1 / 25

Privacy in Encrypted Content Distribution Using Private Broadcast Encryption

Privacy in Encrypted Content Distribution Using Private Broadcast Encryption. Adam Barth Dan Boneh Brent Waters. Private Broadcast Encryption. Make data available to select principals Encrypt the data to those principals Often important to hide the set of principals

ansel
Download Presentation

Privacy in Encrypted Content Distribution Using Private Broadcast Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth Dan Boneh Brent Waters

  2. Private Broadcast Encryption • Make data available to select principals • Encrypt the data to those principals • Often important to hide the set of principals • BCC recipients in encrypted email • Customer list (hide from competitors) • Promotion committee can read evaluations • Private broadcast encryption • Recipient privacy against active attackers

  3. Related Work • Key privacy in public-key setting [BBDP01] • IK-CCA: Ciphertext does not leak public key • Attacker viewing ciphertext encrypted under one of two public keys cannot guess which key was used • Cramer-Shoup is IK-CCA (with common prime) • Important building block for recipient privacy • Previous broadcast encryption systems • Increasing collusion resistance • Reducing ciphertext overhead • We focus on hiding recipient set

  4. Our Results • Generic construction (standard model) • Achieves CCA recipient privacy • Uses generic IK-CCA public-key system • Decryption time is linear in number of recipients • Efficient construction (random oracle) • Achieves CCA recipient privacy • Assumes CDH is hard • Decryption in O(1) cryptographic operations

  5. Broadcast Systems in Practice • Microsoft Outlook • Encrypted email as a broadcast system • Outlook completely reveals BCC recipients • issuerAndSerialNumber • BCC recipients’ names can appear in the clear • Could send separate message for email • Windows Encrypted File System • Pretty Good Privacy (PGP) • GnuPG as an example implementation

  6. Message encrypted with symmetric key, K K encrypted for each recipient To speed decryption, components labeled with KeyIDs Hash of public key User identities completely revealed {}K Pretty Good Privacy? {K}pk(A) {K}pk(B) {K}pk(C) A: B: C:

  7. Recipient Privacy in PGP • PGP labels encryptions using a KeyID C:\gpg>gpg --verbose -d message.txt gpg: armor header: Version: GnuPG v1.2.2 (MingW32) gpg: public key is 3CF61C7B gpg: public key is 028EAE1C • KeyIDs easily translated into names and email addresses using a public key server • GPG includes option to withhold KeyIDs • Vulnerable to passive recipient privacy attack

  8. Security Model

  9. Private Broadcast Encryption • I Setup() • Generates global parameters I • (pk, sk)  Keygen(I) • Generates public-private key pairs • C  Encrypt(S, M) • Encrypts plaintext M for recipient set S • M  Decrypt(sk, C) • Decrypts ciphertext C with private key sk

  10. CPA Recipient Privacy Defined Adversary Challenger Global Parameter S0 and S1 subsets of {1, …, n} such that |S0| = |S1| S0 and S1 All public keys Some schemes vulnerable with large overlap, whereas others are vulnerable with small overlap Secret keys for S0S1 bR {0,1} M encrypted for Sb as C* Guess b’ Adversary wins if b’ = b

  11. X X X {}K Simple CPA Recipient Privacy • Remove labels • Use key-private scheme • Reorder components • O(n) decrypt time • CPA recipient privacy • But, active attack… • Even with IK-CCA {K}pk(A) {K}pk(B) {K}pk(C) {K}pk(B) {K}pk(A) {K}pk(C) A: B: C: B: A: C:

  12. Active Attack on Simple Scheme • Attacker a recipient • Learns K • Replaces message with something alluring • Forwards malicious message to Alice • Waits for response • Receives response only if Alice was a recipient {K}pk(B) {K}pk(A) {K}pk(C) {}K

  13. CCA Recipient Privacy Defined Adversary Challenger Global Parameter S0 and S1 subsets of {1, …, n} such that |S0| = |S1| S0 and S1 All public keys Secret keys for S0S1 Decrypt query on (u, C) bR {0,1} M encrypted for Sb as C* Decrypt query on (u, C) (C C*) Guess b’ Adversary wins if b’ = b

  14. Constructions

  15. Primitives Used in Constructions • Strong correctness • Decrypting with wrong key results in  • Strong signatures • Attacker cannot create a new signature • Even on a previously signed message • Example: RSA full-domain hash • CCA key private (IK-CCA) cryptosystem • Ciphertext does not leak public key

  16. Generic CCA Construction  • Start with CPA scheme • Generate a fresh signing key pair (vk, sk) • Include verification key, vk, in each component • Sign the ciphertext • Thm: CCA recipient private • O(n) decryption time { , K}pk(B) { , K}pk(A) { , K}pk(C) vk vk vk {}K

  17. Added Primitives for Efficiency • A group G where CDH is hard • Extend public keys with ga, private keys with a • Model hash function as a random oracle • Use extraction property to break CDH • Use DH self-corrector [Shoup97]

  18. Ciphertext Component Labels • Speed decryption with private labels • To make labels for every component: • Pick a single fresh exponent r • Include gr in the ciphertext • Label component for (pk, ga) with H(gar) • Each recipient computes own label with gr and a • Attacker can not associate H(gar) with ga • Still need to tie labels to verification key… • Include gar in ciphertext components

  19. Efficient CCA Construction  , gr H(gbr): H(gar): H(gcr): {vk, , K}pk(B) {vk, , K}pk(A) {vk, , K}pk(C) gbr gar gcr • Thm: CCA recipient private (in RO model) • O(1) cryptographic operations for decryption {M}K

  20. Conclusions • Many widely-deployed content distribution systems lack recipient privacy • Email and encrypted file systems • Introduced private broadcast encryption • Recipient privacy against an active attacker • Performance similar to non-private schemes • Open problem: private broadcast encryption with shorter ciphertext

  21. Questions?

  22. Mail Transfer Agent (MTA) Recipient MTA Mail User Agent (MUA) Recipient Recipient Recipient MTA Recipient Broadcast Semantics of Email

  23. BCC privacy in S/MIME • S/MIME label is the RecipientInfo field. • Label consists of the issuer and serial number of the recipient’s certificate • Self-signed certificate: • Full name and email address in the clear 444:d=9 hl=2 l= 3 prim: OBJECT :commonName 449:d=9 hl=2 l= 11 prim: PRINTABLESTRING :Henry Kyser 462:d=7 hl=2 l= 32 cons: SET 464:d=8 hl=2 l= 30 cons: SEQUENCE 466:d=9 hl=2 l= 9 prim: OBJECT :emailAddress 477:d=9 hl=2 l= 17 prim: IA5STRING :h9565@hotmail.com • VeriSign certificate: identity at verisign.com

  24. BCC Privacy by User Agent S/MIME-based PGP-based

  25. Sending Separate Encryptions • Sending separate encryptions provides BCC privacy • Advantages of separate encryptions • Can be deployed immediately and unilaterally • Conceals the number (and existence of) BCC recipients • Disadvantages of separate encryptions • Difficult to implement for MUA plug-ins such as EudoraGPG • Increases MTA workload and network traffic

More Related