, (x_1^{i_1} \cdots x_s^{i_s}), \dots]$.
3. Use the mixed multiplicatively homomorphic property to get the list $M := [\dots, E(a_{i_1 \dots i_s} x_1^{i_1} \cdots x_s^{i_s}), \dots]$.
4. Use the additively homomorphic property to add up all the elements.
17
2. EEF via Homomorphic Function (cont.)
DEFINITION: Let $E: \mathbb{Z}/N\mathbb{Z} \to R$ ($R$ a ring) be an additively homomorphic encryption scheme. Then we can implement non-interactive EEF* for polynomials $p \in R[X_1, \dots, X_s]$ with $E$.
The requirements are weakened if the ring Z/NZ is introduced instead: when any E meets the first requirement, it will meet the 2nd automatically if we use the ring Z/NZ.
One characteristic of the ring Z/NZ: every additively homomorphic encryption scheme on Z/NZ is also mixed-multiplicatively homomorphic.
* See [8] for a real EEF example
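The four proof steps, run end to end as an added example that is not from the slides or the paper. It assumes a toy Paillier scheme (additively homomorphic on Z/NZ, so raising a ciphertext to a known power gives the mixed multiplicative property); the primes, the sample polynomial and all function names are constructed for illustration.

```python
import math
import random

def keygen(p=1789, q=1861):
    # Constructed toy primes, far too small for real use.
    n, phi = p * q, (p - 1) * (q - 1)
    return n, (phi, pow(phi, -1, n))      # public n, private (phi, phi^-1 mod n)

def encrypt(n, m):
    # Paillier with g = n + 1:  E(m) = (1 + n)^m * r^n  mod n^2
    r = random.randrange(2, n)
    while math.gcd(r, n) != 1:
        r = random.randrange(2, n)
    return pow(n + 1, m % n, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(n, priv, c):
    phi, phi_inv = priv
    return (pow(c, phi, n * n) - 1) // n * phi_inv % n

def encrypt_poly(n, poly):
    # Step 1 (Alice): replace each coefficient a by E(a).
    # The exponent tuples stay in the clear, so Bob sees which monomials occur.
    return {exps: encrypt(n, a) for exps, a in poly.items()}

def eval_encrypted(n, enc_poly, xs):
    # Steps 2-4 (Bob): needs only the public n and his own input xs.
    acc = 1                                    # 1 is a valid encryption of 0
    for exps, c in enc_poly.items():
        mono = 1
        for x, e in zip(xs, exps):
            mono = mono * pow(x, e, n) % n     # step 2: monomial value
        term = pow(c, mono, n * n)             # step 3: E(a)^m = E(a * m)
        acc = acc * term % (n * n)             # step 4: E(u) * E(v) = E(u + v)
    return acc

def demo():
    n, priv = keygen()
    f = {(2, 1): 3, (0, 1): 5, (0, 0): 7}      # f(x1, x2) = 3*x1^2*x2 + 5*x2 + 7
    agent_payload = encrypt_poly(n, f)         # what the agent carries to Bob
    result = eval_encrypted(n, agent_payload, (4, 9))   # computed on Bob's host
    return decrypt(n, priv, result)            # Alice recovers f(4, 9)

if __name__ == "__main__":
    print(demo())
```

Results are only correct modulo N, so N must exceed the largest value f can take on the inputs of interest.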
18
2. EEF via Homomorphic Function (cont.)
Limitation:
1. Only proved for rational functions
2. Depends on the difficulty of decrypting E(f)
3. Information leakage: reveals a part of the non-zero coefficients of the unencrypted function "p"
19
Problem 2: How can a mobile agent remotely sign a document without disclosing the user's private key?
Use undetachable digital signature techniques
20
Scenario
Alice (Alice's Home Platform, holds the private key): I want my mobile agent to sign the order on Bob's site using my private key.
Bob (Bob's Platform): I can spy on the private key when Alice's mobile agent signs the order.
Alice: Actually, it doesn't matter. I can use EEF to encrypt the signature function "s".
Bob: But there is still a problem. I can use it to sign other documents, though I cannot understand it.
21
Requirements for the solution
1. The signature routine "s" has to be glued unremovably to the data it is supposed to sign.
2. Repeated execution of the mobile program should also not disclose significant information about the signing routine.
22
Outline of undetachable signature method
Goal: The mobile program carries a rational function f and wants to sign the output f(x) with a (private) signing function s.
Notation:
- Digital signature of a message y: s(y)
- Verification function (public): v
- z is a valid signature of y only if v(z) = y
Scheme: Assume the signing function s is a rational function. The signing mobile program for f consists of two parts: $P(f)$ and $P_{signed} := P(s \circ f)$.
y is a correct output of f only if $v(P_{signed}(x)) = y$.
23
Attacks on the undetachable signature method
- Left decomposition attack
  - given h := s ∘ f and f, determine s
- Interpolation attack I
  - the adversary is able to produce (z, v(z))
  - (z, v(z)) = (s(v(z)), v(z))
  - s is a low degree rational scheme
  - s is discoverable using interpolation techniques
- Interpolation attack II
  - the adversary is able to produce (l, s(l))
  - s is a low degree rational scheme
  - s is discoverable using interpolation techniques
- Inversion attack
  - if the adversary is able to find a pre-image x of n under f, i.e. f(x) = n, he can produce a valid signature for n using $f_{signed}(x)$
24
Improved Undetachable Signature Method
Definition:
- $s = (s_1, \dots, s_k) : R^k \to R^k$, a bijective function called the bi-directional map
- $v = (v_1, \dots, v_k) : R^k \to R^k$, the inverse function of s, i.e. $s \circ v = v \circ s = \mathrm{id}_{R^k}$
- Let $f : R^l \to R^t$ be the function whose output we want to be signed
- $G_2, \dots, G_k : R^t \to R$, public functions
- Use $v_2, \dots, v_k$ as the public key for signature verification (NO $v_1$!)
Construction of the signed function:
- Choose a random rational function $r : R^l \to R$
- Build the map $f_{signed} : R^l \to R^k$ with components given by $f_{signed,i} := s_i(r, G_2 \circ f, \dots, G_k \circ f)$, $i = 1, \dots, k$
- Send $(f, f_{signed})$
Execution: get the result $(y := f(x), z := f_{signed}(x))$
Verification: compute $G_i(y)$ and $v_i(z)$, $i = 2, \dots, k$. z is a signature of y iff $v_i(z) = G_i(y)$ for all i.
25
Explanation:
The key is that the adversary doesn't know $r$ and $v_1$.
1) Because the adversary doesn't know r, the left decomposition attack to find $s_i$ from the i-th component of $f_{signed}$ is even harder.
2) Because the adversary doesn't know $v_1$, he cannot compute i/o pairs for the interpolation of $s_i$.
3) Because the adversary doesn't know r, he cannot compute i/o pairs for the interpolation of $s_i$ (second interpolation attack).
4) Even if the adversary is able to invert f, the scheme is not broken: without r he cannot compute pre-images of $(r, G_2 \circ f, \dots, G_k \circ f) : R^l \to R^k$.
26
Conclusions:
- Analyzes and makes concrete the security problems of mobile agents.
- First to achieve an approach (EEF) that effectively hides computations from a malicious host, though it is still limited to polynomials and rational functions.
- Also proposes a method for digital signing by mobile agents without disclosing the private key.
27
Question & Outlook:
- Can this technique actually be applied to arbitrary functions, given that EEF is currently limited to polynomials and rational functions?
- Can we easily find the homomorphic function E(f) for practical use?