
An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol

Stanislaw Jarecki, Nitesh Saxena, Jeong Hyun Yi. School of Information and Computer Science, University of California, Irvine.



  1. An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol
  Stanislaw Jarecki, Nitesh Saxena, Jeong Hyun Yi
  School of Information and Computer Science, University of California, Irvine
  Security of Ad Hoc and Sensor Networks (SASN)

  2. Outline
  • Introduction: Access control in ad hoc groups
  • Threshold cryptography
  • Proactive signatures
  • URSA proactive RSA scheme
  • Our attack: efficient key recovery
  • Discussion: Insecurity of URSA
  • Open issues

  3. Access Control in Ad Hoc Groups
  • Access control is required to
    • prevent unauthorized entities from joining the group
    • bootstrap other security services, e.g., secure routing
    • remove misbehaving members
    • in general, make group decisions
  • However, an ad hoc group has
    • no infrastructure
    • no trusted group authority
    • dynamic membership
  Challenge: How to provide secure access control in such a decentralized and dynamic environment?

  4. Distribution of Trust using Threshold Cryptography
  Zhou and Haas [IEEE Comm. Mag’99]
  • (t+1, n) secret sharing of group secret; Shamir [ACM Comm.’79]
  • Threshold signatures
    • any set of t+1 members can sign messages on behalf of the group
    • tolerate up to t corruptions in the lifetime of the system
  • Proactive signatures
    • threshold signatures with increased resilience
    • lifetime is divided into intervals
    • secret shares are updated
    • tolerate up to t corruptions in every interval

  5. Access Control using Proactive Signatures
  • New member (Mnew) wants to join the group
  • If a quorum of t+1 current members approve, Mnew is issued a signed certificate via the proactive signing protocol
  • If no quorum is found, membership is denied
  • Step 1: Certification request
  • Step 2: Join commit (signed vote)
  • Step 3: Certificate acquisition
  (figure: Mnew exchanging votes with the current members)

  6. Provably Secure Proactive Signatures
  None applicable for access control in ad hoc groups
  • RSA based: Frankel, et al. [FOCS’97][Crypto’97], Rabin [Crypto’98]
  • DSA based: Gennaro, et al. [EC’96][IANDC’01]
  • Schnorr based: Gennaro, et al. [RSA Security’03]
  • BLS based: Boldyreva [PKC’03]

  7. Recent Access Control Schemes
  • URSA: Ubiquitous and Robust Access Control
    • Luo, et al. [ICNP’01, ISCC’02, WCMC’02, ToN’04]
    • Proposes a new proactive RSA scheme (under scrutiny in this work)
  • Others
    • Based on proactive DSA: Narasimha, et al. [ICNP’03], Saxena, et al. [SASN’03]
    • Based on proactive BLS: Saxena, et al. [ICISC’04]

  8. URSA Proactive RSA Scheme (1/3)
  • Setup
    • Dealer generates RSA private key d and public key (e, N)
    • Randomly picks polynomial f(x) of degree t: f(x) = d + a1·x + a2·x^2 + … + at·x^t (mod N)
    • Member Mj is issued a secret share ssj = f(j) (mod N)
  • Signature generation (signing group G, |G| = t+1)
    • Polynomial interpolation (formulas not in transcript), where partial key (formula not in transcript)
    • Mj outputs partial signature (formula not in transcript)
  Recall: RSA signature s = m^d (mod N)

  9. URSA Proactive RSA Scheme (2/3)
  • Signature reconstruction: Since (formula not in transcript)
  • Try all (t+1) values of α, s.t. s^e = m (mod N)
  Note: α is revealed

  10. Problems with URSA Proactive RSA
  • Robustness; Narasimha, et al. [ICNP’03]
    • Shares are computed mod N
    • Regular verifiability mechanisms fail
    • No verifiability ⇒ no robustness
  • Fix
    • Share secret d modulo a large prime q
    • Use special-purpose zero-knowledge proofs; Boudot [EC’00] & Camenisch and Michels [Crypto’99]

  11. Problems with URSA Proactive RSA
  Is this scheme (modified with the robustness fix) secure in the presence of a coalition of t corrupt members?
  The answer is: negative

  12. Our Attack (example): Binary Search
  • t = 1, n = 2
  • Players M1, M2; signing group G = {1, 2}
  • Adversary A corrupts M1
  • Recall: d = d1 + d2 − αN, where d1 = ss1·l1 (mod N)
  • Signing protocol reveals α
    • If α = 0, d = d1 + d2 ⇒ d ≥ d1
    • Otherwise, if α = 1, d = d1 + (d2 − N) ⇒ d < d1
  • During proactive updates, A can choose ss1 s.t. (condition not in transcript)
  • With every update round, the search interval is halved
  • Binary search recovers d in log2(N) rounds
  (figure: number line from 0 to N with d1 marked)

  13. Our Attack: (t+1)-ary Search
  • Adversary A corrupts M1, M2, …, Mt (w.l.o.g.)
  • Signing group Gp = {1, 2, …, t, p}, where p > t
  • A learns if d ≥ Dp or d < Dp, where (definition not in transcript)
  • During proactive updates, A can choose ss1, ss2, …, sst s.t. (condition not in transcript)
  • Every round reveals log2(t+1) MSBs of d
  • (t+1)-ary search recovers d in (number not in transcript) rounds
  (figure: number line from 0 to N with Dp1, Dp2, …, Dpt marked)

  14. Optimal Choice of New Shares
  • Solve the following set of deterministic equations for ss1, ss2, …, sst (equations not in transcript)

  15. URSA Proactive Update
  • Simplified classic protocol; Herzberg et al. [Crypto’95]
  • Update the shares but keep the same group secret d
  • A set of at least t+1 members update the polynomials
  • Each Mi chooses a random polynomial δi(z) of degree t s.t. δi(0) = 0
  • Mj gives δj(i) to Mi
  • Mi’s new share becomes ssi (old share was ssi’); formula not in transcript
  • ssi’ is deleted

  16. Adversarial Behavior in Share Update
  • B: t members corrupted by A
  • Mb ∈ B: member who “speaks last”
  • Update polynomial (formula not in transcript)
  • New shares are computed as (formula not in transcript)
  • Mb waits until it receives all other shares and chooses its polynomial δb(z) s.t. (condition not in transcript)
  • This sets A’s shares to be ss1, ss2, …, sst
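To make the leakage described on slides 8, 9, 12, 15 and 16 concrete, here is a toy simulation (an added example, not the authors' code) of the t = 1, n = 2 case: URSA-style shares mod N, Lagrange partial keys, signature reconstruction that exposes α, and the corrupt M1 "speaking last" in each update so that its partial key d1 lands on the midpoint of the current search interval. The toy Mersenne primes, helper names and seeded randomness are my own assumptions; the adversary's decisions depend only on the public α.

```python
import random

# Constructed toy parameters (Mersenne primes stand in for real RSA primes).
P, Q = 2**31 - 1, 2**61 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
PRIV_D = pow(E, -1, PHI)                      # the group's RSA private key d

def lagrange(j, group, mod):
    """Lagrange coefficient l_j (mod N) for recovering f(0) from the shares at the points in group."""
    num, den = 1, 1
    for i in group:
        if i != j:
            num, den = num * (-i) % mod, den * (j - i) % mod
    return num * pow(den, -1, mod) % mod

def reconstruct_alpha(partials, m, mod, e, t):
    """URSA reconstruction: the product of partial signatures is m^(d + alpha*N); try alpha = 0..t."""
    prod = 1
    for s_j in partials:
        prod = prod * s_j % mod
    for alpha in range(t + 1):
        s = prod * pow(m, -alpha * mod, mod) % mod   # strip the extra factor m^(alpha*N)
        if pow(s, e, mod) == m % mod:
            return alpha                              # alpha is visible to every participant
    raise ValueError("no alpha works")

def recover_d(d=PRIV_D, mod=N, e=E, seed=0):
    """Binary-search recovery of d by corrupt M1 (t=1, n=2); returns (recovered d, rounds used)."""
    rng = random.Random(seed)
    l1, l2 = lagrange(1, (1, 2), mod), lagrange(2, (1, 2), mod)   # equal 2 and N-1
    a1 = rng.randrange(mod)               # dealer's coefficient: f(x) = d + a1*x (mod N)
    lo, hi, rounds = 0, mod, 0            # invariant: lo <= d < hi
    while hi - lo > 1:
        rounds += 1
        mid = (lo + hi) // 2
        # Proactive update: honest M2 sends delta_2(z) = r*z; corrupt M1 speaks last and
        # picks delta_1(z) = c*z so that its new share yields partial key d1 = mid.
        r = rng.randrange(mod)
        want_ss1 = mid * pow(l1, -1, mod) % mod
        c = (want_ss1 - (d + a1) - r) % mod          # (d + a1) is M1's current share
        a1 = (a1 + r + c) % mod
        ss1, ss2 = (d + a1) % mod, (d + 2 * a1) % mod
        assert ss1 == want_ss1
        # Signing run: each party computes d_j = ss_j * l_j mod N and m^(d_j) mod N.
        m = 2 + rounds                                # small message, coprime with the toy N
        d1, d2 = ss1 * l1 % mod, ss2 * l2 % mod
        alpha = reconstruct_alpha([pow(m, d1, mod), pow(m, d2, mod)], m, mod, e, t=1)
        lo, hi = (mid, hi) if alpha == 0 else (lo, mid)   # alpha=0: d >= d1, else d < d1
    return lo, rounds
```

With this 92-bit toy modulus the search needs at most 92 update rounds, matching the log2(N) bound on slide 12.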

  17. Speeding-up the Attack
  • Attack requires r = (value not in transcript) rounds
  • Recover last 40 bits of d by brute force given RSA public key (e, N) ⇒ r = (value not in transcript)
  • Apply known results on RSA partial key exposure; Boneh, et al. [AC’01], Blomer-May [Crypto’03]
    • Thm1: log2(e) MSBs of d determine the 512 MSBs ⇒ r = (value not in transcript)
    • e.g., for t = 7, |N| = 1024: e = 65537 ⇒ r = 163; e = 3 ⇒ r = 158

  18. Speeding-up the Attack
  (figure: number of proactive update rounds required for a given logN(e) value, for t = 7 and |N| = 1024)

  19. Attack Assumptions
  • Adversary corrupts t members of the update group Ω, one of whom “speaks last”
  • In every round, t runs of the signing protocol are executed, the signing groups consisting of all bad and one (distinct) good player

  20. Insecurity of URSA
  • For a modest threshold t = 7, |N| = 1024 and e = 65537, the attack requires 163 proactive update rounds and a total of 1148 runs of the signing protocol
  • The leakage is very fast
    • e.g., in just 34 rounds, 600 MSBs of d are revealed
  • Other, faster attacks are possible with signing groups consisting of fewer than t bad players

  21. Positive Result in a Related Work
  • Jarecki and Saxena [in submission]
    • URSA proactive RSA scheme (plus robustness fix) with additive secret sharing is provably secure
    • 2-4 times faster than the state-of-the-art Rabin’s proactive RSA [Crypto’98]
    • However, not applicable for access control in ad hoc groups
  • Open problem: to design a provably secure proactive RSA scheme that yields an efficient access control mechanism for ad hoc groups!!

  22. Thank You!


  25. Speeding-up the Attack
  • Thm2: For prime e ∈ [2^m, 2^(m+1)], with m ∈ [|N|/4, |N|/2], m MSBs of d determine d
  • Thm3: For e ∈ [2^m, 2^(m+1)] and a product of at most r primes, with m ∈ [|N|/4, |N|/2], m MSBs determine d given the factorization of e
  • Thm4: For e ∈ [N^0.5, N^0.25], (number not in transcript) MSBs of d determine d, where α = logN(e)

  26. Our Attack: (t+1)-ary search
  • Adversary A corrupts M1, M2, …, Mt (w.l.o.g.)
  • Signing group Gp = {1, 2, …, t, p}, where p ∈ [t+1, 2t]
  • Recall (formula not in transcript)
  • Signing protocol reveals α(Gp)
  • Compute (formula not in transcript)
    • If Sp ≥ α(Gp)·N, A learns d ≥ Dp
    • Otherwise, if Sp < α(Gp)·N, A learns d < Dp
  • During proactive updates, A chooses ss1, ss2, …, sst such that (condition not in transcript)
  • Every round reveals log2(t+1) MSBs of d
  • (t+1)-ary search recovers d in (number not in transcript) rounds
  (figure: number line from 0 to N−1 with Dt+1, Dt+2, …, D2t marked)
