© Information Security Group, ICU1 Identification & ZKIP

1 © Information Security Group, ICU

Identification & ZKIPIdentification & ZKIP


Contents

IntroductionPasswordsChallenge-ResponseZKIP


Why do need Identification ?

1. Bank machine withdrawals : 4 ~ 6-digit PIN(Personal Identification Number) at ATM(Automatic Teller Machine)

2. In store credit card purchases3. Prepaid calling card : Asking a service

by telephone card or membership cards4. Remote login: Remote access to host

under Client /Server environment

5. Access to restricted areas, etc.


Identification by personal information

Method Examples Reliability Security Cost

What youRemember(know)

PasswordTelephone # Reg. #

M/LM(theft)L(imperso- nation)

Cheap

What you have

Registered SealMagnetic Card IC Card

ML(theft)M(imperso-nation)

Reason-able

What you are

Bio-metric(Fingerprint,Eye, DNA, face,Voice, etc)

HH(theft)H(Imperso- nation)

Reasonable

Expensive


Biometric Information

Extracted from A. Jail’s presentation in SCIS2006, Japan


Way of Identification

Password-based scheme (weak authentication) crypt passwd under UNIX one-time password

Challenge-Response scheme (strong authentication) Symmetric cryptosystem MAC(keyed-hash) function Asymmetric cryptosystem

Cryptographic Protocols Fiat-Shamir identification protocol Schnorr identification protocol, etc


Identification by Password

passwd,Apasswd table

A h(passwd)

Prover Verifier

passwd h =

A

yaccept

n

reject


Attack against Fixed PWDs

Replay fixed pwds Observe pwd as it is typed in Eavesdrop the data in cleartext Not suitable over open communication networks

Exhaustive pwd search Let E(c) be the entropy of 8-char pwds from choices E(26)=37.6, E(36)=41.4, E(62)=47.6, E(95)=52.6

Pwd guessing and dictionary attacks A large dictionary contains 250,000 words Dictionary attack: order lists and compared to entries in the encr

ypted dictionary Combine numerical and alphabetical characters.


crypt passwd in UNIX

truncate to 8ASCII chars; 0-pad if necessary

userpasswd DES*

Repack 76 bitsinto 11 7-bitcharacters

encrypted passwd

/etc/passwd

user salt

I1= 0…0next input Ii

2 i 25

output, Oi

O25

56

64

64

12

12

salt : 12-bit random from system clock when select passwd.DES* : DES with expansion E modified by 12-bit salt, 212 =4056 DES variations,


Challenge-Response Protocol

AssumptionSecret Key : known to only P and VRandom Challenge : P and V have perfect ra

ndom number generator as their challenges. Very small probability that same challenges occur by chance in 2 different sessions

MAC security : MAC is secure which no (ε, Q)-forger exist. Probability that Attack can correctly compute MAC is at most ε, given Q other MACs. (e.g. Q=10,000 or 100,000)


Challenge-Response Scheme(I)

Using Symmetric Cryptosystem

P Vrandom challenge,x

x

y=eK(x)y

y’=eK(x)y=y’ ?

K

Vulnerable to parallel session attack (man-in-the-middle). Need to change x to be ID(V)||r


Challenge-Response Scheme(II)Using Asymmetric Cryptosystem P can prove to have secret information in either

way :(1) P decrypts a challenge encrypted under P’s public key.(2) P digitally signs a challenge.

P Vrandom challenge,x

x

y=e[sK,x]y

y’= d[pk ,x]y = y’ ?

PK


Zero-Knowledge Interactive Proof

GMR(Goldwasser, Micali, Rackoff) 1. “The knowledge complexity of interactive-proof systems”, Pr

oc. of 17th ACM Sym. on Theory of Computation, pp.291-304, 1985

2. “The knowledge complexity of interactive-proof systems”, Siam J. on Computation, Vol. 18, pp.186-208, 1989 (revised version)

ZKIP (Zero Knowledge Interactive Proof) : between P and V Completeness : Only true P can prove V. Soundness : False P’ can’t prove V. 0-Knowledge : No knowledge transfer to V.


Concept of ZKIP

By Quisquater and Guillou

P knows the secret, but doesn’t want to reveal his secret.

1. V stands at point A.

2. P walks all the way into the cave, either C or D.

3. After P disappeared into the cave, V walks to point B.

4. V shouts to P asking him either to:

(a) come out of the left passage or (b) come out of the right passage

5. P complies, using the magic words to open secret door if he has to.

6. P and V repeat steps (1) -(5) t times

P knows the magic words (secret)to open the door betweenC and D.

Fig. 0-knowledge cave

A

B

C D


Classification of ZKIPs

1P/1V

Interactive

Non-interactive

ZK

GMR Model * P:infinite, V: poly

BCC Model Model 1 (P:poly V: infinite) (minimum disclosure) Model 2 (P:poly, V: poly)

0-KMinimum Know.Oracle ZKIP

WH

PerfectComputationalStatistical

MembershipKnowledgeComputational power

Property

Object

Model

MP

MV

*AM-game : GMR model and V has random coin.


F-S Identification (I)

(Preparation)

(TA) Unlike in RSA, a trusted center can generate a universal n, used by everyone as long as none knows the factorization.

(P) (1) private key: choose random value S, s.t. gcd(S,n)=1.(1 < S <

n) (2) public key : P computes I=S2 mod n, and publishes (I,n) as pub

lic

Goal P has to convince V that he knows his private key S and its corres

ponding public key (I,n) (i.e., to prove that he knows a modular square root of I mod n), without revealing S.


F-S Identification (III)

V Ppublic : I,n n=pq, I=S2 mod n

1. generate unique random,r x=r2 mod n

2.ei={0,1}

x

ei

Repeat t-times 3. If ei=0, send y=r

If ei=1, send y=rS

y

4.If ei=0, check y2=x mod n? If ei=1, check y2=xI mod n?

* commitment-witness-challenge-response-verification and repeat


F-S Identification (II)

1. P chooses random value r (1<r<n) and computes x=r2mod n.

then sends x to V.

2. V requests from P one of the following request at random

(a) r or (b) rS mod n

3. P sends the requested information to V.

4. V verifies that he received the right answer by checking whether

(a) r2 = x mod n or (b) (rS)2 = xI mod n

5. If verification fails, V concludes that P does not know S, and thus he is not the claimed party.

6. This protocol is repeated t (usually 20 or 30) times, and if in all of them t

he verification succeeds, V concludes that P is the claimed party.


Security of F-S scheme

(1) Assuming that computing S is difficult, the breaking is equivalent to that of factoring n.

(2) Since P doesn’t know (when he chooses r or rS mod n) which question V will ask, he can’t choose the required answer in advance.

(3) P can succeed in guessing V’s question with prob. 1/2 for each question. If the protocol is repeated t times, the prob. that V fails to catch P in all the times is only 2-t, which is exponentially reducing with t. (t=20 or 30)

(4) Convinces V that P knows the square root of I, without revealing any information on S. However, V gets one bit of information : he learns that I is a quadratic residue


Other Identification schemes

Schnorr Identification scheme (p.371)Okamoto Identification scheme (p.378)Guillou-Quisquarter Identification scheme (p. 3

83)ID-based identificationOthers


Schnorr Identification (I)

Based on DLP under Trusted Authority (TA) TA decides public parameters

p : large prime (1024 bit) q : large prime divisor of p-1 (160 bit) α Zp

* has order q

t : security parameter s.t. q > 2t Public parameters : p, q, α, t

Prover choose private key : a ( 1 ≤ a ≤ q-1) public key v = α–a mod p

Honest Verifier (choose r at random by the scheme) ZKIP


Schnorr Identification (II)

1 1 mod qkpktr 21

?(*) mod pvry

private key : a, public key: v

1. Select random k V P

Public par. : p,q,α,t

r

3. y = k + ar mod qy

2. Verify P’s public key generate random challenge

4. Verify

, cert(P)

mod (*) pvv kararkrarkry


Schnorr Identification (III)

(TA) p=88667, q=1031, t=10, α=70322 has order q in Zp

*

(P) private key a = 755 public key v = α-a mod p = 703221031-755 mod 88667 = 13136

P: random k = 543, αk mod p = 70322543 mod 88667 = 84109, commit V: random challenge r =1000 P: y= k + ar mod q = 543 + 755x1000 mod 1031= 851 V: on receiving y, verify that 84109 = 70322851 131361000

mod 88667. If equals, accept

Documents

© Information Security Group, ICU1 Identification & ZKIP