1 / 30

463.5.2 Privacy Enhancing Technologies

463.5.2 Privacy Enhancing Technologies. Computer Security II CS463/ECE424 University of Illinois. Overview. Anonymous Communication Digital Cash Off the Record Messaging. Digital Cash. Cash is a universally anonymous payment system Can we store money in a digital wallet?

irina
Télécharger la présentation

463.5.2 Privacy Enhancing Technologies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 463.5.2 Privacy Enhancing Technologies Computer Security II CS463/ECE424 University of Illinois

  2. Overview Anonymous Communication Digital Cash Off the Record Messaging

  3. Digital Cash Cash is a universally anonymous payment system Can we store money in a digital wallet? Digital Cash: A payment message bearing a digital signature which functions as a medium of exchange or store of value Need to be backed by a trusted third party, usually the government and the banking industry. Offline/Online

  4. Digital Cash : Desired Properties Physical Cash Untraceable Cannot double spend Can we have similar properties for Digital Cash?

  5. Traceable Signature Protocol Alice gets Digital Cash from Bank Alice creates m=amount, serial number Private, public key pair of the bank is d,e (mod n) Bank returns md Alice pays Digital Cash to a Merchant md Merchant can verify md with the Bank

  6. Blind signatures Blind signatures are used when you want someone to sign something but you don’t want them to see what they are signing This is done by multiplying the message by a secret number (called blinding). The signer signs the blinded message The secret number can be divided out to get a signed version of the message

  7. RSA Blind Signatures Alice wants Bank to sign message m Chose a blinding factor b Alice gives r = m.be to the Bank Bank signs this giving Alice rd=(m.be)d Alice can then remove the blind by calculating Rd.b-1 = md.bed.b-1 = md.b.b-1 = md

  8. Example Banks public key = 17 (n=77) Banks private key = 53 Alice’s message = 28 Alice chooses a blinding factor=6 Alice asks Bob to sign 28*617 mod 77 = 70 Bob signs 70 and sends Alice 7053 mod 77=42 Alice can compute 42.6-1(mod 77) to get 7 Note that 2853 mod 77 = 7

  9. Untraceable Digital Cash Alice creates k items of m Random Serial Number Random Serial Number m1 mk , …, m1 = (…, amount, serial number) mk = (…, amount, serial number)

  10. Untraceable Digital Cash Alice creates blinding factors:b1e,…, bke Blind the units - m1b1e, …, mk bke m1b1e mkbke , …, Bank • Send to bank for signing

  11. Untraceable Digital Cash Bank chooses k –1 items to check (at random) Customer gives all blinding factors except one (say unit i) Bank checks they are correct i

  12. Untraceable Digital Cash Bank signs the remaining one and sends it back – (mibei)d = midbi Customer Serial no • The customer removes the blind using bi-1 mid

  13. Problem! When the merchant receives the coin verify that the bank signed the coin verify that the coin hasn’t already been spent Bank can maintain list of spent coins Trivial if merchant has connection with Bank at the time of sale. How can we extend the protocol to an offline setting? Idea: if user spends the coin twice, ensure that the user is caught by the Bank

  14. Secret Sharing Let us denote Alice’s username as I We will split I into n parts such that Each part on its own does not contain any information about I All n parts can be combined to reveal username How does it work? Alice picks a random numbers r Alice calculates s = I  r

  15. Secret Sharing Alice’s Username = 2510 Alice picks a random number r = 1500: S=2510  1500 = 3090 The username can now be split into 2 parts 1500 and 3090 On their own they don’t reveal the username, but when combined using the XOR, the username is revealed 1500  3090 = 2510

  16. A Typical Coin User ID: 1500 3090 4545 6159 5878 7992 • Header Information – 100$ • Serial number - 123456 • Transaction Item – pairs of user IDs

  17. A Typical Coin (before spending) User ID: 1500 XOR 3090 =2510 4545 XOR 6159 =2510 5878 XOR 7992 =2510 • Header Information – 100$ • Serial number - 123456 • Transaction Item – pairs of user ID’s User ID

  18. Spending Cash Alice presents a token to a Merchant Merchant asks Alice to reveal part of each user ID pair Merchant decides if he wants to know the right half or the left half Alice blanks out the other half

  19. Blanking User ID: 0 3090 4545 6159 5878 7992 Randomly blank one side of each identity pair

  20. Blanking User ID: 0 3090 4545 0 5878 7992 Randomly blank one side of each identity pair

  21. Blanking User ID: 0 3090 4545 0 5878 0 Randomly blank one side of each identity pair

  22. The coin is now spent User ID: 0 3090 4545 0 5878 0 • You can no longer tell who owns the coin • Merchant would now deposit this coin into the bank • Note that token has half of user ID pair revealed • Bank verifies token and adds to database of spent tokens

  23. The coin is copied and spent at another merchant • Before the user spent the coin the first time, the user made a copy of it • User ID: 1500 0 4545 0 0 7992 • Merchant would now deposit this coin into the bank

  24. How can we catch the user? Original Coin User ID: 0 3090 4545 0 5878 0 Duplicate Coin User ID: 1500 0 4545 0 0 7992 This is what is in the bank

  25. How can we catch the user? Original Coin User ID: 0 3090 4545 0 5878 0 Duplicate Coin User ID: 1500 0 4545 0 0 7992 3090 XOR 1500 = 2510 5878 XOR 7992 = 2510 User ID This is what is in the bank

  26. Probability of catching the culprit Depends on the number of the identity strings used Probability of catching a user is: 1 - ½n , where n is the number of identity strings E.g. n = 10, the probability of catching a user is: 0.999

  27. Off The Record Messaging “Casual Conversation” Alice and Bob talk in a room No one else can hear Unless being recorded No one else knows what they say Unless Alice or Bob tell them No one can prove what was said Not even Alice or Bob

  28. Desired Properties Confidentiality Authentication Deniability No digital signatures Perfect Forward Secrecy If you lose control of your private keys, no previous conversation is compromised.

  29. Protocol Sketch Assume Alice and Bob know each other’s public key Use public keys to share a secret symmetric key The secret key is “short lived” Messages encrypted by secret key (AES) Provides confidentiality Deniable Authentication Message Authentication Codes Since only the two parties know the secret key, provides authentication Discard symmetric key after use

  30. Discussion Propose a protocol for self destructing data

More Related