1 / 30

Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange. From: Cryptographers ’ Track of the RSA Conference 2008 Date:2011-11-29 Reporter : Yi-Chun Shih. Outline. Introduction Contribution Perfect Forward Secrecy & Linkable Affiliation-Hiding AH-AKE

pahana
Télécharger la présentation

Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Beyond Secret Handshakes:Affiliation-Hiding Authenticated Key Exchange From: Cryptographers’ Track of the RSA Conference 2008 Date:2011-11-29 Reporter: Yi-Chun Shih

  2. Outline • Introduction • Contribution • Perfect Forward Secrecy & Linkable Affiliation-Hiding • AH-AKE • Conclusion

  3. Introduction • Affiliation-Hiding Authentication protocol, or Secret Handshakes(SH),allow two members of the same group to authenticate each other by hiding their affiliation - FBI agent

  4. Affiliation-Hiding Authenticated Key Exchange ( AH-AKE ) strengthens entity authentication schemes ( SH described in [BDS+03] and [CJT04] ):  output the key which is authenticated  satisfy the standard security requirement of AKE protocol ( but not include Perfect Forward Secrecy )

  5. Outline • Introduction • Contribution • Perfect Forward Secrecy & Linkable Affiliation-Hiding • AH-AKE • Conclusion

  6. Contribution • Strengthens the security of AH-AKE through Perfect Forward Secrecy (PFS)

  7. Contribution (cont.) • Formalize the exact level of protecting privacy, called Linkable Affiliation-Hiding (LAH), the guarantee of privacy does not contain unlinkablility - Linkability : (under the ideal process) in the AH-AKE session, under the condition of player uses the same certificate, the same alias would revealed every time, so that the adversary could link this two instance, but the affiliation of the player would not be disclosed, unless the user is corruptedor the session is compromised

  8. Contribution (cont.) • Under the condition of satisfying PFS andLAH, let the complexity of AH-AKE protocol ideal in Random Oracle Model (ROM) -ROM : regarded as perfect hash function

  9. Outline • Introduction • Contribution • Perfect Forward Secrecy & Linkable Affiliation-Hiding • AH-AKE • Conclusion

  10. PFS & LAH • PFS : ensure to keep each session secure, even the participant finally corrupted and gives away long-term secrete to the adversary • LAH:AH-AKEshould confront with player corrupted and session revealed • Thus,LAHimpliesPFS

  11. LAHImpliesPFSSecurity • LAHcompares the view of actual execution and the view of fully-random • PFScompares the view of actual execution and the view of partial-random(only the key of tested session is random) • Lemma:IfAH-AKEschemeisLinkableAffiliation-HidingthenitisSecurewithPerfectForwardSecrecy

  12. Outline • Introduction • Contribution • Perfect Forward Secrecy & Linkable Affiliation-Hiding • AH-AKE • Conclusion

  13. AH-AKE • AH-AKEis based on standard AKE(non affiliation-hiding), the difference is that the certification of AH-AKE is private,so the certification hierarchies and chains are not allowed

  14. Entity • AH-AKEscheme computes under the environment of a user set Uand a group set G , and denote UUis a member ofGG asUG

  15. Protocol • purpose:allow a pair of players to establish common secret key that is authenticated, the conditions are (1)run the protocol on the public key of the same group(2) UiG and UjG • In the AH-AKE scheme, if a user is a member of many groups, that would affect execution efficient, but not security andaffiliation-hiding

  16. Public Information & Network Assumption • All the public keys of groups and CA’s, and the certificate revocation lists(CRL) are public information • The communication between users andCA’sis through anonymous and authenticated channel • The execution of AH-AKE protocolis through the channel that is not authenticated • The adversary has fully control over the network

  17. Syntax

  18. Instances & Session IDs • πUs: protocol session or player instance -the sth instance of playerUthat execute the protocol session • sidis:session id -the state argument that used byπisto connect thepublic input and messages

  19. Matching & Partnered Sessions, Correctness of AH-AKE’s • πisand πjtare matching : PKis= PKjt , certisCerts(PKis), certjtCerts(PKjt), certisRevokedCerts(CRLjt), certjtRevokedCerts(CRLis), roleis≠rolejt • πisand πjtare partnered : sidis= sidjt • If πisand πjtarematching andpartnered,they would output the same key,Kis= Kjt

  20. PFS-Secure AH-AKE Based On RSA • Setup: -givesecurity parameter k -define the smallest integerk’andH1:{0,1}* ->{0,1}k • Kgen: -generate 2k’-bit safe RSA modulus n = pq -random choosegso thatggenerates the largest subset of Zn* -secret key : (p,q,d), public key: (n,g,e) -decides Hn:{0,1}* ->Zn • Add: -managerchooses random stringidand calculatesσ= [Hn(id)]d (mod n) -the certification of U, cert = (id, σ) • Revoke:manageradd id to group CRL

  21. PFS-Secure AH-AKE Based On RSA initiator responser random choosebA, xA Step 1 hide σA

  22. PFS-Secure AH-AKE Based On RSA Step 2:use the information the other side gave to compute v set vA

  23. PFS-Secure AH-AKE Based On RSA Step 3 ie,H1(rA,sidA,init)=H1(rB,sidB,init)

  24. Prove the correctness: If A, B belong to the same group, PKA = PKB= (n, g, e) rA=(ZB)XA=(g2eXB)XA=(g2eXA)XB=(ZA)XB=rB, where ZA=(θAehA-1)2=g2eXA ZB=(θBehB-1)2=g2eXB

  25. PFS-Secure AH-AKE Based On RSA

  26. Commitment Schemes sender ( Alice ) message ( M ) lock receiver ( Bob )

  27. Commitment Schemes • Commitment phasehassecrecy property:  receivercan not open the box  sendercan not modifyM • Decommitment phasehasunambiguity / binding property: sendergives thekey to allowreceiver to open thebox to knowM

  28. Trapdoor Commitment • The trapdoor is used to overcome the binding property • Take sealed-bid auctions for example, the participant can use trapdoor to modify his bid

  29. Outline • Introduction • Contribution • Perfect Forward Secrecy & Linkable Affiliation-Hiding • AH-AKE • Conclusion

  30. Conclusion • AH-AKE includes PFS and LAH • Use trapdoor to hide σA

More Related