Upload
benedict-griffin
View
39
Download
4
Embed Size (px)
DESCRIPTION
CSC 774 Advanced Network Security. Topic 2.5 Secret Handshake. Slides by Tong Zhou. Goals. Authenticate without revealing credentials Consider two groups G 1 and G 2 , two parties A G 1 and B G 2 . A and B wants to authenticate each other. - PowerPoint PPT Presentation
Citation preview
CSC 774 Dr. Peng Ning
Computer Science
CSC 774 Advanced Network Security
Topic 2.5 Secret Handshake
Slides by Tong Zhou
CSC 774 Dr. Peng NingComputer Science
Goals
• Authenticate without revealing credentials– Consider two groups G1 and G2, two parties A
G1 and B G2. A and B wants to authenticate each other.
– If G1 ≠ G2: A and B only know they are not in the same group.
– If G1 = G2: A and B can authenticate to each other.
– A third party learns nothing by observing conversations between A and B.
CSC 774 Dr. Peng NingComputer Science
Preliminaries: Pairing-based Cryptography
• Bilinear Maps:– Two cyclic groups of large prime order q: G1 and G2
– is a bilinear map if
• ê should be computable, non-degenerate and satisfies Bilinear Diffie-Hellman assumption, i.e., given P, aP, bP, cP, it is hard to compute
211:ˆ GGG →×e
abq QPebQaPeQPba ),(ˆ),(ˆ;,;, 1 =∈∈∀ GZ
abcPPe ),(ˆ
CSC 774 Dr. Peng NingComputer Science
Protocol Sketch
• Equipped with bilinear map ê and one-way hash function H1
• CA has a master key t.
• Assume a drivers and cops scenario.
CSC 774 Dr. Peng NingComputer Science
Protocol Sketch
Driver’s Licence:
“p65748392a”,TA
TA = tH1(“p65748392a-driver”)
Traffic cop credential:
“xy6542678d”,TB
TB = tH1(“xy6542678d-cop”)
Driver’s licence, please.
Please show me your pseudonym.
xy6542678d
p65748392a
)),cop”-d“xy6542678((ˆ 1 AA THeK = ))driver”-a“p65748392(,(ˆ 1HTeK BB =
BA KK =
CSC 774 Dr. Peng NingComputer Science
Protocol Sketch – Attacker Igor
Driver’s Licence:
“p65748392a”,TA
TA = tH1(“p65748392a-driver”)
Obtains Bob’s pseudonym
“xy6542678d”
I am a cop. Driver’s licence, please.
Please show me your pseudonym.
xy6542678d
p65748392a
)),cop”-d“xy6542678((ˆ 1 AA THeK = ???This guy is not a cop.
CSC 774 Dr. Peng NingComputer Science
Secret-Handshake Scheme (SHS)
• SHS.CreateGroup(G): executed by an administrator, generates the group secret GroupSecretG for G.
• SHS.AddUser(U,G,GroupSecretG): creates user secret
UserSecretU,G for new user U.
• SHS.HandShake(A,B): Users A and B authenticates each other. B discovers A G if and only if A discovers B G.
• SHS.TraceUser: Administrator tells the user from a transcript T generated during conversation between A and B.
• SHS.RemoveUser: Administrator revokes user U
CSC 774 Dr. Peng NingComputer Science
Pairing-Based Handshake (PBH)
• PBH.CreateGroup: Administrator sets GroupSecretG as a random number
• PBH.AddUser: Administrator generates pseudonyms for users:
and then generates the corresponding secret points:
where
H1 is a one-way hash function.
qGs Z∈
}id,,id{ 1 UtU L
}priv,,{priv 1 UtU L
)id(priv 1 UiGUi Hs=
CSC 774 Dr. Peng NingComputer Science
Pairing-Based Handshake (PBH)
• PBH.Handshake:
•
•
•
A BAA n,id
A B0,,id VnBB
A B1V
)1|||id|id|))id(,priv(ˆ( 121 BABABA nnHeHV =
)0|||id|id|)priv),id((ˆ( 120 BABABA nnHeHV =
€
S = H2( ˆ e (privA ,H1(idB )) | idA | idB | nA | nB | 2)
= H2( ˆ e (H1(idB ),privB ) | idA | idB | nA | nB | 2)
CSC 774 Dr. Peng NingComputer Science
Pairing-Based Handshake (PBH)
• PBH.TraceUser: Since the conversations of handshaking include the pseudonyms, administrator can easily figure out the users.
• PBH.RemoveUser: Administrator removes user U by broadcasting its pseudonyms to all the other users, so that other users won’t accept pseudonyms of U.
CSC 774 Dr. Peng NingComputer Science
Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman• CreateGroup: Administrator picks (p,q,g). p and q are primes,
g is a generator of a subgroup in of order q. Also, picks up a private key x, and computes the public key y=gx mod p
• AddUser: For user U, administrator generates idU, then
generates a pair
so that
idU, w, t will be given to the user.
*pZ
),(),( *qptw ZZ∈
),( IDwHwy=tg
CSC 774 Dr. Peng NingComputer Science
Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman• AddUser: For user U, administrator generates idU, then generates a pair
so that
idU, w, t will be given to the user.
– How to generate the pair (w,t)?
Randomly pick r, compute
pgw r mod=
),( IDwxHrt +=
),(),( *qptw ZZ∈
),( IDwHwy=tg
CSC 774 Dr. Peng NingComputer Science
Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman• Handshake: Assume user A has (idA, wA, tA) and user B has (idB, wB, tB). Define several marks (ElGamal Encryption):
–
–
–
pwyPKwy wH mod)id,,Recover( )id,(==
)]mod(',mod[
],[)(Enc 21
pPKHmpg
ccmRR
PK
⊕=
=
)mod(')],[(Dec 1221 pcHcmcc tt ⊕==
CSC 774 Dr. Peng NingComputer Science
Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman
A BBB w,id),idRecover( BBB wy,PK =
• Handshake:
A B
randomly picks
computes aa chr ,
)(Enc aPKa rCb
=aAAA chCw ,,,id ),idRecover( AAA wy,PK =
)(Dec ata Crb
=
)(Enc bPKb rCa
=A BbbB chrespC ,,
randomly picks
computes bb chr ,
),,( abab chrrHresp =)(Dec btb Cra
=
),,( bbaa chrrHresp =
verifies respb
A Baresp
verifies respa