Date posted: 15-Dec-2015
Computer Science
CSC 774 Dr. Peng Ning
CSC 774 Advanced Network Security
Topic 2.5 Secret Handshake
Slides by Tong Zhou
Goals
• Authenticate without revealing credentials
– Consider two groups G1 and G2, and two parties A ∈ G1 and B ∈ G2. A and B want to authenticate each other.
– If G1 ≠ G2: A and B only know they are not in the same group.
– If G1 = G2: A and B can authenticate to each other.
– A third party learns nothing by observing conversations between A and B.
Preliminaries: Pairing-based Cryptography
• Bilinear Maps:
– Two cyclic groups of large prime order q: G1 and G2
– $\hat{e}: G_1 \times G_1 \to G_2$ is a bilinear map if $\forall a, b \in \mathbb{Z}_q;\ P, Q \in G_1:\ \hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$
• ê should be computable and non-degenerate, and should satisfy the Bilinear Diffie-Hellman assumption, i.e., given P, aP, bP, cP, it is hard to compute $\hat{e}(P, P)^{abc}$
Protocol Sketch
• Equipped with bilinear map ê and one-way hash function H1
• CA has a master key t.
• Assume a drivers and cops scenario.
Protocol Sketch
Driver’s Licence:
“p65748392a”,TA
TA = tH1(“p65748392a-driver”)
Traffic cop credential:
“xy6542678d”,TB
TB = tH1(“xy6542678d-cop”)
Driver’s licence, please.
Please show me your pseudonym.
xy6542678d
p65748392a
$K_A = \hat{e}(H_1(\text{“xy6542678d-cop”}), T_A)$
$K_B = \hat{e}(T_B, H_1(\text{“p65748392a-driver”}))$
$K_A = K_B$
Protocol Sketch – Attacker Igor
Driver’s Licence:
“p65748392a”,TA
TA = tH1(“p65748392a-driver”)
Obtains Bob’s pseudonym
“xy6542678d”
I am a cop. Driver’s licence, please.
Please show me your pseudonym.
xy6542678d
p65748392a
$K_A = \hat{e}(H_1(\text{“xy6542678d-cop”}), T_A)$
???
This guy is not a cop.
Secret-Handshake Scheme (SHS)
• SHS.CreateGroup(G): executed by an administrator, generates the group secret GroupSecretG for G.
• SHS.AddUser(U,G,GroupSecretG): creates user secret UserSecretU,G for new user U.
• SHS.HandShake(A,B): Users A and B authenticate each other. B discovers A ∈ G if and only if A discovers B ∈ G.
• SHS.TraceUser: Administrator identifies the user from a transcript T generated during a conversation between A and B.
• SHS.RemoveUser: Administrator revokes user U.
Pairing-Based Handshake (PBH)
• PBH.CreateGroup: Administrator sets GroupSecretG as a random number $s_G \in \mathbb{Z}_q$
• PBH.AddUser: Administrator generates pseudonyms for users: $\{\mathrm{id}_{U1}, \ldots, \mathrm{id}_{Ut}\}$ and then generates the corresponding secret points: $\{\mathrm{priv}_{U1}, \ldots, \mathrm{priv}_{Ut}\}$ where $\mathrm{priv}_{Ui} = s_G H_1(\mathrm{id}_{Ui})$. H1 is a one-way hash function.
Pairing-Based Handshake (PBH)
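• PBH.Handshake:
• A → B: $\mathrm{id}_A, n_A$
• B → A: $\mathrm{id}_B, n_B, V_0$
• A → B: $V_1$
$V_0 = H_2(\hat{e}(H_1(\mathrm{id}_A), \mathrm{priv}_B) \mid \mathrm{id}_A \mid \mathrm{id}_B \mid n_A \mid n_B \mid 0)$
$V_1 = H_2(\hat{e}(\mathrm{priv}_A, H_1(\mathrm{id}_B)) \mid \mathrm{id}_A \mid \mathrm{id}_B \mid n_A \mid n_B \mid 1)$
$S = H_2(\hat{e}(\mathrm{priv}_A, H_1(\mathrm{id}_B)) \mid \mathrm{id}_A \mid \mathrm{id}_B \mid n_A \mid n_B \mid 2) = H_2(\hat{e}(H_1(\mathrm{id}_A), \mathrm{priv}_B) \mid \mathrm{id}_A \mid \mathrm{id}_B \mid n_A \mid n_B \mid 2)$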
Pairing-Based Handshake (PBH)
• PBH.TraceUser: Since the handshake conversations include the pseudonyms, the administrator can easily identify the users.
• PBH.RemoveUser: Administrator removes user U by broadcasting its pseudonyms to all the other users, so that other users won’t accept pseudonyms of U.
Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman
• CreateGroup: Administrator picks (p,q,g). p and q are primes, g is a generator of a subgroup of $\mathbb{Z}_p^*$ of order q. Also picks a private key x, and computes the public key $y = g^x \bmod p$.
• AddUser: For user U, administrator generates idU, then generates a pair $(w, t) \in (\mathbb{Z}_p^*, \mathbb{Z}_q)$ so that $g^t = w\,y^{H(w, ID)}$. idU, w, t will be given to the user.
Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman
• AddUser: For user U, administrator generates idU, then generates a pair $(w, t) \in (\mathbb{Z}_p^*, \mathbb{Z}_q)$ so that $g^t = w\,y^{H(w, ID)}$. idU, w, t will be given to the user.
– How to generate the pair (w,t)? Randomly pick r, compute $w = g^r \bmod p$ and $t = r + xH(w, ID)$.
Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman
• Handshake: Assume user A has (idA, wA, tA) and user B has (idB, wB, tB). Define the following notation (ElGamal Encryption):
– $PK = \mathrm{Recover}(y, w, \mathrm{id}) = w\,y^{H(w, \mathrm{id})} \bmod p$
– $\mathrm{Enc}_{PK}(m) = [c_1, c_2] = [g^R \bmod p,\ m \oplus H'(PK^R \bmod p)]$
– $\mathrm{Dec}_t([c_1, c_2]) = m = c_2 \oplus H'(c_1^t \bmod p)$
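Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman
• Handshake:
– B → A: $\mathrm{id}_B, w_B$
– A computes $PK_B = \mathrm{Recover}(y, w_B, \mathrm{id}_B)$, randomly picks $r_A, ch_A$, and computes $C_A = \mathrm{Enc}_{PK_B}(r_A)$
– A → B: $\mathrm{id}_A, w_A, C_A, ch_A$
– B computes $PK_A = \mathrm{Recover}(y, w_A, \mathrm{id}_A)$ and $r_A = \mathrm{Dec}_{t_B}(C_A)$, randomly picks $r_B, ch_B$, and computes $C_B = \mathrm{Enc}_{PK_A}(r_B)$ and $resp_B = H(r_A, r_B, ch_A)$
– B → A: $C_B, resp_B, ch_B$
– A computes $r_B = \mathrm{Dec}_{t_A}(C_B)$, verifies $resp_B$, and computes $resp_A = H(r_A, r_B, ch_B)$
– A → B: $resp_A$
– B verifies $resp_A$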
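The CDH-based CreateGroup, AddUser, Recover/Enc/Dec and handshake steps above, run end to end as an added example (not code from the slides). The group parameters are a constructed toy group, SHA-256 stands in for H and H', and all function names are assumptions made for this sketch.

```python
import hashlib, secrets

# Constructed toy group (demo sizes only): p = 2q + 1, g = 4 has order q.
P, Q, G = 2039, 1019, 4

def _h(*parts):                     # SHA-256 over the joined fields (assumed hash)
    return hashlib.sha256("|".join(map(str, parts)).encode()).digest()

def H(*parts):                      # H: hash into Z_q, used in the credential
    return int.from_bytes(_h("H", *parts), "big") % Q

def Hmask(x):                       # H': 32-bit mask for the XOR step
    return int.from_bytes(_h("H'", x)[:4], "big")

def create_group(x=None):           # CreateGroup: private x, public y = g^x mod p
    x = x or 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def add_user(x, uid):               # AddUser: w = g^r, t = r + x*H(w, id), reduced mod q
    r = 1 + secrets.randbelow(Q - 1)
    w = pow(G, r, P)
    return uid, w, (r + x * H(w, uid)) % Q

def recover(y, w, uid):             # PK = w * y^H(w,id) mod p (= g^t if the credential is valid)
    return w * pow(y, H(w, uid), P) % P

def enc(pk, m):                     # [c1, c2] = [g^R, m XOR H'(PK^R)]
    R = 1 + secrets.randbelow(Q - 1)
    return pow(G, R, P), m ^ Hmask(pow(pk, R, P))

def dec(t, c):                      # m = c2 XOR H'(c1^t)
    return c[1] ^ Hmask(pow(c[0], t, P))

def handshake(y_a, cred_a, y_b, cred_b):
    """Run both sides locally; returns (A accepts B, B accepts A)."""
    (id_a, w_a, t_a), (id_b, w_b, t_b) = cred_a, cred_b
    # B -> A: id_B, w_B. A rebuilds PK_B with the group key it trusts (y_a).
    r_a, ch_a = secrets.randbits(32), secrets.randbits(32)
    c_a = enc(recover(y_a, w_b, id_b), r_a)
    # A -> B: id_A, w_A, C_A, ch_A. B decrypts with t_B and answers.
    r_a_seen = dec(t_b, c_a)
    r_b, ch_b = secrets.randbits(32), secrets.randbits(32)
    c_b = enc(recover(y_b, w_a, id_a), r_b)
    resp_b = _h(r_a_seen, r_b, ch_a)
    # B -> A: C_B, resp_B, ch_B. A decrypts, verifies resp_B, answers.
    r_b_seen = dec(t_a, c_b)
    a_accepts = secrets.compare_digest(resp_b, _h(r_a, r_b_seen, ch_a))
    resp_a = _h(r_a, r_b_seen, ch_b)
    # A -> B: resp_A. B verifies it against what it decrypted and sent.
    return a_accepts, secrets.compare_digest(resp_a, _h(r_a_seen, r_b, ch_b))
```

A party holding only a pseudonym and w but not the matching t, or a credential issued under a different group key, decrypts to the wrong nonce, so both response checks fail.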