Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Private Resource Pairing Joseph Calandrino Department of Computer Science University of Virginia August 10, 2005.

Published byRussell Gregory Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Private Resource Pairing Joseph Calandrino Department of Computer Science University of Virginia August 10, 2005."— Presentation transcript:

1 1 Private Resource Pairing Joseph Calandrino Department of Computer Science University of Virginia August 10, 2005

2 2 Motivating Scenario Emergency Room –Incapacitated unidentified tourist arrives at ER –Perfect biometric exists –Treatment is history-dependent

3 3 Private Resource Pairing Resource Possession – Confidential Resource Requests – Confidential Third Parties – Undesirable Can We Overcome This?

4 4 Related Work Private Matching Alice and Bob possess separate databases Alice wishes to determine intersection Neither wishes to reveal non-matches AliceBob Red Orange Yellow Green Blue Purple Blue White Yellow

5 5 Related Work Private Matching (AgES Protocol – Simplified) Alice and Bob agree on commutative encryption (E A (E B (X)) = (E B (E A (X))) and hash functions Generate secret encryption keys, A and B * Generate hashes; encrypt hashes Rh(‘R’)E A (h(‘R’)) Oh(‘O’)E A (h(‘O’)) Yh(‘Y’)E A (h(‘Y’)) Gh(‘G’)E A (h(‘G’)) Bh(‘B’)E A (h(‘B’)) Ph(‘P’)E B (h(‘P’)) Bh(‘B’)E B (h(‘B’)) Wh(‘W’)E B (h(‘W’)) Yh(‘Y’)E B (h(‘Y’)) AliceBob *Alice and Bob must generate new encryption keys each time they enter the private matching protocol

6 6 Related Work Private Matching (AgES Protocol – Simplified) Reorder encryptions lexicographically and exchange encryptions (Alice also saves hers) RE A (h(‘R’)) OE A (h(‘O’)) YE A (h(‘Y’)) GE A (h(‘G’)) BE A (h(‘B’)) P B W Y AliceBob E B (h(‘P’)) E B (h(‘B’)) E B (h(‘W’)) E B (h(‘Y’)) E A (h(‘R’)) E A (h(‘O’)) E A (h(‘Y’)) E A (h(‘G’)) E A (h(‘B’)) Alice’sBob’s

7 7 Related Work Private Matching (AgES Protocol – Simplified) Reorder encryptions lexicographically and exchange encryptions (Alice also saves hers) Re-encrypt encryptions (Bob saves originals) RE A (h(‘R’)) OE A (h(‘O’)) YE A (h(‘Y’)) GE A (h(‘G’)) BE A (h(‘B’)) P B W Y AliceBob E A (E B (h(‘P’))) E A (E B (h(‘B’))) E A (E B (h(‘W’))) E A (E B (h(‘Y’))) E A (h(‘R’))E B (E A (h(‘R’))) E A (h(‘O’))E B (E A (h(‘O’))) E A (h(‘Y’))E B (E A (h(‘Y’))) E A (h(‘G’))E B (E A (h(‘G’))) E A (h(‘B’))E B (E A (h(‘B’))) Bob’sAlice’s

8 8 Related Work Private Matching (AgES Protocol – Simplified) Bob returns the pairs; Alice matches on E A (h(X)) to get (X, E B (E A (h(X))) = (X, E A (E B (h(X))) Alice finds matches for B and Y, the intersection RE A (E B (h(‘R’))) OE A (E B (h(‘O’))) YE A (E B (h(‘Y’))) GE A (E B (h(‘G’))) BE A (E B (h(‘B’))) P B W Y AliceBob E A (E B (h(‘P’))) E A (E B (h(‘B’))) E A (E B (h(‘W’))) E A (E B (h(‘Y’))) Bob’s

9 9 Related Work Private Matching –Limited data ownership and need to know technique –More efficient/robust private pairing solution possible Private Information Retrieval Audit Logs Searching on Encrypted Data – Requestors reveal searches to provider

10 10 Behavioral Models Semi-Honest (Honest But Curious) Behavior –Parties do not lie –Parties do attempt to derive additional information if possible –Costs of lying may outweigh benefits Malicious Behavior –Potentially dishonest parties –More realistic

11 11 Private Resource Pairing… Basic Idea: Setup: 1.Participants agree on a commutative encryption scheme and a hash function 2.Providers generate random encryption keys 3.Providers publish lexicographically- reordered encrypted hashes of their resource metadata to potential requestors or host servers –Providers publish signatures for servers …under a Semi-Honest Behavior Model

12 12 Private Resource Pairing… Basic Idea: Search and Acquisition: 1.Requestor generates new encryption/decryption key pair* 2.Requestor gives encrypted hash of desired metadata to provider 3.Provider re-encrypts using its key and returns 4.Requestor decrypts re-encryption 5.Requestor matches result against published values –For host servers, requestors acquire values and verify signatures 6.If match found, requestor asks provider for resources related to metadata …under a Semi-Honest Behavior Model *Requestors must generate new keys for each search

13 13 Private Resource Pairing… Assumptions: Requestor identity alone yields no private data Providers publish data all at once, or publication order is irrelevant In the case of host servers: –Requestors download all or no data from a server –Servers are unable to collude Metadata is not fuzzy …under a Semi-Honest Behavior Model

14 14 Private Resource Pairing… Shortcomings of Semi-Honest Solution: –No enforcement of requestor need to know –No proof providers hold resources tied to published metadata Malicious Model Must Address These Issues …under a Semi-Honest Behavior Model

15 15 Private Resource Pairing… Proving Requestor Need to Know: Requestor Uses Two Tickets –First: To receive re-encryption Contains only encrypted metadata –Second: To access metadata-related resources Contains plaintext metadata …under a Malicious Behavior Model

16 16 Private Resource Pairing… Proving Requestor Need to Know: Tickets Supplier Must Distribute Tickets –Requestor must trust supplier with search metadata –Supplier can issue scope-limited tickets –Providers must be able to verify supplier trustworthiness –Suppliers should be unable to initiate searches –Assume suppliers and requestors cannot collude …under a Malicious Behavior Model

17 17 Private Resource Pairing… Proving Resource Possession: Identity-Based Signatures –Verification key is identity –Master secret required to generate signing keys Key Privacy in Public Key Cryptosystems –An adversary possessing a piece of ciphertext can gain no more than a negligible advantage in determining which public key out of a given set produced the ciphertext –RSA lacks this: C = M e mod n. If n Alice = 6, n Bob = 10, C = 7, an adversary knows that Bob’s public key encrypted C …under a Malicious Behavior Model

18 18 Private Resource Pairing… Proving Resource Possession: Two Cases: –Metadata Implies an Owner Everyone knows the “owner” of resources related to every piece of metadata Example: Biometrics –Metadata Implies No Clear Owner Metadata can imply many owners, or others are unable to accurately guess owners from metadata Example: Keywords …under a Malicious Behavior Model

19 19 Private Resource Pairing… Proving Resource Possession: Metadata Implies an Owner –System Privacy A set of instantiations of an identity-based signature scheme exist with different master secrets Adversary chooses an identity Random instantiation produces the identity’s signature of a nonce (unknown to adversary) The adversary receives the signature System privacy exists if the adversary can gain no more than a negligible advantage in determining signing instantiation given some parameters …under a Malicious Behavior Model

20 20 Private Resource Pairing… Proving Resource Possession: Metadata Implies an Owner –Owner (or Delegated Owner) Setup: Owners agree on signature scheme –Identity-based scheme –System privacy Owners independently generate master secrets Owners publish verification parameters …under a Malicious Behavior Model

21 21 Private Resource Pairing… Proving Resource Possession: Metadata Implies an Owner –Providers Acquire Proof: 1.Provider offers metadata, encrypted and unencrypted, to owner 2.Owner checks that encryption represents metadata –Private matching 3.Owners signs encryption using private key associated with the provider’s ID and return result 4.Provider checks signature 5.Provider publishes data …under a Malicious Behavior Model

22 22 Private Resource Pairing… Proving Resource Possession: Metadata Implies an Owner –Requestor Verifies Proof: 1.Requestor downloads owner parameters 2.Requestor checks signatures (using provider ID as key) for a signature of the encrypted hash of desired metadata …under a Malicious Behavior Model

23 23 Private Resource Pairing… Proving Resource Possession: Metadata Implies an Owner –If Owner Master Secret Compromised: Owner needs new master secret Only affects owner’s resources How do we update signatures? …under a Malicious Behavior Model

24 24 Private Resource Pairing… Proving Resource Possession: Metadata Does Not Imply an Owner –Use Universal Resource Owner Can be centralized or distributed Providers must trust owner Requestors need not reveal anything to universal owner Problems exist: key revocation, master secret compromise …under a Malicious Behavior Model

25 25 Evaluation Private Resource Pairing vs. Private Matching Private Resource Pairing: Semi-Honest Model –No known comparable protocol for malicious pairing protocol Private Matching: AgES –Requestor served as querying party with a single-entry DB –Additional step for requestor to ask for resources Ignored: –Server signature verification (implementation dependent) –Time to agree on hash/encryption function (same for both)

26 26 Theoretical Evaluation Computational Cost (in Units of Cost)

27 27 Theoretical Evaluation Communication Cost (in Units of Cost)

28 28 Performance Evaluation Implementation –Java-Based Implementation –Hash Function: SHA-1 –Commutative Encryption Function: Pohlig-Hellman with Common Modulus –Sort: Modified MergeSort (nlogn performance) –Number of Provider Metadata Items: 20

29 29 Performance Evaluation AgES Private Resource Pairing Setup Provider0 ms1177 ms Requestor0 ms Total0 ms1177 ms Search and Acquisition Provider1194 ms17 ms Requestor1218 ms867 ms Total2412 ms884 ms Performance Comparison

30 30 Evaluation Private Resource Pairing vs. Private Matching –Decrease in requestor computation time: 28.8% –Decrease in provider computation time: 98.6% –Pairing scales better than AgES –Potential AgES improvements: Avoid changing keys Avoid re-encryption

31 31 Conclusion Summary Future Work –Time-Scoped Searching –System Privacy –Classification Levels –Untrusted Servers –Fuzzy Metadata –Many more…

32 32 Thank You In Particular: Alfred Weaver David Evans Brent Waters

33 33 Questions?

Download ppt "1 Private Resource Pairing Joseph Calandrino Department of Computer Science University of Virginia August 10, 2005."

Similar presentations

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.

Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.
SCSC 455 Computer Security

SCSC 455 Computer Security
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Building an Encrypted and Searchable Audit Log Brent Waters Dirk Balfanz Glenn Durfee D.K. Smetters.

Building an Encrypted and Searchable Audit Log Brent Waters Dirk Balfanz Glenn Durfee D.K. Smetters.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Cryptographic Technologies

Cryptographic Technologies
Chapter 9: Key Management

Chapter 9: Key Management

Similar presentations

Ads by Google