Compliant Cryptologic Protocols
Ed Dawson, Kapali Viswanathan, Colin Boyd
Information Security Institute
Queensland University of Technology
Brisbane, Australia.
Sections of this Talk
1. Introduction to compliance in cryptosystems
   1. Generic goals
   2. Players in the game
   3. Applications
2. A view of cryptosystems
   1. Visualisation of basic services
   2. A model for representing cryptosystems
3. Key-recovery systems (KRS)
   1. Long-term key-recovery
   2. Short-term key-recovery
   3. Hybrid key-recovery
4. Anonymous token systems (ATS)
   1. A description (definition)
   2. An application (sealed-bid e-auction)
5. Summary and conclusion
Section 1: Introduction to Compliance in Cryptosystems
Introduction to Compliance
Meaning: compliance
• the act or process of complying to a desire, demand, or proposal or to coercion
• a disposition to yield to others
• conformity in fulfilling official requirements
What conformities (acts or events) can be cryptologically verified?
Investigating Compliances
• What can cryptologic compliance mean?
  – There are at least two mutually mistrusting sets of users
  – The users in one set require operational guarantees from the users in the other set
Example: Key Recovery Systems
• Three mistrusting sets of users
  1. Communicating entities: require confidential communication with authentic entities
  2. Wiretap authority: requires to know what others communicate
  3. The cryptanalyst: wants to know everything (P = NP?)
(Figure: the mistrusting sets, Sender, Receiver, Wiretap Authority and Cryptanalyst)
Compliance: Key Recovery Systems
• Communicating entities are confident that the cryptanalyst is unable to read the confidential messages (cryptologic exercise)
• The wiretap authority is confident that it can read the confidential messages (a cryptologic exercise, if not for super-encryption and similar techniques)
• Communicating entities are confident that the wiretap authority will not read all the confidential messages without proper approval (trust based: how trustworthy is the wiretap authority? Not entirely a cryptologic exercise)
Example: E-Cash Systems
• Four mistrusting sets of users
  1. The bank:
     – only it can mint valid cash
     – valid cash can be spent only once
  2. The user:
     – valid cash cannot be invalidated
     – will be anonymous while spending the cash
  3. The merchant:
     – valid cash cannot be invalidated
     – will accept only valid cash
  4. The trustee:
     – can trace transactions (thereby, identify the user)
(Figure: Bank, User, Merchant and Trustee; withdrawal from the bank to the user, spending from the user to the merchant; the trustee makes the transactions conditionally untraceable)
Facts: E-Cash Systems
There is reduced or no anonymity for the user, if:
• there is only one user (NUMBERS); or,
• the user always withdraws from the same ATM and spends with the same merchant (SPACE); or,
• the user always spends just after withdrawing the cash (TIME); or,
• the user provides identification information to the merchant (DATA); or,
• the machine that the user uses can be easily traced (DATA).
Compliance: E-Cash Systems
• Only the bank can mint valid cash (cryptologic exercise)
• Valid cash will be spent only once by the authorised user (must assume that the user does not reveal some long-term secret key)
• Withdrawal and spending transactions cannot be traced without the assistance of the trustee (cryptology prevents only data-level correlations, so the number of regular users is important, and does not prevent correlations in space/time/numbers)
• The trustee will trace only as prescribed by some set of rules (the behaviour of entities is not, and cannot be, a cryptologic concern)
• The merchant and the bank will accept valid coins (the behaviour of any entity is not a cryptologic concern)
Some More Examples
Other examples include:
1. Electronic auctions
   – Mistrusting sets: auctioneer, bidder, sets of bidders, optional trustee
2. Electronic voting
   – Mistrusting sets: voter, sets of voters, voter authenticator, vote authenticator, vote collector, vote teller (the entity which counts votes), system observers
Section 2: Investigation and Classification of Basic Services and Compliance Verification in Cryptosystems
Basic Cryptologic Services
• Is it possible to decide what is a cryptologic exercise and what is not? Yes
• How? By enumerating what cryptology can do
• What are the basic services? They are confidentiality and integrity
• Are they independent of each other? No. But it may not be a flaw to treat them separately
What is Compliance in Cryptosystems?
• There is a need for some entities to verify the cryptologic behaviour of some other entities
• What is a cryptologic behaviour? Entities use keys to transfer services to certain messages
• How can such a transfer of service be verified?
• If such a transfer of service can be verified, then such a verification is called compliance verification
Classifying Compliance
• It is possible to classify various types of compliance verification by enumerating the modes of transfer of services
• There are two modes of transfer of services
  1. Restricted: the service is guaranteed until the occurrence of a probabilistic or deterministic event
  2. Universal: the service is guaranteed forever (forever is the idealisation for the span of time that is determined by the security properties of the cryptographic algorithms and the key management systems)
A Classification of Compliance
2 (basic services) × 2 (modes of service) = 4 (categories of compliance verification)
• CL0: Universal confidentiality and integrity (signature systems)
• CL1: Universal integrity and restricted confidentiality (KRS, fair cash)
• CL2: Restricted integrity and universal confidentiality (deniable encryption)
• CL3: Restricted integrity and confidentiality (oblivious transfer?)
How to Enforce Compliance?
• If an integrity transfer must be verified, how can such a verification be made mandatory?
  – EL0: On-line monitor (Clipper, wallet with observers)
  – EL1: Off-line monitor (Binding ElGamal, e-cash [Chaum, Brands])
Section 3: Key Recovery Systems (Compliance and Confidential Communications)
Introduction to KRS
• Confidential decryption keys must be available to the receiver and the escrow authority
• Restricted confidentiality: confidential messages sent to the receiver are guaranteed against every adversary except the escrow agent
• Universal integrity: the proof that the secret message (keying information and others) sent to the receiver is the same as that sent to the escrow authority (proof that a certain key is being used)
Types of KRS
1. Long-term key-recovery
   – Long-term confidentiality keys are accessible to the escrow agent
   – Private-key recovery
2. Short-term key-recovery
   – Short-term confidentiality keys are accessible to the escrow agent
   – Session-key recovery
3. Hybrid key-recovery
   – The long-term confidentiality key is shared by the escrow agent and the receiver
   – The short-term confidentiality key is accessible to the escrow agent and the receiver
   – Example: hybrid key-recovery system
Private-key Recovery Systems
1. Let public-key, y = OWF(x)
2. Escrow component, EC = Escrow(x)
3. Know(x) ⇔ Know(EC)
The identity of the escrow authority and the identity of the user (owner of the public key y) are indistinguishable. The escrow authority can do everything that the user can do.
Properties of Private-Key Recovery
• Merits
  1. Efficiency
  2. Backward compatibility
• Demerits
  1. Risk to private keys (security of the escrow database)
  2. Enforceability (users can change to a certified proxy-key)
  3. Authentication and escrow functionalities are not separate (co-existence of escrowed PKI and signature?)
  4. Granularity (past-present-future problem)
  5. Super-encryption
Session-key Recovery Systems
1. Let S be the session-key chosen by the sender
2. Escrow component, EC = Escrow(S)
3. Know(S) ⇔ Know(EC)
Knowing the session-key is equivalent to knowing the escrow component.
Properties of Session-Key Recovery
• Merits
  1. Granularity
  2. Authentication and escrow functionalities are separate
• Demerits
  1. Enforceability (requires a trusted device to make sure that keys are properly escrowed)
  2. Session-keys are random and uncertified (creates communication and storage overhead)
  3. Super-encryption
Hybrid Key-Recovery Systems
• Kapali Viswanathan, Colin Boyd, Ed Dawson, Strong Binding for Software Key Escrow. In International Workshop on Security, IWSEC'99. IEEE Press, 1999.
• Kapali Viswanathan, Colin Boyd, Ed Dawson, Hybrid Key Escrow. In Computers & Security, ISSN 0167-4048, Vol. 21, No. 1, 77-92. Elsevier Advanced Technology, 2002.
Message Dynamics: Hybrid Key-Recovery Systems
(Figure: the valid message flow runs from the Sender through the Authority to the Receiver; the invalid message flow runs directly from the Sender to the Receiver and is to be prevented.)
• Authority: must have a secret that is essential for the valid communication to occur
• Receiver: ideally, must not be able to recover the message from the invalid flow
Message Dynamics With LEA
(Figure: Sender, LEA, Receiver and Authority.)
• Sender: must enable key-recovery
• LEA (law enforcement agency): a special user
• Receiver: can receive valid and secure communications
• Authority: cryptologically prevents receipt of invalid communications
Hybrid Key-Recovery Systems
• Public-key, y = OWF(x)
• Private-key, x, is a universal secret
• x = x1 * x2
• User's share is x1
• Escrow component, EC = Escrow(x2)
• Similarly, the LEA's public key is y' = OWF(x1' * x2')
• The LEA is a special user
• Due to the public-key format and the protocol (Binding ElGamal), the session key, S, can be accessed if
  1. Know(x1) AND Know(x2); OR,
  2. Know(x1') AND Know(x2')
The user (x1) or the LEA (x1') cannot access the session key (S) if the escrow authority (x2, x2') does not assist them.
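The split-key idea above, as a toy Python illustration added here; it is not code from the talk or from the cited Viswanathan, Boyd and Dawson papers. The private exponent x = x1 * x2 (mod the group order) is split between the key holder and the escrow authority, y = OWF(x) is g^x in a prime-order subgroup, and the sender encrypts one session key S under both the receiver's y and the LEA's y' with a single shared randomness so that one c1 serves both ciphertexts. The group parameters (a 10-bit safe prime), the plain ElGamal encryption and all function names are assumptions; the Binding ElGamal proof that both ciphertexts carry the same S (the universal-integrity part) is not implemented.

```python
import secrets

# Toy group parameters (an assumption for this example; far too small for real use).
P = 1019   # safe prime, P = 2*Q + 1
Q = 509    # prime order of the subgroup generated by G
G = 4      # 4 = 2^2, so it has order Q in Z_P^*


def rand_share():
    """Uniform exponent in [2, Q-1]: never the trivial share 1, never zero."""
    return 2 + secrets.randbelow(Q - 2)


def split_keypair():
    """y = OWF(x) = G^x mod P with x = x1 * x2 (mod Q).
    x1 stays with the key owner (user, or LEA for y'); x2 is the escrow component."""
    x1, x2 = rand_share(), rand_share()
    return x1, x2, pow(G, (x1 * x2) % Q, P)


def bind_encrypt(y_user, y_lea, s):
    """Sender: encrypt the session key s under the receiver's y and the LEA's y'
    with a single randomness k, so one c1 serves both ciphertexts.
    (The proof that both carry the same s, the integrity part of Binding ElGamal,
    is not implemented here.)"""
    assert 0 < s < P
    k = rand_share()
    c1 = pow(G, k, P)
    return c1, (s * pow(y_user, k, P)) % P, (s * pow(y_lea, k, P)) % P


def partial_decrypt(c1, share):
    """One share holder raises c1 to its share; applied twice it yields c1^(x1*x2)."""
    return pow(c1, share, P)


def unmask(c2, c1_to_x):
    """s = c2 / c1^x mod P."""
    return (c2 * pow(c1_to_x, -1, P)) % P


def recover_with_authority(c1, c2, holder_share, authority_share):
    """The holder computes c1^x1 and hands it to the on-line escrow authority,
    which applies x2 (EL0: the authority sits in the valid message flow)."""
    return unmask(c2, partial_decrypt(partial_decrypt(c1, holder_share), authority_share))


def recover_alone(c1, c2, share):
    """What a holder of a single share gets on its own: a value that is not s.
    c2 / c1^share = s * G^(k*x1*(x2-1)) and the exponent is non-zero mod Q."""
    return unmask(c2, partial_decrypt(c1, share))


if __name__ == "__main__":
    x1, x2, y = split_keypair()          # receiver (x1) and escrow authority (x2)
    x1_, x2_, y_ = split_keypair()       # LEA (x1') and escrow authority (x2')
    s = 777                              # constructed session key, an element of Z_P^*
    c1, c2, c2_lea = bind_encrypt(y, y_, s)
    print("receiver + authority:", recover_with_authority(c1, c2, x1, x2))       # s
    print("LEA + authority:     ", recover_with_authority(c1, c2_lea, x1_, x2_))  # s
    print("receiver alone:      ", recover_alone(c1, c2, x1))                    # not s
    print("authority alone:     ", recover_alone(c1, c2, x2))                    # not s
```

The point of the split is the message-dynamics slide: a sender who bypasses the authority (the invalid flow) leaves the receiver holding c2 and only x1, which is useless, so the authority's share x2 is the secret that is essential for valid communication, and the same holds symmetrically for the LEA with x1'. With a real-size group this is what the talk calls restricted confidentiality: secure against everyone except the escrow agent.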
Properties of Hybrid Key-Recovery
• Merits
  1. Solves several issues present in the previous types
  2. When source traceability is achieved using appropriate signature techniques, it achieves all the properties of Clipper in a more secure fashion
  3. Granularity
  4. The session key is random but its integrity is assured
  5. Enforceability level EL0 (on-line monitor)
• Demerits
  1. On-line authority (efficiency and scalability points of view)
  2. Super-encryption
Section 4: Anonymous Token Systems (Compliance and Confidential Identity)
What is cryptologic anonymity?
• Let a datum, D, belong to a user, I
• Suppose that the correlation between the datum and the identity is to remain confidential
• Confidentiality(Integrity(I, D))
Cryptologic anonymity: the correlation, (I, D), must remain a secret (confidentiality service) and optionally it cannot be changed (integrity service)
Techniques for achieving cryptologic anonymity
1. (I, Confidential(D)) [This entity has something]
2. (Confidential(I), D) [Some entity has this thing]
3. (Confidential(I), Confidential(D)) [Some entity has something]
An integrity service can be independently provided to all of the above constructs
Anonymous Token Systems (ATS)
• E-cash systems are essentially a PKI mechanism which provides certificates (tokens) with confidential identity
• Token Issuing Authority (TIA; the bank)
• Token Accepting Authority (TAA; the merchant)
(Figure: the TIA issues a token to the Client, the Client utilises the token at the TAA, the TAA submits the token to the TIA; an optional Trustee makes the token conditionally untraceable.)
Compliance Issues in ATS
1. Only authenticated participants can participate
2. Participants must remain anonymous (confidential identity)
3. Optional revocation of anonymity (conditional confidentiality service for the identity)
Applications that can use ATS
1. Electronic cash (I, D = Denomination)
2. Peer Review Protocol (I , D = PeerID)
3. Auction Protocol (I, D = Bid)
4. Electronic Voting Protocol (I, D = Vote)
Entities in Sealed-Bid Electronic-Auction Systems
1. Auctioneers
   – Valid participants
   – Non-repudiation of bid
   – Termination of bidding process
2. Bidders
   – Fairness of bidding process
   – Confidentiality of bid until the bid opening phase
3. Optional trustee
   – If the bid is not opened after the bid opening phase, the bid must be recovered
Properties of Sealed-Bid Auction Systems
• Confidentiality of bid
• Non-repudiation of bid
• Public verifiability [OPTIONAL]
• Anonymity for losing bidders (or bids) [OPTIONAL]
• Independence of auction rules [OPTIONAL]
A Sealed-Bid Auction System using ATS
• Kapali Viswanathan, Colin Boyd, Ed Dawson, A Three Phased Schema for Sealed Bid Auction System Design. In Australasian Conference for Information Security and Privacy, ACISP'2000, 412-426. Lecture Notes in Computer Science, Springer-Verlag, 2000.
System Description
1. Every bidder, bi, is issued with a pseudonym, pi, using an ATS
2. The bidder authenticates using pi to gain access to an anonymous channel
3. The bidder anonymously commits (sealed bid) to the bid value: [pi, commit(bidi)]
   pi = Universal-Integrity(Restricted-Confidentiality(bi))
   commit(bidi) = Universal-Integrity-Confidentiality(bidi)
4. After the close of the bid-commitment period is announced, the bidders
   1. authenticate using the pseudonym pi
   2. open the bid: [pi, bidi]
5. After the close of the bid-opening period is announced, the winning bid is selected from the list of opened bids, SET-OF(bidi)
6. Enforceability level: EL1 (off-line monitor)
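The commit/open flow of steps 1 to 6, as an added Python example that is not the talk's own protocol or the ACISP'2000 schema. Pseudonyms are plain strings standing in for the tokens an ATS would issue (the ATS itself and the anonymous channel are assumed, not implemented), commit(bid) is a SHA-256 commitment over pseudonym, bid and a random nonce, the auctioneer is a three-phase state machine, the winning rule is a pluggable function (the "independence of auction rules" property), and verify_transcript is the public-verification step; anyone holding the published commitments and openings can rerun it. All names are hypothetical. Unopened commitments are reported rather than recovered, since recovery is the optional trustee's job and the trustee is not modelled here.

```python
import hashlib
import secrets
from typing import Callable, Dict, Optional, Tuple

Opening = Tuple[int, bytes]   # (bid value, nonce used in the commitment)


def commit_bid(pseudonym: str, bid: int, nonce: bytes) -> str:
    """commit(bid): binding through SHA-256, hiding through the random nonce.
    Stand-in for the Universal-Integrity-Confidentiality service on the slide."""
    data = pseudonym.encode() + b"|" + str(bid).encode() + b"|" + nonce
    return hashlib.sha256(data).hexdigest()


def new_nonce() -> bytes:
    """Bidder-side randomness; the bidder keeps it secret until the opening phase."""
    return secrets.token_bytes(16)


def highest_bid(opened: Dict[str, int]) -> Optional[Tuple[str, int]]:
    """Default auction rule (assumed); any other function over the opened bids works."""
    return max(opened.items(), key=lambda kv: kv[1]) if opened else None


class SealedBidAuction:
    """Auctioneer: commit phase -> open phase -> closed. Off-line monitor (EL1):
    it only checks what bidders submit and never sees a bid before it is opened."""

    def __init__(self, pseudonyms, rule: Callable = highest_bid):
        self.valid = set(pseudonyms)             # p_i issued by the ATS (assumed)
        self.rule = rule
        self.commitments: Dict[str, str] = {}   # phase 1: p_i -> commit(bid_i)
        self.openings: Dict[str, Opening] = {}  # phase 2: p_i -> (bid_i, nonce)
        self.phase = "commit"

    def submit_commitment(self, pseudonym: str, commitment: str) -> None:
        if self.phase != "commit":
            raise ValueError("commitment period is closed")
        if pseudonym not in self.valid:
            raise ValueError("pseudonym was not issued by the ATS")
        if pseudonym in self.commitments:
            raise ValueError("one sealed bid per pseudonym")
        self.commitments[pseudonym] = commitment

    def close_commitments(self) -> None:
        self.phase = "open"

    def open_bid(self, pseudonym: str, bid: int, nonce: bytes) -> None:
        if self.phase != "open":
            raise ValueError("not in the opening period")
        expected = self.commitments.get(pseudonym)
        if expected is None:
            raise ValueError("no sealed bid under this pseudonym")
        if commit_bid(pseudonym, bid, nonce) != expected:
            raise ValueError("opening does not match the commitment")
        self.openings[pseudonym] = (bid, nonce)

    def close_opening(self):
        """Select the winner; unopened commitments are listed for the trustee."""
        self.phase = "closed"
        opened = {p: bid for p, (bid, _) in self.openings.items()}
        unopened = sorted(set(self.commitments) - set(self.openings))
        return self.rule(opened), unopened


def verify_transcript(commitments: Dict[str, str], openings: Dict[str, Opening],
                      rule: Callable = highest_bid):
    """Public verification: recompute every opened commitment and the winner
    from the published transcript. Returns None if any opening is inconsistent."""
    for p, (bid, nonce) in openings.items():
        if commit_bid(p, bid, nonce) != commitments.get(p):
            return None
    return rule({p: bid for p, (bid, _) in openings.items()})


if __name__ == "__main__":
    auction = SealedBidAuction(["p1", "p2", "p3"])     # three ATS pseudonyms (constructed)
    secrets_kept = {p: new_nonce() for p in ("p1", "p2", "p3")}
    for p, bid in (("p1", 100), ("p2", 250), ("p3", 175)):
        auction.submit_commitment(p, commit_bid(p, bid, secrets_kept[p]))
    auction.close_commitments()
    auction.open_bid("p1", 100, secrets_kept["p1"])
    auction.open_bid("p2", 250, secrets_kept["p2"])    # p3 never opens
    print(auction.close_opening())                      # (('p2', 250), ['p3'])
    print(verify_transcript(auction.commitments, auction.openings))
```

The auctioneer cannot read a bid before its owner opens it (confidentiality until bid opening), a bidder cannot change a bid after committing (non-repudiation), and a bidder who withholds the opening is exactly the case the optional trustee exists for.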
Properties of the Proposed System
• Merits
  1. Independent of auction rules
  2. User-controlled confidentiality for the bid
  3. Modular design (ATS + basic auction)
  4. Public verification possible
• Demerits
  1. Requires an anonymous communication channel
  2. Does not solve the problems related to the timing of the various phases (e.g. closing time of the bid registration phase)
Summary & Research Directions
Summary
• Compliance is essential for secure e-commerce
• The enforceability level determines the effectiveness with which the compliance verification rules can be enforced
• Systems with on-line monitors (hybrid key-recovery, Clipper) have inherently more enforceability than systems with off-line monitors (Binding ElGamal, e-cash without monitors)
Research Directions
1. What are the relations among various applications of protocols (auction, voting etc.)?
2. How to achieve robust e-auction and e-voting systems?
3. Design a formal and simple syntax for the representation of confidentiality and integrity services
Dawson, E., Viswanathan, K. and Boyd, C., “Compliant Cryptologic Protocols” in International Journal of Information Security (IJIS), Vol.1, No.3, November 2002, pp.189-202 (ISSN 1615-5262)