Cryptography II
Source: assets.adida.net/presentations/6976-spring06-crypto2.pdf

Post on 24-Jul-2020


Cryptography II
Ben Adida
CIS, CSAIL, MIT
3 May 2006

http://ben.adida.net/presentations/

Last Time....

Secret-Key Encryption

[Figure: cipher-block-chaining diagram. Starting from an IV, plaintext blocks m0 ... m4 are encrypted one at a time under Enc_sk to give ciphertext blocks c0 ... c4.]

Number Theory

computing log_g y mod p is hard

computing g^x mod p is easy

Diffie-Hellman Key Exchange

Alice picks a secret x_A; Bob picks a secret x_B

Alice sends y_A = g^x_A; Bob sends y_B = g^x_B

Alice computes y_B^x_A = g^(x_A x_B)

Bob computes y_A^x_B = g^(x_A x_B)

Public-Key Encryption

Alice holds the key pair (pk, sk); Bob and Charlie know only pk

c = Enc_pk(m)

m = Dec_sk(c)

Hybrid Encryption

generate a session key

c = Enc_session key(m), Enc_pk(session key)

Signatures

Reverse the Public-Key Encryption operation!

Sign_sk(m) = σ

Verify_pk(m, σ) = True/False

Sign_sk(m) = Dec_sk(m)

Verify_pk(m, σ): Enc_pk(σ) ?= m

Hash Functions

• “fingerprint” of a long document

• MD5 hashes to 128 bits, SHA1 hashes to 160 bits

• Properties
  ★ Collision Attack
  ★ Pre-Image Attack
  ★ Second Pre-Image Attack

H(m) = hash, Sign_sk(H(m))
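An added example (not from the slides) that carries the two slides above into working code: textbook RSA where signing is the private operation applied to H(m) and verifying is the public operation compared against H(m). The primes, exponent and message are constructed toy values.

```python
# Added example (not from the slides): hash-then-sign with textbook RSA, the
# slide's Sign_sk(m) = Dec_sk(.) applied to H(m), and Verify_pk checking Enc_pk(sigma) == H(m).
# The primes below are constructed toy values, far too small for real use.
import hashlib
from math import gcd

def make_toy_keypair(p=1000003, q=1000033, e=65537):
    """RSA key pair from two fixed (constructed) primes. Returns (pk, sk) = ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def H(m, n):
    """Fingerprint of the message: SHA-256, reduced mod n so it fits one RSA block.
    Signing the digest rather than m is what lets one key cover a long document."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def sign(sk, m):
    """Sign_sk(m) = Dec_sk(H(m)): sigma = H(m)^d mod n. (Real schemes also pad,
    e.g. RSASSA-PSS; this mirrors the slide's bare construction.)"""
    n, d = sk
    return pow(H(m, n), d, n)

def verify(pk, m, sigma):
    """Verify_pk(m, sigma): Enc_pk(sigma) ?= H(m), i.e. sigma^e mod n == H(m)."""
    n, e = pk
    return pow(sigma, e, n) == H(m, n)

if __name__ == "__main__":
    pk, sk = make_toy_keypair()
    msg = b"It's the best class I've ever taken, seriously. You should take it."
    sigma = sign(sk, msg)
    print(verify(pk, msg, sigma))              # True
    print(verify(pk, msg + b" Not.", sigma))   # False: any change to m changes H(m)
```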

Certificates

TTP issues cert = Sign_TTP(“Bob, pkB”)

Bob sends Alice: pkB, cert

Alice sends Bob: Enc_pkB(m)

PGP

Alice, Bob, Charlie: Alice holds pk_Charlie; Charlie vouches for Bob's key

Sign_Charlie(“Bob”, pk_Bob)

Enc_pkBob(message)

Advanced Applications

Anti-Phishing

Fax Attack

Phone Attack

DNS

foo.com: MX Record -> mail.foo.com

[Figure: mail path from Alice to Bob. (1) Alice hands the message to the wonderland.com outgoing mail server; (2) it looks up the MX record for foo.com in DNS; (3) it delivers to mail.foo.com, the incoming mail server; (4) Bob retrieves it.]

SMTP Today

No Proof of Origin

[Figure: the same path, but mail.foo.com, the incoming mail server for Bob, receives a message claiming to be from Alice at wonderland.com. Did it come from the wonderland.com outgoing mail server or from phish.com? The server cannot tell.]

User Interface Indicators

Reputation Management

A Platform of Trust: SSL, Automatic Filtering, Reputation Management

Light Sigs

We want to provide Just Enough Trust

Basic Signatures

Alice: SK_alice, PK_alice

Authority Wonderland: SK_wonderland, PK_wonderland

sign_wonderland(PK_alice, “alice@wonderland.com”)

DNS to distribute Domain-Level Keys [DomainKeys]

wonderland.com keeps SK_wonderland.com and publishes PK_wonderland.com in DNS; foo.com publishes PK_foo.com the same way, so either domain can look up the other's key.

From: Alice
To: Bob
Subject: 6.976

It's the best class I've ever taken, seriously. You should take it.

Alice

Email Authentication

Alice (alice@wonderland.com): SK_alice, PK_alice

Authority wonderland: SK_wonderland; PK_wonderland published in DNS under wonderland.com

Alice's certificate: sign_wonderland(PK_alice, “alice@wonderland.com”)

Bob (bob@foo.com) receives PK_alice, the certificate, and sign_alice(message)

Email Authentication

Alice (alice@wonderland.com): SK_alice, PK_alice

Authority wonderland: SK_wonderland

• certifying a user’s public key can add significant overhead.

• distributing the secret key to all user access points is tricky.

... unless we rethink the security requirements a bit.

Email-Based Authentication [Gar2003]

Alice; wonderland.com incoming mail server; wonderland.com keyserver

The keyserver holds SK_wonderland.com and one secret key per user: SK_alice@wonderland.com, SK_eve@wonderland.com, SK_dave@wonderland.com, ....

It delivers SK_alice@wonderland.com together with certificate(PK_alice@wonderland.com) to Alice through the wonderland.com incoming mail server, so access to the alice@wonderland.com mailbox is what authenticates Alice.

Server-Managed User Keys

Alice (alice@wonderland.com)

Authority wonderland: SK_wonderland; PK_wonderland published in DNS under wonderland.com

The wonderland.com incoming mail server holds SK_alice, PK_alice on Alice's behalf

Bob (bob@foo.com) receives:

From: Alice
To: Bob
Subject: 6.976

It's the best class I've ever taken, seriously. You should take it.

Alice

together with sign_wonderland(PK_alice, “alice@wonderland.com”), PK_alice, and sign_alice(message)

DomainKeys

Alice (alice@wonderland.com) sends to Bob (bob@foo.com)

Authority wonderland: SK_wonderland; PK_wonderland published in DNS under wonderland.com

From: Alice
To: Bob
Subject: 6.976

It's the best class I've ever taken, seriously. You should take it.

Alice

Can we get the benefits of both user keys and domain keys?

ID-Based Crypto

keyserver: MSK, MPK

PK_bob = "bob@foo.com": Alice needs only Bob's address and the keyserver's MPK; the keyserver derives SK_bob from MSK for Bob

ID-based Domains

Alice: SK_alice@wonderland.com under MPK_wonderland.com; Bob: SK_bob@foo.com under MPK_foo.com

wonderland.com keyserver: MSK_wonderland.com

foo.com keyserver: MSK_foo.com

DNS to distribute Master Public Keys

The wonderland.com key server (holding MSK_wonderland.com) publishes MPK_wonderland.com in DNS under wonderland.com; foo.com publishes MPK_foo.com

Email-Based Authentication for User Secret Keys

The wonderland.com keyserver derives SK_alice@wonderland.com from MSK_wonderland.com and delivers it to Alice via the wonderland.com incoming mail server

Lightweight Signatures

[Figure: Wonderland.com Network (wonderland.com key server, Alice), foo.com Network (foo.com key server, Bob), and DNS, with a numbered flow 1 to 6. The labels that survive: both key servers PUBLISH their master public keys MPK_wonderland and MPK_foo to DNS (1); Alice obtains SK_A from her key server (2); Bob's side shows “alice@wonderland.com”, MPK_wonderland and MPK_bank beside steps 4, 5 and 6.]

From: Alice
To: Bob
Subject: 6.976!

Dev is the best professor ever!

Signed: Alice

So What?

• Alice likes Bob

• Eve likes Bob

• Bob likes to gloat.

Bob's Blog
Alice's Email - August 30th, 2005
Check out what Alice wrote me earlier today! Crazy stuff.... who knew?

What if Bob publishes Alice’s Email on his blog?

This changes the nature of email.

Ad-Hoc Group Sigs

From: Alice
To: Bob
Subject: Coffee?

Hey Bob,

Wanna meet for coffee? I'd love to get to know you better.

Signed: Alice or Bob

A Taste of Voting

Voting is Hard

Verifiability vs. Anonymity

The Point of An Election

“The People have spoken....the bastards!”
Dick Tuck, 1966 Concession Speech

Provide enough evidence to convince the loser.

concession speeches given before acceptance speeches.

Bulletin Board

Ben: “Bob”
Franz: “Alice”
Whit: “Bob”
Kevin: “Alice”
Ron: “Bob”

Can we get ballot secrecy and election audit-ability?

Encrypted Bulletin Board

Ben: d9cv0
Franz: e3s823
Whit: n7390n
Kevin: x38vf
Ron: dfuciv2

Verification?

Universal Verifiability
Ballot Casting Assurance

[Same encrypted board; Kevin checks his own entry. Kevin's Vote: Alice. Tally: Bob.]

Zero-Knowledge Proofs

“How to Explain Zero-Knowledge to Your Children”

Quisquater & Guillou

graphics from Wikipedia


Envelopes

Favorite: Alice

President: Mickey Mouse
President: Mickey Mouse
President: Mickey Mouse
President: Mickey Mouse
President: Mickey Mouse
President: Mickey Mouse

Favorite: Alice

This last envelope probably contains “Alice”

Graph 3-Coloring


What did you learn?

Nothing more than the fact that I probably know a true 3-coloring.

In particular: you did not learn enough to prove this same property to someone else.

Smells like.... proving the content of a vote while preventing vote selling!
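An added example (not from the slides) of the envelope protocol for graph 3-coloring in code, with a hash commitment standing in for the envelope. The graph, its coloring and the round counts are constructed; the last function shows why the verifier can convince nobody else.

```python
# Added example (not from the slides): the commit-and-open protocol behind the
# graph 3-coloring demonstration, with a SHA-256 commitment standing in for the
# slide's envelopes. The graph, its coloring and the round counts are constructed.
import hashlib
import os
import random

# Constructed toy instance: a 4-cycle with one chord, plus one valid 3-coloring.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)]
COLORING = {0: 0, 1: 1, 2: 2, 3: 1}

def commit(color):
    """Seal a color in an 'envelope': H(nonce || color) hides it and binds the prover."""
    nonce = os.urandom(16)
    return hashlib.sha256(nonce + bytes([color])).digest(), nonce

def opens_to(com, nonce, color):
    """Check that an opened envelope really contained this color."""
    return hashlib.sha256(nonce + bytes([color])).digest() == com

def prover_round(coloring, rng=random):
    """Prover relabels the three colors at random, so the colors seen in one round
    say nothing about the next, then commits to every vertex's new color."""
    perm = rng.sample(range(3), 3)
    relabeled = {v: perm[c] for v, c in coloring.items()}
    return relabeled, {v: commit(c) for v, c in relabeled.items()}

def verifier_round(coloring, edges, rng=random):
    """One round: the verifier names an edge, the prover opens only its two
    endpoints, and the verifier accepts iff both open correctly to different colors."""
    relabeled, envelopes = prover_round(coloring, rng)
    u, v = rng.choice(edges)
    (com_u, n_u), (com_v, n_v) = envelopes[u], envelopes[v]
    return (opens_to(com_u, n_u, relabeled[u]) and opens_to(com_v, n_v, relabeled[v])
            and relabeled[u] != relabeled[v])

def run_protocol(coloring, edges, rounds=100):
    """A prover whose coloring has one bad edge passes a round with probability
    1 - 1/|E|, so repeating drives the chance of fooling the verifier toward 0."""
    return all(verifier_round(coloring, edges) for _ in range(rounds))

def simulated_view(edges, rng=random):
    """What the verifier sees in a round, produced with no coloring at all: an edge
    and two distinct random colors. Since this matches a real round's view, a
    transcript proves nothing to a third party (the 'in particular' slide)."""
    u, v = rng.choice(edges)
    cu, cv = rng.sample(range(3), 2)
    return (u, v), cu, cv
```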

[Figure: voters Alice, Bob and Carol, checked against the Voter Registration Database, each encrypt a vote; the Encrypted Votes go through anonymization and then decryption to yield the Results.]

Mixnet

Republicans, Democrats, Independents

Each mix server shuffles and rerandomizes the ciphertexts in private.
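An added example (not from the slides) of the pipeline in the figure: an encrypted bulletin board, mix servers that re-randomize and shuffle, then decryption and tally. It uses ElGamal over a constructed toy group (p = 1019, generator 4 of order 509), the same g^x arithmetic as the number-theory slide; the sample votes match the earlier bulletin board.

```python
# Added example (not from the slides): encrypted bulletin board -> re-randomizing
# mix servers -> decryption -> tally, with ElGamal in a constructed toy group;
# far too small for real use.
import random

P, Q, G = 1019, 509, 4         # constructed: 1019 = 2*509 + 1; G generates the order-Q subgroup
CANDIDATES = ["Alice", "Bob"]  # candidate k is encoded as the group element G^(k+1)

def keygen(rng):
    """Election key pair: sk in [1, Q), pk = G^sk. Returns (pk, sk)."""
    sk = rng.randrange(1, Q)
    return pow(G, sk, P), sk

def encrypt(pk, k, rng):
    """Voter encrypts candidate index k as (G^r, G^(k+1) * pk^r) with fresh r."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), (pow(G, k + 1, P) * pow(pk, r, P)) % P

def rerandomize(pk, c, rng):
    """Multiply in an encryption of 1 under fresh randomness: same plaintext, new ciphertext."""
    a, b = c
    s = rng.randrange(1, Q)
    return (a * pow(G, s, P)) % P, (b * pow(pk, s, P)) % P

def mix(pk, board, rng):
    """One mix server: re-randomize every ciphertext, then shuffle the order."""
    out = [rerandomize(pk, c, rng) for c in board]
    rng.shuffle(out)
    return out

def decrypt(sk, c):
    a, b = c
    m = (b * pow(a, Q - sk, P)) % P   # b / a^sk; a^(Q - sk) = a^(-sk) because a has order Q
    return next(k for k in range(len(CANDIDATES)) if pow(G, k + 1, P) == m)

def tally(sk, board):
    counts = {name: 0 for name in CANDIDATES}
    for c in board:
        counts[CANDIDATES[decrypt(sk, c)]] += 1
    return counts

def run_election(votes, mixers=2, seed=6976):
    """votes: candidate indices in board order, e.g. [1, 0, 1, 0, 1] for Ben: Bob,
    Franz: Alice, Whit: Bob, Kevin: Alice, Ron: Bob. Returns the tally."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    board = [encrypt(pk, k, rng) for k in votes]   # the encrypted bulletin board
    for _ in range(mixers):                          # mix servers in series
        board = mix(pk, board, rng)
    return tally(sk, board)
```

After the mix the posted order and the ciphertext bytes are both gone, yet the tally is unchanged; that is the anonymization step of the figure.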

Decryption Mixnet

c = Enc_pk0(Enc_pk1(Enc_pk2(m)))

Each mix server “unwraps” a layer of this encryption onion.

Verifying a Dec. Mixnet

Randomized Partial Checking (Juels, Jakobsson, Rivest 2002)

1/2 of mix servers honest = no complete path is revealed

Prêt-à-Voter

[Figure: three ballots, each with a blank box beside every candidate name and a code printed at the bottom. Ballot 1 lists Alice, Bob, Charlie, David (code 8c3859x0dfsw); ballot 2 lists Bob, Charlie, David, Alice (code 3l0c8v3923434); ballot 3 lists Charlie, David, Alice, Bob (code uyq838v8i348j). The candidate order is cyclically shifted from ballot to ballot.]

H(Onion) that routes the ballot through a Chaumian mixnet to recover the candidate order

Questions?