Modern Cryptography, Lecture 13. Yongdae Kim
Admin Stuff
• E-mail
  • Subject should have [5471] in front, e.g. “[5471] Project proposal”
  • CC TA: lin@cs.umn.edu
• Office hours
  • Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment)
  • TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00
• Work on projects
  • Project presentation: May 2nd, 4th (Send me your preference)
  • Final exam: May 12th, 8:00 AM
  • Check Calendar
Recap
• Math…
  • Proof techniques
  • Divisibility: a divides b (a | b) if there exists c such that b = ac
  • GCD, LCM, relatively prime, existence of GCD
  • Euclidean Algorithm
    • d = gcd(a, b) ⇒ there exist x, y such that d = ax + by.
    • gcd(a, b) = gcd(a, b + ka)
  • Modular Arithmetic
    • a ≡ b (mod m) iff m | a − b iff a = b + mk for some k
    • a ≡ b (mod m), c ≡ d (mod m) ⇒ a + c ≡ b + d (mod m), ac ≡ bd (mod m)
    • gcd(a, n) = 1 ⇒ a has an arithmetic inverse modulo n.
  • Counting, probability, cardinality, …
• Security Overview
  • f is a one-way function if f(x) is easy to compute for all x ∈ X, but it is computationally infeasible to find any x ∈ X such that f(x) = y.
  • f is a trapdoor one-way function if, given the trapdoor information, it becomes feasible to find an x ∈ X such that f(x) = y.
Recap
• Cryptographic Primitives
  • SKE, PKE, Digital Signatures, Hash functions and MACs, Key Management through SKE, PKE
• Block Ciphers
  • Modes of operation, meet-in-the-middle attack, Product cipher, Feistel cipher, DES
• Hash function
  • One-wayness, weak/strong collision resistance, Birthday paradox
  • Merkle-Damgård Construction
    • If the compression function is collision resistant, then the strengthened Merkle-Damgård hash function is also collision resistant
  • Multi-collision attack, extension property
• MAC
  • CBC-MAC, Secret prefix, Secret suffix, HMAC
• Authenticated Encryption
Recap (cont.)
• Advanced number theory
  • CRT, Euler’s theorem: If a ∈ Z_n*, then a^φ(n) ≡ 1 (mod n)
  • Cor: if r ≡ s (mod φ(n)) and gcd(a, n) = 1, then a^r ≡ a^s (mod n)
• Generator
  • If ord_n(a) = φ(n) then a is a generator of Z_n*.
  • a is a generator iff a^(φ(n)/p) ≠ 1 (mod n) for all p | φ(n).
  • Let a ∈ Z_m* and ord(a) = h. Then ord(a^k) = h / gcd(h, k).
• RSA Encryption
  • n = pq, φ(n) = (p − 1)(q − 1), gcd(φ(n), e) = 1, ed ≡ 1 (mod φ(n))
  • A’s public key is (n, e); A’s private key is d
  • Encryption: compute c = m^e mod n; Decryption: m = c^d mod n
• RSA Security
  • Computing d from (n, e) and factoring n are computationally equivalent
  • n cannot be shared
  • Small encryption exponent e = 3
  • Homomorphic property
Recap (cont.)
• Abstract Algebra
  • Group, cyclic groups, generator, group order, subgroup
• Discrete logarithm problem
• Diffie-Hellman
  • DLP vs. DHP, more efficient implementation (p, q, g)
  • Long-term vs. short-term Diffie-Hellman
• ElGamal encryption
  • ElGamal vs. RSA encryption
• RSA signature vs. DSA signature
• Identification: PINs and keys, graphical password, one-time password
Recap
• Challenge-response protocol
  • SKE, MAC, PKE, Signature-based
  • Nonce vs. time-stamp
• Key establishment
  • Session key, PFS, known-key attack, implicit key authentication, key confirmation
  • Kerberos
  • Hybrid key transport
  • Authenticated Diffie-Hellman: MTI, STS
• Analysis of Key Establishment Protocols: reflection and interleaving attacks
• Threshold Cryptography
Definition
• Bilinear Map
  • Let G1 and G2 be two abelian groups of prime order q.
  • Additive notation for G1: aP denotes P added to itself a times
  • Multiplicative notation for G2
  • A map e : G1 × G1 → G2 is called an admissible bilinear map if
    • Bilinearity: for any P, Q ∈ G1 and a, b ∈ Zq, e(aP, bQ) = e(P, Q)^ab
    • Non-degeneracy: e(P, Q) ≠ 1 for at least one pair P, Q ∈ G1.
    • Efficiency: e is efficiently computable
• Hash functions
  • h : {0, 1}* → {0, 1}^n: a collision-free hash function
  • H : {0, 1}* → G1: a collision-free full domain hash function (called map-to-point)
  • H* : G2 → Zq: a collision-free full domain hash function
Crypto Assumptions
• Playing with bilinear maps
  • e(aP, bQ) = e(P, abQ) = e(P, Q)^ab
  • e(aP, Q) · e(cP, Q) = e((a + c)P, Q)
• Cryptographic problems
  • DLP is hard on G1 and G2
    • finding a from (P, aP) is hard
    • finding a from e(P, P)^a is hard
  • DDH is easy
    • c = ab if and only if e(aP, bP) = e(cP, P).
  • BDHP is hard
    • finding e(P, P)^abc from aP, bP, cP is hard.
3-Way DH Key Agreement
• Let P be a public generator of G1
• Three public keys: aP (Alice), bP (Bob), cP (Carol)
• Group key G_ABC = e(P, P)^abc
  • Alice computes e(bP, cP)^a = e(P, P)^abc
  • Bob computes e(aP, cP)^b = e(P, P)^abc
  • Carol computes e(aP, bP)^c = e(P, P)^abc
• Properties
  • No communication
  • Others cannot compute the group key: BDH problem
Identity-Based Encryption
• ID = name + date of birth
• Trusted Third Party: secret s in Zq
• Public params: generator P of G1 and sP
• Secret Key Generation
  • IDAlice: Alice → TTP
  • sH(IDAlice): TTP → Alice
• Encryption: Bob encrypts for Alice
  • Pick random r in Zq
  • Compute g = e(H(IDAlice), sP)
  • Compute g^r = e(H(IDAlice), sP)^r = e(H(IDAlice), rsP) = e(rH(IDAlice), sP)
  • Ciphertext: < rP, c = m XOR H2(g^r) >
IBE (Cont’d)
• Decryption by Alice
  • Compute g^r = e(H(IDAlice), rsP) = e(sH(IDAlice), rP)
  • Compute H2(g^r)
  • m = c XOR H2(g^r)
• Why can others not decrypt?
  • Others know only H(IDAlice) and rP
    • It is hard to determine r from rP (DLP)
    • thus they cannot compute g^r as e(H(IDAlice), sP)^r
  • They don’t know s
    • cannot compute e(H(IDAlice), srP)
  • They don’t know sH(IDAlice)
    • cannot compute e(sH(IDAlice), rP)
Discussion (PKI vs. Kerberos vs. IBE)
• On-line vs. off-line TTP
  • Implication?
• Non-repudiation?
• Revocation?
• Scalability?
• Trust issue?
Hash Chain
• h: cryptographically strong hash function
• H0 = x
• Hn = h(Hn−1) = h(h(h(… h(x))))
• Random mapping statistics
One-time password
• Setup
  • User generates H0, H1, …, Hn.
  • User → Server: Hn
  • Server stores Hn as the user’s public password.
• Authentication
  • At time 0: User → Server: Hn−1
    • Server verifies h(Hn−1) = Hn
    • Server stores Hn−1 as the user’s public password.
  • At time 1: User → Server: Hn−2
  • …
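The hash-chain one-time password scheme above, written out as an added example (not code from the slides): the server keeps only the current public password Hi, accepts a login iff h(candidate) equals it, and then rolls back one step; an eavesdropped password is useless afterwards. SHA-256 stands in for h.

```python
import hashlib
import hmac
import secrets

def h(x: bytes) -> bytes:
    """The one-way hash h of the slides (SHA-256 here)."""
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes, n: int) -> list:
    """Return [H0, H1, ..., Hn] with H0 = seed and Hi = h(H(i-1))."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

class OTPServer:
    """Stores only the current public password Hi; never learns H0."""
    def __init__(self, h_n: bytes):
        self.current = h_n

    def authenticate(self, candidate: bytes) -> bool:
        # Accept iff hashing the offered value gives the stored password,
        # then roll the stored password back one step along the chain.
        if not hmac.compare_digest(h(candidate), self.current):
            return False
        self.current = candidate
        return True

def run_session(n: int = 5):
    """User reveals Hn-1, Hn-2, ..., H0 in turn, then replays Hn-1."""
    chain = make_chain(secrets.token_bytes(32), n)   # H0 is the user's secret
    server = OTPServer(chain[n])                     # enrolment: server gets Hn
    logins = [server.authenticate(chain[i]) for i in range(n - 1, -1, -1)]
    replay = server.authenticate(chain[n - 1])       # an eavesdropped old password
    return logins, replay
```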
Stream Authentication
• Streaming
  • Single-sender, single-receiver?
    • MAC!
  • Single-sender, multiple-receiver?
    • MAC?
    • Digital Signature?
Need for a separate scheme
• Need for widespread & trusted streamed media dissemination
  • Attacker may alter stock quotes distributed through IP multicast
• Solution is trivial for the 1 sender, 1 receiver case
• Multiple receivers: need to use PKC
  • Digital Signatures: too inefficient
  • Needs to scale to millions of users
  • Streamed media distribution can have high packet loss
TESLA
• F^v(x) = F^(v−1)(F(x)), F^0(x) = x
• K0 = F^n(Kn), Ki = F^(n−i)(Kn)
• Cannot invert F & compute any Kj given Ki, j > i
• Receiver can compute all Kj from Ki, j < i
  • Kj = F^(i−j)(Ki); K’i = F’(Ki)
[Figure: key chain Ki+1 → Ki → Ki−1 under F. Packet Pi carries Mi, Di, the disclosed key Ki−1 and MAC(K’i, Di); Pi−1 is authenticated, Pi becomes authenticated after receiving Pi+1, Pi+1 is not yet authenticated]
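An added example of the TESLA key chain and delayed authentication sketched above (my code, not from the slides or the TESLA authors): Pi discloses Ki−1 and is MACed under K’i = F’(Ki); the receiver buffers Pi, checks that a disclosed key sits on the chain by iterating F back to its last verified key, and only then verifies the MAC of the buffered packet. Because Kp = F^(j−p)(Kj), a packet whose own disclosure was lost can still be authenticated by a later one. F, F’ and the MAC are SHA-256/HMAC stand-ins chosen here.

```python
import hashlib
import hmac

def F(k: bytes) -> bytes:          # one-way chain function
    return hashlib.sha256(b"chain" + k).digest()
def F_prime(k: bytes) -> bytes:    # MAC key K'_i derived from K_i
    return hashlib.sha256(b"mac" + k).digest()
def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def key_chain(k_n: bytes, n: int) -> list:
    """[K0, ..., Kn] with K_i = F^(n-i)(K_n); K0 is the public commitment."""
    keys = [k_n]
    for _ in range(n):
        keys.append(F(keys[-1]))
    return keys[::-1]

class Sender:
    def __init__(self, k_n: bytes, n: int):
        self.keys = key_chain(k_n, n)
    def packet(self, i: int, msg: bytes):
        # P_i carries M_i, discloses K_{i-1}, and MACs M_i under K'_i (still secret)
        return (i, msg, self.keys[i - 1], mac(F_prime(self.keys[i]), msg))

class Receiver:
    def __init__(self, k0: bytes):
        self.auth_idx, self.auth_key = 0, k0   # latest key verified on the chain
        self.pending, self.accepted = {}, []
    def receive(self, pkt):
        i, msg, k_j, tag = pkt
        j = i - 1
        self.pending[i] = (msg, tag)           # K_i unknown yet: buffer, do not trust
        if j <= self.auth_idx:
            return
        cand = k_j                             # F^(j-auth_idx)(K_j) must equal auth_key
        for _ in range(j - self.auth_idx):
            cand = F(cand)
        if cand != self.auth_key:
            return                             # not on the chain: ignore
        self.auth_idx, self.auth_key = j, k_j
        for p in sorted(x for x in self.pending if x <= j):   # incl. lost disclosures
            k_p = k_j
            for _ in range(j - p):
                k_p = F(k_p)                   # K_p = F^(j-p)(K_j)
            m, t = self.pending.pop(p)
            if hmac.compare_digest(mac(F_prime(k_p), m), t):
                self.accepted.append((p, m))
```

With n = 6 and packets P1, P2, P4 delivered (P3 lost), P1 is accepted once P2 arrives and P2 once P4 arrives, since F(K3) = K2.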
Key Strengthening
• Preventing/mitigating on-line dictionary attack
  • Assuming that users will choose weak passwords
• Salting
  • Stored key = h(password || random salt)
  • Ideally, the random salt should be private, but a public salt is still useful. Why?
• Key strengthening
  • key = hash(password || salt)
  • for 1 to 65000 do
    • key = hash(key)
  • What does it provide?
Group Key Management
• Secure group communication
  • IP Multicast
  • Pay-per-view video streaming
  • Video On Demand (VOD)
  • Secure teleconferencing
  • Online games
• Group confidentiality service
  • How to share a common key over a group?
Assumption
• There is a Group Controller (GC)
• All nodes share a Traffic Encryption Key (TEK) to encrypt communication data.
• When membership changes, the TEK needs to be updated
• Each node shares a Key Encryption Key with the GC to encrypt TEK updates
Traffic Encryption Key
[Figure: a group of users sharing a Traffic Encryption Key; data is sent as E_TEK(msg)]

Simplest Approach
[Figure: GC sends each user u1 … u7 the pair E_ki(K), E_K(M): the group key K under ui’s individual key ki, and the message M under K]

Join?
[Figure: u8 joins; GC sends a new group key K’ to each of u1 … u8 as E_ki(K’)]

Leave
[Figure: a member leaves; GC sends a new group key K’ to each remaining user as E_ki(K’)]
One-way Function Tree (OFT)
• Proposed by D. A. McGrew and A. T. Sherman
• bk = g(k): blinded key
• k = f(g(k_left), g(k_right)): unblinded key
[Figure: an internal node’s unblinded key k is computed by f from the blinded keys g(k_left) and g(k_right) of its two children]
Blinded & Unblinded Keys
• Unblinded Key: the value that hasn’t been passed through g
• Blinded Key: the value that has already been passed through g
• If you know the unblinded key, you can compute the blinded key
• The converse is not true
OFT Algorithm
• ki = f(g(k2i), g(k2i+1))
[Figure: binary tree with internal node keys k1 … k7 and leaf keys k8 … k15 held by members u1 … u8]
OFT Algorithm (u4’s view)
• ki = f(g(k2i), g(k2i+1)) = f(bk2i, bk2i+1)
[Figure: u4 holds k11 and receives Ek11(bk10), Ek5(bk4) and Ek2(bk3), from which it computes k5, k2 and the group key k1]
OFT Algorithm (leave)
[Figure: the tree of u1 … u8 after a member leaves]
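An added example of the OFT computations from the three slides above (my code, not McGrew and Sherman’s): the GC builds all unblinded keys, u4 (at k11) reconstructs k1 from its own leaf key plus the blinded siblings bk10, bk4, bk3, and on a leave the departed member’s sibling takes a fresh leaf key so that only the keys on that path change (the leave rule is assumed here; the slide shows only the tree). g and f are SHA-256 stand-ins.

```python
import hashlib

def g(k: bytes) -> bytes:
    """One-way blinding function: bk = g(k)."""
    return hashlib.sha256(b"blind" + k).digest()

def f(bk_left: bytes, bk_right: bytes) -> bytes:
    """Mixing function: k = f(g(k_left), g(k_right))."""
    return hashlib.sha256(b"mix" + bk_left + bk_right).digest()

N = 8   # members u1..u8 hold leaf keys k8..k15 (member u_i at node 7+i)

def build_tree(leaf_keys: dict) -> dict:
    """Group controller's view: every unblinded key k1..k15."""
    k = dict(leaf_keys)
    for i in range(N - 1, 0, -1):
        k[i] = f(g(k[2 * i]), g(k[2 * i + 1]))
    return k

def sibling_blinded_keys(tree: dict, leaf: int) -> dict:
    """What the GC sends a member: the blinded key of each sibling on its root path."""
    out, i = {}, leaf
    while i > 1:
        out[i ^ 1] = g(tree[i ^ 1])
        i //= 2
    return out

def member_group_key(leaf: int, own_key: bytes, bks: dict) -> bytes:
    """Member's view: climb to the root from its own key and the blinded siblings."""
    k, i = own_key, leaf
    while i > 1:
        bk_self, bk_sib = g(k), bks[i ^ 1]
        k = f(bk_self, bk_sib) if i % 2 == 0 else f(bk_sib, bk_self)
        i //= 2
    return k

def demo():
    leaves = {7 + u: hashlib.sha256(f"leaf key u{u}".encode()).digest() for u in range(1, 9)}
    tree = build_tree(leaves)
    u4 = sibling_blinded_keys(tree, 11)             # u4 sits at k11; gets bk10, bk4, bk3
    agree = member_group_key(11, leaves[11], u4) == tree[1]
    # u5 (k12) leaves: its sibling u6 (k13) picks a fresh key, so k6, k3, k1 change too
    new_leaves = dict(leaves)
    new_leaves[13] = b"fresh key for u6 (constructed)"
    new_tree = build_tree(new_leaves)
    changed = sorted(i for i in tree if tree[i] != new_tree[i])
    u4[3] = g(new_tree[3])                          # the only update u4 needs
    still_agree = member_group_key(11, leaves[11], u4) == new_tree[1]
    return agree, still_agree, changed
```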
Proof of Possession
• Storage Service Provider
  • How can an SSP prove that it stores all blocks?
  • Or how can a client verify that the SSP stores all blocks?
  • Constraint: the client does not have a copy of the whole storage.
• Naïve solution
  • Storing hashes of each block?
Hash Tree
• Hi = h(H2i, H2i+1)
[Figure: tree H1 … H15 over blocks B1 … B8, where the leaves H8 … H15 are the hashes of B1 … B8]
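An added example (not the slides’ code) of using the hash tree above for proof of possession: the client keeps only the root H1 instead of one hash per block, challenges block j, and checks the returned block against the sibling hashes on its root path; a provider that no longer holds B5 cannot produce a valid answer. SHA-256 plays the role of h.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """Collision-resistant hash over the concatenation of its inputs."""
    return hashlib.sha256(b"".join(parts)).digest()

N = 8   # blocks B1..B8 hash to leaves H8..H15 (block B_j at node 7+j)

def build_hash_tree(blocks: list) -> dict:
    """H_i = h(H_2i, H_2i+1) for internal nodes; leaves are the block hashes."""
    H = {7 + j: h(b) for j, b in enumerate(blocks, start=1)}
    for i in range(N - 1, 0, -1):
        H[i] = h(H[2 * i], H[2 * i + 1])
    return H

class StorageProvider:
    """Keeps the blocks; answers a challenge for block j with B_j and its path."""
    def __init__(self, blocks: list):
        self.blocks = list(blocks)

    def respond(self, j: int):
        H = build_hash_tree(self.blocks)
        path, i = [], 7 + j
        while i > 1:                  # sibling hashes from the leaf up to the root
            path.append(H[i ^ 1])
            i //= 2
        return self.blocks[j - 1], path

def verify(root: bytes, j: int, block: bytes, path: list) -> bool:
    """Client side: it stores only H1 and recomputes the path for block j."""
    node, i = h(block), 7 + j
    for sib in path:
        node = h(node, sib) if i % 2 == 0 else h(sib, node)
        i //= 2
    return node == root

def demo():
    blocks = [f"block {j} contents (constructed)".encode() for j in range(1, 9)]
    root = build_hash_tree(blocks)[1]          # the one value the client keeps
    honest = StorageProvider(blocks)
    all_ok = all(verify(root, j, *honest.respond(j)) for j in range(1, 9))
    cheater = StorageProvider(blocks)
    cheater.blocks[4] = b"B5 was lost and replaced"   # B5 is no longer stored
    caught = not verify(root, 5, *cheater.respond(5))
    return all_ok, caught
```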
Temporal Key Management
• For each time interval, one can use a different key to encrypt a file.
• Temporal read access control can be provided by distributing the keys for the associated time intervals
• Constraint: one does not want to store all previous keys.
• Naïve solution: Hash chain
  • Key generation: Kt = h(Kt+1)
  • Use Kt at time t.
  • Problem?
Hash Tree-based Solution
• K_left child = h1(K_parent)
• K_right child = h2(K_parent)
[Figure: K1-8 at the root; children K1-4 and K5-8; then K1-2, K3-4, K5-6, K7-8; leaves K1 … K8]
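An added example (my code, not the slides’) of the tree-based scheme above: interval keys are derived downward with h1/h2, so granting access to t = 3..6 means handing over just K3-4 and K5-6, from which K3 … K6 follow but K1, K2, K7, K8 do not; the hash chain of the previous slide cannot express such a bounded window, since any Kt yields every earlier key. h1 and h2 are domain-separated SHA-256 here.

```python
import hashlib

def h1(k: bytes) -> bytes:
    """Left-child derivation: K_left = h1(K_parent)."""
    return hashlib.sha256(b"left" + k).digest()

def h2(k: bytes) -> bytes:
    """Right-child derivation: K_right = h2(K_parent)."""
    return hashlib.sha256(b"right" + k).digest()

def derive_leaves(key: bytes, lo: int, hi: int) -> dict:
    """Expand the key of interval [lo, hi] down to the per-slot keys K_lo..K_hi."""
    if lo == hi:
        return {lo: key}
    mid = (lo + hi) // 2
    return {**derive_leaves(h1(key), lo, mid), **derive_leaves(h2(key), mid + 1, hi)}

def cover(key: bytes, lo: int, hi: int, a: int, b: int) -> dict:
    """Smallest set of subtree keys whose leaves are exactly the slots a..b."""
    if a <= lo and hi <= b:
        return {(lo, hi): key}
    if hi < a or b < lo:
        return {}
    mid = (lo + hi) // 2
    return {**cover(h1(key), lo, mid, a, b), **cover(h2(key), mid + 1, hi, a, b)}

def keys_from_grant(grant: dict) -> dict:
    """What the recipient can derive from the subtree keys it was given."""
    out = {}
    for (lo, hi), k in grant.items():
        out.update(derive_leaves(k, lo, hi))
    return out

def demo():
    k_1_8 = hashlib.sha256(b"K_1-8 root key (constructed)").digest()
    all_keys = derive_leaves(k_1_8, 1, 8)        # owner's view: K1..K8
    grant = cover(k_1_8, 1, 8, 3, 6)             # reader allowed t = 3..6
    got = keys_from_grant(grant)
    correct = all(got[t] == all_keys[t] for t in got)
    return sorted(grant), sorted(got), correct
```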