1 / 28

Design and Security Analysis of Marked Blind Signature

Attività formativa. Design and Security Analysis of Marked Blind Signature. Studente Claudia Snels. Professore Giuseppe Bianchi. Presentation outline. Introduction Blind signatures New Marked Blind Signature (MBS) Security analysis General methods Security Analysis of MBS

thetis
Download Presentation

Design and Security Analysis of Marked Blind Signature

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Attività formativa Design and Security Analysis of Marked Blind Signature Studente Claudia Snels Professore Giuseppe Bianchi

  2. Presentation outline • Introduction • Blind signatures • New Marked Blind Signature (MBS) • Security analysis • General methods • Security Analysis of MBS • Ongoing work on MBS • Applications • Conclusions

  3. Chaum’s Blind RSA Signature Be P mod n Server Client (Be P)d = B Pd mod n (d,n) Server’s private key (e,n) Server’s public key B Blinding Term P Message to be signed User unblinds the received message and obtains a valid signature for P Server doesn’t know what he has signed BLIND SIGNATURE Introduction: Blind signatures

  4. Marked Blind Signature • Goal: add random “mark” R inside signature • R unknown/unforgeable by both server/client • Application • “stamp” the act of signing • Anticipated certificate verification • Wrap proof of possession of a certificate private key inside the signature! • SPARTA pseudonym/authorization approach from Netlab (more later) Introduction: New Marked Blind Signatures

  5. R=XY inserted by client (full-domain hashed with P) Blinding with same factor B X = client random; B = blinding factor Homomorphic computation of R=XY Server side blind insertion of R=XY Additive insertion to avoid forgery and easy attacks Flaw: traceability! Server associate to real user the following value (blindly) Signed credential Marked Blind SignatureSimpler (but flawed) version  easier to understand Approach: use homomorphic property of RSA encryption

  6. Discrete Logarithm modulus n (server RSA) DL-strong base g Elimination of B now harmless (Double) Homomorphic computation of R=XY+Z - X,Z: client random - Y: server random - under the condition XY+Z<n Marked Blind SignatureActual (correct) version Introduction: New Marked Blind Signatures

  7. Signature verification • Authorization Credential: • Signed pseudonym • After server signature, client computes R as • Verification: • Client verifies certificate P • usual challenge handshake • Client presents P, R, cred • Server checks: Introduction: New Marked Blind Signatures

  8. How to develop a security analysis Security protocol Message Exchange Message exchange Cryptographic primitives Logic correctness Explicitness of information exchanged Automatic Theorem Provers (Isabelle) Semantic Analysis Black Box Cryptography is supposed to work well Security analysis: General methods

  9. How to develop a security analysis Cryptographic primitives Simple signatures scheme like RSA, Diffie-Hellmann More complicated schemes like Chaum’s Blind Signature, elliptic curve signature Massive usage of basic number theory theorems A jungle of papers about: zero knowledge proof, Random Oracles WHY? Security analysis: General methods

  10. Security analysis: our choice Problem: Simple Ideas but with “uncommon” requirements (e.g. untraceability) are VERY difficult to proof Two strategies Design very complicated protocol which can satisfy a large number of hypothesis. Under such strict hypotheses a rigorous mathetical proof is possible Maintain a simple idea! Try an attack based security analysis, and build a rigorous proof when possible Problem: unapplicability of such protocols in software tools OUR CHOICE Security analysis: General methods

  11. Main features of a blind signature scheme • Unforgeability of R: R should be a random created by both peers but not forgeable in order to prevent traceability or reusage of the same marker • Unforgeability of mbs: client should not be able to generate (forge) a valid signature • Untraceability: Server should not be able to trace Client Security analysis of mbs

  12. Unforgeability of R We remind that the strategy of the attack is to choose a suitable x (for Client) or y (for Server) such that mod n or mod n. In the first case we have R=s, so its value is decided by Client. • Values having this property are the Euler totient function and the Carmichael function, but this values are known only to Bob who possesses the factorization of n=pq. • So we can conclude: • Server can choose a suitable y but this is not an advantage for him • Client can’t choose a suitable x, or in another way this is as difficult as factorising RSA modulo n R is UNFORGEABLE Security analysis of mbs

  13. Unforgeability of mbs How Alice can try to forge mbs? We refer to the one more forgery, in the sense that if Client owns a signing oracle she can’t obtain one more mbs than the number of queries she makes to the oracle. HOMOMORPHIC PROPERTY OF RSA With Marked Blind Signature is this possible? Security analysis of mbs

  14. Unforgeability of mbs Try to find a R and a message m such that • Hard computation due to • multiple hash terms • presence of R inside and outside the Hash Under Random Oracle Hypothesis, our signature is as unforgeable as Chaum’s blind signature Security analysis of mbs

  15. Untraceability We focus on the possibility for the server to build a marker univocally linkable to one client (remember the flaw of the first scheme presented). In our case we can eliminate the blinding term B and produce the following ratios While good candidates for markers are Always blinded Not directly obtainable by Server Security analysis of mbs

  16. Untraceability we must have In order to obtain We have demonstrated that is not obtainable as long as Server doesn’t know B So next question is: how to obtain B? During handshake Blindness during handshake 2 equations 3 variables Security analysis of mbs

  17. Formal proof of validity and blindness Definition. A signature scheme is called blind if Server’s view V and the triple (mbs,R,m) are statistically indipendent, that is during verification phase Server cannot recognise Client. Theorem. The triple (mbs,R,m) is a valid signature for message m and the mbs protocol is a blind scheme. Proof. Validity if the hash is collision free Security analysis of mbs

  18. Formal proof of validity and blindness Blindness. we show that given any view V and any valid triple (mbs,R,m) there exist a unique pair of blinding factors B and R. Because Client chooses both blinding terms at random (in fact we have previously underlined the unforgeability of R), the blindness of the signature scheme follows. If the signature (mbs,R) has been generated during an execution of the protocol with view V consisting of y, x1, x2, (x1y + x2), then the following equations must hold One parameter solution x,s random R unforgeable Unique solution Security analysis of mbs

  19. Harn’s attack Harn’s attack is a Server attack based on: • Blind signature • Collection of signatures and handshake terms Let m be a generic message to be blindly signed, the attack is developed in two steps • Server collects for each client the received term Bem and Bmd • When Server receives the signature md he divides every Bmd term and tries if the B obtained gives a correct match for Bem. With a positive match he can trace user Security analysis of mbs

  20. Resistance of mbs against Harn’s attack and the signature received by Server during Let verification and suppose that we have two registered users Server operates the strategy previously described and he succeds to identificate Client 1 1) If Server operates the strategy previously described but he first tries to identificate Client 2 as Client 1 2) If We write Server uncorrectly identify Client 2 as Client 1 Security analysis of mbs

  21. Open problems: distribution of R If we want the signature to be valid we must have R<n But x y and s are random It is necessary to choose suitable distributions and ranges such that R looks like a uniformly distributed random variable Problem: BAD distribution Naive approach Tryx and y uniform in S uniform in Ongoing work on mbs

  22. Attack on distribution of R The distribution of R has a very different concentration for high or low values of y. So if Server gives a Client a low y he knows that with very high probability R will assume a certain range of values and viceversa. Server can classify and consequently trace classes of users y=1 Ongoing work on MBS

  23. Guidelines for distribution choices • Y protects server from client’s attack on R so its distribution range should not be small • Client is already protected by s so x can be small • S can smooth the distribution of R (convolution) so it should have a large range Ongoing work on MBS

  24. Some insights about distributions If x and y are uniform in the same range Logarithm like distribution If x and y uniform in Almost uniform And s uniform in Ongoing work on MBS

  25. Sample MBS application:pseudonym’s blind authorization PKI-like Pseudonym assignement Infrastructure Blind signature P Alice Server auth Applications

  26. Pseudonym Hijacking Pseudonym assignement Infrastructure Evil Server P P auth Alice Evil is authorised as Alice, because he has stolen her pseudonym MBS as a tool to show possession of the pseudonym private key Applications

  27. MBS for pseudonym authorization Inclusion of pseudonym private key to permit verification at registration time Applications

  28. Conclusions • Proven security of Marked Blind Signature • Design of a simple scheme that can be easily integrated in an AAA with pseudoyms • New insights about distributions of random numbers introduced in signatures and related server attacks Conclusions

More Related