Transcript Compliant Cryptologic Protocols
Compliant Cryptologic Protocols
Ed Dawson, Kapali Viswanathan, Colin Boyd
Information Security Institute Queensland University of Technology Brisbane, Australia.
Sections of this Talk 1. Introduction to compliance in cryptosystems 1. Generic goals 2. Players in the game 3. Applications 2. A view of cryptosystem 1. Visualisation of basic services 2. A model for
representing
cryptosystems
Sections of this Talk 3. Key-recovery systems (KRS) 1. Long-term key-recovery 2. Short-term key-recovery 3. Hybrid key-recovery 4. Anonymous token systems (ATS) 1. A description (definition) 2. An application (Sealed-bid e-auction) 5. Summary and Conclusion
Section 1
Introduction to Compliance in Cryptosystems
Introduction to Compliance
Meaning: Compliance
the act or process of complying to a desire, demand, or proposal or to coercion a disposition to yield to others
conformity in fulfilling official requirements
What conformities (acts or events) can be cryptologically verified?
Investigating Compliances • What can cryptologic compliance mean?
There are at least two
mutually mistrusting
sets of users The users in a set require
operational guarantees
for the users in the other set
Example: Key Recovery Systems Sender Cryptanalyst Wiretap Authority Receiver • Three mistrusting sets of users
1. Communicating entities
• require confidential communication with authentic entities
2. Wiretap authority
• Requires to know what others communicate
3. The cryptanalyst
• wants to know everything (P = NP?) Mistrusting sets
Compliance: Key Recovery Systems
Communicating entities are confident that
the
cryptanalyst
is unable to read the confidential messages ( Cryptologic exercise ) The wiretap authority is confident that it can read the confidential messages ( a cryptologic exercise, if not for super-encryption and similar techniques ) Communicating entities are confident that
wiretap authorities
will not read
all
the the confidential messages without proper approval ( Trust based: How trustworthy is the wiretap authority? – Not entirely a cryptologic exercise )
Withdrawal User Example: E-Cash Systems Bank Trustee Spending Merchant • Four mistrusting sets of users 1. The
bank:
– only it can mint valid cash – valid cash can be spent only once 2. The
user:
– valid cash cannot be invalidated – will be anonymous while spending the cash 3. The
merchant:
– valid cash cannot be invalidated – will accept only valid cash Conditionally untraceable 4. The
trustee:
– can trace transactions (thereby, identify the user)
Facts: E-Cash Systems There is reduced or no anonymity for the user, if: there is only one user (NUMBERS); or, the user always withdraws from the same ATM and spends with the same merchant (SPACE); or, the user always spends just after withdrawing the cash (TIME); or, the user provides identification information to the merchant (DATA); the machine that the user uses can be easily traced (DATA).
Compliance: E-Cash Systems Only the
bank
can mint valid cash ( cryptologic exercise ) Valid cash will be spent only once by the authorised user ( must assume that the user does not reveal some long-term secret-key )
Compliance: E-Cash Systems Withdrawal and spending transactions cannot be traced without the assistance of the trustee ( cryptology prevents only data level correlations --- number of
regular
users is important --- and
does not
correlations in space/time/numbers ) prevent The
trustee
will trace only as prescribed by some set of rules ( behaviour of entities is not – and cannot be – a cryptologic concern )
Compliance: E-Cash Systems The
merchant
and the
bank
will accept valid coins ( the behaviour of any entity is not a cryptologic concern )
Some More Examples Other examples include: 1. Electronic auctions – Mistrusting sets: Auctioneer, bidder, sets of bidders, optional trustee 2. Electronic voting – Mistrusting sets: Voter, sets of voters, voter authenticator, vote authenticator, vote collector, vote teller, system observers Entity which counts votes
Section 2
Investigation and classification of basic services and compliance verification in cryptosystems
Basic Cryptologic Services • Is it possible to decide what is a cryptologic exercise and what is not? Yes • How? By enumerating what cryptology can do • What are the
basic services
? They are confidentiality and integrity • Are they independent of each other? NO. But it may not be a flaw to treat separately
What is Compliance in Cryptosystems?
• There is a need for some entities to verify the
cryptologic behaviour
of some other entities • What is a cryptologic behaviour ? Entities use keys
to transfer
services to certain messages • How can such transfer of service be verified? • If such a transfer of service can be verified, then such a verification is called
compliance verification
Classifying Compliance • • It is possible to classify various types of compliance verification by enumerating the modes of transfer of services 1.
There are two modes of transfer of services Restricted : the service is guaranteed until the occurrence of a probabilistic or deterministic event 2.
Universal : the service is guaranteed forever (forever is the
idealisation
for the span of time that is determined by the security properties of the cryptographic algorithms and the key management systems)
A Classification of Compliance • • 2 (basic services) 2 (modes of service) = 4 ( categories of compliance verification)
CL0:
Universal confidentiality and integrity (signature systems)
CL1:
Universal integrity and restricted confidentiality (KRS, fair cash)
A Classification of Compliance • •
CL2:
Restricted integrity and universal confidentiality (deniable encryption)
CL3:
Restricted integrity and confidentiality (Oblivious Transfer?)
How to Enforce Compliance?
• If an integrity transfer must be verified, how can such a verification be made mandatory?
EL0:
On-line monitor (Clipper, Wallet with observers)
EL1:
Off-line monitor (Binding ElGamal, E-cash [Chaum, Brands])
Section 3
Key Recovery Systems (Compliance and Confidential Communications)
Introduction to KRS • • • Confidential decryption keys must be available for the receiver and the escrow authority Restricted Confidentiality : Confidential messages sent to the receiver is guaranteed against every adversary except the escrow agent Universal Integrity : The proof that the secret message (keying information and others) sent to the receiver is the same as that sent to the escrow authority (Proof that a certain key is being used)
Types of KRS 1. Long-term key-recovery – Long-term confidentiality keys are accessible for the escrow agent – Private-key recovery 2. Short-term key-recovery – Short-term confidentiality keys are accessible for the escrow agent – Session-key recovery
Types of KRS 3. Hybrid key-recovery – Long-term confidentiality key is
shared
by the escrow agent and the receiver – Short-term confidentiality key is accessible for the escrow agent and the receiver – Example: hybrid key-recovery system
Private-key Recovery Systems 1. Let public-key, y = OWF (x) 2. Escrow component, EC = Escrow (x) 3. Know (x) Know (EC) The identity of the escrow authority and the identity of the user (owner of the public key [y]) are
indistinguishable
. The escrow authority can do everything that the user can do
• • Properties of Private-Key Recovery 1.
Merits Efficiency 2.
Backward compatibility 1.
2.
Demerits Risk to private keys (Security of escrow database) Enforceability (users can change to a
certified
proxy key) 3.
4.
5.
Authentication and escrow functionalities are not separate (co-existence of escrowed PKI and signature?) Granularity (Past-present-future problem) Super-encryption
Session-key Recovery Systems 1. Let S be the session-key chosen by the sender 2. Escrow component, EC = Escrow (S) 3. Know (S) Know (EC) Knowing the session-key is
equivalent
to knowing the escrow component.
• • Properties of Session-Key Recovery 1.
Merits Granularity 2.
Authentication and escrow functionalities are separate 1.
2.
Demerits Enforceability (requires trusted device to make sure that keys are properly escrowed) Session-keys are random and uncertified (creates communication and storage overhead) 3.
Super-encryption
Hybrid Key-Recovery Systems • Kapali Viswanathan, Colin Boyd, Ed Dawson,
Strong Binding for Software Key Escrow
. In
International Workshop on Security, IWSEC'99
. IEEE Press, 1999.
• Kapali Viswanathan, Colin Boyd, Ed Dawson,
Hybrid Key Escrow
. In
Computers & Security
, ISSN 0167-4048, Vol. 21, No. 1, 77-92. Elsevier Advanced Technology, 2002.
Message Dynamics: Hybrid Key Recovery Systems Sender Valid Message Flow Authority (Must have a secret that is essential for the valid communication to occur) Valid Message Flow Receiver (Ideally, must not be able to recover the message from the invalid flow) Invalid Message Flow (To be prevented)
Message Dynamics With LEA Sender (
Must enable key-recovery
) Authority (
Cryptologically prevents receipt of invalid communications
) LEA (
Special User
) Receiver (
Can receive valid and secure communications
)
Hybrid Key-Recovery Systems • Public-key, y = OWF (x) • Private-key, x, is a universal secret • x = x 1 * x 2 • User’s share is x 1 • Escrow component EC = Escrow (x 2 ) • Similarly, LEA’s public key is y’ = OWF(x 1 ’ * x 2 ’) • LEA is a
special user
Hybrid Key-Recovery Systems • • Due to the public-key format and the protocol (Binding ElGamal) The session key, S, can be accessed if 1. Know (x 1 ) AND Know (x 2 ); OR, 2. Know (x 1 ’) AND Know(x 2 ’) The user (x 1 ) or the LEA (x 1 ’) cannot access the session key (S) if the escrow authority (x 2 , x 2 ’) does not assist them
• • Properties of Hybrid Key Recovery 1.
Merits Solves several issues present in the previous types 2.
3.
4.
5.
When source traceability is achieved using appropriate signature techniques, it achieves all the properties of Clipper in a more secure fashion Granularity Session is random but integrity is assured Enforceability level EL0 ( on-line monitor ) 1.
Demerits On-line authority ( efficiency and scalability points of views ) 2.
Super-encryption
Section 4
Anonymous Token Systems (Compliance and Confidential Identity)
What is
cryptologic
anonymity?
• • Let a data, D,
belong
to a user, I • Suppose that the correlation between the data and the identity is to remain confidential Confidentiality ( Integrity ( I, D ) )
Cryptologic Anonymity
: The correlation, (I, D), must remain a secret (confidentiality service ) and
optionally
it cannot be changed (integrity service)
Techniques for achieving cryptologic anonymity 1. ( I , Confidential
some
thing] ( D ) ) [
This
entity has 2. ( Confidential
this
thing] ( I ) , D ) [
Some
entity has 3. ( Confidential [
Some
( I ) , entity has Confidential
some
thing] ( D ) ) Integrity service can be independently provided to all of the above constructs
IssueToken Client Anonymous Token Systems (ATS) TIA SubmitToken Trustee UtiliseToken Conditionally untraceable (
OPTIONAL)
TAA • • • E-cash systems are essentially a PKI mechanism which provides certificates (tokens) with confidential identity
Token Issuing Authority
(Bank)
Token Accepting Authority
(Merchant)
Compliance Issues in ATS 1. Only authenticated participants can participate 2. Participants must remain anonymous (confidential identity) 3. Optional revocation of anonymity (conditional confidentiality service for the identity)
Applications that can use ATS 1. Electronic cash (I, D = Denomination) 2. Peer Review Protocol (I , D = PeerID) 3. Auction Protocol (I, D = Bid) 4. Electronic Voting Protocol (I, D = Vote)
Entities in Sealed-Bid Electronic Auction Systems 1.
2.
3.
– – – Auctioneers Valid participants Non-repudiation of bid Termination of bidding process – – Bidders Fairness of bidding process Confidentiality of bid until the bid opening phase – Optional Trustee If the bid is not opened after the bid opening phase, the bid must be recovered
Properties of Sealed-Bid Auction Systems • Confidentiality of Bid • Non-repudiation of Bid • Publicly verifiability [OPTIONAL] • Anonymity for losing bidders (or bids) [OPTIONAL] • Independence of auction rules [OPTIONAL]
A Sealed-Bid Auction System using ATS • Kapali Viswanathan, Colin Boyd, Ed Dawson,
A Three Phased Schema for Sealed Bid Auction System Design
. In
Australasian Conference for Information Security and Privacy, ACISP'2000
, 412 426. Lecture Notes in Computer Science, Springer-Verlag, 2000.
System Description 1. Every bidder, b i , is issued with a pseudonym, p i , using an ATS 2. The bidder authenticates using p i access to an anonymous channel to gain 3. The bidder
anonymously
commits (sealed bid) to the bid value [ p i , commit ( bid i ) ] p i = Universal-Integrity ( Restricted-Confidentiality ( b i ) ) commit( bid i ) = Universal-Integrity-Confidentiality ( bid i )
System Description 4. After announcement of the closing of the auction bid-commitment closing period, the bidders 1. Authenticate using pseudonym, p i 2. Open the bid [p i , bid i ] 5. After the announcement of the closing of the auction bid-commitment opening period, the winning bid is selected from the list of opened bids [ SET-OF ( bid i ) ] 6. Enforceability level: EL1 (off-line monitor)
• • Properties of the Proposed System 1.
Merits Independent of auction rules 2.
3.
4.
User-controlled confidentiality for the bid Modular design (ATS + Basic auction) Public verification possible 1.
2.
Demerits Requires anonymous communication channel Does not solve the problems related to the timing of various phases (E.g. closing time of the bid registration phase)
Summary & Research Directions
Summary • Compliance is essential for secure e-commerce • Enforceability level determines the effectiveness with which the compliance verification rules can be enforced • Systems with on-line monitors ( hybrid key recovery, Clipper ) have inherently more enforceability than do systems with off-line monitors ( Binding ElGamal, E-Cash without monitors )
Research Directions 1.
2.
3.
What are the relations among various applications of protocols (auction, voting etc)?
How to achieve robust e auction and e-voting systems?
Design a formal and simple syntax for the representation of confidentiality and integrity services
Dawson, E., Viswanathan, K. and Boyd, C., “Compliant Cryptologic Protocols” in
International Journal of Information Security (IJIS),
Vol.1, No.3, November 2002, pp.189-202 (ISSN 1615-5262)