A secure broadcasting cryptosystem and its application to grid computing
Eun-Jun Yoon a, Kee-Young Yoo b,∗
a School of Computer Science and Engineering, Kyungpook National University, 1370 Sankyuk-Dong, Buk-Gu, Daegu 702-701, South Korea
b Department of Computer Engineering, Kyungpook National University, 1370 Sankyuk-Dong, Buk-Gu, Daegu 702-701, South Korea
Outline
• Introduction
• General architecture of broadcasting cryptosystem
• Notations
• The Redefined Liaw’s broadcasting cryptosystem
• Cryptanalysis
• The proposed authenticated broadcasting cryptosystem
• Application to grid computing environments
• Security analysis
• Conclusions
Introduction
• This paper proposes a new secure broadcasting cryptosystem that can withstand various security attacks and is applicable to grid computing environments.
• This paper extends our previous works and then proposes a new secure authenticated broadcasting cryptosystem.
• The proposed broadcasting cryptosystem not only has the advantages of a broadcasting cryptosystem, but is also more secure and practical compared with previous related broadcasting cryptosystems.
General architecture of broadcasting cryptosystem
The main purpose of a broadcasting cryptosystem is to establish a secure communication channel from a sender to a group of legal receivers.
The Redefined Liaw’s broadcasting cryptosystem
Protocol flow between the CAS, the sender S and the receivers g = {U_i}, i = 2, ..., a:
• CAS: B = t_1 t_2 … t_a; f(B) = B^e mod N; sends f(B) to S and to each U_i in g.
• S: sk = K_1 (f(B) P_1)^d = K_0 B r c mod N; chooses a message M; encrypts C = E_sk(M) and broadcasts C.
• Each U_i in g: sk = K_i (f(B) P_i)^d = K_0 B r c mod N; decrypts M = D_sk(C).
• Shared session key between S and g: sk = K_0 B r c mod N.
Compute sk
• S computes sk:
  sk = K_1 (f(B) P_1)^d mod N
     = K_1 (B t_1^{-1} r c)^{ed mod λ(N)} mod N
     = K_1 B t_1^{-1} r c mod N
     = K_0 B r c mod N
• g computes sk from K_i, P_i and f(B):
  sk = K_i (f(B) P_i)^d mod N
     = K_i (B t_i^{-1} r c)^{ed mod λ(N)} mod N
     = K_i B t_i^{-1} r c mod N
     = K_0 B r c mod N
Cryptanalysis (1/4)
• Zhu–Wu’s cryptanalysis: any U_j can simply derive the sk with K_j, P_j, d and f(B):
  sk = K_j (f(B) P_j)^d mod N
     = K_j (B t_j^{-1} r c)^{ed mod λ(N)} mod N
     = K_j B t_j^{-1} r c mod N
     = K_0 B r c mod N
  Therefore, any U_j can easily decrypt the ciphertext C = E_sk(M).
Cryptanalysis (2/4)
2. Integrity violation of the session key from illegal modification
• CAS: B = t_1 t_2 … t_a; f(B) = B^e mod N; sends f(B) to S and to each U_i in g.
• Both copies of f(B) in transit (to S and to g) are tampered into t_x.
• S: sk* = K_0 t_x r c; chooses a message M; encrypts C = E_sk*(M).
• Each U_i in g: sk* = K_0 t_x r c; decrypts M = D_sk*(C).
• Intended shared session key between S and g: sk = K_0 B r c mod N.
Cryptanalysis (3/4)
3. Session key modification attack
By attack 2, if t_x = 0, then
  sk* = K_j (t_x P_i)^d mod N
      = K_j (0 · P_i)^d mod N
      = K_j · 0 mod N
      = 1 mod N
The sk* = 1 is a wrong session key.
Cryptanalysis (4/4)
4. Message modification attack
• CAS: B = t_1 t_2 … t_a; f(B) = B^e mod N; sends f(B) to S and to each U_i in g.
• S: sk = K_1 (f(B) P_1)^d = K_0 B r c mod N; each U_i in g: sk = K_i (f(B) P_i)^d = K_0 B r c mod N.
• S chooses a message M and encrypts C = E_sk(M); the ciphertext is tampered into C* in transit.
• Each U_i in g decrypts D_sk(C*) = M* instead of D_sk(C) = M.
• Shared session key between S and g: sk = K_0 B r c mod N.
The proposed authenticated broadcasting cryptosystem
Protocol flow between the CAS, the sender S and the receivers g = {U_i}, i = 2, ..., a:
• CAS: generates a random z; Z_l = E_{k_l}(z) for l = 1, ..., a; B = t_1 t_2 … t_a; f(B) = B^e mod N; Y = h(z, f(B)); sends (f(B), Z_1, Y) to S and (f(B), Z_i, Y) to each U_i in g.
• S: decrypts z = D_{k_1}(Z_1); verifies Y = h(z, f(B))?; sk = K_1 z (f(B) P_1)^d = K_0 z B r c mod N; chooses a message M; encrypts C = E_sk(M); V = h(sk, M); broadcasts (C, V).
• Each U_i in g: decrypts z = D_{k_i}(Z_i); verifies Y = h(z, f(B))?; sk = K_i z (f(B) P_i)^d = K_0 z B r c mod N; decrypts M = D_sk(C); verifies V = h(sk, M)?
• Shared session key between S and g: sk = K_0 z B r c mod N.
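The session-key derivation of the redefined scheme (Compute sk) and the proposed authenticated version with its Y and V checks, as an added Python walk-through that is not from the paper. The toy RSA parameters, the secrets t_i, r, c, K_0, SHA-256 as h(·) and an XOR keystream standing in for E/D are all constructed assumptions; the two tampering cases mirror the cryptanalysis above.

```python
import hashlib
from math import lcm

# Constructed toy parameters, not the paper's: CAS keeps e secret and
# publishes N and d; t_i, r, c and K_0 are CAS secrets as in the scheme.
p, q = 61, 53
N, e = p * q, 17
d = pow(e, -1, lcm(p - 1, q - 1))            # e*d = 1 mod lambda(N)
t = {1: 7, 2: 11, 3: 13}                     # sender S is U_1; g = {U_2, U_3}
r, c, K0 = 5, 19, 23
# Member keys chosen so K_i*t_i^-1 = K_0 and (f(B)*P_i)^d = B*t_i^-1*r*c mod N.
K = {i: K0 * ti % N for i, ti in t.items()}
P = {i: pow(pow(ti, -1, N) * r * c, e, N) for i, ti in t.items()}
k = {i: f"k{i}".encode() for i in t}         # symmetric key k_i shared with CAS

def h(*parts) -> bytes:                      # h(.) instantiated with SHA-256 (assumption)
    enc = [x if isinstance(x, bytes) else str(x).encode() for x in parts]
    return hashlib.sha256(b"|".join(enc)).digest()

def E(key: bytes, msg: bytes) -> bytes:      # stand-in cipher: SHA-256 keystream XOR, D == E
    ks = hashlib.sha256(key).digest()
    return bytes(m ^ ks[i % 32] for i, m in enumerate(msg))

def cas_broadcast(z: int):
    """CAS: B = prod t_i, f(B) = B^e mod N, Z_l = E_{k_l}(z), Y = h(z, f(B))."""
    B = 1
    for ti in t.values(): B = B * ti % N
    fB = pow(B, e, N)
    return B, fB, {l: E(k[l], str(z).encode()) for l in t}, h(z, fB)

def member_sk(i: int, fB: int, Zi: bytes, Y: bytes):
    """U_i recovers z, checks Y, then sk = K_i z (f(B) P_i)^d mod N; None on failure."""
    z = int(E(k[i], Zi))
    if h(z, fB) != Y:
        return None                          # f(B) or Z_i was modified in transit
    return K[i] * z * pow(fB * P[i], d, N) % N

def run(z=42, msg=b"grid task", tamper_fB=False, tamper_C=False):
    B, fB, Z, Y = cas_broadcast(z)
    sk_S = member_sk(1, fB, Z[1], Y)         # sender S = U_1
    C, V = E(str(sk_S).encode(), msg), h(sk_S, msg)
    if tamper_C: C = bytes([C[0] ^ 1]) + C[1:]   # message modification attack
    fB_recv = fB * 2 % N if tamper_fB else fB    # session key modification attack
    sk_U = member_sk(2, fB_recv, Z[2], Y)
    if sk_U is None: return "rejected: Y mismatch"
    M = E(str(sk_U).encode(), C)
    if h(sk_U, M) != V: return "rejected: V mismatch"
    ok = sk_S == sk_U == K0 * z * B * r * c % N and M == msg
    return "accepted" if ok else "key mismatch"
```

`run()` returns "accepted" with both parties holding sk = K_0 z B r c mod N, while `run(tamper_fB=True)` and `run(tamper_C=True)` are caught by the Y and V checks respectively.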
Application to grid computing environments To securely coordinate the grid nodes’ resources in the grid domain, the control server has to broadcast all task messages securely.
Security analysis
• It is infeasible for any illegitimate receiver to derive the sk by knowing only the public keys of the sender S, because the security of our broadcasting cryptosystem is the same as that of the RSA public key cryptosystem.
• Since an attacker does not have the private keys K_i, an illegitimate receiver cannot evaluate the sk.
Security analysis
• There is no information available to compute the private keys K_i.
• A conspiracy attack cannot be applied to the proposed broadcasting cryptosystem, since the users do not know the parameter t_i.
• It is computationally infeasible to get the private key e of the CAS from f(B) and P_i, because of the RSA factoring problem.
Security analysis
• Each receiver must decrypt Z_i = E_{K_i}(z_i) using its private key K_i to get the random number z_i and compute sk = K_0 z B r c mod N. Without knowing the random number z, the attacker cannot compute sk.
• It is secure against the integrity violation of the session key from illegal modification and against the session key modification attack, because each receiver verifies the integrity of the decrypted z and the received f(B) by checking whether Y ?= h(z, f(B)).
Security analysis
• It is secure against the message modification attack: the legitimate receivers g always verify the integrity of the decrypted message M by checking whether V ?= h(sk, M).
Conclusions
• This paper pointed out that the redefined Liaw’s broadcasting cryptosystem is still insecure against the integrity violation of the session key from illegal modification, the session key modification attack and the message modification attack.
• In addition, this paper proposed a new authenticated broadcasting cryptosystem in order to overcome the weaknesses of the redefined Liaw’s broadcasting cryptosystem.
• Moreover, this paper also presented an application example of the proposed cryptosystem to grid computing environments.