A provably secure secret handshake with dynamic controlled matching. Alessandro Sorniotti, Refik Molva. Computers and Security, Volume 29, Issue 5, July 2010, pp 619-627


A provably secure secret handshake with dynamic controlled matching

Alessandro Sorniotti, Refik Molva

Computers and Security, Volume 29, Issue 5, July 2010 , pp 619-627


Outline

  • Introduction
  • Preliminaries
  • The scheme – SecureMatching
  • The scheme – Secret Handshake
  • Security analysis
  • Conclusion


Introduction

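  • Secret Handshake: proposed in 2003 by Balfanz et al.
      • Two users simultaneously verify whether each other is a member of the same organization.
  • Certification authority (CA)
      • Is able to certify and verify user identities.
      • Issues property credentials and matching references, so that users can prove their own membership and verify the other party.
  • Environment: untraceable and anonymous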


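  • Matchmaking: presented in 1985 by Baldwin and Gramlich.
      • Addresses the same problem as the secret handshake (HS), with one difference: users can communicate with members of other organizations.
  • Main difference from HS
      • A Matchmaking user can set their own credential and matching reference.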


  • This paper proposes a secret handshake scheme with dynamic controlled matching.
      • Users ask the CA to issue credentials and references, which give them the ability to prove and to verify.


Preliminaries

  • $U$: a set of users
  • $\mathcal{P}$: a set of properties
  • $(G_1, +)$ and $(G_2, *)$: two groups of order $q$ for some large prime $q$.
  • $e: G_1 \times G_1 \to G_2$ is a bilinear map
      • Bilinear: for $P, Q \in G_1$ and $a, b \in Z_q^*$, $e(aP, bQ) = e(P, Q)^{ab}$
      • Non-degenerate: $e(P, P) \neq 1$ is a generator of $G_2$.
      • Computable: an efficient algorithm exists to compute $e(P, Q)$ for all $P, Q \in G_1$.
  • $H: \mathcal{P} \to G_1$ is a one-way hash function.


SecureMatching

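  • Prover-verifier protocol
      • The prover must convince the verifier that it is a member of the organization.
      • Prover: uses a credential to convince the verifier.
      • Verifier: uses a reference to verify the prover.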


Setup:

  • $P \in_R G_1$: a random generator of $G_1$.
  • $r, s, t, v \in_R Z_q^*$: random values.
  • $R = rP$, $S = sP$, $T = tP$, $V = vrP$
  • System public parameters = $\{q, P, R, S, T, V, e, G_1, G_2, H\}$
  • System secret parameters = $\{r, s, t, v\}$


Join

  • User $u \in U$
  • Secret value $x_u \in_R Z_q^*$
  • $X_u = x_u s^{-1} r P$


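Certify

  • Runs only when the CA receives a request from user $u$.
  • User $u$ belongs to organization $p \in \mathcal{P}$.
  • The CA first checks whether $(u, p)$ is valid. If it is, the CA issues the credential $cred_p = vH(p)$ to user $u$.
  • User $u$ verifies: $e(cred_p, R) = e(H(p), V)$
  • If the equation holds, the user accepts the credential; otherwise, the user discards it.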


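Grant

  • Runs only when the CA receives a request from user $u$.
  • User $u$ wants to communicate with organization $p \in \mathcal{P}$.
  • The CA first checks whether $p$ is an organization that $u$ is allowed to communicate with.
  • If it is, the CA issues the matching reference $match_{u,p} = t^{-1} r (cred_p + x_u P)$ to user $u$.
  • User $u$ verifies: $e(match_{u,p}, T) = e(H(p), V)\, e(X_u, S)$
  • If the equation holds, the user accepts the reference; otherwise, the user discards it.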


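Matching

  • A: prover. A holds $cred_{pA}$ to prove membership in organization $pA$.
  • B: verifier. B uses $match_{B,pB}$ to verify.
  • Protocol
      1. B→A: B generates $n \in_R Z_q^*$ and sends $N_1 = nP$, $N_2 = nR$ to A.
      2. A→B: A checks $e(N_1, P) = e(N_2, R)$. If the check passes, A generates $r_1, r_2 \in_R Z_q^*$ and sends $disguisedCred_{pA} = \langle r_1 cred_{pA},\ r_2 N_2,\ r_1 r_2 S,\ r_1 r_2 T \rangle$ to B.

Where:

$$cred_{pA} = vH(pA)$$

$$match_{B,pB} = t^{-1} r (cred_{pB} + x_B P)$$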


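Matching Protocol (continued)

      3. B computes

$$K = \frac{e(r_1 cred_{pA},\ r_2 N_2)^{n^{-1}} \cdot e(r_1 r_2 S,\ X_B)}{e(r_1 r_2 T,\ match_{B,pB})}$$

         If $K = 1$, B is convinced that A is a member of organization $pA$ (i.e. $pA$ and $pB$ are the same organization).

Where:

$$cred_{pA} = vH(pA)$$

$$match_{B,pB} = t^{-1} r (cred_{pB} + x_B P)$$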
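The algebra of Setup, Join, Certify, Grant and the verifier's computation of K can be checked with a toy model. The following is an added example, not code from the slides or the paper: it replaces the bilinear map with an insecure stand-in (a G1 element aP stored as the scalar a, with e(aP, bP) = g^(ab) in a subgroup of Z_p*), and the parameter search, function names and property strings are assumptions. A's check of the nonce pair in step 2 is not modelled.

```python
import hashlib, secrets
from itertools import count
from math import isqrt

# Toy pairing (constructed, NOT secure): aP is stored as the scalar a mod q and
# e(aP, bP) = g^(ab) in the order-q subgroup of Z_p*, p = 2q + 1. Bilinearity
# holds, but every discrete log is exposed, so this only checks the algebra.
def is_prime(n): return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))
q = next(n for n in count(10**9) if is_prime(n) and is_prime(2 * n + 1))
p, g = 2 * q + 1, 4                      # 4 is a square mod p, so its order is q

def e(a, b): return pow(g, a * b % q, p)
def rnd(): return secrets.randbelow(q - 1) + 1           # uniform in Zq*
def inv(a): return pow(a, -1, q)
def H(prop): return int.from_bytes(hashlib.sha256(prop.encode()).digest(), "big") % q

# Setup: generator P is the scalar 1; secrets r, s, t, v; public R, S, T, V
P = 1
r, s, t, v = rnd(), rnd(), rnd(), rnd()
R, S, T, V = r * P % q, s * P % q, t * P % q, v * r * P % q

def join():                              # X_u = x_u s^-1 r P
    x_u = rnd()
    return x_u, x_u * inv(s) * r % q

def certify(prop):                       # cred_p = v H(p)
    cred = v * H(prop) % q
    assert e(cred, R) == e(H(prop), V)   # the user's acceptance check
    return cred

def grant(x_u, X_u, prop):               # match_{u,p} = t^-1 r (cred_p + x_u P)
    m = inv(t) * r * (v * H(prop) + x_u * P) % q
    assert e(m, T) == e(H(prop), V) * e(X_u, S) % p      # acceptance check
    return m

def matching(cred_A, X_B, match_B):
    n = rnd(); N2 = n * R % q                            # step 1: B -> A (N1 unused here)
    r1, r2 = rnd(), rnd()                                # step 2: A disguises cred_A
    d = (r1 * cred_A % q, r2 * N2 % q, r1 * r2 * S % q, r1 * r2 * T % q)
    num = pow(e(d[0], d[1]), inv(n), p) * e(d[2], X_B) % p
    K = num * pow(e(d[3], match_B), -1, p) % p           # step 3: B computes K
    return K == 1

if __name__ == "__main__":
    x_B, X_B = join()
    cred = certify("dept-A")             # constructed property names
    print(matching(cred, X_B, grant(x_B, X_B, "dept-A")),
          matching(cred, X_B, grant(x_B, X_B, "dept-B")))
```

In this model K reduces to g^(r1 r2 r v (H(pA) - H(pB))), which is 1 exactly when the two properties hash to the same value.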


Secret Handshake

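  • How to go from SecureMatching (SM) to a secret handshake scheme (SHS)
      • Exchange of a session key
      • In the SM protocol, the key is valid only after both parties have matched.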


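Protocol diagram (Alice and Bob)

  • Alice holds: $cred_{p1}$, $X_A$, $match_{A,p2}$; she picks $r_{1A}$, $r_{2A}$, $r_{3A}$, $n_A$.
  • Bob holds: $cred_{p2}$, $X_B$, $match_{B,p1}$; he picks $r_{1B}$, $r_{2B}$, $r_{3B}$, $n_B$.

Where:

$$cred_p = vH(p)$$

$$match_{u,p} = t^{-1} r (cred_p + x_u P)$$

$$disguisedCred_p = \langle r_1 cred_p,\ r_2 N_2,\ r_1 r_2 S,\ r_1 r_2 T \rangle$$

$$X_u = x_u s^{-1} r P$$

Messages:

  1. Alice → Bob: $n_A P$, $n_A R$
  2. Bob → Alice: $n_B P$, $n_B R$, $\langle r_{1B}(cred_{p2} + r_{3B} P),\ r_{2B}(n_A R),\ r_{1B} r_{2B} S,\ r_{1B} r_{2B} T \rangle$
  3. Alice → Bob: $\langle r_{1A}(cred_{p1} + r_{3A} P),\ r_{2A}(n_B R),\ r_{1A} r_{2A} S,\ r_{1A} r_{2A} T \rangle$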


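Secret Handshake: Alice and Bob evaluate the equation for K

$$K = \frac{e(r_1 cred_{pA},\ r_2 N_2)^{n^{-1}} \cdot e(r_1 r_2 S,\ X_B)}{e(r_1 r_2 T,\ match_{B,pB})}$$

  • Alice computes $K_A = e(P, P)^{r_{1B} r_{2B} r_{3B} r}$
  • Bob computes $K_B = e(P, P)^{r_{1A} r_{2A} r_{3A} r}$
  • $K' = (K_A)^{r_{1A} r_{2A} r_{3A}}$, $K'' = (K_B)^{r_{1B} r_{2B} r_{3B}}$
  • If $K' = K''$, the two parties have successfully exchanged a session key.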


Security analysis

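Attack types

  • Linking
      • The attacker is able to tell that the same two parties took part in different runs of the protocol.
      • Untraceability
  • Knowing
      • A malicious verifier can verify the prover's organization without the correct reference.
      • Detector resistance
  • Forging
      • A malicious prover can convince the verifier without the correct credential.
      • Impersonation resistance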


  • Security of SecureMatching and secret handshake
      • Untraceability
      • Detector resistance
      • Impersonation resistance
  • BDDH assumption
      • Given $(P, aP, bP, cP, xP)$, decide whether $x = abc$.


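  • Untraceability
      • The attacker is given two disguised credentials and is able to prove that both are credentials for the same organization.
  • Detector resistance
      • Without the correct reference, the attacker successfully runs the protocol with a legitimate prover.
  • Impersonation resistance
      • The attacker forges a fake credential and is able to convince a legitimate verifier.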


Conclusion

  • SecureMatching is used to achieve a secret handshake.
  • Load on the user