Presentation is loading. Please wait.

Presentation is loading. Please wait.

On the Risks of IBE Himanshu Khurana and Jim Basney NCSA, University of Illinois International Workshop on Applied PKC (IWAP), Dalian, China, Nov 2006.

Published byPaul Willis Modified over 9 years ago

Similar presentations

Presentation on theme: "On the Risks of IBE Himanshu Khurana and Jim Basney NCSA, University of Illinois International Workshop on Applied PKC (IWAP), Dalian, China, Nov 2006."— Presentation transcript:

1 On the Risks of IBE Himanshu Khurana and Jim Basney NCSA, University of Illinois International Workshop on Applied PKC (IWAP), Dalian, China, Nov 2006

2 Introduction Identity based cryptography flourishing  Initial work by Cocks, Boneh and Franklin Encrypted email is a killer app for IBE (Identity Based Encryption)  Primary benefit: eliminate key distribution We analyze IBE for Email and argue that:  IBE brings significant risks to email security Stronger trust assumptions Unnecessarily complex cryptosystem  Can easily be replaced by other cryptosystems; e.g., RSA

3 Secure Email with RSA (SMIME) SMIME: {m} PK R PK R Domain ADomain B CA A (SK A, PK A ) CA B (SK B, PK B ) Sender (ID S ) Receiver (ID R ) {PK R } SK B

4 IBE: {m} PK R PK R = f(PK PKG B, ID R, policy) Secure Email with IBE Domain ADomain B PKG A (SK A, PK A ) PKG B (SK B, PK B ) Sender (ID S ) Receiver (ID R ) PK PKG B SK R

5 Benefits of IBE Eliminate User Key Distribution  One key fetch per domain (PKG)  Sender generates public keys of domain users Policy-based encryption  E.g., “open after Monday” Implicit user mobility  Recipient can get private key from any location onto any device

6 Trust Assumptions IBEvs.RSA Fully trusted PKG  Generates private keys Online PKG  Revocation via short- lived keys Weaker end-to-end encryption  PKG can decrypt messages Partially trusted CA  Users generate keys Offline CA  Revocation via CRLs, OCSP Strong end-to-end encryption  Only recipient can decrypt messages

7 IBE Revocation Goal: Minimize extent of compromise IBE time-based sender policy [Boneh03]  How does sender determine appropriate policy?  Requires policy standardization Update domain parameters [Smetters03] Revoke the identity?

8 RSA-based IBE Can we implement IBE for email using RSA? Prior work:  J. Callas. Identity-Based Encryption with Conventional Public-Key Infrastructure. In 4th Annual PKI R&D Workshop, number 7224 in Interagency Reports, pages 102–115. NIST, 2005.  X. Ding and G. Tsudik. Simple Identity-Based Cryptography with Mediated RSA. In CT-RSA, Lecture Notes in Computer Science 2612, Springer, pages 193–210, 2003.

9 IBE with Conventional PKI (Callas, 2005) Recipient Domain PKG (SK PKG ) Sender (ID S ) Receiver (ID R ) (PK R,SK R ) = f(SK PKG,ID R ) SK R {m} PK R PK R ID R

10 IB-mRSA (Ding and Tsudik, 2003) Recipient Domain Sender (ID S ) Receiver (ID R ) Cert Org SEMCA SK R,U SK R,SEM {m} PK R PK R = f(Cert Org,ID R ) {m} PK R {{m} PK R } SK R,SEM

11 Secure Email with IB-MKD (Identity Based - Message Key Distribution) PK KDC Recipient Domain KDC (SK, PK) Sender (ID S ) Receiver (ID R ) KDC = Key Distribution Center {m} k denotes symmetric encryption {x} PK denotes asymmetric encryption {k||ID R ||policy} PK KDC k E(m) E(m) = {{m} k,{k||ID R ||policy} PK KDC }

12 Object-Based Key Distribution (Ford and Wiener, 1994) PK KRA Recipient Domain Key Release Agent (SK, PK) Sender (ID S ) Receiver (ID R ) {k||policy} PK KRA k E(m) E(m) = {{m} k,{k||policy} PK KRA }

13 Analysis IB-MKD achieves IBE benefits, same trust assumptions  Using widely-accepted RSA cryptosystem  Previous RSA-based IBE work fails to do so Protocol differences in IB-MKD  User encrypts with domain public key Highlights weaker notion of end-to-end encryption Does not change security properties  Policy itself is encrypted Additional feature not provided in IBE  Recipient must contact KDC for every message More overhead than IBE but comparable to POP over SSL Provides timely policy evaluation and immediate revocation

14 System Comparison S/MIMEIBEIB-mRSACallasIB-MKD Trusted Entities CA is partially trusted for public key distribution. PKG is fully trusted.CA and SEM are fully trusted. PKG is fully trusted. KDC is fully trusted. End-to-end Encryption CA can’t decrypt messages. PKG can decrypt messages. CA can decrypt messages but SEM cannot. PKG can decrypt messages. KDC can decrypt messages. Encryption Key Fetch One key fetch per recipient. One key fetch per domain. One key fetch per recipient. One key fetch per domain. Decryption Key Fetch Offline. Recipient generates the private key. One key fetch per policy. Contact SEM for partial decryption of each message. One key fetch per policy. Obtain symmetric key from KDC for each message. RevocationOCSP/CRLs.Short-lived keys.Immediate revocation via SEM. Could support short-lived keys. Immediate revocation via KDC. Policy-based Encryption No direct support.Policy included in key generation. No direct support.Could be extended to support. Policy associated with message key. Recipient Mobility Requires smartcard or key repository. Implicit. Recipient fetches key from PKG. Requires smartcard or key repository. Implicit. Recipient fetches key from PKG. Implicit. Recipient fetches key from KDC. Encryption Key/Target Recipient key. KDC public key.

15 Online versus Offline RSA-based IBE approaches assume online operation  Contact SEM/KDC for every message  Contact PKG for every recipient [Callas05] IBE’s strength may be offline environments  Pre-distribute PKG parameters and secret keys  If timely revocation is not a strong requirement Can RSA simulate offline IBE?

16 Conclusions Secure Email with IBE has strong trust assumptions  Need to be evaluated carefully before deployment IBE’s complex cryptography may be unnecessary  IB-MKD achieves goals with RSA Questions?  hkhurana@ncsa.uiuc.edu  jbasney@ncsa.uiuc.edu

Download ppt "On the Risks of IBE Himanshu Khurana and Jim Basney NCSA, University of Illinois International Workshop on Applied PKC (IWAP), Dalian, China, Nov 2006."

Similar presentations

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Symmetric Key Infrastructure Karel Masarik, Daniel Cvrcek Faculty of Information Technology Brno University of Technology

Symmetric Key Infrastructure Karel Masarik, Daniel Cvrcek Faculty of Information Technology Brno University of Technology
RIKE Using Revocable Identities to Support Key Escrow in PKIs Nan Zhang, Jingqiang Lin, Jiwu Jing, Neng Gao State Key Laboratory of Information Security,

RIKE Using Revocable Identities to Support Key Escrow in PKIs Nan Zhang, Jingqiang Lin, Jiwu Jing, Neng Gao State Key Laboratory of Information Security,
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
An Introduction to Identity-based Cryptography

An Introduction to Identity-based Cryptography
Pretty Good Privacy (PGP). How PGP works PGP uses both public-key cryptography and symmetric key cryptography, and includes a system which binds the public.

Pretty Good Privacy (PGP). How PGP works PGP uses both public-key cryptography and symmetric key cryptography, and includes a system which binds the public.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
National Center for Supercomputing Applications PKI and CKM ® Scaling Study NCASSR Kick-off Meeting June 11-12, 2003 Jim Basney

National Center for Supercomputing Applications PKI and CKM ® Scaling Study NCASSR Kick-off Meeting June 11-12, 2003 Jim Basney
An In-Depth Examination of PKI Strengths, Weaknesses and Recommendations.

An In-Depth Examination of PKI Strengths, Weaknesses and Recommendations.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Interoperation Between a Conventional PKI and an ID-Based Infrastructure Geraint Price Royal Holloway University of London joint work with Chris Mitchell.

Interoperation Between a Conventional PKI and an ID-Based Infrastructure Geraint Price Royal Holloway University of London joint work with Chris Mitchell.
Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.
Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.

Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

Similar presentations

Ads by Google