
Post on 15-Dec-2015


Computer Science

CSC 774 Dr. Peng Ning

CSC 774 Advanced Network Security

Topic 2.5 Secret Handshake

Slides by Tong Zhou


Goals

• Authenticate without revealing credentials

– Consider two groups G1 and G2, and two parties A ∈ G1 and B ∈ G2. A and B want to authenticate each other.

– If G1 ≠ G2: A and B only know they are not in the same group.

– If G1 = G2: A and B can authenticate to each other.

– A third party learns nothing by observing conversations between A and B.


Preliminaries: Pairing-based Cryptography

• Bilinear Maps:

– Two cyclic groups of large prime order q: G1 and G2

– $\hat{e}: G_1 \times G_1 \to G_2$ is a bilinear map if $\forall a, b \in \mathbb{Z}_q;\ P, Q \in G_1:\ \hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$

• ê should be computable and non-degenerate, and should satisfy the Bilinear Diffie-Hellman assumption, i.e., given P, aP, bP, cP, it is hard to compute $\hat{e}(P, P)^{abc}$


Protocol Sketch

• Equipped with bilinear map ê and one-way hash function H1

• CA has a master key t.

• Assume a drivers and cops scenario.


Protocol Sketch

Driver’s Licence:

“p65748392a”,TA

TA = tH1(“p65748392a-driver”)

Traffic cop credential:

“xy6542678d”,TB

TB = tH1(“xy6542678d-cop”)

Driver’s licence, please.

Please show me your pseudonym.

xy6542678d

p65748392a

$K_A = \hat{e}(H_1(\text{“xy6542678d-cop”}), T_A)$

$K_B = \hat{e}(T_B, H_1(\text{“p65748392a-driver”}))$

$K_A = K_B$


Protocol Sketch – Attacker Igor

Driver’s Licence:

“p65748392a”,TA

TA = tH1(“p65748392a-driver”)

Obtains Bob’s pseudonym

“xy6542678d”

I am a cop. Driver’s licence, please.

Please show me your pseudonym.

xy6542678d

p65748392a

$K_A = \hat{e}(H_1(\text{“xy6542678d-cop”}), T_A)$

???

This guy is not a cop.


Secret-Handshake Scheme (SHS)

• SHS.CreateGroup(G): executed by an administrator; generates the group secret GroupSecretG for G.

• SHS.AddUser(U,G,GroupSecretG): creates user secret UserSecretU,G for new user U.

• SHS.HandShake(A,B): Users A and B authenticate each other. B discovers A ∈ G if and only if A discovers B ∈ G.

• SHS.TraceUser: Administrator identifies the user from a transcript T generated during a conversation between A and B.

• SHS.RemoveUser: Administrator revokes user U.


Pairing-Based Handshake (PBH)

• PBH.CreateGroup: Administrator sets GroupSecretG as a random number $s_G \in \mathbb{Z}_q$

• PBH.AddUser: Administrator generates pseudonyms for users: $\{id_{U_1}, \ldots, id_{U_t}\}$ and then generates the corresponding secret points: $\{priv_{U_1}, \ldots, priv_{U_t}\}$ where $priv_{U_i} = s_G H_1(id_{U_i})$. H1 is a one-way hash function.


Pairing-Based Handshake (PBH)

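• PBH.Handshake:

A → B: $id_A, n_A$

B → A: $id_B, n_B, V_0$

A → B: $V_1$

$V_0 = H_2(\hat{e}(H_1(id_A), priv_B) \,|\, id_A \,|\, id_B \,|\, n_A \,|\, n_B \,|\, 0)$

$V_1 = H_2(\hat{e}(priv_A, H_1(id_B)) \,|\, id_A \,|\, id_B \,|\, n_A \,|\, n_B \,|\, 1)$

$S = H_2(\hat{e}(priv_A, H_1(id_B)) \,|\, id_A \,|\, id_B \,|\, n_A \,|\, n_B \,|\, 2)$

$\;\; = H_2(\hat{e}(H_1(id_A), priv_B) \,|\, id_A \,|\, id_B \,|\, n_A \,|\, n_B \,|\, 2)$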
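
Why both parties obtain the same pairing value (an added derivation, not part of the original slides), using $priv_A = s_G H_1(id_A)$, $priv_B = s_G H_1(id_B)$ and the bilinearity of ê:

$$\hat{e}(priv_A, H_1(id_B)) = \hat{e}(s_G H_1(id_A), H_1(id_B)) = \hat{e}(H_1(id_A), H_1(id_B))^{s_G} = \hat{e}(H_1(id_A), s_G H_1(id_B)) = \hat{e}(H_1(id_A), priv_B)$$

So A's check of $V_0$ and B's check of $V_1$ succeed when both secret points were issued under the same $s_G$. If B's point was issued under a different secret $s'_G \not\equiv s_G \pmod q$, B's side evaluates to $\hat{e}(H_1(id_A), H_1(id_B))^{s'_G}$, which differs from A's value whenever $\hat{e}(H_1(id_A), H_1(id_B)) \neq 1$ (the target group has prime order q), so the verification fails.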


Pairing-Based Handshake (PBH)

• PBH.TraceUser: Since handshake conversations include the pseudonyms, the administrator can easily identify the users.

• PBH.RemoveUser: Administrator removes user U by broadcasting its pseudonyms to all the other users, so that other users won’t accept pseudonyms of U.


Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman

• CreateGroup: Administrator picks (p, q, g). p and q are primes, g is a generator of a subgroup in $\mathbb{Z}_p^*$ of order q. The administrator also picks a private key x and computes the public key $y = g^x \bmod p$

• AddUser: For user U, administrator generates idU, then generates a pair $(w, t) \in (\mathbb{Z}_p^*, \mathbb{Z}_q)$ so that $g^t = w\,y^{H(w, ID)}$. idU, w, t will be given to the user.


Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman

• AddUser: For user U, administrator generates idU, then generates a pair $(w, t) \in (\mathbb{Z}_p^*, \mathbb{Z}_q)$ so that $g^t = w\,y^{H(w, ID)}$. idU, w, t will be given to the user.

– How to generate the pair (w,t)?

Randomly pick r, compute

$w = g^r \bmod p$

$t = r + xH(w, ID)$


Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman

• Handshake: Assume user A has (idA, wA, tA) and user B has (idB, wB, tB). Define some notation (ElGamal encryption):

$PK = \mathrm{Recover}(y, w, id) = w\,y^{H(w, id)} \bmod p$

$\mathrm{Enc}_{PK}(m) = [c_1, c_2] = [g^R \bmod p,\ m \oplus H'(PK^R \bmod p)]$

$\mathrm{Dec}_t([c_1, c_2]) = m = c_2 \oplus H'(c_1^t \bmod p)$


Computational Diffie-Hellman Instead of Bilinear Diffie-Hellman

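• Handshake:

B → A: $id_B, w_B$

A: computes $PK_B = \mathrm{Recover}(y, w_B, id_B)$; randomly picks $r_A, ch_A$; computes $C_A = \mathrm{Enc}_{PK_B}(r_A)$

A → B: $id_A, w_A, C_A, ch_A$

B: computes $PK_A = \mathrm{Recover}(y, w_A, id_A)$ and $r_A = \mathrm{Dec}_{t_B}(C_A)$; randomly picks $r_B, ch_B$; computes $C_B = \mathrm{Enc}_{PK_A}(r_B)$ and $resp_B = H(r_A, r_B, ch_A)$

B → A: $C_B, resp_B, ch_B$

A: computes $r_B = \mathrm{Dec}_{t_A}(C_B)$ and $resp_A = H(r_A, r_B, ch_B)$; verifies $resp_B$

A → B: $resp_A$

B: verifies $resp_A$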


Intuition

• If A and B are in the same group, each of them can decrypt the random number (rA and rB).

• If not, neither of them can get any information about rA or rB.
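
The CDH-based scheme and the intuition above, as an added Python example (not code from the slides). The SHA-256 helper standing in for H and H', the demo-sized order q = 2^127 - 1, the parameter search `find_group` and all function names are assumptions made here; both parties' steps run inside one function.

```python
import hashlib, math, secrets

def H(*parts):  # SHA-256 to an integer; stands in for the slides' H and H' (assumption)
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def find_group(q):
    """Find a prime p = k*q + 1 and g of order q (Pocklington test with base 2)."""
    k = 2
    while True:
        p = k * q + 1
        g = pow(2, k, p)
        if pow(g, q, p) == 1 and math.gcd(g - 1, p) == 1:
            return p, g
        k += 2

Q = 2**127 - 1           # constructed demo order (a Mersenne prime); far too small for real use
P, G = find_group(Q)

def create_group():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                    # private x, public y = g^x mod p

def add_user(x, uid):
    r = secrets.randbelow(Q - 1) + 1
    w = pow(G, r, P)
    return uid, w, (r + x * H(w, uid)) % Q    # t = r + x*H(w, ID), so g^t = w * y^H(w, ID)

def recover(y, w, uid):
    return w * pow(y, H(w, uid), P) % P       # PK = w * y^H(w, id) mod p

def enc(pk, m):
    R = secrets.randbelow(Q - 1) + 1
    return pow(G, R, P), m ^ H("mask", pow(pk, R, P))   # [g^R, m XOR H'(PK^R)]

def dec(t, c):
    return c[1] ^ H("mask", pow(c[0], t, P))             # c2 XOR H'(c1^t)

def handshake(y_a, cred_a, y_b, cred_b):
    """Run both sides; y_a / y_b are the CA public keys A and B trust.
    Returns (A accepts B, B accepts A)."""
    (id_a, w_a, t_a), (id_b, w_b, t_b) = cred_a, cred_b
    r_a, ch_a = secrets.randbits(128), secrets.randbits(128)
    c_a = enc(recover(y_a, w_b, id_b), r_a)   # A -> B: id_A, w_A, C_A, ch_A
    r_b, ch_b = secrets.randbits(128), secrets.randbits(128)
    c_b = enc(recover(y_b, w_a, id_a), r_b)   # B -> A: C_B, resp_B, ch_B
    ra_seen_by_b, rb_seen_by_a = dec(t_b, c_a), dec(t_a, c_b)
    resp_b = H(ra_seen_by_b, r_b, ch_a)
    resp_a = H(r_a, rb_seen_by_a, ch_b)       # A -> B: resp_A
    return resp_b == H(r_a, rb_seen_by_a, ch_a), resp_a == H(ra_seen_by_b, r_b, ch_b)
```

Two credentials issued under the same private key x give `(True, True)`; credentials from different administrators, or a party holding only someone else's public (id, w) without the matching t, fail because the decrypted random number does not match.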
