
Cryptography for Backup Navigation

Cryptography for Backup Navigation. Dan Boneh, Stanford University. Focus of this talk: data integrity (not confidentiality), an overview of identity-based cryptography, and applications to ADS-B and DME.


Presentation Transcript


  1. Cryptography for Backup Navigation Dan Boneh Stanford University

  2. Introduction
     • Focus of this talk:
       • Data integrity (not confidentiality)
       • An overview of identity-based cryptography
       • Applications to ADS-B and DME

  3. Data integrity 1: MAC
     • Generate tag: tag ← F(k, m)
     • Verify tag: F(k, m) = tag ?
     • [Diagram: both sides hold the key k; Message m is sent together with tag]
     • Difficulty with MACs: key management
       • both sides must have the same secret key k

  4. Example MAC: (E) CBC-MAC
     • key := (k, k1)
     • message := (m[0], …, m[L])
     • [Diagram: message blocks m[0], m[1], m[3], m[4] are chained through E(k,·) in CBC fashion; the last output is passed through E(k1,·) to produce tag]

  5. Problem: broadcast integrity
     • The problem: Sta3 can forge messages to all others (note: TESLA)
     • [Diagram: msg and tag are broadcast; the sender and Sta1, Sta2 and Sta3 each hold the same key k]

  6. Data integrity 2: Dig. Signatures
     • SK: secret key; PK: public key
     • sig ← S(SK, m)
     • V(PK, m, sig) = 'yes' ?
     • [Diagram: the sender holds SK and broadcasts msg, sig; Bob1, Bob2 and Bob3 each hold PK]
     • Ensures broadcast integrity
     • Difficulty:
       (1) message needs to include PK and certificate: [ msg, sig, PK, cert ] (100s of bytes)
       (2) revocation

  7. Modern Signatures [BLS’01] • Pairings <X,Y>: ,: <X, Y> = <X, Y> • Signatures: fix an element g • Secret Key:  Public Key: g • Sign( SK, M): sig = H(M)(20 bytes) • Verify( PK=g, M, sig=H(M) ): test if <g , sig> = <PK, H(M)> <g, H(M)> <g , H(M)>

  8. Performance
     • MACs: built from fast block ciphers
       • Time for short messages (<1KB): 1μs
       • Length: 32 to 128 bits
     • Signatures: built from algebraic functions
       • sign/verify time for short messages: 10ms
       • Length: 20 bytes [BLS’01]

  9. identity-based crypto

  10. Identity-based Crypto
     • The basic idea [Shamir 1984]
       • A cryptosystem where anything is a public key
       • Examples: 24-bit plane ID, pilot name, current date
     • Practical systems: [BF 2001, …]
       • Based on new tools: pairings on elliptic curves
       • Commercially deployed (e.g. Voltage Security)
     • [Diagram: a user tells the PKG, which holds the master-key, "my ID is “652A4B”"; the PKG answers "here is your secret key: SK"]

  11. ex 1: identity-based key exchange
     • SK_ID1 and SK_ID2 generated at manufacturing time
     • Updated periodically during maintenance
     • Automatic revocation: ID = (plane-ID, month, year)
     • [Diagram: one party holds SK_ID1 and announces "my ID is ID1"; the other holds SK_ID2 and announces "my ID is ID2"; the first computes shared key = F(ID2, SK_ID1), the second computes shared key = F(ID1, SK_ID2)]

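  12. Application to DME or ADS-B (MLAT)
     • Ping-pong protocol
     • [Diagram: a party with ID and SK_ID exchanges messages with parties ID1, ID2 and ID3 (holding SK1, SK2, SK3 and keys K1, K2, K3), which send (ID1, data, MAC), (ID2, data, MAC) and (ID3, data, MAC); the party holding K1, K2, K3 verifies the MACs]
     • Symmetric MACs with minimal overhead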

  13. Repeated authentication
     • Initial setup requires computing a MAC key
       • time ≈ 20ms
     • Subsequent messages can be authenticated using established key: ≈ 1μs / msg

  14. identity-based signatures: ADS-B
     • [Diagram: the PKG holds the master-key; the plane holds ID and SK_ID and transmits [ID, data, sig]; the receiver verifies sig using ID]
     • no need for plane to transmit PK or certificate

  15. Performance
     • ID-based crypto: built from pairings on elliptic curves
     • Time: dominated by pairing computation
       • software: 20ms (1GHz x86)
       • hardware: 90μs (FPGA)
     • ID-based signature length: 40 bytes
     • open problem: 20-byte ID-based sigs

  16. THE END
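
As an added example (not part of the talk), the sketch below contrasts the shared-key broadcast setting of slide 5 with the per-ID MAC keys of slide 12, showing why a key held by every station cannot attribute a message to its sender. It assumes HMAC-SHA256 truncated to 128 bits as F, randomly generated keys in place of the identity-based key derivation, and a constructed message format with a 3-byte (24-bit) ID prefix.

```python
import hashlib
import hmac
import os

TAG_LEN = 16  # 128-bit tag, the top of the 32-128 bit range on slide 8


def gen_tag(k: bytes, m: bytes) -> bytes:
    """tag <- F(k, m). F is HMAC-SHA256 here (assumption; slide 4 shows ECBC-MAC)."""
    return hmac.new(k, m, hashlib.sha256).digest()[:TAG_LEN]


def verify_tag(k: bytes, m: bytes, tag: bytes) -> bool:
    """Check F(k, m) == tag using a constant-time comparison."""
    return hmac.compare_digest(gen_tag(k, m), tag)


def frame(sender_id: bytes, data: bytes) -> bytes:
    """Constructed wire format: 3-byte (24-bit) ID followed by the data."""
    return sender_id + data


def verify_per_id(keys: dict, m: bytes, tag: bytes) -> bool:
    """Slide 12 style check: pick the key for the claimed ID, then verify the MAC."""
    k = keys.get(m[:3])
    return k is not None and verify_tag(k, m, tag)


def demo() -> dict:
    # Slide 5: every station holds the same key k.
    k = os.urandom(16)
    m = frame(b"ID1", b"alt=constructed")   # message labelled as coming from ID1
    tag_by_id3 = gen_tag(k, m)              # but the tag was computed by ID3
    shared = verify_tag(k, m, tag_by_id3)   # accepted: k does not identify the origin

    # Slide 12: one key per ID (K1, K2, K3), all known to the verifier.
    keys = {i: os.urandom(16) for i in (b"ID1", b"ID2", b"ID3")}
    mislabelled = verify_per_id(keys, m, gen_tag(keys[b"ID3"], m))  # ID3's key, ID1 label
    genuine = verify_per_id(keys, m, gen_tag(keys[b"ID1"], m))      # ID1's key, ID1 label
    unknown = verify_per_id(keys, frame(b"ID9", b"x"), gen_tag(k, b"ID9x"))
    return {"shared": shared, "mislabelled": mislabelled,
            "genuine": genuine, "unknown": unknown}


if __name__ == "__main__":
    print(demo())
```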
