590 likes | 741 Views
Introduction to Practical Cryptography. Redaction Proxy Cryptography. Agenda. Redaction Proxy Cryptography. Redaction. Process of removing sensitive or confidential information from a document without distorting the meaning of the document.
E N D
Introduction to Practical Cryptography RedactionProxy Cryptography
Agenda • Redaction • Proxy Cryptography
Redaction • Process of removing sensitive or confidential information from a document without distorting the meaning of the document. • Portion of a document may be redactable, others may be non-redactable. • Should provide indication when something has been redacted; otherwise, meaning of the document can be altered by removing portions of the content.
Redaction • Removal of information from documents, media … The project involved people with a budget of • Image with brand name that must be removed
Redaction Example • Original content: • John Doe testified that Al Smith did not commit the crime. • After redaction: • [REDACTED] testified that Al Smith did not commit the crime. • testified that Al Smith did not commit the crime. • If redaction is not indicated, the meaning can be changed: • John Doe testified that Al Smith did commit the crime.
Redaction - Examples • Government documents • classified information is removed prior to public release • Financial documents • mortgage application: different people need subsets of the information - appraiser doesn’t need to see income • Legal documents • some information remains under attorney-client privilege • Medical Records • Different employees access different information • Corporations • different employees have access to subsets of information • Public records • towns in US that place mortgage, property tax information online – remove personal information
Mistakes • Changing the background color to match the font color - underlying text is still there, can be retrieved by changing the color • Changes saved automatically by program as part of revision history • Drawing a black box over the text – box can be removed
Information Leakage • Length of redacted area • The budget for project is . • The budget for project is . • The first name of the witness is . • Inferred content • Name • Address • Date • Value • Human error • Forget to redact/overlook one or more pieces
Formatting • Altering length of redacted area to reduce information leakage changes format • Alters length of document • Re-align paragraphs, page breaks • If alter number of pixels in an image, can garble display of rest of image
Authenticating Document • How to sign a document? • Hash then encrypt doesn’t work – sign the original then redact invalidates signature • If document signed after redaction, what indicates information was not altered in the process?
Authenticating a Document • How to sign a document? • “The witness is John Smith” • Hash: 07ed235678a3b4de0075 • Encrypt with RSA: 453872907 • Redact • The witness is • Send redacted documented and signature
Authenticating a Document • Recipient receives • The witness is • Signature 453872907 • Recipient tries to verify signature • Decrypt signature: 07ed235678a3b4de0075 • Hash received text: 3245cea1eded01821111 • Doesn’t match decrypted signature
Authenticating a Document • How to verify information that was not suppose to be redacted was left intact? • The problem is not only how to authenticate what remains in the clear, but that information that was suppose to remain in the clear was not redacted
Authenticating a Document • Need to authenticate non-redacted information is unchanged from the original • How? • Need to authenticate that information was not improperly removed • How?
Authenticating a Document • Hash tree – also called Merkle tree D0 D1 D2 D3 H1 H2 H3 H0 H01 H23 H
Algorithm • Uses 4 binary trees • Roots of two trees are used for the signature • Retain nodes which allow the roots to be recomputed. • Nodes retained depends on which subdocuments are redacted and which ones are non-redactable. • Easiest way to explain is via diagrams …
R and X Trees r11 seed r’s formed by random bit generation using parent node as seed r22 r21 r31 r33 r32 r34 r43 r47 r41 r45 r42 r46 r44 r48 m3 m7 m1 m5 m2 m6 m4 m8 hash (mi || r4i) x41 x42 x43 x44 x45 x47 x46 x48 x31 x32 x33 x34 x’s formed by hashing children x11 x21 x11 root
S and Y Trees s11 seed s’s formed by random bit generation using parent node as seed s22 s21 s31 s33 s32 s34 s43 s47 s41 s45 s42 s46 s44 s48 y4i = hash (s4i) y41 y42 y43 y44 y45 y47 y46 y48 y31 y32 y33 y34 y’s formed by hashing children y22 y21 y11 root
How Trees are Used • Sign(x root || y root) • Original document: include r seed and s seed. • Recipient can recompute all xi,yi to verify signature. • Redact mi: delete path of r nodes to xi, include xi and siblings of deleted r nodes. • Non-redactable mi: delete path of s nodes to yi , include yi and siblings of deleted s nodes. • If both children of an x node are included, save parent node instead; likewise for y nodes.
Redacted Subdocument r11 seed r22 r21 r31 r33 r32 r34 r43 r47 r41 r45 r42 r46 r44 r48 m2 is redacted r42 must be “removed” m3 m7 m1 m5 m1 m6 m4 m8 x41 x42 x43 x44 x45 x47 x46 x48 x31 x32 x33 x34 x22 x21 x11 root
Adjacent Redacted Subdocuments r11 seed r22 r21 r31 r33 r32 r34 r43 r47 r41 r45 r42 r46 r44 r48 m1 and m2 are redacted m3 m7 m0 m5 m1 m6 m4 m8 x41 x42 x43 x44 x45 x47 x46 x48 x31 x32 x33 x34 x22 x21 x11 root
Non-Redactable Subdocument s11 seed m5 is non-redactable s45 must be “removed” s22 s21 s31 s33 s32 s11 s43 s47 s41 s45 s42 s46 s44 s48 y41 y42 y43 y44 y45 y47 y46 y48 y31 y32 y33 y34 y22 y21 y11 root
Adjacent Non-Redactable Subdocuments s11 m5 and m6 are non-redactable seed s22 s21 s31 s33 s32 s34 s43 s47 s41 s45 s42 s46 s44 s48 y41 y42 y43 y44 y45 y46 y46 y47 y31 y32 y33 y34 y22 y21 y11 root
Architecture • Allow different document processing applications (document editors and viewers) to utilize the redaction software through a common API. • Permit the application to decide what information must be signed and verified • e.g. content only, content and some formatting, content and all formatting • Permit the application to decide what constitutes a subdocument
Issues • Format converter • Difficulty varies per editor/viewer - pdf vs ASCII • Opening file of same format in different editors can unintentionally modify the content • User interface • What should be a subdocument? • Should white space matter? • How to indicate to the user a subdocument has been redacted and a subdocument is non-redactable? • If redaction is indicated, length provides hint to the user about the deleted content. However, changing the length can alter the appearance and any white space in the content.
Original Text "Did you ever see an unhappy horse? Did you ever see a bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other birds and horses." Dale Carnegie
Subdocuments <"Did><you><ever><see><an><unhappy><horse?><Did><you><ever><see><a> <bird><that><has><the><blues?><One><reason><why><birds><and><horses> <are><not><unhappy><is><because><they><are><not><trying><to><impress><other><birds><and><horses.“><Dale> <Carnegie>
Redact Author’s Name "Did you ever see an unhappy horse? Did you ever see a bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other birds and horses." [R] [R]
Make Two Words Non-Redactable "Did you ever see an unhappy [N]horse? Did you ever see a [N]bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other birds and horses." [R] [R]
Alter Content "Did you ever see an unhappy [N]horse? Did you ever see a [N]bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other people and horses." [R] [R]
Examples http://www.nsa.gov/public/crypt_spectrum.cfm
Proxy Cryptography • Convert ciphertext from encryption with one key to encryption with another key: • Encrypt with one key, let recipient decrypt with some other key • Similar notion for signatures: sign with one key, let recipient verify with another key.
Proxy Cryptography • Allows an intermediate entity (proxy) to convert ciphertext between two keys without exposing the plaintext • Proxy converts C1 to C2 • A,B publish kab • ka, kb private keys A C1 Proxy C2 B C1 = Eka(P) C2 = Hkab(C1) P = Dkb(C2)
Proxy Cryptography • VPNs • File servers • Transform A’s signature into B’s signature
Proxy Cryptography • Applied to public key ciphers • El Gamal, RSA [Okamoto, Mambo, ‘97; Blaze, et.al. ‘98]
Blaze, et. al • similar in structure to ElGamal encryption • but with the parameters used differently and the inverse of the secret used to recover the message • the speed of the scheme is comparable to standard ElGamal encryption, although initial key generation requires the additional calculation and storage of a parameter a-1
Cryptosystem X (encryption) • Parameters • p is a prime of the form 2q + 1 for a prime q • g is a generator in Z*p • p and g are public • A’s private key • A's private key: a, 0 < a < p -1, randomly picked from Z*2q (a is relatively prime to p-1) • A calculates inverse: a-1 mod 2q. • A’s public key: (ga mod p, g, p)
Cryptosystem X (encryption) • Encryption • Select a unique random k from Z*2q , k is secret • To encrypt message m with A's key, compute and send ciphertext values (c1, c2): • c1 = mgk mod p • c2 = (ga)k mod p • Decryption: • A (knows a-1) calculates gk and recovers m: • c2(a)-1= gk (mod p), solve for gk • Compute (gk) -1 mod p • m = c1 ((c2(a)-1)-1 ) mod p
Example • Parameters • p = 23 = 2x11 + 1 • g = 5 (generates {5,2,10,4,20,8,17,16,11,9,22,18,21, 13,19,3,15,6,7,12,14,1}) • a = 3 • a-1 = 15 (15*3 = 45 = 1 mod 22) • ga mod p = 53 mod 23 = 10 • Encrypt m = 2 using k = 7 • gk mod 23 = 17 • c1 = mgk = 2*57 mod 23 = 11 • c2 = (ga)k = 107 mod 23 = 14 • Decrypt • c2 ^ ((a^-1)) = 1415 mod 23 (142 mod 23 = 12, 127 * 14 mod 23, 122 = 6 mod 23) • = 63*12*14 mod 23 = 17 • c1 = m*g^k mod 23: • 11 = m*17 mod 23 • 11*17-1 mod 23 = m (17-1 mod 23 = 19) • 11*19 mod 23 = 2
Proxy Function for X • c1 ciphertext component produced by Cryptosystem X is independent of the recipient's public key. • Recipient A's key is embedded only in the c2 exponent • Proxy function to convert ciphertext for A into ciphertext for B • remove A's key a from c2 and replace it with B's key b. • similar to the first step of the decryption function, raising c2 to a-1 to remove a. • then contribute a factor of b to the exponent. • simply raising c2 to a-1 and then to b would accomplish this • but does not qualify as a secure proxy function; anyone who examines the proxy key learns the secret keys for both A and B. • This problem is avoided by combining the two steps into one. Hence, the proxy key AB: (a-1)b • the proxy function is simply c2AB
Symmetric proxy function for X • Note that this is a “symmetric” proxy function; • A and B must trust one another bilaterally. • B can learn A's secret (by multiplying the proxy key by b-1 ) • A can similarly discover B's key. • This proxy function is also translucent • the proxy key does not directly reveal A or B, but anyone can verify a guess by encrypting a message with A's public key, applying the proxy function, and comparing the result with the encryption of the same message (with the same k) with B's public key. • Applying the proxy function is more efficient than decryption and reencryption, in that only one exponentiation is required.
Proxy Signature • Signature will verify with key other than that of the original signer
why a symmetric key cipher that is closed under functional composition is useful for applications but undesirable from a security perspective Or more appropriately …
Motivation • Each Ai wants to exchange ciphertext with each Aj • Size of data requires use of a symmetric key cipher • Collectively, the Ai’s do not share a key A3 A3 A4 A2 A2 A4 A5 A1 A5 A1 A6 A8 A8 A6 A7 A7 Pair-wise establishment or sharing of keys Gateway converting ciphertext between keys
Motivation • Converting from encryption under one key,k1, to encryption under another key, k2: • For example, VPN gateways • Is there a way to perform the conversion that • Is faster than decrypting with k1 and encrypting with k2? • Avoids exposing the plaintext during the conversion? A C1 Gateway C2 B C2 = Ek2(Dk1(C1)) C1 = Ek1(P) P = Dk2(C2)
Notation • S: a symmetric key cipher • K: key space of S • |K|: size of K • k,ki: element of K • E: encryption function of S • D: decryption function of S • Ek: encryption using key k • Dk: decryption using key k • Gkg: conversion function using key kg • P: plaintext • C: ciphertext
Overview • Conversion function Gfor symmetric key cipher S • Gkg(Ek1(P)) = Ek2(P) plaintext P • Such that • kg dependent on k1 and k2 • P may or may not be exposed during the conversion • G is a secureconversion function if P is not exposed • G exists: (trivially) use Ek2(Dk1(C)) • Existence of G requiring less work than Ek2(Dk1(C)) has implications on security of S
Proxy Cryptography and Symmetric Key Ciphers • Can a proxy exist for symmetric key ciphers? • Trivial construction – “onion routing” [Ivan, Dodis, ‘03] • Subset of secure conversion functions • Workload • Total work across 3 entities is same as if proxy decrypted then encrypted • Reallocates work to A • But … • notice that A, B share key material and A has B’s entire key A C1 Proxy C2 B C1 = Ek2(Ek1(P)) C2 = Dk2(C1) P = Dk1(C2)