Cryptography II
Ben Adida
CIS, CSAIL, MIT
3 May 2006
http://ben.adida.net/presentations/
Last Time....
Secret-Key Encryption
Diagram: message blocks m0 m1 m2 m3 m4 are encrypted block by block under the shared key sk (Enc_sk, drawn as E_K), chained together starting from IV, giving ciphertext blocks c0 c1 c2 c3 c4.
Number Theory
computing log_g y mod p is hard
computing g^x mod p is easy
Diffie-Hellman Key Exchange
Alice picks a secret x_A and sends y_A = g^x_A; Bob picks a secret x_B and sends y_B = g^x_B.
Alice computes y_B^x_A = g^(x_A x_B); Bob computes y_A^x_B = g^(x_A x_B). Both hold the same value.
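The exchange above, as an added example that is not from the slides, in the slide's notation and with a brute-force discrete log to show the easy/hard asymmetry of the Number Theory slide; p = 23, g = 5 and the exponents are constructed toy values.

```python
# Added example, not from the slides: the Diffie-Hellman exchange in the slide's
# notation, plus the brute-force discrete log an eavesdropper would need.
# p = 23, g = 5 and the exponents 6 and 15 are constructed toy values.
import secrets

def dh_keypair(p, g, x=None):
    """Pick a secret exponent x and publish y = g^x mod p (the easy direction)."""
    if x is None:
        x = secrets.randbelow(p - 2) + 1      # 1 <= x <= p-2
    return x, pow(g, x, p)

def dh_shared(p, x_own, y_other):
    """Raise the other side's public value to your own secret: (g^xB)^xA = (g^xA)^xB."""
    return pow(y_other, x_own, p)

def dlog_bruteforce(p, g, y):
    """What Eve, holding only (p, g, y), must solve: find x with g^x = y mod p.
    Feasible here only because p is tiny; the cost grows with the group size."""
    acc = 1
    for x in range(p - 1):
        if acc == y:
            return x
        acc = acc * g % p
    return None

def dh_demo(p=23, g=5, x_a=6, x_b=15):
    """Returns (y_A, y_B, Alice's key, Bob's key, what Eve recovers by brute force)."""
    x_a, y_a = dh_keypair(p, g, x_a)
    x_b, y_b = dh_keypair(p, g, x_b)
    k_alice = dh_shared(p, x_a, y_b)          # y_B^x_A = g^(x_A x_B)
    k_bob = dh_shared(p, x_b, y_a)            # y_A^x_B = g^(x_A x_B)
    k_eve = pow(y_b, dlog_bruteforce(p, g, y_a), p)   # only possible for toy p
    return y_a, y_b, k_alice, k_bob, k_eve

if __name__ == "__main__":
    print(dh_demo())
```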
Public-Key Encryption
Alice holds the key pair (pk, sk). Anyone with pk, such as Bob or Charlie, can send her c = Enc_pk(m); only Alice can compute m = Dec_sk(c).
Hybrid Encryption
generate a session key, then send c = Enc_session key(m), Enc_pk(session key)
Signatures
Reverse the Public-Key Encryption operation!
Sign_sk(m) = σ
Verify_pk(m, σ) = True/False
Sign_sk(m) = Dec_sk(m)
Verify_pk(m, σ): Enc_pk(σ) =? m
Hash Functions
• “fingerprint” of a long document
• MD5 hashes to 128 bits, SHA1 hashes to 160 bits
• Properties
  ★ Collision Attack
  ★ Pre-Image Attack
  ★ Second Pre-Image Attack
H(m) = hash; sign the hash: Sign_sk(H(m))
Certificates
A trusted third party (TTP) issues cert = Sign_TTP(“Bob, pk_B”). Bob sends Alice pk_B together with cert; Alice then sends Enc_pk_B(m).
PGP
Alice already holds pk_Charlie. She obtains pk_Bob together with Sign_Charlie(“Bob”, pk_Bob), Charlie's endorsement of Bob's key, and then sends Enc_pk_Bob(message).
Advanced Applications
Anti-Phishing
Fax Attack
Phone Attack
DNS
Diagram: Alice's message leaves through the wonderland.com outgoing mail server, which looks up foo.com's MX record in DNS; the record names mail.foo.com, the incoming mail server that delivers to Bob (steps 1 through 4 in the figure).
SMTP Today
No Proof of Origin
Diagram: the same path, from Alice's outgoing mail server at wonderland.com to mail.foo.com, the incoming mail server for Bob, but a message from phish.com takes the same route and the receiver cannot tell the two apart (“?”).
A Platform of Trust
Approaches shown: User Interface Indicators, Reputation Management, SSL, Automatic Filtering, Light Sigs
We want to provide Just Enough Trust
Basic Signatures
Alice holds (SK_alice, PK_alice). The authority Wonderland, holding (SK_wonderland, PK_wonderland), certifies her key:
sign_wonderland(PK_alice, “alice@wonderland.com”)
DNS to distribute Domain-Level Keys [DomainKeys]
wonderland.com holds SK_wonderland.com and publishes PK_wonderland.com in DNS; foo.com publishes PK_foo.com the same way.
Example message:
From: Alice
To: Bob
Subject: 6.976
It's the best class I've ever taken, seriously. You should take it.
Alice
Alice
Email Authentication
The authority wonderland (SK_wonderland) publishes PK_wonderland in DNS under wonderland.com and certifies Alice's key: sign_wonderland(PK_alice, “alice@wonderland.com”).
Alice holds (SK_alice, PK_alice) and sends Bob PK_alice, that certificate, and sign_alice(message).
Email Authentication
• certifying a user’s public key can add significant overhead.
• distributing the secret key to all user access points is tricky.
... unless we rethink the security requirements a bit.
Email-Based Authentication [Gar2003]
Diagram: the wonderland.com keyserver (holding SK_wonderland.com) delivers Alice's secret key SK and certificate(PK_alice@wonderland.com) to her by email, through the wonderland.com incoming mail server.
Server-Managed User Keys
The authority wonderland (SK_wonderland) publishes PK_wonderland in DNS under wonderland.com. The wonderland.com incoming mail server keeps Alice's key pair (SK_alice, PK_alice) and sends Bob PK_alice, sign_wonderland(PK_alice, “alice@wonderland.com”), and sign_alice(message).
Example message:
From: Alice
To: Bob
Subject: 6.976
It's the best class I've ever taken, seriously. You should take it.
Alice
DomainKeys
The authority wonderland (SK_wonderland) publishes PK_wonderland in DNS under wonderland.com and signs the outgoing message with the domain key; there are no per-user keys.
Example message:
From: Alice
To: Bob
Subject: 6.976
It's the best class I've ever taken, seriously. You should take it.
Alice
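The Signatures slide's "reverse the encryption" signature, applied hash-then-sign as the Hash Functions slide suggests and used the DomainKeys way (the domain key signs outgoing mail, PK_domain is looked up in DNS), as an added example that is not from the slides; toy-sized RSA primes, a dict standing in for DNS and SHA-256 are my own choices.

```python
# Added example, not from the slides: Sign_sk(m) = Dec_sk(H(m)) and Verify_pk checking
# Enc_pk(sigma) == H(m), used the DomainKeys way (domain key signs outgoing mail,
# PK_domain published in DNS). Toy RSA primes, a dict as DNS and SHA-256 are my choices.
import hashlib, math

def next_prime(n):
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def rsa_keygen(p, q):
    """Textbook RSA: pk = (n, e), sk = (n, d). Far too small to be secure; toy only."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:              # public exponent must be coprime to phi
        e += 2
    return (n, e), (n, pow(e, -1, phi))       # modular inverse needs Python 3.8+

def H(msg, n):                                # hash-then-sign: fingerprint into Z_n
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(sk, msg):                            # Sign_sk(m) = Dec_sk(H(m))
    n, d = sk
    return pow(H(msg, n), d, n)

def verify(pk, msg, sigma):                   # Enc_pk(sigma) == H(m) ?
    n, e = pk
    return pow(sigma, e, n) == H(msg, n)

DNS = {}                                      # constructed stand-in for DNS records
def publish(domain, pk):                      # the domain publishes PK_domain in DNS
    DNS[domain] = pk

def sign_outgoing(domain_sk, sender, body):
    """Outgoing server signs sender address and body together, binding From: to the key."""
    return sign(domain_sk, sender.encode() + b"\n" + body)

def verify_incoming(sender, body, sig):
    """Incoming server fetches the sender domain's key; no record or bad signature: reject."""
    pk = DNS.get(sender.split("@", 1)[1])
    return pk is not None and verify(pk, sender.encode() + b"\n" + body, sig)

PK_WONDERLAND, SK_WONDERLAND = rsa_keygen(next_prime(10 ** 6), next_prime(2 * 10 ** 6))
publish("wonderland.com", PK_WONDERLAND)

if __name__ == "__main__":
    body = b"It's the best class I've ever taken, seriously. You should take it."
    sig = sign_outgoing(SK_WONDERLAND, "alice@wonderland.com", body)
    print(verify_incoming("alice@wonderland.com", body, sig), verify_incoming("alice@wonderland.com", body + b"!", sig))
```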
Can we get the benefits of both user keys and domain keys?
ID-based Domains
Alice (at wonderland.com) and Bob (at foo.com) each need only their domain's master public key, MPK_wonderland.com and MPK_foo.com. Each domain runs a keyserver that holds the matching master secret key: MSK_wonderland.com at wonderland.com, MSK_foo.com at foo.com.
DNS to distribute Master Public Keys
The wonderland.com key server (holding MSK_wonderland.com) publishes MPK_wonderland.com in DNS; foo.com publishes MPK_foo.com the same way.
Email-Based Authentication for User Secret Keys
Diagram: the wonderland.com keyserver (holding MSK_wonderland.com) derives Alice's secret key SK and delivers it to her by email through the wonderland.com incoming mail server.
Lightweight Signatures
Diagram: the wonderland.com key server (on the Wonderland.com network) and the foo.com key server (on the foo.com network) each PUBLISH their master public key, MPK_wonderland and MPK_foo, in DNS (step 1); Alice receives SK_A from her key server (step 2); the remaining labels are steps 3, 4, 5 (MPK_bank) and 6, ending at Bob.
Example message:
From: Alice
To: Bob
Subject: 6.976!
Dev is the best professor ever!
Signed: Alice
So What?
• Alice likes Bob
• Eve likes Bob
• Bob likes to gloat.
Bob's Blog, “Alice's Email”, August 30th, 2005: “Check out what Alice wrote me earlier today! Crazy stuff.... who knew?”
What if Bob publishes Alice’s Email on his blog?
This changes the nature of email.
Ad-Hoc Group Sigs
From: Alice
To: Bob
Subject: Coffee?
Hey Bob,
Wanna meet for coffee? I'd love to get to know you better.
Signed: Alice or Bob
A Taste of Voting
Voting is Hard
Verifiability and Anonymity
The Point of An Election
“The People have spoken....the bastards!”
Dick Tuck, 1966 Concession Speech
Provide enough evidence to convince the loser.
Concession speeches are given before acceptance speeches.
Bulletin Board
Ben: “Bob”
Franz: “Alice”
Whit: “Bob”
Kevin: “Alice”
Ron: “Bob”
Can we get ballot secrecy and election audit-ability?
Encrypted Bulletin Board
Ben: d9cv0
Franz: e3s823
Whit: n7390n
Kevin: x38vf
Ron: dfuciv2
Verification?
Universal Verifiability; Ballot Casting Assurance
The encrypted bulletin board again (Ben: d9cv0, Franz: e3s823, Whit: n7390n, Kevin: x38vf, Ron: dfuciv2). Kevin, whose vote was Alice, sees a tally of Bob.
Zero-Knowledge Proofs
“How to Explain Zero-Knowledge to Your Children”, Quisquater & Guillou (graphics from Wikipedia)
Envelopes
Diagram: a row of sealed envelopes, one labelled “Favorite: Alice”, six labelled “President: Mickey Mouse”, and a final one labelled “Favorite: Alice”.
This last envelope probably contains “Alice”
Graph 3-Coloring
What did you learn?
Nothing more than the fact that I probably know a true 3-coloring.
In particular, you did not learn enough to prove this same property to someone else.
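One round of the graph 3-coloring protocol the slides allude to, with hash commitments, as an added example that is not from the slides; the graph, its coloring, the cheating coloring and the use of SHA-256 commitments are all constructed, and the simulator at the end is the usual argument for why the verifier learns nothing transferable.

```python
# Added example, not from the slides: graph 3-colouring zero-knowledge with SHA-256
# commitments. The graph, its colouring and the cheating colouring are constructed;
# simulate_view shows a verifier can produce the same transcripts without any colouring.
import hashlib, random, secrets

EDGES = [(0, 1), (1, 2), (2, 0), (2, 3), (3, 4), (4, 2)]       # constructed graph
COLORING = {0: "R", 1: "G", 2: "B", 3: "R", 4: "G"}             # a valid 3-colouring
BAD_COLORING = {**COLORING, 3: "B"}                              # edge (2, 3) is monochrome

def commit(nonce, color):
    return hashlib.sha256(nonce + color.encode()).hexdigest()

def prover_commit(coloring):
    """Prover relabels the colours at random each round, then commits to every vertex."""
    perm = dict(zip("RGB", random.sample(list("RGB"), 3)))
    openings = {v: (perm[c], secrets.token_bytes(16)) for v, c in coloring.items()}
    commitments = {v: commit(nonce, c) for v, (c, nonce) in openings.items()}
    return commitments, openings

def verifier_check(commitments, edge, opened):
    """Verifier opens only the two endpoints of its chosen edge and checks they differ."""
    u, v = edge
    (c_u, n_u), (c_v, n_v) = opened
    return (commit(n_u, c_u) == commitments[u] and commit(n_v, c_v) == commitments[v]
            and c_u != c_v)

def run_round(edges, coloring, edge=None):
    commitments, openings = prover_commit(coloring)
    edge = edge or random.choice(edges)          # challenge is chosen after the commitment
    return verifier_check(commitments, edge, (openings[edge[0]], openings[edge[1]]))

def run_protocol(edges, coloring, rounds=200):
    """A bad colouring survives a round with probability 1 - 1/|E|; repeat to drive it down."""
    return all(run_round(edges, coloring) for _ in range(rounds))

def simulate_view(edges, edge):
    """What a verifier can produce alone: commitments plus two distinct random colours on
    the queried edge. Real transcripts look the same, so they convince nobody else."""
    c_u, c_v = random.sample(list("RGB"), 2)
    fake = {v: ("R", secrets.token_bytes(16)) for e in edges for v in e}
    fake[edge[0]], fake[edge[1]] = (c_u, secrets.token_bytes(16)), (c_v, secrets.token_bytes(16))
    commitments = {v: commit(n, c) for v, (c, n) in fake.items()}
    return verifier_check(commitments, edge, (fake[edge[0]], fake[edge[1]]))
```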
Smells like.... proving the content of a vote while preventing vote selling!
Diagram: voters Alice, Bob and Carol are checked against the Voter Registration Database; their votes go through encryption (Encrypted Votes), anonymization and decryption to yield the Results.
Mixnet
Republicans, Democrats, Independents
Each mix server shuffles and rerandomizes the ciphertexts in private.
Decryption Mixnet
c = Enc_pk0(Enc_pk1(Enc_pk2(m)))
Each mix server “unwraps” a layer of this encryption onion.
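A three-server decryption mixnet that builds the onion c = Enc_pk0(Enc_pk1(Enc_pk2(m))) above and peels it one server at a time, as an added example that is not from the slides; textbook RSA with toy primes, the random padding added to each layer (so that two votes for the same candidate do not look alike), and the candidate list are my own constructions.

```python
# Added example, not from the slides: a three-server decryption mixnet on the onion
# c = Enc_pk0(Enc_pk1(Enc_pk2(m))). Textbook RSA with toy primes and my own random
# padding per layer; the candidate list and key sizes are constructed.
import math, random, secrets

def next_prime(n):
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def rsa_keygen(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    e = 3
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))        # (pk, sk); toy sizes, not secure

CANDIDATES = ["Alice", "Bob", "Charlie"]
PAD_BITS = [6, 7, 8]                           # random padding bits per layer, outermost first
# moduli n0 > n1 > n2 so that each layer's padded ciphertext fits inside the next layer out
KEYS = [rsa_keygen(next_prime(10000), next_prime(10008)),   # server 0: n0 ~ 1e8
        rsa_keygen(next_prime(1000), next_prime(1010)),     # server 1: n1 ~ 1e6
        rsa_keygen(next_prime(50), next_prime(60))]         # server 2: n2 ~ 3e3

def encrypt_vote(candidate):
    """Voter wraps the candidate index innermost-first: Enc_pk2, then Enc_pk1, then Enc_pk0."""
    x = CANDIDATES.index(candidate)
    for (n, e), bits in reversed(list(zip([pk for pk, _ in KEYS], PAD_BITS))):
        x = pow((x << bits) | secrets.randbits(bits), e, n)   # pad, then encrypt
    return x

def mix_server(level, ciphertexts):
    """Server `level` strips its layer and padding, then shuffles in private before passing on."""
    n, d = KEYS[level][1]
    peeled = [pow(c, d, n) >> PAD_BITS[level] for c in ciphertexts]
    random.shuffle(peeled)                      # the secret permutation hides who voted what
    return peeled

def tally(ciphertexts):
    """Run the batch through all servers; the output order no longer matches the input order."""
    batch = ciphertexts
    for level in range(len(KEYS)):
        batch = mix_server(level, batch)
    return sorted(CANDIDATES[x] for x in batch)

if __name__ == "__main__":
    votes = [encrypt_vote(c) for c in ["Alice", "Bob", "Bob", "Charlie"]]
    print(votes, tally(votes))
```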
Verifying a Dec. Mixnet
Randomized Partial Checking (Juels, Jakobsson, Rivest 2002)
1/2 of mix servers honest means no complete path is revealed
Prêt-à-Voter
Three example ballots, each listing the four candidates in a different rotation beside four blank mark boxes, with a value printed underneath:
  Alice, Bob, Charlie, David (8c3859x0dfsw)
  Bob, Charlie, David, Alice (3l0c8v3923434)
  Charlie, David, Alice, Bob (uyq838v8i348j)
H(Onion) that routes the ballot through a Chaumian mixnet to recover the candidate order
Questions?