Topic 2.5 - Dr. Peng Ning
Computer Science
CSC 774 Advanced Network Security
Topic 2.5 Secret Handshake
Slides by Tong Zhou
CSC 774
Dr. Peng Ning
Goals
• Authenticate without revealing credentials
– Consider two groups G1 and G2, and two parties A ∈ G1 and B ∈ G2. A and B want to authenticate each other.
– If G1 ≠ G2: A and B only know they are not in the same group.
– If G1 = G2: A and B can authenticate to each other.
– A third party learns nothing by observing conversations between A and B.
Preliminaries: Pairing-based Cryptography
• Bilinear Maps:
– Two cyclic groups of large prime order q: $G_1$ and $G_2$
– $\hat{e}: G_1 \times G_1 \to G_2$ is a bilinear map if $\forall a, b \in \mathbb{Z}_q;\ P, Q \in G_1:\ \hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$
• $\hat{e}$ should be computable, non-degenerate and satisfy the Bilinear Diffie-Hellman assumption, i.e., given P, aP, bP, cP, it is hard to compute $\hat{e}(P, P)^{abc}$
Protocol Sketch
• Equipped with bilinear map ê and one-way
hash function H1
• CA has a master key t.
• Assume a drivers and cops scenario.
Protocol Sketch
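[Figure: a driver A and a traffic cop B exchange the pseudonyms "p65748392a" and "xy6542678d". Speech bubbles: "Driver's licence, please." and "Please show your pseudonym."]
– Driver's licence: ("p65748392a", $T_A$), with $T_A = t H_1(\text{"p65748392a-driver"})$
– Traffic cop credential: ("xy6542678d", $T_B$), with $T_B = t H_1(\text{"xy6542678d-cop"})$
– $K_A = \hat{e}(H_1(\text{"xy6542678d-cop"}), T_A)$
– $K_B = \hat{e}(T_B, H_1(\text{"p65748392a-driver"}))$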
Protocol Sketch – Attacker Igor
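[Figure: attacker Igor poses as a traffic cop. Speech bubbles: "I am a cop.", "Driver's licence, please.", "Please show your pseudonym." and "This guy is not a cop."]
– Driver's licence: ("p65748392a", $T_A$), with $T_A = t H_1(\text{"p65748392a-driver"})$
– Igor obtains Bob's pseudonym: "xy6542678d"
– $K_A = \hat{e}(H_1(\text{"xy6542678d-cop"}), T_A)$; the corresponding value on Igor's side is marked "???"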
Secret-Handshake Scheme (SHS)
• SHS.CreateGroup(G): executed by an administrator, generates the group secret GroupSecret_G for G.
• SHS.AddUser(U, G, GroupSecret_G): creates user secret UserSecret_{U,G} for new user U.
• SHS.HandShake(A, B): Users A and B authenticate each other. B discovers A ∈ G if and only if A discovers B ∈ G.
• SHS.TraceUser: The administrator identifies the user from a transcript T generated during a conversation between A and B.
• SHS.RemoveUser: Administrator revokes user U.
Pairing-Based Handshake (PBH)
• PBH.CreateGroup: Administrator sets GroupSecret_G as a random number $s_G \in \mathbb{Z}_q$
• PBH.AddUser: Administrator generates pseudonyms for users:
$\{id_{U_1}, \ldots, id_{U_t}\}$
and then generates the corresponding secret points:
$\{priv_{U_1}, \ldots, priv_{U_t}\}$
where
$priv_{U_i} = s_G H_1(id_{U_i})$
$H_1$ is a one-way hash function.
Pairing-Based Handshake (PBH)
• PBH.Handshake:
– A → B: $id_A, n_A$
– B → A: $id_B, n_B, V_0$
– A → B: $V_1$
where
$V_0 = H_2(\hat{e}(H_1(id_A), priv_B) \mid id_A \mid id_B \mid n_A \mid n_B \mid 0)$
$V_1 = H_2(\hat{e}(priv_A, H_1(id_B)) \mid id_A \mid id_B \mid n_A \mid n_B \mid 1)$
$S = H_2(\hat{e}(priv_A, H_1(id_B)) \mid id_A \mid id_B \mid n_A \mid n_B \mid 2) = H_2(\hat{e}(H_1(id_A), priv_B) \mid id_A \mid id_B \mid n_A \mid n_B \mid 2)$
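The three-message handshake above, which also covers the cop/driver key agreement from the Protocol Sketch slides, as an added Python example that is not part of the original slides. It assumes an insecure toy stand-in for the pairing (points stored as scalars in a constructed group with p = 2039, q = 1019), SHA-256 for H1 and H2, and hypothetical function names.

```python
import hashlib
import secrets

# Toy bilinear map (assumption, insecure): the point aP of G1 is stored as the
# scalar a mod Q, and e(aP, bP) = G^(ab) mod P, hence e(aP, bQ) = e(P, Q)^(ab).
# A real scheme uses an elliptic-curve pairing, where a cannot be read off aP.
P, Q, G = 2039, 1019, 4      # constructed toy group: P = 2Q + 1, G has order Q

def h1(ident: str) -> int:
    """H1: map an identity string to a non-zero element of G1."""
    return 1 + int.from_bytes(hashlib.sha256(ident.encode()).digest(), "big") % (Q - 1)

def pairing(u: int, v: int) -> int:
    return pow(G, (u * v) % Q, P)

def h2(key: int, id_a: str, id_b: str, n_a: str, n_b: str, tag: int) -> str:
    """H2 over e(...) | id_A | id_B | n_A | n_B | tag."""
    return hashlib.sha256(f"{key}|{id_a}|{id_b}|{n_a}|{n_b}|{tag}".encode()).hexdigest()

def create_group() -> int:
    return 1 + secrets.randbelow(Q - 1)            # GroupSecret s_G

def add_user(s_g: int, ident: str) -> tuple:
    return ident, (s_g * h1(ident)) % Q            # (id_U, priv_U = s_G * H1(id_U))

def handshake(a: tuple, b: tuple) -> tuple:
    """Both checks are evaluated for illustration; an honest A stops if V0 fails."""
    (id_a, priv_a), (id_b, priv_b) = a, b
    n_a, n_b = secrets.token_hex(16), secrets.token_hex(16)   # A -> B: id_A, n_A
    k_b = pairing(h1(id_a), priv_b)                # B: e(H1(id_A), priv_B)
    v0 = h2(k_b, id_a, id_b, n_a, n_b, 0)          # B -> A: id_B, n_B, V0
    k_a = pairing(priv_a, h1(id_b))                # A: e(priv_A, H1(id_B))
    a_accepts = v0 == h2(k_a, id_a, id_b, n_a, n_b, 0)
    v1 = h2(k_a, id_a, id_b, n_a, n_b, 1)          # A -> B: V1
    b_accepts = v1 == h2(k_b, id_a, id_b, n_a, n_b, 1)
    s_a = h2(k_a, id_a, id_b, n_a, n_b, 2)         # session key S as A derives it
    s_b = h2(k_b, id_a, id_b, n_a, n_b, 2)         # session key S as B derives it
    return a_accepts, b_accepts, s_a == s_b
```

`handshake` returns whether A accepts B, whether B accepts A, and whether both sides derived the same S; two users of one group give all three true, users of groups with different secrets give all three false.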
Pairing-Based Handshake (PBH)
• PBH.TraceUser: Since the conversations of
handshaking include the pseudonyms,
administrator can easily figure out the users.
• PBH.RemoveUser: Administrator removes
user U by broadcasting its pseudonyms to all
the other users, so that other users won’t accept
pseudonyms of U.
Computational Diffie-Hellman Instead of
Bilinear Diffie-Hellman
• CreateGroup: Administrator picks (p, q, g), where p and q are primes and g is a generator of a subgroup of $\mathbb{Z}_p^*$ of order q. The administrator also picks a private key x and computes the public key $y = g^x \bmod p$
• AddUser: For user U, administrator generates $id_U$, then generates a pair
$(w, t) \in (\mathbb{Z}_p^*, \mathbb{Z}_q)$
so that
$g^t = w\,y^{H(w, ID)}$
$id_U$, w, t will be given to the user.
– How to generate the pair (w, t)?
Randomly pick r, compute
$w = g^r \bmod p$
$t = r + x H(w, ID)$
Computational Diffie-Hellman Instead of
Bilinear Diffie-Hellman
• Handshake: Assume user A has ($id_A$, $w_A$, $t_A$) and user B has ($id_B$, $w_B$, $t_B$). Define the following notation (ElGamal encryption):
– Recover(y, id, w): $PK = w\,y^{H(w, id)} \bmod p$
– $Enc_{PK}(m) = [c_1, c_2] = [g^R \bmod p,\ m \oplus H'(PK^R \bmod p)]$
– $Dec_t([c_1, c_2])$: $m = c_2 \oplus H'(c_1^t \bmod p)$
Computational Diffie-Hellman Instead of
Bilinear Diffie-Hellman
• Handshake:
– B → A: $id_B, w_B$
– A computes $PK_B = Recover(y, id_B, w_B)$, randomly picks $r_A, ch_A$, and computes $C_A = Enc_{PK_B}(r_A)$
– A → B: $id_A, w_A, C_A, ch_A$
– B computes $PK_A = Recover(y, id_A, w_A)$ and $r_A = Dec_{t_B}(C_A)$, randomly picks $r_B, ch_B$, and computes $C_B = Enc_{PK_A}(r_B)$ and $resp_B = H(r_A, r_B, ch_A)$
– B → A: $C_B, resp_B, ch_B$
– A computes $r_B = Dec_{t_A}(C_B)$, verifies $resp_B$, and computes $resp_A = H(r_A, r_B, ch_B)$
– A → B: $resp_A$
– B verifies $resp_A$
Intuition
• If A and B are in the same group, each of them can decrypt the random number ($r_A$ and $r_B$).
• If not, neither of them can get any information about $r_A$ or $r_B$.
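The CreateGroup, AddUser and Handshake steps of the Computational Diffie-Hellman variant, run end to end as an added Python example that is not part of the original slides. It assumes a constructed toy group (p = 2039, q = 1019, g = 4), SHA-256 in place of H and H', 128-bit random values for r_A and r_B, and hypothetical function names.

```python
import hashlib
import secrets

P, Q, G = 2039, 1019, 4      # constructed toy group: P = 2Q + 1, G has order Q

def digest(*parts) -> bytes:
    """SHA-256 over the joined parts; stands in for the slides' H in resp_A / resp_B."""
    return hashlib.sha256("|".join(map(str, parts)).encode()).digest()

def H(w: int, ident: str) -> int:
    """H(w, ID) as a non-zero exponent in [1, Q-1]."""
    return 1 + int.from_bytes(digest(w, ident), "big") % (Q - 1)

def Hp(elem: int) -> int:
    """H': 128-bit mask derived from a group element."""
    return int.from_bytes(digest("mask", elem)[:16], "big")

def create_group(x=None) -> tuple:
    x = x or 1 + secrets.randbelow(Q - 1)          # administrator's private key
    return x, pow(G, x, P)                         # (x, y = g^x mod p)

def add_user(x: int, ident: str) -> tuple:
    r = 1 + secrets.randbelow(Q - 1)
    w = pow(G, r, P)
    return ident, w, (r + x * H(w, ident)) % Q     # t with g^t = w * y^H(w, ID)

def recover(y: int, ident: str, w: int) -> int:
    return (w * pow(y, H(w, ident), P)) % P        # PK = w * y^H(w, id) mod p

def enc(pk: int, m: int) -> tuple:
    R = 1 + secrets.randbelow(Q - 1)
    return pow(G, R, P), m ^ Hp(pow(pk, R, P))     # [c1, c2]

def dec(t: int, c: tuple) -> int:
    return c[1] ^ Hp(pow(c[0], t, P))

def handshake(a: tuple, y_a: int, b: tuple, y_b: int) -> tuple:
    """a, b are (id, w, t); y_a, y_b are the group public keys A and B hold."""
    (id_a, w_a, t_a), (id_b, w_b, t_b) = a, b      # B -> A: id_B, w_B
    r_a, ch_a = secrets.randbits(128), secrets.token_hex(8)
    c_a = enc(recover(y_a, id_b, w_b), r_a)        # A -> B: id_A, w_A, C_A, ch_A
    r_a_seen, r_b, ch_b = dec(t_b, c_a), secrets.randbits(128), secrets.token_hex(8)
    c_b = enc(recover(y_b, id_a, w_a), r_b)
    resp_b = digest(r_a_seen, r_b, ch_a)           # B -> A: C_B, resp_B, ch_B
    r_b_seen = dec(t_a, c_b)
    a_accepts = resp_b == digest(r_a, r_b_seen, ch_a)
    resp_a = digest(r_a, r_b_seen, ch_b)           # A -> B: resp_A
    return a_accepts, resp_a == digest(r_a_seen, r_b, ch_b)
```

When both users were issued (w, t) under the same administrator key, each side recovers the other's random number and both responses verify; when the keys differ, Recover yields a public key that does not match the peer's t, the decrypted values are wrong, and neither response verifies.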