Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identification & ZKIP.

Published byAron Hudson Modified over 9 years ago

Similar presentations

Presentation on theme: "Identification & ZKIP."— Presentation transcript:

1 Identification & ZKIP

2 Contents Introduction Passwords Challenge-Response ZKIP

3 Why do need Identification ?
1. Bank machine withdrawals : 4 ~ 6-digit PIN(Personal Identification Number) at ATM(Automatic Teller Machine) 2. In store credit card purchases 3. Prepaid calling card : Asking a service by telephone card or membership cards 4. Remote login: Remote access to host under Client /Server environment 5. Access to restricted areas, etc.

4 Identification by personal information
Method Examples Reliability Security Cost What you Remember (know) Password Telephone # Reg. # M(theft) L(imperso- nation) M/L Cheap What you have Registered Seal Magnetic Card IC Card L(theft) M(imperso- nation) Reason- able M Bio-metric( Fingerprint, Eye, DNA, face, Voice, etc) What you are H(theft) H(Imperso- nation) Reasonable Expensive H

5 Biometric Information
Extracted from A. Jail’s presentation in SCIS2006, Japan

6 Way of Identification Password-based scheme (weak authentication)
crypt passwd under UNIX one-time password Challenge-Response scheme (strong authentication) Symmetric cryptosystem MAC(keyed-hash) function Asymmetric cryptosystem Cryptographic Protocols Fiat-Shamir identification protocol Schnorr identification protocol, etc

7 Identification by Password
Prover Verifier passwd table passwd,A A A h(passwd) y h = accept passwd n reject

8 Attack against Fixed PWDs
Replay fixed pwds Observe pwd as it is typed in Eavesdrop the data in cleartext Not suitable over open communication networks Exhaustive pwd search Let E(c) be the entropy of 8-char pwds from choices E(26)=37.6, E(36)=41.4, E(62)=47.6, E(95)=52.6 Pwd guessing and dictionary attacks A large dictionary contains 250,000 words Dictionary attack: order lists and compared to entries in the encrypted dictionary Combine numerical and alphabetical characters.

9 crypt passwd in UNIX I1= 0…0 next input Ii 2  i 25 user salt
64 user salt truncate to 8 ASCII chars; 0-pad if necessary user passwd 56 DES* 12 output, Oi O25 64 12 Repack 76 bits into 11 7-bit characters salt : 12-bit random from system clock when select passwd. DES* : DES with expansion E modified by 12-bit salt, 212 =4056 DES variations, encrypted passwd /etc/passwd

10 Challenge-Response Protocol
Assumption Secret Key : known to only P and V Random Challenge : P and V have perfect random number generator as their challenges. Very small probability that same challenges occur by chance in 2 different sessions MAC security : MAC is secure which no (ε, Q)-forger exist. Probability that Attack can correctly compute MAC is at most ε, given Q other MACs. (e.g. Q=10,000 or 100,000)

11 Challenge-Response Scheme(I)
Using Symmetric Cryptosystem K P V random challenge,x x y=eK(x) y y’=eK(x) y=y’ ? Vulnerable to parallel session attack (man-in-the-middle). Need to change x to be ID(V)||r

12 Challenge-Response Scheme(II)
Using Asymmetric Cryptosystem P can prove to have secret information in either way : (1) P decrypts a challenge encrypted under P’s public key. (2) P digitally signs a challenge. PK P V random challenge,x x y=e[sK,x] y y’= d[pk ,x] y = y’ ?

13 Zero-Knowledge Interactive Proof
GMR(Goldwasser, Micali, Rackoff) “The knowledge complexity of interactive-proof systems”, Proc. of 17th ACM Sym. on Theory of Computation, pp , 1985 “The knowledge complexity of interactive-proof systems”, Siam J. on Computation, Vol. 18, pp , 1989 (revised version) ZKIP (Zero Knowledge Interactive Proof) : between P and V Completeness : Only true P can prove V. Soundness : False P’ can’t prove V. 0-Knowledge : No knowledge transfer to V.

14 Concept of ZKIP By Quisquater and Guillou
P knows the secret, but doesn’t want to reveal his secret. 1. V stands at point A. 2. P walks all the way into the cave, either C or D. 3. After P disappeared into the cave, V walks to point B. 4. V shouts to P asking him either to: (a) come out of the left passage or (b) come out of the right passage 5. P complies, using the magic words to open secret door if he has to. 6. P and V repeat steps (1) -(5) t times A B C D P knows the magic words (secret) to open the door between C and D. Fig. 0-knowledge cave

15 Classification of ZKIPs
Property Perfect Computational Statistical ZK Interactive Object Membership Knowledge Computational power 1P/1V WH Model 0-K Minimum Know. Oracle ZKIP Non-interactive GMR Model * P:infinite, V: poly MP BCC Model Model 1 (P:poly V: infinite) (minimum disclosure) Model 2 (P:poly, V: poly) MV *AM-game : GMR model and V has random coin.

16 F-S Identification (I)
(Preparation) (TA) Unlike in RSA, a trusted center can generate a universal n, used by everyone as long as none knows the factorization. (P) (1) private key: choose random value S, s.t. gcd(S,n)=1.(1 < S < n) (2) public key : P computes I=S2 mod n, and publishes (I,n) as public Goal P has to convince V that he knows his private key S and its corresponding public key (I,n) (i.e., to prove that he knows a modular square root of I mod n), without revealing S.

17 F-S Identification (III)
public : I,n n=pq, I=S2 mod n V P x 1. generate unique random,r x=r2 mod n 2.ei={0,1} ei Repeat t-times y 3. If ei=0, send y=r If ei=1, send y=rS 4.If ei=0, check y2=x mod n? If ei=1, check y2=xI mod n? * commitment-witness-challenge-response-verification and repeat

18 F-S Identification (II)
1. P chooses random value r (1<r<n) and computes x=r2mod n. then sends x to V. 2. V requests from P one of the following request at random (a) r or (b) rS mod n 3. P sends the requested information to V. 4. V verifies that he received the right answer by checking whether (a) r2 = x mod n or (b) (rS)2 = xI mod n 5. If verification fails, V concludes that P does not know S, and thus he is not the claimed party. 6. This protocol is repeated t (usually 20 or 30) times, and if in all of them the verification succeeds, V concludes that P is the claimed party.

19 Security of F-S scheme (1) Assuming that computing S is difficult, the breaking is equivalent to that of factoring n. (2) Since P doesn’t know (when he chooses r or rS mod n) which question V will ask, he can’t choose the required answer in advance. (3) P can succeed in guessing V’s question with prob. 1/2 for each question. If the protocol is repeated t times, the prob. that V fails to catch P in all the times is only 2-t, which is exponentially reducing with t. (t=20 or 30) (4) Convinces V that P knows the square root of I, without revealing any information on S. However, V gets one bit of information : he learns that I is a quadratic residue

20 Other Identification schemes
Schnorr Identification scheme (p.371) Okamoto Identification scheme (p.378) Guillou-Quisquarter Identification scheme (p. 383) ID-based identification Others

21 Schnorr Identification (I)
Based on DLP under Trusted Authority (TA) TA decides public parameters p : large prime (1024 bit) q : large prime divisor of p-1 (160 bit) α Zp* has order q t : security parameter s.t. q > 2t Public parameters : p, q, α, t Prover choose private key : a ( 1 ≤ a ≤ q-1) public key v = α–a mod p Honest Verifier (choose r at random by the scheme) ZKIP

22 Schnorr Identification (II)
Public par. : p,q,α,t private key : a, public key: v 1. Select random k V P 2. Verify P’s public key generate random challenge , cert(P) r 3. y = k + ar mod q 4. Verify y

23 Schnorr Identification (III)
(TA) p=88667, q=1031, t=10, α=70322 has order q in Zp* (P) private key a = 755 public key v = α-a mod p = mod = 13136 P: random k = 543, αk mod p = mod = 84109, commit V: random challenge r =1000 P: y= k + ar mod q = x1000 mod 1031= 851 V: on receiving y, verify that = mod If equals, accept

Download ppt "Identification & ZKIP."

Similar presentations

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Lecture 15 Zero-Knowledge Techniques. Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce,

Lecture 15 Zero-Knowledge Techniques. Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce,
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.

SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Cryptography Basic (cont)

Cryptography Basic (cont)
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Similar presentations

Ads by Google