Privacy in Encrypted Content Distribution Using Private Broadcast Encryption
Adam Barth, Dan Boneh, Brent Waters
Private Broadcast Encryption
• Make data available to select principals
  – Encrypt the data to those principals
• Often important to hide the set of principals
  – BCC recipients in encrypted email
  – Customer list (hide from competitors)
  – Promotion committee can read evaluations
• Private broadcast encryption
  – Recipient privacy against active attackers
Related Work
• Key privacy in public-key setting [BBDP01]
  – IK-CCA: Ciphertext does not leak public key
    • Attacker viewing ciphertext encrypted under one of two public keys cannot guess which key was used
  – Cramer-Shoup is IK-CCA (with common prime)
  – Important building block for recipient privacy
• Previous broadcast encryption systems
  – Increasing collusion resistance
  – Reducing ciphertext overhead
  – We focus on hiding recipient set
Our Results
• Generic construction (standard model)
  – Achieves CCA recipient privacy
  – Uses generic IK-CCA public-key system
  – Decryption time is linear in number of recipients
• Efficient construction (random oracle)
  – Achieves CCA recipient privacy
  – Assumes CDH is hard
  – Decryption in O(1) cryptographic operations
Broadcast Systems in Practice
• Microsoft Outlook
  – Encrypted email as a broadcast system
  – Outlook completely reveals BCC recipients
    • issuerAndSerialNumber
  – BCC recipients’ names can appear in the clear
  – Could send separate message for email
• Windows Encrypted File System
• Pretty Good Privacy (PGP)
  – GnuPG as an example implementation
Pretty Good Privacy?
• Message encrypted with symmetric key, K
• K encrypted for each recipient
• To speed decryption, components labeled with KeyIDs
  – Hash of public key
• User identities completely revealed
[Figure: ciphertext layout: A: {K}pk(A), B: {K}pk(B), C: {K}pk(C), followed by { }K]
Recipient Privacy in PGP
• PGP labels encryptions using a KeyID
    C:\gpg>gpg --verbose -d message.txt
    gpg: armor header: Version: GnuPG v1.2.2 (MingW32)
    gpg: public key is 3CF61C7B
    gpg: public key is 028EAE1C
• KeyIDs easily translated into names and email addresses using a public key server
• GPG includes option to withhold KeyIDs
  – Vulnerable to passive recipient privacy attack
Security Model
Private Broadcast Encryption
• I ← Setup()
  – Generates global parameters I
• (pk, sk) ← Keygen(I)
  – Generates public-private key pairs
• C ← Encrypt(S, M)
  – Encrypts plaintext M for recipient set S
• M ← Decrypt(sk, C)
  – Decrypts ciphertext C with private key sk
CPA Recipient Privacy Defined
[Figure: game between Adversary and Challenger, in order]
• Global Parameter
• S0 and S1 (subsets of {1, …, n} such that |S0| = |S1|)
• All public keys
• Secret keys for S0 ∩ S1
• b ←R {0,1}
• M encrypted for Sb as C*
• Guess b’
Adversary wins if b’ = b
Some schemes vulnerable with large overlap, whereas others are vulnerable with small overlap
Simple CPA Recipient Privacy
• Remove labels
• Use key-private scheme
• Reorder components
• O(n) decrypt time
• CPA recipient privacy
• But, active attack…
  – Even with IK-CCA
[Figure: labeled ciphertext A: {K}pk(A), B: {K}pk(B), C: {K}pk(C), { }K becomes {K}pk(B), {K}pk(A), {K}pk(C), { }K, with the labels crossed out and the components reordered]
Active Attack on Simple Scheme
• Attacker a recipient– Learns K
• Replaces message with something alluring
• Forwards malicious message to Alice
• Waits for response
• Receives response only if Alice was a recipient
[Figure: ciphertext components {K}pk(B), {K}pk(A), {K}pk(C)]
CCA Recipient Privacy Defined
[Figure: game between Adversary and Challenger, in order]
• Global Parameter
• S0 and S1 (subsets of {1, …, n} such that |S0| = |S1|)
• All public keys
• Secret keys for S0 ∩ S1
• b ←R {0,1}
• M encrypted for Sb as C*
• Guess b’
Adversary wins if b’ = b
Decryption queries shown in the figure:
• Decrypt query on (u, C)
• Decrypt query on (u, C) (C ≠ C*)
Constructions
Primitives Used in Constructions
• Strong correctness
  – Decrypting with wrong key results in
• Strong signatures
  – Attacker cannot create a new signature
  – Even on a previously signed message
  – Example: RSA full-domain hash
• CCA key private (IK-CCA) cryptosystem
  – Ciphertext does not leak public key
Generic CCA Construction
• Start with CPA scheme
• Generate a fresh signing key pair (vk, sk)
• Include verification key, vk, in each component
• Sign the ciphertext
• Thm: CCA recipient private
• O(n) decryption time
[Figure: ciphertext components {vk, K}pk(B), {vk, K}pk(A), {vk, K}pk(C), followed by { }K]
Added Primitives for Efficiency
• A group G where CDH is hard
  – Extend public keys with g^a, private keys with a
• Model hash function as a random oracle
  – Use extraction property to break CDH
  – Use DH self-corrector [Shoup97]
Ciphertext Component Labels
• Speed decryption with private labels
• To make labels for every component:
  – Pick a single fresh exponent r
  – Include g^r in the ciphertext
  – Label component for (pk, g^a) with H(g^(ar))
• Each recipient computes own label with g^r and a
  – Attacker cannot associate H(g^(ar)) with g^a
• Still need to tie labels to verification key…
  – Include g^(ar) in ciphertext components
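The label mechanism from this slide, next to a PGP-style KeyID label, as an added example that is not part of the original deck. The toy modulus, the generator, the function names and the placeholder payloads are assumptions; the encryption of each component and the signature under vk are left out.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: 2^127 - 1 is far too small
# for real use. The slides only require a group G where CDH is hard.
P = 2**127 - 1
G = 3

def H(x: int) -> str:
    """Stand-in for the random oracle H: hash a group element to a label."""
    return hashlib.sha256(x.to_bytes(16, "big")).hexdigest()[:16]

def keygen():
    """Return (a, g^a), the extension added to each private/public key."""
    a = secrets.randbelow(P - 3) + 2
    return a, pow(G, a, P)

def keyid_label(ga: int) -> str:
    """PGP-style label: hash of the public key, the same in every message."""
    return H(ga)

def label_components(recipient_pubs, payloads):
    """Sender: pick one fresh r, label the component for g^a with H(g^(ar))."""
    r = secrets.randbelow(P - 3) + 2
    pairs = [(H(pow(ga, r, P)), body) for ga, body in zip(recipient_pubs, payloads)]
    # Sort by label so component order does not reflect the sender's list order.
    return pow(G, r, P), dict(sorted(pairs))

def find_component(a: int, gr: int, table):
    """Recipient: one exponentiation plus one lookup, independent of n."""
    return table.get(H(pow(gr, a, P)))

if __name__ == "__main__":
    (a, ga), (b, gb), (d, gd) = keygen(), keygen(), keygen()
    # Constructed payloads standing in for the encrypted components.
    gr, table = label_components([ga, gb], ["component-A", "component-B"])
    print(find_component(a, gr, table))   # recipient locates its component
    print(find_component(d, gr, table))   # non-recipient finds no label
```

Because r is fresh for every message, the same recipient's label changes from one ciphertext to the next, whereas the KeyID-style label can be recomputed by anyone who holds the public key.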
Efficient CCA Construction
• Thm: CCA recipient private (in RO model)
• O(1) cryptographic operations for decryption
[Figure: ciphertext layout]
H(g^(br)): {vk, g^(br), K}pk(B)
H(g^(ar)): {vk, g^(ar), K}pk(A)
H(g^(cr)): {vk, g^(cr), K}pk(C)
{M}K, g^r
Conclusions
• Many widely-deployed content distribution systems lack recipient privacy
  – Email and encrypted file systems
• Introduced private broadcast encryption
  – Recipient privacy against an active attacker
  – Performance similar to non-private schemes
• Open problem: private broadcast encryption with shorter ciphertext
Questions?
Broadcast Semantics of Email
[Figure: Mail User Agent (MUA), Mail Transfer Agent (MTA), two Recipient MTAs, three Recipients]
BCC privacy in S/MIME
• S/MIME label is the RecipientInfo field.
• Label consists of the issuer and serial number of the recipient’s certificate
• Self-signed certificate:
  – Full name and email address in the clear
    444:d=9 hl=2 l= 3 prim: OBJECT :commonName
    449:d=9 hl=2 l= 11 prim: PRINTABLESTRING :Henry Kyser
    462:d=7 hl=2 l= 32 cons: SET
    464:d=8 hl=2 l= 30 cons: SEQUENCE
    466:d=9 hl=2 l= 9 prim: OBJECT :emailAddress
    477:d=9 hl=2 l= 17 prim: IA5STRING :[email protected]
• VeriSign certificate: identity at verisign.com
BCC Privacy by User Agent
[Table: BCC privacy by user agent]
Columns: Completely Exposes | Partially Reveals | Protects Identity
Row groups: S/MIME-based, PGP-based
User agents listed: Apple Mail.app 2.622, Outlook 2003, Outlook Express 6, Thunderbird 1.02, Outlook Web Access, EudoraGPG 2.0, GPGshell 3.42, Hushmail, KMail 1.8, PGP Desktop 9.0, Turnpike 6.04
Sending Separate Encryptions
• Sending separate encryptions provides BCC privacy
• Advantages of separate encryptions
  – Can be deployed immediately and unilaterally
  – Conceals the number (and existence of) BCC recipients
• Disadvantages of separate encryptions
  – Difficult to implement for MUA plug-ins such as EudoraGPG
  – Increases MTA workload and network traffic