1 / 58

Seminar in Foundations of Privacy

Seminar in Foundations of Privacy. Message Authentication in the Manual Channel Model. Gil Segev. Pairing of Wireless Devices. Scenario: Buy a new wireless camera Want to establish a secure channel for the first time Diffie-Hellman key agreement protocol. Diffie-Hellman Key Agreement.

constance-wilkerson
Télécharger la présentation

Seminar in Foundations of Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Seminar in Foundations of Privacy Message Authenticationin the Manual Channel Model Gil Segev

  2. Pairing of Wireless Devices Scenario: • Buy a new wireless camera • Want to establish a secure channel for the first time • Diffie-Hellman key agreement protocol

  3. Diffie-Hellman Key Agreement • Alice and Bob wish to agree on a secret key • Public parameters: • Group G • Generator g2G gx Alice Bob gy Both parties computeKA,B = gxy • Security: Even when given (G, g, gx, gy) it is still hard to compute gxy

  4. Diffie-Hellman Key Agreement • Computational Diffie-Hellman assumption (CDH):For every probabilistic polynomial-time algorithm A, every polynomial p(n) and for all sufficiently large n, Pr[A(Gn,gn,gnx,gny) = gnxy] < 1/p(n) The probability is taken over A’s internal coins tosses and over the random choice of (x,y) • Decisional Diffie-Hellman assumption (DDH): c {(g, gx, gy, gxy)}  {(g, gx, gy, gc)} for random x, y and c. Computational Indistinguishability

  5. Diffie-Hellman Key Agreement • Alice and Bob wish to agree on a secret key • Public parameters: • Group G • Generator g2G gx Alice Bob gy Both parties computeKA,B = gxy • CDH assumption: KA,B is hard to guess • DDH assumption:KA,Bis as good as a random secret • Secure against passive adversaries • Eve is only allowed to read the sent messages

  6. Pairing of Wireless Devices gx Scenario: • Buy a new wireless camera • Want to establish a secure channel for the first time • Diffie-Hellman key agreement protocol gy

  7. Pairing of Devices Wireless Cable pairing • Simple • Cheap • Authenticated channel “I thought this is a wireless camera…”

  8. Pairing of Wireless Devices Wireless pairing Problem: Active adversaries (“man-in-the-middle”)

  9. Pairing of Wireless Devices Wireless pairing gy gx ga gb Problem: Active adversaries (“man-in-the-middle”)

  10. ENC(KA,E,m) ENC(KE,B,m) Alice Eve Bob Diffie-Hellman Key Agreement gx gy • Suppose now that Eve is an active adversary • “man-in-the-middle” attacker Alice Eve Bob ga gb KA,E = gxa KE,B = gby • Completely insecure: • Eve can decrypt m, and then re-encrypt it

  11. Diffie-Hellman Key Agreement gx gy • Suppose now that Eve is an active adversary • “man-in-the-middle” attacker Alice Eve Bob ga gb KA,E = gxa KE,B = gby • Solution - Message authentication: • Alice and Bob authenticate gx and gy

  12. ^ m Message Authentication • Assure the receiver of a message that it has not been changed by an active adversary m Alice Eve Bob Problem specification: Completeness: No interference m Bob accepts m (with high probability) Soundness: mPr[Bob accepts m  m ] ^

  13. One-Time Authentication • The secret key enables a single authentication of a message m  {0,1}n • H = {h| h: {0,1}n → {0,1}k } is a family of hash functions • Alice and Bob share a random function hH • h is not known to Eve • To authenticate m  {0,1}n Alice sends (m,h(m)) ^ • Upon receiving (m,z): • If z = h(m), then Bob outputs m and halts • Otherwise, Bob outputs ? and halts ^ ^

  14. One-Time Authentication • Hard to guess h(m) • Success probability at most  • Should hold for any m ^ • What properties do we require from H? ^

  15. One-Time Authentication • Hard to guess h(m) even given h(m) • Success probability at most  • Should hold for any m and m ^ • What properties do we require from H? ^ • Short representation for h- must have small log|H| • Easy to compute h(m)given h and m

  16. Universal Hash Functions • Given h: {0,1}n → {0,1}k we can always guess a correct output with probability at least 2-k • A family where this is tight is called universal2 Definition: a family H = {h| h: {0,1}n → {0,1}k } is called Strongly Universal2or pair-wise independent if: • for allm1 m2 {0,1}nand y1, y2 {0,1}kwe have Pr[h(m1) = y1 and h(m2) = y2 ] = 2-2k where the probability is over a randomly chosen hH In particularPr[h(m2) = y2 | h(m1) = y1 ] = 2-k Theorem: when a strongly universal2 family is used in the protocol, Eve’s probability of cheating is at most 2-k

  17. Constructing Universal Hash Functions The linear polynomial construction: • Fix a finite field F of size at least the message space 2n • Could be either GF[2n] or GF[P] for some prime P ≥ 2n • The family Hof functionsh: F→ Fis defined as H= {ha,b(m) = a∙m + b | a, b  F} Claim: the family above is strongly universal2 Proof: for everym1≠m2,y1, y2 Fthere are uniquea, b  Fsuch that a∙m1+b = y1 a∙m2+b = y2 Size: each hHrepresented by 2n bits

  18. Lower Bound Theorem:Let H= {h| h: {0,1}n → {0,1}} be a family of pair-wise independent functions. Then |H| isΩ(2n) More precisely, to obtain a d-wise independence family |H| should beΩ(2n└d/2┘) • N. Alon and J. SpencerThe Probabilistic MethodChapter 15 (derandomization), Proposition 2.3

  19. More on Authentication • Reducing the length of the secret key • Almost-pair-wise independent hash functions • Interaction • Using the same secret key to authenticate any polynomial number of messages • Requires computational assumptions • Pseudorandom functions • Authentication in the public-key world • Much more to discuss…

  20. ^ m = gb || gy Pairing of Wireless Devices Wireless pairing gy gx ga gb m = gx || ga • Impossible without additional setup

  21. Pairing of Wireless Devices Wireless pairing gy gx ga gb Solution: Manual Channel

  22. The Manual Channel Wireless pairing gy gx 141 ga gb 141 User can compare two short strings

  23. Manual Channel Model m Alice Bob s . . . s • Insecure communication channel • Low-bandwidth auxiliary channel: • Enables Alice to “manually” authenticate one short string s s Interactive Non-interactive • Adversarial power: • Choose the input message m • Insecure channel: Full control • Manual channel: Read, delay • Delivery timing

  24. Manual Channel Model m Alice Bob s . . . s • Insecure communication channel • Low-bandwidth auxiliary channel: • Enables Alice to “manually” authenticate one short string s s Interactive Non-interactive Goal:Minimize the length of the manually authenticated string

  25. Manual Channel Model m Alice Bob s . . . s s • No trusted infrastructure, such as: • Public key infrastructure • Shared secret key • Common reference string • ....... Suitable for ad hoc networks: • Pairing of wireless devices • Wireless USB, Bluetooth • Secure phones • AT&T, PGP, Zfone • Many more...

  26. Why Is This Model Reasonable? • Implementing the manual channel: • Compare two strings displayed by the devices 141 141

  27. Why Is This Model Reasonable? • Implementing the manual channel: • Compare two strings displayed by the devices • Type a string, displayed by one device, into the other device 141 141

  28. Why Is This Model Reasonable? • Implementing the manual channel: • Compare two strings displayed by the devices • Type a string, displayed by one device, into the other device • Visual hashing

  29. Why Is This Model Reasonable? • Implementing the manual channel: • Compare two strings displayed by the devices • Type a string, displayed by one device, into the other device • Visual hashing • Voice channel 141 141

  30. Alice Eve Bob ^ m m H(m) The Naive Solution m Alice Bob H(m) • H - collision resistant hash function (e.g., SHA-256) • No efficient algorithm can find m  m s.t. H(m) = H(m) with noticeable probability • Any adversary that forges a message can be used to find a collision for H ^ ^

  31. The Naive Solution m Alice Bob H(m) • H - collision resistant hash function (e.g., SHA-256) • No efficient algorithm can find m  m s.t. H(m) = H(m) with noticeable probability • Any adversary that forges a message can be used to find a collision for H ^ ^ Are we done? • No. The output length of SHA-256 is too long (160 bits) • Cannot be easily compared or typed by humans

  32. Tight Bounds m n-bit . . . s ℓ-bit  forgery probability No setup or computational assumptions • Upper bound: log*n-round protocol in which ℓ = 2log(1/) + O(1) • Matching lower bound: n  2log(1/)  ℓ  2log(1/) - 2 • One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting

  33. Our Results - Tight Bounds ℓ ℓ = 2log(1/) ℓ = log(1/) One-way functions Unconditional security Computational security Impossible log(1/)

  34. Outline • Security definition • Tight bounds • The protocol • Lower bound

  35. Security Definition m n-bit . . . s ℓ-bit Unconditionally secure(n, ℓ, k, )-authentication protocol: • n-bit input message • ℓ manually authenticated bits • k rounds Completeness: No interference m Bob accepts m (with high probability) ^ Unforgeability: mPr[ Bob accepts m  m ]

  36. Outline • Security definition • Tight bounds • The protocol • Lower bound

  37. Preliminaries: For m = m1 ... mk GF[Q]k and x GF[Q], let m(x) = mixi k  i = 1 The Protocol (simplified) • Based on the [GN93] hashing technique • In each round, the parties: • Cooperatively choose a hash function • Reduce to authenticating a shorter message • A short message is manually authenticated ^ Then, for any m ≠ m and for any c, c  GF[Q], ^ ^ ^ Prob x RGF[Q] [ m(x) + c = m(x) + c ]  k/Q

  38. Preliminaries: For m = m1 ... mk GF[Q]k and x GF[Q], let m(x) = mixi k  i = 1 ^ Then, for any m ≠ m and for any c, c  GF[Q], ^ ^ ^ Prob x RGF[Q] [ m(x) + c = m(x) + c ]  k/Q The Protocol (simplified) x || m(x) + c We hash m to Other party chooses c One party chooses x

  39. The Protocol (simplified) Alice Bob m a1 a1R GF[Q1] b1R GF[Q1] b2 b1 a2R GF[Q2] b2R GF[Q2] m2 Accept iff m2 is consistent m0 = m Both parties set: Q1 n/ , Q2 log(n)/ m1 = b1 || m0(b1) + a1 m2 = a2 || m1(a2) + b2 2log(1/) + 2loglog(n) + O(1)manually authenticated bits Two GF[Q2]elements • k rounds 2loglog(n) is reduced to 2log(k-1)(n)

  40. Security Analysis • Must consider all generic man-in-the-middle attacks. • Three attacks in our case: Attack #1 Alice Eve Bob ^ ^ m a1 m a1 ^ ^ b2 b2 b1 b1 m2

  41. Security Analysis • Must consider all generic man-in-the-middle attacks. • Three attacks in our case: Attack #2 Alice Eve Bob ^ ^ m a1 b2 b1 m a1 ^ ^ b2 b1 m2

  42. Security Analysis • Must consider all generic man-in-the-middle attacks. • Three attacks in our case: Attack #3 Alice Eve Bob m a1 ^ ^ b2 b1 m2 ^ ^ m a1 b2 b1 m2

  43. Security Analysis – Attack #1 Alice Eve Bob ^ ^ m a1 m a1 ^ ^ b2 b2 b1 b1 m2 ^ m0,A = m m0,B = m ^ ^ ^ m1,A = b1 || m0,A(b1) + a1 m1,B = b1 || m0,B(b1) + a1 ^ m2,A = a2 || m1,A(a2) + b2 m2,B = a2 || m1,B(a2) + b2 m0,A m0,B and m2,A = m2,B Pr[ m1,A = m1,B ] + Pr[ m1,A m1,B and m2,A = m2,B ] /2 + /2

  44. Pr[ m1,A = m1,B ] Security Analysis – Attack #1 Alice Eve Bob ^ ^ m a1 m a1 ^ b1 b1 ^ m0,A = m m0,B = m ^ ^ ^ m1,A = b1 || m0,A(b1) + a1 m1,B = b1 || m0,B(b1) + a1 Claim: ^ • Eve chooses b1 b1 • Eve chooses b1 = b1 m1,A m1,B ^  /2 ^ Pr[ m0,A(b1) + a1 = m0,B(b1) + a1 ]  /2

  45. Outline • Security definition • Tight bounds • The protocol • Lower bound

  46. Lower Bound Alice Bob m, x1 x2 s • mR {0,1}n M, X1, X2, S are well defined random variables

  47. Lower Bound Alice Bob M, X1 X2 S • Goal: H(S)  2log(1/)

  48. Shannon Entropy • Let X be random variable over domain X with probabilitydistribution PX • The Shannon entropy of X is H(X) = - ∑x2XPX(x) log PX(x) (where 0log0 = 0) • Measures the amount of randomness in X on average • Measures how much we can compress X on average 0 · H(X) · log|X| Equality ,X is constant Equality ,X is uniform

  49. A Related Notion: Min-Entropy • Let X be random variable over domain X with probabilitydistribution PX • The min-entropy of X is H1(X) = - log maxx2XPX(x) • Measures the amount of randomness in X in the worst-case • Represents the most likely value(s) 0 · H1(X) · H(X) · log|X| Equality ,X is uniform Equality ,X is constant Equality ,X is uniform

  50. Conditional Shannon Entropy • Let X and Y be two random variables over domains X and Ywith probability distributions PX andPY • The conditional Shannon entropy of X given Y is H(X|Y) = ∑y2YPY(y) H(X|Y=y) • Observation: H(X,Y) = H(X) + H(Y|X) H(X,Y) = H(Y) + H(X|Y)

More Related