Multimedia Network Security Laboratory
Anonymous Authentication Systems Based on Private Information Retrieval
Date: 2012.3.26
Reporter: Hong Ji Wei
Source: Networked Digital Technologies, 2009. NDT '09. First International Conference
Outline
1. Introduction
2. PIR Based Authentication
3. Authentication Protocol Preventing Replay Attacks
4. Authentication Protocol Anonymous against Authentication-Server
5. Conclusions and Future Work
Introduction
Due to increase of data storage available and progress of data mining technologies.
We focus on authentication with three types of entities:
• a user who sends an authentication request.
• an authentication-server that receives and verifies the request.
• a database that supplies the authentication-server with information for verifying the request.
Novel authentication protocols that satisfy the following important properties:
• secure against replay-attacks.
• the database(s) cannot identify which user is authenticating (anonymity against the database(s)).
• the authentication-server cannot identify to which user a given authentication-request corresponds (anonymity against the authentication-server).
PIR Based Authentication
The simple protocol has the properties that
• the authentication-server does not need to store a set of passwords of users.
• the database cannot identify which user is authenticating with the authentication-server.
1. Users: A user $U_i$ is assigned a unique identifier $i \in [n] \stackrel{\mathrm{def}}{=} \{1, 2, \dots, n\}$ and a password $p_i \in \{0,1\}^m$.
2. Authentication-Server: An authentication-server $S$ verifies whether the user who has sent an authentication request with identifier $i$ is truly user $U_i$.
3. Databases: A database $D$ stores a set $P = \{p_1, p_2, \dots, p_n\}$ of passwords of users.
It is important for an authentication protocol to satisfy the following requirements:
• Correctness: if $z = p_i$, the probability that the user $U_i$ is rejected by $S$.
• Soundness: if $z \neq p_i$, the probability that the user $U_i$ is accepted by $S$.
• Anonymity against Database: It is hard for the database $D$ to compute any information about the identifier.
Simple Authentication Protocol Based on PIR
• Definition 1: A single-database PIR for consists of the following three functions:
1. Query function $Q : [n] \times \{0,1\}^{l_r} \to \{0,1\}^{l_q} \times \{0,1\}^{l_s}$
2. Answer function $A : (\{0,1\}^m)^n \times \{0,1\}^{l_q} \to \{0,1\}^{l_a}$
3. Reconstruction function $R : [n] \times \{0,1\}^{l_q} \times \{0,1\}^{l_s} \times \{0,1\}^{l_a} \to \{0,1\}^m$
For any set $X = \{x_i \mid 1 \le i \le n,\ x_i \in \{0,1\}^m\}$
For any $i, j \in [n]$, any probabilistic polynomial-time algorithm $B$, and sufficiently large $w$
Simple authentication protocol based on PIR
Theorem 1: The simple authentication protocol based on PIR satisfies correctness and soundness.
Theorem 2: The simple authentication protocol based on PIR satisfies anonymity against database.
Proof: it is hard for any polynomial-time algorithm to compute any information about $i$ from $q$.
Authentication Protocol Preventing Replay Attacks
Prevent the authentication-server from obtaining a password, and prevent replay-attacks.
• Password Protection and Security against Replay-Attack
1. Password Protection: it is hard for $S$ to compute the user's password.
2. Security against Replay-attacks: it is hard for any adversary who can obtain transcripts of previous communication.
• Challenge-Response Authentication Protocol
We assume that there exists an ideal hash function s.t.
1. it is hard to guess the input from an output (one-wayness)
2. it is hard to find two inputs that hash to the same output (collision resistance)
3. it is hard to distinguish whether an output comes from the hash function or from a true random function (pseudo-randomness).
• Let $H : \{0,1\}^* \to \{0,1\}^m$ be an ideal hash function.
Challenge-Response Authentication Protocol Based on PIR
Theorem 3: The challenge-response authentication protocol based on PIR satisfies correctness, soundness, anonymity against database, password protection, and security against replay-attack.
Proof:
1. (Correctness and soundness)
• If $z = p_i$, then clearly $H(z \| r') = H(p_i \| r')$, so the probability that $U_i$ is rejected by $S$ is negligible.
• (Anonymity against Database) Since $r$ is a random value, $r$ clearly includes no information about $i$.
• (Password Protection) Since $q = Q_1(i, r)$ and $H$ is a one-way hash function, it is hard to compute $p_i$ from $a = A(P', q)$.
• (Security against Replay-attacks) since $H$ has one-wayness and pseudo-randomness.
Authentication Protocol Anonymous against Authentication-Server
In addition to the four requirements shown in the previous sections, we consider the following requirement.
• Anonymity against Authentication-Server: It is hard for the authentication-server $S$ to compute any information about the identifier $i$.
Definition 2: An information theoretical k-database PIR without identifiers in reconstruction
• $k$ query functions $Q_1, \dots, Q_k : [n] \times \{0,1\}^{l_r} \to \{0,1\}^{l_q}$
• Answer function $A : (\{0,1\}^m)^n \times \{0,1\}^{l_q} \to \{0,1\}^{l_a}$
• Reconstruction function $R : (\{0,1\}^{l_a})^k \to \{0,1\}^m$
These functions satisfy the following requirements:
• For any set $X = \{x_i \mid 1 \le i \le n,\ x_i \in \{0,1\}^m\}$
• For any $i, j \in [n]$, $t \in [k]$, $q \in \{0,1\}^{l_q}$
• For any $i, j \in [n]$, $x \in \{0,1\}^m$
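Added example, not taken from the paper or the slides: Definition 2 instantiated with the classic two-database XOR PIR and used for the challenge-response check on $H(z \| r')$ from the previous section. SHA-256 as $H$, the function names, the sample passwords and the message flow are assumptions (the protocol figures did not survive on this page), and the public key step that hides the queries from $S$ is not modelled.

```python
import hashlib
import hmac
import secrets
from functools import reduce

def H(data: bytes) -> bytes:
    """Stand-in for the ideal hash H (assumption: SHA-256, so m = 256 bits)."""
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def queries(i: int, n: int) -> tuple[int, int]:
    """Q_1, Q_2: n-bit masks. Each alone is uniformly random; they differ only in bit i."""
    r = secrets.randbits(n)              # the randomness r of Definition 2
    return r, r ^ (1 << i)               # i is 0-based here, the page uses 1..n

def answer(records: list[bytes], q: int) -> bytes:
    """A: XOR of the records whose bit is set in mask q."""
    selected = (x for j, x in enumerate(records) if (q >> j) & 1)
    return reduce(xor, selected, bytes(32))

def reconstruct(answers: list[bytes]) -> bytes:
    """R: XOR of the k answers. The identifier i is not an input."""
    return reduce(xor, answers, bytes(32))

def database(P: list[bytes], q: int, challenge: bytes) -> bytes:
    """A database answers over P' = {H(p_j || r')}, never over raw passwords."""
    return answer([H(p + challenge) for p in P], q)

def respond(i: int, z: bytes, n: int, challenge: bytes):
    """User U_i: PIR queries for index i plus the response H(z || r')."""
    return queries(i, n), H(z + challenge)

def verify(P: list[bytes], qs, response: bytes, challenge: bytes) -> bool:
    """Server S: relay each query to its database, reconstruct, compare."""
    expected = reconstruct([database(P, q, challenge) for q in qs])
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    P = [b"pw-one", b"pw-two", b"pw-three", b"pw-four"]   # constructed sample
    r1 = secrets.token_bytes(16)                           # challenge r'
    qs, resp = respond(2, b"pw-three", len(P), r1)
    print(verify(P, qs, resp, r1))                         # matching password
    print(verify(P, qs, resp, secrets.token_bytes(16)))    # replay under a new challenge
```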
Authentication Protocol Anonymous against Authentication-Server
• The key idea of the authentication protocol is to use a public key encryption scheme: key generation algorithm $K$, encryption algorithm $E$, and decryption algorithm $T$
1. For any $\mu \in \{0,1\}^*$, $T(sk, E(pk, \mu)) = \mu$, where $(pk, sk) \leftarrow K(1^y)$
2. Semantically secure
• PIR-Based Authentication Protocol Anonymous against Authentication-Server
Theorem 4: The proposed protocol satisfies correctness, soundness, password protection, security against replay-attacks, anonymity against databases, and anonymity against authentication-server.
Proof: (Correctness and Soundness)
• It is clear that $H(z \| r') = H(p_i \| r')$ if $z = p_i$.
(Anonymity against Authentication-Server)
• Since the public encryption scheme is semantically secure.
Conclusions and Future Work
• a single database which satisfies correctness, soundness, anonymity against database, password protection, and security against replay-attacks.
• multiple databases which satisfy anonymity against authentication-server in addition to the previous properties.
• The authentication protocol proposed is based on an information theoretical PIR.