Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth Dan Boneh Brent Waters.


Privacy in Encrypted Content Distribution Using Private Broadcast Encryption
Adam Barth, Dan Boneh, Brent Waters
Private Broadcast Encryption
• Make data available to select principals
– Encrypt the data to those principals
• Often important to hide the set of principals
– BCC recipients in encrypted email
– Customer list (hide from competitors)
– Promotion committee can read evaluations
• Private broadcast encryption
– Recipient privacy against active attackers
Related Work
• Key privacy in public-key setting [BBDP01]
– IK-CCA: Ciphertext does not leak public key
• Attacker viewing ciphertext encrypted under one of two public keys cannot guess which key was used
– Cramer-Shoup is IK-CCA (with common prime)
– Important building block for recipient privacy
• Previous broadcast encryption systems
– Increasing collusion resistance
– Reducing ciphertext overhead
– We focus on hiding recipient set
Our Results
• Generic construction (standard model)
– Achieves CCA recipient privacy
– Uses generic IK-CCA public-key system
– Decryption time is linear in number of recipients
• Efficient construction (random oracle)
– Achieves CCA recipient privacy
– Assumes CDH is hard
– Decryption in O(1) cryptographic operations
Broadcast Systems in Practice
• Microsoft Outlook
– Encrypted email as a broadcast system
– Outlook completely reveals BCC recipients
• issuerAndSerialNumber
– BCC recipients’ names can appear in the clear
– Could send a separate message to each recipient
• Windows Encrypted File System
• Pretty Good Privacy (PGP)
– GnuPG as an example implementation
Pretty Good Privacy?
• Message encrypted with symmetric key, K
• K encrypted for each recipient
• To speed decryption, components labeled with KeyIDs
– Hash of public key
• User identities completely revealed
Ciphertext (labels in the clear):
A: {K}pk(A)
B: {K}pk(B)
C: {K}pk(C)
{M}K
Recipient Privacy in PGP
• PGP labels encryptions using a KeyID
C:\gpg>gpg --verbose -d message.txt
gpg: armor header: Version: GnuPG v1.2.2 (MingW32)
gpg: public key is 3CF61C7B
gpg: public key is 028EAE1C
• KeyIDs easily translated into names and email addresses using a public key server
• GPG includes option to withhold KeyIDs
– Vulnerable to passive recipient privacy attack
Security Model
Private Broadcast Encryption
• I ← Setup()
– Generates global parameters I
• (pk, sk) ← Keygen(I)
– Generates public-private key pairs
• C ← Encrypt(S, M)
– Encrypts plaintext M for recipient set S
• M ← Decrypt(sk, C)
– Decrypts ciphertext C with private key sk
CPA Recipient Privacy Defined
Game between Adversary and Challenger:
• Challenger → Adversary: global parameter, all public keys
• Adversary → Challenger: S0 and S1, subsets of {1, …, n} such that |S0| = |S1|
• Challenger → Adversary: secret keys for S0 ∩ S1
• Challenger: b ←R {0,1}; M encrypted for Sb as C*
• Challenger → Adversary: C*
• Adversary: guess b’
• Adversary wins if b’ = b
Note: some schemes are vulnerable with large overlap, whereas others are vulnerable with small overlap
Simple CPA Recipient Privacy
• Remove labels
• Use key-private scheme
• Reorder components
• O(n) decrypt time
• CPA recipient privacy
• But, active attack…
– Even with IK-CCA
Ciphertext (labels struck out, components reordered):
{K}pk(B)
{K}pk(A)
{K}pk(C)
{M}K
Active Attack on Simple Scheme
• Attacker is a recipient
– Learns K
• Replaces message with something alluring
• Forwards malicious message to Alice
• Waits for response
• Receives response only if Alice was a recipient
Ciphertext:
{K}pk(B)
{K}pk(A)
{K}pk(C)
{M}K
CCA Recipient Privacy Defined
Game between Adversary and Challenger:
• Challenger → Adversary: global parameter, all public keys
• Adversary → Challenger: S0 and S1, subsets of {1, …, n} such that |S0| = |S1|
• Challenger → Adversary: secret keys for S0 ∩ S1
• Adversary → Challenger: decrypt queries on (u, C)
• Challenger: b ←R {0,1}; M encrypted for Sb as C*
• Challenger → Adversary: C*
• Adversary → Challenger: decrypt queries on (u, C) with C ≠ C*
• Adversary: guess b’
• Adversary wins if b’ = b
Constructions
Primitives Used in Constructions
• Strong correctness
– Decrypting with wrong key results in ⊥
• Strong signatures
– Attacker cannot create a new signature
– Even on a previously signed message
– Example: RSA full-domain hash
• CCA key private (IK-CCA) cryptosystem
– Ciphertext does not leak public key
Generic CCA Construction
• Start with CPA scheme
• Generate a fresh signing key pair (vk, sk)
• Include verification key, vk, in each component
• Sign the ciphertext
• Thm: CCA recipient private
• O(n) decryption time
Ciphertext (signed under sk):
{vk, K}pk(B)
{vk, K}pk(A)
{vk, K}pk(C)
{M}K
Added Primitives for Efficiency
• A group G where CDH is hard
– Extend public keys with g^a, private keys with a
• Model hash function as a random oracle
– Use extraction property to break CDH
– Use DH self-corrector [Shoup97]
Ciphertext Component Labels
• Speed decryption with private labels
• To make labels for every component:
– Pick a single fresh exponent r
– Include g^r in the ciphertext
– Label component for (pk, g^a) with H(g^(ar))
• Each recipient computes own label with g^r and a
– Attacker cannot associate H(g^(ar)) with g^a
• Still need to tie labels to verification key…
– Include g^(ar) in ciphertext components
Efficient CCA Construction
,
r
g
br
H(g ): {vk,
br
g ,
K}pk(B)
H(gar): {vk, gar, K}pk(A)
cr
cr
H(g ): {vk, g , K}pk(C)
{M}K
• Thm: CCA recipient private (in RO model)
• O(1) cryptographic operations for decryption
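The following Python program is an added illustration of the private-label mechanism from the preceding two slides; it is not code from the talk or the paper. It implements the CPA-level scheme (remove labels, reorder components, one fresh exponent r per message) with the labels H(g^(ar)) computed from the single g^r in the ciphertext, so a recipient finds its component with one exponentiation and a table lookup rather than trial decryption. Assumptions and simplifications: the group is a toy Diffie-Hellman group over the Mersenne prime 2^127 - 1 with base 3 (constructed for the demo, not a production parameter set); SHA-256 with domain-separation tags stands in for the random-oracle H; the per-recipient component is a hashed-ElGamal-style wrap of K derived from the same g^(ar), standing in for the talk's IK-CCA public-key encryption; and no per-message signing key (vk, sk) is included, so this is the CPA scheme, not the CCA construction.

```python
import hashlib
import hmac
import random
import secrets

# Toy Diffie-Hellman group for the demonstration only (constructed parameters):
# p = 2^127 - 1 is a Mersenne prime; base g = 3 in Z_p^*. Not a production group.
P = (1 << 127) - 1
G = 3


def H(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256, standing in for the talk's random-oracle H."""
    m = hashlib.sha256(tag)
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return m.digest()


def elem_bytes(x: int) -> bytes:
    """Fixed-width encoding of a group element (x < p < 2^128)."""
    return x.to_bytes(16, "big")


def keygen():
    """Recipient key: private exponent a, public g^a (the talk's (a, g^a) extension)."""
    a = secrets.randbelow(P - 2) + 1
    return pow(G, a, P), a


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Hash-based stream cipher (SHA-256 in counter mode); same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = H(b"stream", key, i.to_bytes(4, "big"))
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(recipient_pks, message: bytes) -> dict:
    """Encrypt `message` to the recipients holding the given g^a values."""
    K = secrets.token_bytes(32)            # symmetric content key
    r = secrets.randbelow(P - 2) + 1       # single fresh exponent for this ciphertext
    R = pow(G, r, P)                       # g^r, included once in the ciphertext
    components = []
    for pk in recipient_pks:
        shared = elem_bytes(pow(pk, r, P))            # g^(ar): known only to sender and holder of a
        label = H(b"label", shared)                   # H(g^(ar)): the private component label
        wrapped = xor_stream(H(b"wrap", shared), K)   # hashed-ElGamal-style wrap of K (stands in for IK-CCA PKE)
        components.append((label, wrapped))
    random.SystemRandom().shuffle(components)         # position carries no information about recipients
    body = xor_stream(K, message)
    tag = hmac.new(K, body, hashlib.sha256).digest()  # integrity check for holders of K only
    return {"R": R, "components": components, "body": body, "tag": tag}


def decrypt(a: int, ct: dict):
    """Decrypt with private exponent a; returns None (the talk's ⊥) if not a recipient."""
    shared = elem_bytes(pow(ct["R"], a, P))           # recompute g^(ar) from g^r and a
    label = H(b"label", shared)
    table = dict(ct["components"])                    # lookup by label: no trial decryption
    if label not in table:
        return None
    K = xor_stream(H(b"wrap", shared), table[label])
    expected = hmac.new(K, ct["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ct["tag"]):
        return None
    return xor_stream(K, ct["body"])


def component_labels(ct: dict):
    """Labels an observer sees; with a fresh r per message they are unlinkable across messages."""
    return [label for label, _ in ct["components"]]


if __name__ == "__main__":
    pk_a, sk_a = keygen()
    pk_b, sk_b = keygen()
    pk_c, sk_c = keygen()
    ct = encrypt([pk_a, pk_b], b"bcc-protected message")
    print(decrypt(sk_a, ct))   # recipient recovers the message
    print(decrypt(sk_c, ct))   # None: not a recipient
```

Decryption costs one exponentiation plus a dictionary lookup, which is the O(1) cryptographic operations the slide claims; building the lookup table is a linear but non-cryptographic scan of the component list. The HMAC under K only detects tampering by outsiders: a recipient already holds K, so the active attack described earlier in the talk still applies to this scheme, which is exactly why the efficient CCA construction ties each component to a per-message verification key vk and signs the ciphertext.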
Conclusions
• Many widely-deployed content distribution systems lack recipient privacy
– Email and encrypted file systems
• Introduced private broadcast encryption
– Recipient privacy against an active attacker
– Performance similar to non-private schemes
• Open problem: private broadcast encryption with shorter ciphertext
Questions?
Broadcast Semantics of Email
Mail User Agent (MUA) → Mail Transfer Agent (MTA) → Recipient MTA → Recipient, Recipient
                                                  → Recipient MTA → Recipient
BCC privacy in S/MIME
• S/MIME label is the RecipientInfo field
• Label consists of the issuer and serial number of the recipient’s certificate
• Self-signed certificate:
– Full name and email address in the clear
  444:d=9  hl=2 l=   3 prim: OBJECT            :commonName
  449:d=9  hl=2 l=  11 prim: PRINTABLESTRING   :Henry Kyser
  462:d=7  hl=2 l=  32 cons: SET
  464:d=8  hl=2 l=  30 cons: SEQUENCE
  466:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
  477:d=9  hl=2 l=  17 prim: IA5STRING         :[email protected]
• VeriSign certificate: identity at verisign.com
BCC Privacy by User Agent
Completely Exposes
– S/MIME-based: Apple Mail.app 2.622, Outlook 2003, Outlook Express 6, Thunderbird 1.02
– PGP-based: EudoraGPG 2.0, GPGshell 3.42
Partially Reveals / Protects Identity
– Outlook Web Access, Hushmail, KMail 1.8, PGP Desktop 9.0, Turnpike 6.04
Sending Separate Encryptions
• Sending separate encryptions provides BCC privacy
• Advantages of separate encryptions
– Can be deployed immediately and unilaterally
– Conceals the number (and existence) of BCC recipients
• Disadvantages of separate encryptions
– Difficult to implement for MUA plug-ins such as EudoraGPG
– Increases MTA workload and network traffic