Upload
treyton-vowels
View
229
Download
3
Tags:
Embed Size (px)
Citation preview
Computer Science
CSC 774 Dr. Peng Ning
CSC 774 Advanced Network Security
Topic 2.5 Secret Handshake
Slides by Tong Zhou
Computer Science CSC 774 Dr. Peng Ning
Goals
• Authenticate without revealing credentials– Consider two groups G1 and G2, two parties A
G1 and B G2. A and B wants to authenticate each other.
– If G1 ≠ G2: A and B only know they are not in the same group.
– If G1 = G2: A and B can authenticate to each other.
– A third party learns nothing by observing conversations between A and B.
Computer Science CSC 774 Dr. Peng Ning
Preliminaries: Pairing-based Cryptography
• Bilinear Maps:– Two cyclic groups of large prime order q: G1 and G2
– is a bilinear map if
• ê should be computable, non-degenerate and satisfies Bilinear Diffie-Hellman assumption, i.e., given P, aP, bP, cP, it is hard to compute
211:ˆ GGG →×e
abq QPebQaPeQPba ),(ˆ),(ˆ;,;, 1 =∈∈∀ GZ
abcPPe ),(ˆ
Computer Science CSC 774 Dr. Peng Ning
Protocol Sketch
• Equipped with bilinear map ê and one-way hash function H1
• CA has a master key t.
• Assume a drivers and cops scenario.
Computer Science CSC 774 Dr. Peng Ning
Protocol Sketch
Driver’s Licence:
“p65748392a”,TA
TA = tH1(“p65748392a-driver”)
Traffic cop credential:
“xy6542678d”,TB
TB = tH1(“xy6542678d-cop”)
Driver’s licence, please.
Please show me your pseudonym.
xy6542678d
p65748392a
)),cop”-d“xy6542678((ˆ 1 AA THeK = ))driver”-a“p65748392(,(ˆ 1HTeK BB =
BA KK =
Computer Science CSC 774 Dr. Peng Ning
Protocol Sketch – Attacker Igor
Driver’s Licence:
“p65748392a”,TA
TA = tH1(“p65748392a-driver”)
Obtains Bob’s pseudonym
“xy6542678d”
I am a cop. Driver’s licence, please.
Please show me your pseudonym.
xy6542678d
p65748392a
)),cop”-d“xy6542678((ˆ 1 AA THeK = ???This guy is not a cop.
Computer Science CSC 774 Dr. Peng Ning
Secret-Handshake Scheme (SHS)
• SHS.CreateGroup(G): executed by an administrator, generates the group secret GroupSecretG for G.
• SHS.AddUser(U,G,GroupSecretG): creates user secret
UserSecretU,G for new user U.
• SHS.HandShake(A,B): Users A and B authenticates each other. B discovers A G if and only if A discovers B G.
• SHS.TraceUser: Administrator tells the user from a transcript T generated during conversation between A and B.
• SHS.RemoveUser: Administrator revokes user U
Computer Science CSC 774 Dr. Peng Ning
Pairing-Based Handshake (PBH)
• PBH.CreateGroup: Administrator sets GroupSecretG as a random number
• PBH.AddUser: Administrator generates pseudonyms for users:
and then generates the corresponding secret points:
where
H1 is a one-way hash function.
qGs Z∈
}id,,id{ 1 UtU L
}priv,,{priv 1 UtU L
)id(priv 1 UiGUi Hs=
Computer Science CSC 774 Dr. Peng Ning
Pairing-Based Handshake (PBH)
• PBH.Handshake:
•
•
•
A BAA n,id
A B0,,id VnBB
A B1V
)1|||id|id|))id(,priv(ˆ( 121 BABABA nnHeHV =
)0|||id|id|)priv),id((ˆ( 120 BABABA nnHeHV =
€
S = H2( ˆ e (privA ,H1(idB )) | idA | idB | nA | nB | 2)
= H2( ˆ e (H1(idB ),privB ) | idA | idB | nA | nB | 2)
Computer Science CSC 774 Dr. Peng Ning
Pairing-Based Handshake (PBH)
• PBH.TraceUser: Since the conversations of handshaking include the pseudonyms, administrator can easily figure out the users.
• PBH.RemoveUser: Administrator removes user U by broadcasting its pseudonyms to all the other users, so that other users won’t accept pseudonyms of U.
Computer Science CSC 774 Dr. Peng Ning
Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman• CreateGroup: Administrator picks (p,q,g). p and q are primes,
g is a generator of a subgroup in of order q. Also, picks up a private key x, and computes the public key y=gx mod p
• AddUser: For user U, administrator generates idU, then
generates a pair
so that
idU, w, t will be given to the user.
*pZ
),(),( *qptw ZZ∈
),( IDwHwy=tg
Computer Science CSC 774 Dr. Peng Ning
Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman• AddUser: For user U, administrator generates idU, then generates a pair
so that
idU, w, t will be given to the user.
– How to generate the pair (w,t)?
Randomly pick r, compute
pgw r mod=
),( IDwxHrt +=
),(),( *qptw ZZ∈
),( IDwHwy=tg
Computer Science CSC 774 Dr. Peng Ning
Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman• Handshake: Assume user A has (idA, wA, tA) and user B has (idB, wB, tB). Define several marks (ElGamal Encryption):
–
–
–
pwyPKwy wH mod)id,,Recover( )id,(==
)]mod(',mod[
],[)(Enc 21
pPKHmpg
ccmRR
PK
⊕=
=
)mod(')],[(Dec 1221 pcHcmcc tt ⊕==
Computer Science CSC 774 Dr. Peng Ning
Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman
A BBB w,id),idRecover( BBB wy,PK =
• Handshake:
A B
randomly picks
computes
€
rA ,chA
€
CA = EncPKB(rA )
€
idA ,wA ,CA ,cha ),idRecover( AAA wy,PK =
€
rA = DectB(CA )
€
CB = EncPKA(rB )
A B
€
CB ,respB ,chB
randomly picks
computes
€
rB ,chB
€
respB = H(rA ,rB ,chA )
€
rB = DectA(CB )
€
respA = H(rA ,rB ,chB )
verifies respB
A B
€
respA verifies respA