Secret Handshakes or Privacy-Preserving Interactive Authentication
Gene Tsudik, University of California, Irvine
Joint work with: Claude Castelluccia, Stanisław Jarecki, Shouhuai Xu, Samad Nasserian
Motivation
• Privacy is being gradually eroded
  • Cameras everywhere
  • Search engines keep data
  • Stores keep track of habits via affinity cards
  • Libraries keep records of books checked out
• Need privacy-preserving services
  • E-cash
  • Anonymous email
  • Anonymous signatures (e.g., group signatures)
  • Information delivery
  • Trust negotiation
  • Authentication
• Our focus:
  • Private (unobservable) authentication
Example setting
• Alice and Bob meet in a crowded network
• All communication is observable
• Man-in-the-middle attacks possible
• Alice is an FBI agent
• Bob is an FBI agent
• They cannot authenticate publicly…
• Alice will only “speak” with other FBI agents
• Bob will only “speak” with other FBI agents
• How can they authenticate in private?
Example setting
• How can they authenticate in private?
• Cannot just exchange signatures
• Cannot simply share a common key
• Cannot even exchange group signatures
Encryption: The General Idea
Parties: Bob, Alice, Adversary
• Bob sends message m to Alice as ciphertext c
• Alice decrypts m from c
• Adversary cannot get m from c!!!
Public Key Encryption
Parties: Bob, Alice, Adversary
• Key generation procedure outputs Alice’s public encryption key KA and Alice’s secret decryption key KS
• Bob (has KA and message m): c = Enc(KA, m)
• Alice (has KS): m = Dec(KS, c)
• Adversary (sees KA and c):
  - computing m from KA and c is infeasible
  - computing even one bit of m is infeasible
  - deciding if m = m’ from (KA, c) is infeasible
  [list of useful security needs still growing…]
• Problem: How does Bob know that KA is Alice’s public key?
Public Key Infrastructure [PKI]: Certification Authority generates keys
• Certification Authority (CA) generates Alice’s public key Ka and Alice’s secret key Ks
• certA = SIG_CA{Ka, Alice}
• Bob (knows CA’s public key) verifies CA’s signature certA on Ka
• Bob: c = Enc(Ka, m)
• Alice: m = Dec(Ks, c)
[PKI]: Users Generate Keys Independently
• Alice generates her secret-public key pair (Ks, Ka) on her own
• Alice → Certification Authority (CA): Ka + “physical authentication”
• CA → Alice: certA = SIG_CA{Ka, Alice}
• Alice → Bob: (Alice, Ka, certA)
• Bob (knows CA) verifies CA’s signature certA on {Ka, Alice}
• Bob: c = Enc(Ka, m)
• Alice: m = Dec(Ks, c)
Authentication: Bob is sure that he is talking to Alice
Using a PKI:
• Alice generates secret-public key pair (Ks, Ka) on her own
• Alice → Certification Authority (CA): Ka + “physical authentication”
• CA → Alice: certA = SIG_CA{Ka, Alice}
• Alice → Bob: (Ka, certA) and a proof of knowledge of Ks corresponding to Ka
• Bob (knows CA) verifies CA’s signature certA on Ka
[PKI]: Authentication Reveals Alice’s Affiliation
• Alice’s CA: UCI (public key UCI)
• Alice generates secret-public key pair (Ks, Ka) on her own
• Alice → UCI: Ka + “physical authentication”
• UCI → Alice: certA = SIG_UCI{Ka, Alice}
• Alice → Bob: (Ka, certA) and a proof of knowledge of Ks corresponding to Ka
• Bob (knows UCI) verifies UCI’s signature certA on Ka and learns that Alice is at UCI
Traditional Public Key Authentication offers: No Affiliation Privacy
Parties: Alice, UCI student; Bob, FBI agent
• Alice → Bob: certA = SIG_UCI{Alice’s Pub.Key Ka} and a proof of knowledge of Ks corresponding to Ka
• Alice’s affiliation is publicly revealed by her certificate
• Can Alice reveal her affiliation only to FBI members?
• Can Bob keep his affiliation private too?
Public Key Authentication (changing the terms)
Parties: Alice, UCI student; Bob, FBI agent
• Alice holds certA = SIG_UCI{Ka}
• Alice → Bob: Alice’s PKInfo Ka and affiliation UCI
• Alice → Bob: proof of knowledge of UCI’s cert on Ka
• On input UCI and Ka, Bob verifies the proof
• Can Alice reveal her affiliation only to FBI members?
Public Key Authentication: The Problem of Affiliation Privacy
Parties: Alice, UCI student; Bob, FBI agent
• Alice holds certA = SIG_UCI{Ka}; PolicyA = {FBI}
• Alice → Bob: Alice’s PKInfo Ka and affiliation UCI ?
• Alice → Bob: proof of knowledge of UCI’s cert on Ka
• On input UCI and Ka, Bob verifies the proof
• Can Alice reveal her affiliation only to FBI members?
• Can she hide this policy from other parties?
• (and vice versa for Bob?)
Public Key Authentication: The Problem of Affiliation Privacy
• Alice holds certA = SIG_UCI{Ka}; PolicyA = {FBI}
• Bob holds certB = SIG_FBI{Kb}; PolicyB = {UCI}
• Alice → Bob: Alice’s PKInfo Ka
• Bob → Alice: Bob’s PKInfo Kb
• Alice → Bob: proof of knowledge of UCI’s cert on Ka
• Bob → Alice: proof of knowledge of FBI’s cert on Kb
• Can Alice reveal her affiliation only to FBI members?
• Can she hide this policy from other counterparties?
• (and vice versa for Bob?)
Secret Handshakes via “Encrypted Authentication”
• Alice holds certA = SIG_UCI{Ka}; PolicyA = {FBI}
• Bob holds certB = SIG_FBI{Kb}; PolicyB = {UCI}
• Alice → Bob: Alice’s PKInfo Ka
• Bob → Alice: Bob’s PKInfo Kb
• Alice → Bob: Enc_PK(FBI,Kb){proof of knowledge of SIG_UCI{Ka}, nA}
  • encryption key derived for (FBI, Kb)
  • signature = decryption key
• Bob → Alice: nA
• Requirements:
  1: signatures must work as decryption keys
  2: ciphertexts must hide Cert. Signer assumed in encryption
  3: public key info must hide Cert. Signer too
• Can Alice reveal her affiliation only to FBI members?
• Can she hide this policy from other counterparties?
• (and vice versa for Bob?)
Secret Handshakes with “CA-oblivious” or “Signature-Based” Encryption
• Alice holds certA = SIG_UCI{Ka}; PolicyA = {FBI}
• Bob holds certB = SIG_FBI{Kb}; PolicyB = {UCI}
• Alice → Bob: Alice’s PKInfo Ka
• Bob → Alice: Bob’s PKInfo Kb
• Alice → Bob: Enc_PK(FBI,Kb){proof of knowledge of SIG_UCI{Ka}, cA, nA}
• Bob → Alice: Enc_PK(UCI,Ka){proof of knowledge of SIG_FBI{Kb}, cB, nB}, cA
• Alice → Bob: cB
• In addition, can derive a shared key K = f(nA, nB)
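Added example (not from the slides and not the authors' code): a minimal Python sketch of the three requirements listed for “Encrypted Authentication”, using a Schnorr signature (w, t) as the certificate so that t doubles as the decryption key and w is the CA-hiding public key info. The group parameters, all function names and the `member` helper are assumptions made for illustration; the proof of knowledge and the cA/cB challenges are omitted, and the 127-bit group is a toy, not a secure choice.

```python
import hashlib, secrets

# Toy parameters (assumption, NOT secure): Z_p^* with the Mersenne prime 2^127 - 1.
P = 2**127 - 1
N = P - 1          # exponents are reduced modulo the group order
G = 3

def H(*parts):
    """Hash a mix of ints/str/bytes to an exponent in [0, N)."""
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def ca_keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)                       # (CA secret, CA public key y)

def ca_certify(x, ident):
    """Schnorr signature on ident: w is sent in the clear, t stays secret."""
    r = secrets.randbelow(N - 1) + 1
    w = pow(G, r, P)                             # random-looking, names no CA
    t = (r + x * H(w, ident)) % N                # so g^t == w * y^H(w, ident)
    return w, t

def encrypt(ca_pub, ident, w, nonce):
    """Encrypt to whoever holds the *assumed* CA's signature on (ident, w)."""
    pk = (w * pow(ca_pub, H(w, ident), P)) % P   # equals g^t only if the CA guess is right
    k = secrets.randbelow(N - 1) + 1
    return pow(G, k, P), nonce ^ H("pad", pow(pk, k, P))

def decrypt(t, ct):
    c1, c2 = ct
    return c2 ^ H("pad", pow(c1, t, P))          # signature value t is the decryption key

def member(ca_secret, ident, policy):
    """Hypothetical helper: a party certified by one CA, willing to talk to `policy`."""
    w, t = ca_certify(ca_secret, ident)
    return {"ident": ident, "w": w, "t": t, "policy": policy}

def handshake(a, b):
    """Each side encrypts a nonce under the CA named in its own policy."""
    n_a, n_b = secrets.randbits(120), secrets.randbits(120)
    ct_to_b = encrypt(a["policy"], b["ident"], b["w"], n_a)   # Alice -> Bob
    ct_to_a = encrypt(b["policy"], a["ident"], a["w"], n_b)   # Bob -> Alice
    k_a = H("key", n_a, decrypt(a["t"], ct_to_a))             # Alice's K = f(nA, nB)
    k_b = H("key", decrypt(b["t"], ct_to_b), n_b)             # Bob's   K = f(nA, nB)
    return k_a, k_b
```

The two keys agree only when each party holds a certificate from the CA in the other's policy; a party certified elsewhere decrypts to a wrong nonce and ends with a different key.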
Outstanding Issues
• Pseudonym re-use linkability (constant # of pseudonyms; must be replenished periodically)
• Size of revocation information (#pseudonyms * #revoked)
• O(n²) for n certificates and n policies
• How to do group handshakes?
Recent Results
• Balfanz, et al. (S&P 2003)
  • BGDH assumption (bilinear maps)
• Castelluccia, et al. (Asiacrypt 2004)
  • discrete log assumption (Schnorr signatures)
• Holt, Seamons (ACM CCS 2004)
  • Hidden credentials
• Xu and Yung (CCS 2004)
  • k-anonymity [XY’04]
• Xu and Tsudik (in submission)
  • framework supporting reusable credentials, group handshakes
  • (1) Group Signatures + (2) Group Key Agreement + (3) Centralized Group Key Distribution