Optionally Identifiable Private Handshakes
Yanjiang Yang
RFID Security Seminar 2008
Agenda
• Introduction
• Review of Related Work
• Optionally Identifiable Private Handshakes
• Conclusion
Secret handshakes
• Users are increasingly concerned about individual privacy in cyberspace
– Privacy-preserving techniques are expected to play a key part
– Secret handshakes
• Non-members learn nothing about the handshake between the two users
• A non-member cannot impersonate a member
Unlinkable secret handshakes
• Secret handshakes are linkable
• Unlinkable secret handshakes provide unlinkability
• Traceability is a feature of unlinkable secret handshakes
• Differences between unlinkable secret handshakes and anonymous credentials
Private handshakes
• Traceability may not always be desired
• Hoepman proposed the concept of private handshakes
• No traceability whatsoever in private handshakes
Optionally identifiable private handshakes
• Secret handshakes and private handshakes each have their own applications
• A primitive that optionally interpolates between them is more flexible
• We proposed the concept of optionally identifiable private handshakes
Nutshell
[Diagram: a scale from "No identifiability" to "Identifiability", with the labels Private handshakes, (Linkable) secret handshakes, Unlinkable secret handshakes, and Optionally identifiable private handshakes]
Secret handshakes
• Balfanz et al. first formulated the notion of secret handshakes (S&P’03)
• Castelluccia et al. proposed secret handshake protocols, with security under the computational Diffie-Hellman assumption (Asiacrypt’04)
Secret handshakes - continued
• Jarecki et al. (CT-RSA’07) and Vergnaud et al. (coding and cryptography’05) proposed RSA-based secret handshakes
Unlinkable secret handshakes
• Xu et al. proposed k-anonymous secret handshakes (CCS’04)
• Tsudik et al. proposed (full) unlinkable secret handshakes, but all members from the same group are required to share a group secret
• Jarecki et al.’s scheme does not require sharing of a group secret (ACNS’07)
• Ateniese et al. proposed fuzzy unlinkable secret handshakes (NDSS’07)
Private handshakes
• Hoepman proposed private handshakes (Security and Privacy in Ad Hoc and Sensor Networks’07)
Model
• Entities
– a set of users
– a set of groups
– a set of group administrators who create groups and enrol users in groups
– a user may or may not be affiliated to a group
– if a user belongs to a group, then he is a member of that group; otherwise, he is a non-member of that group
Model - continued
• Algorithms
– CreateGroup($1^k$)
– EnrolUser(G, u)
– HandShake(u1, u2, b)
– RevokeUser(G, u)
Details of algorithms
• Parameters
– $e: G_1 \times G_1 \rightarrow G_2$
– $H_0, H_1, H_2$
– $Enc()$
Details of algorithms - continued
• CreateGroup($1^k$)
– Group administrator selects $s_G$
• EnrolUser(G, u)
– Group administrator issues u a credential $x_u = s_G H_0(u)$
Details of algorithms - continued
• Handshake(u1, u2, b)
– u1 holds $x_{u_1} = s_G H_0(u_1)$; u2 holds $x_{u_2} = s_G H_0(u_2)$
– u1 computes $R_1 = r_1 H_0(u_1)$
– u1 → u2: $R_1, b$
– u2 computes $R_2 = r_2 H_0(u_2)$ and $V_2 = H_1(e(R_1, r_2 x_{u_2}), b)$
– u2 → u1: $R_2, V_2$
– Shared value: $e(H_0(u_1), H_0(u_2))^{s_G r_1 r_2}$
Details of algorithms - continued
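– u1 holds $x_{u_1} = s_G H_0(u_1)$; u2 holds $x_{u_2} = s_G H_0(u_2)$
– u1 checks $H_1(e(r_1 x_{u_1}, R_2), b) \stackrel{?}{=} V_2$
– u1 computes $V_1 = H_1(b, e(r_1 x_{u_1}, R_2))$ and $sk_1 = H_2(e(r_1 x_{u_1}, R_2), R_1, R_2)$
– u1 → u2: $V_1$
– u2 checks $H_1(b, e(R_1, r_2 x_{u_2})) \stackrel{?}{=} V_1$
– u2 computes $sk_2 = H_2(e(r_2 x_{u_2}, R_1), R_1, R_2)$
– Shared value: $e(H_0(u_1), H_0(u_2))^{s_G r_1 r_2}$
– At this point, the private handshake is complete.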
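An added example, not taken from the original slides: the three-message private handshake above, run end to end to show that two members of the same group derive the same value $e(H_0(u_1), H_0(u_2))^{s_G r_1 r_2}$ while a member of another group fails both checks. The pairing is a toy stand-in assumed here (a $G_1$ element $aP$ is stored as the scalar $a$, and $e(aP, bP) = g^{ab} \bmod p$); it exposes discrete logs, so it checks the algebra only, and the helper names `pair`, `H` and `handshake` are hypothetical.

```python
import hashlib
import secrets

# Toy "pairing" (assumption, insecure): a G1 element a*P is stored as the
# scalar a mod N, and e(a*P, b*P) = g^(a*b) mod p. It is bilinear, but
# discrete logs are exposed, so this only checks the protocol's algebra.
P_MOD = 2**127 - 1            # Mersenne prime (constructed toy parameter)
N = P_MOD - 1                 # order of the multiplicative group mod p
GEN = 3

def pair(a, b):
    return pow(GEN, (a * b) % N, P_MOD)

def H(tag, *parts):
    # One SHA-256 instance per tag stands in for H0, H1 and H2.
    data = tag.encode() + b"|" + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def H0(user):                 # hash an identity into G1
    return H("H0", user) % N

def create_group():           # CreateGroup: administrator selects s_G
    return secrets.randbelow(N - 1) + 1

def enrol_user(s_G, user):    # EnrolUser: x_u = s_G * H0(u)
    return (s_G * H0(user)) % N

def handshake(u1, x1, u2, x2, b=0):
    """Return (u1_accepts, u2_accepts, sk1, sk2) for Handshake(u1, u2, b)."""
    r1 = secrets.randbelow(N - 1) + 1
    R1 = (r1 * H0(u1)) % N                    # u1 -> u2: R1, b
    r2 = secrets.randbelow(N - 1) + 1
    R2 = (r2 * H0(u2)) % N
    k2 = pair(R1, (r2 * x2) % N)              # u2's view of the shared value
    V2 = H("H1", k2, b)                       # u2 -> u1: R2, V2
    k1 = pair((r1 * x1) % N, R2)              # u1's view of the shared value
    ok1 = H("H1", k1, b) == V2                # u1 checks V2
    V1 = H("H1", b, k1)                       # u1 -> u2: V1
    ok2 = H("H1", b, k2) == V1                # u2 checks V1
    sk1 = H("H2", k1, R1, R2)
    sk2 = H("H2", k2, R1, R2)
    return ok1, ok2, sk1, sk2
```

Only $R_1$, $R_2$, $V_1$, $V_2$ and $b$ cross the wire; the credentials $x_{u_1}$, $x_{u_2}$ and the blinding scalars $r_1$, $r_2$ stay local to each party.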
Details of algorithms - continued
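– u1 holds $x_{u_1} = s_G H_0(u_1)$; u2 holds $x_{u_2} = s_G H_0(u_2)$
– u1 computes $C_1 = Enc(sk_{u_1}, r_1, u_1)$
– u1 → u2: $C_1$
– u2 computes $(r_1', u_1') = Enc(sk_{u_2}, C_1)$ and checks $R_1 \stackrel{?}{=} r_1' H_0(u_1')$
– u2 computes $C_2 = Enc(sk_{u_2}, r_2, u_2)$
– $sk_{u_2}$ = … $C_2$ …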
Security
• Impersonation resistance
• Membership detection resistance
• Unlinkability of private handshake
• Unlinkability to eavesdropper
Conclusion
• We proposed the concept of private handshakes with optional identifiability, interpolating between private handshakes and secret handshakes, representing a more flexible primitive
• A concrete scheme was presented, and its security was defined and proved.